> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Lloyd Fuller
> Sent: Sunday, September 03, 2006 7:08 AM
> To: [email protected]
> Subject: Re: IBM announces Encrypting tape drives

/snip/

> You are incorrect. CPACF is only available on the
> z990 and newer hardware (z890, z9, etc). On the
> z900, z800 and at least one generation of 9672, CCF
> was available. This is restricted to the first two
> CPUs in the processor complex. The only way that I
> have found after several hours/days of digging to use
> the CCF hardware is through IBM's ICSF software. The
> instructions necessary for anyone else to use the CCF
> were not documented by IBM that I could find. In fact
> several IBM technote papers also state this explicitly.
>
> Lloyd

/snip/

ISTR that CPACF is orderable for the z900 and z800.

The CCF is an older cryptographic architecture. The CCF uses undocumented privileged instructions in the X'B2xx' range (and possibly other ranges). The instructions are only available on CPU 0 and maybe CPU 1. Any other CPU attempting to use the instructions will see a program interrupt X'0119' (co-processor nullifying interrupt). Only IBM ICSF knows how to use the CCF, because ICSF must "own" the crypto unit that has the master key. No other application may directly use the CCF.

The CPACF has no notion of a "master key" and therefore it can be publicly documented and problem state. CPACF uses clear keys in application storage. It is up to the application to provide adequate protection of its keys. The CPACF instructions are very fast and available on all CPUs, so there is no overhead of redispatching a unit of work on the "correct" CPU for crypto services.

With properly designed authorized programming interfaces, an application can use the protection features of z/OS (key controlled protection, address space accessibility, cross memory mode, etc.) to reduce the probability of improper exposure of clear key material. Much of it would depend on proper security measures with a security product, like IBM RACF, and system programming protocols to prevent exposure of the address space storage (like dump data sets or other authorized programs that may improperly peek into the address space).

When used properly, the security features of z/OS can prevent an adversary from gaining access to the key material.

Jeffrey D. Smith
Principal Product Architect
Farsight Systems Corporation
700 KEN PRATT BLVD. #204-159
LONGMONT, CO 80501-6452
303-774-9381 direct
303-484-6170 FAX
http://www.farsight-systems.com/

ps: comments are invited on my encryption project

