Re: What is the justification for not using Trusted Key Entry (TKE) workstation?

Thu, 23 Feb 2012 11:43:51 -0800 

W dniu 2012-02-23 18:02, Francis van Zutphen pisze:

Hello ICSF

We have a particular mainframe environment which is a contained Data Server 
(only DB2 databases and CICS).
We do not have any ATM or PIN applications; we do have websphere; we do not 
have direct customer/user access on this machine.
The non-mainframe platforms communicate with this mainframe via services like 
MQ and TIBCO.

We have been using TKE to securely load the Master keys only, and not 
operational keys.
Over the years the new applications that use crypto have been installed on the 
other platforms.
We now have a situation where we only have ONE legacy application key defined 
and in use in the CKDS, that is why we are now considering dismantling the 
optional TKE.

We realise that going back to TSO panels for Master Key Administration is less 
secure than TKE, but find can no longer justify using TKE as the remaining 
application does not have a high enough CIA rating.

I have two questions:

1). Are there any other customers out there that do not use TKE?
2). What is the justification for not using TKE?



Well,
You wrote that TSO panels are less secure. I would say this method MAY be less secure and IS "less certified". 
Imagine special procedure for key entry:
- "fresh PC" - just installed from scratch,
- connected directly to the host, even without the switch
- using SSL/TLS
- erased just after one use.
The key consist of three parts. Every part can be entered by another person.
Question: what *technical* reason causes the above method less secure than TKE?
Back to the question: Who don't use TKE? I bet (and I'm pretty sure of that) all the shops in Poland do not use TKE. 
Justification: MONEY. No real need to use TKE.

--
Radoslaw Skorupka
Lodz, Poland


--
Tre tej wiadomoci moe zawiera informacje prawnie chronione Banku 
przeznaczone wycznie do uytku subowego adresata. Odbiorc moe by jedynie 
jej adresat z wyczeniem dostpu osób trzecich. Jeeli nie jeste adresatem 
niniejszej wiadomoci lub pracownikiem upowanionym do jej przekazania 
adresatowi, informujemy, e jej rozpowszechnianie, kopiowanie, rozprowadzanie 
lub inne dziaanie o podobnym charakterze jest prawnie zabronione i moe by 
karalne. Jeeli otrzymae t wiadomo omykowo, prosimy niezwocznie 
zawiadomi nadawc wysyajc odpowied oraz trwale usun t wiadomo 
wczajc w to wszelkie jej kopie wydrukowane lub zapisane na dysku.
This e-mail may contain legally privileged information of the Bank and is intended solely for business use of the addressee. This e-mail may only be received by the addressee and may not be disclosed to any third parties. If you are not the intended addressee of this e-mail or the employee authorised to forward it to the addressee, be advised that any dissemination, copying, distribution or any other similar activity is legally prohibited and may be punishable. If you received this e-mail by mistake please advise the sender immediately by using the reply facility in your e-mail software and delete permanently this e-mail including any copies of it either printed or saved to hard drive. 
BRE Bank SA, 00-950 Warszawa, ul. Senatorska 18, tel. +48 (22) 829 00 00, fax 
+48 (22) 829 00 33, www.brebank.pl, e-mail: [email protected]
Sd Rejonowy dla m. st. Warszawy XII Wydzia Gospodarczy Krajowego Rejestru Sdowego, nr rejestru przedsibiorców KRS 0000025237, NIP: 526-021-50-88. Wedug stanu na dzie 01.01.2012 r. kapita zakadowy BRE Banku SA (w caoci wpacony) wynosi 168.410.984 zotych. 

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN

Reply via email to