Re: Customer is Using CPACF (Crypto) purchased Crypto Express

2017-06-20 Thread Todd Arnold
Right - the CPACF Protected Keys are *very* secure and we were very happy with our ability to add that feature. Unfortunately, for some applications (such as payment card systems), the standards require a "Secure Cryptographic Device" (SCD) like an HSM that has advanced active tamper detection

Re: Customer is Using CPACF (Crypto) purchased Crypto Express

2017-06-19 Thread Greg Dyck
On 6/19/2017 8:00 AM, Todd Arnold wrote:
> - If you need "secure keys" - keys that are protected by hardware that cannot be subverted, even by the highest-technology methods - then use CEX. (but if you need a lower level of security, consider CPACF Protected Key mode.)
I would note

Re: Customer is Using CPACF (Crypto) purchased Crypto Express

2017-06-19 Thread Tony Thigpen
The "Encryption Facility for z/VSE" product is used to transport data between VSE and z/OS or other platform that would accept data encrypted by "Encryption Facility for z/OS". It does *not* support "data at rest". It does allow you to copy and encrypt a file, but the whole file has to be

Re: Customer is Using CPACF (Crypto) purchased Crypto Express

2017-06-19 Thread Joerg Schmidbauer
Todd pointed me to this topic, because it's a z/VSE related question, not z/OS. From my point of view Tony and Todd explained everything correctly. Just one additional info: There is an optional feature "Encryption Facility for z/VSE" that allows encrypting data at rest (Librarian members, VSAM

Re: Customer is Using CPACF (Crypto) purchased Crypto Express

2017-06-19 Thread Todd Arnold
So, the discussion about ICSF is not meaningful - ICSF runs on z/OS, and you're not using z/OS in this case. In general, the choice between CPACF and CEX is fairly straightforward.
- If the function(s) you need can be done with CPACF, then use CPACF. It is faster than CEX for everything it

Re: Customer is Using CPACF (Crypto) purchased Crypto Express

2017-06-17 Thread Greg Boyd
I'm a little late chiming in and I must confess I don't have as much experience with crypto on z/VSE. z/VSE may have changed, but in the past it has not provided a facility like ICSF which provides the interface to the CEX cards. Going back to the original post, I suspect that the customer is

Re: Customer is Using CPACF (Crypto) purchased Crypto Express

2017-06-15 Thread Kirk Wolf
"SSL" (or TLS) is a client-server secure connection protocol, not a file/disk encryption protocol. It involves both:
a) key exchange (handshake) which uses asymmetric key operations (handshake happens once or periodically for long sessions)
b) symmetric ciphers using a shared session key

Re: Customer is Using CPACF (Crypto) purchased Crypto Express

2017-06-15 Thread Phil Smith
Arye Shemer wrote:
> I'll try to answer your questions as best I can.
> 1. I am talking about z/VM z/VSE customer who is using currently CPACF to encrypt data going to the disk and (I am not sure) some software using CPACF for SSL.
> 2. Customer predicts workload increase and expects to get more

Re: Customer is Using CPACF (Crypto) purchased Crypto Express

2017-06-15 Thread Arye Shemer
Hello Todd, I'll try to answer your questions as best I can.
1. I am talking about z/VM z/VSE customer who is using currently CPACF to encrypt data going to the disk and (I am not sure) some software using CPACF for SSL.
2. Customer predicts workload increase and expects to get more performance using

Re: Customer is Using CPACF (Crypto) purchased Crypto Express

2017-06-14 Thread Todd Arnold
As Phil said:
> (arguably the firmware is slightly less secure than the tamper-resistant HSM, but the memory used in the firmware to hold that key is protected - it's apparently not even visible in HMC dumps)
That is correct. The memory where the key is held is associated with the CPACF

Re: Customer is Using CPACF (Crypto) purchased Crypto Express

2017-06-14 Thread Todd Arnold
Since I design some of this stuff, I can help clarify - but others have already done a pretty good job of explaining the various alternatives. What I'd like to ask is what you are actually trying to do? What is the reason for installing the Crypto Express and trying to use it instead of or in

Re: Customer is Using CPACF (Crypto) purchased Crypto Express

2017-06-13 Thread Arye Shemer
Thank you all for your contribution and time. It sure gave me a lot to think of.
thanks, Arye.
On Mon, Jun 12, 2017 at 6:44 PM, Phil Smith wrote:
> There are several things intertwined here.
> * CPACF is the "crypto on the chip" - z Systems instructions that do

Re: Customer is Using CPACF (Crypto) purchased Crypto Express

2017-06-12 Thread Phil Smith
There are several things intertwined here.
* CPACF is the "crypto on the chip" - z Systems instructions that do AES et al.
* CEX is the z HSM.
* ICSF is, of course, the z/OS service that talks to both (though you can do CPACF operations directly as well).
With just CPACF,

Re: Customer is Using CPACF (Crypto) purchased Crypto Express

2017-06-12 Thread R.S.
On 2017-06-12 at 14:12, Tony Thigpen wrote:
> We are talking about encrypting "Data at Rest". There is *no* key exchange involved. The only purpose for encrypting keys is so you can send them to someone else.
No. The purpose of encrypting keys is something called "secure key cryptography",

Re: Customer is Using CPACF (Crypto) purchased Crypto Express

2017-06-12 Thread Mark Jacobs - Listserv
Has nothing to do with key exchange. The DEK used to encrypt the data will be in clear text rather than the DEK being encrypted by the KEK (ICSF Master Key).
Mark Jacobs
Tony Thigpen, June 12, 2017 at 8:12 AM:
> We are talking about encrypting "Data at Rest". There

Re: Customer is Using CPACF (Crypto) purchased Crypto Express

2017-06-12 Thread Tony Thigpen
We are talking about encrypting "Data at Rest". There is *no* key exchange involved. The only purpose for encrypting keys is so you can send them to someone else.
Tony Thigpen
Mark Jacobs - Listserv wrote on 06/12/2017 08:01 AM:
> Encryption/decryption without a CryptoExpress only supports

Re: Customer is Using CPACF (Crypto) purchased Crypto Express

2017-06-12 Thread Mark Jacobs - Listserv
Encryption/decryption without a CryptoExpress only supports clear keys, not protected or secured encryption keys. Might be enough for the OP, but wouldn't fly in my environment.
Tony Thigpen, June 12, 2017 at 7:22 AM:
> For encrypting "data at rest", the CPACF is really

Re: Customer is Using CPACF (Crypto) purchased Crypto Express

2017-06-12 Thread Tony Thigpen
For encrypting "data at rest", the CPACF is really all he needs. The Crypto Express is intended to speed up key negotiations between sites, something not needed for his intended plans.
Tony Thigpen
Arye Shemer wrote on 06/12/2017 02:00 AM:
> Hello, Customer is currently using CPACF to encrypt

Customer is Using CPACF (Crypto) purchased Crypto Express

2017-06-12 Thread Arye Shemer
Hello, Customer is currently using CPACF to encrypt his data before writing to disks. Customer intends to purchase Crypto Express and wants to use it to continue to encrypt the data before writing to the disks. Are there any compatibility issues? Are there any known documents which