> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
> Behalf Of R.S.
> Sent: Sunday, September 10, 2006 11:35 AM
> To: [email protected]
> Subject: Re: ICSF with CPACF (was RE: Encrypting tape drives... anyone
> considering field encryption?)
> 
> Jeffrey D. Smith wrote:
> [...]
> >>How about key IMPORT ? Could I keep the key in encrypted form and import
> >>it from CKDS ?
> >
> > Of course, but you can't use CPACF in that case.
> I can use both: ICSF for key extract and CPACF.
> BTW: I understand "using CPACF" as using CPACF directly OR via ICSF API.

You can't decrypt the encrypted key. Therefore, you can't use CPACF with
ICSF encrypted key tokens.

> >>>The RACF support in ICSF restricts access to the services, but not the
> >>>resource being ciphered. That is a HUGE difference.
> >>
> >>RACF restricts access to both services and keys as well.
> >
> > ICSF issues security calls for services and keys. That's not my point.
> > ICSF does nothing to protect the ciphered resource. *Both* the ciphered
> > resource and the key that ciphers it must be protected through a single
> > point of access.
> Now I understand your point! You want to tie protection of the key with
> protection of the resource. This is a very interesting approach. However, I
> cannot agree with the "must" keyword as a general rule. Why ???

Because that's the way a key management system works, by separation of
key type (usage) and binding keys to the resource protected by the key.

> > I think there is a language barrier here. My point is that there is
> > no point in preventing/restricting access to the ICSF ciphering
> > functions. The vast majority of encryption needs involve ciphering
> > data. With CPACF, there is no need to use ICSF. Thus, applying security
> > controls to ICSF ciphering is useless. A program can directly use CPACF
> > instead of ICSF.
> Even if CPACF were unavailable, I don't think that any function
> should be restricted. We don't restrict READ, but we control a dataset
> which can be read. Everyone can add, multiply, divide, etc., so why
> deny encryption as a function?

Well, you're the one who pointed out that ICSF can use RACF to restrict
access to its ciphering services, as well as access to the keys. Restricting
access to ciphering is somewhat useless. It's the keys combined with the
resources protected by the keys that need protection. ICSF doesn't do that.

> >>>So, if you are forced to use a 3rd party key management system, you have
> >>>no need for ICSF.
> >>
> >>Wrong assumption - maybe people are not forced to use 3rd party KMS.
> >>Sometimes people use ICSF with TKE workstation.
> >
> > TKE is not a key management *system*. It is a trusted key entry device.
> > That has nothing to do with managing the use of keys.
> TKE is for key entry. Key entry is part of key management (this is
> a matter of definition). Sometimes this part of key management is enough.
> Sometimes even TKE is not needed.

TKE is only for physical protection while entering clear keys into a
physically protected key storage unit. TKE is not anything near to being a
key management system. TKE has nothing to do with what happens with the keys
after the keys get inside the secure boundary. Many sites that use ICSF
ciphering don't need TKE. Also, there are many sites that use non-ICSF
ciphering and they rely solely on software security controls (or sometimes
post-it notes on the terminal) for access to the keys and the resources.

> Regards
> --
> Radoslaw Skorupka
/snip/

ICSF provides a key repository and a ciphering interface to older
cryptographic hardware that uses the hardware master key concept. ICSF
is not a key management *system*. If a site needs a KMS, then it must
buy or build one.


Jeffrey D. Smith
Principal Product Architect
Farsight Systems Corporation
700 KEN PRATT BLVD. #204-159
LONGMONT, CO 80501-6452
303-774-9381 direct
303-484-6170 FAX
http://www.farsight-systems.com/
comments are invited on my encryption project

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
