Radoslaw,

Apologies for my derelict statements below. Obviously I was suffering 
brain-fade.

My first encounters with protected key processing are shown in this redbook.
https://www.redbooks.ibm.com/abstracts/sg247848.html?Open 
There are examples there of using protected keys with the CSNBSYE service. 

My statement of the storage of the protected key itself was of course 
completely wrong. A good explanation of the mechanisms is shown in this 
redbook. 
https://www.redbooks.ibm.com/abstracts/sg248410.html in section 3.5.6.

Regards,
Lennie

Lennie Dymoke-Bradshaw
https://rsclweb.com 
‘Dance like no one is watching. Encrypt like everyone is.’

-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of 
Lennie Dymoke-Bradshaw
Sent: 10 June 2022 16:56
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Encrypted dataset - any eye catcher?

I stand corrected.
Lennie

-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of 
Eric D Rossman
Sent: 10 June 2022 13:13
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Encrypted dataset - any eye catcher?

The service used is CSNBKRR2 with rule PROTKEY (and rule BYPAUTH [older z/OSes] 
or DSENC [newer z/OSes]).

It is in fetch-protected storage for use by 
PCC(PCC-Compute-XTS-Parameter-Using-Encrypted-AES-256) and 
KM(KM-XTS-Encrypted-AES-256).

Eric Rossman, CISSP
ICSF Cryptographic Security Development
z/OS Enabling Technologies
edros...@us.ibm.com

-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of 
Lennie Dymoke-Bradshaw
Sent: Friday, June 10, 2022 8:05 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: [EXTERNAL] Re: Encrypted dataset - any eye catcher?

Radoslaw,

There is an ICSF call used during data set encryption which extracts the secure 
key from the CKDS and stores it in an encrypted form in "non-addressable" 
memory for use by the CPACF instructions (e.g. KMC) which process data using 
protected keys. That ICSF service (I think it is CSNBSYE with KEYIDENT in the 
rule-array) uses the Crypto Express device.

Lennie Dymoke-Bradshaw
https://rsclweb.com
‘Dance like no one is watching. Encrypt like everyone is.’


-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of 
Radoslaw Skorupka
Sent: 10 June 2022 12:08
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Encrypted dataset - any eye catcher?

This is up to the user.
IBM *strongly recommends* that the key be kept as a secure key.
However, for non-production environments it is possible to use Pervasive 
Encryption without CryptoExpress cards. It's fine that you don't have to buy 
yet another CEXC.

BTW: Pervasive Encryption is never serviced by CryptoExpress cards and secure 
keys. For performance reasons it is serviced by CPACF and a protected key. 
The CryptoExpress CCA Coprocessor is needed only to keep the dataset key safe 
(encrypted under the MK) in the CKDS.

Note: A protected key is neither a secure key nor a clear key. Technically it is 
not clear, but the way of protecting the key is not certified by authorities 
and standards.

--
Radoslaw Skorupka
Lodz, Poland




On 09.06.2022 at 13:35, Lennie Dymoke-Bradshaw wrote:
> I was under the impression that there is no technical requirement for the key 
> to be a secure key. So data encryption can be used with clear keys in the 
> CKDS when a Crypto Express is not available.
>
> Lennie Dymoke-Bradshaw
> https://rsclweb.com
> ‘Dance like no one is watching. Encrypt like everyone is.’
>
> -----Original Message-----
> From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On 
> Behalf Of Mark Jacobs
> Sent: 09 June 2022 01:48
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: Encrypted dataset - any eye catcher?
>
> I found this in a 2017 IBM Security presentation. So it looks like it's 
> XTS-AES.
>
> Key label: 64-byte label of an existing key in the ICSF CKDS used for 
> access method encryption/decryption. Encryption type: AES-256 bit data 
> key (XTS, protected key). Note: AES-256 key must be generated as a 
> secure key (i.e. protected by crypto express AES Master Key)
>
> Mark Jacobs
>
> Sent from ProtonMail, Swiss-based encrypted email.
>
> GPG Public Key - (link removed)
>
>
> ------- Original Message -------
> On Wednesday, June 8th, 2022 at 8:38 PM, Phil Smith III <li...@akphs.com> 
> wrote:
>
>
>> Radoslaw's question makes me ask a pure curiosity question: what AES 
>> mode is used by z/OS data set encryption? I Googled but all I found 
>> was "256-bit AES", which doesn't answer the question.

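Added example, not part of this thread and not IBM's ICSF or CPACF code: a pure-Python AES-XTS that mirrors the two-step split Eric describes. `_xts_tweaks` plays the role of PCC-Compute-XTS-Parameter (encrypt the data-unit number under the second key, then step the tweak through GF(2^128)); `encrypt_block` plays the role of KM-XTS (one AES block per 16 bytes, tweak XORed in before and after). Assumptions: the IEEE 1619 key layout Key1 || Key2 (64 bytes for AES-256-XTS), a little-endian 128-bit data-unit number, and data units that are whole 16-byte blocks (ciphertext stealing is left out). The names `xts_crypt`, `encrypt_block` and the sample record are mine, not anything from z/OS. The caveat that matters for this thread: here the clear key is an ordinary Python object, which is exactly what a protected key avoids, so this is for understanding the mode, not for encrypting anything.

```python
"""AES-XTS (IEEE 1619) in pure Python: a constructed illustration, not ICSF or CPACF code.
The tweak step plays the role of PCC-Compute-XTS-Parameter, the per-block step that of KM-XTS.
Unlike a protected key, the clear key lives in ordinary memory here; study only, never for real data."""
from functools import reduce
from operator import xor

def _xtime(a):
    """Multiply by x in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    return ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1

def _gmul(a, b):
    """General GF(2^8) product (S-box construction and MixColumns)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r

def _build_sbox():
    """S[x] = affine transform of the multiplicative inverse of x, so S[0] = 0x63."""
    sbox = [0] * 256
    for x in range(256):
        s = r = next((y for y in range(1, 256) if _gmul(x, y) == 1), 0)
        for _ in range(4):
            r = ((r << 1) | (r >> 7)) & 0xFF
            s ^= r
        sbox[x] = s ^ 0x63
    return sbox

SBOX = _build_sbox()
INV_SBOX = [SBOX.index(i) for i in range(256)]

def expand_key(key):
    """FIPS-197 key schedule: Nr+1 round keys of 16 bytes; state index = column*4 + row."""
    nk, words = len(key) // 4, [list(key[i:i + 4]) for i in range(0, len(key), 4)]
    nr, rcon = nk + 6, 1
    for i in range(nk, 4 * (nr + 1)):
        t = list(words[i - 1])
        if i % nk == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0], rcon = t[0] ^ rcon, _xtime(rcon)
        elif nk > 6 and i % nk == 4:
            t = [SBOX[b] for b in t]
        words.append([a ^ b for a, b in zip(words[i - nk], t)])
    return [sum(words[4 * r:4 * r + 4], []) for r in range(nr + 1)]

def _shift_rows(s, sign):
    """Row r rotates by r columns; sign=1 forward, sign=-1 inverse."""
    return [s[((c + sign * r) % 4) * 4 + r] for c in range(4) for r in range(4)]

def _mix_columns(s, coef):
    """(Inv)MixColumns: each column times the circulant matrix generated by coef."""
    return [reduce(xor, (_gmul(s[c * 4 + k], coef[(k - j) % 4]) for k in range(4)))
            for c in range(4) for j in range(4)]

def encrypt_block(rk, block):
    """One AES block encryption under expanded key rk (what KM-XTS applies per block)."""
    s = bytes(map(xor, block, rk[0]))
    for rnd in range(1, len(rk)):
        s = _shift_rows([SBOX[b] for b in s], 1)
        if rnd < len(rk) - 1:
            s = _mix_columns(s, (2, 3, 1, 1))
        s = bytes(map(xor, s, rk[rnd]))
    return s

def decrypt_block(rk, block):
    s = bytes(map(xor, block, rk[-1]))
    for rnd in range(len(rk) - 2, -1, -1):
        s = bytes(map(xor, [INV_SBOX[b] for b in _shift_rows(s, -1)], rk[rnd]))
        if rnd:
            s = _mix_columns(s, (14, 11, 13, 9))
    return s

def _xts_tweaks(rk2, unit_number, nblocks):
    """T_0 = AES_K2(i) with i little-endian (the PCC step), then T_j = T_{j-1} * alpha in GF(2^128)."""
    t = int.from_bytes(encrypt_block(rk2, unit_number.to_bytes(16, "little")), "little")
    for _ in range(nblocks):
        yield t.to_bytes(16, "little")
        t <<= 1
        if t >> 128:
            t = (t ^ 0x87) & ((1 << 128) - 1)

def xts_crypt(key, unit_number, data, decrypt=False):
    """IEEE 1619 XTS, key = Key1 || Key2 (2x16 or 2x32 bytes), whole 16-byte blocks only;
    ciphertext stealing for a partial last block is left out of this example."""
    if len(data) % 16 or len(key) not in (32, 64):
        raise ValueError("data must be whole 16-byte blocks; key must be 32 or 64 bytes")
    rk1, rk2 = expand_key(key[:len(key) // 2]), expand_key(key[len(key) // 2:])
    core, blocks = (decrypt_block if decrypt else encrypt_block), [data[i:i + 16] for i in range(0, len(data), 16)]
    tweaks = _xts_tweaks(rk2, unit_number, len(blocks))
    return b"".join(bytes(map(xor, core(rk1, bytes(map(xor, blk, t))), t)) for blk, t in zip(blocks, tweaks))

if __name__ == "__main__":
    key, rec = bytes(range(64)), b"CUSTOMER-RECORD!" * 3   # constructed AES-256-XTS key, 3-block data unit
    ct = xts_crypt(key, 7, rec)
    assert xts_crypt(key, 7, ct, decrypt=True) == rec
    assert len({ct[i:i + 16] for i in range(0, 48, 16)}) == 3   # equal plaintext blocks, distinct ciphertext
    print("xts ok:", ct.hex())
```

Run directly, it encrypts a constructed three-block record and checks the round trip; the three identical plaintext blocks come out as three different ciphertext blocks because each position gets its own tweak, and the same record under a different data-unit number gives different ciphertext again, which is the property that makes XTS suitable for fixed-position storage like a data set. The natural external checks are the FIPS-197 Appendix C known-answer blocks for `encrypt_block` and IEEE 1619 vector 1 (all-zero key, tweak and 32-byte plaintext) for `xts_crypt`.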
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

