"SSL" (or TLS) is a client-server secure connection protocol, not a
file/disk encryption protocol.
It involves both:
a) key exchange (handshake) which uses asymmetric key operations
(handshake happens once or periodically for long sessions)
b) symmetric ciphers using a shared session key negotiated by (a)
(ciphers are used for encrypting each block of data)
Crypto Express is the best for (a), but not for (b).
CPACF is best for (b), but doesn't do (a).
CPACF does either clear-key or wrapped-key symmetric ciphers.
S/MIME, which is similar to SSL would be commonly used for file encryption,
as would CMS or PGP.
For any of these, the actual cipher (AES) would be best done with CPACF on
z.
FWIW, you can use CPACF Ciphers via ICSF calls or direct use of the CPACF
instructions.
Kirk Wolf
Dovetailed Technologies
http://dovetail.com
On Thu, Jun 15, 2017 at 1:14 AM, Arye Shemer <aryeshe...@gmail.com> wrote:
> Hello Todd,
> I'll try answer your questions as best I can.
> 1. I am talking about z/VM z/VSE customer who is using currently CPACF to
> encrypt data going to the disk and (I am not sure)
> some software using CPACF for SSL.
> 2. Customer predict workload increase and expect to get more performance
> using the Crypto Express especially in the growing SSL
> demand
> 3. Customer is currently using CPACF with key length of 128 bits for clear
> key encryption and (by internal demand) expect to move to 256 bits with the
> Crypto Express
> 4. As far as I know there are no immediate requirements for high secured
> key protection (which provided of course
> by the Crypto Express)
> 5. The Crypto Express is offered to the customer for marketing reasons (Can
> not elaborate and have to leave it vague)
>
> Thanks for your interests and suggestions,
>
> Arye.
>
> On Wed, Jun 14, 2017 at 3:46 PM, Todd Arnold <arno...@us.ibm.com> wrote:
>
> > As Phil said:
> > > (arguably the firmware is slightly less secure than the
> tamper-resistant
> > HSM, but the memory
> > > used in the firmware to hold that key is protected-it's apparently not
> > even visible in HMC dumps)
> >
> > That is correct. The memory where the key is held is associated with the
> > CPACF hardware and its operation. That memory is part of the internal z
> > hardware and is completely separate from any memory that the applications
> > or operating system can see or use.
> >
> > ----------------------------------------------------------------------
> > For IBM-MAIN subscribe / signoff / archive access instructions,
> > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> >
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
