Timothy Sipples wrote:
On Thu, 4 Aug 2005 11:15:23 -0400, Bruce Black <[EMAIL PROTECTED]> wrote:
"IBM intends to deliver a software-based file encryption solution for z/OS
that leverages the existing z/OS key management capabilities provided
within the Integrated Cryptographic Services Facility (ICSF) in 2005. More
information will be provided at a later date."
It doesn't say "tape" so I didn't think that was what you meant. I
suppose that can be interpreted to mean that they will provide
encryption of tape files.
I found more information in one of Computerworld's System z9 stories:
http://www.computerworld.com/hardwaretopics/hardware/mainframes/story/0,10801,103510,00.html
From this article, some Q&A with IBM's Erich Clementi:
[Question:] What security functionality did you include in this system that
will be of most interest to your customers?
[Answer:] First and foremost, the new AES [Advanced Encryption Standard
algorithm] standard. That is higher encryption than Triple DES [Triple Data
Encryption Standard]. We have added into the zOS software Identrus-certified
public-key infrastructure [PKI]. There is the work we have done with
standards to allow the mainframe to work as the security server for a
diverse infrastructure. So when you look at it, we have bleeding[-edge]
encryption technology, we have augmented the encryption bandwidth of the
system with more power for encryption capability, we have tripled the
performance [of the] adapters for [Secure Sockets Layer] encryption, we have
introduced PKI, and we are extending the security into the infrastructure.
It's pretty comprehensive. On top of this, we have announced a zOS
encryption facility to address this tape in the clear issue.
[Question:] How does tape security work?
[Answer:] When you produce the tape, you encrypt the tape [with] software
that uses the hardware accelerators in the system. That makes it affordable,
and that makes it viable. By using the centralized key management, we can
use the key with a PKI infrastructure, so you send me your public key, and I
send you the encryption key with your private key, you access the key and
decrypt the data -- so the data is never in the clear. If you don't have a
PKI identity, then we deliver to you a Java applet, which allows you to
combine tape and key and decrypt and re-encrypt. So in reality, losing a
tape would never again be a problem.
It is always a problem to rely on manager-talk for technical information.
How can AES be "higher encryption than T-DES" if IBM only implemented a
128-bit key length in the CPACF of the z9-109? Also note that the Crypto
Express2 card doesn't implement AES in hardware, so there is no AES
encryption with secure keys on z9-109 (and z990).
--
Ulrich Boche
SVA GmbH, Germany
IBM Premier Business Partner