linoma cryptocomplete
TRANSCRIPT
© 2008, Linoma Software. All rights reserved.
CRYPTO COMPLETE – Overview
- Establish policy settings on how Symmetric Keys can be created and utilized
- Automated encryption of database fields within System i database files
- Integrated Symmetric Key Management
- Rotation of encryption keys without having to re-encrypt existing data
- Encryption of small database fields without requiring field expansion
- Encryption of both alphanumeric and numeric database fields
CRYPTO Main Menu
Select one of the following:
1. Key Policy and Security Menu (GO CRYPTO1)
2. Master Key Menu (GO CRYPTO2)
3. Symmetric Key Menu (GO CRYPTO3)
4. Field Encryption Menu (GO CRYPTO4)
5. Library/Object/File Encryption Menu (GO CRYPTO5)
6. Source Examples Menu (GO CRYPTO6)
10. Product Information Menu (GO CRYPTO10)
Selection or command
===>
F3=Exit  F4=Prompt  F9=Retrieve  F12=Cancel
F13=Information Assistant  F16=AS/400 main menu
CRYPTO COMPLETE – Overview continued
- Strong encryption with key lengths up to 256 bits
- Compliance with the Advanced Encryption Standard (AES) and Triple Data Encryption Standard (TDES)
- Intuitive i5/OS menus and commands with on-line help text
- Program calls and ILE procedures (APIs) for decrypting data within native applications
- Stored procedures and SQL functions for decrypting data through SQL
- Comprehensive audit trails and reporting
- Backup Encryption for Libraries, Objects and Files
- Support for multiple environments
Quote from Brad Snapp, City of Owensboro
"We have found Crypto Complete to be very easy to use. In about an hour, we had our first field encrypted! Crypto Complete gives us the option to automatically encrypt data, which eliminates the need for us to make software changes for encryption."
CRYPTO COMPLETE - Key Management Features
- Establish policy settings on how Symmetric Keys can be created and utilized
- Indicate which users can create and manage Symmetric Keys
- Randomly generate strong Symmetric Keys
- Protect Symmetric Keys using Master Encryption Keys
- Organize Symmetric Keys into one or more Key Stores
- Restrict access to Key Stores using i5/OS object authority
- Restrict the retrieval of the actual Symmetric Key values
- Provide separation of duties (i.e. the creator of a Symmetric Key can be restricted from using the Key to encrypt and/or decrypt data)
- Control which users can utilize Symmetric Keys to encrypt and decrypt data
CRYPTO COMPLETE - Key Hierarchy
PEK – Product Encryption Key
  Quantity: 1
  Used for protecting Master Encryption Keys (MEKs)
  Unique per iSeries serial number
  Only generated in memory when needed (never stored)
MEK – Master Encryption Keys
  Quantity: 1-8
  Used for protecting Data Encryption Keys (DEKs)
  Generated based on 1-8 passphrases
  Stored in validation list (*VLDL) object CRVL001
DEK – Data Encryption Keys
  Quantity: Unlimited
  Used for protecting (encrypting) data
  Can be created 3 ways: 1) Random, 2) Generated based on passphrase, 3) Manually entered
  DEKs are held in Key Stores
  Key Stores are IBM Validation List (*VLDL) objects
CRYPTO COMPLETE – Key Policy
Indicate the global settings
Criteria for MEK (Master Encryption Keys)
Criteria for DEK (Data Encryption Keys)
Change Key Policy (CHGKEYPCY)
Type choices, press Enter.
MEK number of passphrase parts . 2           1-8
MEK each part by unique user . . *YES        *NO, *YES
DEK default key store name . . . *NONE       Name, *NONE
  Library . . . . . . . . . . .              Name
DEK can be randomly generated  . *YES        *NO, *YES
DEK can be passphrase based  . . *NO         *NO, *YES
DEK can be manually entered  . . *NO         *NO, *YES
DEK values can be retrieved  . . *NO         *NO, *YES
DEK encrypt usage by owner . . . *YES        *NO, *YES
DEK decrypt usage by owner . . . *NO         *NO, *YES
DEK can be deleted . . . . . . . *NO         *NO, *YES
CRYPTO COMPLETE – Key Officers
Indicate which Users are authorized to perform Key Management
Can exclude QSECOFR and users with *SECADM or *ALLOBJ authorities
24/6/07                     Work with Key Officers                QSECOFR
21:03:44                                                          CRRM002
Type options, press Enter.
  2=Change   4=Remove   5=Display

                Maintain   Load    Set/Clear  Maintain    Maintain  Maintain
Opt  User       Officers   MEKs    MEKs       Key Stores  DEKs      Field Reg
__   BILL       *NO        *YES    *NO        *NO         *YES      *NO
__   JACK       *NO        *YES    *NO        *NO         *YES      *YES
__   MARY       *YES       *YES    *YES       *YES        *YES      *YES
__   QSECOFR    *NO        *NO     *NO        *NO         *NO       *NO
CRYPTO COMPLETE – Master Encryption Keys (MEK)
Load the MEK with the passphrases (quantity of passphrases is based on the policy)
Load Master Encryption Key (LODMSTKEY)
Type choices, press Enter.
MEK id number . . . . . . . . . 1                        1-8
MEK passphrase part . . . . . . 3                        1-8
Passphrase . . . . . . . . . . . PART 3 OF THE PASSPHRASE
Replace existing part . . . . . *NO                      *NO, *YES
Set (create) the MEK
Set Master Encryption Key (SETMSTKEY)
Type choices, press Enter.
MEK id number . . . . . . . . . 1                        1-8
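The MEK load sequence shown on these screens (the Key Policy's "number of passphrase parts" and "each part by unique user", LODMSTKEY with its "replace existing part" prompt, then SETMSTKEY once every part is in) modelled in Go as an added example. This is not Linoma's code and says nothing about how Crypto Complete really derives or stores its MEK: the MEKPolicy, MEKLoader, LoadPart and SetMEK names, the PBKDF2-HMAC-SHA256 derivation, the length-prefixed joining of the parts, the salt and the 100,000 iteration count are all assumptions of the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// MEKPolicy holds the two MEK settings from CHGKEYPCY (assumed names).
type MEKPolicy struct {
	Parts          int  // MEK number of passphrase parts, 1-8
	UniqueUserPart bool // MEK each part by unique user
}

type passPart struct{ user, phrase string }

// MEKLoader collects the passphrase parts for one MEK the way LODMSTKEY does;
// SetMEK then derives the key once every part is present.
type MEKLoader struct {
	Policy MEKPolicy
	parts  map[int]passPart
}

func NewMEKLoader(p MEKPolicy) (*MEKLoader, error) {
	if p.Parts < 1 || p.Parts > 8 {
		return nil, errors.New("number of passphrase parts must be 1-8")
	}
	return &MEKLoader{Policy: p, parts: map[int]passPart{}}, nil
}

// LoadPart records part n on behalf of user. It refuses a second part from
// the same user when the policy requires unique users, and refuses to
// overwrite an already loaded part unless replace is set.
func (l *MEKLoader) LoadPart(n int, user, phrase string, replace bool) error {
	if n < 1 || n > l.Policy.Parts {
		return fmt.Errorf("part %d is outside 1-%d", n, l.Policy.Parts)
	}
	if phrase == "" {
		return errors.New("passphrase part is empty")
	}
	if _, exists := l.parts[n]; exists && !replace {
		return fmt.Errorf("part %d is already loaded", n)
	}
	if l.Policy.UniqueUserPart {
		for i, p := range l.parts {
			if i != n && p.user == user {
				return fmt.Errorf("user %s already loaded part %d", user, i)
			}
		}
	}
	l.parts[n] = passPart{user, phrase}
	return nil
}

// pbkdf2Sha256 returns one 32-byte block of PBKDF2-HMAC-SHA256 (RFC 8018),
// written out so the example needs only the standard library.
func pbkdf2Sha256(password, salt []byte, iterations int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // block index 1
	u := mac.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

// SetMEK derives the 256-bit MEK from all parts in part-number order. Each
// part is length-prefixed so ("ab","c") and ("a","bc") differ, and the MEK id
// is mixed into the salt so MEK 1 and MEK 2 differ for the same parts.
func (l *MEKLoader) SetMEK(mekID int, salt []byte) ([]byte, error) {
	if len(l.parts) != l.Policy.Parts {
		return nil, fmt.Errorf("only %d of %d parts loaded", len(l.parts), l.Policy.Parts)
	}
	var material []byte
	for n := 1; n <= l.Policy.Parts; n++ {
		p := l.parts[n].phrase
		material = append(append(material, byte(len(p)>>24), byte(len(p)>>16), byte(len(p)>>8), byte(len(p))), p...)
	}
	salted := append([]byte(fmt.Sprintf("MEK%d:", mekID)), salt...)
	return pbkdf2Sha256(material, salted, 100000), nil
}
```

The point of the unique-user check is the one the Key Officers screen makes: no single officer holds a complete MEK in their head, so a leaked part on its own recovers nothing, and the loader fails closed until every part has been supplied.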
CRYPTO COMPLETE – Key Stores
Create the Key Store(s) needed
Create Key Store (CRTKEYSTR)
Type choices, press Enter
Key store name . . . . . . . . . PAYROLLDEK       Name
  Library . . . . . . . . . . . KEYSTRLIB        Name
MEK id number . . . . . . . . . 1                1-8
Description . . . . . . . . . . Key Store for Payroll Data Encryption Keys
Public authority . . . . . . . . *EXCLUDE         *EXCLUDE, *USE, *CHANGE, *ALL
Each Key Store is created as a secure Validation List (*VLDL) object
Contents are encrypted by the Master Encryption Key (MEK)
CRYPTO COMPLETE – Data Encryption Keys (DEK)
Create the DEK(s) needed into the Key Store
You can indicate settings for each DEK
Typically you will have a different DEK for each type of data to protect (SSNs, bank account numbers, credit card numbers, ...)
Create Symmetric Key (CRTSYMKEY)
Type choices, press Enter.
Key label . . . . . . . . . . . SSNKEY
Key store name . . . . . . . . . PAYROLLDEK       Name, *DEFAULT
  Library . . . . . . . . . . . KEYSTRLIB        Name
Encryption allowed with key . . *YES             *YES, *NO
Decryption allowed with key . . *YES             *YES, *NO
Log encryption usage . . . . . . *NO              *YES, *NO
Log decryption usage . . . . . . *YES             *YES, *NO
Key algorithm . . . . . . . . . *AES256          *AES256, *AES192, *AES128...
Key generation option . . . . . *RANDOM          *RANDOM, *PASS, *MANUAL
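What a key store holding wrapped DEKs looks like, as an added Go example that is not the product's code: CRTSYMKEY's *RANDOM generation option, the "Encryption allowed with key" and "Decryption allowed with key" rights, and the Key Policy setting "DEK values can be retrieved *NO". The KeyStore, KeyEntry, CreateSymmetricKey and Use names, the AES-GCM wrapping of the DEK under the MEK, and the binding of key label and field name as additional data are assumptions of the example, not a description of Crypto Complete's validation-list format. The MEK is taken as a ready 32-byte key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyEntry is one DEK record in a key store: the DEK is held only wrapped
// under the MEK, next to the usage rights chosen at CRTSYMKEY time.
type KeyEntry struct {
	Algorithm    string // *AES128, *AES192 or *AES256
	WrappedDEK   []byte // nonce || AES-GCM(MEK, DEK) with the label as AAD
	AllowEncrypt bool
	AllowDecrypt bool
}

// KeyStore stands in for the *VLDL object: entries are usable only by a
// caller who can present the MEK the store was created under.
type KeyStore struct {
	MEKID   int
	Entries map[string]KeyEntry
}

func NewKeyStore(mekID int) *KeyStore {
	return &KeyStore{MEKID: mekID, Entries: map[string]KeyEntry{}}
}

// seal and unseal are AES-GCM with a fresh random nonce prepended to the
// ciphertext; aad is authenticated but not encrypted.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

func unseal(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil || len(sealed) < g.NonceSize() {
		return nil, errors.New("bad ciphertext")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

// CreateSymmetricKey is the *RANDOM option: a fresh DEK is drawn from
// crypto/rand, wrapped under the MEK with the label as AAD (so entries cannot
// be swapped between labels) and stored. The plaintext DEK never leaves this
// function, matching "DEK values can be retrieved *NO".
func (ks *KeyStore) CreateSymmetricKey(mek []byte, label string, bits int, encOK, decOK bool) error {
	if bits != 128 && bits != 192 && bits != 256 {
		return errors.New("key algorithm must be *AES128, *AES192 or *AES256")
	}
	if _, dup := ks.Entries[label]; dup {
		return fmt.Errorf("key label %s already exists", label)
	}
	dek := make([]byte, bits/8)
	if _, err := rand.Read(dek); err != nil {
		return err
	}
	wrapped, err := seal(mek, dek, []byte(label))
	if err != nil {
		return err
	}
	ks.Entries[label] = KeyEntry{Algorithm: fmt.Sprintf("*AES%d", bits),
		WrappedDEK: wrapped, AllowEncrypt: encOK, AllowDecrypt: decOK}
	return nil
}

// Use unwraps the DEK under label for one operation after checking its usage
// rights (an encrypt-only key is the separation-of-duties case), then
// encrypts or decrypts data with it. The field name is bound as AAD so a
// ciphertext cannot be replayed into another field.
func (ks *KeyStore) Use(mek []byte, label, field string, decrypt bool, data []byte) ([]byte, error) {
	e, ok := ks.Entries[label]
	if !ok {
		return nil, fmt.Errorf("key label %s not found", label)
	}
	if (decrypt && !e.AllowDecrypt) || (!decrypt && !e.AllowEncrypt) {
		return nil, fmt.Errorf("operation not allowed with key %s", label)
	}
	dek, err := unseal(mek, e.WrappedDEK, []byte(label))
	if err != nil {
		return nil, errors.New("MEK does not unwrap this key")
	}
	if decrypt {
		return unseal(dek, data, []byte(field))
	}
	return seal(dek, data, []byte(field))
}
```

Because the usage rights live next to the wrapped key and are checked before the key is unwrapped, an application that can reach the store and the MEK still cannot decrypt with a key that was created encrypt-only, which is the separation of duties the Key Management slide describes.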
CRYPTO COMPLETE – Field Encryption
Specify fields to encrypt within the Field Encryption Registry
"Activate" will perform a mass encryption of the field values
16/7/07                Work with Field Encryption Registry              BLUEBBE
22:04:19                                                                CRRM040 D2
Type options, press Enter.
  2=Change   4=Remove   5=Display   7=Activate   8=Deactivate
  10=Change Key   12=Display Key History

Opt  Field identifier   Database field   Status
__   BANK_ACCOUNT       BANKNO           *ACTIVE
__   CREDIT_CARD        CCNO             *ACTIVE
__   BIRTH_DATE         BTHDATE          *INACTIVE
__   NI_NBR             NAT_INS          *PROCESS
F3=Exit  F5=Refresh  F6=Add  F11=View2  F12=Cancel
CRYPTO COMPLETE – Field Setup (screen 1 of 2)
Add Field Encryption Entry (ADDFLDENC)
Type choices, press Enter.
Field identifier . . . . . . . . CREDITCARD
Database field name . . . . . . CCNO
Database file name . . . . . . . ORDERS           Name
  Library . . . . . . . . . . . OEDATA           Name
Database field type . . . . . . *CHAR            *CHAR, *DEC
Database field length . . . . . 16               1-32624
Database field decimal pos . . . 0                0-15
Encryption key label . . . . . . CREDITCARDKEY
Encryption key store name . . . *DEFAULT         Name, *DEFAULT
  Library . . . . . . . . . . . *LIBL            Name, *LIBL
Decryption key label . . . . . . *ENCKEYLBL
Decryption key store name . . . *ENCKEYSTR       Name, *ENCKEYSTR, *DEFAULT
  Library . . . . . . . . . . . *LIBL            Name, *LIBL
Encryption algorithm . . . . . . *AES256          *AES256, *AES192, *AES128...
Algorithm mode . . . . . . . . . *ECB             *ECB, *CBC
Field mask . . . . . . . . . . . '************9999'
CRYPTO COMPLETE – Field Setup (screen 2 of 2)
Add Field Encryption Entry (ADDFLDENC)
Type choices, press Enter.
Store values in external file . *YES             *YES, *NO
External file name . . . . . . . *GEN             Name, *GEN
  Library . . . . . . . . . . . *DBLIB           Name, *DBLIB
External logical file . . . . . *GEN             Name, *GEN, *NONE
  Library . . . . . . . . . . . *DBLIB           Name, *DBLIB
Store hash for security check . *YES             *YES, *NO
Store last retrieved user/time   *YES             *YES, *NO
Index number alignment . . . . . *LEFT            *LEFT, *RIGHT
Index number padding character   ' '              Character value
Use triggers to auto encrypt . . *YES             *YES, *NO
Trigger name for inserts . . . . *GEN
  Library . . . . . . . . . . . *DBLIB           Name, *DBLIB
Trigger name for updates . . . . *GEN
  Library . . . . . . . . . . . *DBLIB           Name, *DBLIB
Trigger name for deletes . . . . *GEN
  Library . . . . . . . . . . . *DBLIB           Name, *DBLIB
CRYPTO COMPLETE – Customer Example
21/7/08                    Work with Customers                     BLUEBBE
11:11:05                                                           CDRP001 D2
Type options, press Enter.
  2=Change   4=Delete   5=Display Decrypted

Opt  Id      Name            Credit Card     SSN     Bank#       Limit
__   000001  Linoma §7 Rø§N 1******** 1.00
__   000004  ON-LINE RETAIL 1 2.00
__   000005  TEST C æ×Í Û¿ï D *à 2******** 3.00
__   000007  XYZ CO 4.00
__   000088  SILVER 3******** 5.00
__   000089  MJ PHOTO êeé/ÀxRª a4Ï K¸ 2
__   837263  ZZ STORE æ×Í Û¿ï D *à 6******** 5
F3=Exit  F5=Refresh  F6=Add  F11=View2  F12=Cancel
CRYPTO COMPLETE – Customer Example
21/7/08                    Work with Customers                     BLUEBBE
11:11:05                                                           CDRP001 D2
Customer number . . . . . . . :  837263
Name . . . . . . . . . . . . :  ZZ STORE
Credit card . . . . . . . . . :  ************7632
NI number . . . . . . . . . . :  508-37-9922
Bank account number . . . . . :  8720376
Credit limit . . . . . . . . :
F3=Exit  F5=Refresh  F6=Add  F11=View2  F12=Cancel
CRYPTO COMPLETE – External Storage of Encrypted Values
Data can be stored in external file (created by Crypto Complete)
Allows encrypting numeric fields and small alpha fields
External file layout:
Field                   Example Value                 Optional
Field Identifier        Credit Card
Index Number / Key ID   2
Last updated by User    Bill
Last updated time       10-07-2007-18.09.39.375000
Last retrieved by User  Mary                          Yes
Last retrieved time     15-07-2007-01.22.32.567000    Yes
Record Hash             …………………………                    Yes
Encrypted Value         …………………………
For the above example, the original database field will contain the index number 7
Allows rotating keys at any time without having to re-encrypt data
CRYPTO COMPLETE – Retrieve encrypted value
Pass in field identifier and index number
Get back the decrypted value (if authorised)
Example of calling ILE procedure to retrieve decrypted value
GetEncFld('Credit_card'
          :IndexNumber
          :LogCmt
          :CreditCardValue
          :MsgId
          :MsgText);
APIs that can be called with a traditional CALL statement are also included
SQL functions and Stored Procedures are also available:
SELECT CustNo,
       F_GetEncFld('Credit_Card', CreditCard) AS decrypted_credit_card
FROM OrderFile
WHERE CustId = 12345
CRYPTO COMPLETE – Backup Encryption
Encrypted Backups
- Encrypts and saves iSeries libraries, objects and files
- Target to disk, tape and other supported media devices
- Choose between AES128, AES192 and AES256 encryption
- Supports key-based and password-based protection
- Can be integrated into BRMS
- Native i5/OS commands:
  Encrypt Library (ENCLIB)
  Decrypt Library (DECLIB)
  Encrypt Object (ENCOBJ)
  Decrypt Object (DECOBJ)
  Encrypt Save File (ENCSAVF)
  Decrypt Save File (DECSAVF)
  Encrypt File (ENCFIL)
  Decrypt File (DECFIL)
CRYPTO COMPLETE - Example Commands
/* Save Payroll Library */
ENCLIB LIB(PAYROLL) DEV(TAP01) VOL(*MOUNTED) +
       SEQNBR(*END) ALGORITHM(*AES256) USEKEYPAS(*KEY) +
       KEYLABEL(BACKUPKEY) KEYSTR(KEYSTORES/BACKUPSTR)

/* Save Order Files */
ENCOBJ OBJ(ORDERHDR ORDERDTL) LIB(OELIB) +
       OBJTYPE(*FILE) DEV(TAP01) VOL(*MOUNTED) +
       ALGORITHM(*AES256) USEKEYPAS(*KEY) +
       KEYLABEL(BACKUPKEY) KEYSTR(KEYSTORES/BACKUPSTR)

/* Restore Payroll Library */
DECLIB SAVLIB(PAYROLL) DEV(TAP01) VOL(*MOUNTED) +
       USEKEYPAS(*KEY) KEYLABEL(*AUTO)

/* Restore Order Files */
DECOBJ OBJ(ORDERHDR ORDERDTL) SAVLIB(OELIB) +
       OBJTYPE(*FILE) DEV(TAP01) VOL(*MOUNTED) +
       USEKEYPAS(*KEY) KEYLABEL(*AUTO)
CRYPTO COMPLETE – Audit Trails
Comprehensive audit trails
Stored in secure IBM Journal
Types of activity audited:
- When any Key Policy settings are changed
- When Key Officers are added, changed or removed
- When Master Encryption Keys (MEKs) are loaded or set
- When Key Stores are created or translated
- When Data Encryption Keys (DEKs) are created, changed or deleted
- When Field Encryption Registry entries are added, changed, removed, activated or deactivated
- When any functions are denied due to improper authority
- When data is encrypted or decrypted with a key that requires logging of those events
- When data cannot be encrypted or decrypted due to errors (i.e. invalid key label specified)
Generate reports based on:
- User
- Date range
- Audit type
CRYPTO COMPLETE – Summary
Free 30 day trial available for download
Installs as a licensed program – Uses only 75 Mb of disk
Most customers can install and start encrypting data in less than a couple of hours
Comprehensive easy-to-read manual
On-line help text
Evaluate with test data in your own environment
"There are not a lot of software products that impress me, but I have to say that I really like the way Crypto Complete works. It was easy to implement and allowed us to meet all the requirements for securing our data to get PCI compliant."
Tommy Sellers, Love’s Travel Stops and Country Stores
To get your free trial of CryptoComplete™ go to:
www.sas-it.eu
Costs are available at:
or ++44 (0) 1525 229308
Software, Applications & Solutions Ltd
Rowan House
Church Lane
Eaton Bray LU6 2DJ