ICSF PPINIT Pass Phrase Utility - What key values does it generate?

Anyone familiar with the IBM Integrated Cryptographic Service Facility (ICSF), in particular the included ICSF panels, has been lured by the ease of initialising one's cryptocards and key data sets in a single stroke, using the PPINIT "Pass Phrase Master Key/KDS Initialization" facility (option 6 on the menu).

"But what are the key values that it generates?", I asked myself. Turns out this is documented in some detail, in the "Supporting Algorithms and Calculations" section of the "z/OS Cryptographic Services ICSF Administrator's Guide".

Pass Phrase Initialization master key calculations

But now we have something of a "chicken and egg" situation - if I were to attempt to derive the clear key values, using the above recipe, I will need routines that provide various hashing algorithms and DES encryption. The obvious answer is to use the IBM CCA API calls that ICSF provides, but most of these are not operative until my cryptocards and key data sets are initialized!

Turns out, a couple of verbs are available, which don't require initialization of the cryptocards - CSNBOWH - One-Way Hash Generate and CSNBSYE - Symmetric Key Encipher (provided I restrict myself to clear keys, i.e. specify KEY-CLR in the rule array, or let it default). Wonderful! The only other weapon I need for the DES master key is a method to parity-correct the key generated by the recipe, so the key has odd parity.

Parity correction is most easily achieved by a simple lookup table. To achieve odd parity (i.e. an odd number of '1' bits in the binary representation of each byte in the key value), we map x'00' to x'01' = b'00000001', x'01' stays as-is, x'02' stays as is, x'03' maps to x'02', and so on. The parity bit is the low-order bit of each byte, so we flip this bit, if necessary, to arrive at an odd number of '1' bits.

I constructed a mapping table and implemented the translation in REXX, as follows:

 * PAR - Set DES key to odd parity
par: procedure
parse arg key
transtab = x2c('010102020404070708080B0B0D0D0E0E' || ,
               '101013131515161619191A1A1C1C1F1F' || ,
               '202023232525262629292A2A2C2C2F2F' || ,
               '313132323434373738383B3B3D3D3E3E' || ,
               '404043434545464649494A4A4C4C4F4F' || ,
               '515152525454575758585B5B5D5D5E5E' || ,
               '616162626464676768686B6B6D6D6E6E' || ,
               '707073737575767679797A7A7C7C7F7F' || ,
               '808083838585868689898A8A8C8C8F8F' || ,
               '919192929494979798989B9B9D9D9E9E' || ,
               'A1A1A2A2A4A4A7A7A8A8ABABADADAEAE' || ,
               'B0B0B3B3B5B5B6B6B9B9BABABCBCBFBF' || ,
               'C1C1C2C2C4C4C7C7C8C8CBCBCDCDCECE' || ,
               'D0D0D3D3D5D5D6D6D9D9DADADCDCDFDF' || ,
               'E0E0E3E3E5E5E6E6E9E9EAEAECECEFEF' || ,
pkey = translate(key, transtab)                                                  
return pkey        

Another slight wrinkle I ran into was setting an "initial hash" value for calls to CSNBOWH, as required for several steps of the pass phrase recipe (above). While not explicitly documented, this can be achieved for the MD5 and SHA-256 hashing operations, by setting the "hash" parameter to the required initial value and by setting the "chaining_vector" parameter to all nulls, then use the LAST rule, so the new hash value builds on the initial value you set.

The final clarification that is needed applies to step 5 of the recipe, which requires that the (16-byte) MD5 hash value produced in step 4, be used as the initial (32-byte) SHA-256 hash value. The way to resolve this apparent ambiguity is to left-justify the MD5 hash from step 4 and pad it out to 32 bytes with 16 nulls (i.e. '00'x).

I have implemented the recipe in REXX (see below) and my script produces output like the following. You can compare this output to the "status" display (i.e. 'S' line command) under option 1 in the ICSF panels, assuming you used option 6 to initialise your cryptocard(s):

Passphrase: "I wish I could think of a pass phrase"
    Length: 37 characters
    AES-MK: E943D6BCC5344670B58FF8A0B730AD2AF74043E3EDA9811608276BE1B9155B4E
        VP: 24B6E5C5C27A0C74
    DES-MK: 89150B8649CE0D43CEE5011040B6AB16
        VP: 0D8D3612742C5B63
        HP: 7DB3C59544A618B5
          : 0A03F10D7BC1F32C
  DES24-MK: EFE3D0E94F4A08BC89150B8649CE0D43CEE5011040B6AB16
        VP: 3A3E61095A1F43F9
        HP: 91870D7A88CCF738
          : 7C388A8A7DFAF2DC
    ECC-MK: 95D2E940028BA791D5BE03E66EBFE351E4D01112F96189C17BF97FCED9F1CF35
        VP: AF4B505DE62E9E8E
    RSA-MK: 7CCA40D6106F0938439F9CE0703EB537B142B591B8027988
        VP: 16E2C37572370834
          : CED6BB7E3CA9C18F        

Here's the REXX code:

/* REXX */
/* compute master keys and verification/hash patterns for pass phrase */

parse arg pp
if pp = '' then do
  say 'Usage: passkeys "passphrase"'
  return 8
pp = strip(pp)

say 'Passphrase: "'pp'"'
say "    Length: "length(pp)" characters"
say " "

if length(pp) < 16 | length(pp) > 64 then do
  say 'ERROR: pass phrase must be between 16 and 64 characters (inclusive)'
  return 12

/* step 1 */
seed1 = pp || 'AB45'x 
init1 = '23A0BE487D9BD32003424FAAA34BCE00'x
hash1 = md5(init1, seed1)
/* step 2 */
seed2 = pp || '551B1B1B'x
hash2 = md5(hash1, seed2)
des16 = par(hash2)                     /* parity-corrected */
des24 = par(right(hash1, 8) || hash2)  /* parity-corrected */
/* step 3 */
seed3 = pp || '2A2A88'x
hash3 = md5(hash2, seed3)
rsa = hash3 || left(hash1, 8)
/* step 4 */
seed4 = pp || '94'x
hash4 = md5(hash3, seed4)
/* step 5 */
seed5 = pp || 'C1C5E2D4D2'x
init5 = hash4 || copies('00'x, 16)
hash5 = sha256(init5, seed5)
aes = hash5
/* step6 */
seed6 = pp || 'C5D3D3C9D7E2C5'x
hash6 = sha256(hash5, seed6)
ecc = hash6

say "    AES-MK: "c2x(aes)
say "        VP: "c2x(vpaes(aes))
say " "
say "    DES-MK: "c2x(des16)
say "        VP: "c2x(vpdes16(des16))
hp = MDC4(2, des16, '5252525252525252'x, '2525252525252525'x)
say "        HP: "c2x(left(hp, 8))
say "          : "c2x(right(hp, 8))
say " "
say "  DES24-MK: "c2x(des24)
say "        VP: "c2x(vpdes24(des24))
hp = MDC4(3, des24, '5252525252525252'x, '2525252525252525'x)
say "        HP: "c2x(left(hp, 8))
say "          : "c2x(right(hp, 8))
say " "
say "    ECC-MK: "c2x(ecc)
say "        VP: "c2x(vpaes(ecc))
say " "
say "    RSA-MK: "c2x(rsa)
x = vprsa(rsa)
say "        VP: "c2x(left(x,8))
say "          : "c2x(right(x, 8))


vpaes: procedure
parse arg key
x = '01'x || key
/* x = key || '01'x */
vp = left(sha256('6a09e667bb67ae853c6ef372a54ff53a'x || ,
                 '510e527f9b05688c1f83d9ab5be0cd19'x, x), 8)
return vp

vpdes16: procedure
parse arg key
KL = left(key, 8)
KR = right(key, 8)
/* step 1 - do nothing for a master key */
/* step 2 */
s2 = desenc('4545454545454545'x, KL)
/* step 3 */
s3 = bitxor(s2, KL)
/* step 4 */
s4 = desenc(s3, KR)
/* step 5 */
s5 = bitxor(s4, KR)
return s5

vpdes24: procedure
parse arg key
x = '01'x || key
return left(sha1(x), 8)

vprsa: procedure
parse arg key
vp = MDC4(3, key, '5252525252525252'x, '2525252525252525'x)
return vp

 * MD5
md5: procedure
parse arg init, seed

return_code = d2c(0, 4)
reason_code = d2c(0, 4)
exit_data_length = d2c(0, 4)
exit_data = ''
rule_array = 'MD5     LAST    '
rule_array_count = d2c(length(rule_array) / 8, 4)
text_length = d2c(length(seed), 4)
text = seed
chaining_vector_length = d2c(128, 4)
chaining_vector = copies('00'x, 128)
hash_length = d2c(16, 4)
hash = left(init, 16)

address linkpgm "CSNBOWH"  ,
  "return_code            reason_code"     ,
  "exit_data_length       exit_data"       ,
  "rule_array_count       rule_array"      ,
  "text_length            text"            ,
  "chaining_vector_length chaining_vector" ,
  "hash_length            hash"

rc = c2d(return_code)
rsn = c2d(reason_code)
if rc \= 0 then do
  say "ERROR: CSNBOWH rc="rc", reason="rsn
return hash

 * SHA-1
sha1: procedure
parse arg seed

return_code = d2c(0, 4)
reason_code = d2c(0, 4)
exit_data_length = d2c(0, 4)
exit_data = ''
rule_array = 'SHA-1   '
rule_array_count = d2c(length(rule_array) / 8, 4)
text_length = d2c(length(seed), 4)
text = seed
chaining_vector_length = d2c(128, 4)
chaining_vector = copies('00'x, 128)
hash_length = d2c(20, 4)
hash = copies('00'x, 20)

address linkpgm "CSNBOWH"  ,
  "return_code            reason_code"     ,
  "exit_data_length       exit_data"       ,
  "rule_array_count       rule_array"      ,
  "text_length            text"            ,
  "chaining_vector_length chaining_vector" ,
  "hash_length            hash"

rc = c2d(return_code)
rsn = c2d(reason_code)
if rc \= 0 then do
  say "ERROR: CSNBOWH rc="rc", reason="rsn
return hash

 * SHA-256
sha256: procedure
parse arg init, seed

return_code = d2c(0, 4)
reason_code = d2c(0, 4)
exit_data_length = d2c(0, 4)
exit_data = ''
rule_array = 'SHA-256 LAST    '
rule_array_count = d2c(length(rule_array) / 8, 4)
text_length = d2c(length(seed), 4)
text = seed
chaining_vector_length = d2c(128, 4)
chaining_vector = copies('00'x, 128)
hash_length = d2c(32, 4)
hash = left(init, 32)

address linkpgm "CSNBOWH"  ,
  "return_code            reason_code"     ,
  "exit_data_length       exit_data"       ,
  "rule_array_count       rule_array"      ,
  "text_length            text"            ,
  "chaining_vector_length chaining_vector" ,
  "hash_length            hash"

rc = c2d(return_code)
rsn = c2d(reason_code)
if rc \= 0 then do
  say "ERROR: CSNBOWH rc="rc", reason="rsn
return hash

 * MDC-4
MDC4: procedure
parse arg n, text, k1, k2
/* say "MDC-4 n="n", text="c2x(text)", k1="c2x(k1)", k2="c2x(k2) */
KEY1 = k1
KEY2 = k2
do i = 1 to n
  out = MDC1(KEY1, KEY2, substr(text, 8*i-7, 8), substr(text, 8*i-7, 8))
  OUT1 = left(out,8)
  OUT2 = right(out,8)
  KEY1int = OUT1
  KEY2int = OUT2
  out = MDC1(KEY1int, KEY2int, KEY2, KEY1)
  OUT1 = left(out,8)
  OUT2 = right(out,8)
  KEY1 = OUT1
  KEY2 = OUT2
return KEY1 || KEY2

 * MDC-1
MDC1: procedure
parse arg KD1, KD2, IN1, IN2
KD1mod = bitor(bitand(KD1, '9fffffffffffffff'x), '4000000000000000'x)
KD2mod = bitor(bitand(KD2, '9fffffffffffffff'x), '2000000000000000'x)
F1 = bitxor(IN1, desenc(KD1mod, IN1))
F2 = bitxor(IN2, desenc(KD2mod, IN2))
OUT1 = left(F1, 4)||right(F2, 4)
OUT2 = left(F2, 4)||right(F1, 4)
/* say "MDC1 returning "c2x(OUT1) c2x(OUT2) */
return OUT1||OUT2

 * DESENC - DES ECB Encryption
desenc: procedure
parse arg key, data

return_code = d2c(0, 4)
reason_code = d2c(0, 4)
exit_data_length = d2c(0, 4)
exit_data = ''
rule_array = 'DES     ECB     KEY-CLR '
rule_array_count = d2c(length(rule_array) / 8, 4)
key_identifier_length = d2c(length(key), 4)
key_identifier = key
key_parms_length = d2c(0, 4)
key_parms = ''
block_size = d2c(8, 4)
initialization_vector_length = d2c(0, 4)
initialization_vector = ''
chain_data_length = d2c(0, 4)
chain_data = ''
clear_text_length = d2c(length(data), 4)
clear_text = data
cipher_text_length = d2c(length(data), 4)
cipher_text = copies('00'x, length(data))
optional_data_length = d2c(0, 4)
optional_data = ''

address linkpgm "CSNBSYE"                              ,
  "return_code                  reason_code"           ,
  "exit_data_length             exit_data"             ,
  "rule_array_count             rule_array"            ,
  "key_identifier_length        key_identifier"        ,
  "key_parms_length             key_parms"             ,
  "block_size"                                         ,
  "initialization_vector_length initialization_vector" ,
  "chain_data_length            chain_data"            ,
  "clear_text_length            clear_text"            ,
  "cipher_text_length           cipher_text"           ,
  "optional_data_length         optional_data"
rc = c2d(return_code)
rsn = c2d(reason_code)

if rc \= 0 then do
  say "ERROR: CSNBSYE rc="rc", reason="rsn
return cipher_text

 * PAR - Set DES key to odd parity
par: procedure
parse arg key
transtab = x2c('010102020404070708080B0B0D0D0E0E' || ,
               '101013131515161619191A1A1C1C1F1F' || ,
               '202023232525262629292A2A2C2C2F2F' || ,
               '313132323434373738383B3B3D3D3E3E' || ,
               '404043434545464649494A4A4C4C4F4F' || ,
               '515152525454575758585B5B5D5D5E5E' || ,
               '616162626464676768686B6B6D6D6E6E' || ,
               '707073737575767679797A7A7C7C7F7F' || ,
               '808083838585868689898A8A8C8C8F8F' || ,
               '919192929494979798989B9B9D9D9E9E' || ,
               'A1A1A2A2A4A4A7A7A8A8ABABADADAEAE' || ,
               'B0B0B3B3B5B5B6B6B9B9BABABCBCBFBF' || ,
               'C1C1C2C2C4C4C7C7C8C8CBCBCDCDCECE' || ,
               'D0D0D3D3D5D5D6D6D9D9DADADCDCDFDF' || ,
               'E0E0E3E3E5E5E6E6E9E9EAEAECECEFEF' || ,
pkey = translate(key, transtab)                                                  
return pkey        



