Carmen,
Did you use ICSF services? Which ones?
Charles,
You are absolutely right - only one asymmetric key is needed for that
purpose.
I added the second one for redundancy :-)
And yes, it is reinventing the wheel. No, network features like TLS are
not an option (no network). To be honest, I presented as few details
as possible.
Regards
--
Radoslaw Skorupka
Lodz, Poland
On 14.01.2022 at 19:44, Carmen Vitullo wrote:
I should have added, in our solution the data was offline, tape data
being shipped to clearing houses and banks :(
my POC doc and my finding doc I found, written in 2004 :( so very old
Carmen
On 1/14/2022 12:39 PM, Charles Mills wrote:
Yes, this is (very!) basically what the TLS certificate key exchange
does under the covers. For a minimal solution, you only need one
asymmetric key pair:
A Creates public/private pair and sends public key to B
B Generates random number, encrypts with A's public key, and sends it
to A
A Decrypts the random number with the private key
Voila! Both sides have a secret random number to use for symmetric
encryption
Implicit in the above is that asymmetric is way too slow to use
directly for bulk data transfer.
Why re-invent the wheel? Why not use one of the secure variants of
FTP, which already do the above and more, more or less perfectly.
Charles
-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]]
On Behalf Of Radoslaw Skorupka
Sent: Friday, January 14, 2022 10:00 AM
To: [email protected]
Subject: ICSF key exchange scenario
Let's assume two z/OS images and some data exchange.
One of possible methods is symmetric encryption.
However that requires key exchange.
I have the following idea:
1. Both sides create an asymmetric key pair.
2. Public keys are exported and exchanged.
3. One side encrypts the symm key using the public key of the other side.
4. The second side decrypts the symm key using its own private key.
Does it make sense?
Any hints?
What services should I use in steps 4 and 5?
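The exchange Charles sketches above and the four steps in Radoslaw's original message, as an added Go example that is not code from the thread and not ICSF: it uses Go's standard library (RSA-OAEP to wrap a random AES-256 key, AES-GCM for the bulk data) in place of ICSF callable services, and the party names, the OAEP label and the sample payload are constructed. It also makes explicit what the thread leaves implicit: the protocol rests on A's public key reaching B unmodified, so a deployment needs some out-of-band check of the exported public key (fingerprint comparison, a certificate), and a third party holding only its own key pair cannot unwrap the session key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
	"io"
	"log"
)

// oaepLabel is a constructed, arbitrary label; both sides must use the same one.
var oaepLabel = []byte("ibm-main-example-session-key")

// Party is one z/OS image in the thread's scenario, holding its own RSA key pair (step 1).
type Party struct {
	Name string
	priv *rsa.PrivateKey
}

// NewParty generates the asymmetric key pair for one side.
func NewParty(name string) (*Party, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Party{Name: name, priv: priv}, nil
}

// ExportPublicKey returns the DER-encoded public key that is shipped to the peer (step 2).
// Whatever carries these bytes must be trusted or the key verified on arrival.
func (p *Party) ExportPublicKey() ([]byte, error) {
	return x509.MarshalPKIXPublicKey(&p.priv.PublicKey)
}

// WrapSymmetricKey is step 3: the sender draws a fresh 256-bit AES key and encrypts
// it under the peer's public key with RSA-OAEP. It returns the clear key for local
// use and the wrapped key to transmit.
func WrapSymmetricKey(peerPubDER []byte) (symKey, wrapped []byte, err error) {
	pubAny, err := x509.ParsePKIXPublicKey(peerPubDER)
	if err != nil {
		return nil, nil, err
	}
	pub, ok := pubAny.(*rsa.PublicKey)
	if !ok {
		return nil, nil, fmt.Errorf("peer public key is not RSA")
	}
	symKey = make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, symKey); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, symKey, oaepLabel)
	return symKey, wrapped, err
}

// UnwrapSymmetricKey is step 4: the receiver recovers the AES key with its own private key.
// Any other private key fails here, which is what protects the session key in transit.
func (p *Party) UnwrapSymmetricKey(wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, p.priv, wrapped, oaepLabel)
}

// Seal encrypts bulk data under the shared key with AES-GCM; output is nonce || ciphertext || tag.
func Seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal and rejects any ciphertext whose authentication tag does not verify.
func Open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
}

func main() {
	a, err := NewParty("A")
	if err != nil {
		log.Fatal(err)
	}
	pubA, _ := a.ExportPublicKey()            // step 2: A -> B
	keyB, wrapped, _ := WrapSymmetricKey(pubA) // step 3: B -> A
	keyA, err := a.UnwrapSymmetricKey(wrapped) // step 4
	if err != nil {
		log.Fatal(err)
	}
	sealed, _ := Seal(keyB, []byte("constructed sample payload"))
	plain, _ := Open(keyA, sealed)
	fmt.Printf("keys match: %v, payload: %q\n", bytes.Equal(keyA, keyB), plain)
}
```

Only one key pair is exercised, matching Charles's minimal form; running the same steps in the other direction gives Radoslaw's two-pair variant. The OAEP label is optional but, when used, must be identical on both sides or decryption fails.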