Timothy, You forgot to mention the other alternative for using CPACF facilities - direct application-level HLASM coding. I did that once a long while ago, in the era before protected clear keys, for encryption of a single field in a huge business record, security provided by "hiding" the encryption key value (I know, not very secure at all, but it was a short-term urgent business necessity). Long since replaced of course by more modern and far more secure methods, but the CPACF hardware facility is there to use (assuming it is turned on) should one have the need, and with protected clear keys it can even be somewhat secure.
Of course, it's probably only curious old dinosaurs like me who would even think of "roll your own" for an encryption need when these days there is so much infrastructure available to do the work for you.

Peter

From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of Timothy Sipples
Sent: Wednesday, January 24, 2024 5:20 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Encryption and decryption - processor or TCPIP

>So Timothy (and probably just for me), I've seen a couple
>of sites without crypto HSM cards not bother to run ICSF.
>Can I assume in that case there's pretty-much no way any
>encryption processing could be using CPACF?

ICSF supports many, many cryptography-dependent features in z/OS. Even many business applications that just need a simple API to get a random number rely on ICSF. ICSF is "darn important."

But the way you phrased your question I'd answer no. It's technically possible to exploit CPACF even from within z/OS but without calling ICSF. One simple example that comes to mind is via the z/OS Container Extensions (zCX). You could have a running container image in zCX that's using CPACF instructions - via an OpenSSL library, for example. (OpenSSL on this architecture knows how to exploit CPACF instructions and has for many years.) However, the container image has no direct access to ICSF.
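A defender-side check for the zCX/OpenSSL case Timothy describes, added here as an example and not part of either message: inside a Linux-on-Z container, CPACF availability is visible in /proc/cpuinfo without any ICSF involvement. The script parses the "facilities" line for STFLE facility 17 (message-security assist, i.e. CPACF) and 76 (MSA extension 3, the protected-key functions Peter alludes to). The cpuinfo text is a constructed sample, not captured from a real machine; the function names are the example's own.

```shell
#!/bin/sh
# Constructed sample of s390x /proc/cpuinfo header lines (not from a real system).
SAMPLE_CPUINFO='vendor_id       : IBM/S390
# processors    : 2
features        : esan3 zarch stfle msa ldisp eimm dfp edat etf3eh highgprs te vx sie
facilities      : 0 1 2 3 4 6 7 8 9 10 12 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 30 31 32 33 34 35 36 37 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 57 58 59 60 61 64 65 66 67 68 69 70 71 72 73 75 76 77 78 80 81 82 128 129 130 131'

# Constructed sample with the MSA facilities (17, 76, 77) absent.
SAMPLE_NO_MSA='vendor_id       : IBM/S390
features        : esan3 zarch stfle ldisp eimm dfp
facilities      : 0 1 2 3 4 6 7 8 9 10 12 14 15 16 18 19 20 21 22 23 24 25'

# has_facility NUMBER CPUINFO_TEXT
# Exit 0 if NUMBER appears on the "facilities : n n n ..." line, else 1.
# Fields: $1 is "facilities", $2 is ":", the facility numbers start at $3.
has_facility() {
    printf '%s\n' "$2" | awk -v want="$1" '
        $1 == "facilities" { for (i = 3; i <= NF; i++) if ($i == want) found = 1 }
        END { exit found ? 0 : 1 }'
}

# cpacf_status CPUINFO_TEXT
# Prints: none (no CPACF), cpacf (clear-key CPACF only),
# or cpacf+protected-key (CPACF with MSA-3 protected-key functions).
cpacf_status() {
    if ! has_facility 17 "$1"; then
        echo none
        return 0
    fi
    if has_facility 76 "$1"; then
        echo "cpacf+protected-key"
    else
        echo cpacf
    fi
}

# Report on the live machine when /proc/cpuinfo is readable (a non-s390x host
# has no "facilities" line and therefore reports "none"), then on the samples.
if [ -r /proc/cpuinfo ]; then
    echo "live host: $(cpacf_status "$(cat /proc/cpuinfo)")"
fi
echo "sample with MSA:    $(cpacf_status "$SAMPLE_CPUINFO")"
echo "sample without MSA: $(cpacf_status "$SAMPLE_NO_MSA")"
```

Seeing "cpacf+protected-key" in a container confirms only that the hardware functions are reachable by libraries such as OpenSSL; whether any given workload actually uses them is a separate question that ICSF accounting will not answer, since the container never calls ICSF.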