Radoslaw Skorupka wrote:
>> Dual control plus TKE is needed to change DES-MK to 24-byte (from 16-byte),
>> but only one person (and no TKE) is needed to zeroize the key!
>> First change is just configuration, the second is secret data loss.

There are indeed numerous inconsistencies. I run a zPDT, and on it there is a utility (i.e. a Linux command, ACPTOOL) that allows changing some Control Points without a TKE. I have used this to set the CP to allow 24-bit protection of DES master keys. It has been stated that there is no support for a TKE on zPDT, and there never will be.

I would support having a method other than TKE for some of these functions on real Z machines. I suggest you raise an IBM idea for this.
https://www.ibm.com/support/pages/welcome-ibm-ideas-portal

Regards
Lennie

-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Radoslaw Skorupka
Sent: 04 July 2025 10:37
To: [email protected]
Subject: Re: ICSF ACP and TKE

On 03.07.2025 at 23:03, Greg Boyd wrote:
> One of the 'more' things that the TKE does is to enforce dual controls. That
> is, it takes two people (and maybe more) to make certain changes to the
> hardware.
>
> Especially the PIN (credit card) related controls, you want that dual
> control. The ACP to enable 24-byte DES-MKs also requires at least two people
> to be involved. And while that might be something that you wish was easier
> to turn on (create a RACF profile to enable it), you almost certainly would
> NOT want to make it that easy to turn off.

Well, I fully understand dual control. However, I cannot find any rationale for dual control over such things as the 24-byte MK or some uses of the CSNBDKG2 service. Dual control just for dual control is ridiculous and provides a false impression of security. What secret is protected by the limitations on CSNBDKG2? It is key generation. Note, there are no such restrictions when generating clear keys, and there are RACF profiles for using a secure key as PROTECTED, which can really be considered as lowering the level of security.

Dual control plus TKE is needed to change DES-MK to 24-byte (from 16-byte), but only one person (and no TKE) is needed to zeroize the key! The first change is just configuration; the second is secret data loss.

Change MK? Just a few RACF profiles. No TKE, no dual control (although multi-user controls were implemented in z/OS 3.1, RACF controlled, no TKE).

Last, but not least: a user bought a mainframe with CryptoExpress cards. However, he cannot use 24-byte DES-MK, because he did not buy TKE. And (again): the user can borrow a TKE and press the button for 24-byte DES-MK, so it is not a matter of an extra license, it is a matter of a missing knob in the car.

Regards
--
Radoslaw Skorupka
Lodz, Poland

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
