Peter,

No, I am not talking about that...

The issue is that CPACF clear key is tremendously faster than Secure Key. Secure key is the process where the DEK or Operational Key is encrypted under the Master Key but the process is 2 - 3 milliseconds for TDES to encrypt or decrypt a card number. Protected key is a pretty cool way to merge the security of Secure Key and the performance of Clear key.

z10 crypto performance
http://www-03.ibm.com/systems/resources/systems_z_advantages_security_pdf_z10_EC_GA1_Crypto_Rel.pdf
ftp://ftp.software.ibm.com/eserver/zseries/zos/racf/pdf/oa29193.pdf

Communication Server Performance which has a lot of good information on crypto performance
http://www-01.ibm.com/support/docview.wss?uid=swg27005524

Redbook decent discussion on the protected keys in Chapter 3
http://www.redbooks.ibm.com/redbooks/pdfs/sg247848.pdf

Rob Schramm
Senior Systems Consultant
Imperium Group

On Tue, Nov 15, 2011 at 2:59 PM, Farley, Peter x23353 <[email protected]> wrote:
>> -----Original Message-----
>> From: IBM Mainframe Discussion List [mailto:[email protected]] On
>> Behalf Of Rob Schramm
>> Sent: Tuesday, November 15, 2011 2:18 PM
>> To: [email protected]
>> Subject: Re: Data encrypt
>>
>> If you want something similar to clear key performance, use the
>> protected key security option. Keys are secure and CPACF is used for
>> decrypt processing. While not quite as fast as clear key.. it is only
>> a little slower... and more secure. And still way faster than crypto
>> operations in CEX2 or CEX3.
>
> If you are talking about using the ICSF solution to store clear keys in the
> ICSF key store and retrieve them using ICSF labels, I have tested that
> interface (and the ICSF callable subroutines CSNBSYE and CSNBSYD). I found
> the CPU increase using these routines to be substantial (for 1,000,000
> executions of encrypting and decrypting a 16-byte key, CPU time of 6 minutes
> and 15 seconds for the ICSF subroutines vs. 1.68 CPU seconds for the
> assembler subroutine using the CPACF hardware instructions).
>
> These results do not necessarily mean that the ICSF subroutines should not be
> used. It is just that the cost of using the routines has to be recognized
> and accepted as part of the key management solution.
>
> Peter
> --
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: GET IBM-MAIN INFO
> Search the archives at http://bama.ua.edu/archives/ibm-main.html

