As others have indicated, "Clear Key Encryption" means that the key used for the encryption itself is in the "clear", while non-clear key means that the key is not in the clear. For example, if you have the full Crypto-coprocessors and are running with z/OS you can encrypt with DES (or Triple-DES) in non-clear key. This means that the encryption key itself is "registered" with ICSF and you are returned a token name. When you want to encrypt data you call ICSF services and pass it this token name. ICSF will take the token name, find the real encryption key (which is stored in an encrypted form in its CKDS - Crypto Key Data Set) and pass this encrypted key down to the co-processor. Now, the co-processor is "locked" to this system and knows how to un-encrypt keys passed to it from this system. So it then un-encrypts the key, encrypts the data with this key and returns the encrypted data.

So, aside from the registration process, the key is never seen anywhere in the operating system ever again. No matter when you take a dump, no matter what storage you dump or when you dump that storage, you will never see this key in clear form again. With clear-key, when you call crypto services your program has the key somewhere in storage for at least 1 instruction (when you invoke the crypto service). So a dump of storage at exactly the right time will allow the key to be obtained. A very remote situation, but an exposure nonetheless.

Russell Witt
CA-1 Level-2 Support Manager

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED]] On Behalf Of Ward, Mike S
Sent: Wednesday, January 18, 2006 2:30 PM
To: [email protected]
Subject: Clear key encryption

Hello all.

I was wondering if anyone could explain to me what Clear Key Encryption vs. non-clear Encryption is. I looked in the archives, but only found a reference that clear key could run on the T-REX. I thought that clear key encryption was purely SSL and the other was DES/3DES where the 3DES keys are encrypted by the master. The reason I am asking is because we will be encrypting our data for offsite export. I don't believe that SSL would be a good way to do it.

Thanks in advance.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
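The exposure difference Russell describes (clear key: the program itself holds the key, so a storage dump at the right instant captures it; secure key: the program holds only a token, the CKDS holds the key wrapped under the master key, and the clear key exists only inside the co-processor) can be modelled in a few dozen lines. The following is an added example written for this page, not code from the thread or from IBM. It uses a SHA-256 counter keystream as a stand-in for DES/3DES so it runs with the Python standard library, and the token label format `EXPORT.KEY.nnnn` is a hypothetical choice; the "storage dump" is simply the list of byte regions the calling program holds.

```python
"""Toy model of clear-key vs. secure-key (ICSF/CKDS-style) encryption.

Added example, not from the mailing-list thread. The cipher below is a
stand-in so the example runs offline; the point being demonstrated is
key custody, not cipher strength.
"""
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass, field

# Constructed sample record; not real data.
SAMPLE_PLAINTEXT = b"OFFSITE EXPORT DATASET RECORD 0001"


def _keystream_xor(key: bytes, data: bytes, label: bytes) -> bytes:
    """XOR `data` with a SHA-256 counter keystream (toy cipher, symmetric).

    Stands in for DES/3DES; NOT a production cipher.
    """
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out.extend(hashlib.sha256(label + key + counter.to_bytes(8, "big")).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


class CryptoCoprocessor:
    """Models the hardware: the master key never leaves this object."""

    def __init__(self) -> None:
        self._master_key = secrets.token_bytes(32)

    def wrap(self, clear_key: bytes) -> bytes:
        """Encrypt an operational key under the master key (done once, at registration)."""
        return _keystream_xor(self._master_key, clear_key, b"wrap")

    def encrypt(self, wrapped_key: bytes, data: bytes) -> bytes:
        """Unwrap the key inside the coprocessor, use it, and let it go out of scope."""
        clear_key = _keystream_xor(self._master_key, wrapped_key, b"wrap")
        return _keystream_xor(clear_key, data, b"data")

    decrypt = encrypt  # XOR keystream: the same operation in both directions


class ICSF:
    """Models the ICSF layer: the CKDS holds wrapped keys only, indexed by token name."""

    def __init__(self, coproc: CryptoCoprocessor) -> None:
        self._coproc = coproc
        self.ckds: dict[str, bytes] = {}  # token name -> wrapped key

    def register_key(self, clear_key: bytes) -> str:
        token = f"EXPORT.KEY.{len(self.ckds) + 1:04d}"  # hypothetical label format
        self.ckds[token] = self._coproc.wrap(clear_key)
        return token

    def encrypt(self, token: str, data: bytes) -> bytes:
        return self._coproc.encrypt(self.ckds[token], data)

    def decrypt(self, token: str, data: bytes) -> bytes:
        return self._coproc.decrypt(self.ckds[token], data)


@dataclass
class AppStorage:
    """Everything the calling program holds; a storage dump sees exactly this."""

    regions: list[bytes] = field(default_factory=list)

    def hold(self, *objs: bytes | str) -> None:
        self.regions.extend(o.encode() if isinstance(o, str) else o for o in objs)

    def dump_contains(self, needle: bytes) -> bool:
        return any(needle in region for region in self.regions)


def clear_key_flow(key: bytes, data: bytes) -> tuple[AppStorage, bytes]:
    """Clear-key: the program owns the key, so it is in storage when the service is called."""
    app = AppStorage()
    app.hold(key)  # the exposure: key bytes are addressable for at least one instruction
    ciphertext = _keystream_xor(key, data, b"data")
    app.hold(ciphertext)
    return app, ciphertext


def secure_key_flow(icsf: ICSF, token: str, data: bytes) -> tuple[AppStorage, bytes]:
    """Secure-key: the program holds only the token; unwrapping happens in the coprocessor."""
    app = AppStorage()
    app.hold(token)
    ciphertext = icsf.encrypt(token, data)
    app.hold(ciphertext)
    return app, ciphertext


def demo() -> dict[str, bool]:
    key = secrets.token_bytes(24)  # constructed 3DES-sized key
    icsf = ICSF(CryptoCoprocessor())
    token = icsf.register_key(key)  # the one moment the clear key is seen outside the coprocessor
    clear_app, _ = clear_key_flow(key, SAMPLE_PLAINTEXT)
    secure_app, ct = secure_key_flow(icsf, token, SAMPLE_PLAINTEXT)
    return {
        "clear_key_in_dump": clear_app.dump_contains(key),  # True
        "secure_key_in_dump": secure_app.dump_contains(key),  # False
        "key_in_ckds": any(key in w for w in icsf.ckds.values()),  # False: stored wrapped
        "round_trip_ok": icsf.decrypt(token, ct) == SAMPLE_PLAINTEXT,  # True
    }


if __name__ == "__main__":
    print(demo())
```

Registration is the only step where the clear key crosses from the program side into the model's coprocessor, which matches the thread's point that the window of exposure in secure-key mode is confined to that one-time event, while in clear-key mode it recurs on every call.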

