On Tue, 24 Apr 2012 11:33:08 -0500, Walt Farrell wrote:
>
>>>Starting with ICSF HCR7750 and the z9, ICSF relies on the CPACF hardware on
>>>the host for the full SHA support (SHA-1 as well as SHA-2). The CP Assist
>>>(CP Assist for Cryptographic Function) is running compliant implementations
>>>of the SHA algorithms. For the z196, see Cert #1497 at
>>>http://csrc.nist.gov/groups/STM/cavp/documents/shs/shaval.htm
>
>As often happens when people include links in sentences, his sentence-ending
>punctuation ("." ) was taken as part of the link. Simply remove it and the
>link works fine.
>
I try _so_ hard not to do that; sometimes I even repair broken links
when I reply. Sometimes I slip up.

The above further refers to:
http://csrc.nist.gov/groups/STM/cavp/documents/shs/SHAVS.pdf

The validation seems to be entirely empirical; they don't audit the
microcode. This leaves open the possibility of a "magic" message
back door.

When SMP/E RECEIVE FROMNETWORK came out, it was followed by
an APAR fixing an error in SHA-1 computation. Not the fault of ICSF,
but of the way SMP/E invoked it; a buffer alignment logic error.
Then there was a second APAR providing tolerance for SHA hashes
incorrectly computed in SYSMODs extant before the first APAR.
Reasonably safe if some ranges of bytes were processed twice;
more problematic if some ranges of bytes were never processed
leaving a nook in which a Trojan Horse could hide.

Hmmm. This could be the basis for the APAR IO11698 fiasco
two years ago in which IBM manifestly allowed an integrity
exposure to remain unrepaired but provided a means of limiting
access to the dangerous tool. I have been granted the RACF
authority as I need it for my job; this indicates that I qualify
as highly trusted. But it irritates me that I have never been
given instructions concerning what behavior I must avoid in
order not to compromise system integrity.
-- gil
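
Added illustration, not part of the original message and not SMP/E or ICSF code: a sketch of why a caller-side buffer error that hashes some byte ranges twice still detects tampering, while one that never hashes some ranges does not. The chunk size, alignment, sample input and both defect shapes are assumptions made for the example; the message does not describe the actual defect.

```python
import hashlib

CHUNK = 100  # bytes passed per update() call (constructed value)
ALIGN = 64   # boundary the hypothetical caller realigns to (assumption)
PACKAGE = bytes(range(256)) + bytes(44)  # constructed 300-byte sample input

def _feed(data, step):
    """SHA-1 over CHUNK-sized pieces; step(off, end) picks the next offset."""
    h, covered, off = hashlib.sha1(), [], 0
    while off < len(data):
        end = min(off + CHUNK, len(data))
        h.update(data[off:end])
        covered.append((off, end))
        off = step(off, end)
    return h.hexdigest(), covered

def hash_correct(data):
    return _feed(data, lambda off, end: end)

def hash_skipping(data):
    # Hypothetical defect: next offset rounded UP, so a gap is never hashed.
    return _feed(data, lambda off, end: -(-end // ALIGN) * ALIGN)

def hash_overlapping(data):
    # Hypothetical defect: next offset rounded DOWN, so bytes are hashed twice.
    return _feed(data, lambda off, end: max(off + ALIGN, end // ALIGN * ALIGN))

def uncovered(covered, length):
    """Byte ranges that no update() call ever saw."""
    gaps, pos = [], 0
    for start, end in covered:
        if start > pos:
            gaps.append((pos, start))
        pos = max(pos, end)
    if pos < length:
        gaps.append((pos, length))
    return gaps

def tamper(data, index):
    """Copy of data with the byte at index inverted."""
    out = bytearray(data)
    out[index] ^= 0xFF
    return bytes(out)

if __name__ == "__main__":
    for name, fn in [("correct", hash_correct), ("skipping", hash_skipping),
                     ("overlapping", hash_overlapping)]:
        digest, covered = fn(PACKAGE)
        blind = digest == fn(tamper(PACKAGE, 110))[0]
        print(name, uncovered(covered, len(PACKAGE)), "tamper missed:", blind)
```

All three variants return the standard SHA-1 digest for a message that fits in one chunk, so a short known-answer check alone does not expose either caller defect.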