MQSeries.net Forum Index » IBM MQ Security » Just thinking out loud

tczielke
Posted: Tue Jun 30, 2015 6:40 pm    Post subject: Just thinking out loud

Guardian

Joined: 08 Jul 2010
Posts: 939
Location: Illinois, USA

Wouldn't it have been easier if IBM MQ had just written and used their own proprietary encryption protocol for channel encryption?

The MQ code is always at both ends of the channel. So you don't really need to use the public encryption protocols for interoperability with another product.

You could make the argument that a proprietary encryption protocol is safer than a public one like SSL or TLS, since the hackers don't have direct access to how it works.

We would probably have far fewer security vulnerabilities to deal with when using a proprietary encryption protocol.

Just thinking out loud . . .
_________________
Working with MQ since 2010.
smdavies99
Posted: Tue Jun 30, 2015 8:22 pm

Jedi Council

Joined: 10 Feb 2003
Posts: 6076
Location: Somewhere over the Rainbow this side of Never-never land.

And what about those places that demand a certain level of encryption?
How could IBM persuade them that their own stuff was equal to or better than the required standard?
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995

Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions.
tczielke
Posted: Wed Jul 01, 2015 3:25 am

Guardian

Joined: 08 Jul 2010
Posts: 939
Location: Illinois, USA

True. But couldn't IBM offer both the current public encryption protocols and also proprietary encryption protocols? Maybe there just isn't enough customer demand for proprietary encryption protocols to warrant them.
_________________
Working with MQ since 2010.
Vitor
Posted: Wed Jul 01, 2015 5:06 am    Post subject: Re: Just thinking out loud

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

tczielke wrote:
You could make the argument that a proprietary encryption protocol is safer than a public one like SSL or TLS, since the hackers don't have direct access to how it works.


You would also have to make the argument to your internal security audit people that the encryption protocol they'd never heard of was as good as the ones they can find on Google.

I'd also view with some suspicion the assertion that it's inherently more secure because people don't have direct access to how it works. Reverse engineering has an honorable tradition, especially when you can legitimately buy a copy of MQ, set up a secured channel, push known plain text messages down it and catch the packets with Wireshark.
_________________
Honesty is the best policy.
Insanity is the best defence.
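Vitor's point above, as an added worked example (mine, not code from this thread, from IBM MQ or from any poster): the "proprietary" cipher below is an invented toy, a 32-bit linear congruential generator whose state words are emitted directly as keystream and XORed onto the payload, standing in for an unpublished design whose only protection is that nobody outside the vendor has read it. The attacker is assumed to have disassembled the client (so they know the generator, not the per-session seed), sent one message of their own choosing down the channel, and captured the session with a sniffer. Every "captured" byte here is constructed in the file.

```python
"""Known-plaintext recovery against a hypothetical 'proprietary' channel cipher.

Added example, not code from MQSeries.net, IBM MQ or any poster. The cipher is
an invented toy: a 32-bit linear congruential generator whose state words are
emitted directly as keystream and XORed onto the channel payload. It stands in
for an unpublished design whose only protection is that nobody outside the
vendor has read it. All 'captured' traffic below is constructed in this file.
"""
import struct

MASK32 = 0xFFFFFFFF
LCG_A, LCG_C = 1664525, 1013904223   # assumed constants of the toy generator


def keystream(seed: int, nbytes: int) -> bytes:
    """Toy keystream: each successive LCG state is emitted as 4 little-endian bytes."""
    out = bytearray()
    state = seed & MASK32
    while len(out) < nbytes:
        state = (LCG_A * state + LCG_C) & MASK32
        out += struct.pack("<I", state)
    return bytes(out[:nbytes])


def toy_encrypt(seed: int, session_bytes: bytes) -> bytes:
    """Whole-session encryption: every message on the channel is a slice of one stream."""
    return bytes(p ^ k for p, k in zip(session_bytes, keystream(seed, len(session_bytes))))


# ---- the reverse-engineer's side ------------------------------------------------
# Assumption: the attacker has disassembled the client and knows the generator,
# but not the per-session seed. They send a message they chose themselves
# (the 'known plaintext') and capture the whole session with a sniffer.

def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """XOR the captured bytes with what we sent: that is the keystream for that span."""
    return bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))


def continue_keystream(recovered: bytes, nbytes: int) -> bytes:
    """The toy generator leaks its full state in every output word, so the last
    aligned 4 bytes of recovered keystream are enough to run it forward."""
    if len(recovered) < 4 or len(recovered) % 4:
        raise ValueError("need a word-aligned keystream span of at least 4 bytes")
    last_state = struct.unpack("<I", recovered[-4:])[0]
    return keystream(last_state, nbytes)


def decrypt_rest_of_session(captured: bytes, known_prefix: bytes) -> bytes:
    """Given one known message at the start of a captured session, decrypt everything after it."""
    n = len(known_prefix)
    ks = recover_keystream(captured[:n], known_prefix)
    tail = captured[n:]
    return bytes(c ^ k for c, k in zip(tail, continue_keystream(ks, len(tail))))


if __name__ == "__main__":
    # Constructed demonstration session: our probe message followed by someone else's.
    seed = 0x5EED1234                      # secret to the endpoints, unknown to the attacker
    probe = b"PING 0000000001\n"           # 16 bytes, chosen and sent by the attacker
    victim = b"PAY 4242 -> 9999 1000.00"   # message the attacker did not write
    wire = toy_encrypt(seed, probe + victim)
    print(decrypt_rest_of_session(wire, probe))   # -> b'PAY 4242 -> 9999 1000.00'
```

The contrast with a published design is the point: AES in CTR mode also XORs a keystream onto the data, but each keystream block is the output of a keyed permutation, so recovering one block with known plaintext says nothing about the next one without the key. The toy above has no such property, and once the binary is in the hands of someone with Wireshark, its secrecy is already gone.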
mqjeff
Posted: Wed Jul 01, 2015 5:25 am    Post subject: Re: Just thinking out loud

Grand Master

Joined: 25 Jun 2008
Posts: 17447

tczielke wrote:
Wouldn't it have been easier if IBM MQ had just written and used their own proprietary encryption protocol for channel encryption?


No. Writing an encryption protocol is extremely hard work, with a large amount of certification required - which requires a large amount of testing.

Even without any external certification.

So, an important choice. Would you like a custom encryption protocol, or new features and bug fixes and improvements on the current product with support for well known and well tested protocols...
RogerLacroix
Posted: Fri Jul 03, 2015 3:24 pm

Jedi Knight

Joined: 15 May 2001
Posts: 3252
Location: London, ON Canada

tczielke wrote:
Wouldn't it have been easier if IBM MQ had just written and used their own proprietary encryption protocol for channel encryption?

I used to think exactly the same thing, then I got the cold shoulder from the customer's security group, and I learnt my lesson.

In 2007, I launched MQ Instant Secure Data (MQISD) and MQ Instant Secure Data for z/OS (z/MQISD) which provided channel encryption using Tiny Encryption Algorithm Variant (aka TEAV and XTEA).

Lots of customers tried out MQISD (& z/MQISD). MQAdmins gave it good reviews and liked the speed of the exits, but EVERY time the security group reviewed MQISD and/or z/MQISD, they gave the evil eye to XTEA. Even though XTEA has never been broken, they would not give it the thumbs up. Note: Microsoft actually used TEA in the original Xbox, and yes, TEA was broken.

After 3 years of beating my head against the wall (and zero sales), I scrapped both MQISD and z/MQISD. A lot of work (C code for the native exit, Java code for Java/JMS and C# code for the .NET exit) was thrown out, all because of perception. Basically, no security group would approve it because there was no official government approval of XTEA (and they would not risk their own necks).

So, since those security groups always used the phrase of "if only you used AES", I decided to start over with AES (128, 192 & 256 bit).

Hence, in 2010, MQ Channel Encryption and MQ Channel Encryption for z/OS were launched using AES and SHA-2. Now, customers try it out, their security groups approve it and no more headaches.

Bottom line, when it comes to encryption, always stay on the (well) beaten path!!!

Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter


Last edited by RogerLacroix on Mon Jul 06, 2015 1:47 pm; edited 1 time in total
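Roger's post says TEA was broken when Microsoft used it in the original Xbox while XTEA has not been. The added example below (mine, not code from this thread or from Capitalware's MQISD product) implements both ciphers from their published reference descriptions and demonstrates the concrete weakness behind that: TEA has equivalent keys. Each key has three others that encrypt every block identically, so the effective key length is 126 bits, and when TEA is used as the compression function of a Davies-Meyer hash, as the Xbox bootloader check did, an attacker can change the hashed input without changing the hash. XTEA's rearranged key schedule removes the cancellation. Keys and blocks in the demonstration are constructed, not published test vectors.

```python
"""TEA's equivalent-key weakness next to XTEA, which does not have it.

Added example, not code from MQSeries.net or from Capitalware's MQISD product.
Both ciphers follow the published reference descriptions by Wheeler and Needham
(64-bit block, 128-bit key as four 32-bit words, 32 cycles). Keys and blocks
used in the demonstration are constructed, not real test vectors.
"""
M32 = 0xFFFFFFFF
DELTA = 0x9E3779B9
TOP = 0x80000000   # bit 31 of a 32-bit word


def tea_encrypt(v0: int, v1: int, k: list[int], cycles: int = 32) -> tuple[int, int]:
    """Original TEA. Each half-round mixes two key words, k[0]/k[1] or k[2]/k[3]."""
    s = 0
    for _ in range(cycles):
        s = (s + DELTA) & M32
        v0 = (v0 + ((((v1 << 4) & M32) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & M32
        v1 = (v1 + ((((v0 << 4) & M32) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & M32
    return v0, v1


def xtea_encrypt(v0: int, v1: int, k: list[int], cycles: int = 32) -> tuple[int, int]:
    """XTEA. Each half-round uses exactly one key word, selected by the round sum."""
    s = 0
    for _ in range(cycles):
        v0 = (v0 + (((((v1 << 4) & M32) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & M32
        s = (s + DELTA) & M32
        v1 = (v1 + (((((v0 << 4) & M32) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & M32
    return v0, v1


def equivalent_keys(k: list[int]) -> list[list[int]]:
    """The four TEA keys that encrypt identically to k (k itself first).

    In TEA's v0 update, k[0] and k[1] each enter through a 32-bit addition and the
    two results are XORed together. Flipping bit 31 of both flips bit 31 of both
    sums, and the XOR cancels the flips. The same holds for k[2]/k[3] in the v1
    update. So flipping the top bits of either pair, or of both pairs, gives a key
    that is indistinguishable from k on every plaintext.
    """
    a = [k[0] ^ TOP, k[1] ^ TOP, k[2], k[3]]
    b = [k[0], k[1], k[2] ^ TOP, k[3] ^ TOP]
    c = [k[0] ^ TOP, k[1] ^ TOP, k[2] ^ TOP, k[3] ^ TOP]
    return [list(k), a, b, c]


def has_equivalent_key(encrypt, k: list[int], block=(0x11223344, 0x55667788)) -> bool:
    """True if some other key in TEA's equivalence class gives the same ciphertext
    under `encrypt`. Expected: True for tea_encrypt, False for xtea_encrypt."""
    ref = encrypt(block[0], block[1], k)
    return any(encrypt(block[0], block[1], kk) == ref for kk in equivalent_keys(k)[1:])


if __name__ == "__main__":
    key = [0x01234567, 0x89ABCDEF, 0xDEADBEEF, 0x00C0FFEE]   # constructed key
    print("TEA  has an equivalent key:", has_equivalent_key(tea_encrypt, key))   # True
    print("XTEA has an equivalent key:", has_equivalent_key(xtea_encrypt, key))  # False
```

For channel encryption with a fresh random key this flaw only costs two bits of key length, which is why Roger can say XTEA "has never been broken" in that setting; the security groups' objection was to the absence of an approved standard behind it, not to a known break. The Xbox case shows how a cipher with an unreviewed property fails badly the moment it is used outside the role it was designed for.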
tczielke
Posted: Sat Jul 04, 2015 5:42 am

Guardian

Joined: 08 Jul 2010
Posts: 939
Location: Illinois, USA

Thanks all for the information.

Roger - That is an interesting story that probably helps show why IBM went with the industry accepted encryption protocols for channel encryption.

I find the security part of the IT world very "interesting", to say the least . . .
_________________
Working with MQ since 2010.
Copyright © MQSeries.net. All rights reserved.