While I understand a certain amount of skepticism about the "protected" key.. I am having difficulty understand how much less secure protected key is from the secure key. It would seem on the surface that the protected key is just a "child" of secure key and still very secure. Considering the performance characteristics... it would seem to be quite attractive.
Rob Schramm Rob Schramm Senior Systems Consultant Imperium Group On Wed, Apr 24, 2013 at 11:00 AM, Todd Arnold <[email protected]> wrote: > Well, I see that I started some interesting discussions. Let me try to > answer some of the questions - the answers are not complicated. > > Phil Smith said: > > I can only speculate from here that it's either (a) a conservative > approach, to keep mixed use > > from causing unsatisfactory performance for one camp or the other > (e.g., a ton of SSL handshakes > > causes PIN operations to be slow, or vice versa) > > That is exactly the reason. The System z architects were worried that > performance would be unpredictable when operations of the two types could > "steal" performance from each other. > > Tony Harminc said: > > Which of course raises the questions of how well the card interfaces > >are documented, and whether the cards are available for other > > platforms. > > The low-level interfaces to the cards are intentionally NOT publicly > documented. The reason for this is that those interfaces change from time > to time, typically when we come out with a new card. Thus, there would be > a big problem if customers coded to such an interface - they would be quite > unhappy when their stuff stopped working after IBM made changes. To solve > that problem, we define higher-level interfaces (like the CCA API) that we > keep the same from card to card. > > The cards are definitely available on other platforms. It has always been > available on all IBM server families - for example, see > http://www-03.ibm.com/security/cryptocards/pciecc/overproduct.shtml where > you will find information saying the PCIe crypto card (4765, aka > CEX3/CEX4S) is available on System z (z/OS, Linux, others), Power servers > (AIX, IBM i), and System x servers (Linux, and Windows by special request). > > Tony also mentioned this: > > Some years ago researchers at Ross Anderson's security lab at > Cambridge mounted a > > successful attack on earlier IBM crypto APIs > > Be careful to understand what they really found. Their attack was only > possible in unrealistic configurations in which any user was authorized to > invoke every API function possible with the crypto card - and in real-world > systems, access control is always used to block just such attacks. > Prevention of such attacks is precisely why there IS access control built > in to all systems using the crypto cards. As you may know, even after it > was publicized, there were never ANY actual cases where such an attack was > used on live systems - because it was impossible with any reasonably > configured system. Regardless, we did make some changes to prevent the > attacks they noted. > > Radoslaw Skorupka said: > > > ... and whether the cards are available for other platforms. > > Yes, obviously. There have been since first model (PCICC). > > Actually, it goes back farther than that. Our first crypto card was the > 4755, in 1989. That card was supported on PCs, RISC 6000 AIX systems > (predecessor to System p and Power), and AS/400. In addition, we had a > separate product, the 4753, which contained the 4755 card and > channel-attached to mainframes running MVS. (and yes, I worked on those - > in addition to the research work that preceded them. Thanks, Phil for > mentioning my history on this!) > > Todd Arnold > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to [email protected] with the message: INFO IBM-MAIN > ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
