On 03.07.2025 at 23:03, Greg Boyd wrote:
One of the 'more' things that the TKE does is to enforce dual controls.  That 
is, it takes two people (and maybe more) to make certain changes to the 
hardware.

Especially the PIN (credit card) related controls, you want that dual control.  
The ACP to enable 24-byte DES-MKs also requires at least two people to be 
involved.  And while that might be something that you wish was easier to turn 
on (create a RACF profile to enable it), you almost certainly would NOT want to 
make it that easy to turn off.

Well, I fully understand dual control. However, I cannot find any rationale for dual control over such things as a 24-byte MK or some uses of the CSNBDKG2 service. Dual control just for dual control is ridiculous and provides a false impression of security.

What secret is protected by the limitations of CSNBDKG2? It is key generate. Note that there are no such restrictions when generating clear keys; there are RACF profiles for using a secure key as PROTECTED, which can really be considered as lowering the level of security.

Dual control plus TKE is needed to change the DES-MK to 24-byte (from 16-byte), but only one person (and no TKE) is needed to zeroize the key! The first change is just configuration; the second is secret data loss. Change the MK? Just a few RACF profiles. No TKE, no dual control (although multi-user controls were implemented in z/OS 3.1 - RACF controlled, no TKE).

Last, but not least: a user bought a mainframe with CryptoExpress cards. However, he cannot use a 24-byte DES-MK, because he did not buy a TKE. And (again): the user can borrow a TKE and press the button for 24-byte DES-MK, so it is not a matter of an extra license, it is a matter of a missing knob in the car.


Regards
--
Radoslaw Skorupka
Lodz, Poland
