Right. As I understand this was a potential vulnerability in *some* implementations. According to IBM, theirs does not, but some partners may have it disabled.
IMO it is a good idea to submit your requirement to IBM to support AES CTR mode in ICSF. CTR mode also has the advantage of being able to multi-thread encryption of packets, since each packet can be encrypted in parallel. There is nothing missing from CPACF instructions that is needed - if you write directly to CPACF you can easily implement AES-CTR mode.

Kirk Wolf
Dovetailed Technologies
http://dovetail.com

On Mon, Mar 10, 2014 at 5:05 PM, Steve Finch <[email protected]> wrote:

> Some shops do not allow aes-cbc because of the 'Padding Oracle Attack'
> problem, since AES-CBC uses padding. aes-ctr does not use padding.
>
> Also FIPS 140-2 was published in 2001 and last updated in 2002
>
> Steve Finch
> Recovery Point
>
> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:[email protected]] On
> Behalf Of Mark Jacobs
> Sent: Monday, March 10, 2014 11:02 AM
> To: [email protected]
> Subject: aes-ctr vs aes-cbc
>
> We've been trying to migrate our ssh/sftp environment, for both our client
> and server users to only use FIPS-140-2 certified ciphers, and run ICSF in
> FIPS mode. We've had no problems doing so, except with one of our partners
> who states that their security policy will not allow their sftp server to
> accept data transmitted with any CBC cipher.
>
> I tried adding the aes-ctr ciphers to our allowed list, but it doesn't
> look like ICSF can handle it, which is needed for ICSF to execute in FIPS
> mode.
>
> It seems like I'm in an unresolvable problem from a technology standpoint,
> unless our partner changes their policy, which I don't understand why they
> don't allow FIPS-140-2 certified ciphers to be used.
>
> --
> Mark Jacobs
> Time Customer Service
> Tampa, FL
> ----
>
> The quiet ones are the ones that change the universe...
> The loud ones only take the credit.
>
> Londo Mollari - Babylon 5
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions, send email
> to [email protected] with the message: INFO IBM-MAIN
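
The two CTR properties raised in this thread (no padding, and blocks that can be processed independently of each other), shown as an added example that is not part of the original messages and is not ICSF or CPACF code. `block_encrypt` is a stand-in built from HMAC-SHA256, not AES; the 8-byte nonce plus 8-byte counter layout and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
from concurrent.futures import ThreadPoolExecutor

BLOCK = 16  # AES block size in bytes


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for one forward block-cipher call (assumption: this is NOT AES).

    CTR mode only ever uses the cipher in the encrypt direction, so any
    keyed function with a 16-byte output is enough to show the structure.
    """
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def counter_block(nonce: bytes, index: int) -> bytes:
    # Constructed layout: 8-byte nonce || 8-byte big-endian block counter.
    if len(nonce) != 8:
        raise ValueError("nonce must be 8 bytes in this example")
    return nonce + index.to_bytes(8, "big")


def ctr_xor_block(key: bytes, nonce: bytes, index: int, chunk: bytes) -> bytes:
    """Encrypt or decrypt block `index`; needs no other block as input."""
    keystream = block_encrypt(key, counter_block(nonce, index))
    # zip() stops at the shorter input, so a short final block is simply
    # XORed with a truncated keystream: no padding is ever added.
    return bytes(a ^ b for a, b in zip(chunk, keystream))


def ctr_crypt(key: bytes, nonce: bytes, data: bytes, workers: int = 1) -> bytes:
    """CTR over `data`; the same call encrypts and decrypts.

    A (key, nonce) pair must never be reused for two different messages.
    """
    chunks = [data[o:o + BLOCK] for o in range(0, len(data), BLOCK)]

    def job(item):
        index, chunk = item
        return ctr_xor_block(key, nonce, index, chunk)

    if workers == 1:
        return b"".join(map(job, enumerate(chunks)))
    # Threads here illustrate block independence, not a Python speed-up.
    with ThreadPoolExecutor(workers) as pool:
        return b"".join(pool.map(job, enumerate(chunks)))
```

Because there is no padding to validate on decryption, the receiver has no padding-error condition to expose; integrity still has to come from a separate MAC, as it does in SSH.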
