Hi again, is there anybody who can answer my last (and maybe not least) question?

Thank you in advance.
Massimo

2013/5/6 Massimo Biancucci <[email protected]>

> Hi everybody,
>
> I want to thank you for your valuable support; anyway, I hope you'll have a
> little more patience and give me the "final hint".
>
> What I've understood is that "Protected Key" is almost as secure as
> "Secure Key", but the "clear everything and more" in case of attack.
>
> Greg said: "CSNBKEX (Key Export) and CSNBKIM (Key Import) are both secure
> key APIs, which are executed on the Crypto Express cards"
>
> so, if I understand correctly, I can do nothing to use the "local processor"
> and still ICSF will use the CryptoCard.
>
> If so, I can consider my trip on the topic closed.
>
> If not, do I have to modify my application (I'm expecting - NO)? Is ICSF
> still doing the work for me (I'm expecting - YES)? (I think there are
> different things to do at RACF level).
>
> I wouldn't want to make my RACF colleagues work on a "dead track" and
> pay for beers for the whole century! :D
>
> Thank you again.
> Massimo Biancucci
>
>
> 2013/4/30 Todd Arnold <[email protected]>
>
>> > IMHO protected key *does require* CryptoExpress option, not for data
>> > processing, but for key storing.
>>
>> You are right. The keys are stored in a form that is protected by the
>> Crypto Express card. Crypto Express unwraps the key and passes it directly
>> to CPACF. Thus, Crypto Express is needed in order to use the Protected Key
>> CPACF features.
>>
>> Once CPACF receives the key from the Crypto Express, it re-wraps the key
>> using a key encrypting key (KEK) that it generates. That key is not
>> permanent - it goes away if the system is restarted, etc. Thus, keys
>> wrapped under the CPACF KEK are not suitable for long-term storage, such as
>> storage in CKDS.
>>
>> At a very high level, it works something like this:
>>
>> 1. Key read from CKDS
>> 2. Key sent to Crypto Express
>> 3. Crypto Express unwraps the key and sends the cleartext key directly
>>    to CPACF
>> 4. CPACF rewraps the key with the volatile KEK it generated when it
>>    started up
>> 5. CPACF returns the rewrapped key to the application program
>> 6. Application program uses that rewrapped key in protected mode
>>    requests to CPACF
>>    .....
>> 7. When system is powered off, restarted, etc., the CPACF KEK is lost
>>    and it generates a new one
>> 8. Repeat from step 1
>>
>> Todd Arnold
>>
>> ----------------------------------------------------------------------
>> For IBM-MAIN subscribe / signoff / archive access instructions,
>> send email to [email protected] with the message: INFO IBM-MAIN
>>
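The eight-step flow Todd describes in the quoted reply, modelled as an added Python example (this is not IBM, ICSF or CPACF code, and the class names, the master key, the volatile KEK and the "payroll record" input are all constructed for the illustration). The wrapping primitive is an HMAC-SHA256 keystream with an HMAC tag (encrypt-then-MAC), standing in for the hardware's own wrapping. The point it shows is the one the thread turns on: the secure key in the CKDS is wrapped under the card's master key and cannot be handed to CPACF as-is, the protected key CPACF returns is wrapped under a KEK that only exists until the next restart, and after a restart the application has to go back to step 1.

```python
"""Toy model of the Protected Key CPACF flow (added example, not IBM code)."""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Deterministic keystream: HMAC-SHA256(key, nonce || counter) blocks."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap(kek: bytes, clear_key: bytes) -> bytes:
    """Wrap clear_key under kek. Output layout: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(clear_key, _keystream(kek, nonce, len(clear_key))))
    tag = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(kek: bytes, blob: bytes) -> bytes:
    """Reverse of wrap; raises ValueError if blob was not wrapped under kek."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrapping key mismatch: cannot unwrap this blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(kek, nonce, len(ct))))


class CryptoExpress:
    """Stands in for the card: owns the master key; CKDS entries are wrapped under it."""

    def __init__(self) -> None:
        self._master_key = secrets.token_bytes(32)  # constructed; never leaves the card

    def make_secure_key(self, clear_key: bytes) -> bytes:
        """The form that is stored long-term in the CKDS (step 1's input)."""
        return wrap(self._master_key, clear_key)

    def secure_to_protected(self, secure_key: bytes, cpacf: "CPACF") -> bytes:
        """Steps 2-5: unwrap under the master key, hand the clear key straight to CPACF."""
        return cpacf.rewrap_clear_key(unwrap(self._master_key, secure_key))


class CPACF:
    """Stands in for the processor facility and its volatile KEK (steps 4-7)."""

    def __init__(self) -> None:
        self.power_on()

    def power_on(self) -> None:
        """Step 7: any restart discards the old KEK and generates a fresh one."""
        self._volatile_kek = secrets.token_bytes(32)  # constructed; lives only in CPACF

    def rewrap_clear_key(self, clear_key: bytes) -> bytes:
        return wrap(self._volatile_kek, clear_key)

    def protected_encrypt(self, protected_key: bytes, nonce: bytes, data: bytes) -> bytes:
        """Step 6: a protected-mode request. The clear key is recovered only inside CPACF."""
        clear = unwrap(self._volatile_kek, protected_key)
        return bytes(a ^ b for a, b in zip(data, _keystream(clear, nonce, len(data))))


def run_flow() -> dict:
    """Walk steps 1-8 once and report what worked at each stage."""
    card, cpacf = CryptoExpress(), CPACF()
    nonce, record = b"\x01" * NONCE_LEN, b"payroll record"  # constructed sample input
    ckds_entry = card.make_secure_key(secrets.token_bytes(16))      # step 1: CKDS copy
    protected = card.secure_to_protected(ckds_entry, cpacf)        # steps 2-5
    ct = cpacf.protected_encrypt(protected, nonce, record)         # step 6
    results = {"works_before_restart": cpacf.protected_encrypt(protected, nonce, ct) == record}

    try:  # the CKDS form is wrapped under the card's key, so CPACF cannot use it directly
        cpacf.protected_encrypt(ckds_entry, nonce, record)
        results["ckds_entry_usable_by_cpacf"] = True
    except ValueError:
        results["ckds_entry_usable_by_cpacf"] = False

    cpacf.power_on()                                               # step 7: KEK lost
    try:
        cpacf.protected_encrypt(protected, nonce, ct)
        results["stale_after_restart"] = False
    except ValueError:
        results["stale_after_restart"] = True

    protected = card.secure_to_protected(ckds_entry, cpacf)        # step 8: repeat from 1
    results["recovered_via_ckds"] = cpacf.protected_encrypt(protected, nonce, ct) == record
    return results


if __name__ == "__main__":
    print(run_flow())
```

The operational consequence for the application is the same as in the thread: it never holds the clear key, it must keep the CKDS label (not the protected blob) as its durable reference, and it must be prepared to re-request the protected key when CPACF reports that a previously returned blob no longer verifies.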
