Linoma CryptoComplete

22 slides

© 2008, Linoma Software. All rights reserved.

Uploaded by stuart-marsh, 08-Jun-2015

TRANSCRIPT

Page 1: Linoma CryptoComplete

Page 2: Linoma CryptoComplete

CRYPTO COMPLETE – Overview

- Establish policy settings on how Symmetric Keys can be created and utilized
- Automated encryption of database fields within System i database files
- Integrated Symmetric Key Management
- Rotation of encryption keys without having to re-encrypt existing data
- Encryption of small database fields without requiring field expansion
- Encryption of both alphanumeric and numeric database fields

CRYPTO Main Menu

Select one of the following:

     1. Key Policy and Security Menu          (GO CRYPTO1)
     2. Master Key Menu                       (GO CRYPTO2)
     3. Symmetric Key Menu                    (GO CRYPTO3)
     4. Field Encryption Menu                 (GO CRYPTO4)
     5. Library/Object/File Encryption Menu   (GO CRYPTO5)
     6. Source Examples Menu                  (GO CRYPTO6)
    10. Product Information Menu              (GO CRYPTO10)

Selection or command
===> ___________________________________________________________________

F3=Exit   F4=Prompt   F9=Retrieve   F12=Cancel
F13=Information Assistant   F16=AS/400 main menu

Page 3: Linoma CryptoComplete


CRYPTO COMPLETE – Overview continued

- Strong encryption with key lengths up to 256 bits
- Compliance with the Advanced Encryption Standard (AES) and the Triple Data Encryption Standard (TDES)
- Intuitive i5/OS menus and commands with on-line help text
- Program calls and ILE procedures (APIs) for decrypting data within native applications
- Stored procedures and SQL functions for decrypting data through SQL
- Comprehensive audit trails and reporting
- Backup Encryption for Libraries, Objects and Files
- Support for multiple environments

Quote from Brad Snapp, City of Owensboro:

"We have found Crypto Complete to be very easy to use. In about an hour, we had our first field encrypted! Crypto Complete gives us the option to automatically encrypt data, which eliminates the need for us to make software changes for encryption."

Page 4: Linoma CryptoComplete


CRYPTO COMPLETE - Key Management Features

- Establish policy settings on how Symmetric Keys can be created and utilized
- Indicate which users can create and manage Symmetric Keys
- Randomly generate strong Symmetric Keys
- Protect Symmetric Keys using Master Encryption Keys
- Organize Symmetric Keys into one or more Key Stores
- Restrict access to Key Stores using i5/OS object authority
- Restrict the retrieval of the actual Symmetric Key values
- Provide separation of duties (i.e. the creator of a Symmetric Key can be restricted from using the Key to encrypt and/or decrypt data)
- Control which users can utilize Symmetric Keys to encrypt and decrypt data

Page 5: Linoma CryptoComplete


CRYPTO COMPLETE - Key Hierarchy

PEK – Product Encryption Key
  Quantity: 1
  Used for protecting Master Encryption Keys (MEKs)
  Unique per iSeries serial number
  Only generated in memory when needed (never stored)

MEK – Master Encryption Keys
  Quantity: 1-8
  Used for protecting Data Encryption Keys (DEKs)
  Generated based on 1-8 passphrases
  Stored in validation list (*VLDL) object CRVL001

DEK – Data Encryption Keys
  Quantity: Unlimited
  Used for protecting (encrypting) data
  Can be created 3 ways: 1) Random  2) Generated based on passphrase  3) Manually entered
  DEKs are held in Key Stores
  Key Stores are IBM Validation List (*VLDL) objects

Each layer protects the one below it: a copied key store yields only DEKs encrypted under an M EK, and the stored MEKs are themselves protected by a PEK tied to the machine's serial number. The MEK passphrases are therefore what has to be kept (and kept split between people) to rebuild the MEKs and recover the key stores on a different machine.

Page 6: Linoma CryptoComplete


CRYPTO COMPLETE – Key Policy

Indicate the global settings:
- Criteria for MEK (Master Encryption Keys)
- Criteria for DEK (Data Encryption Keys)

Change Key Policy (CHGKEYPCY)

Type choices, press Enter.

MEK number of passphrase parts   2            1-8
MEK each part by unique user . . *YES         *NO, *YES
DEK default key store name . . . *NONE        Name, *NONE
  Library . . . . . . . . . . .  __________   Name
DEK can be randomly generated .  *YES         *NO, *YES
DEK can be passphrase based . .  *NO          *NO, *YES
DEK can be manually entered . .  *NO          *NO, *YES
DEK values can be retrieved . .  *NO          *NO, *YES
DEK encrypt usage by owner . . . *YES         *NO, *YES
DEK decrypt usage by owner . . . *NO          *NO, *YES
DEK can be deleted . . . . . . . *NO          *NO, *YES

The values shown enforce split knowledge of the MEK (two parts, each loaded by a different user), allow only randomly generated DEKs, prevent DEK values from ever being read back out of a key store, stop the owner of a DEK from decrypting with it (the separation of duties from the previous page), and prevent DEKs from being deleted while data encrypted under them may still exist.

Page 7: Linoma CryptoComplete


CRYPTO COMPLETE – Key Officers

Indicate which Users are authorized to perform Key Management. QSECOFR and users with *SECADM or *ALLOBJ special authority can be excluded from the Key Officer functions (as QSECOFR is below). This governs the product's key-management commands, not i5/OS object authority: a user with *ALLOBJ can still reach the key store objects themselves, which is why their contents are encrypted under the MEK. In the example, BILL and JACK can each load an MEK passphrase part but only MARY can set the MEK.

24/6/07                     Work with Key Officers                   QSECOFR
21:03:44                                                             CRRM002

Type options, press Enter.
  2=Change   4=Remove   5=Display

                Maintain   Load    Set/Clear   Maintain     Maintain   Maintain
Opt  User       Officers   MEKs    MEKs        Key Stores   DEKs       Field Reg
__   BILL       *NO        *YES    *NO         *NO          *YES       *NO
__   JACK       *NO        *YES    *NO         *NO          *YES       *YES
__   MARY       *YES       *YES    *YES        *YES         *YES       *YES
__   QSECOFR    *NO        *NO     *NO         *NO          *NO        *NO

Page 8: Linoma CryptoComplete


CRYPTO COMPLETE – Master Encryption Keys (MEK)

Load the MEK with the passphrases (the number of passphrase parts is set by the Key Policy). Each part is loaded separately, by a different Key Officer when the policy requires it:

Load Master Encryption Key (LODMSTKEY)

Type choices, press Enter.

MEK id number . . . . . . . . . 1                            1-8
MEK passphrase part . . . . . . 3                            1-8
Passphrase . . . . . . . . . . . PART 3 OF THE PASSPHRASE
Replace existing part . . . . . *NO                          *NO, *YES

Set (create) the MEK once all parts have been loaded:

Set Master Encryption Key (SETMSTKEY)

Type choices, press Enter.

MEK id number . . . . . . . . . 1                            1-8

Page 9: Linoma CryptoComplete


CRYPTO COMPLETE – Key Stores

Create the Key Store(s) needed:

Create Key Store (CRTKEYSTR)

Type choices, press Enter.

Key store name . . . . . . . . . PAYROLLDEK   Name
  Library . . . . . . . . . . .  KEYSTRLIB    Name
MEK id number . . . . . . . . .  1            1-8
Description . . . . . . . . . .  Key Store for Payroll Data Encryption Keys
Public authority . . . . . . . . *EXCLUDE     *EXCLUDE, *USE, *CHANGE, *ALL

Each Key Store is created as a secure Validation List (*VLDL) object. Its contents are encrypted by the Master Encryption Key (MEK) named by the MEK id number, and Public authority *EXCLUDE keeps the object itself out of reach of ordinary users.

Page 10: Linoma CryptoComplete


CRYPTO COMPLETE – Data Encryption Keys (DEK)

Create the DEK(s) needed into the Key Store. You can indicate settings for each DEK. Typically there will be a different DEK for each type of data to protect (SSNs, bank account numbers, credit card numbers…).

Create Symmetric Key (CRTSYMKEY)

Type choices, press Enter.

Key label . . . . . . . . . . . SSNKEY       ____________
Key store name . . . . . . . . . PAYROLLDEK   Name, *DEFAULT
  Library . . . . . . . . . . .  KEYSTRLIB    Name
Encryption allowed with key . .  *YES         *YES, *NO
Decryption allowed with key . .  *YES         *YES, *NO
Log encryption usage . . . . . . *NO          *YES, *NO
Log decryption usage . . . . . . *YES         *YES, *NO
Key algorithm . . . . . . . . .  *AES256      *AES256, *AES192, *AES128...
Key generation option . . . . .  *RANDOM      *RANDOM, *PASS, *MANUAL

A *PASS (passphrase-based) or *MANUAL key is only as strong as what a person typed; the Key Policy shown earlier disallows both, so only *RANDOM is accepted. Decryption is the operation that exposes data, which is why the example logs decrypt usage but not encrypt usage.

Page 11: Linoma CryptoComplete


CRYPTO COMPLETE – Field Encryption

Specify the fields to encrypt within the Field Encryption Registry. "Activate" (option 7) performs a mass encryption of the existing field values.

16/7/07                Work with Field Encryption Registry           BLUEBBE
22:04:19                                                             CRRM040 D2

Type options, press Enter.
  2=Change   4=Remove   5=Display   7=Activate   8=Deactivate
  10=Change Key   12=Display Key History

Opt   Field identifier   Database field   Status
__    BANK_ACCOUNT       BANKNO           *ACTIVE
__    CREDIT_CARD        CCNO             *ACTIVE
__    BIRTH_DATE         BTHDATE          *INACTIVE
__    NI_NBR             NAT_INS          *PROCESS

F3=Exit   F5=Refresh   F6=Add   F11=View2   F12=Cancel

Page 12: Linoma CryptoComplete


CRYPTO COMPLETE – Field Setup (screen 1 of 2)

Add Field Encryption Entry (ADDFLDENC)

Type choices, press Enter.

Field identifier . . . . . . . . CREDITCARD     ____________
Database field name . . . . . .  CCNO
Database file name . . . . . . . ORDERS         Name
  Library . . . . . . . . . . .  OEDATA         Name
Database field type . . . . . .  *CHAR          *CHAR, *DEC
Database field length . . . . .  16             1-32624
Database field decimal pos . . . 0              0-15
Encryption key label . . . . . . CREDITCARDKEY
Encryption key store name . . .  *DEFAULT       Name, *DEFAULT
  Library . . . . . . . . . . .  *LIBL          Name, *LIBL
Decryption key label . . . . . . *ENCKEYLBL
Decryption key store name . . .  *ENCKEYSTR     Name, *ENCKEYSTR, *DEFAULT
  Library . . . . . . . . . . .  *LIBL          Name, *LIBL
Encryption algorithm . . . . . . *AES256        *AES256, *AES192, *AES128...
Algorithm mode . . . . . . . . . *ECB           *ECB, *CBC
Field mask . . . . . . . . . . . '************9999'

Separate encryption and decryption key labels allow a program to be authorized to encrypt a field without being able to decrypt it. Algorithm mode *ECB uses no IV, so the same card number always encrypts to the same bytes: that is what lets a 16-character value be encrypted in place, but it also means equal values stay recognizable as equal in the encrypted column. *CBC avoids that only when each value gets its own IV, and a 16-character field holding a 16-byte ciphertext has no room for one, so the IV has to be stored elsewhere. The field mask determines how the value is presented when it is displayed masked; with '************9999' only the last four digits are shown.

Page 13: Linoma CryptoComplete


CRYPTO COMPLETE – Field Setup (screen 2 of 2)

Add Field Encryption Entry (ADDFLDENC)

Type choices, press Enter.

Store values in external file .  *YES      *YES, *NO
External file name . . . . . . . *GEN      Name, *GEN
  Library . . . . . . . . . . .  *DBLIB    Name, *DBLIB
External logical file . . . . .  *GEN      Name, *GEN, *NONE
  Library . . . . . . . . . . .  *DBLIB    Name, *DBLIB
Store hash for security check .  *YES      *YES, *NO
Store last retrieved user/time   *YES      *YES, *NO
Index number alignment . . . . . *LEFT     *LEFT, *RIGHT
Index number padding character   ' '       Character value
Use triggers to auto encrypt . . *YES      *YES, *NO
Trigger name for inserts . . . . *GEN
  Library . . . . . . . . . . .  *DBLIB    Name, *DBLIB
Trigger name for updates . . . . *GEN
  Library . . . . . . . . . . .  *DBLIB    Name, *DBLIB
Trigger name for deletes . . . . *GEN
  Library . . . . . . . . . . .  *DBLIB    Name, *DBLIB

With "Use triggers to auto encrypt" set to *YES, inserts, updates and deletes on the database file are intercepted by generated triggers, so the application itself does not have to be changed to keep new values encrypted.
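To see what the Algorithm mode choice on screen 1 means for a fixed-width field such as the 16-character card number, here is an added Go example; it is not code from the slides or from Linoma. It encrypts the same card number twice in ECB and twice in CBC with a random IV, and applies the screen's Field mask to a decrypted value. The key, the card numbers and the reading of the mask characters ('9' reveals the plaintext digit, any other mask character is shown in its place) are assumptions constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// EncryptECB is the *ECB algorithm mode: each 16-byte block is encrypted on its
// own with no IV, so the same value under the same key always gives the same
// bytes. That is what allows a 16-character field to be encrypted in place.
func EncryptECB(key, value []byte) []byte {
	blk, err := aes.NewCipher(key)
	if err != nil || len(value)%aes.BlockSize != 0 {
		panic("need a valid AES key and a block-aligned value")
	}
	out := make([]byte, len(value))
	for i := 0; i < len(value); i += aes.BlockSize {
		blk.Encrypt(out[i:], value[i:])
	}
	return out
}

// EncryptCBC is the *CBC mode with a fresh random IV prefixed to the output:
// equal values no longer look equal, but 16 extra bytes must be stored per
// value, which the original 16-character column has no room for.
func EncryptCBC(key, value []byte) []byte {
	blk, err := aes.NewCipher(key)
	if err != nil || len(value)%aes.BlockSize != 0 {
		panic("need a valid AES key and a block-aligned value")
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		panic(err)
	}
	out := make([]byte, len(value))
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(out, value)
	return append(iv, out...)
}

// ApplyMask renders a decrypted value through a Field mask such as
// '************9999': a '9' in the mask shows the plaintext character at that
// position, any other mask character is shown in place of it (assumed reading).
func ApplyMask(value, mask string) string {
	out := []rune(value)
	m := []rune(mask)
	for i := range out {
		if i < len(m) && m[i] != '9' {
			out[i] = m[i]
		}
	}
	return string(out)
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed AES-256 key
	pan := []byte("4111111111117632")     // constructed 16-character card number
	fmt.Println("ECB, same value twice, same bytes:", bytes.Equal(EncryptECB(key, pan), EncryptECB(key, pan)))
	fmt.Println("CBC, same value twice, same bytes:", bytes.Equal(EncryptCBC(key, pan), EncryptCBC(key, pan)))
	fmt.Println("masked:", ApplyMask(string(pan), "************9999"))
}
```

The ECB result is exactly what a listing of the encrypted column shows: two customers holding the same card number display the same ciphertext. CBC only helps if every value gets its own IV; CBC with one fixed IV for the whole field would make the first block deterministic again. The mask output for the constructed card number, ************7632, matches the form of the decrypted display on the customer example slides.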

Page 14: Linoma CryptoComplete


CRYPTO COMPLETE – Customer Example

21/7/08                      Work with Customers                     BLUEBBE
11:11:05                                                             CDRP001 D2

Type options, press Enter.
  2=Change   4=Delete   5=Display Decrypted

Opt   Id       Name             Credit Card         SSN          Bank#   Limit
__    000001   Linoma           §7 Rø§N             1********            1.00
__    000004   ON-LINE RETAIL                       1                    2.00
__    000005   TEST C           æ×Í Û¿ï D *à        2********            3.00
__    000007   XYZ CO                                                    4.00
__    000088   SILVER                               3********            5.00
__    000089   MJ PHOTO         êeé/ÀxRª a4Ï K¸                          2
__    837263   ZZ STORE         æ×Í Û¿ï D *à        6********            5

F3=Exit   F5=Refresh   F6=Add   F11=View2   F12=Cancel

The Credit Card column shows the raw encrypted bytes as the display renders them; customers 000005 and 837263 show identical bytes, which is how a deterministic mode such as *ECB behaves when two records hold the same value. The SSN column is shown masked.

Page 15: Linoma CryptoComplete


CRYPTO COMPLETE – Customer Example

21/7/08                      Work with Customers                     BLUEBBE
11:11:05                                                             CDRP001 D2

Customer number . . . . . . . :   837263
Name . . . . . . . . . . . . :   ZZ STORE
Credit card . . . . . . . . . :   ************7632
NI number . . . . . . . . . . :   508-37-9922
Bank account number . . . . . :   8720376
Credit limit . . . . . . . . :

F3=Exit   F5=Refresh   F6=Add   F11=View2   F12=Cancel

Option 5 (Display Decrypted) for customer 837263: the credit card is returned through the field mask '************9999', so only the last four digits are revealed, while the other protected fields are shown in full.

Page 16: Linoma CryptoComplete


CRYPTO COMPLETE – External Storage of Encrypted Values

Data can be stored in an external file (created by Crypto Complete). This allows encrypting numeric fields and small alpha fields, because the original column only has to hold an index number rather than the ciphertext.

External file layout:

Field                    Example Value                  Optional
Field Identifier         Credit Card
Index Number             7
Key ID                   2
Last updated by User     Bill
Last updated time        10-07-2007-18.09.39.375000
Last retrieved by User   Mary                           Yes
Last retrieved time      15-07-2007-01.22.32.567000     Yes
Record Hash              …                              Yes
Encrypted Value          …

For the above example, the original database field will contain the index number 7.

Because every external record carries the ID of the key that encrypted it, keys can be rotated at any time without having to re-encrypt existing data: new values are written under the new key, and old records are still decrypted with the key named in their own record.
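The key hierarchy (Page 5), the MEK load/set and key store steps (Pages 8 to 10) and the external-file layout above fit together as in the following Go program, written for this page as an added example; it is not Crypto Complete code and does not reproduce the product's formats. AES-256-GCM stands in for the product's AES modes, SHA-256 over the passphrase parts stands in for its MEK derivation (which the slides do not describe), the GCM additional data plays the role of the record hash by binding each row to its field identifier, index number and key ID, and the key labels CCKEY2007/CCKEY2008, the field identifier CREDIT_CARD and the card numbers are constructed. It goes slightly beyond the slides in also showing what happens when an index number is presented with the wrong field identifier or a field is pointed at a key label that does not exist.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// seal is AES-256-GCM with a fresh nonce prefixed; aad binds the blob to its context.
func seal(key, pt, aad []byte) []byte {
	blk, _ := aes.NewCipher(key) // keys are always 32 bytes here
	g, _ := cipher.NewGCM(blk)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return g.Seal(nonce, nonce, pt, aad)
}

func unseal(key, blob, aad []byte) ([]byte, error) {
	blk, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(blk)
	if len(blob) < g.NonceSize() {
		return nil, errors.New("missing or truncated ciphertext")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

// ExtRecord is one external-file row; the application's column holds only the index number.
type ExtRecord struct{ FieldID, KeyLabel string; Value []byte }

type Vault struct {
	mek       []byte            // master key: in memory only, never stored
	wrapped   map[string][]byte // key store: label -> DEK sealed under the MEK
	activeKey map[string]string // field registry: field identifier -> key for new values
	ext       []ExtRecord       // external file; index number = position + 1
}

// NewVault stands in for LODMSTKEY + SETMSTKEY; SHA-256 over all parts is this example's assumed KDF.
func NewVault(parts ...string) *Vault {
	mek := sha256.Sum256([]byte(fmt.Sprintf("%q", parts)))
	return &Vault{mek: mek[:], wrapped: map[string][]byte{}, activeKey: map[string]string{}}
}

// CreateSymKey is CRTSYMKEY *RANDOM *AES256: the DEK is stored only wrapped under the MEK.
func (v *Vault) CreateSymKey(label string) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		panic(err)
	}
	v.wrapped[label] = seal(v.mek, dek, []byte(label))
}

// unwrap fails for an unknown label (nil blob) or a blob copied to another label (aad).
func (v *Vault) unwrap(label string) ([]byte, error) {
	return unseal(v.mek, v.wrapped[label], []byte(label))
}

// ChangeKey is option 10 on the registry screen: only values encrypted from now on use the new key.
func (v *Vault) ChangeKey(fieldID, label string) { v.activeKey[fieldID] = label }

// Encrypt stores one row and returns its index number; field, index and key ID in the aad play the record-hash role.
func (v *Vault) Encrypt(fieldID, value string) (int, error) {
	label := v.activeKey[fieldID]
	dek, err := v.unwrap(label)
	if err != nil {
		return 0, err
	}
	index := len(v.ext) + 1
	blob := seal(dek, []byte(value), []byte(fmt.Sprintf("%s|%d|%s", fieldID, index, label)))
	v.ext = append(v.ext, ExtRecord{fieldID, label, blob})
	return index, nil
}

// Decrypt is the GetEncFld call: the row's own key ID picks the DEK, so a key change never re-encrypts old rows.
func (v *Vault) Decrypt(fieldID string, index int) (string, error) {
	if index < 1 || index > len(v.ext) {
		return "", errors.New("no such index number")
	}
	rec := v.ext[index-1]
	dek, err := v.unwrap(rec.KeyLabel)
	if err != nil {
		return "", err
	}
	pt, err := unseal(dek, rec.Value, []byte(fmt.Sprintf("%s|%d|%s", fieldID, index, rec.KeyLabel)))
	return string(pt), err
}

func main() {
	v := NewVault("part one", "part two") // constructed passphrase parts
	v.CreateSymKey("CCKEY2007")
	v.ChangeKey("CREDIT_CARD", "CCKEY2007")
	old, _ := v.Encrypt("CREDIT_CARD", "4111111111117632") // constructed card number
	v.CreateSymKey("CCKEY2008")
	v.ChangeKey("CREDIT_CARD", "CCKEY2008") // rotate: the row written under CCKEY2007 is untouched
	fmt.Println(v.Decrypt("CREDIT_CARD", old))
}
```

Run as written, the program stores a card number under CCKEY2007, moves the CREDIT_CARD entry to CCKEY2008 and still decrypts the old row, because the row names its own key. Two consequences are worth checking on a real deployment of this design: key values must never be readable out of the key store (the policy setting "DEK values can be retrieved *NO"), and a key that has been rotated away must not be deleted while rows still reference it ("DEK can be deleted *NO"), since deleting it would make those rows unrecoverable.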

Page 17: Linoma CryptoComplete


CRYPTO COMPLETE – Retrieve encrypted value

Pass in the field identifier and the index number; get back the decrypted value (if authorised).

Example of calling the ILE procedure to retrieve the decrypted value (RPG IV free-form syntax):

GetEncFld('Credit_card'
         : IndexNumber
         : LogCmt
         : CreditCardValue
         : MsgId
         : MsgText);

APIs that can be called with a traditional CALL statement are also included.

SQL functions and Stored Procedures are also available:

SELECT CustNo,
       F_GetEncFld('Credit_Card', CreditCard) AS Decrypted_Credit_Card
  FROM OrderFile
 WHERE CustId = 12345

In both cases the caller never handles a key: it names the field and supplies the index number held in the row, and the product decides whether that user may decrypt with the field's key (the key's "Decryption allowed with key" setting and the users authorized to use it) and whether to log the access.

Page 18: Linoma CryptoComplete

CRYPTO COMPLETE – Backup Encryption

Encrypted Backups

- Encrypts and saves iSeries libraries, objects and files
- Target to disk, tape and other supported media devices
- Choose between AES128, AES192 and AES256 encryption
- Supports key-based and password-based protection
- Can be integrated into BRMS

Native i5/OS commands:
- Encrypt Library (ENCLIB) / Decrypt Library (DECLIB)
- Encrypt Object (ENCOBJ) / Decrypt Object (DECOBJ)
- Encrypt Save File (ENCSAVF) / Decrypt Save File (DECSAVF)
- Encrypt File (ENCFIL) / Decrypt File (DECFIL)

Page 19: Linoma CryptoComplete


CRYPTO COMPLETE - Example Commands

/* Save Payroll Library */
ENCLIB  LIB(PAYROLL) DEV(TAP01) VOL(*MOUNTED) +
        SEQNBR(*END) ALGORITHM(*AES256) USEKEYPAS(*KEY) +
        KEYLABEL(BACKUPKEY) KEYSTR(KEYSTORES/BACKUPSTR)

/* Save Order Files */
ENCOBJ  OBJ(ORDERHDR ORDERDTL) LIB(OELIB) +
        OBJTYPE(*FILE) DEV(TAP01) VOL(*MOUNTED) +
        ALGORITHM(*AES256) USEKEYPAS(*KEY) +
        KEYLABEL(BACKUPKEY) KEYSTR(KEYSTORES/BACKUPSTR)

/* Restore Payroll Library */
DECLIB  SAVLIB(PAYROLL) DEV(TAP01) VOL(*MOUNTED) +
        USEKEYPAS(*KEY) KEYLABEL(*AUTO)

/* Restore Order Files */
DECOBJ  OBJ(ORDERHDR ORDERDTL) SAVLIB(OELIB) +
        OBJTYPE(*FILE) DEV(TAP01) VOL(*MOUNTED) +
        USEKEYPAS(*KEY) KEYLABEL(*AUTO)

USEKEYPAS(*KEY) protects the backup with a DEK from a key store rather than with a password. On restore, KEYLABEL(*AUTO) selects the key from the information saved with the data, which means the key store holding BACKUPKEY, and the MEK that protects that key store, must be available on the system doing the restore; a tape alone is not enough to recover the data.

Page 20: Linoma CryptoComplete


CRYPTO COMPLETE – Audit Trails

Comprehensive audit trails, stored in a secure IBM journal.

Types of activity audited:
- When any Key Policy settings are changed
- When Key Officers are added, changed or removed
- When Master Encryption Keys (MEKs) are loaded or set
- When Key Stores are created or translated
- When Data Encryption Keys (DEKs) are created, changed or deleted
- When Field Encryption Registry entries are added, changed, removed, activated or deactivated
- When any functions are denied due to improper authority
- When data is encrypted or decrypted with a key that requires logging of those events
- When data cannot be encrypted or decrypted due to errors (e.g. an invalid key label specified)

Generate reports based on:
- User
- Date range
- Audit type

Page 21: Linoma CryptoComplete


CRYPTO COMPLETE – Summary

- Free 30 day trial available for download
- Installs as a licensed program – uses only 75 MB of disk
- Most customers can install and start encrypting data in less than a couple of hours
- Comprehensive easy-to-read manual
- On-line help text
- Evaluate with test data in your own environment

"There are not a lot of software products that impress me, but I have to say that I really like the way Crypto Complete works. It was easy to implement and allowed us to meet all the requirements for securing our data to get PCI compliant."

Tommy Sellers, Love's Travel Stops and Country Stores

Page 22: Linoma CryptoComplete

To get your free trial of CryptoComplete™ go to: www.sas-it.eu

Costs are available at: [email protected] or +44 (0) 1525 229308

Software, Applications & Solutions Ltd
Rowan House
Church Lane
Eaton Bray LU6 2DJ