subject:"Re\: IBM Mainframe \(1980's\) on You tube"

CCA (was Re: IBM Mainframe (1980's) on You tube)

2013-03-21 Thread Frank Swarbrick

I don't know much about TR-31, other than the little I've read about it in the 
ICSF documentation.  I do remember our Thales vendor trying to sell it to us 
some years ago, and I couldn't understand a word he was saying!  Now that I 
understand it a bit more I find it interesting, but rather useless until our 
"partners" (Visa, MasterCard, our ATM vendor) support it.  And I've heard no 
indication that any of them have it on their radar.

Frank




>
> From: Todd Arnold 
>To: IBM-MAIN@LISTSERV.UA.EDU 
>Sent: Wednesday, March 20, 2013 6:41 AM
>Subject: Re: IBM Mainframe (1980's) on You tube
> 
>Two points...
>
>(1)  Remember that when IBM invented CCA back in the late 1980s, there really 
>were no other HSMs - thus, there were no other crypto architectures in the 
>banking world to be "compatible" with.  I suppose other vendors who came along 
>and developed HSMs could have adopted CCA, but they developed their own APIs 
>and architectures.  IBM, of course, had no way to make our own CCA any kind of 
>"standard" for the industry.  
>
>(2)  Compatibility for interchange has always been a problem, and the solution 
>for key exchange has generally been to use a least common denominator 
>approach, simply wrapping keys with TDES in ECB mode with no associated 
>type/usage information or other metadata.  Dissimilar systems generally strip 
>off their proprietary metadata when exporting the key, then the receiving 
>system binds its own proprietary metadata structures to the key when importing 
>it.  This obviously is not the best approach in terms of security, but it's 
>what everyone has done all these years.  Now, there is the TR-31 key block 
>format which has improved somewhat on that situation, but TR-31 also has 
>significant problems.  It defines its own fixed set of key metadata, which of 
>course is not entirely compatible with anything the preceded it and does not 
>generally match up exactly with any vendor's HSM architecture, so translations 
>have to occur and in the process security
 information is lost or interpreted differently.  Furthermore, different 
vendors have interpreted the meaning of the key type/usage in TR-31 in 
different ways, so the restrictions you think you defined for a key may not be 
enforced in quite the way you thought when the key reaches some other device.  
One example is that TR-31 has rather coarse key typing and usage, whereas CCA 
has much finer granularity and lets you control the key much more tightly.  
When translating a CCA key to TR-31 format, all that extra control has to be 
discarded so that you use only the attributes defined in TR-31.  Conversely, 
when importing a TR-31 key into CCA, you have to somehow create all the extra, 
more detailed control attributes that are not present in TR-31, and the only 
way to do that is to let the application program tell CCA what to do.
>
>--
>For IBM-MAIN subscribe / signoff / archive access instructions,
>send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
>
>

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: IBM Mainframe (1980's) on You tube

2013-03-20 Thread Elardus Engelbrecht

Anne & Lynn Wheeler wrote:

>(as an aside, after power-on/test sequence ... those circuits get destroyed).

Destroyed after such sequence? I'm having trouble swallowing your statement. ;-D

If you, for example, do that in the factory just to test it out before shipping 
to the customer, it is destroyed?

Are you not meaning 'those key get destroyed'? Or do I misunderstand you?

Thanks for your post anyway.

And thanks to J R and zMan for your reply too about that acronym!

Groete / Greetings
Elardus Engelbrecht

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: IBM Mainframe (1980's) on You tube

2013-03-20 Thread Peter Eggebeen

>From the Thales manual titled 'SRM for IBM zOS' document 1270A516-006 page
11 1.1 introduction

"Many applications, particularly in the banking area, require security to
be integrated into their design.  Generally, this security is best provided
by adding hardware based Host Security Modules (HSMs), as opposed to
software solutions."



Pete Eggebeen
Senior Systems Engineer
Mainframe Storage Management
Kohl's Corporation


On Wed, Mar 20, 2013 at 9:04 AM, J R  wrote:

> Correct.  Hardware Security Module is the more generic term.
>
> Host Security Module is the Racal/Thales offering.  Many still use the
> term generically.
>
> =
> =
>  > Date: Wed, 20 Mar 2013 09:41:54 -0400
> > From: zedgarhoo...@gmail.com
> > Subject: Re: IBM Mainframe (1980's) on You tube
> > To: IBM-MAIN@LISTSERV.UA.EDU
> >
> > HARDWARE Security Module.
> >
> > On Wed, Mar 20, 2013 at 9:09 AM, J R  wrote:
> >
> > > Host Security Module.
> > >  > Date: Wed, 20 Mar 2013 07:52:04 -0500
> > > > From: elardus.engelbre...@sita.co.za
> > > > Subject: Re: IBM Mainframe (1980's) on You tube
> > > > To: IBM-MAIN@LISTSERV.UA.EDU
> > > >
> > > > Todd Arnold wrote:
> > > >
> > > > > no other HSMs -
> > > > > vendor's HSM architecture,
> > > >
> > > > What is HSM in this context?
> > > >
> > > > Of course, I searched before posting, but found over 270 ambiguous
> > > definitions...
> > > >
> > > > Groete / Greetings
> > > > Elardus Engelbrecht
> > >
> > > --
> > > For IBM-MAIN subscribe / signoff / archive access instructions,
> > > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> > >
> >
> >
> >
> > --
> > zMan -- "I've got a mainframe and I'm not afraid to use it"
> >
> > --
> > For IBM-MAIN subscribe / signoff / archive access instructions,
> > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
CONFIDENTIALITY NOTICE:
This is a transmission from Kohl's Department Stores, Inc.
and may contain information which is confidential and proprietary.
If you are not the addressee, any disclosure, copying or distribution or use of 
the contents of this message is expressly prohibited.
If you have received this transmission in error, please destroy it and notify 
us immediately at 262-703-7000.

CAUTION:
Internet and e-mail communications are Kohl's property and Kohl's reserves the 
right to retrieve and read any message created, sent and received. Kohl's 
reserves the right to monitor messages by authorized Kohl's Associates at any 
time
without any further consent.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: IBM Mainframe (1980's) on You tube

2013-03-20 Thread Anne & Lynn Wheeler

jayare...@hotmail.com (J R) writes:
> Correct.  Hardware Security Module is the more generic term.  
>
> Host Security Module is the Racal/Thales offering.  Many still use the term 
> generically.  

re:
http://www.garlic.com/~lynn/2013d.html#1 IBM Mainframe (1980's) on You tube

Last decade, I had done design for new security chip and was looking at
having it fab'ed at a new secure facility in Dresden.

In the 90s, I had semi-facetiously commented that I would take a $500
mil-spec chip, aggresively cost-reduce it by 2-3 orders of magnitude
while improving the integrity.

In walk-through/audit of the facility, they wanted to charge me several
cents to have HSM generate public-key pair and inject it into the chip
(also added a couple minutes to processing for each chip)

Since I wanted the chip well under a dollar, that several cents were
significant. I pointed out that the chip had a secure key generation
incorporated into the power-on/test cycle ... and wouldn't need HSM
processing (or the elapsed time). The secure key generation during
power-on/test cycle actually speeded up the power-on/test sequence and
the generated public key was exported as part of the power-on/test
sequence validation data (the private key would never be exported).  Not
only wouldn't I need the HSM, extra time & cost ... but shouldn't I get
a credit for speeding up the power-on/test sequence (as an aside, after
power-on/test sequence ... those circuits get destroyed).

reference to bunch of patents on the subject
http://www.garlic.com/~lynn/x959.html#aads

old email discussing pgp-like public key email on the internal network
http://www.garlic.com/~lynn/2007d.html#email810506
http://www.garlic.com/~lynn/2006w.html#email810515

other old email about public key ... mentioning "The current MVS
Cryptographic Subsystem key management scheme is a perfect example of
the morass that faces us in 'automatically' managing keys"
http://www.garlic.com/~lynn/2007d.html#email841218

and another quote "which, to SNA product developers always seem to be
either inept, uninformed, or irrelevant"
http://www.garlic.com/~lynn/2007b.html#email841226

mentions cost of racal box ... would contributed to getting me involved
as mentioned in post upthread, I wanted under $100, and capable of
3mbyte/sec ... this mentions $3,200/box running 128kbit/sec
http://www.garlic.com/~lynn/2006.html#email850701

-- 
virtualization experience starting Jan1968, online at home since Mar1970

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: IBM Mainframe (1980's) on You tube

2013-03-20 Thread J R

Correct.  Hardware Security Module is the more generic term.  

Host Security Module is the Racal/Thales offering.  Many still use the term 
generically.  

=
=
 > Date: Wed, 20 Mar 2013 09:41:54 -0400
> From: zedgarhoo...@gmail.com
> Subject: Re: IBM Mainframe (1980's) on You tube
> To: IBM-MAIN@LISTSERV.UA.EDU
> 
> HARDWARE Security Module.
> 
> On Wed, Mar 20, 2013 at 9:09 AM, J R  wrote:
> 
> > Host Security Module.
> >  > Date: Wed, 20 Mar 2013 07:52:04 -0500
> > > From: elardus.engelbre...@sita.co.za
> > > Subject: Re: IBM Mainframe (1980's) on You tube
> > > To: IBM-MAIN@LISTSERV.UA.EDU
> > >
> > > Todd Arnold wrote:
> > >
> > > > no other HSMs -
> > > > vendor's HSM architecture,
> > >
> > > What is HSM in this context?
> > >
> > > Of course, I searched before posting, but found over 270 ambiguous
> > definitions...
> > >
> > > Groete / Greetings
> > > Elardus Engelbrecht
> >
> > --
> > For IBM-MAIN subscribe / signoff / archive access instructions,
> > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> >
> 
> 
> 
> -- 
> zMan -- "I've got a mainframe and I'm not afraid to use it"
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
  
--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: IBM Mainframe (1980's) on You tube

2013-03-20 Thread zMan

HARDWARE Security Module.

On Wed, Mar 20, 2013 at 9:09 AM, J R  wrote:

> Host Security Module.
>  > Date: Wed, 20 Mar 2013 07:52:04 -0500
> > From: elardus.engelbre...@sita.co.za
> > Subject: Re: IBM Mainframe (1980's) on You tube
> > To: IBM-MAIN@LISTSERV.UA.EDU
> >
> > Todd Arnold wrote:
> >
> > > no other HSMs -
> > > vendor's HSM architecture,
> >
> > What is HSM in this context?
> >
> > Of course, I searched before posting, but found over 270 ambiguous
> definitions...
> >
> > Groete / Greetings
> > Elardus Engelbrecht
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>



-- 
zMan -- "I've got a mainframe and I'm not afraid to use it"

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: IBM Mainframe (1980's) on You tube

2013-03-20 Thread J R

Host Security Module.  
 > Date: Wed, 20 Mar 2013 07:52:04 -0500
> From: elardus.engelbre...@sita.co.za
> Subject: Re: IBM Mainframe (1980's) on You tube
> To: IBM-MAIN@LISTSERV.UA.EDU
> 
> Todd Arnold wrote:
> 
> > no other HSMs - 
> > vendor's HSM architecture, 
> 
> What is HSM in this context?
> 
> Of course, I searched before posting, but found over 270 ambiguous 
> definitions... 
> 
> Groete / Greetings
> Elardus Engelbrecht
  
--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: IBM Mainframe (1980's) on You tube

2013-03-20 Thread Elardus Engelbrecht

Todd Arnold wrote:

> no other HSMs - 
> vendor's HSM architecture, 

What is HSM in this context?

Of course, I searched before posting, but found over 270 ambiguous 
definitions... 

Groete / Greetings
Elardus Engelbrecht

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: IBM Mainframe (1980's) on You tube

2013-03-20 Thread Todd Arnold

Two points...

(1)  Remember that when IBM invented CCA back in the late 1980s, there really 
were no other HSMs - thus, there were no other crypto architectures in the 
banking world to be "compatible" with.  I suppose other vendors who came along 
and developed HSMs could have adopted CCA, but they developed their own APIs 
and architectures.  IBM, of course, had no way to make our own CCA any kind of 
"standard" for the industry.  
 
(2)  Compatibility for interchange has always been a problem, and the solution 
for key exchange has generally been to use a least common denominator approach, 
simply wrapping keys with TDES in ECB mode with no associated type/usage 
information or other metadata.  Dissimilar systems generally strip off their 
proprietary metadata when exporting the key, then the receiving system binds 
its own proprietary metadata structures to the key when importing it.  This 
obviously is not the best approach in terms of security, but it's what everyone 
has done all these years.  Now, there is the TR-31 key block format which has 
improved somewhat on that situation, but TR-31 also has significant problems.  
It defines its own fixed set of key metadata, which of course is not entirely 
compatible with anything the preceded it and does not generally match up 
exactly with any vendor's HSM architecture, so translations have to occur and 
in the process security information is lost or interpreted differently.  
Furthermore, different vendors have interpreted the meaning of the key 
type/usage in TR-31 in different ways, so the restrictions you think you 
defined for a key may not be enforced in quite the way you thought when the key 
reaches some other device.  One example is that TR-31 has rather coarse key 
typing and usage, whereas CCA has much finer granularity and lets you control 
the key much more tightly.  When translating a CCA key to TR-31 format, all 
that extra control has to be discarded so that you use only the attributes 
defined in TR-31.  Conversely, when importing a TR-31 key into CCA, you have to 
somehow create all the extra, more detailed control attributes that are not 
present in TR-31, and the only way to do that is to let the application program 
tell CCA what to do.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: IBM Mainframe (1980's) on You tube

2013-03-19 Thread Frank Swarbrick

Not holding my breath.  I just know that we communicate with other systems 
(VisaNet, MasterCard etc.) and hardware (NCR ATMs) that are "non-CCA 
compliant", and while sharing keys with these systems is supported under CCA it 
is fairly minimally documented.  So I was just curious if there were "systems" 
outside of those by IBM that supported what I might call "CCA conforming 
sharing of keys".



>
> From: Phil Smith 
>To: IBM-MAIN@LISTSERV.UA.EDU 
>Sent: Sunday, March 17, 2013 7:43 PM
>Subject: Re: IBM Mainframe (1980's) on You tube
> 
>Frank Swarbrick wrote:
>>I don't mean the applications that use it, but rather the implementations of 
>>CCA itself.  I've only found ICSF and CCA for Linux on IBM System z.
>>Since CCA is meant to be "common" I was wondering if it was implemented by 
>>anyone outside of IBM itself.
>
>Ah. I don't see the argument for that for the vendor: it's a lot of work, and 
>they're unlikely to need all the functions, so they're doing more work to 
>enable other folks to be able to port their products to that platform more 
>easily. And since (as Todd notes) IBM supports CCA on the four main platforms, 
>this would also mean implementing it for some rare system like HP/UX or 
>Stratus or something.
>
>So the net would be a lot of work on a platform that isn't mainstream to 
>support something that helps others. I wouldn't hold my breath!
>
>...phsiii
>
>--
>For IBM-MAIN subscribe / signoff / archive access instructions,
>send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
>
>

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: IBM Mainframe (1980's) on You tube

2013-03-19 Thread Frank Swarbrick

Thanks.  I had assume "common" to mean that it was common across vendors.  
Apparently it is common only across IBM platforms.



>
> From: Todd Arnold 
>To: IBM-MAIN@LISTSERV.UA.EDU 
>Sent: Sunday, March 17, 2013 7:32 PM
>Subject: Re: IBM Mainframe (1980's) on You tube
> 
>> I've only found ICSF and CCA for Linux on IBM System z.
>> Since CCA is meant to be "common" I was wondering if it was implemented by 
>> anyone outside of IBM itself.
>
>I don't know of any non-IBM products that are designed to support CCA, but it 
>is common to all the IBM platforms.  You've apparently only found it for the 
>mainframe (ICSF (z/OS) and Linux), but it is also supported - with the same 
>crypto cards - on Power systems running either AIX or IBM i, and on x86 
>servers running Linux or Windows (although Windows is by special contract 
>these days).  You can find some info on the cards and CCA for those systems 
>starting at http://www.ibm.com/security/cryptocards.
>
>- Todd Arnold
>
>--
>For IBM-MAIN subscribe / signoff / archive access instructions,
>send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
>
>

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: IBM Mainframe (1980's) on You tube

2013-03-17 Thread Phil Smith

Frank Swarbrick wrote:
>I don't mean the applications that use it, but rather the implementations of 
>CCA itself.  I've only found ICSF and CCA for Linux on IBM System z.
>Since CCA is meant to be "common" I was wondering if it was implemented by 
>anyone outside of IBM itself.

Ah. I don't see the argument for that for the vendor: it's a lot of work, and 
they're unlikely to need all the functions, so they're doing more work to 
enable other folks to be able to port their products to that platform more 
easily. And since (as Todd notes) IBM supports CCA on the four main platforms, 
this would also mean implementing it for some rare system like HP/UX or Stratus 
or something.

So the net would be a lot of work on a platform that isn't mainstream to 
support something that helps others. I wouldn't hold my breath!

...phsiii

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: IBM Mainframe (1980's) on You tube

2013-03-17 Thread Todd Arnold

> I've only found ICSF and CCA for Linux on IBM System z.
> Since CCA is meant to be "common" I was wondering if it was implemented by 
> anyone outside of IBM itself.

I don't know of any non-IBM products that are designed to support CCA, but it 
is common to all the IBM platforms.  You've apparently only found it for the 
mainframe (ICSF (z/OS) and Linux), but it is also supported - with the same 
crypto cards - on Power systems running either AIX or IBM i, and on x86 servers 
running Linux or Windows (although Windows is by special contract these days).  
You can find some info on the cards and CCA for those systems starting at 
http://www.ibm.com/security/cryptocards.

- Todd Arnold

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: IBM Mainframe (1980's) on You tube

2013-03-16 Thread Frank Swarbrick

I don't mean the applications that use it, but rather the implementations of 
CCA itself.  I've only found ICSF and CCA for Linux on IBM System z.
Since CCA is meant to be "common" I was wondering if it was implemented by 
anyone outside of IBM itself.



>
> From: Phil Smith 
>To: IBM-MAIN@LISTSERV.UA.EDU 
>Sent: Friday, March 15, 2013 2:56 PM
>Subject: Re: IBM Mainframe (1980's) on You tube
> 
>Frank Swarbrick wrote:
>>This reminds me of something I've wondered.  Are they any non-IBM products 
>>that support the Common Cryptographic Architecture?
>
>Define "support". Lots of products use ICSF. Lots of products use various 
>CCA-provided services, on various platforms.
>
>So...what do you really mean?
>
>Cheers,
>--
>...phsiii
>
>Phil Smith III
>p...@voltage.com<mailto:p...@voltage.com>
>Voltage Security, Inc.
>www.voltage.com<http://www.voltage.com/>
>(703) 476-4511 (home office)
>(703) 568-6662 (cell)
>
>
>--
>For IBM-MAIN subscribe / signoff / archive access instructions,
>send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
>
>

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: IBM Mainframe (1980's) on You tube

2013-03-15 Thread Phil Smith

Frank Swarbrick wrote:
>This reminds me of something I've wondered.  Are they any non-IBM products 
>that support the Common Cryptographic Architecture?

Define "support". Lots of products use ICSF. Lots of products use various 
CCA-provided services, on various platforms.

So...what do you really mean?

Cheers,
--
...phsiii

Phil Smith III
p...@voltage.com
Voltage Security, Inc.
www.voltage.com
(703) 476-4511 (home office)
(703) 568-6662 (cell)

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: IBM Mainframe (1980's) on You tube

2013-03-15 Thread Frank Swarbrick

This reminds me of something I've wondered.  Are they any non-IBM products that 
support the Common Cryptographic Architecture?



>
> From: Todd Arnold 
>To: IBM-MAIN@LISTSERV.UA.EDU 
>Sent: Thursday, March 14, 2013 8:42 AM
>Subject: Re: IBM Mainframe (1980's) on You tube
> 
>IBM had three channel-attached crypto units for the mainframes.
>
>1977 – IBM 3845 DES encryption unit
>
>1979 – IBM 3848 DES encryption unit - faster than the 3845, and added 
>Triple-DES
>   (yes, IBM already had Triple-DES in its products in 1979!)
>
>1989 – IBM Transaction Security System (TSS) which included the 4753.  The 
>4753 was the first product to offer the CCA architecture, and it is the 
>ancestor of all of the other crypto processors such as the Crypto Express 
>cards.
>
>Todd Arnold
>
>--
>For IBM-MAIN subscribe / signoff / archive access instructions,
>send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
>
>

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: IBM Mainframe (1980's) on You tube

2013-03-14 Thread Anne & Lynn Wheeler

arno...@us.ibm.com (Todd Arnold) writes:
> IBM had three channel-attached crypto units for the mainframes.
>
> 1977 – IBM 3845 DES encryption unit
>
> 1979 – IBM 3848 DES encryption unit - faster than the 3845, and added 
> Triple-DES
>(yes, IBM already had Triple-DES in its products in 1979!)
>
> 1989 – IBM Transaction Security System (TSS) which included the 4753.
> The 4753 was the first product to offer the CCA architecture, and it
> is the ancestor of all of the other crypto processors such as the
> Crypto Express cards.

in part to be used with IBM ATM machines
http://en.wikipedia.org/wiki/IBM_3624

in conjunction with PIN processing and authorizing financial
transactions 
http://en.wikipedia.org/wiki/Personal_identification_number

3624 pin processing had a weakness that could be exploited by an
attacker if they had access to the banks computers

discussed in more detail here (also referencing ibm 4758)
http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-560.pdf

disclaimer ... even tho I was in research at the time, I also had
offices and labs in the Los Gatos lab ... mentioned in the 3624 wiki
reference ...  which also references one of my old postings from 2004.

recent ibm reference
http://publib.boulder.ibm.com/infocenter/zos/v1r11/index.jsp?topic=/com.ibm.zos.r11.csfb300/pinkeys.htm

in the mid-80s, I was involved in doing another kind of twist on DES
... and the product crypto group (responsible for those IBM mainframe
DES units) complained that I had seriously weakened DES ... however,
after spending 3months in debate ... finally convinced them it was
significantly stronger than standard DES (instead of weaker) ... it was
hollow victory ... finding out that (at the time) there were 3-kinds of
crypto: 1) the kind they don't care about, 2) the kind you can't do, 3)
the kind you can only do for them (aka I was told I could build as many
boards as I wanted ... but there was only one customer that they could
be sold to).

I was doing this HSDT effort ... some past posts
http://www.garlic.com/~lynn/subnetwork.html#hsdt

and spending arm&leg on T1 full-duplex DES crypto units (about
300kbyte/sec aggregate). I wanted a board that could do sustained
channel speed DES crypto (ten times faster), being able to even change
key on every packet (traditional DES chips tended to have high latency
on key change) and cost less than $100.

old email mentioning that software standard DES ran at 150kbytes/sec on
3081 processor ... aka both 3081k processors would be required to
support full-duplex T1 (150kbytes/sec concurrent in each direction)
http://www.garlic.com/~lynn/2006n.html#email841115

-- 
virtualization experience starting Jan1968, online at home since Mar1970

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: IBM Mainframe (1980's) on You tube

2013-03-14 Thread Phil Smith

Todd Arnold wrote:
IBM had three channel-attached crypto units for the mainframes.

>1977 - IBM 3845 DES encryption unit

>1979 - IBM 3848 DES encryption unit - faster than the 3845, and added 
>Triple-DES
>   (yes, IBM already had Triple-DES in its products in 1979!)

>1989 - IBM Transaction Security System (TSS) which included the 4753.  The 
>4753 was the first product to offer the CCA architecture, and it is the 
>ancestor of all of the other crypto processors such as the Crypto Express 
>cards.

Way cool. Just asking: what was this in response to? You didn't quote anything, 
so it's not clear.

Anyone of you packrats have any of these books lying around?
G321-5068  CRYPTOGRAPHY ARCHITECTURE FOR INFORMATION SECURITY (13pp, 
journal reprint, no date)
GA21-2865 IBM 3845 DATA ENCRYPTION DEVICE, IBM 3846 DATA ENCRYPTION DEVICE, 
GENERAL INFORMATION (44pp, 10/1977)
GA21-2866 IBM 3845 DATA ENCRYPTION DEVICE, PRINCIPLES OF OPERATION (can't 
find date or page count; seems to have gotten to at least a -2)
GA21-2899 IBM 3846 DATA ENCRYPTION DEVICE, PRINCIPLES OF INFORMATION (can't 
find date or page count)
GC28-0942 IBM 3848 OS/VS1 AND OS/VS2 MVS CRYPTOGRAPHIC UNIT PRODUCT 
DESCRIPTION, GENERAL INFORMATION (48pp, 10/1977; seems to have gotten up to at 
least a -3, July 1983)
GC22-9062 DATA SECURITY THROUGH CRYPTOGRAPHY (40pp, 10/1977)
GC22-9063 IBM CRYPTOGRAPHIC SUBSYSTEM CONCEPTS AND FACILITIES (48pp, 
10/1977)

This is just a curiosity thing, no real value. I'm guessing these won't work on 
a zEC12 anyway :)
--
...phsiii

Phil Smith III
p...@voltage.com
Voltage Security, Inc.
www.voltage.com
(703) 476-4511 (home office)
(703) 568-6662 (cell)

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: IBM Mainframe (1980's) on You tube

2013-03-14 Thread Todd Arnold

IBM had three channel-attached crypto units for the mainframes.

1977 – IBM 3845 DES encryption unit

1979 – IBM 3848 DES encryption unit - faster than the 3845, and added Triple-DES
   (yes, IBM already had Triple-DES in its products in 1979!)

1989 – IBM Transaction Security System (TSS) which included the 4753.  The 4753 
was the first product to offer the CCA architecture, and it is the ancestor of 
all of the other crypto processors such as the Crypto Express cards.

Todd Arnold

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

CCA (was Re: IBM Mainframe (1980's) on You tube)

Re: IBM Mainframe (1980's) on You tube

Re: IBM Mainframe (1980's) on You tube

Re: IBM Mainframe (1980's) on You tube

Re: IBM Mainframe (1980's) on You tube

Re: IBM Mainframe (1980's) on You tube

Re: IBM Mainframe (1980's) on You tube

Re: IBM Mainframe (1980's) on You tube

Re: IBM Mainframe (1980's) on You tube

Re: IBM Mainframe (1980's) on You tube

Re: IBM Mainframe (1980's) on You tube

Re: IBM Mainframe (1980's) on You tube

Re: IBM Mainframe (1980's) on You tube

Re: IBM Mainframe (1980's) on You tube

Re: IBM Mainframe (1980's) on You tube

Re: IBM Mainframe (1980's) on You tube

Re: IBM Mainframe (1980's) on You tube

Re: IBM Mainframe (1980's) on You tube

Re: IBM Mainframe (1980's) on You tube

19 matches

Site Navigation

Mail list logo

Footer information