The auditors are dictating the use of SHA-2 and discounting the use of SHA-1. 
It is a blanket requirement and one that one does not argue with. 

--------------------------------------------------------------------------
Lionel B. Dyck (Contractor)
Mainframe Systems Programmer 
Enterprise Infrastructure Support (Station 200) (005OP6.3.10)
VA OI&T Service Delivery & Engineering
Office: 512-326-6173


-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of John Eells
Sent: Monday, May 16, 2016 6:06 AM
To: [email protected]
Subject: [EXTERNAL] Re: smp/e sha-2 support?

Dyck, Lionel B., TRA wrote:
> We asked IBM support about implementing SHA2 for the SMP/E FTP download 
> process and were told to open an RFE. That seems kinda insane given that SHA-1 
> seems to be heading to the heap of obsolete technologies.
>
> Can anyone shed any light on this?  Opening an RFE seems absurd given that 
> this is an industry standard for security that we are being forced into as I 
> type this, and I'm sure we're not the only IBM customer who will be impacted 
> by the lack of SHA2 support.
>
<snip>

We understand the NIST recommendation to move off SHA-1 for security-related 
purposes.  However, our use of SHA-1 in this context has nothing to do with 
security, and as far as I know it was never intended to provide any.  We are 
using SHA-1 just to be reasonably sure that what we send over the wire is what 
you get from a data integrity standpoint.  (I wrote the ServerPac part of the 
design for Internet delivery.)

As I hope everyone knows, we are shortly disallowing FTP connections at our 
servers. The use of FTPS or HTTPS will be required to download z/OS platform 
products and PTFs.  Secure delivery using HTTPS or FTPS uses different 
algorithms for securing the link, and happens to pass through a package that 
has a SHA-1 hash of its content.

So...with all that in mind...what is the actual requirement here?  Does anyone 
think the probability of an undetected data integrity exposure is too high 
because we're using SHA-1?  Are auditors reflexively telling you that any use 
of SHA-1 for anything at all is not acceptable whether or not it's security 
related?  Something else?

-- 
John Eells
IBM Poughkeepsie
[email protected]

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
