Well, you can encrypt a protected key with PCKMO (Perform cryptographic 
management operation) instruction, as appears to be done in some of the white 
paper tests, so I'm not convinced CEX is absolutely required. However, I see 
little sense, as I said before, in doing such a thing. It would somewhat void 
the point of having protected (i.e. secure) keys in the first place.  

I didn't feel the point important enough to comment on before.
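As an added illustration that is not part of either message in this thread, the model below separates the three key forms the quoted guide distinguishes (clear key, secure key under the CEX master key, protected key under a per-LPAR wrapping key in HSA) and shows why the PCKMO path needs no CEX while the resulting key still cannot be used from another LPAR. The HMAC-based wrapping, the stand-in cipher and the 8-byte verification pattern are modelling assumptions, not the real CPACF formats.

```python
import hashlib, hmac, os

def _wrap(wrapping_key: bytes, key_material: bytes) -> bytes:
    # Stand-in for the real AES/T-DES key wrapping: XOR with an HMAC keystream.
    stream = hmac.new(wrapping_key, b"wrap", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(key_material, stream))

class CryptoExpress:
    """CEX coprocessor: secure keys are encrypted under its master key."""
    def __init__(self) -> None:
        self._master_key = os.urandom(32)  # never leaves the card
    def clear_to_secure(self, clear_key: bytes) -> bytes:
        return _wrap(self._master_key, clear_key)
    def secure_to_protected(self, secure_key: bytes, lpar: "Lpar") -> bytes:
        # Unwrapped under the master key inside the card, rewrapped for one LPAR.
        return lpar.pckmo(_wrap(self._master_key, secure_key))

class Lpar:
    """Firmware view of one LPAR: the wrapping key sits in HSA, firmware-only."""
    def __init__(self, name: str) -> None:
        self.name = name
        self._wrapping_key = os.urandom(32)  # generated by CPACF code
        # Verification pattern (modelling assumption) so CPACF can reject foreign keys.
        self._wkvp = hashlib.sha256(self._wrapping_key).digest()[:8]
    def pckmo(self, clear_key: bytes) -> bytes:
        """PCKMO: clear key in, protected key out; no CEX on this path."""
        return self._wkvp + _wrap(self._wrapping_key, clear_key)
    def cpacf_encrypt(self, protected_key: bytes, data: bytes) -> bytes:
        """CPACF unwraps inside the instruction; the clear key never reaches OS/app."""
        wkvp, wrapped = protected_key[:8], protected_key[8:]
        if wkvp != self._wkvp:
            raise ValueError(f"protected key was not wrapped for LPAR {self.name}")
        clear_key = _wrap(self._wrapping_key, wrapped)
        stream = hmac.new(clear_key, b"data", hashlib.sha256).digest()
        return bytes(a ^ b for a, b in zip(data, stream))

def demo() -> dict:
    cex, lpar_a, lpar_b = CryptoExpress(), Lpar("A"), Lpar("B")
    clear_key, data = os.urandom(32), b"constructed sample record"
    pk_from_clear = lpar_a.pckmo(clear_key)            # PCKMO-only path
    secure_key = cex.clear_to_secure(clear_key)        # CEX path
    pk_from_secure = cex.secure_to_protected(secure_key, lpar_a)
    try:
        lpar_b.cpacf_encrypt(pk_from_clear, data)
        shareable = True
    except ValueError:
        shareable = False
    same = lpar_a.cpacf_encrypt(pk_from_clear, data) == lpar_a.cpacf_encrypt(pk_from_secure, data)
    return {"both_paths_agree": same, "shareable_across_lpars": shareable}
```

Both conversion paths yield a key that behaves identically inside LPAR A, which is the point of the PCKMO shortcut and also why it bypasses the protection a secure key would have had.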

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Tom Ambros
Sent: Monday, 9 July 2012 16:22
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Secure Encryption Keys vs Protected Keys

Phil Smith wrote: 

"Yes, Protected Key requires ICSF and a CEX."

Should that not read "Yes, Secure Key requires ICSF and a CEX."?

Blatant plagiarism follows from my copy of the z196 Tech Guide, Section 
6.2.2 'CPACF Protected key': 

"The zEnterprise CPCs support the protected key implementation. Since PCIXCC deployment, secure keys are processed on the PCI-X and PCIe cards, requiring an asynchronous operation to move the data and keys from the general purpose CP to the crypto cards. Clear keys process faster than secure keys because the process is done synchronously on the CPACF. Protected keys blend the security of Crypto Express3 coprocessors (CEX3C) and the performance characteristics of the CPACF, running closer to the speed of clear keys.

An enhancement to CPACF facilitates the continued privacy of cryptographic key material when used for data encryption. In Crypto Express3 coprocessors, a secure key is encrypted under a master key, whereas a protected key is encrypted under a wrapping key that is unique to each LPAR. After the wrapping key is unique to each LPAR, a protected key cannot be shared with another LPAR. CPACF, using key wrapping, ensures that key material is not visible to applications or operating systems during encryption operations.

CPACF code generates the wrapping key and stores it in the protected area of hardware system area (HSA). The wrapping key is accessible only by firmware. It cannot be accessed by operating systems or applications. DES/T-DES and AES algorithms were implemented in CPACF code with support of hardware assist functions. Two variations of wrapping key are generated, one for DES/T-DES keys and another for AES keys."

Note that CPACF generates the wrapping key and the use of the term 'protected key' in this context. Thus my confusion: I am not entirely sure that the CEX hardware is required in this case. I see the distinction that is drawn between 'secure key' and 'protected key' and I believe it is significant.


Thomas Ambros
Operating Systems and Connectivity Engineering
518-436-6433


----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN