IBM Crypto Education Community

  • 1.  "CSNBKTB2" parameters

    Posted Tue September 07, 2021 01:31 PM
    I'm exploring creating keys for data set encryption.  I want to encrypt a dataset on one system and send it to another system.
    I have
    rule_array = 'INTERNAL'||,
    'AES     '||'CIPHER  '||'XPRTCPAC'||'ANY-MODE'||'ENCRYPT '
    - - - - - - - - - - - - - - - - - - 21 Line(s) not Displayed
    ADDRESS linkpgm "CSNBKTB2",

    and displaying it gives
    Key Attributes
    Algorithm: AES Key type: CIPHER
    Length (bits): - Key check value: 0266FA ENC-ZERO
    Key Usage: ENCRYPT ANY-MODE

    I get
    IEC143I 213-85, IBMUSER.ENC,  RC=X'00000008',RSN=X'0000085E'

    when I try to create a dataset and encrypt it.

    85E is 
    The key usage attributes of the variable-length key token does not allow the requested operation. For example,
    the request might have been to encrypt data, but encryption is not allowed, or the request might have been to
    use the ECB cipher mode, but that mode is not allowed.

    Am I missing something?  It looks like it needs both ENCRYPT and DECRYPT before encrypt will work.

    Colin

    ------------------------------
    Colin Paice
    ------------------------------


  • 2.  RE: "CSNBKTB2" parameters

    Posted Tue September 07, 2021 05:51 PM
    We don't want to let you start using a key that would effectively make the dataset write-only.

    By the way, there is a draft redbook for dataset encryption available at https://www.redbooks.ibm.com/Redbooks.nsf/RedpieceAbstracts/sg248410.html?Open

    ------------------------------
    Eric Rossman
    ------------------------------
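
    The following REXX is an added example, not code from the thread: it builds the AES CIPHER skeleton token the way Eric describes, with both ENCRYPT and DECRYPT in the key usage so the token is not write-only. The CSNBKTB2 parameter order is as I understand the ICSF Application Programmer's Guide documents it (an assumption to check against your ICSF level), and the 725-byte buffer is the maximum variable-length token size.

```rexx
/* REXX - added example, not from the original thread.                */
/* Builds an AES CIPHER skeleton token whose key usage allows both   */
/* ENCRYPT and DECRYPT.  An ENCRYPT-only token is rejected by data   */
/* set encryption (IEC143I 213-85, RSN X'85E').                      */
/* Parameter order follows the ICSF CSNBKTB2 call as I understand it; */
/* verify it against the ICSF Application Programmer's Guide.        */

return_code        = d2c(0,4)
reason_code        = d2c(0,4)
exit_data_length   = d2c(0,4)
exit_data          = ''

/* Every rule array keyword is exactly 8 bytes, blank padded.        */
rule_array = 'INTERNAL'||,   /* token type                            */
             'AES     '||,   /* algorithm                             */
             'CIPHER  '||,   /* key type                              */
             'XPRTCPAC'||,   /* exportable to CPACF protected key     */
             'ANY-MODE'||,   /* any cipher mode                       */
             'ENCRYPT '||,   /* key usage: encrypt ...                */
             'DECRYPT '      /* ... and decrypt - both are required   */
rule_array_count = d2c(length(rule_array) % 8, 4)

clear_key_bit_length    = d2c(0,4)   /* no clear key: skeleton token  */
clear_key_value         = ''
key_name_length         = d2c(0,4)
key_name                = ''
user_assoc_data_length  = d2c(0,4)
user_assoc_data         = ''
token_data_length       = d2c(0,4)   /* reserved                      */
token_data              = ''
service_data_length     = d2c(0,4)   /* reserved                      */
service_data            = ''
target_key_token_length = d2c(725,4) /* max variable-length token     */
target_key_token        = copies('00'x, 725)

ADDRESS LINKPGM 'CSNBKTB2' ,
  'return_code' 'reason_code' 'exit_data_length' 'exit_data' ,
  'rule_array_count' 'rule_array' 'clear_key_bit_length' 'clear_key_value' ,
  'key_name_length' 'key_name' 'user_assoc_data_length' 'user_assoc_data' ,
  'token_data_length' 'token_data' 'service_data_length' 'service_data' ,
  'target_key_token_length' 'target_key_token'

if c2d(return_code) <> 0 then
  say 'CSNBKTB2 failed: RC='c2d(return_code) 'RSN='c2d(reason_code)
else
  say 'Skeleton token built, length' c2d(target_key_token_length)
```

    The skeleton token is then passed to the key generate service to produce the actual key material before it is stored in the CKDS under the label used in the data set's DATAKEY.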



  • 3.  RE: "CSNBKTB2" parameters

    Posted Wed September 08, 2021 03:30 AM

    Hi Eric,

    Thanks for your reply.  I was thinking of encrypting a data set on one system, sending it across to another system and having decrypt capability there.   It prevents the exposure of using XMIT to send an encrypted data set ... which becomes unencrypted.

    I can create the same DH key - but with DECRYPT capability on the remote system.

    Do you see a case for having just one of DECRYPT|ENCRYPT? If not, would it be worth removing it from the documentation - or saying it is deprecated?

    I've used that red book - it is pretty good - but doesn't cover the two independent systems area very well.
    9.2.2 Scenario 1: Same Master Key - does not apply
    9.2.3 Scenario 2: Different Master Key - the execs are not parameterised... and you expect me to edit them to insert the keys?

    I raised some comments on this document a while ago, for example under "Transmitting encrypted data sets": use the secure version of .. XMIT.    I could not find one.
    I could not get the ENCIPHER part of XMIT to work. (I've raised a doc comment on IDCAMS REPRO ENCIPHER because it does not make much sense.)

    regards

    Colin



    ------------------------------
    Colin Paice
    ------------------------------



  • 4.  RE: "CSNBKTB2" parameters

    Posted Wed September 08, 2021 09:43 AM
    I was thinking of encrypting a data set on one system, sending it across to another system and having decrypt capability there.

    Interesting idea. In general, we don't generally like to build keys that are "write-only" (encrypt-only, sign-only, MAC-gen-only). Usually, if a key can do the "stronger" operation (encrypt, sign, MAC-generate), it will also have the ability to do the "weaker" operation (decrypt, verify, MAC-verify). This doesn't seem like a strong enough case for dataset encryption.

    It prevents the exposure of using XMIT to send an encrypted data set ... which becomes unencrypted.

    We do provide Encryption Facility which provides an OpenPGP-compatible way to send a dataset or file, securely.

    Do you see a case for having just one of DECRYPT|ENCRYPT, if not, would it be worth removing it from the documentation - or say it is deprecated.

    There are cases for this, but dataset encryption is not one of them.

    I've used that red book - it is pretty good - but doesn't cover the two independent systems area very well.
    9.2.3 Scenario 2: Different Master Key - the execs are not parameterised... and you expect me to edit them to insert the keys?

    Yes. Again, they are samples, so you are free to update them to parameterize them.

    I raised some comments on this document a while ago for example under Transmitting encrypted data sets use the secure version of .. XMIT I could not find one.

    There is no "secure version" of XMIT. The ENCIPHER uses a single-length DES key. Extremely weak. (Related to the answer you got on IBM-MAIN.)

    ------------------------------
    Eric Rossman
    ------------------------------



  • 5.  RE: "CSNBKTB2" parameters

    Posted Wed September 08, 2021 12:59 PM
    Hi Eric,

    Thanks for your comments... they all make sense.

    I'll have a read of IBM Encryption Facility for z/OS: Using Encryption Facility for OpenPGP.  A 2-minute look at the documentation suggests it is not easy to set up and use.

    regards

    Colin

    ------------------------------
    Colin Paice
    ------------------------------