How is the key generated?

Rob Schramm
Senior Systems Consultant
Imperium Group
On Mon, Jul 9, 2012 at 12:07 PM, David Stokes <sto...@interchip.de> wrote:

> Well, you can encrypt a protected key with PCKMO (Perform cryptographic
> management operation) instruction, as appears to be done in some of the
> white paper tests, so I'm not convinced CEX is absolutely required.
> However, I see little sense, as I said before, in doing such a thing. It
> would somewhat void the point of having protected (i.e. secure) keys in the
> first place.
>
> I didn't feel the point important enough to comment on before.
>
> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On behalf of Tom Ambros
> Sent: Monday, 9 July 2012 16:22
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: Secure Encryption Keys vs Protected Keys
>
> Phil Smith wrote:
>
> "Yes, Protected Key requires ICSF and a CEX."
>
> Should that not read "Yes, Secure Key requires ICSF and a CEX."?
>
> Blatant plagiarism follows from my copy of the z196 Tech Guide, Section
> 6.2.2 'CPACF Protected key':
>
> "The zEnterprise CPCs support the protected key implementation. Since
> PCIXCC deployment, secure keys are processed on the PCI-X and PCIe cards,
> requiring an asynchronous operation to move the data and keys from the
> general purpose CP to the crypto cards. Clear keys process faster than
> secure keys because the process is done synchronously on the CPACF.
> Protected keys blend the security of Crypto Express3 coprocessors (CEX3C)
> and the performance characteristics of the CPACF, running closer to the
> speed of clear keys.
>
> An enhancement to CPACF facilitates the continued privacy of cryptographic
> key material when used for data encryption. In Crypto Express3
> coprocessors, a secure key is encrypted under a master key, whereas a
> protected key is encrypted under a wrapping key that is unique to each
> LPAR. After the wrapping key is unique to each LPAR, a protected key
> cannot be shared with another LPAR. CPACF, using key wrapping, ensures
> that key material is not visible to applications or operating systems
> during encryption operations.
>
> CPACF code generates the wrapping key and stores it in the protected area
> of hardware system area (HSA). The wrapping key is accessible only by
> firmware. It cannot be accessed by operating systems or applications.
> DES/T-DES and AES algorithms were implemented in CPACF code with support
> of hardware assist functions. Two variations of wrapping key are
> generated, one for DES/T-DES keys and another for AES keys."
>
> Note that CPACF generates the wrapping key and the use of the term
> 'protected key' in this context. Thus my confusion, I am not entirely
> sure that the CEX hardware is required in this case. I see the
> distinction that is drawn between 'secure key' and 'protected key' and I
> believe it is significant.
>
>
> Thomas Ambros
> Operating Systems and Connectivity Engineering
> 518-436-6433
>
> This communication may contain privileged and/or confidential information.
> It is intended solely for the use of the addressee. If you are not the
> intended recipient, you are strictly prohibited from disclosing, copying,
> distributing or using any of this information. If you received this
> communication in error, please contact the sender immediately and destroy
> the material in its entirety, whether electronic or hard copy. This
> communication may contain nonpublic personal information about consumers
> subject to the restrictions of the Gramm-Leach-Bliley Act. You may not
> directly or indirectly reuse or redisclose such information for any purpose
> other than to provide the services for which you are receiving the
> information.
>
> 127 Public Square, Cleveland, OH 44114
> If you prefer not to receive future e-mail offers for products or services
> from Key send an e-mail to mailto:dnereque...@key.com with 'No Promotional
> E-mails' in the SUBJECT line.
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
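As an added illustration (not code from this thread, from IBM, or from CPACF itself), here is a small Go model of the key hierarchy the quoted Tech Guide passage describes. A struct stands in for one partition's firmware and the HSA, AES-GCM is an assumed stand-in for whatever wrapping CPACF really uses, and the names LPAR, ProtectedKeyToken, NewLPAR, WrapClearKey, EncryptWithProtectedKey and DecryptWithClearKey are all invented for the model. It shows three things from the discussion: the application only ever holds a wrapped token, a token wrapped in one partition is rejected in another, and wrapping an existing clear key (the PCKMO-style path David mentions) protects it only from that point on, because the caller held the clear key first.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// LPAR stands in for one partition's firmware; wrappingKey stands in for the
// key CPACF generates and keeps in the HSA. Nothing outside this struct reads
// it. (Assumption for the model: a 256-bit AES key. Real CPACF differs.)
type LPAR struct {
	Name        string
	wrappingKey []byte
}

// ProtectedKeyToken is all an application holds: the clear key sealed under
// the partition wrapping key. AES-GCM is an assumed stand-in, chosen so that a
// foreign token fails authentication instead of unwrapping to garbage.
type ProtectedKeyToken struct {
	Nonce   []byte
	Wrapped []byte
}

const wrapAAD = "protected-key-token" // ties the token to its purpose

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// NewLPAR models CPACF generating a fresh wrapping key when a partition starts.
func NewLPAR(name string) (*LPAR, error) {
	wk := make([]byte, 32)
	if _, err := rand.Read(wk); err != nil {
		return nil, err
	}
	return &LPAR{Name: name, wrappingKey: wk}, nil
}

// WrapClearKey models the PCKMO path from the thread: the caller hands firmware
// a clear key and gets a token back. The caller therefore held the clear key in
// its own storage first; the token only protects it from this point on.
func (l *LPAR) WrapClearKey(clearKey []byte) (ProtectedKeyToken, error) {
	g, err := newGCM(l.wrappingKey)
	if err != nil {
		return ProtectedKeyToken{}, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return ProtectedKeyToken{}, err
	}
	wrapped := g.Seal(nil, nonce, clearKey, []byte(wrapAAD))
	return ProtectedKeyToken{Nonce: nonce, Wrapped: wrapped}, nil
}

// EncryptWithProtectedKey models a CPACF protected-key operation: firmware
// unwraps the token, uses the recovered key for one AES-GCM seal, and never
// hands the clear key back. A token wrapped by another partition fails the
// GCM tag check, modelling "cannot be shared with another LPAR".
func (l *LPAR) EncryptWithProtectedKey(tok ProtectedKeyToken, dataNonce, plaintext []byte) ([]byte, error) {
	g, err := newGCM(l.wrappingKey)
	if err != nil {
		return nil, err
	}
	clearKey, err := g.Open(nil, tok.Nonce, tok.Wrapped, []byte(wrapAAD))
	if err != nil {
		return nil, errors.New(l.Name + ": token was not wrapped under this partition's wrapping key")
	}
	dataAEAD, err := newGCM(clearKey)
	if err != nil {
		return nil, err
	}
	return dataAEAD.Seal(nil, dataNonce, plaintext, nil), nil
}

// DecryptWithClearKey is the clear-key path: the application holds the key
// itself. Used here to confirm the protected-key path used the same key.
func DecryptWithClearKey(clearKey, dataNonce, ciphertext []byte) ([]byte, error) {
	g, err := newGCM(clearKey)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, dataNonce, ciphertext, nil)
}

func main() {
	// Constructed sample values, not taken from any real system. The all-zero
	// data nonce is acceptable only because each key is used exactly once here.
	clearKey := []byte("0123456789abcdef") // 16 bytes: AES-128
	dataNonce := make([]byte, 12)
	lparA, _ := NewLPAR("LPARA")
	lparB, _ := NewLPAR("LPARB")
	tok, _ := lparA.WrapClearKey(clearKey)
	_, errA := lparA.EncryptWithProtectedKey(tok, dataNonce, []byte("account record"))
	_, errB := lparB.EncryptWithProtectedKey(tok, dataNonce, []byte("account record"))
	fmt.Println("own partition:  ", errA)
	fmt.Println("other partition:", errB)
}
```

Run as a plain Go program: the first encrypt succeeds, the second reports that the token was not wrapped under LPARB's wrapping key. Note what the model does not show: how a key would be created inside firmware without ever passing through the caller, which is Rob's question and the distinction between this PCKMO-style wrapping and a secure key that lives under the CEX master key.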