It looks like she was using the term KVV to mean the same thing I was referring 
to. I had just never heard it called that.

I think your understanding was fairly close. I was getting hung up on the 
terminology. Sorry for that.

The check is on the OPEN. I'm not from DFSMS but this is my understanding:

We use the label from the catalog to retrieve the dataset encryption key and 
then use the returned key to check that we get back valid data. If anything 
goes wrong (label isn't found, using the key doesn't return valid data, etc.), 
we stop the OPEN and fail the operation.

Eric Rossman, CISSP
ICSF Cryptographic Security Development
z/OS Enabling Technologies
[email protected]
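As an added illustration (not ICSF or DFSMS code, and not from anyone in this thread), a small Python model of the OPEN-time check described above: the catalog entry carries the key label plus a value unique to the dataset, the key value itself comes only from the CKDS, and OPEN is stopped if the label is missing or the retrieved key does not yield valid data. The two CKDS dictionaries, the catalog entry layout, the HMAC key derivation and the toy cipher are all assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed stand-in for the CKDS on two systems (label -> key value). System B
# holds the same label as A but a different key value, the mistake discussed in the thread.
CKDS_SYSTEM_A = {"DATASET.ENCRYPT.KEY01": bytes(range(32))}
CKDS_SYSTEM_B = {"DATASET.ENCRYPT.KEY01": bytes(range(1, 33))}
# Constructed catalog entry: key label plus a value unique to this dataset (hypothetical layout).
CATALOG_ENTRY = {"label": "DATASET.ENCRYPT.KEY01", "dataset_value": b"unique-per-dataset-01"}


class OpenFailed(Exception):
    """OPEN is stopped: label not found, or the key does not return valid data."""


def derive_dataset_key(key_value: bytes, dataset_value: bytes) -> bytes:
    # Assumed derivation: bind the label's key value to this dataset's catalog value.
    return hmac.new(key_value, dataset_value, hashlib.sha256).digest()


def _keystream(dataset_key: bytes, length: int) -> bytes:
    # Toy counter-mode keystream; stands in for the real data set cipher.
    blocks = (hashlib.sha256(dataset_key + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def encrypt_dataset(ckds: dict, entry: dict, plaintext: bytes) -> tuple:
    dk = derive_dataset_key(ckds[entry["label"]], entry["dataset_value"])
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(dk, len(plaintext))))
    tag = hmac.new(dk, ct, hashlib.sha256).digest()  # what lets OPEN validate the key
    return ct, tag


def open_dataset(ckds: dict, entry: dict, ct: bytes, tag: bytes) -> bytes:
    label = entry["label"]
    if label not in ckds:  # label isn't found -> stop the OPEN
        raise OpenFailed(f"key label {label} not found in CKDS")
    dk = derive_dataset_key(ckds[label], entry["dataset_value"])
    if not hmac.compare_digest(hmac.new(dk, ct, hashlib.sha256).digest(), tag):
        raise OpenFailed(f"key under label {label} does not return valid data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(dk, len(ct))))


def simulate() -> dict:
    # Dataset written on system A, then opened on A, on B, and with no key present.
    ct, tag = encrypt_dataset(CKDS_SYSTEM_A, CATALOG_ENTRY, b"payroll records")
    results = {}
    cases = [("same key", CKDS_SYSTEM_A), ("same label, different value", CKDS_SYSTEM_B), ("no key", {})]
    for name, ckds in cases:
        try:
            results[name] = open_dataset(ckds, CATALOG_ENTRY, ct, tag).decode()
        except OpenFailed as err:
            results[name] = f"OPEN failed: {err}"
    return results
```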

-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of 
Radoslaw Skorupka
Sent: Saturday, June 25, 2022 5:30 AM
To: [email protected]
Subject: [EXTERNAL] Re: Encrypted datasets - question about key (pervasive 
encryption)

Well, I found the information about KVV in some IBM presentations, like IBM 
Client Center Montpellier - September 19-22, 2017 IBM Z Security Conference, or 
Pervasive Encryption Overview - z/OS Data Set Encryption, November 15, 2018, 
both authored by Cecilia Carranza Lewis.
Maybe I misunderstood something.

Regarding the issue - obviously the authors know better than the user. :-) I 
tried to read a shared dataset with no key present and with the key present, 
same label, different value.
Now the question: how does the system know the key is different? Does it 
happen before open?
My understanding (it seems, a wrong one) was quite simple: the first check is 
the key label. The next check is a key hash or another way allowing key values 
to be compared without knowing them.

-- 
Radoslaw Skorupka
Lodz, Poland



W dniu 24.06.2022 o 22:03, Eric D Rossman pisze:
> While it is true that you can use different CKDS, the label must refer to the 
> same key (even under different master keys) or you won't be able to open the 
> dataset.
>
> There is no KVV anywhere. The value in the catalog for each encrypted dataset 
> is unique to that dataset and is not directly related to the key. You will 
> know if you have the correct keys by trying to open the dataset.
>
> Eric Rossman, CISSP
> ICSF Cryptographic Security Development
> z/OS Enabling Technologies
> [email protected]
>
> -----Original Message-----
> From: IBM Mainframe Discussion List <[email protected]> On Behalf Of 
> Radoslaw Skorupka
> Sent: Friday, June 24, 2022 3:35 PM
> To: [email protected]
> Subject: [EXTERNAL] Re: Encrypted datasets - question about key (pervasive 
> encryption)
>
> Well, labels are unique within the ICSF realm or, more precisely, the CKDS.
> However it is possible to share a dataset between systems, non-sysplexed to 
> simplify the considerations. And it is possible (by mistake) to have the same 
> labels but different key values. Or just replace the key by mistake.
>
> KVV - I meant Key Verification Value.
>
>
> --
> Radoslaw Skorupka
> Lodz, Poland
>
>
>
>
> W dniu 24.06.2022 o 20:08, Eric D Rossman pisze:
>> Labels for dataset encryption keys (DATA or CIPHER) are unique. You cannot 
>> have the same label with different types where one of the types is DATA or 
>> CIPHER. What "KVV" are you referring to?
>>
>> Eric Rossman, CISSP
>> ICSF Cryptographic Security Development
>> z/OS Enabling Technologies
>> [email protected]
>>
>> -----Original Message-----
>> From: IBM Mainframe Discussion List <[email protected]> On Behalf Of 
>> Radoslaw Skorupka
>> Sent: Friday, June 24, 2022 9:14 AM
>> To: [email protected]
>> Subject: [EXTERNAL] Encrypted datasets - question about key (pervasive 
>> encryption)
>>
>> An encrypted dataset can be easily recognized using ISPF/PDF 3.4 - I line 
>> commands.
>> However "Encrypted - YES" does not contain some important details.
>> The next step could be IDCAMS LISTCAT ENT(dataset) - it shows the key label.
>> However in some cases it is possible to have two different keys with the same 
>> label. I guess that's why the KVV is recorded in the VVDS.
>> Now the question: how to get information about the KVV without digging in 
>> VVDS structures?
>>
>> --
>> Radoslaw Skorupka
>> Lodz, Poland
>>

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
