Where are the keys stored?. i.e., How does the service program get the key?.. Few shops I have worked, use to place the keys either in a data area or sometime hard-coded in the program.
----- Original Message ----
From: "matt.haas@xxxxxxxxxxx" <matt.haas@xxxxxxxxxxx>
To: rpg400-l@xxxxxxxxxxxx
Sent: Thursday, October 25, 2007 3:43:49 PM
Subject: RE: sensitive data
The service program does not have the keys in it so no.
Matt
-----Original Message-----
From: rpg400-l-bounces@xxxxxxxxxxxx
[mailto:rpg400-l-bounces@xxxxxxxxxxxx] On Behalf Of Lim Hock-Chai
Sent: Thursday, October 25, 2007 3:38 PM
To: RPG programming on the AS400 / iSeries
Subject: RE: sensitive data
Would having a service program for easy access to data in those field be
considered an security risk?
-----Original Message-----
From: rpg400-l-bounces@xxxxxxxxxxxx
[mailto:rpg400-l-bounces@xxxxxxxxxxxx] On Behalf Of
matt.haas@xxxxxxxxxxx
Sent: Thursday, October 25, 2007 2:35 PM
To: rpg400-l@xxxxxxxxxxxx
Subject: RE: sensitive data
I put the encrypt/decrypt methods in a service program. I also created a
couple of wrapper programs so it can be used by non-ILE programs. I just
uploaded the source of a service program that does 128-bit AES to
http://code.midrange.com/67d8ae32db.html. To use 256-bit AES, you'll
need to use a 32 byte key, salt value, padding block, and change the
block size variables in the code to 32 bytes instead of 16 (you'll also
need to make sure you have the 256-bit AES ciphers installed - take a
look at
http://code.midrange.com/3d3a1d56b6.html for a program to do
that).
Matt
-----Original Message-----
From: rpg400-l-bounces+matt.haas=cengage.com@xxxxxxxxxxxx
[mailto:rpg400-l-bounces+matt.haas=cengage.com@xxxxxxxxxxxx] On Behalf
Of Lim Hock-Chai
Sent: Thursday, October 25, 2007 3:06 PM
To: RPG programming on the AS400 / iSeries
Subject: RE: sensitive data
Thanks for the info Matt. I guess encrypt method is required on the CC
field. As far as application that need to access this field, do/should
you have some type of export procedure to decrypt it?
-----Original Message-----
From: rpg400-l-bounces@xxxxxxxxxxxx
[mailto:rpg400-l-bounces@xxxxxxxxxxxx] On Behalf Of
matt..haas@xxxxxxxxxxx
Sent: Thursday, October 25, 2007 1:44 PM
To: rpg400-l@xxxxxxxxxxxx
Subject: RE: sensitive data
Lim,
You need to use either TripleDES or 256-bit AES to satisfy credit card
industry rules which are both block ciphers (this means that the cipher
text will always be a multiple of how every many bytes the cipher is
for, in the case of 256-bit AES, it will be a multiple of 32 bytes).
Once you add in a block for padding bytes and a block for the salt value
(this is a secure random number that makes the cipher text different for
the same value and pass phrase, you'll need to store this with the
cipher text but it doesn't need to be encrypted), you can pretty much
guarantee that the existing fields will be too small. Also, cipher text
is binary data so if you need to move it around, you'll need to encode
it into printable text. We just use the hex values (which double the
size of the field) but you could also Uuencode it.
In the specific case of credit cards, what we did was store 12 *'s + the
last four digits of the card number in the credit card field and then we
let the credit card software (jCharge) worry about sending it to the
bank. If someone really needs to see the card number, there is a
function in jCharge that lets them look it up and jCharge logs who did
it.
Since our development machine is on V5R1 still, I had to use the #CIPHER
MI to do the encryption/decryption work. This function is actually
pretty easy to use and the interfaces to it seem to be pretty
standardized so it was easy to apply information I found on the Internet
to it.. There is also an example of 128-bit AES in the archives but read
through the entire thread since there is a bug with the original code I
posted. The example only encrypts a single block but it's pretty easy to
make it do multiple blocks.
Matt
-----Original Message-----
From: rpg400-l-bounces@xxxxxxxxxxxx
[mailto:rpg400-l-bounces@xxxxxxxxxxxx] On Behalf Of Lim Hock-Chai
Sent: Thursday, October 25, 2007 2:24 PM
To: RPG programming on the AS400 / iSeries
Subject: sensitive data
Just want to know how other handle file that contains both sensitive and
non-sensitive data field. For example, Customer-Billing-Info Master
file might have Billing Address fields (Non-Sensitive Data) and Credit
Card field (Sensitive data). Do you create special Service Program to
access those field, using field level auth...?
--
This is the RPG programming on the AS400 / iSeries (RPG400-L) mailing
list To post a message email: RPG400-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit:
http://lists.midrange.com/mailman/listinfo/rpg400-l
or email: RPG400-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives at
http://archive.midrange.com/rpg400-l.
--
This is the RPG programming on the AS400 / iSeries (RPG400-L) mailing
list To post a message email: RPG400-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit:
http://lists.midrange.com/mailman/listinfo/rpg400-l
or email: RPG400-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives at
http://archive.midrange.com/rpg400-l.
midrange.com
