Encryption on IBM i Simplified with Field Procedures Copyright 2016 - Linoma Software

Bob Luebbe Chief Architect

Ron Byrd Senior Software Architect

Introductions

www.LinomaSoftware.com

Data Risks and Trends

Introduction to Encryption

Traditional methods for field (column) encryption

Introduction to DB2 Field Procedures (FieldProcs)

How FieldProcs can simplify encryption

How to get started with FieldProcs

Tips and techniques for FieldProcs

Key Management and Audit Trails

Feel free to ask any questions

Agenda

Founded in 1994 - based in Nebraska

Growing and profitable

Active R&D with focus on Encryption, Data Automation and Security

Responsive technical support – Phone, Web, Email

Almost 99% of customers renew their product maintenance each year

Division of with over 10,000 customers and nearly 500 employees around the world

Company Overview

Our solutions help customers save time, money, and eliminate errors.

• Workload Automation
• Business Process Automation
• Network Monitoring
• Message & Event Monitoring
• Performance Monitoring
• Data Backup Management
• Remote Monitoring & Management
• Enterprise Data Access
• Executive Dashboards & Reporting
• Mobile Data Access
• Data Warehousing
• Risk Assessment
• Anti-virus
• Security Event Monitoring
• Identity & Access Management
• Compliance Reporting
• Professional Security Services
• Managed File Transfers
• Database Encryption
• Process & Workflow Management
• Document & Image Management
• Forms Management
• Electronic Forms
• Document Distribution
• Signature Capture

www.HelpSystems.com

Unless otherwise protected, all data transfers travel openly over the Internet and can be monitored or read by others.

Databases can be accessed through a wide variety of tools by both external hackers and rogue employees.

Backup media often passes through many hands to reach its off-site storage location.

IBM i Data Risks

Cost of a Data Breach study conducted by the Ponemon Institute each year

Costs include admin and IT labor, notifications to customers, public relations, credit monitoring, lost business and regaining trust

$6.5 million average cost per data breach in 2015. Approximately $217 per lost record.

[Chart: Cost in Millions of Dollars]

Cost of Data Breach

What Data Should be Protected?


Anything that is confidential to the organization, its employees and its customers

PCI data (Credit card numbers)

PII data (Social security numbers and birth dates)

PHI data (Health-related information)

Bank Account numbers

User ids and Passwords

PIN numbers

Payroll information (e.g. wages)

Driver License numbers

Financial data

Trade Secrets (e.g. product formulas)

Encryption is the process of encoding information to protect it from unauthorized access

Encryption hides the meaning of the message, but not its existence.

Data is encrypted using an encryption algorithm and a key. The output is called Ciphertext.

The encrypted message can then be decrypted only with the appropriate key. The decrypted value is called Plaintext.

Plaintext Before: The quick brown fox jumped over the lazy dog

Ciphertext After: „Œ \ËKä°BBY ý \åê·Ñ‚C‹Ÿ^{F+rÀJ[1]Ï(54Y3s3s874s

Encryption Introduction


Cipher is a pair of algorithms that perform encryption and decryption. Example ciphers are AES, TDES, BLOWFISH and CAST5. Some of the older ciphers should not be used since they have been broken. AES is the most popular cipher today.

Key controls the detailed operations of the Cipher algorithms. The output (Ciphertext) is therefore manipulated by the Key. A Key is represented by bits (i.e. 101001…).

Symmetric Key Cryptology is a form of cryptology in which the sender and receiver share the same key. The key must be kept secret or the security is compromised. Also known as Secret key cryptology.

Asymmetric Key Cryptology is a form of cryptology that implements Key Pairs, in which the Public key portion of the Key Pair is used to encrypt information and the Private key portion is used to decrypt information. Otherwise known as Public Key Cryptology.

Encryption Terms


For field encryption on IBM i (prior to 7.1), you had two options:

• Use API calls to encrypt the data before writes and updates (requires program mods)

• Use column triggers to automatically encrypt data on writes and updates (much better)

Still needed to call APIs from any applications where data needs to be decrypted:

• Screens

• Reports

• Batch processes

• Queries

For numeric fields, had to change database types to alphanumeric OR store the encrypted values in an external (shadow) file

Could not encrypt date, time, timestamp and BLOB field types

Field Encryption before V7R1


Field Procedures (FieldProcs) available in IBM i 7.1

Linoma has been working with FieldProcs since beta (early 2010)

FieldProcs are “enabling” technology to simplify encryption projects

Can minimize or eliminate any application changes

Stores alternative “encoded” values for fields, so do not need to change your data types, lengths or CCSIDs

Supported for DDS-described physical files and SQL-defined tables

FieldProcs allowed on multiple fields in a file

Supported in multi-member files

Field Procedures - Introduction


Field Procedures are at the Database Level

FieldProcs are called on database Insert, Update and Read operations

Adding a Field Procedure (registering)

SQL syntax: ALTER TABLE library/filename ALTER COLUMN fieldname SET FIELDPROC proglib/program

No other locks can be on the file while the ALTER statement runs

Make sure you have *OBJALTER authority to the file, as well as *USE authority to the FieldProc program

Performs a mass encoding (encryption) of the field values

May take some time – Submit to batch

Removing a Field Procedure

SQL syntax: ALTER TABLE library/filename ALTER COLUMN fieldname DROP FIELDPROC

Performs a mass decoding (decryption) of the field values

Adding and Removing Field Procedures


Time taken (in seconds) to add FieldProcs to a file with 1,000,000 records

Every time you add a new FieldProc to a file, it runs all the existing FieldProcs on the file to decode and re-encode the values

Best practice – Use a single ALTER TABLE statement to add all FieldProcs to the file at once

* Tests conducted on an IBM i Power 8 (8286-42A) with 2 core, 16 GB memory partition

Performance – Adding Field Procedures


DSPFFD example after adding a FieldProc:

            Data        Field  Buffer    Buffer        Field    Column
 Field      Type       Length  Length  Position        Usage    Heading
 CMSSNO     PACKED       9  0       5        43        Both     Social Secur.
   Field text  . . . . . . . . . . . . . . . :  Social Security number
   Coded Character Set Identifier  . . . . . :  37
   Field Procedure Name  . . . . . . . . . . :  CRRP008
   Field Procedure Library . . . . . . . . . :  CRYPTO

Field Length: this is the field length that the application will see, but the encoded length may be different.

Field Procedure Name: shows the name of the program that will be called on the encode and decode operations

Encoded value can have a different type, length and CCSID than the original field

Does not change the record format level id – Will not get level checks in programs

Field Procedures – Encoded Values

Encoded Space Example

Field Description: PACKED (9 0)

Encoded Space: ALPHANUMERIC (16)

Output example:


Regular database tools (e.g. DSPPFM) cannot be used to view the encoded values (since the values will be automatically decoded)

View the hex encoded values with the HEX_ENCODED function in SQL. Example:

SELECT HEX_ENCODED(SSNO) FROM EMPMAST

Viewing the Encoded Values

Native record-level updates and writes

SQL Insert and Update statements

Some CL Commands: CPYF, RGZPFM, STRDFU

Query Processing e.g. Select SSNO, NAME where SSNO = '508773211' (only the lookup value is encrypted)

Encoded key values on the SETLL, SETGT, CHAIN, READE: e.g. SSNO CHAIN EMPMAST (only the lookup value is encrypted)

Encode Events – Which call the FieldProc

Native record-levels reads (READ, READE, SETLL, CHAIN, SETGT)

SQL Select and Fetch

e.g. Select SSNO, NAME where NAME = ‘BOB’

Query Processing e.g. Select SSNO, NAME, CITY, STATE where SSNO > '508773211' (has to perform a mass decode to properly evaluate >, >=, < and <= operations; could be a performance hit)

Report writers

File Transfer utilities (e.g. FTP, Client Access, Surveyor/400)

Reading CL commands: DSPPFM, CPYF

Trigger Processing (e.g. for before/after images)

Decode Events – Which call the FieldProc

Test on reading 1,000,000 records within an ILE RPG Program:

Red line indicates using RPG embedded SQL SELECT and FETCH statements

Blue line indicates using an RPG READ statement

* Tests conducted on an IBM i Power 8 (8286-42A) with 2 core, 16 GB memory partition

Performance – Reading Records


Test on inserting 1,000,000 records within an ILE RPG Program:

Red line indicates using an RPG embedded SQL INSERT statement

Blue line indicates using an RPG WRITE statement

* Tests conducted on an IBM i Power 8 (8286-42A) with 2 core, 16 GB memory partition


Performance – Inserting Records

Tests run on reading/updating 1,000,000 records within an ILE RPG Program:

Test conducted with a combination of a READ and UPDATE statement

On a record UPDATE, the FieldProc encode operation runs even if the field values did not change (unlike a column trigger)

* Tests conducted on an IBM i Power 8 (8286-42A) with 2 core, 16 GB memory partition

Performance – Updating Records

Commercial Encryption Solution from Linoma

Crypto Complete™

Through Authorization Lists, users can be granted access to the fully decrypted field values, restricted to the masked values or can be completely denied access.

Key Management

Security Controls

Audit Logs & Alerts

FieldProc Programs

Key Rotation

Policy Settings for PCI


Global Policy Settings (PCI dual control, separation of duties, etc.)

Integrated Key Management, or can integrate with 3rd Party External Key Managers

Security controls (e.g. who is allowed to manage keys, encrypt/decrypt data, etc.)

Strong encryption using AES256, AES192, AES128 or TDES algorithms

Field Encryption:

- Define and manage fields in Crypto Complete’s “Field Registry”
- Automatically encrypts database fields using Field Procedures or Column Triggers
- Most field types (packed numeric, zoned, alpha, date, time, graphic) are supported
- Can encrypt small and large field sizes

IFS Encryption – Commands provided to encrypt/decrypt stream files on IFS

Backup Encryption – Encrypt and save entire libraries or selected objects

Overview

Quote from Brad Snapp, City of Owensboro

"We have found Crypto Complete to be very easy to use. In about an hour, we had our first field encrypted! Crypto Complete gives us the option to automatically encrypt data, which eliminates the need for us to make software changes for encryption."

Main Menu

PEK – Product Encryption Key

• Quantity: 1

• Used for protecting Master Encryption Keys (MEKs)

• Unique per iSeries serial number

• Only generated in memory when needed (never stored)

MEK - Master Encryption Keys

• Quantity: 1-8

• Used for protecting Data Encryption Keys (DEKs)

• Generated based on 1-8 passphrases

• Stored in validation list (*VLDL) object CRVL001

DEK – Data Encryption Keys

• Quantity: Unlimited

• Used for protecting (encrypting) data

• Can be created 3 ways:

1) Random

2) Generated based on passphrase

3) Manually entered

• DEKs are held in Key Stores

• Key Stores are IBM Validation List (*VLDL) objects

Key Hierarchy


PEK is different per System

Recreate Master Keys on H.A. system using same passphrases as used on Production system

Replicate Key Stores

Replicate any external files containing encrypted data

Replicate Field Registry and Last Index Numbers Used

High Availability

PEK – Product Encryption Key

MEK – Master Encryption Key

DEK – Data Encryption Key

PEK is different per System

Production Backup:
- Master Keys
- Key Stores
- External files
- Field Registry

If recovery on Production system: Restore Master Keys from media

If recovery on D.R. system: Recreate Master Keys on D.R. system using same passphrases as used on Production system

Restore:
- Key Stores
- External files
- Field Registry
- Last Index Numbers

Disaster Recovery

Comprehensive audit trails

Stored in secure IBM Journal

Types of activity audited:

• When any Key Policy settings are changed
• When Key Officers are added, changed or removed
• When Master Encryption Keys (MEKs) are loaded or set
• When Key Stores are created or translated
• When Data Encryption Keys (DEKs) are created, changed or deleted
• When Field Encryption Registry entries are added, changed, removed, activated or deactivated
• When any functions are denied due to improper authority
• When data is encrypted or decrypted with a key that requires logging of those events
• When data cannot be encrypted or decrypted due to errors (i.e. invalid key label specified)

Generate reports based on:

• User
• Date range
• Audit type

Audit Trails

It sorts by the encoded (encrypted) value on READs… not by the decoded (decrypted) value

Example file layout for EMPMAST

     A          R EMPREC
     A            EMPID          7  0       COLHDG('Employee id')
     A            NAME          30          COLHDG('Employee Name')
     A            SSNO           9          COLHDG('Social Security Number')
     A          K EMPID

Field procedure is added to EMPID

ALTER TABLE EMPMAST ALTER COLUMN EMPID SET FIELDPROC PRGLIB/CDRP008

RPG Example of reading entire file

      * Read all the employees by employee id
     C     *LOVAL        SETLL     EMPMAST
     C                   DOW       NOT %EOF(EMPMAST)
     C                   READ      EMPMAST
     C                   ENDDO

Results not ordered: 23233 54332 11111

Instead, use ORDER BY in an embedded SQL Select statement (if using the default QAQQINI option) e.g. SELECT * FROM empmast ORDER BY empid

Should not have problems with CHAINs or READEs

Sorting on Keyed Logicals and Physicals
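
The behaviour described on this slide and on the encode/decode event slides (keyed reads arriving in encoded order, CHAIN still working because only the lookup value is encoded, range tests needing a decode of every value), modelled in Python as an added example that is not Linoma's or IBM's code. It assumes the encoding is deterministic; the 4-round Feistel over HMAC-SHA256 is a toy stand-in for the real cipher, and the class, key, names and sample ids (other than the slide's three) are constructed.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed; stands in for a managed DEK

def _f(half: bytes, rnd: int) -> bytes:
    # Feistel round function: keyed hash of one half of the block
    return hmac.new(KEY, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encode(empid: int) -> bytes:
    """Deterministic, reversible 16-byte encoding (toy Feistel, NOT real AES)."""
    block = str(empid).zfill(16).encode()
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(right, rnd))
    return left + right

def decode(blob: bytes) -> int:
    left, right = blob[:8], blob[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(left, rnd)), left
    return int((left + right).decode())

class EncodedKeyFile:
    """Models a keyed file whose key field (EMPID) carries a FieldProc."""
    def __init__(self, rows):
        # Stored rows and the keyed access path hold only encoded keys.
        self.rows = {encode(empid): name for empid, name in rows}
        self.index = sorted(self.rows)  # ordered by encoded bytes
    def read_by_key(self):
        """SETLL/READ loop: records arrive in encoded-key order."""
        return [decode(k) for k in self.index]
    def chain(self, empid):
        """CHAIN: encode only the lookup value, then match it exactly."""
        return self.rows.get(encode(empid))
    def greater_than(self, empid):
        """Range test: every stored key is decoded before comparing."""
        return sorted(v for v in map(decode, self.index) if v > empid)
    def order_by(self):
        """ORDER BY: sort on decoded values, not on the stored bytes."""
        return sorted(decode(k) for k in self.index)

# Constructed sample data (the first three ids appear on the slide).
IDS = [11111, 23233, 54332] + list(range(60001, 60010))
EMPMAST = EncodedKeyFile((i, f"EMP-{i}") for i in IDS)
```

Comparing `EMPMAST.read_by_key()` with `EMPMAST.order_by()` shows the same ids in two different sequences, which is the "Results not ordered" effect above.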

CRTDUPOBJ will duplicate any FieldProcs on the file

CPYF will always decode the values on the “From” file. It will also encode the values on the “To” file (if FieldProcs exist on the file)

Users must have authority to the FieldProc program

• They should have at least *USE authority to the FieldProc program OR

• Create the FieldProc program with USRPRF(*OWNER) and *EXCLUDE public authority. However, this approach will circumvent any authority checks for masking.

If a user is not authorized to a FieldProc program, they will get message id CPF4236 with the text of “Not authorized to open member X”.

Make sure to back up FieldProc programs since they are not automatically backed up with the file.

View all FieldProcs on the system with the following SQL statement: SELECT * FROM QSYS2.SYSFIELDS

Each entry will show the file name, field name, type, length and FieldProc name


Other Things to Know

Free 30 day trial available for download

Installs as a licensed program – Uses only 75 Mb of disk

Most customers can install and start encrypting data in less than a couple hours

Comprehensive easy-to-read manual

On-line help text

Evaluate with test data in your own environment

Customer Testimonial

“There are not a lot of software products that impress me, but I have to say that I really like the way Crypto Complete works. It was easy to implement and allowed us to meet all the requirements for securing our data to get PCI compliant.”

- Will Crowe, Love's Travel Stops and Country Stores

Summary

Web site: www.LinomaSoftware.com

E-mail: [email protected]

Toll-free: 1-800-949-4696

Direct: (402) 944-4242