---> Kyle Sparger: Basically, what I'm saying is, TSM's encryption is better than nothing, and is suitable for many purposes, but your original statement,

As I have read this somewhere (I did not invent this wheel either): "weak security is worse than no security at all. It gives a fake feeling of security".

---> Justin Derrick: Actually, it was EFF.org that built the DES cracker ...

To be more precise, distributed.net won the first two contests (DES-I & DES-II-1), EFF's specially designed box won the semifinal, and they teamed together for the last contest because RSA set a deadline (24 hours). EFF's box was just a more powerful node of distributed.net's approach. Details can be found at http://www.distributed.net/des

Actually, in the fourth round d.net got the answer from EFF's box, but the box itself checked less than 40% of the keyspace. The total result was over 88% of the keyspace exhausted in 22 hours (when the key was found AND confirmed). So the rest was done by the millions of anonymous computers over the Net (a few of them were mine, so I am familiar with it).

However, we have to take into account the technology change since then: the first DES contest was in 1997, the second and third in 1998 and the last in 1999. EFF's machine was built for the third contest (DES-II-2) and used practically unchanged in the fourth. At that time Intel was delivering the Pentium II, IBM had the PowerPC@332MHz and had just started selling the RS64@125/200 MHz, HP had the PA-8200/8500@200/440 MHz, etc. If EFF's methodology were used with current processors/memory, the performance would be better by 3-4 times, i.e. instead of approx. 4 days for the whole DES keyspace (actual EFF box performance) it would happen in a day. And prices for components are a little bit lower than for the same class (be it entry or top performer) in 1997-99. So it may cost $200-220k for less than a day.

---> Paul Seay: In the DoD arena we prescribe to a security called FIPS-140. Basically, it requires encryption of all the network and a closed environment and extending beyond that is all the issues of vault certification and physical plant protection.

At the time when DES was designed, in the 1970s and 80s, there were different security levels defined by the US DoD (Paul is talking about them, not about Afghans or Albanians ;-). But the levels were not only for software but for the whole site AFAIK (to the best of my knowledge, level A demanded that data cannot leave the protected area in any way other than people's memory). And software can achieve a certain level of security only if properly tuned. Unfortunately I am not familiar with FIPS 140 beyond the fact that encryption/decryption devices and software modules can be certified according to levels 1, 2, 3 and 4. So it probably is not a replacement for the old division but additional criteria on a particular topic: encryption. For commercial grade, level C2 was thought enough, so at least the products I know advertise that they can achieve this level (AIX 3.2 & 4.x, Windows NT 4, NetWare 4, Domino/Notes 4.x) and say nothing about higher levels. Level C2 systems were not protected from eavesdropping, nor did they encrypt the data.

And some of my own remarks on the topic: Petur for sure does not know at least some of the demanded security details. He might be familiar with other details he cannot tell to a public forum like this one. And at the end we ought to be specialists in the backup/restore arena. So neither Petur nor we can resolve the security issue at the backup level if it is not solved as a whole. We can only help him to explain the security features/limitations of TSM. I would guess that this company's main concern is that their investment, these genealogical records to be entered, verified and indexed into a database, does not fall into their competitors' hands. Another issue is what Petur pointed out: people's concern about their privacy data. So let's deal with this as we do with other uncommon TSM things on this list: focus not on a tree but look at the whole forest. This is a security problem, not a TSM problem at all.

So if security is a *real* problem for that company, they MUST have an IT security officer (or whatever they call him/her). So that person has to decide how to protect the data. If they do not have such a person, either security is not a big concern to them or security is an excuse not to purchase the TSM Petur tries to offer them. In the latter case, even if he solves the issue, someone would find another excuse.

About the key length: neither DES nor RC4-128 or 3DES are good enough. This research probably is not going to finish in a year or two, and also I expect that the concern for this data is not for short-term protection. On the other hand, this data would not change too much, and usage of a private/public key encryption scheme might be usable. So GnuPG or another file encryption tool might be much more suitable than internal TSM encryption.

My 0.02 BGN

Zlatko Krastev
IT Consultant

P.S. Petur, you can contact me if you want. This is more security- than TSM-related, so please do it outside the list.

Zlatko

Please respond to "ADSM: Dist Stor Manager" <[EMAIL PROTECTED]>
Sent by: "ADSM: Dist Stor Manager" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
cc:
Subject: doesn't anyone know anything about Encryption in TSM?

Hi, I have posted this 2 times before here but haven't received a reply yet. This led me to believe that knowledge on this is very limited.

I have a big customer who is considering TSM for their backup system. However, they will be needing to take some of their backups offsite. They have extremely valuable data which may not get into the wrong hands. I have been reading up on encryption in TSM and found it to be only designed to protect the data on the way to the TSM server. I found no info on whether the data would be encrypted in the storage pools.

My questions:

Is it possible to make a backup set and be sure no one can use it if it gets into the wrong hands (encrypt it somehow)?
How can an administrator be sure that no one can restore his copy storage pools? Is it possible to encrypt the data somehow?
Is it possible to password-protect the TSM database, so that you can't restore it without a password?
What way can they take offsite backups and be sure that their data is safe, even if the bad guys get the tapes?

Thanks in advance for any help.

Kvedja/Regards
Petur Eythorsson
Taeknimadur/Technician
IBM Certified Specialist - AIX
Tivoli Storage Manager Certified Professional
Microsoft Certified System Engineer
[EMAIL PROTECTED]
Nyherji Hf
Simi TEL: +354-569-7700
Borgartun 37
105 Iceland
URL: http://www.nyherji.is
