IBM Crypto Education Community

  • 1.  Transport keys - they are required - but I don't need them to set up two systems.

    IBM Champion
    Posted Fri September 03, 2021 04:07 AM
    I'm struggling to understand the need for transport keys (import and export).  The ICSF overview says...
    Page 11
    Exchanging symmetric keys using callable services
    ICSF provides these security measures for AES and DES key exchange:
    • Encrypting the keys to be sent between systems, so that they are not in the clear.
    • Requiring that specialized transport keys protect the data-encrypting keys or key-encrypting keys.
    Transport keys can be used only to protect other keys; they cannot be used for other cryptographic operations.

    On page 25 of the ICSF overview it says there are Key Encrypting Keys (KEK).  You have an exported key at the sender and an imported key at the receiver.
    Elsewhere it talks about setting these up, and the need to courier a key to the remote system.

    I've set up my cross-system keys without using transport keys (or a courier):

    1. Using public/private keys: exported an AES key using the public key, wrote the encrypted data to a file, sent the file to the remote system, imported the data using the private key and added it to the CKDS.
    2. Using Diffie-Hellman (using a private key and a public key), and that works: extract the key and encrypt it using the DH AES key, write it to a file, send the file to the remote system, import the data using the matching DH AES key and add it to the CKDS.

    Am I missing something?  Is my use of public/private keys not secure enough?  I can't see a need for transport keys - they just seem to add a layer of complexity.


    I raised a doc comment about this, but haven't heard back.
    Colin



    ------------------------------
    Colin Paice
    ------------------------------


  • 2.  RE: Transport keys - they are required - but I don't need them to set up two systems.

    Posted Fri September 03, 2021 04:28 PM
    Using a data encryption key to transport key material is a violation of the separation of duties, plus it means that your key material exists in the clear in host storage. You could use EC-DH to create an AES EXPORTER on one system and the corresponding AES IMPORTER on the other side. You don't need a transporter for the transporter, so just the one level of indirection should do the trick.

    ------------------------------
    Eric Rossman
    ------------------------------



  • 3.  RE: Transport keys - they are required - but I don't need them to set up two systems.

    IBM Champion
    Posted Sat September 04, 2021 04:42 AM

    Eric,

    Thank you... I see it is a difference between can (to be able to) and should (to be obliged).  Yes; I can use my private/public key to encrypt a key... but procedurally, not.

    I don't see where the key exists in the clear.  For example, with CSNDSYI2 you specify either the private key or the importer key; similarly with export.
    Colin



    ------------------------------
    Colin Paice
    ------------------------------



  • 4.  RE: Transport keys - they are required - but I don't need them to set up two systems.

    Posted Sat September 04, 2021 06:10 PM
    If you are directly encrypting with a data-encrypting key (derived with EC-DH), the key material is in the clear before that encrypt step, and after the decrypt step from ICSF until it gets imported.

    ------------------------------
    Eric Rossman
    ------------------------------
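    To make the point in the reply above concrete, here is an added simulation in Python (not ICSF code; the MockHSM, its key store, the labels and the HMAC-based stand-in for AES are all assumptions) of the two flows discussed in this thread: transferring an AES key under an EXPORTER/IMPORTER pair versus extracting it and encrypting it under a DH-derived data key. Only the second flow ever places the clear key in the application's own storage.

```python
import hmac, hashlib, secrets

def _xor_stream(key: bytes, data: bytes) -> bytes:
    # Toy HMAC-SHA256 keystream XOR standing in for AES (NOT a real key-wrap algorithm).
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(x ^ y for x, y in zip(data[i:i + 32], pad))
    return bytes(out)

class MockHSM:
    """Stand-in for coprocessor plus CKDS; clear key bytes are meant to live only in here."""
    def __init__(self, preloaded):
        self.ckds = dict(preloaded)                  # label -> (key type, clear key)
    def generate(self, label):
        self.ckds[label] = ("DATA", secrets.token_bytes(32))
    def export_under_kek(self, label, kek_label):    # cf. CSNDSYX given an EXPORTER label
        assert self.ckds[kek_label][0] == "EXPORTER"
        return _xor_stream(self.ckds[kek_label][1], self.ckds[label][1])
    def import_under_kek(self, blob, kek_label, label):  # cf. CSNDSYI2 given an IMPORTER label
        assert self.ckds[kek_label][0] == "IMPORTER"
        self.ckds[label] = ("DATA", _xor_stream(self.ckds[kek_label][1], blob))
    def cipher(self, label, data):                   # ordinary encrypt/decrypt with a DATA key
        assert self.ckds[label][0] == "DATA"
        return _xor_stream(self.ckds[label][1], data)
    def extract_clear(self, label):                  # the "extract the key" step (also used to verify)
        return self.ckds[label][1]

def transfer_with_transport_key():
    """EXPORTER on A, matching IMPORTER on B (assumed already agreed via EC-DH)."""
    kek = secrets.token_bytes(32)
    a, b = MockHSM({"XPT": ("EXPORTER", kek)}), MockHSM({"IMP": ("IMPORTER", kek)})
    a.generate("APPKEY")
    blob = a.export_under_kek("APPKEY", "XPT")       # all the application ever holds
    b.import_under_kek(blob, "IMP", "APPKEY")
    return [blob], a.extract_clear("APPKEY"), b.extract_clear("APPKEY")

def transfer_with_data_key():
    """DH-derived DATA key used directly, as in the thread: the clear key transits host storage."""
    dh = secrets.token_bytes(32)
    a, b = MockHSM({"DHAES": ("DATA", dh)}), MockHSM({"DHAES": ("DATA", dh)})
    a.generate("APPKEY")
    clear = a.extract_clear("APPKEY")                # clear key now in application memory
    wire = a.cipher("DHAES", clear)
    recovered = b.cipher("DHAES", wire)              # clear again until it is added to the CKDS
    b.ckds["APPKEY"] = ("DATA", recovered)
    return [clear, wire, recovered], a.extract_clear("APPKEY"), b.extract_clear("APPKEY")
```

    Each flow returns the buffers the application handled plus the key as held on each side; comparing them shows which flow exposed the key.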



  • 5.  RE: Transport keys - they are required - but I don't need them to set up two systems.

    IBM Champion
    Posted Sun September 05, 2021 12:28 PM
    Eric,
    Thank you,

    so if I have, for export:
    ADDRESS LINKPGM "CSNDSYX",
    'myrc' 'myrs' ,
    'exit_length' 'exit_data' ,
    'rule_count' 'rule_array' ,
    'llabel' 'label' ,
    'lpublic' 'public' ,
    'lOut' 'Out'

    where label is what I want to export, and public is the PKI public key or Exporter label; it stores the result in Out.
    Is this safe?

    For import I have...

    ADDRESS LINKPGM "CSNDSYI2" ,
    'myrc' 'myrs' ,
    'exit_length' 'exit_data' ,
    'rule_count' 'rule_array' ,
    'lData' 'data' ,
    'lPrivate' 'private' ,
    'lLabel' 'label' ,
    'lOut' 'Out'

    The doc says:
    Symmetric Key Import2 (CSNDSYI2 and CSNFSYI2)
    Use the Symmetric Key Import2 callable service to import an HMAC, AES or DES key enciphered under an RSA public key or AES EXPORTER key. It returns the key in operational form, enciphered under the master key.  This makes me think it is safe.

    Am I missing something?

    Colin

    ------------------------------
    Colin Paice
    ------------------------------