I just love IBM-Main!!

Rob

On Thu, Jun 9, 2022 at 11:04 AM Eric D Rossman <[email protected]> wrote:

> Howdy. I'm the author of the core functions used for dataset encryption,
> in ICSF (CSNBKRR2), BCF (BCFXCRYP/BCFCRYPT), and SAF (the ICSF segment).
>
> Confirming:
> AES-256 XTS mode
> It uses protected key exclusively for dataset encryption.
> There is a SAF (CSFKEYS) part of the setup.
>
> Caveats:
> 1. I explicitly coded to support starting with clear keys and converting
> to protected keys, but we documented only the secure key case in the
> Redbooks to make that the preferred (and documented) method.
> 2. BCFCRYPT (the core routine used by dataset encryption) does ship an
> executable macro BCFXCRYP to allow other exploiters (though I don't know of
> any outside of IBM). It currently supports both clear and protected keys
> (only protected keys are used by dataset encryption) as well as XTS and CBC
> mode (only XTS mode is used by dataset encryption).
>
> So, clear keys under a label in the CKDS are supported but we strongly
> recommend secure keys.
>
> Eric Rossman, CISSP
> ICSF Cryptographic Security Development
> z/OS Enabling Technologies
> [email protected]
>
> -----Original Message-----
> From: IBM Mainframe Discussion List <[email protected]> On Behalf
> Of Lennie Dymoke-Bradshaw
> Sent: Thursday, June 9, 2022 7:35 AM
> To: [email protected]
> Subject: [EXTERNAL] Re: Encrypted dataset - any eye catcher?
>
> I was under the impression that there is no technical requirement for the
> key to be a secure key. So data encryption can be used with clear keys in
> the CKDS when a Crypto Express is not available.
>
> Lennie Dymoke-Bradshaw
> https://rsclweb.com
> ‘Dance like no one is watching. Encrypt like everyone is.’
>
> -----Original Message-----
> From: IBM Mainframe Discussion List <[email protected]> On Behalf
> Of Mark Jacobs
> Sent: 09 June 2022 01:48
> To: [email protected]
> Subject: Re: Encrypted dataset - any eye catcher?
>
> I found this in a 2017 IBM Security presentation. So it looks like it's
> XTS-AES.
>
> Key label: 64-byte label of an existing key in the ICSF CKDS used for
> access method encryption/decryption. Encryption type: AES-256 bit data key
> (XTS, protected key). Note: AES-256 key must be generated as a secure key
> (i.e. protected by crypto express AES Master Key)
>
> Mark Jacobs
>
> Sent from ProtonMail, Swiss-based encrypted email.
>
> GPG Public Key -
> https://api.protonmail.ch/pks/lookup?op=get&[email protected]
>
>
> ------- Original Message -------
> On Wednesday, June 8th, 2022 at 8:38 PM, Phil Smith III <[email protected]>
> wrote:
>
> > Radoslaw's question makes me ask a pure curiosity question: what AES
> > mode is used by z/OS data set encryption? I Googled but all I found
> > was "256-bit AES", which doesn't answer the question.
> >
> > ----------------------------------------------------------------------
> > For IBM-MAIN subscribe / signoff / archive access instructions, send
> > email to [email protected] with the message: INFO IBM-MAIN
