Mark, 
If you're involved in SHARE, a SHARE requirement is another way to go (in 
addition to an MR). IBM has been extremely responsive to SHARE requirements. If 
submitted, it would get voted on and IBM would be able to get an idea of the 
severity of the issue and other customers that might be having a similar issue. 
If you'd like more info on SHARE requirements, there is some info at 
http://www.share.org/p/cm/ld/fid=131 and you can feel free to contact me 
offlist at maryanne4...@gmail.com. 

MA 

On Tue, 11 Mar 2014 10:07:37 -0400, Mark Jacobs <mark.jac...@custserv.com> 
wrote:

>I did request that IBM open up a DCR,
>
>MR0310145254 - Provide support for CTR mode for AES algorithm.
>With priority 'urgent'. The deadline for a response is 2014 Jun08.
>
>The more people that concur the better, I'm assuming.
>
>Mark Jacobs
>
>On 03/10/14 18:48, Kirk Wolf wrote:
>> Right.   As I understand this was a potential vulnerability in *some*
>> implementations.  According to IBM, theirs does not, but some partners may
>> have it disabled.
>>
>> IMO it is a good idea to submit your requirement to IBM to support AES CTR
>> mode in ICSF.  CTR mode also has the advantage of being able to
>> multi-thread encryption of packets, since each packet can be encrypted in
>> parallel.  There is nothing missing from CPACF instructions that is needed
>> - if you write directly to CPACF you can easily implement AES-CTR mode.
>>
>>
>> Kirk Wolf
>> Dovetailed Technologies
>> http://dovetail.com
>>
>>
>> On Mon, Mar 10, 2014 at 5:05 PM, Steve Finch <sfi...@recoverypoint.com> wrote:
>>
>>> Some shops do not allow aes-cbc because of the 'Padding Oracle Attack'
>>> problem, since AES-CBC uses padding. aes-ctr does not use padding.
>>>
>>> Also FIPS 140-2 was published in 2001 and last updated in 2002
>>>
>>> Steve Finch
>>> Recovery Point
>>>
>>> -----Original Message-----
>>> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
>>> Behalf Of Mark Jacobs
>>> Sent: Monday, March 10, 2014 11:02 AM
>>> To: IBM-MAIN@LISTSERV.UA.EDU
>>> Subject: aes-ctr vs aes-cbc
>>>
>>> We've been trying to migrate our ssh/sftp environment, for both our client
>>> and server users to only use FIPS-140-2 certified ciphers, and run ICSF in
>>> FIPS mode. We've had no problems doing so, except with one of our partners
>>> who states that their security policy will not allow their sftp server to
>>> accept data transmitted with any CBC cipher.
>>>
>>> I tried adding the aes-ctr ciphers to our allowed list, but it doesn't
>>> look like ICSF can handle it, which is needed for ICSF to execute in FIPS
>>> mode.
>>>
>>> It seems like I'm in an unresolvable problem from a technology standpoint,
>>> unless our partner changes their policy, which I don't understand why they
>>> don't allow FIPS-140-2 certified ciphers to be used.
>>>
>>> --
>>> Mark Jacobs
>>> Time Customer Service
>>> Tampa, FL
>>> ----
>>>
>>> The quiet ones are the ones that change the universe...
>>> The loud ones only take the credit.
>>>
>>> Londo Mollari - Babylon 5
>>>
>>> ----------------------------------------------------------------------
>>> For IBM-MAIN subscribe / signoff / archive access instructions, send email
>>> to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>>>
>>
>
>
>--
>Mark Jacobs
>Time Customer Service
>Tampa, FL
>----
>
>The quiet ones are the ones that change the universe...
>The loud ones only take the credit.
>
>Londo Mollari - Babylon 5
>
