A1: Yes, the clear-key ICSF encrypt/decrypt functions (which use only the CPACF CPU instructions, no crypto-card needed) can be used with clear keys stored securely in the CKDS. It may be (don't know this for a fact) that the recently announced "protected" clear keys can be used without a coprocessor, increasing the security level even for clear keys.
A2: Can't think of anything except loss of the ability for secure storage of clear keys mentioned in A1. If secure storage of clear keys is not an issue, just using CPACF encrypt/decrypt instructions with program-embedded clear keys (obviously not nearly as secure) uses MUCH less CPU time than the ICSF clear-key functions (measured here to be at least an order of magnitude difference). HTH Peter -----Original Message----- From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of John Chase Sent: Thursday, September 19, 2013 10:49 AM To: [email protected] Subject: ICSF Without Crypto Card? Hi, List, On z/OS 1.13: Q1: Is there anything to be gained, running ICSF without any cryptographic coprocessors installed? Q2: Is anything "lost" by NOT running ICSF without cryptographic coprocessors installed? -- This message and any attachments are intended only for the use of the addressee and may contain information that is privileged and confidential. If the reader of the message is not the intended recipient or an authorized representative of the intended recipient, you are hereby notified that any dissemination of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by e-mail and delete the message and any attachments from your system. ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
