Well, I found the information about KVV in some IBM presentations, like
IBM Client Center Montpellier - September 19-22, 2017
IBM Z Security Conference
or
Pervasive Encryption Overview
- z/OS Data Set Encryption, November 15, 2018
both authored by Cecilia Carranza Lewis.
Maybe I misunderstood something.

Regarding the issue - obviously the authors know better than a user. :-)
I tried to read a shared dataset with no key present and with a key present, same label, different value. Now the question: how does the system know the key is different? Does it happen before open? My understanding (it seems, a wrong one) was quite simple: the first check is the key label. The next check is a key hash or some other way of comparing key values without knowing them.

--
Radoslaw Skorupka
Lodz, Poland



On 24.06.2022 at 22:03, Eric D Rossman wrote:
While it is true that you can use different CKDS, the label must refer to the 
same key (even under different master keys) or you won't be able to open the 
dataset.

There is no KVV anywhere. The value in the catalog for each encrypted dataset 
is unique to that dataset and is not directly related to the key. You will know 
if you have the correct keys by trying to open the dataset.

Eric Rossman, CISSP
ICSF Cryptographic Security Development
z/OS Enabling Technologies
edros...@us.ibm.com

-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of 
Radoslaw Skorupka
Sent: Friday, June 24, 2022 3:35 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: [EXTERNAL] Re: Encrypted datasets - question about key (pervasive 
encryption)

Well, labels are unique within the ICSF realm or, more precisely, the CKDS.
However, it is possible to share a dataset between systems, non-sysplexed to 
simplify the considerations. And it is possible (by mistake) to have the same 
labels but different key values. Or just replace the key by mistake.

KVV - I meant Key Verification Value.


--
Radoslaw Skorupka
Lodz, Poland




On 24.06.2022 at 20:08, Eric D Rossman wrote:
Labels for dataset encryption keys (DATA or CIPHER) are unique. You cannot have the same 
label with different types where one of the types is DATA or CIPHER. What "KVV" 
are you referring to?

Eric Rossman, CISSP
ICSF Cryptographic Security Development
z/OS Enabling Technologies
edros...@us.ibm.com

-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of 
Radoslaw Skorupka
Sent: Friday, June 24, 2022 9:14 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: [EXTERNAL] Encrypted datasets - question about key (pervasive 
encryption)

An encrypted dataset can be easily recognized using ISPF/PDF 3.4 - I line commands.
However, "Encrypted - YES" does not contain some important details.
The next step could be IDCAMS LISTCAT ENT(dataset) - it shows the key label.
However, in some cases it is possible to have two different keys with the same 
label. I guess that's why the KVV is recorded in the VVDS.
Now the question: how to get information about the KVV without digging in VVDS 
structures?

--
Radoslaw Skorupka
Lodz, Poland


----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
