Re: ICSF/CSNBOWH (was: load mmodules copying to other site)

2012-04-25 Thread Shmuel Metz (Seymour J.)
In <4914821700290639.wa.walt.farrellgmail@bama.ua.edu>, on
04/24/2012
   at 11:33 AM, Walt Farrell  said:

>As often happens when people include links in sentences, his
>sentence-ending punctuation ("." ) was taken as part of the link.

Which is why enclosing a URL in <> is best practice.
 
-- 
 Shmuel (Seymour J.) Metz, SysProg and JOAT
 ISO position; see  
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN


Re: ICSF/CSNBOWH (was: load mmodules copying to other site)

2012-04-24 Thread Walt Farrell
On Tue, 24 Apr 2012 12:05:28 -0500, Paul Gilmartin  wrote:

>Hmmm.  This could be the basis for the APAR IO11698 fiasco
>two years ago in which IBM manifestly allowed an integrity
>exposure to remain unrepaired but provided a means of limiting
>access to the dangerous tool.  

No, it's not related to anything like that.

>I have been granted the RACF
>authority as I need it for my job; this indicates that I qualify
>as highly trusted.  But it irritates me that I have never been
>given instructions concerning what behavior I must avoid in
>order not to compromise system integrity.

Having that authority, there's nothing special you need to do to avoid 
compromising system integrity, beyond what you would normally do as someone 
with the authority to update APF libraries. 

By granting you that authority, the security administrator has merely indicated 
his trust that you will not actively try to compromise system security or 
integrity, and that he trusts you as much as he would had he given you UPDATE 
to the APF libraries and other sensitive system libraries.

-- 
Walt



Re: ICSF/CSNBOWH (was: load mmodules copying to other site)

2012-04-24 Thread Paul Gilmartin
On Tue, 24 Apr 2012 11:33:08 -0500, Walt Farrell wrote:
>
>>>Starting with ICSF HCR7750 and the z9, ICSF relies on the CPACF hardware on 
>>>the host for the full SHA support (SHA-1 as well as SHA-2).  The CP Assist 
>>>(CP Assist for Cryptographic Function) is running compliant implementations 
>>>of the SHA algorithms.  For the z196, see Cert #1497 at 
>>>http://csrc.nist.gov/groups/STM/cavp/documents/shs/shaval.htm
>
>As often happens when people include links in sentences, his sentence-ending 
>punctuation ("." ) was taken as part of the link. Simply remove it and the 
>link works fine.
>
I try _so_ hard not to do that; sometimes I even repair broken links
when I reply.  Sometimes I slip up.

The above further refers to:

http://csrc.nist.gov/groups/STM/cavp/documents/shs/SHAVS.pdf

The validation seems to be entirely empirical; they don't audit the
microcode.  This leaves open the possibility of a "magic" message
back door.

When SMP/E RECEIVE FROMNETWORK came out, it was followed by
an APAR fixing an error in SHA-1 computation.  Not the fault of ICSF,
but of the way SMP/E invoked it; a buffer alignment logic error.

Then there was a second APAR providing tolerance for SHA hashes
incorrectly computed in SYSMODs extant before the first APAR.
Reasonably safe if some ranges of bytes were processed twice;
more problematic if some ranges of bytes were never processed
leaving a nook in which a Trojan Horse could hide.

Hmmm.  This could be the basis for the APAR IO11698 fiasco
two years ago in which IBM manifestly allowed an integrity
exposure to remain unrepaired but provided a means of limiting
access to the dangerous tool.  I have been granted the RACF
authority as I need it for my job; this indicates that I qualify
as highly trusted.  But it irritates me that I have never been
given instructions concerning what behavior I must avoid in
order not to compromise system integrity.

-- gil

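The SMP/E buffer-alignment case Gil describes above is easy to reproduce in miniature. The following Python is an added example, not code from this thread, from ICSF or from SMP/E: it first runs the FIPS 180 SHA-1 known-answer vectors (the empirical kind of check a CAVP validation is built from), then compares a correct chunked caller of the hash with two constructed buggy callers, one that feeds the tail of every block twice and one that never feeds it, and shows that an edit inside the never-hashed range leaves the second caller's digest unchanged. The 64-byte chunk, the 8-byte skip width and the 1024-byte sample payload are assumptions chosen for illustration, not anything the APARs specify.

```python
import hashlib

# FIPS 180 SHA-1 known-answer vectors. A CAVP validation is made of tests of
# this kind: feed known messages, compare digests. It says nothing about what
# the implementation does on messages that were never tried.
SHA1_KAT = {
    b"": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    b"abc": "a9993e364706816aba3e25717850c26c9cd0d89d",
    b"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq":
        "84983e441c3bd26ebaae4aa1f95129e5e54670f1",
}

# Constructed stand-in for a SYSMOD payload: 1024 bytes, sixteen 64-byte blocks.
SAMPLE = bytes(range(256)) * 4


def run_kat():
    """Return the messages whose digest does not match the published vector."""
    return [m for m, want in SHA1_KAT.items()
            if hashlib.sha1(m).hexdigest() != want]


def sha1_chunked(data, chunk=64):
    """Correct caller: every byte is passed to the hash exactly once."""
    h = hashlib.sha1()
    for off in range(0, len(data), chunk):
        h.update(data[off:off + chunk])
    return h.hexdigest()


def sha1_chunked_overlapping(data, chunk=64, overlap=8):
    """Constructed bug 1: the last `overlap` bytes of each block are fed twice.
    The digest is wrong, but every byte still influences it."""
    h = hashlib.sha1()
    for off in range(0, len(data), chunk):
        block = data[off:off + chunk]
        h.update(block)
        h.update(block[-overlap:])
    return h.hexdigest()


def sha1_chunked_skipping(data, chunk=64, skip=8):
    """Constructed bug 2: the last `skip` bytes of each block are never fed.
    Those bytes can be changed at will without changing the digest."""
    h = hashlib.sha1()
    for off in range(0, len(data), chunk):
        h.update(data[off:off + chunk - skip])
    return h.hexdigest()


def blind_spots(length, chunk=64, skip=8):
    """Offsets that sha1_chunked_skipping never hashes."""
    return {o for o in range(length) if o % chunk >= chunk - skip}


def tamper(data, offset):
    """Flip every bit of one byte: the smallest possible 'Trojan' edit."""
    buf = bytearray(data)
    buf[offset] ^= 0xFF
    return bytes(buf)


def demo(data=SAMPLE, chunk=64, width=8):
    """Compare how each caller reacts to an edit inside the skipped range."""
    hole = blind_spots(len(data), chunk, width)
    evil = tamper(data, min(hole))
    one_shot = hashlib.sha1(data).hexdigest()
    return {
        "kat_failures": run_kat(),
        "chunked_equals_one_shot": sha1_chunked(data, chunk) == one_shot,
        "overlapping_equals_one_shot":
            sha1_chunked_overlapping(data, chunk, width) == one_shot,
        "overlapping_detects_edit":
            sha1_chunked_overlapping(data, chunk, width)
            != sha1_chunked_overlapping(evil, chunk, width),
        "skipping_detects_edit":
            sha1_chunked_skipping(data, chunk, width)
            != sha1_chunked_skipping(evil, chunk, width),
        "bytes_never_hashed": len(hole),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The "overlapping" caller produces a digest that no standard tool will reproduce, yet any byte change still alters it, which is why a tolerance APAR for such digests is defensible. The "skipping" caller leaves 128 of the 1024 bytes outside the digest entirely; a tolerance for those digests accepts whatever an attacker later writes into that range.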


Re: ICSF/CSNBOWH (was: load mmodules copying to other site)

2012-04-24 Thread Paul Gilmartin
On Tue, 24 Apr 2012 12:23:39 -0400, Rob Schramm wrote:

>Worked for me.
>
>>>Starting with ICSF HCR7750 and the z9, ICSF relies on the CPACF hardware on 
>>>the host for the full SHA support (SHA-1 as well as SHA-2).  The CP Assist 
>>>(CP Assist for Cryptographic Function) is running compliant implementations 
>>>of the SHA algorithms.  For the z196, see Cert #1497 at 
>>>http://csrc.nist.gov/groups/STM/cavp/documents/shs/shaval.htm.
>>>
>> Gives me 404:
>>
>>    Not Found
>>    The requested URL /groups/STM/cavp/documents/shs/shaval.htm. was not 
>> found on this server.
>>
Were you subscribed or reading from the web?

Ah! YA LISTSERV stupidity.  Looking at the page source:

see Cert #1497 at http://csrc.nist.gov/groups/STM/cavp/documents/shs/shaval.htm."; ...

It's the period at the end.



-- gil



Re: ICSF/CSNBOWH (was: load mmodules copying to other site)

2012-04-24 Thread Walt Farrell
On Tue, 24 Apr 2012 11:15:37 -0500, Paul Gilmartin  wrote:

>On Tue, 24 Apr 2012 10:00:46 -0500, Greg Boyd wrote:
>
>>Starting with ICSF HCR7750 and the z9, ICSF relies on the CPACF hardware on 
>>the host for the full SHA support (SHA-1 as well as SHA-2).  The CP Assist 
>>(CP Assist for Cryptographic Function) is running compliant implementations 
>>of the SHA algorithms.  For the z196, see Cert #1497 at 
>>http://csrc.nist.gov/groups/STM/cavp/documents/shs/shaval.htm.
>>
>Gives me 404:
>
>Not Found
>The requested URL /groups/STM/cavp/documents/shs/shaval.htm. was not found 
> on this server.
>

As often happens when people include links in sentences, his sentence-ending 
punctuation ("." ) was taken as part of the link. Simply remove it and the link 
works fine.

-- 
Walt



Re: ICSF/CSNBOWH (was: load mmodules copying to other site)

2012-04-24 Thread Rob Schramm
Worked for me.

Rob Schramm
Senior Systems Consultant
Imperium Group


On Tue, Apr 24, 2012 at 12:15 PM, Paul Gilmartin  wrote:
> On Tue, 24 Apr 2012 10:00:46 -0500, Greg Boyd wrote:
>
>>Starting with ICSF HCR7750 and the z9, ICSF relies on the CPACF hardware on 
>>the host for the full SHA support (SHA-1 as well as SHA-2).  The CP Assist 
>>(CP Assist for Cryptographic Function) is running compliant implementations 
>>of the SHA algorithms.  For the z196, see Cert #1497 at 
>>http://csrc.nist.gov/groups/STM/cavp/documents/shs/shaval.htm.
>>
> Gives me 404:
>
>    Not Found
>    The requested URL /groups/STM/cavp/documents/shs/shaval.htm. was not found 
> on this server.
>
> Thanks,
> gil
>



Re: ICSF/CSNBOWH (was: load mmodules copying to other site)

2012-04-24 Thread Paul Gilmartin
On Tue, 24 Apr 2012 10:00:46 -0500, Greg Boyd wrote:

>Starting with ICSF HCR7750 and the z9, ICSF relies on the CPACF hardware on 
>the host for the full SHA support (SHA-1 as well as SHA-2).  The CP Assist (CP 
>Assist for Cryptographic Function) is running compliant implementations of the 
>SHA algorithms.  For the z196, see Cert #1497 at 
>http://csrc.nist.gov/groups/STM/cavp/documents/shs/shaval.htm.
> 
Gives me 404:

Not Found
The requested URL /groups/STM/cavp/documents/shs/shaval.htm. was not found 
on this server.

Thanks,
gil



Re: ICSF/CSNBOWH (was: load mmodules copying to other site)

2012-04-24 Thread Greg Boyd
Starting with ICSF HCR7750 and the z9, ICSF relies on the CPACF hardware on the 
host for the full SHA support (SHA-1 as well as SHA-2).  The CP Assist (CP 
Assist for Cryptographic Function) is running compliant implementations of the 
SHA algorithms.  For the z196, see Cert #1497 at 
http://csrc.nist.gov/groups/STM/cavp/documents/shs/shaval.htm.

Greg Boyd
IBM Advanced Technical Support
Supporting Crypto on System z



ICSF/CSNBOWH (was: load mmodules copying to other site)

2012-04-21 Thread Paul Gilmartin
On Wed, 31 Aug 2011 (last year) 20:07:42 -0500, Paul Gilmartin (I) wrote:
>
>If you have ICSF, there's CSNBOWH.  See Rexx samples in SYS1.SAMPLIB(CSF*).
>There's a manual somewhere.
>
A few days ago, I received an off-list communication from a colleague
who tried this, then attempted to replicate the ICSF results with
two online conversion sites that agreed with each other and disagreed
with ICSF.  I strongly suspect his problems were ASCII/EBCDIC or
newline conventions.  Personally, I have great faith in IBM hardware,
but how to reassure a skeptic?  Perhaps Walt will jump in with a link
to an independent certification of ICSF SHA-1.

(I replicated the ICSF result with a third online conversion site and
with a C program I downloaded from Sourceforge long ago.  I was
not able to get any result, right or wrong from either of the two
sites my correspondent mentioned.  NoScript.)

-- gil

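The ASCII/EBCDIC and newline explanation Gil suggests above can be checked directly rather than argued. The following Python is an added example, not code from this thread or from ICSF: it digests the same text under the conventions that usually differ between a z/OS data set and a browser-based hash site (ASCII versus code page 037 EBCDIC; no terminator versus LF, CR LF or the EBCDIC NL byte; and blank padding to an 80-byte record), and names the convention that reproduces a digest obtained elsewhere. The choice of cp037 and of a blank-padded 80-byte record is an assumption for illustration; which code page and record format actually applied on the colleague's system is not stated in the thread.

```python
import hashlib


def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()


def digest_variants(text):
    """SHA-1 of one text under the conventions that commonly differ between a
    z/OS data set and a browser-based hash site.  cp037 (US EBCDIC) and an
    80-byte blank-padded record are assumptions for illustration."""
    ascii_bytes = text.encode("ascii")
    ebcdic_bytes = text.encode("cp037")
    return {
        "ascii":       sha1_hex(ascii_bytes),
        "ascii_lf":    sha1_hex(ascii_bytes + b"\n"),      # Unix editor or web form
        "ascii_crlf":  sha1_hex(ascii_bytes + b"\r\n"),    # Windows text
        "ebcdic":      sha1_hex(ebcdic_bytes),
        "ebcdic_nl":   sha1_hex(ebcdic_bytes + b"\x15"),   # EBCDIC NL, z/OS UNIX text
        # RECFM=FB LRECL=80 record, padded with EBCDIC blanks (X'40')
        "ebcdic_fb80": sha1_hex(ebcdic_bytes.ljust(80, b"\x40")),
    }


def explain_mismatch(observed_hex, text):
    """Name the convention that reproduces a digest produced elsewhere, or
    None if none of them does."""
    observed = observed_hex.strip().lower()
    for name, digest in digest_variants(text).items():
        if digest == observed:
            return name
    return None


if __name__ == "__main__":
    for name, digest in digest_variants("abc").items():
        print(f"{name:12} {digest}")
    # The FIPS 180 'abc' vector is the plain ASCII case.
    print(explain_mismatch("a9993e364706816aba3e25717850c26c9cd0d89d", "abc"))
```

When two tools disagree, run the text the skeptic hashed through `explain_mismatch` with each tool's digest: if one digest comes back as `ebcdic_fb80` and the other as `ascii_lf`, both hashes are correct and the inputs were never the same bytes. Only a digest that matches none of the variants is evidence worth escalating.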