Re: ICSF master keys at DR site
W dniu 2013-05-15 17:55, Frank Swarbrick pisze: MK Ceremony. I like that. :-) Definitely what we'll have to do, as I'm pretty sure we're not going to remove one of our cryptocards and transport it to DR just for this. Interesting idea, though! Is there a way to copy the master keys from one co-processor to another? IMHO You cannot copy master key, because you cannot read it. Of course you can enter MK to many cards at the time. BTW: MK Ceremony is more ceremony or black magice than real security need. Imagine following scenario: simple PC with fresh-installed system + 3270 emulator connected even without SSL to the OSA card, using 5 ft cable - all visible to the personnel involved. Now you can have several persons responsible for key parts and one standing behind the display to audit/manage the process. Don't forget about video surveillance - cameras cannot see the display. As last part of the ceremony is to wipe out the PC HDD (or destroy it if you want). Q: isn't it less secure than using TKE? In what aspect? Disclaimers: 1. I'm NOT talking about official certifications, regulations, but about real things. 2. TKE can be used for other activities, not only MK Ceremony. 3. Preparation of the above scenario could be considered cumbersome, but pay me half of the TKE price, I will do it for you! ;-) Last, but not least: MK Ceremony is not everyday processs. Regards -- Radoslaw Skorupka Lodz, Poland -- Tre tej wiadomoci moe zawiera informacje prawnie chronione Banku przeznaczone wycznie do uytku subowego adresata. Odbiorc moe by jedynie jej adresat z wyczeniem dostpu osób trzecich. Jeeli nie jeste adresatem niniejszej wiadomoci lub pracownikiem upowanionym do jej przekazania adresatowi, informujemy, e jej rozpowszechnianie, kopiowanie, rozprowadzanie lub inne dziaanie o podobnym charakterze jest prawnie zabronione i moe by karalne. Jeeli otrzymae t wiadomo omykowo, prosimy niezwocznie zawiadomi nadawc wysyajc odpowied oraz trwale usun t wiadomo wczajc w to wszelkie jej kopie wydrukowane lub zapisane na dysku. This e-mail may contain legally privileged information of the Bank and is intended solely for business use of the addressee. This e-mail may only be received by the addressee and may not be disclosed to any third parties. If you are not the intended addressee of this e-mail or the employee authorised to forward it to the addressee, be advised that any dissemination, copying, distribution or any other similar activity is legally prohibited and may be punishable. If you received this e-mail by mistake please advise the sender immediately by using the reply facility in your e-mail software and delete permanently this e-mail including any copies of it either printed or saved to hard drive. BRE Bank SA, 00-950 Warszawa, ul. Senatorska 18, tel. +48 (22) 829 00 00, fax +48 (22) 829 00 33, www.brebank.pl, e-mail: i...@brebank.pl Sd Rejonowy dla m. st. Warszawy XII Wydzia Gospodarczy Krajowego Rejestru Sdowego, nr rejestru przedsibiorców KRS 025237, NIP: 526-021-50-88. Wedug stanu na dzie 01.01.2013 r. kapita zakadowy BRE Banku SA (w caoci wpacony) wynosi 168.555.904 zotych. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: ICSF master keys at DR site
Todd... ooops. That's what I get for relying on memory!! Rob Schramm Senior Systems Consultant Imperium Group On Wed, May 15, 2013 at 8:08 AM, Todd Arnold arno...@us.ibm.com wrote: There is/was a way to set a CEX card to allow it to keep the MK loaded while being transferred between machines. Yes, but you also need a TKE to do this. You can enable or disable the crypto card. When the card is disabled, you cannot perform any application-oriented crypto functions with it - for example, encrypting data, managing keys, etc. The only things you can do are the functions related to re-enabling the card, which is done via TKE. While the card is in disabled state, you can remove it from your machine and it will not lose any of the stored data such as the master keys - but you also cannot USE those master keys for anything until the card is re-enabled, and that is not possible except through TKE by two authorized administrators. Here is part of the description that is in the TKE user's manual: -- A crypto module is either enabled or disabled. When a crypto module is enabled, it is available for processing. You can change the status of the module by pressing the Enable Crypto Module / Disable Crypto Module push button. Enable Crypto Module is a dual-signature command and another authority may need to co-sign. Disable Crypto Module is a single signature command. Disabling a crypto module disables all the cryptographic functions for a single crypto module, a group of crypto modules, or a domain group. This disables the crypto module for the entire system, not just the LPAR that issued the disable. -- Todd Arnold -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: ICSF master keys at DR site
Unless they own the DR machine... in which case it should become part of the MK ceremony. If you have 1 TKE and you own the DR machine, the TKE could manage the remote site as well. You would just have to setup the procedure to enroll another TKE in the case of DR... and store a copy of the smart cards at the 2nd site. The other way for MKs would be using tamper evident envelopes, dual-controlled / logged access to the 3 key parts and some security measure guarding the keys. You should need at least 3 people to make a MK ceremony... in reality.. it would probably be more. Also, CLEARLY documented procedures that are easy to follow and have sign off's for each of the steps. Security logging/alerts, review of logging/alerts that is verifiable.. escalation procedures for possible breach, key change procedures... etc. TKE should be setup in such a way as to prevent others from tampering.. dual locked cabinet? Rob Rob Schramm Senior Systems Consultant Imperium Group On Thu, May 16, 2013 at 2:16 PM, Rob Schramm rob.schr...@gmail.com wrote: Todd... ooops. That's what I get for relying on memory!! Rob Schramm Senior Systems Consultant Imperium Group On Wed, May 15, 2013 at 8:08 AM, Todd Arnold arno...@us.ibm.com wrote: There is/was a way to set a CEX card to allow it to keep the MK loaded while being transferred between machines. Yes, but you also need a TKE to do this. You can enable or disable the crypto card. When the card is disabled, you cannot perform any application-oriented crypto functions with it - for example, encrypting data, managing keys, etc. The only things you can do are the functions related to re-enabling the card, which is done via TKE. While the card is in disabled state, you can remove it from your machine and it will not lose any of the stored data such as the master keys - but you also cannot USE those master keys for anything until the card is re-enabled, and that is not possible except through TKE by two authorized administrators. Here is part of the description that is in the TKE user's manual: -- A crypto module is either enabled or disabled. When a crypto module is enabled, it is available for processing. You can change the status of the module by pressing the Enable Crypto Module / Disable Crypto Module push button. Enable Crypto Module is a dual-signature command and another authority may need to co-sign. Disable Crypto Module is a single signature command. Disabling a crypto module disables all the cryptographic functions for a single crypto module, a group of crypto modules, or a domain group. This disables the crypto module for the entire system, not just the LPAR that issued the disable. -- Todd Arnold -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: ICSF master keys at DR site
We own the DR hardware, so hopefully that will not be necessary! :-) Thanks, Frank From: Richard Peurifoy r-peuri...@neo.tamu.edu To: IBM-MAIN@LISTSERV.UA.EDU Sent: Thursday, May 16, 2013 9:49 AM Subject: Re: ICSF master keys at DR site On 5/15/2013 10:55 AM, Frank Swarbrick wrote: MK Ceremony. I like that. :-) Definitely what we'll have to do, as I'm pretty sure we're not going to remove one of our cryptocards and transport it to DR just for this. Interesting idea, though! Is there a way to copy the master keys from one co-processor to another? Don't forget to clear your Master Key from the DR crypto card when you leave. -- Richard -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: ICSF master keys at DR site
There is/was a way to set a CEX card to allow it to keep the MK loaded while being transferred between machines. Yes, but you also need a TKE to do this. You can enable or disable the crypto card. When the card is disabled, you cannot perform any application-oriented crypto functions with it - for example, encrypting data, managing keys, etc. The only things you can do are the functions related to re-enabling the card, which is done via TKE. While the card is in disabled state, you can remove it from your machine and it will not lose any of the stored data such as the master keys - but you also cannot USE those master keys for anything until the card is re-enabled, and that is not possible except through TKE by two authorized administrators. Here is part of the description that is in the TKE user's manual: -- A crypto module is either enabled or disabled. When a crypto module is enabled, it is available for processing. You can change the status of the module by pressing the Enable Crypto Module / Disable Crypto Module push button. Enable Crypto Module is a dual-signature command and another authority may need to co-sign. Disable Crypto Module is a single signature command. Disabling a crypto module disables all the cryptographic functions for a single crypto module, a group of crypto modules, or a domain group. This disables the crypto module for the entire system, not just the LPAR that issued the disable. -- Todd Arnold -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: ICSF master keys at DR site
MK Ceremony. I like that. :-) Definitely what we'll have to do, as I'm pretty sure we're not going to remove one of our cryptocards and transport it to DR just for this. Interesting idea, though! Is there a way to copy the master keys from one co-processor to another? From: Rob Schramm rob.schr...@gmail.com To: IBM-MAIN@LISTSERV.UA.EDU Sent: Tuesday, May 14, 2013 11:00 PM Subject: Re: ICSF master keys at DR site Actually... There is a method. But it would be a bit silly... And might fail for logistic reasons. There is/was a way to set a CEX card to allow it to keep the MK loaded while being transferred between machines. I just remember reading about it... Not all the details about how long the card could be removed before re-installing it. You can always do it the old fashion way. And have the MK parts stored at the DR site and do a MK ceremony there not near as slick as having a TKE. Of course if you have a TKE at the primary site and store the MK on smart cards .. you'll have to be a bit more creative. But all the methods I can think of leave you in a somewhat less secure state... Possibly managable... But it would depend on the laws/regulation that you are under. Rob Schramm On May 14, 2013 1:11 PM, Frank Swarbrick frank.swarbr...@yahoo.com wrote: Thank you (and Radoslaw) for your answers. From: Todd Arnold arno...@us.ibm.com To: IBM-MAIN@LISTSERV.UA.EDU Sent: Tuesday, May 14, 2013 7:35 AM Subject: Re: ICSF master keys at DR site Without a TKE, I don't think there is any other method. If you do have a TKE, there is a very nice and very secure method of completely cloning everything from one crypto card to another one. This was added a couple of releases ago. Here is the beginning of the description from the current TKE user's guide (which I just retrieved from Resource Link): --- Configuration migration The TKE workstation provides tools to securely capture host crypto module configuration data to a file, and then reapply this data to another host crypto module or crypto module group. The data that can be securely captured includes roles, authorities, domain control settings, and master keys. These tools simplify the task of installing new or replacement host crypto modules, and can be used for backup and disaster recovery as well. Two tools are provided: one that migrates only public configuration data (roles, authorities, domain control settings) and one that migrates all configuration data, including secret data, such as master key values. The protocol for migrating secret data is more complex than the protocol for migrating only public data, and requires the participation of several smart card holders. --- Todd Arnold -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: ICSF master keys at DR site
Without a TKE, I don't think there is any other method. If you do have a TKE, there is a very nice and very secure method of completely cloning everything from one crypto card to another one. This was added a couple of releases ago. Here is the beginning of the description from the current TKE user's guide (which I just retrieved from Resource Link): --- Configuration migration The TKE workstation provides tools to securely capture host crypto module configuration data to a file, and then reapply this data to another host crypto module or crypto module group. The data that can be securely captured includes roles, authorities, domain control settings, and master keys. These tools simplify the task of installing new or replacement host crypto modules, and can be used for backup and disaster recovery as well. Two tools are provided: one that migrates only public configuration data (roles, authorities, domain control settings) and one that migrates all configuration data, including secret data, such as master key values. The protocol for migrating secret data is more complex than the protocol for migrating only public data, and requires the participation of several smart card holders. --- Todd Arnold -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: ICSF master keys at DR site
Thank you (and Radoslaw) for your answers. From: Todd Arnold arno...@us.ibm.com To: IBM-MAIN@LISTSERV.UA.EDU Sent: Tuesday, May 14, 2013 7:35 AM Subject: Re: ICSF master keys at DR site Without a TKE, I don't think there is any other method. If you do have a TKE, there is a very nice and very secure method of completely cloning everything from one crypto card to another one. This was added a couple of releases ago. Here is the beginning of the description from the current TKE user's guide (which I just retrieved from Resource Link): --- Configuration migration The TKE workstation provides tools to securely capture host crypto module configuration data to a file, and then reapply this data to another host crypto module or crypto module group. The data that can be securely captured includes roles, authorities, domain control settings, and master keys. These tools simplify the task of installing new or replacement host crypto modules, and can be used for backup and disaster recovery as well. Two tools are provided: one that migrates only public configuration data (roles, authorities, domain control settings) and one that migrates all configuration data, including secret data, such as master key values. The protocol for migrating secret data is more complex than the protocol for migrating only public data, and requires the participation of several smart card holders. --- Todd Arnold -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: ICSF master keys at DR site
Actually... There is a method. But it would be a bit silly... And might fail for logistic reasons. There is/was a way to set a CEX card to allow it to keep the MK loaded while being transferred between machines. I just remember reading about it... Not all the details about how long the card could be removed before re-installing it. You can always do it the old fashion way. And have the MK parts stored at the DR site and do a MK ceremony there not near as slick as having a TKE. Of course if you have a TKE at the primary site and store the MK on smart cards .. you'll have to be a bit more creative. But all the methods I can think of leave you in a somewhat less secure state... Possibly managable... But it would depend on the laws/regulation that you are under. Rob Schramm On May 14, 2013 1:11 PM, Frank Swarbrick frank.swarbr...@yahoo.com wrote: Thank you (and Radoslaw) for your answers. From: Todd Arnold arno...@us.ibm.com To: IBM-MAIN@LISTSERV.UA.EDU Sent: Tuesday, May 14, 2013 7:35 AM Subject: Re: ICSF master keys at DR site Without a TKE, I don't think there is any other method. If you do have a TKE, there is a very nice and very secure method of completely cloning everything from one crypto card to another one. This was added a couple of releases ago. Here is the beginning of the description from the current TKE user's guide (which I just retrieved from Resource Link): --- Configuration migration The TKE workstation provides tools to securely capture host crypto module configuration data to a file, and then reapply this data to another host crypto module or crypto module group. The data that can be securely captured includes roles, authorities, domain control settings, and master keys. These tools simplify the task of installing new or replacement host crypto modules, and can be used for backup and disaster recovery as well. Two tools are provided: one that migrates only public configuration data (roles, authorities, domain control settings) and one that migrates all configuration data, including secret data, such as master key values. The protocol for migrating secret data is more complex than the protocol for migrating only public data, and requires the participation of several smart card holders. --- Todd Arnold -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
ICSF master keys at DR site
I'm pretty sure I know the answer (no), but I just want to make sure. Is there any method other than loading the original key parts that one can load the current production keys into a cryptocard at another (DR) site? No TKE available, if that makes a difference. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: ICSF master keys at DR site
W dniu 2013-05-13 23:18, Frank Swarbrick pisze: I'm pretty sure I know the answer (no), but I just want to make sure. Is there any method other than loading the original key parts that one can load the current production keys into a cryptocard at another (DR) site? For master key, NO. No TKE available, if that makes a difference. No, it doesn't. BTW: depending on your DR scenario, loading master keys may be a part of DR preparation recipe. -- Radoslaw Skorupka Lodz, Poland -- Tre tej wiadomoci moe zawiera informacje prawnie chronione Banku przeznaczone wycznie do uytku subowego adresata. Odbiorc moe by jedynie jej adresat z wyczeniem dostpu osób trzecich. Jeeli nie jeste adresatem niniejszej wiadomoci lub pracownikiem upowanionym do jej przekazania adresatowi, informujemy, e jej rozpowszechnianie, kopiowanie, rozprowadzanie lub inne dziaanie o podobnym charakterze jest prawnie zabronione i moe by karalne. Jeeli otrzymae t wiadomo omykowo, prosimy niezwocznie zawiadomi nadawc wysyajc odpowied oraz trwale usun t wiadomo wczajc w to wszelkie jej kopie wydrukowane lub zapisane na dysku. This e-mail may contain legally privileged information of the Bank and is intended solely for business use of the addressee. This e-mail may only be received by the addressee and may not be disclosed to any third parties. If you are not the intended addressee of this e-mail or the employee authorised to forward it to the addressee, be advised that any dissemination, copying, distribution or any other similar activity is legally prohibited and may be punishable. If you received this e-mail by mistake please advise the sender immediately by using the reply facility in your e-mail software and delete permanently this e-mail including any copies of it either printed or saved to hard drive. BRE Bank SA, 00-950 Warszawa, ul. Senatorska 18, tel. +48 (22) 829 00 00, fax +48 (22) 829 00 33, www.brebank.pl, e-mail: i...@brebank.pl Sd Rejonowy dla m. st. Warszawy XII Wydzia Gospodarczy Krajowego Rejestru Sdowego, nr rejestru przedsibiorców KRS 025237, NIP: 526-021-50-88. Wedug stanu na dzie 01.01.2013 r. kapita zakadowy BRE Banku SA (w caoci wpacony) wynosi 168.555.904 zotych. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN