Timothy Sipples wrote:
It's worth pointing out that so-called "clear key" encryption is what
every other standard server does with the keys. Except on a mainframe you
have key-protected memory (and accelerators), so it's a lot harder for
another task to grab that key. I'd prefer a different term for "clear
key" on mainframes -- maybe "privileged key" -- but there it is.

"Secure key" is fairly exotic stuff, but mainframes offer it if you need
it. The private keys never appear in memory: they are tucked away inside
the special tamper-proof cryptographic coprocessor cards. That also means
extra I/O out to those cards for crypto processing, so it's not something
you want to do unless you really "need" it.

The comment downthread is quite astute, that DR planning must take into
account private key preservation and recovery. If you lose the key(s)
you've lost the data. Fortunately ICSF (the z/OS key management facility
and crypto API set) has a multi-year track record of keeping those keys
safe. With a little bit of planning this stuff really works, even in a DR
situation.

It is not true that the mainframe is the only platform that can use secure
keys (keys encrypted by a master key and only decrypted inside protected
encryption hardware). The IBM 4758-2 cards for xSeries were functionally
very similar to the PCICC cards and had the same FIPS 140-1 level 4
certification. These cards were also available for pSeries and iSeries.
Currently, though, I'm not aware of any announced follow-on products to
these cards.
There are other vendors who sell external crypto boxes with protected keys.
--
Ulrich Boche
SVA GmbH, Germany
IBM Premier Business Partner