On Thu, 24 Jan 2008 10:59:10 +0100, Barbara Nitz <[EMAIL PROTECTED]> wrote:

>My colleague came across the following while testing key rings and rsa
>encryption:
>He checked the FM to find out that he can set the size of the key via
>racdcert from anything between 512 and 99999. We had it set to 1024, so he
>tried 2048 to make the encryption harder to break, given that there is no
>guarantee that there really is a prime number used in the RSA algorithm (in
>which case encryption is not secure, it can be broken).
>
>This is the result of the racdcert command:
>msgirrd125i:The key size that was specified is not acceptable. The request
>is not processed.
>explanation: The maximum key size is determined by US export restrictions
>or internal system limits based on the key type.
>
>Our conclusion: Big 'brother' is watching you, all the better to break your
>encryption and spy on all you non-Americans!

First, I'd have to wonder what FM your colleague read.  From the RACF
Command Language Reference:
<quote>
Currently, the maximum key size enforced by RACF is 1024 for keys generated
with RSA using software, 2048 for keys generated using a PCI-class
cryptographic coprocessor or keys generated with DSA using software. 
</quote>

It sounds like you are not using the PCI crypto processing, and so you've
simply hit RACF's software limit of 1024-bit RSA keys.  Use the hardware and
you can have stronger certificates.

While there are US export restrictions, as far as I know US law does not
prevent exporting the 2048-bit hardware capability to Germany.

-- 
  Walt Farrell, CISSP
  IBM STSM, z/OS Security Design

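For readers who want to see what "use the hardware" looks like in practice, here is an added example of a batch TSO job that generates a 2048-bit RSA certificate on the PCI-class coprocessor and then lists it. This is not part of the original post or of IBM documentation; the job name, user ID (WEBSRV), label, distinguished name and expiry date are invented placeholders, and the operand spelling (SIZE, PCICC, NOTAFTER) is assumed from the RACDCERT GENCERT syntax as this editor recalls it, so check it against the RACF Command Language Reference for your release. Omitting the PCICC operand makes RACF generate the key in software, which per the quoted reference is capped at 1024 bits and is the case that produced the IRRD125I message in the original report.

```jcl
//GENCERT  JOB (ACCT),'RACDCERT 2048',CLASS=A,MSGCLASS=X
//* Run RACDCERT under the TSO batch TMP (IKJEFT01)
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  /* Generate a 2048-bit RSA key pair on the PCI-class coprocessor.   */
  /* Without PCICC the key is generated in software and SIZE(2048)    */
  /* is rejected with IRRD125I (software RSA limit is 1024 bits).     */
  RACDCERT ID(WEBSRV) GENCERT                         +
     SUBJECTSDN(CN('www.example.com') O('Example Org') C('DE')) +
     WITHLABEL('WEBSRV2048')                          +
     SIZE(2048) PCICC                                 +
     NOTAFTER(DATE(2010-01-24))
  /* Confirm the key size and label that RACF recorded. */
  RACDCERT ID(WEBSRV) LIST(LABEL('WEBSRV2048'))
/*
```

The LIST output should show the private key size as 2048 and indicate that the private key is held by the coprocessor (PKDS) rather than in the RACF database; if it shows 1024 or a software key, the PCICC path was not taken and the job should be checked against the installation's ICSF setup.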
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html