Hi everybody, I want to thank you for your valuable support; anyway, I hope you'll have a little more patience and give me the "final hint".
What I've understood is that "Protected Key" is almost as secure as "Secure Key", but with the "clear everything and more" in case of attack. Greg said: "CSNBKEX (Key Export) and CSNBKIM (Key Import) are both secure key APIs, which are executed on the Crypto Express cards", so, if I understand correctly, I can do nothing to use the "local processor" and ICSF will still use the CryptoCard. If so, I can consider my trip on the topic closed. If not, do I have to modify my application (I'm expecting NO)? Is ICSF still doing the work for me (I'm expecting YES)? (I think there are different things to do at RACF level.) I wouldn't want to make my RACF colleagues work on a "dead track" and pay for beers for the whole century! :D

Thank you again.

Massimo Biancucci

2013/4/30 Todd Arnold <[email protected]>

> > IMHO protected key *does require* CryptoExpress option, not for data
> > processing, but for key storing.
>
> You are right. The keys are stored in a form that is protected by the
> Crypto Express card. Crypto Express unwraps the key and passes it directly
> to CPACF. Thus, Crypto Express is needed in order to use the Protected Key
> CPACF features.
>
> Once CPACF receives the key from the Crypto Express, it re-wraps the key
> using a key encrypting key (KEK) that it generates. That key is not
> permanent - it goes away if the system is restarted, etc. Thus, keys
> wrapped under the CPACF KEK are not suitable for long-term storage, such as
> storage in CKDS.
>
> At a very high level, it works something like this:
>
> 1. Key read from CKDS
> 2. Key sent to Crypto Express
> 3. Crypto Express unwraps the key and sends the cleartext key directly to CPACF
> 4. CPACF rewraps the key with the volatile KEK it generated when it started up
> 5. CPACF returns the rewrapped key to the application program
> 6. Application program uses that rewrapped key in protected mode requests to CPACF
> .....
> 7. When system is powered off, restarted, etc., the CPACF KEK is lost and it generates a new one
> 8. Repeat from step 1
>
> Todd Arnold
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: INFO IBM-MAIN
> ----------------------------------------------------------------------
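A toy model of the eight-step flow quoted above, added here as an illustration and not code from the list, from ICSF or from IBM: the wrap/unwrap primitive is a constructed HMAC-based stand-in for the real wrapping, and the CryptoExpress/CPACF classes are hypothetical. It shows that the application only ever holds a CPACF-wrapped key (never the clear key), that the CKDS entry stays valid across restarts, and that the CPACF-wrapped key stops working once the volatile KEK is regenerated.

```python
import os, hmac, hashlib

def _stream(kek, nonce):
    return hmac.new(kek, nonce, hashlib.sha256).digest()

def wrap(kek, key):
    """Constructed stand-in for key wrapping: HMAC keystream XOR plus an integrity tag."""
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(key, _stream(kek, nonce)))
    tag = hmac.new(kek, nonce + body, hashlib.sha256).digest()[:16]
    return nonce + body + tag

def unwrap(kek, blob):
    nonce, body, tag = blob[:16], blob[16:48], blob[48:]
    expect = hmac.new(kek, nonce + body, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("not wrapped under this KEK")  # a stale CPACF-wrapped key ends here
    return bytes(a ^ b for a, b in zip(body, _stream(kek, nonce)))

class CryptoExpress:  # hypothetical: card with a long-lived master key (what protects the CKDS entry)
    def __init__(self):
        self.master_key = os.urandom(32)
    def export_to_cpacf(self, ckds_entry, cpacf):          # steps 2-5: clear key goes only to CPACF
        return cpacf.rewrap(unwrap(self.master_key, ckds_entry))

class CPACF:  # hypothetical: processor facility whose KEK is volatile, regenerated at every start
    def __init__(self):
        self.kek = os.urandom(32)
    def rewrap(self, clear_key):                            # step 4
        return wrap(self.kek, clear_key)
    def protected_encrypt(self, wrapped_key, data):         # step 6: app passes the wrapped key
        key = unwrap(self.kek, wrapped_key)
        return bytes(a ^ b for a, b in zip(data, _stream(key, b"data")))

def run_flow(data=b"payroll record 42"):
    card = CryptoExpress()
    ckds_entry = wrap(card.master_key, os.urandom(32))      # step 1: the key as stored in the CKDS
    cpacf = CPACF()
    app_key = card.export_to_cpacf(ckds_entry, cpacf)       # all the application ever holds
    ct1 = cpacf.protected_encrypt(app_key, data)
    cpacf = CPACF()                                         # step 7: restart, new volatile KEK
    try:
        cpacf.protected_encrypt(app_key, data)
        stale_ok = True
    except ValueError:
        stale_ok = False                                    # old wrapped key is useless now
    app_key = card.export_to_cpacf(ckds_entry, cpacf)       # step 8: repeat from step 1
    ct2 = cpacf.protected_encrypt(app_key, data)
    return {"stale_key_usable": stale_ok, "same_result_after_refresh": ct1 == ct2}
```

The equal ciphertexts before and after the refresh show that the same underlying key was recovered from the CKDS entry, which is why the CKDS form, not the CPACF-wrapped form, is the one to persist.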
