Nope.

It is correct.  As is your statement.

The "key" (no pun intended) is that the protected key scheme is dependent
on having secure keys to start with.

Rob Schramm
Senior Systems Consultant
Imperium Group



On Mon, Jul 9, 2012 at 10:21 AM, Tom Ambros <thomas_amb...@keybank.com> wrote:

> Phil Smith wrote:
>
> "Yes, Protected Key requires ICSF and a CEX."
>
> Should that not read  "Yes, Secure Key requires ICSF and a CEX."?
>
> Blatant plagiarism follows from my copy of the z196 Tech Guide, Section
> 6.2.2 'CPACF Protected key':
>
> "The zEnterprise CPCs support the protected key implementation. Since
> PCIXCC deployment, secure keys are processed on the PCI-X and PCIe cards,
> requiring an asynchronous operation to move the data and keys from the
> general purpose CP to the crypto cards. Clear keys process faster than
> secure keys because the process is done synchronously on the CPACF.
> Protected keys blend the security of Crypto Express3 coprocessors (CEX3C)
> and the performance characteristics of the CPACF, running closer to the
> speed of clear keys.
>
> An enhancement to CPACF facilitates the continued privacy of cryptographic
> key material when used for data encryption. In Crypto Express3
> coprocessors, a secure key is encrypted under a master key, whereas a
> protected key is encrypted under a wrapping key that is unique to each
> LPAR. After the wrapping key is unique to each LPAR, a protected key
> cannot be shared with another LPAR. CPACF, using key wrapping, ensures
> that key material is not visible to applications or operating systems
> during encryption operations.
>
> CPACF code generates the wrapping key and stores it in the protected area
> of hardware system area (HSA). The wrapping key is accessible only by
> firmware. It cannot be accessed by operating systems or applications.
> DES/T-DES and AES algorithms were implemented in CPACF code with support
> of hardware assist functions. Two variations of wrapping key are
> generated, one for DES/T-DES keys and another for AES keys."
>
> Note that CPACF generates the wrapping key and the use of the term
> 'protected key' in this context.  Thus my confusion, I am not entirely
> sure that the CEX hardware is required in this case.  I see the
> distinction that is drawn between 'secure key' and 'protected key' and I
> believe it is significant.
>
>
> Thomas Ambros
> Operating Systems and Connectivity Engineering
> 518-436-6433
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>