Just thinking out loud
tczielke
Posted: Tue Jun 30, 2015 6:40 pm    Post subject: Just thinking out loud
Guardian; Joined: 08 Jul 2010; Posts: 941; Location: Illinois, USA
Wouldn't it have been easier if IBM MQ had just written and used their own proprietary encryption protocol for channel encryption?
The MQ code is always at both ends of the channel. So you don't really need to use the public encryption protocols for interoperability with another product.
You could make the argument that a proprietary encryption protocol is safer than a public one like SSL or TLS, since the hackers don't have direct access to how it works.
We would probably have many fewer security vulnerabilities to deal with when using a proprietary encryption protocol.
Just thinking out loud . . .

Working with MQ since 2010.
smdavies99
Posted: Tue Jun 30, 2015 8:22 pm    Post subject:
Jedi Council; Joined: 10 Feb 2003; Posts: 6076; Location: Somewhere over the Rainbow this side of Never-never land.
And what about those places that demand a certain level of encryption?
How could IBM persuade them that their own stuff was equal to or better than the required standard?

WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions.
tczielke
Posted: Wed Jul 01, 2015 3:25 am    Post subject:
Guardian; Joined: 08 Jul 2010; Posts: 941; Location: Illinois, USA
True. But couldn't IBM offer both the current public encryption protocols and also proprietary encryption protocols? Maybe there just isn't enough customer demand for proprietary encryption protocols to warrant them.

Working with MQ since 2010.
Vitor
Posted: Wed Jul 01, 2015 5:06 am    Post subject: Re: Just thinking out loud
Grand High Poobah; Joined: 11 Nov 2005; Posts: 26093; Location: Texas, USA
tczielke wrote:
> You could make the argument that a proprietary encryption protocol is safer than a public one like SSL or TLS, since the hackers don't have direct access to how it works.
You would also have to make the argument to your internal security audit people that the encryption protocol they'd never heard of was as good as the ones they can find on Google.
I'd also view with some suspicion the assertion that it's inherently more secure because people don't have direct access to how it works. Reverse engineering has an honorable tradition, especially when you can legitimately buy a copy of MQ, set up a secured channel, push known plain text messages down it and catch the packets with Wireshark.

Honesty is the best policy.
Insanity is the best defence.
mqjeff
Posted: Wed Jul 01, 2015 5:25 am    Post subject: Re: Just thinking out loud
Grand Master; Joined: 25 Jun 2008; Posts: 17447
tczielke wrote:
> Wouldn't it have been easier if IBM MQ had just written and used their own proprietary encryption protocol for channel encryption?
No. Writing an encryption protocol is extremely hard work, with a large amount of certification required - which requires a large amount of testing.
Even without any external certification.
So, an important choice. Would you like a custom encryption protocol, or new features and bug fixes and improvements on the current product with support for well known and well tested protocols...
RogerLacroix
Posted: Fri Jul 03, 2015 3:24 pm    Post subject:
Jedi Knight; Joined: 15 May 2001; Posts: 3264; Location: London, ON Canada
tczielke wrote:
> Wouldn't it have been easier if IBM MQ had just written and used their own proprietary encryption protocol for channel encryption?
I used to think exactly the same thing, then I got the cold shoulder of the customer's security group and I have learnt my lesson.
In 2007, I launched MQ Instant Secure Data (MQISD) and MQ Instant Secure Data for z/OS (z/MQISD), which provided channel encryption using Tiny Encryption Algorithm Variant (aka TEAV and XTEA).
Lots of customers tried out MQISD (& z/MQISD). MQAdmins gave it good reviews and liked the speed of the exits, but EVERY time the security group reviewed MQISD and/or z/MQISD, they gave the evil eye to XTEA. Even though XTEA has never been broken, they would not give it the thumbs up. Note: Microsoft actually used TEA in the original Xbox and yes, TEA was broken.
After 3 years of beating my head against the wall (and zero sales), I scrapped both MQISD and z/MQISD. A lot of work, C code for the native exit, Java code for Java/JMS and C# code for the .NET exit, was thrown out all because of perception. Basically, no security group would approve it because there was no official government approval of XTEA (and they would not risk their own neck).
So, since those security groups always used the phrase "if only you used AES", I decided to start over with AES (128, 192 & 256 bit).
Hence, in 2010, MQ Channel Encryption and MQ Channel Encryption for z/OS were launched using AES and SHA-2. Now, customers try it out, their security groups approve it and no more headaches.
Bottom line, when it comes to encryption, always stay on the (well) beaten path!!!
Regards,
Roger Lacroix
Capitalware Inc.

Capitalware: Transforming tomorrow into today.
Connected to MQ!
Last edited by RogerLacroix on Mon Jul 06, 2015 1:47 pm; edited 1 time in total
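An added example, not from this thread and not code from IBM MQ or Capitalware, that puts Vitor's review test and Roger's "stay on the beaten path" advice side by side. It constructs a toy "proprietary" channel cipher (fixed, repeating-key XOR; a stand-in, nothing on the page says any real product did this) and a stand-in for a standard keyed construction (HMAC-SHA-256 used as a per-message counter-mode keystream, chosen only because it needs no third-party library; a real product would use AES-GCM or TLS). The key, nonces and both "channel messages" are constructed sample values. The test is the one Vitor describes: the reviewer knows one message that went down the channel and has captured its ciphertext; the question is whether that knowledge unlocks a second, unknown message. Under the toy scheme it does, under the keyed scheme it does not, which is why an audit group that cannot see the design assumes the worst.

```python
import hashlib
import hmac

# Constructed sample traffic, fixed so the demonstration is deterministic.
# None of these values come from IBM MQ, Capitalware or the forum thread.
CHANNEL_KEY = b"CHANNELSECRET!!!"          # 16-byte shared key (constructed)
KNOWN_MESSAGE = b"MQ TEST MESSAGE 0001"    # a message the reviewer chose and sent
SECRET_MESSAGE = b"PAYROLL BATCH 42 OK "   # a message the reviewer did not send
NONCE_1 = b"\x00" * 11 + b"\x01"           # per-message nonces for the keyed scheme
NONCE_2 = b"\x00" * 11 + b"\x02"


def toy_proprietary_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Constructed 'secret' design: XOR each byte with a fixed, repeating key.
    Every message on the channel reuses exactly the same key bytes."""
    return bytes(p ^ key[i % len(key)] for i, p in enumerate(plaintext))


def keyed_stream_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Stand-in for a standard construction: a keystream derived with
    HMAC-SHA-256 in counter mode from the key and a per-message nonce.
    (Stdlib only; a real product would use AES-GCM or TLS.) A fresh nonce
    means a fresh keystream, so nothing learned from one message carries
    over to another. XOR is its own inverse, so this also decrypts."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(plaintext):
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        stream.extend(block)
        counter += 1
    return bytes(p ^ k for p, k in zip(plaintext, stream))


def keystream_from_known_plaintext(known_plaintext: bytes, ciphertext: bytes) -> bytes:
    """The reviewer's test: with one known message and its captured
    ciphertext, XOR cancels the plaintext and exposes the key material used."""
    return bytes(p ^ c for p, c in zip(known_plaintext, ciphertext))


def apply_keystream(keystream: bytes, ciphertext: bytes) -> bytes:
    """Apply the recovered key material to a different captured message."""
    return bytes(c ^ k for c, k in zip(ciphertext, keystream))


def known_plaintext_test() -> dict:
    """Run the reviewer's test against both schemes and report whether the
    second, unknown message was recovered in each case."""
    # Toy scheme: the same key bytes protect every message.
    toy_ct_known = toy_proprietary_encrypt(CHANNEL_KEY, KNOWN_MESSAGE)
    toy_ct_secret = toy_proprietary_encrypt(CHANNEL_KEY, SECRET_MESSAGE)
    toy_stream = keystream_from_known_plaintext(KNOWN_MESSAGE, toy_ct_known)
    toy_guess = apply_keystream(toy_stream, toy_ct_secret)

    # Keyed scheme: a different nonce, hence a different keystream, per message.
    keyed_ct_known = keyed_stream_encrypt(CHANNEL_KEY, NONCE_1, KNOWN_MESSAGE)
    keyed_ct_secret = keyed_stream_encrypt(CHANNEL_KEY, NONCE_2, SECRET_MESSAGE)
    keyed_stream = keystream_from_known_plaintext(KNOWN_MESSAGE, keyed_ct_known)
    keyed_guess = apply_keystream(keyed_stream, keyed_ct_secret)

    return {
        "toy_recovered_secret_message": toy_guess == SECRET_MESSAGE,
        "keyed_recovered_secret_message": keyed_guess == SECRET_MESSAGE,
        # The legitimate receiver, holding key and nonce, still decrypts fine.
        "keyed_roundtrip_ok": keyed_stream_encrypt(CHANNEL_KEY, NONCE_2, keyed_ct_secret) == SECRET_MESSAGE,
    }


if __name__ == "__main__":
    for name, outcome in known_plaintext_test().items():
        print(f"{name}: {outcome}")
```

The point the two results make together is the one the thread circles around: a design that is merely unpublished gives a reviewer no way to rule out a flaw like the toy scheme's, so the reviewer applies the cheapest test available and, if the design fails it, rejects the product; a published, vetted construction has already survived that scrutiny, which is what "AES and SHA-2" signalled to the security groups Roger describes.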
tczielke
Posted: Sat Jul 04, 2015 5:42 am    Post subject:
Guardian; Joined: 08 Jul 2010; Posts: 941; Location: Illinois, USA
Thanks all for the information.
Roger - That is an interesting story that probably helps show why IBM went with the industry accepted encryption protocols for channel encryption.
I find the security part of the IT world very "interesting", to say the least . . .

Working with MQ since 2010.