Lennie,

No problem, nobody's perfect, even Jack Lemmon. ;-)
I always appreciated your input. Please, continue.


Regards
--
Radoslaw Skorupka
Lodz, Poland



On 13.06.2022 at 10:35, Lennie Dymoke-Bradshaw wrote:
Radoslaw,

Apologies for my derelict statements below. Obviously I was suffering 
brain-fade.

My first encounters with protected key processing are shown in this redbook.
https://www.redbooks.ibm.com/abstracts/sg247848.html?Open
There are examples there of using protected keys with the CSNBSYE service.

My statement of the storage of the protected key itself was of course 
completely wrong. A good explanation of the mechanisms is shown in this redbook.
https://www.redbooks.ibm.com/abstracts/sg248410.html in section 3.5.6.

Regards,
Lennie

Lennie Dymoke-Bradshaw
https://rsclweb.com
‘Dance like no one is watching. Encrypt like everyone is.’

-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of 
Lennie Dymoke-Bradshaw
Sent: 10 June 2022 16:56
To: [email protected]
Subject: Re: Encrypted dataset - any eye catcher?

I stand corrected.
Lennie

-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of 
Eric D Rossman
Sent: 10 June 2022 13:13
To: [email protected]
Subject: Re: Encrypted dataset - any eye catcher?

The service used is CSNBKRR2 with rule PROTKEY (and rule BYPAUTH [older z/OSes] 
or DSENC [newer z/OSes]).

It is in fetch-protected storage for use by 
PCC(PCC-Compute-XTS-Parameter-Using-Encrypted-AES-256) and 
KM(KM-XTS-Encrypted-AES-256).

Eric Rossman, CISSP
ICSF Cryptographic Security Development
z/OS Enabling Technologies
[email protected]

-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of 
Lennie Dymoke-Bradshaw
Sent: Friday, June 10, 2022 8:05 AM
To: [email protected]
Subject: [EXTERNAL] Re: Encrypted dataset - any eye catcher?

Radoslaw,

There is an ICSF call used during data set encryption which extracts the secure key from 
the CKDS and stores it in an encrypted form in "non-addressable" memory for 
use by the CPACF instructions (e.g. KMC) which process data using protected keys. That 
ICSF service (I think it is CSNBSYE with KEYIDENT in the rule-array) uses the Crypto 
Express device.

Lennie Dymoke-Bradshaw
https://rsclweb.com
‘Dance like no one is watching. Encrypt like everyone is.’


-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of 
Radoslaw Skorupka
Sent: 10 June 2022 12:08
To: [email protected]
Subject: Re: Encrypted dataset - any eye catcher?

This is up to the user.
IBM *strongly recommends* the key should be kept as secure.
However for non-production environments it is possible to use Pervasive 
Encryption without CryptoExpress cards. It's fine that you don't have to buy 
yet another CEXC.

BTW: Pervasive Encryption is never serviced by CryptoExpress cards and secure 
keys. Due to performance reasons it is serviced by CPACF and protected key. 
CryptoExpress CCA Coprocessor is needed only to keep the dataset key safe 
(encrypted using MK) in CKDS.

Note: Protected key is neither secure key nor clear key. Technically it is not 
clear, but the way the key is protected is not certified by authorities and 
standards.

--
Radoslaw Skorupka
Lodz, Poland




On 09.06.2022 at 13:35, Lennie Dymoke-Bradshaw wrote:
I was under the impression that there is no technical requirement for the key 
to be a secure key. So data encryption can be used with clear keys in the CKDS 
when a Crypto Express is not available.

Lennie Dymoke-Bradshaw
https://rsclweb.com
‘Dance like no one is watching. Encrypt like everyone is.’

-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On
Behalf Of Mark Jacobs
Sent: 09 June 2022 01:48
To: [email protected]
Subject: Re: Encrypted dataset - any eye catcher?

I found this in a 2017 IBM Security presentation. So it looks like it's XTS-AES.

Key label: 64-byte label of an existing key in the ICSF CKDS used for
access method encryption/decryption. Encryption type: AES-256 bit data
key (XTS, protected key). Note: AES-256 key must be generated as a
secure key (i.e. protected by crypto express AES Master Key)

Mark Jacobs

Sent from ProtonMail, Swiss-based encrypted email.


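The XTS-AES construction that Eric's KM-XTS-Encrypted-AES-256 / PCC-Compute-XTS-Parameter remark and Mark's "AES-256 (XTS, protected key)" quote point at, as an added software model that is not IBM, ICSF or z/OS code and not part of this thread: the 512-bit key is split into a data half and a tweak half, the tweak is derived from a data-unit number, and each following 16-byte block gets the tweak multiplied by alpha in GF(2^128) (IEEE 1619). Key bytes and the unit number are constructed sample values; on z/OS the protected key never reaches application storage and CPACF performs this step with the wrapped key.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"fmt"
)

// mulAlpha: tweak times alpha in GF(2^128), IEEE 1619 little-endian convention.
func mulAlpha(t *[aes.BlockSize]byte) {
	var carry byte
	for i := range t {
		next := t[i] >> 7
		t[i] = t[i]<<1 | carry
		carry = next
	}
	if carry != 0 {
		t[0] ^= 0x87 // reduce modulo x^128 + x^7 + x^2 + x + 1
	}
}

// xtsAES256 encrypts or decrypts one data unit of whole 16-byte blocks (no ciphertext
// stealing); key1/key2 are the 32-byte halves of the 512-bit key, unit seeds the tweak.
func xtsAES256(key1, key2 []byte, unit uint64, in []byte, decrypt bool) ([]byte, error) {
	k1, err1 := aes.NewCipher(key1) // data-encryption key
	k2, err2 := aes.NewCipher(key2) // tweak-encryption key
	if err1 != nil || err2 != nil || len(in)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("need two valid AES keys and whole blocks: %v %v", err1, err2)
	}
	op := k1.Encrypt
	if decrypt {
		op = k1.Decrypt
	}
	var t [aes.BlockSize]byte
	binary.LittleEndian.PutUint64(t[:8], unit)
	k2.Encrypt(t[:], t[:]) // T_0 = E_K2(data-unit number)
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += aes.BlockSize {
		blk := out[i : i+aes.BlockSize]
		for j := range blk { // PP = P xor T_j
			blk[j] = in[i+j] ^ t[j]
		}
		op(blk, blk) // CC = E_K1(PP), or D_K1 when decrypting
		for j := range blk { // C = CC xor T_j
			blk[j] ^= t[j]
		}
		mulAlpha(&t) // T_{j+1} = T_j * alpha: same plaintext, new position, new ciphertext
	}
	return out, nil
}
```

The construction gives confidentiality only: nothing in it detects a modified ciphertext block, which is why data set encryption still relies on access control and auditing around the data.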

------- Original Message -------
On Wednesday, June 8th, 2022 at 8:38 PM, Phil Smith III <[email protected]> wrote:


Radoslaw's question makes me ask a pure curiosity question: what AES
mode is used by z/OS data set encryption? I Googled but all I found
was "256-bit AES", which doesn't answer the question.


----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
