Couple of key items. One, cracking a cryptogram is a well-known process. But I am not aware of any such algorithm that can identify the *meaning* of a character string. Is that an area code, a PIN, or a record type descriptor?
There *is* a difference between data and information.

Another, I just can't imagine anyone that would discuss a record layout over the phone to some unknown third party. Internal threats have always been 'the' threat in many situations, especially in the mainframe world. Nothing new there. But we have found ways to protect data without encryption.

Sorry, but wholesale data encryption makes no sense to me. What makes sense is a thoughtful, blended, layered, cost effective approach that deals with realities, not some auditor's naïve opinion based on mangled media reports.

I, too, have heard stories such as the one you related. But none seem to be verifiable.

Best of the season.

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Jeffrey Deaver
Sent: Wednesday, December 28, 2005 1:50 PM
To: [email protected]
Subject: Re: ABN Tape - Found

>The tapes were, for most reasonable purposes and definitions,
>'encrypted'. Without the 'keys' (creation trail and layouts), the data
>is useless. Of course, the data could always be recovered just like any
>encryption scheme can be broken given enough resources.

The strength of any encryption system is often measured in the amount of time it would take to crack the key and decrypt the data. For example, current estimates as to the length of time it would take to crack a 256 bit AES key are in the trillions of years range (given current technology). (The estimated age of the universe is only 12 to 14 billion years.)

If this, then, is the measure of the strength of an encryption system, I don't think the "lack of knowledge" encryption algorithm is very strong at all. I would feel remiss trying to pawn this off to an auditor as a protection method given the current regulatory environment. A couple of phone calls to a company posing as a reporter for a storage magazine or a vendor sales rep could easily yield the information necessary to 'decrypt' that data.
Also remember that we now, unfortunately, have to protect data from possible internal threats as well. I read of one recent event where an ex-employee was attempting to extort money from his old employer by holding backup tapes with data on them and threatening to let it all go on the internet. So building your encryption systems such that the keys are either hidden from or split amongst multiple employees is important.

Jeffrey Deaver, Senior Analyst, Systems Engineering
651-665-4231

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

