Greg,

I can't tell.. was that a correction or clarification?

Rob Schramm
Senior Systems Consultant
Imperium Group



On Mon, Jul 9, 2012 at 10:29 AM, Rob Schramm <rob.schr...@gmail.com> wrote:

> Nope.
>
> It is correct.  As is your statement.
>
> The "key" (no pun intended) is that the protected key scheme is dependent
> on having secure keys to start with.
>
> Rob Schramm
> Senior Systems Consultant
> Imperium Group
>
>
>
> On Mon, Jul 9, 2012 at 10:21 AM, Tom Ambros <thomas_amb...@keybank.com> wrote:
>
>> Phil Smith wrote:
>>
>> "Yes, Protected Key requires ICSF and a CEX."
>>
>> Should that not read  "Yes, Secure Key requires ICSF and a CEX."?
>>
>> Blatant plagiarism follows from my copy of the z196 Tech Guide, Section
>> 6.2.2 'CPACF Protected key':
>>
>> "The zEnterprise CPCs support the protected key implementation. Since
>> PCIXCC deployment, secure keys are processed on the PCI-X and PCIe
>> cards, requiring an asynchronous operation to move the data and keys
>> from the general purpose CP to the crypto cards. Clear keys process
>> faster than secure keys because the process is done synchronously on
>> the CPACF. Protected keys blend the security of Crypto Express3
>> coprocessors (CEX3C) and the performance characteristics of the CPACF,
>> running closer to the speed of clear keys.
>>
>> An enhancement to CPACF facilitates the continued privacy of
>> cryptographic key material when used for data encryption. In Crypto
>> Express3 coprocessors, a secure key is encrypted under a master key,
>> whereas a protected key is encrypted under a wrapping key that is
>> unique to each LPAR. After the wrapping key is unique to each LPAR, a
>> protected key cannot be shared with another LPAR. CPACF, using key
>> wrapping, ensures that key material is not visible to applications or
>> operating systems during encryption operations.
>>
>> CPACF code generates the wrapping key and stores it in the protected
>> area of hardware system area (HSA). The wrapping key is accessible only
>> by firmware. It cannot be accessed by operating systems or
>> applications. DES/T-DES and AES algorithms were implemented in CPACF
>> code with support of hardware assist functions. Two variations of
>> wrapping key are generated, one for DES/T-DES keys and another for AES
>> keys."
>>
>> Note that CPACF generates the wrapping key and the use of the term
>> 'protected key' in this context.  Thus my confusion, I am not entirely
>> sure that the CEX hardware is required in this case.  I see the
>> distinction that is drawn between 'secure key' and 'protected key' and I
>> believe it is significant.
>>
>>
>> Thomas Ambros
>> Operating Systems and Connectivity Engineering
>> 518-436-6433
>>
>> ----------------------------------------------------------------------
>> For IBM-MAIN subscribe / signoff / archive access instructions,
>> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>>
>
>
