That is a very, very common scenario, and ICSF has API functions (verbs) to support it. Have a look at the Symmetric Key Export and Symmetric Key Import verbs (and their enhanced relatives Symmetric Key Export 2 and Symmetric Key Import 2). Doing this, of course, requires you to have some kind of PKI to handle certification and distribution of the public keys - and for that, you might want to look at the (free) z/OS PKI Services.

There are a few things to note. First, remember that a good rule of cryptography is that you should always encrypt a key using a wrapping key of equal or greater strength. If you want to exchange 256-bit AES keys, that is not possible using RSA-based key transport - systems simply do not support RSA keys of that strength. (NIST SP 800-57 says you need a 15,360-bit RSA key to have strength equivalent to a 256-bit AES key.) However, most people are OK using 4096-bit RSA keys to transport any AES key.
Another thing to remember is that you can directly encrypt (wrap) a symmetric key using RSA, but you can't do it with Elliptic Curve (ECC). With ECC, you have to use a key agreement algorithm to establish a shared symmetric key-encrypting key (KEK), then use that KEK to encrypt the keys you want to exchange with your partner. (See ICSF verb CSNDEDH, "ECC Diffie-Hellman".) Elliptic Curve also has a method called ECIES (Elliptic Curve Integrated Encryption Scheme) that combines all of this "under the covers" into one operation. However, ECIES has several incompatible variants, and I don't think ICSF has built-in support for it.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
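The ECC route the reply describes (agree on a KEK first, then wrap the key under it), as an added example in Go that is not part of the original post and not ICSF code: ECDH on P-384 derives the shared secret, SHA-256 stands in for the KDF, and AES-256-GCM stands in for the wrapping mechanism, all three being assumptions of this demo rather than what CSNDEDH or Symmetric Key Export actually use.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// deriveKEK runs ECDH with the partner's public key and turns the shared secret into
// an AES-256-GCM key-encrypting key. A bare SHA-256 is a stand-in KDF for this demo;
// CSNDEDH has its own derivation, and both parties must use the same one or their
// KEKs will not match.
func deriveKEK(own *ecdh.PrivateKey, peer *ecdh.PublicKey) (cipher.AEAD, error) {
	z, err := own.ECDH(peer)
	if err != nil {
		return nil, err
	}
	kek := sha256.Sum256(z)
	block, err := aes.NewCipher(kek[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// wrapKey encrypts the key being exported under the KEK, prepending the random nonce
// so the importing side can unwrap it (RFC 3394 AES key wrap is the other common choice).
func wrapKey(kek cipher.AEAD, key []byte) ([]byte, error) {
	nonce := make([]byte, kek.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return kek.Seal(nonce, nonce, key, nil), nil
}

// unwrapKey reverses wrapKey; the GCM tag check rejects a tampered or mis-keyed blob.
func unwrapKey(kek cipher.AEAD, wrapped []byte) ([]byte, error) {
	n := kek.NonceSize()
	if len(wrapped) < n {
		return nil, errors.New("wrapped key too short")
	}
	return kek.Open(nil, wrapped[:n], wrapped[n:], nil)
}
```

Each side calls deriveKEK with its own private key and the partner's public key; the exporter then calls wrapKey and the importer unwrapKey, and a third party holding neither private key derives a different KEK and fails the tag check.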
