• Aucun résultat trouvé

Data Encryption Keys

Dans le document Program Product (Page 81-85)

See Figure 13 on page 66 for a graphic representation of the input and output data sets involved in REPRO ENCIPHER/DECIPHER operations.

You should not build an alternate index over a VSAM

entry-sequenced data set that is the output of a REPRO ENCIPHER operation.

When a VSAM relative record data set is enciphered, the record size of the output data set must be at least 4 bytes greater than the record size of the relative record data set. (The extra 4 bytes are needed to prefix a relative record number to the output record.) You can specify the record size of an output VSAM entry-sequenced data set through the RECORDSIZE parameter of the DEFINE CLUSTER command. You can specify the record size of an output sequential (SAM) data set through the DCB LRECL parameter ~n the Qutput data set's DD st~tement- Wh~n

an enciphered VSAM relative record data set is subsequently deciphered with a relative record data set as the target, any empty slots in the original data set will be reestablished.

If you specify the REPLACE parameter of the REPRO command together with either the ENCIPHER or the DECIPHER parameter, access method services will ignore REPLACE, because the target VSAM data set must be empty and thus has no records to replace.

When you encipher a data set, you can specify any of the delimiter parameters available with the REPRO command (SKIP, COUNT, FROMADDRESS, FROMKEY, FROMNUMBER, TOADDRESS, TOKEY,

TONUMBER) that are appropriate to the data set being enciphered.

However, no delimiter parameter can be specified when a data set is deciphered. If DECIPHER is specified together with any REPRO delimiter parameter, your REPRO command terminates with a

message.

When the REPRO command copies and enciphers a data set, it places one or more records of clear header data preceding the enciphered data records. This header data consists of

information necessary for the deciphering of the enciphered data. Information a header may contain consists of:

• Number of header records

• Number of records to be ciphered as a unit

• Key verification data

• Enciphered data encrypting keys

This section is intended to give you an overview of key management used when enciphering or deciphering data via the REPRO command.

A "key" is defined as an a-byte value. When you use the

encipher/decipher function of the REPRO command, you may specify keys that the Programmed Cryptographic Facility or the

Cryptographic Unit Support generates and manages for you

(system-key management), or keys that you manually generate and privately manage (private-key management). In either case, REPRO invokes the appropriate Programmed Cryptographic Facility program product service.

For both private- and system-key management, REPRO allows you to supply an a-byte value to be used as the plaintext

data-encrypting key. If you do not supply the data encrypting key, REPRO provides an a-byte value to be used as the plaintext data-encrypting key. The plaintext data encrypting key is used to encipher/decipher the data using the Data Encryption

Standard.

INPUT ENCIPHER OUTPUT Source Data Set

(Plaintext) Any' data set REPRO can copy into (except ICF or VSAM catalogs):

-VSAM ESDS

KSDS Target Data Set

RRDS (Ciphertext)

-ISAM -SAM

REPRO VSAM ESDS

ENCIPHER or SAM

Target Data Set

(Empty)

I

I

VSAM ESDS

I

or SAM

I I

INPUT DECIPHER OUTPUT

Source Data Set (Ciphertext)

VSAM ESDS or SAM

Target Data Set (Plaintext)

VSAM Target Data Set

(Empty) REPRO ESDS

KSDS DECIPHER

Any data set RRDS

REPRO SAM

can copy into (except ICF or VSAM catalogs):

-VSAM ESDS KSDS RRDS SAM

Figure 13. REPRO Encipher/Decipher Operations

Secondary File Keys

If you want to supply your own plaintext data-encrypting key on ENCIPHER or DECIPHER through the REPRO command, there is a risk of exposing that key when the command is listed on SYSPRINT. To avoid this exposure, you may direct REPRO to a data-encrypting key data set to obtain the plaintext data encrypting key. You identify the DD statement for this data set through the

DATAKEYFILE parameter of the REPRO command. REPRO obtains the data-encrypting key from this data set by locating the first non blank column in the first record of the data set and processing 16 consecutive columns of data. These 16 columns contain the hexadecimal character representation for the 8-byte key. Each column of data must contain the EBCDIC character representation of a hexadecimal digit (that is, 0 through F).

If a blank column is found before 16 nonblank columns have been processed, the data key is padded to the right with EBCDIC

blanks. If the end of the first record is encountered before 16 columns have been processed, thQ data kQy is considQred invalid.

If a valid data-encrypting key cannot be obtained from the first record of the data-encrypting key data set, then REPRO either generates the data-encrypting key (ENCIPHER) or terminates with a message (DECIPHER).

If you allow (or force, by an invalid data-encrypting key data set record) REPRO to provide the data-encrypting key on

ENCIPHER, there is a risk of exposing the data-encrypting key only if you have chosen to manage your keys privately, because REPRO lists the generated data-encrypting key only for privately managed keys.

When you want to decipher the data, you must supply the data-encrypting key that was used to encipher the data.

However, as a security precaution, you may want to supply the data-encrypting key in a disguised form. When enciphering the data set, the name of a system-managed key, called a secondary file key, may be supplied. REPRO uses the secondary file key indicated by the supplied name to disguise (encipher) the

data-encrypting key. When deciphering the data set, the name of the file key and the disguised dclta-encrypting key may be

supplied rather than the plaintext data-encrypting key. In this way, the actual plaintext data-encrypting key is not revealed.

(Note that the secondary file key is used only in key communication, not when enciphering data.)

The Programmed Cryptographic Facility or the Cryptographic Unit Support offers the installation this secondary file

key-management facility. To use this facility, your

installation must first execute the Programmed Cryptographic Facility key generator utility. This utility is used to

generate the secondary-file keys to be used by the installation.

The Programmed Cryptographic Facility key generator utility generates the secondary-file keys you request and stores the keys, in enciphered form, in the cryptographic key data set (CKDS). It lists the external name (key name) of each secondary key and the plaintext form of the secondary key. To access a particular secondary file key, you supply the keyname of the secondary file key. If the secondary key is to be used on a system other than the system on which the keys were generated, the utility must also be executed at the other system to define the same plaintext secondary file keys. The plaintext secondary file keys may be defined in the CKDS of the other system with different keynames.

If you choose to manage your own private keys, no secondary file keys are used to encipher the data-encrypting key; it is your responsibility to ensure the secure nature of your private data-encrypting key.

If you choose to have the Programmed Cryptographic Facility or the Cryptographic Unit Support manage your keys, REPRO uses secondary file keys to encipher the data-encrypting key. You

REQUIREMENTS

specify a secondary file key to REPRO through the key name by which it is known in the CKDS. Two types of secondary file keys are recognized by REPRO:

• An internal file key is one that is defined in the CKDS by using a remote or cross key 2 statement as input to the Programmed Cryptographic Facility key generator utility.

Use of a cross key 2 statement for DECIPHER requires APF (Authorized Program Facility) authorization and thus can provide an additional level of security.

• For ENCIPHER~ an external file key is one that is defined in the CKDS by using a local or cross key 1 statement as input to the Programmed Cryptographic Facility key generator utility. An internal file key may be used for ENCIPHER but not for DECIPHER operations.

Although both internal and external secondary file keys may be used when doing a REPRO ENCIPHER, only internal secondary file keys may be used when doing a REPRO DECIPHER. Thus~ external secondary file keys may not be used to do a REPRO ENCIPHER and REPRO DECIPHER on the same system. External secondary file keys are used when the enciphered data is to be deciphered on another system. The REPRO DECIPHER is done on the other system using the same secondary file key; however~ in this other system's CKDS, the secondary file key must be defined as an internal secondary file key.

An internal secondary file key may be used to do a REPRO

ENCIPHER and REPRO DECIPHER on the same system, and~ if the same secondary file key is also defined as an internal secondary file key in another system's CKDS~ then a REPRO ENCIPHER and REPRO DECIPHER may also be done on that system.

In planning to use the ENCIPHER or DECIPHER functions of the REPRO command~ you should be aware of the following

requirements:

• Either the Programmed Cryptographic Facility Program

Product~ Program Number 5740-XY5, or the Cryptographic Unit Support Facility Program Product~ Program Number 5740-XY6~

must be installed on your system.

• Prior to issuing the REPRO command (via a batch job or from a TSO terminal)~ the Programmed Cryptogaphic Facility

program product must have already been started through a START command at the operator's console.

In planning to use REPRO DECIPHER with the SYSTEMKEYS parameter specifying a cross key 2 secondary file key, you should be aware of the following requirement:

• Access method services must be authorized. For information about program authorization~ see "Authorized Program

Facility (APF)" in System Programming library: Supervisor Services and Macros.

Dans le document Program Product (Page 81-85)