The DES-MK is used to encrypt secure DES operational keys stored in the CKDS.  
The DES-MK uses DES encryption to encrypt those keys.  The AES-MK is used to 
encrypt secure AES operational keys stored in the CKDS.  It uses AES encryption 
to protect the AES keys.

The RSA-MK is used to encrypt private RSA keys stored in the PKDS.  (The public 
keys will be public, so they are not encrypted.)  And yes, the RSA-MK is a 
triple length key and those private keys are encrypted using TDES.  The ECC-MK 
is used to encrypt private ECC keys stored in the PKDS.  It is a 256-bit AES 
key, so those private keys are encrypted using AES encryption.  (Similar to RSA 
keys, the ECC public keys are not encrypted in the PKDS.)

DES/TDES operational keys and RSA private keys are encrypted using DES/TDES 
because that's what was available way back when ICSF first came out.  AES 
operational keys and ECC private keys both rely on AES encryption because it's 
more secure.

Note:  With HCR77A1 and the CEX4S card and a TKE, the DES master key can now be 
a 32-byte (triple DES) key providing stronger security for your operational DES 
keys.

Is that the confirmation you are looking for?
Greg Boyd
Mainframe Crypto (www.mainframecrypto.com)


On Fri, 25 Jul 2014 11:52:40 -0700, Frank Swarbrick <[email protected]> 
wrote:

>The DES-MK (MASTER) key is a double length DES key which is used to encrypt 
>other symmetric keys for storage in the CKDS. The ASYM-MK (PKAMASTR) is a 
>triple length key. Is it also a DES key, with the only difference being the 
>length of the key and that its usage is for storing RSA private keys and other 
>asymmetric keys?

>
>----------------------------------------------------------------------
>For IBM-MAIN subscribe / signoff / archive access instructions,
>send email to [email protected] with the message: INFO IBM-MAIN
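The master-key hierarchy described in this thread, as an added illustration that is not part of the original posts and not IBM's or ICSF's code: a triple-length TDES master key (DES-MK, RSA-MK) wraps stored keys with TDES, while a 256-bit AES master key (AES-MK, ECC-MK) wraps them with AES, and the key data set holds only the wrapped form plus the name of the master key that wrapped it. The record layout, the `MasterKey`/`Entry` types and the use of AES-GCM for the AES path are assumptions made for this model; the real ICSF key-token formats are different and are not reproduced here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// MasterKey models one ICSF-style master key. As the post states, DES-MK and
// RSA-MK are triple-length TDES keys while AES-MK and ECC-MK are 256-bit AES
// keys, so the cipher that wraps a stored key follows from the master key.
type MasterKey struct {
	Name     string
	UsesAES  bool   // true: AES wrapping (AES-MK, ECC-MK); false: TDES (DES-MK, RSA-MK)
	Material []byte // 24 bytes for TDES, 32 bytes for AES-256
}

// Entry is a simplified CKDS/PKDS record (an assumption of this model): the
// wrapped key plus the name of the master key that wrapped it. Clear key
// material never reaches the store.
type Entry struct {
	WrappedBy string
	Wrapped   []byte
}

// mustRandom returns n bytes from the CSPRNG; a failing generator is fatal.
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err)
	}
	return b
}

func (mk *MasterKey) gcm() (cipher.AEAD, error) {
	block, err := aes.NewCipher(mk.Material)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Wrap encrypts key material under the master key. The AES path uses AES-GCM,
// so a wrong master key or a tampered record is detected on unwrap; the TDES
// path is CBC with a random IV and no integrity check. The record layout
// (IV or nonce followed by ciphertext) is a model, not the ICSF token format.
func (mk *MasterKey) Wrap(material []byte) (Entry, error) {
	var w []byte
	if mk.UsesAES {
		g, err := mk.gcm()
		if err != nil {
			return Entry{}, err
		}
		nonce := mustRandom(g.NonceSize())
		w = g.Seal(nonce, nonce, material, []byte(mk.Name)) // name bound as AAD
	} else {
		block, err := des.NewTripleDESCipher(mk.Material)
		if err != nil || len(material)%des.BlockSize != 0 {
			return Entry{}, fmt.Errorf("TDES wrap needs a 24-byte key and 8-byte blocks (%v)", err)
		}
		iv := mustRandom(des.BlockSize)
		w = make([]byte, len(material))
		cipher.NewCBCEncrypter(block, iv).CryptBlocks(w, material)
		w = append(iv, w...)
	}
	return Entry{WrappedBy: mk.Name, Wrapped: w}, nil
}

// Unwrap recovers the clear key, refusing a master key other than the one
// recorded for the entry. The TDES path cannot detect wrong key material: it
// silently returns different bytes, which is why the name check matters.
func (mk *MasterKey) Unwrap(e Entry) ([]byte, error) {
	if e.WrappedBy != mk.Name {
		return nil, fmt.Errorf("entry is wrapped under %s, not %s", e.WrappedBy, mk.Name)
	}
	w := e.Wrapped
	if mk.UsesAES {
		g, err := mk.gcm()
		if err != nil || len(w) < g.NonceSize() {
			return nil, errors.New("bad AES master key or record")
		}
		return g.Open(nil, w[:g.NonceSize()], w[g.NonceSize():], []byte(mk.Name))
	}
	block, err := des.NewTripleDESCipher(mk.Material)
	if err != nil || len(w) < 2*des.BlockSize || len(w)%des.BlockSize != 0 {
		return nil, errors.New("bad TDES master key or record")
	}
	out := make([]byte, len(w)-des.BlockSize)
	cipher.NewCBCDecrypter(block, w[:des.BlockSize]).CryptBlocks(out, w[des.BlockSize:])
	return out, nil
}

func main() {
	desMK := &MasterKey{Name: "DES-MK", Material: mustRandom(24)} // triple-length, per the note above
	e, err := desMK.Wrap(mustRandom(16))                           // constructed double-length DES key
	fmt.Printf("CKDS record wrapped under %s: %x (err=%v)\n", e.WrappedBy, e.Wrapped, err)
}
```

The point the model makes visible is the one behind "AES is more secure" in the post: an AES-GCM wrapped record rejects a wrong master key outright, whereas a TDES-CBC wrapped record decrypts to garbage without any error, so a key store protected by the older DES-based master key depends on the surrounding token checks rather than on the cipher to notice a mismatch.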
