
Am I missing something when doing XMIT with an encrypted data set?


Colin Paice

Sep 1, 2021, 11:43:22 AM
I've set up encryption for some data sets.
I did an *XMIT a.a dsn(...)* of an encrypted data set, and it was sent
unencrypted so I could do a TSO receive and read it with no encryption.

This means that your datasets on the local z/OS are very secure - but
people could unwittingly send them out in the clear.

If I use DFDSS to backup, and then send the dataset it works as expected.
There is "ENCIPHER" on the XMIT command - but I could not get this to work.
Is there some set up I need to do to prevent this? I was expecting some
checks along the lines of "this dataset is encrypted, it needs additional
checks - or use DFDSS under the covers"

Colin

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to list...@listserv.ua.edu with the message: INFO IBM-MAIN

Mike Wawiorko

Sep 1, 2021, 11:49:50 AM
Secure NJE with AT-TLS?

But you do have a point that XMIT might somehow check that to make it all-pervasive encryption.

Mike Wawiorko  



Carmen Vitullo

Sep 1, 2021, 11:56:40 AM
IIRC, your installation needs to allow this option; if allowed, you
should be prompted for the encipher option. This option is used on the
AMS REPRO command - via TSO HELP

I don't understand: you said you did the XMIT on an encrypted dataset, but
how was it sent unencrypted?

I wonder why this file cannot be encrypted and packed via the transmit
command? and get received encrypted, then decrypted?

Does it get corrupted?

Carmen
--
/I am not bound to win, but I am bound to be true. I am not bound to
succeed, but I am bound to live by the light that I have. I must stand
with anybody that stands right, and stand with him while he is right,
and part with him when he goes wrong. *Abraham Lincoln*/

Lennie Dymoke-Bradshaw

Sep 1, 2021, 12:19:45 PM
Colin,

Yes, you have found that it is easy to "de-classify" the data. This is why data set encryption requires careful design and understanding of the use of the data.

Anyone copying encrypted data they have READ access to will potentially expose the data unless you take steps to avoid it. In your case, perhaps you should use a userid for which encryption is mandated for new data sets. Even so, you can create a clear copy using temporary data sets (e.g. DSN=&TEMP) or copying to tape (for which encryption is not supported) or simply using FTP.

In fact ANY copy mechanism which uses the access method will decrypt the data if it has access to the data set (via RACF) and access to the encryption key (also via RACF). Once decrypted in your program's buffers, the program can do what it likes with the data.

Contrast this with using a physical block mechanism to access the data (like DFSMSdss, FDR, or even PPRC) which will pick up physical blocks without reference to the encryption mechanism.

Care and design are required to secure your data and its encryption keys.

The ENCIPHER keyword on the XMIT command uses the IDCAMS REPRO facility to encrypt. This is a rather old (> 25 years) facility which is not really related to current data set encryption.

Lennie Dymoke-Bradshaw
https://rsclweb.com
‘Dance like no one is watching. Encrypt like everyone is.’


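The contrast drawn in the post above, and the DFDSS route the original poster reports as working, shown as added example JCL that is not part of the original thread. The job name, accounting field, data set names (`MYHLQ.ENCDATA`, `MYHLQ.ENCDATA.DSSDUMP`), space values and the target `NODEB.USERB` are placeholders assumed for illustration.

```jcl
//XMITENC  JOB (ACCT),'XMIT DUMP',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//* Added example. Data set names, node and userid are placeholders.
//*
//* Step 1: DFSMSdss copies the data set without going through the
//* access method, so the data in the dump is not decrypted.
//DUMP     EXEC PGM=ADRDSSU
//SYSPRINT DD  SYSOUT=*
//DUMPOUT  DD  DSN=MYHLQ.ENCDATA.DSSDUMP,DISP=(NEW,CATLG,DELETE),
//             UNIT=SYSDA,SPACE=(CYL,(50,50),RLSE)
//SYSIN    DD  *
  DUMP DATASET(INCLUDE(MYHLQ.ENCDATA)) -
       OUTDDNAME(DUMPOUT)
/*
//* Step 2: XMIT the dump data set, not the original data set.
//* An XMIT of MYHLQ.ENCDATA itself would read it through the access
//* method and send clear text. Skipped unless the dump ended RC=0.
//SEND     EXEC PGM=IKJEFT01,COND=(0,NE,DUMP)
//SYSTSPRT DD  SYSOUT=*
//SYSTSIN  DD  *
  TRANSMIT NODEB.USERB DATASET('MYHLQ.ENCDATA.DSSDUMP')
/*
```

On the receiving system, RECEIVE recreates the dump data set and an ADRDSSU RESTORE recreates the encrypted data set; reading it there still needs RACF access to both the data set and its key label, and the key itself has to be available on that system.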

Paul Gilmartin

Sep 1, 2021, 12:29:43 PM
On Wed, 1 Sep 2021 15:49:34 +0000, Mike Wawiorko wrote:

>Secure NJE with AT-TLS?
>
>But you do have a point that XMIT might somehow check that to make it all-pervasive encryption.
>
Pervasive encryption is pervasively too transparent. Do similar concerns apply to
FTP, IND$FILE, VPN, VNC, IEBGENER to an unencrypted data set, ...? The
assumption is that a trusted person via a secure connection does no harm.

My employer's VPN disabled all other network connections (is this typical?).
An irritant to employees who had to disconnect VPN to use their home network
printers. But I could VPN from a Linux guest while the host remained connected
to the Internet.

Portable storage devices? Photographs of terminal screens? Body cavity
searches at the security perimeter?

A pair of co-workers swapped music CDs. One was stopped carrying out a
cardboard box of CDs. The rule was that boxes were searched; bags were
exempt. Someone suggested putting the box in a paper bag.

-- gil

Charles Mills

Sep 1, 2021, 12:33:03 PM
Or more simply, if user X has the ability to read with decryption a particular encrypted dataset, then s/he can do anything s/he likes with it: download it to a PC, print it out, e-mail it, XMIT it, ...

It would be nice if XMIT had some sort of "hey wait a minute -- that dataset is/was encrypted" feature, but I think that enhancements to XMIT are unlikely at this point.

Charles

Charles Mills

Sep 1, 2021, 2:18:13 PM
> My employer's VPN disabled all other network connections (is this typical?)

Yes. Sometimes it is a checkbox in the client configuration that the user can change if sufficiently cognizant.

Charles

