× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. RPG400-L
  3. October 2007

RE: sensitive data

Thanks for the info Matt. I guess encrypt method is required on the CC
field. As far as application that need to access this field, do/should
you have some type of export procedure to decrypt it?



-----Original Message-----
From: rpg400-l-bounces@xxxxxxxxxxxx
[mailto:rpg400-l-bounces@xxxxxxxxxxxx] On Behalf Of
matt.haas@xxxxxxxxxxx
Sent: Thursday, October 25, 2007 1:44 PM
To: rpg400-l@xxxxxxxxxxxx
Subject: RE: sensitive data

Lim,

You need to use either TripleDES or 256-bit AES to satisfy credit card
industry rules which are both block ciphers (this means that the cipher
text will always be a multiple of how every many bytes the cipher is
for, in the case of 256-bit AES, it will be a multiple of 32 bytes).
Once you add in a block for padding bytes and a block for the salt value
(this is a secure random number that makes the cipher text different for
the same value and pass phrase, you'll need to store this with the
cipher text but it doesn't need to be encrypted), you can pretty much
guarantee that the existing fields will be too small. Also, cipher text
is binary data so if you need to move it around, you'll need to encode
it into printable text. We just use the hex values (which double the
size of the field) but you could also Uuencode it.

In the specific case of credit cards, what we did was store 12 *'s + the
last four digits of the card number in the credit card field and then we
let the credit card software (jCharge) worry about sending it to the
bank. If someone really needs to see the card number, there is a
function in jCharge that lets them look it up and jCharge logs who did
it.

Since our development machine is on V5R1 still, I had to use the #CIPHER
MI to do the encryption/decryption work. This function is actually
pretty easy to use and the interfaces to it seem to be pretty
standardized so it was easy to apply information I found on the Internet
to it. There is also an example of 128-bit AES in the archives but read
through the entire thread since there is a bug with the original code I
posted. The example only encrypts a single block but it's pretty easy to
make it do multiple blocks.

Matt

-----Original Message-----
From: rpg400-l-bounces@xxxxxxxxxxxx
[mailto:rpg400-l-bounces@xxxxxxxxxxxx] On Behalf Of Lim Hock-Chai
Sent: Thursday, October 25, 2007 2:24 PM
To: RPG programming on the AS400 / iSeries
Subject: sensitive data

Just want to know how other handle file that contains both sensitive and
non-sensitive data field. For example, Customer-Billing-Info Master
file might have Billing Address fields (Non-Sensitive Data) and Credit
Card field (Sensitive data). Do you create special Service Program to
access those field, using field level auth...?




--
This is the RPG programming on the AS400 / iSeries (RPG400-L) mailing
list To post a message email: RPG400-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/rpg400-l
or email: RPG400-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives at
http://archive.midrange.com/rpg400-l.



As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow-Ups:
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.