How, in the most general case, perhaps unblocked, binary data, do you know you've got valid data?
> -----Original Message-----
> From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Eric D Rossman
> Sent: Monday, June 27, 2022 6:03 PM
> To: [email protected]
> Subject: Re: Encrypted datasets - question about key (pervasive encryption)
>
> It looks like she was using the term KVV to mean the same thing I was
> referring to. I had just never heard it called that.
>
> I think your understanding was fairly close. I was getting hung up on the
> terminology. Sorry for that.
>
> The check is on the OPEN. I'm not from DFSMS but this is my understanding:
>
> We use the label from the catalog to retrieve the dataset encryption key and
> then use the returned key to check that we get back valid data. If anything
> goes wrong (label isn't found, using the key doesn't return valid data, etc.),
> we stop the OPEN and fail the operation.
>
> Eric Rossman, CISSP
> ICSF Cryptographic Security Development
> z/OS Enabling Technologies
> [email protected]
>
> -----Original Message-----
> From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Radoslaw Skorupka
> Sent: Saturday, June 25, 2022 5:30 AM
> To: [email protected]
> Subject: [EXTERNAL] Re: Encrypted datasets - question about key (pervasive encryption)
>
> Well, I found the information about KVV in some IBM presentations, like IBM
> Client Center Montpellier - September 19-22, 2017 IBM Z Security
> Conference or Pervasive Encryption Overview - z/OS Data Set Encryption,
> November 15, 2018 both authored by Cecilia Carranza Lewis.
> Maybe I misunderstood something.
>
> Regarding the issue - obviously authors know better than user. :-) I tried to
> read shared dataset with no key present and with key present, same label,
> different value.
> Now the question: how the system knows the key is different? Does it
> happen before open?
> My understanding (it seems, wrong one) was quite simple: first check is key
> label. Next check is key hash or other way allowing to compare key values
> without knowing them.
>
> --
> Radoslaw Skorupka
> Lodz, Poland
>
> On 24.06.2022 at 22:03, Eric D Rossman wrote:
> > While it is true that you can use different CKDS, the label must refer to the
> > same key (even under different master keys) or you won't be able to open
> > the dataset.
> >
> > There is no KVV anywhere. The value in the catalog for each encrypted
> > dataset is unique to that dataset and is not directly related to the key. You
> > will know if you have the correct keys by trying to open the dataset.
> >
> > Eric Rossman, CISSP
> > ICSF Cryptographic Security Development
> > z/OS Enabling Technologies
> > [email protected]
> >
> > -----Original Message-----
> > From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Radoslaw Skorupka
> > Sent: Friday, June 24, 2022 3:35 PM
> > To: [email protected]
> > Subject: [EXTERNAL] Re: Encrypted datasets - question about key (pervasive encryption)
> >
> > Well, labels are unique within ICSF realm or more precisely - CKDS.
> > However it is possible to share dataset between systems, non-sysplexed to
> > simplify the considerations. And it is possible (by mistake) to have same
> > labels but different key values. Or just replace the key by mistake.
> >
> > KVV - I meant Key Verification Value.
> >
> > --
> > Radoslaw Skorupka
> > Lodz, Poland
> >
> > On 24.06.2022 at 20:08, Eric D Rossman wrote:
> >> Labels for dataset encryption keys (DATA or CIPHER) are unique. You
> >> cannot have the same label with different types where one of the types is
> >> DATA or CIPHER. What "KVV" are you referring to?
> >>
> >> Eric Rossman, CISSP
> >> ICSF Cryptographic Security Development
> >> z/OS Enabling Technologies
> >> [email protected]
> >>
> >> -----Original Message-----
> >> From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Radoslaw Skorupka
> >> Sent: Friday, June 24, 2022 9:14 AM
> >> To: [email protected]
> >> Subject: [EXTERNAL] Encrypted datasets - question about key (pervasive encryption)
> >>
> >> Encrypted dataset can be easily recognized using ISPF/PDF 3.4 - I line
> >> commands.
> >> However "Encrypted - YES" does not contain some important details.
> >> Next step could be IDCAMS LISTCAT ENT(dataset) - it shows key label.
> >> However in some cases it is possible to have two different keys with same
> >> label. I guess that's why KVV is recorded in VVDS.
> >> Now the question: how to get information about the KVV without digging
> >> in VVDS structures?
> >>
> >> --
> >> Radoslaw Skorupka
> >> Lodz, Poland
> >>
> >
> > ----------------------------------------------------------------------
> > For IBM-MAIN subscribe / signoff / archive access instructions,
> > send email to [email protected] with the message: INFO IBM-MAIN
