Key management is the, pardon the expression, key to the security of the whole thing. Your security is going to be only as good as your ability to manage the private key and the random secret key. I suppose you can mitigate things somewhat by generating a new public/private key pair each "session" (in quotes because I do not know if "session" exactly describes your scenario).
Charles -----Original Message----- From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Radoslaw Skorupka Sent: Friday, January 14, 2022 11:18 AM To: [email protected] Subject: Re: ICSF key exchange scenario Carmen, Did you use ICSF services? Which ones? Charles, You are absolutely right - only one asymmetric key is needed for that purpose. I added the second one for redundancy :-) And yes, it is reinventing the wheel. No, network features like TLS are not the option (no network). To be honest I presented as little details as possible. Regards -- Radoslaw Skorupka Lodz, Poland W dniu 14.01.2022 o 19:44, Carmen Vitullo pisze: > I should have added, in our solution the data was offline, tape data > being shipped to clearing houses and banks :( > > my POC doc and my finding doc I found, written in 2004 :( so very old > > Carmen > > On 1/14/2022 12:39 PM, Charles Mills wrote: >> Yes, this is (very!) basically what the TLS certificate key exchange >> does under the covers. For a minimal solution, you only need one >> asymmetric key pair: >> >> A Creates public/private pair and sends public key to B >> B Generates random number, encrypts with A's public key, and sends it >> to A >> A Decrypts the random number with the private key >> Voila! Both sides have a secret random number to use for symmetric >> encryption >> >> Implicit in the above is that asymmetric is way too slow to use >> directly for bulk data transfer. >> >> Why re-invent the wheel? Why not use one of the secure variants of >> FTP, which already do the above and more, more or less perfectly. >> >> Charles >> >> >> -----Original Message----- >> From: IBM Mainframe Discussion List [mailto:[email protected]] >> On Behalf Of Radoslaw Skorupka >> Sent: Friday, January 14, 2022 10:00 AM >> To:[email protected] >> Subject: ICSF key exchange scenario >> >> Let's assume two z/OS images and some data exchange. >> One of possible methods is symmetric encryption. >> However that requires key exchange. >> I have the following idea: >> 1. Both sides create asymetric key. >> 2. Public keys are exported and exchanged. >> 3. One side encrypt symm key using public key of another side. >> 4. Second side decrypt symm key using it's own private key. >> >> Does it make sense? >> Any hints? >> What services to use in steps 4. and 5. ? >> ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
