I stand corrected.

Lennie

-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Eric D Rossman
Sent: 10 June 2022 13:13
To: [email protected]
Subject: Re: Encrypted dataset - any eye catcher?
The service used is CSNBKRR2 with rule PROTKEY (and rule BYPAUTH [older z/OSes] or DSENC [newer z/OSes]). It is in fetch-protected storage for use by PCC (PCC-Compute-XTS-Parameter-Using-Encrypted-AES-256) and KM (KM-XTS-Encrypted-AES-256).

Eric Rossman, CISSP
ICSF Cryptographic Security Development
z/OS Enabling Technologies
[email protected]

-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Lennie Dymoke-Bradshaw
Sent: Friday, June 10, 2022 8:05 AM
To: [email protected]
Subject: [EXTERNAL] Re: Encrypted dataset - any eye catcher?

Radoslaw,

There is an ICSF call used during data set encryption which extracts the secure key from the CKDS and stores it in an encrypted form in "non-addressable" memory for use by the CPACF instructions (e.g. KMC) which process data using protected keys. That ICSF service (I think it is CSNBSYE with KEYIDENT in the rule-array) uses the Crypto Express device.

Lennie Dymoke-Bradshaw
https://rsclweb.com
‘Dance like no one is watching. Encrypt like everyone is.’

-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Radoslaw Skorupka
Sent: 10 June 2022 12:08
To: [email protected]
Subject: Re: Encrypted dataset - any eye catcher?

This is up to the user. IBM *strongly recommends* that the key should be kept as a secure key. However, for non-production environments it is possible to use Pervasive Encryption without CryptoExpress cards. It's fine that you don't have to buy yet another CEXC.

BTW: Pervasive Encryption is never serviced by CryptoExpress cards and secure keys. For performance reasons it is serviced by CPACF and a protected key. The CryptoExpress CCA Coprocessor is needed only to keep the dataset key safe (encrypted using the MK) in the CKDS.

Note: A protected key is neither a secure key nor a clear key. Technically it is not clear, but the way the key is protected is not certified by authorities and standards.
--
Radoslaw Skorupka
Lodz, Poland

On 09.06.2022 at 13:35, Lennie Dymoke-Bradshaw wrote:
> I was under the impression that there is no technical requirement for the key
> to be a secure key. So data encryption can be used with clear keys in the
> CKDS when a Crypto Express is not available.
>
> Lennie Dymoke-Bradshaw
> https://rsclweb.com
> ‘Dance like no one is watching. Encrypt like everyone is.’
>
> -----Original Message-----
> From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Mark Jacobs
> Sent: 09 June 2022 01:48
> To: [email protected]
> Subject: Re: Encrypted dataset - any eye catcher?
>
> I found this in a 2017 IBM Security presentation. So it looks like it's XTS-AES.
>
> Key label: 64-byte label of an existing key in the ICSF CKDS used for
> access method encryption/decryption. Encryption type: AES-256 bit data
> key (XTS, protected key). Note: AES-256 key must be generated as a
> secure key (i.e. protected by crypto express AES Master Key)
>
> Mark Jacobs
>
> Sent from ProtonMail, Swiss-based encrypted email.
>
> GPG Public Key - INVALID URI REMOVED
>
> ------- Original Message -------
> On Wednesday, June 8th, 2022 at 8:38 PM, Phil Smith III <[email protected]> wrote:
>
>> Radoslaw's question makes me ask a pure curiosity question: what AES
>> mode is used by z/OS data set encryption? I Googled but all I found
>> was "256-bit AES", which doesn't answer the question.
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
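The thread settles on XTS-AES-256 with a protected key, and the original question was whether an encrypted data set carries any eye catcher. As an added example that is not part of the thread and is not IBM's or ICSF's code, the Python block below (using the PyCA cryptography package, which drives OpenSSL's aes-256-xts) shows the properties of the XTS mode that bear on that question: the ciphertext is exactly as long as the plaintext, with no header, IV or tag stored beside it; the same data encrypts differently at different positions because the tweak changes; encryption is deterministic for a fixed key and position; and a single flipped ciphertext bit garbles exactly one 16-byte block on decryption, because XTS provides confidentiality but no integrity. The 512-bit key, the sample record data and the use of a little-endian data-unit number as the tweak (the IEEE 1619 convention) are assumptions made for this example and say nothing about how DFSMS or ICSF derive the tweak.

```python
"""Properties of XTS-AES-256 relevant to the "eye catcher" question.

Added example, not code from the thread or from IBM. Uses the PyCA
``cryptography`` package. The key, the sample record data and the tweak
convention (IEEE 1619 style little-endian data-unit number) are
assumptions made here, not a description of ICSF/DFSMS internals.
"""
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# Constructed 512-bit XTS key: two AES-256 keys (one for data, one for the tweak).
KEY = bytes(range(64))
UNIT = 4096  # bytes in one encryption data unit ("sector") for this example


def tweak_for(unit_no: int) -> bytes:
    """IEEE 1619 convention (assumed here): 128-bit little-endian unit number."""
    return unit_no.to_bytes(16, "little")


def xts_encrypt(key: bytes, unit_no: int, data: bytes) -> bytes:
    enc = Cipher(algorithms.AES(key), modes.XTS(tweak_for(unit_no))).encryptor()
    return enc.update(data) + enc.finalize()


def xts_decrypt(key: bytes, unit_no: int, data: bytes) -> bytes:
    dec = Cipher(algorithms.AES(key), modes.XTS(tweak_for(unit_no))).decryptor()
    return dec.update(data) + dec.finalize()


def sample_unit() -> bytes:
    """Constructed record data: a repeating ASCII pattern filling one unit."""
    rec = b"CUSTOMER-RECORD 0001 "
    return (rec * (UNIT // len(rec) + 1))[:UNIT]


def demo() -> dict:
    plain = sample_unit()
    ct0 = xts_encrypt(KEY, 0, plain)
    ct1 = xts_encrypt(KEY, 1, plain)  # identical bytes, next data unit

    # Flip one bit inside the 7th ciphertext block (bytes 96..111) of unit 0.
    damaged = bytearray(ct0)
    damaged[100] ^= 0x01
    recovered = xts_decrypt(KEY, 0, bytes(damaged))

    # Index of every 16-byte block whose decryption no longer matches.
    bad_blocks = [i // 16 for i in range(0, UNIT, 16)
                  if recovered[i:i + 16] != plain[i:i + 16]]

    return {
        "length_preserved": len(ct0) == len(plain),  # no header, IV or tag added
        "no_eye_catcher": b"CUSTOMER" not in ct0,     # plaintext pattern is gone
        "round_trip": xts_decrypt(KEY, 0, ct0) == plain,
        "position_dependent": ct0 != ct1,             # tweak differs per unit
        "deterministic": xts_encrypt(KEY, 0, plain) == ct0,
        "damaged_blocks": bad_blocks,                 # only block 6 is affected
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:20} {value}")
```

The practical reading of the last two results: because XTS is deterministic per position and has no authentication, an attacker who can write to the encrypted medium can replay an old ciphertext block at the same position or corrupt a chosen 16-byte block without the access method noticing. Integrity of encrypted data sets therefore has to come from elsewhere (access control to the volumes, and the protection of the data key itself, which is what the CKDS and protected-key discussion above is about).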
