It uses XTS (CipherText Stealing).
I couldn't find it in a manual (but didn't look very hard).
Found it in one of CeCe Lewi's presentations:
https://www.zexpertenforum.ch/images/87/GSE_201710_Z_security_for_Data_set_encryption_092017.pdf
(See slide #9)
Greg Boyd
gregb...@main
You must have a CCA Coprocessor to initialize a PKDS. From the current SPG,
for HCR77D1 (SC14-7507-09, p. 431), Appendix F:
If only the CPACF feature is installed, you will not be able to:
1. Set master keys.
2. Initialize the PKDS.
3. Store keys in the PKDS.
That has been true for a long time.
n the
latest versions of z/OS, System SSL uses the native crypto instructions on the
CPACF. Hashing for the record phase is also done on the CPACF (no ICSF
required, on current versions of z/OS) if you are using SHA-1, SHA-2.
Greg Boyd
Mainframe Crypto
www.mainframecrypto.com
On Fri, 8 Nov
You can zeroize individual domains from the SE as well. Both are on the Crypto
Configuration panel.
I don't know of any way to do it from ICSF.
Greg Boyd
www.mainframeCrypto.com
On Mon, 4 Feb 2019 17:42:18 +0100, R.S. wrote:
>AFAIK there are ways to zeroize CryptoExpress engines u
seems unlikely to me that it makes much difference.
>
>
>
>On Tue, Jan 22, 2019 at 4:33 PM Greg Boyd
>wrote:
>
>> I started to send you an offline note to ask about /dev/random ...
>>
>> First, the way I understood it, was that the really old /dev/random
>>
ery
secure for a production environment.
Greg Boyd
Mainframe Crypto
www.mainframecrypto.com
On Tue, 22 Jan 2019 21:59:51 +0100, R.S. wrote:
>There is (was in HCR77D0) an utility which show master keys from
>provided passphrase.
>However this utility works for CCF, which is ancient an
random numbers. More generally, your performance depends
on:
What hardware you are running on (both CEC and CEX card)
What version of ICSF you are using, and how you have it configured
Which /dev/random driver you are using
Greg Boyd
Mainframe Crypto
www.mainframecrypto.com
On Tue, 22 Jan 2019
of the crypto
functions available in ICSF, you need a CCA Coprocessor.
Greg Boyd
Mainframe Crypto
www.mainframecrypto.com
On Tue, 22 Jan 2019 16:57:09 +, Cieri, Anthony wrote:
>
> I believe that it is the Secure+ feature for Connect:Direct that
> exploits the Crypto hardware. I
in throughput and
capacity (CPU savings), but strictly speaking it's probably not required unless
you configure the environment to use the crypto hardware.
Greg Boyd
Mainframe Crypto
www.mainframecrypto.com
On Fri, 18 Jan 2019 17:55:51 -0600, Steve beaver wrote:
>Also it’s required for
7;always up' to also mean 'running
everywhere'. There are simply more things that can leverage ICSF, some
optionally and some require it.
I'm not sure why DFSMShsm would need ICSF active, unless they were using the
Encryption Facility for z/OS with the
rlier card) to an
accelerator. On the older cards, an accelerator could drive approximately
twice as many SSL operations as a coprocessor. A CEX6S accelerator can only
drive about 15% more SSL operations than a CEX6S coprocessor.
Greg
Greg Boyd
www.mainframecrypto.com
On Thu, 4 Oct 2018 14:11:55 +0000,
I don't think the agenda for St. Louis has been published yet, but Eysha Powers
did a z14 Crypto Update in Sacramento. Roan Dawkins did a similar session at
IBM Tech U in Orlando last week.
Greg
Greg Boyd
www.mainframecrypto.com
On Thu, 10 May 2018 17:05:39 -0500, Edward Gould
wrote:
Greg
Greg Boyd
www.mainframecrypto.com
On Wed, 9 May 2018 18:48:38 -0500, Edward Gould wrote:
>ICSF Delivers With the New FMID HCR77C1 Release
><http://links.mspcommunications.mkt7925.com/ctt?kn=57&ms=MTM0NTkyMjYS1&r=MTMzMzgyMTE0MjcxS0&b=0&j=MTQwMDYyNjg4NgS2&mt=1&a
/OS, a security administrator or a storage administrator can configure things
so that the encryption happens 'auto-magically', without the end-user even
knowing that his data is now encrypted.
Most of the above comes from Cecilia Lewis' Share presentation 20612 in San
Jose that Ste
'Active Domain'.
Can you query System Variables? If you are using it, &PARDOM can be used to
specify the Usage Domain.
It is available in Linux, with the lszcrypt command.
Greg Boyd
Mainframe Crypto
www.mainframecrypto.com
On Mon, 14 Aug 2017 16:55:18 +, Rob Schramm
It depends on the application. If you are using IEBGENER to copy DSNA (clear
text) to DSNB, and DSNB is flagged as requiring encryption and key label KEYB
is associated with DSNB, then you must have write access to DSNB and read
access to KEYB. IEBGENER will complete successfully if you have
Phil,
I agree with most of your comments, but only half of this sentence:
Transparent, whole-file encryption has its uses, but adds very little real
security: if you can read the data set, you get the cleartext.
Pervasive encryption does encrypt the whole file, but getting read access to
the dat
oke CSNBSYE, the Symmetric Key Encipher API, then ICSF will use
the assembler instructions on the CPACF to perform that operation. So ICSF is
not deciding where the operation is performed, your choice of APIs is.
I hope that helps.
Greg Boyd
Mainframe
If you just want a list of the key labels, then a 'PRINT INDA('ckds name')
COUNT()' will probably work, if you have read access to the keystore. (Be
careful and see below.) If you want something to format the flags and fields
in the record then you can do that either processing the data th
you have access, do a D CEE command (look up syntax) to display what is
>available.
>
>Lizette
>
>
>> -Original Message-----
>> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
>> Behalf Of Greg Boyd
>> Sent: Tuesday, February 14, 2
ted? Is
there another option to tell LE to process the abend and generate the dump for
the S0C4?
Thanks!
Greg Boyd
www.mainframecrypto.com
On Mon, 13 Feb 2017 13:29:28 +0100, Peter Hunkeler wrote:
>Have you tried
>//CEEOPTS DD * TERMTHDACT(UAIMM,,96)/*
>
>The system will use the
I added a CEEOPTS DD * to the job. And I tried several variations of TRAP ON
and OFF with SPIE and NOSPIE, and both DUMP and UADUMP, but still not getting
the S0C4 dump.
I also specified some invalid parms in the CEEOPTS input to make sure the DD
statement was being processed, and I got CEE379
I'm trying to debug a COBOL program that is getting a S0C4, but I'm not getting
a dump when it abends.
I'm pretty sure this is a simple issue. I'm not a COBOL programmer, but I can
copy and paste from samples. I've put together some code to make an ICSF API
call and it compiles and binds just
And this evening it's working fine ... no idea what was going on. But thanks
for checking!
Greg
Greg Boyd
www.mainframecrypto.com
--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to
g too long to respond.'.
Similar results if I google the specific manual and go in thru a direct link.
The link Lucas Rosalen posted last month to check the status of the 'IBM
Support Portal' says it is available.
Greg Boyd
www
ected device.
Other vendors provide devices that can be IP connected to System z and I
thought IBM might be embracing a similar technique to support this family of
algorithms. But you may be right, IBM might be expanding what can be installed
in the I/O cage using PCIe.
Greg Boyd
Mainframe C
er keys in advance, but if it's a push-pull you can't load master keys
until the CEX hardware is available, and you'll need at least one z/OS LPAR to
connect to the TKE. The other alternative is to use a driver z/OS system and
stop and restart ICSF, pointing to each domain, to load th
amily
of algorithms’. I suspect that
this is not a new direction for IBM, allowing ICSF to route work to distributed
devices, but more an
acknowledgement of the realities of supporting crypto in China."
Greg Boyd
Mainframe Crypto
www.mainframe
o upgrade to
TKE V8 and use that TKE to load your key material. If this is the case, then I
would suggest first upgrading your TKE to V8 on the z196 and then use the
migration wizard on the TKE.
Greg Boyd
Mainframe Crypto
www.mainframecrypto.com
--
rs but our conclusion was that the z10
does not support the new instructions that are available with MSA-4, and the
vendor confirmed that the MSA-4 support is a pre-req for the CFB support.
Greg Boyd
Mainframe Crypto
www.mainframecrypto.com
On Tue, 29 Sep 2015 14:00:52 -0500, Greg Boyd
wrote
re working with. If
you'd like to take this up offline, we can summarize the results for the list
later. Feel free to send me a note.
Greg Boyd
Mainframe Crypto
www.mainframecrypto.com
--
For IBM-MAIN subscribe / signoff /
encryption is done in CBC (Cipher Block Chaining) mode ...'.
So I don't think CFB is even supported by the SSL protocol.
Greg Boyd
Mainframe Crypto
www.mainframecrypto.com
On Thu, 24 Sep 2015 10:17:13 -0400, Dazzo, Matt wrote:
>I have searched the archives but not finding the specif
... probably to 85. (There
is conflicting doc but it is more than 16 and the consensus seems to be 85.)
Greg Boyd
Mainframe Crypto
www.mainframecrypto.com
--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to
Thanks Mary Anne! I haven't been paying the proper attention to IBM-MAIN the
last week or so.
Greg
www.mainframecrypto.com
--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu
d a number of customers who
were using the remote access, but they didn't realize some of the exposures
that remote access introduced.
Greg Boyd
Mainframe Crypto (www.mainframecrypto.com)
On Tue, 5 Aug 2014 20:28:55 +, Ken Porowski wrote:
>Any reason to prefer one setup over t
d ECC private keys both rely on AES encryption because it's
more secure.
Note: With HCR77A1 and the CEX4S card and a TKE, the DES master key can now be
a 32-byte (triple DES) key providing stronger security for your operational DES
keys.
Is that the confirmation you are looking for?
er I would suggest that you need some robust local procedures to manage
those operational keys.
Greg Boyd
IBM Advanced Technical Support
Supporting Crypto on System z
(and soon to be Greg Boyd at MainframeCrypto, www.mainframecrypto.com)
On Tue, 18 Mar 2014 10:04:12 -0500, Ann Mackey wrote:
>Gr
KMF, SKLM, TKE). A tool like EKMF will provide
a way to recover a single key in the keystore. My general comment would be
that your recovery procedures will depend on your key management process, and
no matter what tools you use, you'll need to test your DR plan. Otherwise you
don't ha
u
can develop trend lines and monitor the use of crypto at that level.
Greg Boyd
IBM Advanced Technical Support
Supporting Crypto on System z
--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@
feature code, most shops today have it installed.
That wasn't true 5+ years ago.
Greg Boyd
IBM Advanced Technical Support
Supporting Crypto on System z
On Thu, 29 Aug 2013 20:32:30 -0500, Peter Bishop wrote:
>On Thu, 29 Aug 2013 15:45:08 -0500, gsg wrote:
>
>>Sorry about tha
because that's where the work will be routed. And if you use the CSNBSYE
API, you want to use the CPACF hardware.
You might want to review the 'A Synopsis of Systme z Crypto Hardware' Techdoc,
available at
http://www.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/WP100810 .
I
and z196
(look under 'Learn More' on each page).
Greg Boyd
IBM Advanced Technical Support
Supporting Crypto on System z
--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listser
the results back from the card.
Greg Boyd
IBM Advanced Technical Support
Supporting Crypto on System z
--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
u hover over it, it says 'Quote Original Message'. I always forget to
>do it because it's done automatically in email. :(
>
>MA
>
>On Tue, 18 Dec 2012 21:26:07 -0600, Greg Boyd wrote:
>
>>Not sure why, but I'm not seeing a button to imbed the o
The decision of coprocessor vs accelerator is performance/capacity based. When
configured as an accelerator you can process significantly more transactions
per second than you can as a coprocessor. The differences depend on which
cards (CEX2, CEX3 or CEX4S) as well as which machines you are us
pport PKCS #11 APIs. When configured in EP11 mode the card
supports secure key PKCS #11 operations. It does not support SSL handshakes or
the other secure key APIs mentioned above.
Greg Boyd
IBM ATS, Washington Systems Center
Supporting crypto on System z
W dniu 2012-12-17 18:37, Rob Schramm
! I guess if it was simple, it would be easy
to break.
Many years ago, our local paper had a daily blurb called Gobbleydygook, where
they quoted something (usually from a government office) that was especially
convoluted. If it was still around I guess I would have a candidate.
Greg Boyd
IB
s. Crypto has a cost and it can be
significant, but I would also suggest that the application design can have a
significant impact on your performance expectations as well.
Greg Boyd
IBM Advanced Technical Support
Supporting Crypto on System z
--
results for various blocksizes. The crypto hardware (both CPACF and CEX card)
is designed to handle large blocks of data and you'll get the best throughput
with large blocks. So your application design can have a major impact on your
performance.
Greg Boyd
IBM Advanced Technical Sup
hardware (both CPACF and CEX card)
is designed to handle large blocks of data and you'll get the best throughput
with large blocks. So your application design
Greg Boyd
IBM Advanced Technical Support
Supporting Crypto on System z
--
50 matches
Mail list logo
