---> Kyle Sparger: Basically, what I'm saying is, TSM's encryption is better
r
than nothing,
and is suitable for many purposes, but your original statement,
As I have read this somewhere (I did not invented this wheel too) "weak
security is worse than no security at all. It gives fake feel for
security".
---> Justin Derrick: Actually, it was EFF.org that built the DES cracker ...
To be more precise, the distributed.net won the first two contests (DES-I
To be more precise, the distributed.net won the first two contests (DES-I
& DESII-1), EFF's specially designed box won the semifinal and they teamed
together for the last contest because RSA set a deadline (24 hours). EFF's
box was just a more powerful node of distributed.net's approach. Details
can be found on http://www.distributed.net/des
Actually on the fourth round d.net got the answer from EFF's box but the
box itself checked less than 40% of the keyspace. Total result was over
88% of the keyspace exhausted in 22 hours (when the key was found AND
confirmed). So the rest was done by the millions anonymous computers over
the Net (few of them were mine so I am familiar).
However we have to take into account technology change since then - first
DES contest was in 1997, second and third in 1998 and the last in 1999.
EFF's machine was built for the third contest (DES-II-2) and used
practically unchanged in the fourth. At that time Intel was delivering
Pentium II, IBM has PowerPC@332MHz and was just started selling
RS64@125/200 MHz, HP has PA-8200/8500@200/440 MHz, etc.
If EFF methodology is used with current processors/memory the performance
would be better 3-4 times, i.e. instead of approx. 4 days for whole DES
keyspace (actual EFF's box performance) it would happen in a day. And
prices for components are little bit lower than the same class (be it
entry or top performer) in 1997-99. So it may cost $200-220k for less than
a day.
---> Paul Seay: In the DoD arena we prescribe to a security called FIPS-140.
Basically,
. Basically,
it
requires encryption of all the network and a closed environment and
extending beyond that is all the issues of vault certification and
physical
plant protection.
At the time when DES was designed in 1970's and 80's there were different
security levels defined by US DoD (Paul is talking about them, not about
afgans or albanians ;-). But the levels were not only for software but for
whole site AFAIK (to best of my knowledge level A demanded that data
cannot leave the protected area in any way other than peoples memory). And
software can achieve certain level of security only if properly tuned.
Unfortunately I am not familiar with FIPS 140 beyond the fact that
encryption/decryption devices and software modules can be certified
according levels 1,2,3 and 4. So it probably is not a replacement to the
old division but additional criteria on particular topic - encryption.
For commersial grade level C2 was thought enough so at least the products
I know advertize that can achieve this level (AIX 3.2 & 4.x, Windows NT 4,
NetWare 4, Domino/Notes 4.x) and say nothing about higher levels. Level C2
systems was not protected from eavesdropping nor encrypted the data.
And some my own remarks on the topic:
Petur for sure does not know at least some of the demanded security
details. There might be familiar with other details he cannot tell to a
public forum like this one. And at the end we ought to be specialists the
backup/restore arena. So neither Petur nor we can resolve the security
issue at the backup level if it is not solved as a whole. We can only help
him to explain the security features/limitations of TSM. I would guess
that this company's main concern is their investment this genealogigal
records to be entered, verified and indexed into a database not to fall
into their competitors' hands. Another issue is what Petur pointed -
people's concern about their privacy data.
So lets deal as we do with other TSM uncommon things on this list - focus
not to a tree but to look the whole forest. This is security problem not
TSM problem at all. So if security is a *real* problem for that company
they MUST have a IT security officer (or whatever they call him/her). So
that person has to decide how to protect the data. If they do not have
such a person either security is not a big concern to them or security is
an excuse not to purchase TSM Petur tries to offer them. In the latter
case even if solves the issue someone would find another excuse.
About the key length - neither DES nor RC4-128 or 3DES are good enough.
This research probably is not going to finish in a year or two and also I
expect that concern for this data is not for short term protection. On the
other hand this data would not change too much and usage of private/public
key encryption scheme might be usable. So GnuPG or other file encryption
tool might be much more suitable than internal TSM encryption.
My 0.02 BGN
Zlatko Krastev
IT Consultant
P.S. Petur, you can contact me if you want. This is more security than
TSM-related, so please do it outside the list.
Zlatko
Please respond to "ADSM: Dist Stor Manager" <ADSM-L AT VM.MARIST DOT EDU>
Sent by: "ADSM: Dist Stor Manager" <ADSM-L AT VM.MARIST DOT EDU>
To: ADSM-L AT VM.MARIST DOT EDU
cc:
Subject: don´t aynone know anything about Encryption in TSM.
Hi i have posted this 2 times before here but havent receved a reply yet.
thus led me to belive that knowlegde on this is wery limited.
I have a big custemer who is considerating TSM for there backup system.
However, they will be needing to take some of there backup offsite.
They have extremly valible data witch may not get in the wrong hands.
I have been reading up on Encryption in TSM and found it to be only
desingd
to protect the data on the way
to the TSM server. I found no info on werther the data would be Encrypted
in
the storage pools.
My question.
Is it possible to make Backupset, and be sure no-one can use it if it gets
in the wrong hands (Encrypt it somehow.
How can a administrator be sure that no-one can restore his
copy-storage-pools. is it posible to encrypt the data somehow.
Is it possible to password protect the TSM Database, so that you can´t
restore it without a password.
what way can they take offsite backup and be sure that there data is safe,
even if the bad guys get the tapes.
Thanks in advance for any help.
Kvedja/Regards
Petur Eythorsson
Taeknimadur/Technician
IBM Certified Specialist - AIX
Tivoli Storage Manager Certified Professional
Microsoft Certified System Engineer
peddi AT itn DOT is
Nyherji Hf Simi TEL: +354-569-7700
Borgartun 37 105 Iceland
URL: http://www.nyherji.is
|