It looks like she was using the term KVV to mean the same thing I was referring to. I had just never heard it called that.

I think your understanding was fairly close. I was getting hung up on the terminology. Sorry for that.

The check is on the OPEN. I'm not from DFSMS but this is my understanding: We use the label from the catalog to retrieve the dataset encryption key and then use the returned key to check that we get back valid data. If anything goes wrong (label isn't found, using the key doesn't return valid data, etc.), we stop the OPEN and fail the operation.

Eric Rossman, CISSP
ICSF Cryptographic Security Development
z/OS Enabling Technologies
[email protected]

-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Radoslaw Skorupka
Sent: Saturday, June 25, 2022 5:30 AM
To: [email protected]
Subject: [EXTERNAL] Re: Encrypted datasets - question about key (pervasive encryption)

Well, I found the information about KVV in some IBM presentations, like
IBM Client Center Montpellier - September 19-22, 2017 IBM Z Security Conference
or
Pervasive Encryption Overview - z/OS Data Set Encryption, November 15, 2018
both authored by Cecilia Carranza Lewis.
Maybe I misunderstood something.

Regarding the issue - obviously the authors know better than a user. :-)
I tried to read a shared dataset with no key present and with a key present, same label, different value.
Now the question: how does the system know the key is different? Does it happen before open?
My understanding (it seems, a wrong one) was quite simple: the first check is the key label. The next check is a key hash or another way allowing to compare key values without knowing them.

--
Radoslaw Skorupka
Lodz, Poland

On 24.06.2022 at 22:03, Eric D Rossman wrote:
> While it is true that you can use different CKDS, the label must refer to the
> same key (even under different master keys) or you won't be able to open the
> dataset.
>
> There is no KVV anywhere. The value in the catalog for each encrypted dataset
> is unique to that dataset and is not directly related to the key. You will
> know if you have the correct keys by trying to open the dataset.
>
> Eric Rossman, CISSP
> ICSF Cryptographic Security Development
> z/OS Enabling Technologies
> [email protected]
>
> -----Original Message-----
> From: IBM Mainframe Discussion List <[email protected]> On Behalf Of
> Radoslaw Skorupka
> Sent: Friday, June 24, 2022 3:35 PM
> To: [email protected]
> Subject: [EXTERNAL] Re: Encrypted datasets - question about key (pervasive
> encryption)
>
> Well, labels are unique within the ICSF realm or more precisely - the CKDS.
> However it is possible to share a dataset between systems, non-sysplexed to
> simplify the considerations. And it is possible (by mistake) to have the same
> labels but different key values. Or just replace the key by mistake.
>
> KVV - I meant Key Verification Value.
>
>
> --
> Radoslaw Skorupka
> Lodz, Poland
>
>
>
>
> On 24.06.2022 at 20:08, Eric D Rossman wrote:
>> Labels for dataset encryption keys (DATA or CIPHER) are unique. You cannot
>> have the same label with different types where one of the types is DATA or
>> CIPHER. What "KVV" are you referring to?
>>
>> Eric Rossman, CISSP
>> ICSF Cryptographic Security Development
>> z/OS Enabling Technologies
>> [email protected]
>>
>> -----Original Message-----
>> From: IBM Mainframe Discussion List <[email protected]> On Behalf Of
>> Radoslaw Skorupka
>> Sent: Friday, June 24, 2022 9:14 AM
>> To: [email protected]
>> Subject: [EXTERNAL] Encrypted datasets - question about key (pervasive
>> encryption)
>>
>> An encrypted dataset can be easily recognized using the ISPF/PDF 3.4 - I line
>> command.
>> However "Encrypted - YES" does not contain some important details.
>> The next step could be IDCAMS LISTCAT ENT(dataset) - it shows the key label.
>> However in some cases it is possible to have two different keys with the same
>> label. I guess that's why the KVV is recorded in the VVDS.
>> Now the question: how to get information about the KVV without digging in
>> VVDS structures?
>>
>> --
>> Radoslaw Skorupka
>> Lodz, Poland
>>
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
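The OPEN-time behaviour Eric describes (resolve the catalog label in the local CKDS, then use the returned key to confirm it yields valid data, and fail the OPEN otherwise), as an added example that is not part of this thread and not IBM's code. The "valid data" check is modelled here as a keyed tag over a random per-dataset catalog value; the real DFSMS/ICSF check, the catalog and VVDS layout, and the CKDS interface are not described on the page and are stand-ins in this model.

```python
import hashlib
import hmac
import secrets


class OpenFailed(Exception):
    """Raised when OPEN cannot validate the dataset encryption key."""


def register_dataset(key: bytes, label: str) -> dict:
    """Model of cataloguing a newly encrypted dataset.

    The entry stores only the key label, a random value unique to this
    dataset, and a tag computed under the key; the key itself is never
    written to the catalog (modelled layout, not the real VVDS record).
    """
    check = secrets.token_bytes(16)  # unique per dataset, unrelated to the key
    tag = hmac.new(key, b"dsn-open-check" + check, hashlib.sha256).digest()
    return {"label": label, "check": check, "tag": tag}


def open_dataset(entry: dict, ckds: dict) -> bytes:
    """Model of OPEN: look the label up in this system's CKDS, then verify.

    Returns the key on success. Raises OpenFailed when the label is missing
    or when the key stored under that label does not reproduce valid data,
    which is how a same-label/different-value mistake surfaces.
    """
    key = ckds.get(entry["label"])
    if key is None:
        raise OpenFailed(f"label {entry['label']!r} not found in CKDS")
    expected = hmac.new(key, b"dsn-open-check" + entry["check"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, entry["tag"]):
        raise OpenFailed(f"key under label {entry['label']!r} does not match dataset")
    return key


def demo() -> dict:
    """Replay the thread's scenario: shared dataset, three systems' CKDS contents."""
    label = "DATASET.AES.KEY01"          # constructed label
    key_a = secrets.token_bytes(32)      # key that encrypted the dataset
    key_b = secrets.token_bytes(32)      # same label, different value (the mistake)
    entry = register_dataset(key_a, label)
    results = {}
    for name, ckds in [("right_key", {label: key_a}),
                       ("wrong_value", {label: key_b}),
                       ("no_key", {})]:
        try:
            open_dataset(entry, ckds)
            results[name] = "opened"
        except OpenFailed as err:
            results[name] = f"failed: {err}"
    return results
```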
