As others have written, I think the use of SHA-1 within an enterprise as
a data integrity check is fine, so long as it meets a client's own
security standards. To go further, I think our (IBM's) use of SHA-1 for
the same purpose for software downloads is likewise just fine. (One
must now connect to IBM's download servers for z/OS products and PTFs
using SSL, and physical delivery uses R/O DVDs.)

All that said, some clients are starting to ask us to use a stronger
hashing algorithm. Most of them understand and agree that SHA-1 is just
fine for a data integrity check. But, their security departments
believe that disallowing SHA-1 is a simple overall rule that covers the
security-related uses of SHA-1 even if it imposes changes on the
non-security-related uses of SHA-1. It's difficult to argue with
simplification logic, I must admit.

We will probably have to use something stronger for software delivery,
eventually. We will probably need to continue to support SHA-1 for
compatibility's sake when we do.

CM Poncelet wrote:
> FWIW SHA1 hashing is *not* secure: you should use SHA2. No idea whether
> there is a z/OS utility to do that: I use PGP. HTH.
> Chris Poncelet (retired sysprog)
>
> On 20/11/2018 13:36, Sankaranarayanan, Vignesh wrote:
>> Hello again List!
>> Is there any utility for z/OS that lets us create SHA1 or MD5 or some such
>> hash/fingerprint of a dataset or USS file.
>> The use case is to compare these hashes at source (z/OS) and destination
>> (linux) after transferring some sizable datasets.
<snip>
--
John Eells
IBM Poughkeepsie
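
Added example (not part of the original thread, and not IBM code): a Linux-side check for the use case discussed above, streaming a large transferred file through the hash and accepting a SHA-1 digest only when the caller opts in for compatibility. The function names and the allow_sha1 switch are hypothetical, and it assumes the file was transferred in binary mode so both sides hash the same bytes.

```python
import hashlib
import hmac

# Hex digest length -> algorithm name understood by hashlib.
ALGO_BY_HEX_LEN = {40: "sha1", 64: "sha256", 128: "sha512"}


def file_digest(path, algo, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so sizable datasets never sit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:  # binary read: hash the bytes exactly as received
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_transfer(path, expected_hex, allow_sha1=False):
    """Compare a file against the digest computed at the source.

    Returns (matches, algorithm). The algorithm is inferred from the digest
    length. SHA-1 is refused unless allow_sha1 is set, which models a site
    rule that disallows SHA-1 while leaving a compatibility switch.
    """
    expected = expected_hex.strip().lower()
    algo = ALGO_BY_HEX_LEN.get(len(expected))
    if algo is None or any(c not in "0123456789abcdef" for c in expected):
        raise ValueError("unrecognised digest format")
    if algo == "sha1" and not allow_sha1:
        raise PermissionError("SHA-1 digests are disallowed by policy")
    actual = file_digest(path, algo)
    return hmac.compare_digest(actual, expected), algo


if __name__ == "__main__":
    import os
    import tempfile

    # Constructed sample data standing in for a transferred dataset.
    data = b"constructed sample record\n" * 100000
    fd, path = tempfile.mkstemp()
    os.write(fd, data)
    os.close(fd)
    try:
        source_digest = hashlib.sha256(data).hexdigest()  # as computed at source
        print(verify_transfer(path, source_digest))
    finally:
        os.remove(path)
```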