Todd,

So.. even though the protected key starts with the Crypto Express, it
wouldn't pass an audit for protection of card data?

I had thought that the key never appears in the clear at any time with
protected key.  Seems like as long as it never is in the clear that it
would pass muster.  Even with the more esoteric attacks.. if all they get
is the encrypted key... what does it buy them?  Or am I missing something
obvious?

Rob Schramm

Rob Schramm
Senior Systems Consultant
Imperium Group



On Thu, Apr 25, 2013 at 9:32 AM, Todd Arnold <[email protected]> wrote:

> > I am having difficulty understanding how much less secure protected key
> > is from the secure key.
>
> I agree with the comments about this.  The real issue is conforming with
> the very strict requirements written in to banking standards such as ANSI,
> ISO, or PCI.  Basically, they do not approve any implementation that is not
> inside secure, tamper-detecting hardware that clears all keys and other
> secrets immediately if anyone attempts to tamper with it.  Obviously, the
> hardware and low-level firmware in the System z processor do not have that
> kind of secure packaging, whereas the Crypto Express cards do have it.
> However, the Protected Key implementation keeps all keys and other
> sensitive information completely protected from access by any user,
> application program, O/S code, etc - so it is indeed very, very secure.
>
> I always recommend Protected Key when it has the required functions and
> where it's being used for something where your auditor won't say "no" - and
> in those cases, you have to use the Crypto Express.  Protected Key is an
> incredibly fast solution that really does have very good security.
>
> Todd Arnold
>
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: INFO IBM-MAIN
>
