> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
> Behalf Of R.S.
> Sent: Wednesday, September 06, 2006 9:04 AM
> To: IBM-MAIN@BAMA.UA.EDU
> Subject: Re: ICSF with CPACF (was RE: Encrypting tape drives... anyone
> considering field encryption?)
>
> Jeffrey D. Smith wrote:
>
> >>-----Original Message-----
> >>From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
> >>Behalf Of Alan Altmark
> >
> > /snip/
>
> /snip/
>
> I dare to disagree. ICSF's CKDS is ready to use key container. The keys
> are encrypted using master key.

Wrong. The CPACF services offered by ICSF require CLEAR KEYS. They are not encrypted by the master key. There are new key form keywords for clear keys, "CLRDES" for clear DES key and "CLRAES" for clear AES key. These are the only key forms usable by the CPACF interface in ICSF, and they are not encrypted anywhere, either in storage or on the CKDS.

> This is the advantage - you don't have
> to worry about it. You can control and audit key usage using RACF. The
> person who uses the key may be unable to read the key from storage (different
> set of authorities).

The RACF support in ICSF restricts access to the services, but not the resource being ciphered. That is a HUGE difference.

> Last but not least: it comes almost free - ICSF is built in z/OS price,
> ICSF overhead is quite irrelevant.

ICSF does not offer a key management *system*. ICSF only offers a key repository, and when it is combined with the CPACF (faster than CCF and scales much better than CCF) there is no key encryption.

> "One more last but not least": It could be easier to call ICSF services
> than to use CPACF instructions directly.

That's why I suggest using an API, instead of directly using CPACF.

> > A key management *system* is much more complex than what ICSF offers.
>
> Please enlighten us:
> 1. What is key management system?

A key management system controls access to keys, rather than access to ciphering services. With CPACF, any problem program can perform ciphering. Restricting access to ciphering is missing the entire point of security. Controlling and auditing access to keys that are bound to specific resources is the point of a secure key management system.

> 2. Why do we need KMS, especially for clear key operations?

The KMS prevents exposure of the keys to the application. The KMS can use the CPACF with clear keys in *protected* storage so that the end-user cannot expose the clear keys. Thus, the benefits of performance and scalability of CPACF are complemented with secure key management. You don't get any of that with ICSF. So, if you are forced to use a 3rd party key management system, you have no need for ICSF.

> Radoslaw Skorupka

/snip/

Jeffrey D. Smith
Principal Product Architect
Farsight Systems Corporation
700 KEN PRATT BLVD. #204-159
LONGMONT, CO 80501-6452
303-774-9381 direct
303-484-6170 FAX
http://www.farsight-systems.com/
comments are invited on my encryption project