IBM Crypto Education Community

  • 1.  Does anyone understand IDCAMS repro with encryption?

    IBM Champion
    Posted Wed September 22, 2021 12:12 PM

    I'm not expecting anyone knows anything about this, as I think it is pre ICSF! (grin), but I thought I would ask 


    I know the documentation is based on pre ICSF, but I can't get it to work.  I raised a doc comment on https://www.ibm.com/docs/en/zos/2.4.0?topic=parameters-cryptographic  but they did not seem able to fix the wording.
    Has anyone any experience of  using this?

    I got stuck on "you specify a key which is used to encipher the data encrypting key"! (I think it means the data is encrypted with an instance specific key.   This key is then encrypted with the key you specify, and the value is stored in the header at the front of the repro data.   If you specify NOSTOREDATAKEY it does not write it in the header, but writes to SYSPRINT after a successful encryption.)

    I looked in Getting Started with z/OS Data Set Encryption and could not find an example.

    For example the doc has 

    ENCIPHER

    specifies that the source data set is to be enciphered as it is copied to the target data set.

    Abbreviation: ENCPHR


    EXTERNALKEYNAME(keyname) | INTERNALKEYNAME(keyname) | PRIVATEKEY specifies whether you, PCF, or ICSF manages keys privately.
    EXTERNALKEYNAME(keyname) specifies that PCF or ICSF manages keys. This parameter also supplies the 1-to-8 character key name of the external file key. What does this mean?  The CSF CKDS/PKDS?  I think you have to use a short name in the CKDS/PKDS.  I didn't think you could store external keys in the CKDS/PKDS
     that is used to encipher the data encrypting key. Is this a data key, or a cipher key, or another sort of key? The key is known only by the deciphering system.  So how does the local end use it?  Does it mean the public key?   This is a key which encrypts the data encrypting key - really? - see my interpretation above.  The key name and its corresponding enciphered data encrypting key are listed in SYSPRINT only if NOSTOREDATAKEY is specified.  Not if there is a problem!
    Are there any restrictions on what the keys can be ... e.g. RSA|ECC, any strengths, private|public|symmetric, AES|DES?  The doc below talks about private key - so I guess this is a PKI key
    Abbreviation: EKN
    INTERNALKEYNAME(keyname) specifies that PCF or ICSF manages keys. This parameter also supplies the 1-to-8 character key name of the internal file key that is used to encipher the data encrypting key. So is this the PKDS/CKDS or an internal dataset?  The key is retained by the key-creating system.  So is this saying it will create a key and save it in the key store, or it will use an existing key in a key store - and does not delete it?  The key name and its corresponding enciphered data encrypting key will only be listed in SYSPRINT if NOSTOREDATAKEY is specified. Do you mean the key name and its corresponding enciphered data encrypting key will be listed in SYSPRINT ONLY if NOSTOREDATAKEY is specified?

    Abbreviation: IKN


    PRIVATEKEY specifies that the key is to be managed by you. I don't understand this... how do I manage it - please give more information. Does this mean a private key stored in the PKCS/CKDS?  Does it mean you use


    regards

    Colin



    ------------------------------
    Colin Paice
    ------------------------------


  • 2.  RE: Does anyone understand IDCAMS repro with encryption?

    Posted Wed September 22, 2021 12:22 PM
    Edited by Eric Rossman Wed September 22, 2021 12:25 PM
    This is really an IDCAMS question. PCF is (as you noted) a precursor to ICSF. ICSF does still support a compatibility mode that lets older applications (like IDCAMS ENCIPHER) work but I cannot come up with a good reason to still use IDCAMS ENCIPHER anymore.

    I'm still trying to find some working examples. I don't think the ICSF team was ever involved in testing this so I fear I may come up empty-handed.

    ------------------------------
    Eric Rossman
    ------------------------------



  • 3.  RE: Does anyone understand IDCAMS repro with encryption?

    IBM Champion
    Posted Wed September 22, 2021 01:40 PM

    Eric,

    Thank you ... don't worry, I've taken enough of your time ...  I'll try on the IBM-MAIN forum. (Then blog about it once I have it working.)

    regards

    Colin



    ------------------------------
    Colin Paice
    ------------------------------



  • 4.  RE: Does anyone understand IDCAMS repro with encryption?

    IBM Champion
    Posted Thu September 23, 2021 07:39 AM
    This link contains a sample job:  https://www.ibm.com/support/pages/idcams-repro-encipher-decipher-different-keys
    It contains sample jobs for both encrypt and decrypt (but the issue being discussed had to do with parity of their DES keys).  

    Except for the description of DATAKEYVALUE, it's not specifically stated, but IDCAMS only uses single DES keys:
    DATAKEYVALUE(value)
    specifies the 8-byte value to be used as the plaintext data encrypting key to encipher the data.

    So, no one should be using this technology today.  I am pretty sure IBM maintains this support strictly for compatibility ... just in case someone used it to encrypt data ages ago.
    Greg

    ------------------------------
    Greg Boyd
    Consultant
    Mainframe Crypto
    Winchester, VA 22603
    240-772-1539
    gregboyd@mainframecrypto.com
    ------------------------------
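    The two points Greg raises above, DES key parity and the 8-byte (single-DES, 56-bit effective) DATAKEYVALUE, can be checked before a key is ever handed to a job. The following is an added example, not code from the thread or from IBM; the key values in it are constructed samples, and the parity rule and weak-key list are those of the DES standard itself.

```python
# Added example (not from the thread): sanity checks on an 8-byte single-DES
# key such as the one given to IDCAMS DATAKEYVALUE. DES treats the low-order
# bit of every key byte as a parity bit and expects each byte to have an odd
# number of 1 bits; only the remaining 7 bits per byte are key material.

DES_KEY_LEN = 8

# The four DES weak keys (encrypting twice returns the plaintext).
DES_WEAK_KEYS = {
    bytes.fromhex("0101010101010101"),
    bytes.fromhex("FEFEFEFEFEFEFEFE"),
    bytes.fromhex("E0E0E0E0F1F1F1F1"),
    bytes.fromhex("1F1F1F1F0E0E0E0E"),
}

def has_odd_parity(byte: int) -> bool:
    """True if the byte has an odd number of 1 bits, as DES requires."""
    return bin(byte).count("1") % 2 == 1

def parity_report(key: bytes) -> list:
    """Return the indexes of key bytes whose parity bit is wrong."""
    if len(key) != DES_KEY_LEN:
        raise ValueError(f"single-DES key must be {DES_KEY_LEN} bytes, got {len(key)}")
    return [i for i, b in enumerate(key) if not has_odd_parity(b)]

def fix_parity(key: bytes) -> bytes:
    """Return the key with each byte's parity bit corrected to odd parity.
    Flipping bit 0 does not change the 56 key bits DES actually uses."""
    return bytes(b ^ 0x01 if not has_odd_parity(b) else b for b in key)

def is_weak_key(key: bytes) -> bool:
    """True if the key (after parity correction) is one of the DES weak keys."""
    return fix_parity(key) in DES_WEAK_KEYS

def effective_key_bits(key: bytes) -> int:
    """Key bits an attacker must actually search: 7 per byte, so 56 for DES."""
    return 7 * len(key)

# Constructed sample keys: GOOD_KEY has odd parity in every byte; BAD_KEY is
# the same 56 bits of key material with every parity bit cleared.
GOOD_KEY = bytes.fromhex("0123456789ABCDEF")
BAD_KEY = bytes.fromhex("0022446688AACCEE")

if __name__ == "__main__":
    print("bad parity bytes in BAD_KEY:", parity_report(BAD_KEY))
    print("corrected key matches GOOD_KEY:", fix_parity(BAD_KEY) == GOOD_KEY)
    print("effective key bits:", effective_key_bits(GOOD_KEY))
```

    Correcting parity never changes the key material, which is why a key rejected for parity and its corrected form decipher the same data; the 56-bit effective size is the reason both posters above say the technology should not be used today.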



  • 5.  RE: Does anyone understand IDCAMS repro with encryption?

    Posted Thu September 23, 2021 07:53 AM
    I cannot speak for other teams, but I can confirm that ICSF maintains our single-DES support only for compatibility reasons. The same for the PCF and CUSP support. Single-DES is just much too weak for use.

    ------------------------------
    Eric Rossman
    ------------------------------