BBj 4.0 and higher, and (V)PRO/5 5.0 and higher, utilizes the 128-bit AES (Advanced Encryption Standard) encryption. Version 6.0 and higher of BBj, Visual PRO/5, and PRO/5 offer 256-bit AES encryption. AES is the National Institute of Standards and Technology (NIST) secret key cryptography method that officially replaced the Triple DES method in 2001 as the industry standard. While permitting a very high degree of cryptographic security, AES is fast and efficient in operation.
|
CRYPTPASS= mode |
Used with the MKEYED and OPEN verbs to create and access encrypted MKEYED files. |
|
DECRYPT() |
Decrypts data and record fields. |
|
ENCRYPT() |
Encrypts data and record fields. |
|
PASSWD= mode |
Password protects records in an MKEYED file from unauthorized reads and writes. It does not encrypt the data. |
To encrypt an existing file, write a short program to perform the following:
Open the existing file.
Create a new encrypted version of the old file using the MKEYED verb, FID() function, and CRYPTPASS= mode.
Iterate through the existing file reading the records from that file.
Write the records to the new encrypted file.
The initial security.provider that Sun provides with Java is not compatible with the default encryption that BASIS uses, which in turn affects both BBj Solaris and Sun-Intel ports.
To remedy this, first make changes to the java.security file located in ..jdk/jdk1.6.0/jre/lib/security/security.policy file. Use root permissions and give the file write permissions temporarily.
The list of security providers will look like this:
security.provider.1=sun.security.pkcs11.SunPKCS11${java.home}/lib/security/sunpkcs11-solaris.cfg
security.provider.2=sun.security.provider.Sun
security.provider.3=sun.security.rsa.SunRsaSign
security.provider.4=com.sun.net.ssl.internal.ssl.Provider
security.provider.5=com.sun.crypto.provider.SunJCE
security.provider.6=sun.security.jgss.SunProvider
security.provider.7=com.sun.security.sasl.Provider
security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.9=sun.security.smartcardio.SunPCSCkcs11-solaris.cfg
The default encryption depends on the second security provider...not the first so we need to reorder this list moving the first entry to the last:
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=com.sun.net.ssl.internal.ssl.Provider
security.provider.4=com.sun.crypto.provider.SunJCE
security.provider.5=sun.security.jgss.SunProvider
security.provider.6=com.sun.security.sasl.Provider
security.provider.7=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.8=sun.security.smartcardio.SunPCSCkcs11-solaris.cfg
security.provider.9=sun.security.pkcs11.SunPKCS11${java.home}/lib/security/sunpkcs11-solaris.cfg
Once complete, change the file permissions back to --r--r--r and restart BBjServices.
The default encryption should now work properly.
Use passwords with caution. If the password is lost or forgotten the encrypted data cannot be recovered. Furthermore, there is absolutely no way to retrieve or derive a lost password.
To receive the full benefit of using AES-256 instead of AES-128, the password must be a minimum length of 17 characters. BASIS, however, recommends a password of 40 characters.
Field-level encryption on keyed fields prevents the filesystem from iterating through the records on the encrypted keychain. However, exact match finds are still possible.
JKEYED files do not currently support file-level encryption.
The ENCRYPT() and DECRYPT() functions take strings as parameters; convert all numerics to a string before encrypting it.
Some encrypted data is longer than the decrypted version of the data, depending on the encryption algorithm used. For example, encrypting an 18-byte string using AES 128 bit encryption will result in a 32-byte string. This occurrence of longer encrypted data can have an impact on field definitions in files and in string templates. BASIS recommends working with two templates - one for the decrypted version and one for the encrypted version that accommodates for the extra field length.
To utilize AES-256 in BBj, the "Java Cryptography Extension (JCE)" module must be installed. This module is available for download at the bottom of the Sun Microsystems' Java Downloads page under the "Other Downloads" section.