>>"Secure key" is fairly exotic stuff, but mainframes offer it if you need
>>it. The private keys never appear in memory: they are tucked away inside >>the special tamper-proof cryptographic coprocessor cards. That also means >>extra I/O out to those cards for crypto processing, so it's not something >>you want to do unless you really "need" it. >It not true that the mainframe is the only platform that can use secure >keys (keys encrypted by a master key and only decrypted inside protected >encryption hardware). The IBM 4758-2 cards for xSeries were functionally >very similar to the PCICC cards and had the same FIPS 140-1 level 4 >certification. These cards were also available for pSeries and iSeries. >Currently, though, I'm not aware of any announced follow-on products to >these cards. >There are other vendors who sell external crypto boxes with protected keys. I didn't actually say that the mainframe is the only platform tha can use secure keys. (I just said "fairly exotic," not "unique.") However, now that you mention it, there are certification standards for encryption technologies. What is extremely rare is for a secure key encryption system to attain FIPS 140-2 Level 4 certification. IBM has done so with at least one specific mainframe configuration -- an off-the-shelf one. (All high-end certifications, including that one, are done with a specific configuration.) Again, "extremely rare" is not unique, although I believe there's nothing else that has both EAL5 and FIPS 140-2 Level 4. And if you use your favorite search engine on "FIPS 140-2 Level 4," you don't get much. :-) The main point I'm trying to make is that we're talking about the very upper reaches of cryptographic technology. Mainframes can help protect all data classifications (including national security secrets), but I wanted to point out that some data are more sensitive than others. Use the technology in this wonderful system appropriately, selectively, according to the data's sensitivity. I also wanted to point out that not all "clear key" is created the same. Mainframes do have some inherent advantages, which is why I'm proposing a middle ground term such as "privileged key," although I'm not 100% happy with that either. Maybe just "standard key"? - - - - - Timothy F. Sipples Consulting Enterprise Software Architect IBM Americas zSeries/z9 Software E-Mail: [EMAIL PROTECTED] ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
