New V5R2 Encryption APIs with PTF SI10060
09-23-2003, 12:44 PM
Where can I get more info?
09-24-2003, 10:35 AM
http://www-912.ibm.com/a_dir/as4ptf.NSF/d448bcf26ed42614862566db006cbd34/d045f6c5527b5f8c86256daa005295b2?OpenDocument or download the PTF itself or just its cover letter.
10-03-2003, 12:41 PM
OK, I have downloaded the PTF and the cover/documentation. I am struggling with ALGD0500; binary(4). How do I equate binary to an algorithm of MD5? Where does the MD5 go? What do I put in the binary field?
10-03-2003, 01:24 PM
John Sides wrote:
> OK, I have downloaded the ptf and the cover/documentation. I am struggling with ALGD0500; binary(4). How do I equate binary to an algorithm of MD5? Where does the MD5 go? What do I put in the binary field?

It looks like you define a 4-byte integer and set it to a value of 1.

"The hash algorithm. Following are the valid hash algorithms.
1 MD5 Documented in RFC 1321.
2 SHA-1 Documented in FIPS 180-2.
3 SHA-256 Documented in FIPS 180-2.
4 SHA-384 Documented in FIPS 180-2.
5 SHA-512 Documented in FIPS 180-2."
01-13-2004, 10:23 AM
I've tried out the new APIs to encrypt and decrypt data (in COBOL) and they work nicely. My question is how to do this "properly" using keys and certificates to control the encryption and decryption process. DCM kind of sits out there to manage those things, but how does a person get that down into the program level to use those keys or certs, or use the new APIs? I haven't been able to find the cookbook for getting these things put together. Any direction would be greatly appreciated. Thanks!
01-13-2004, 08:14 PM
Can you post up examples of what you have done? It would be great to have a head start. Cheers Jim
01-14-2004, 07:40 AM
The code is not fancy. It was an attempt to use AES software encryption to encrypt and decrypt a 32-byte field. My next step (problem) is to use a key and vector initialization string that is system or enterprise wide and exchanged securely between systems. But there doesn't seem to be much AS/400 specific on those kinds of things. Thanks.
Code ('http://www.mcpressonline.com/mc/showcode@@.6ae7dd00/6')
01-18-2004, 03:04 PM
I have tried to convert the above posted API calls to ILE RPG but get the following message.

Application error. CPF9DDE unmonitored by IBMENCRYPT at statement 0000000047, instruction X'0000'.

CPF9DDE is not defined in my QCPF message so there is no text, but according to the IBM documentation it means "Cipher algorithm not valid". It looks like none of the related CPF messages were in the PTF. Here's my code:

H DFTACTGRP(*NO) ACTGRP(*NEW)
H USRPRF(*OWNER) BNDDIR('QC2LE') INDENT(': ')
DClearData        S             32A   INZ
DClearDataLen     S              4B 0 INZ(32)
DClearDataFmt     S              8A   INZ('DATA0100')
DALGD0200         DS
D BlockCipherAlg                 4B 0 INZ(22)
D BlockCipherLen                 4B 0 INZ(32)
D BlockCipherMod                 1A   INZ('1')
D BlockCipherPad                 1A   INZ('0')
D BlockCipherPch                 1A   INZ(x'00')
D BlockCipherRsv                 1A   INZ(x'00')
D BlockCipherMLN                 4B 0 INZ(0)
D KeySize                        4B 0 INZ(0)
D InitVector                    32A   INZ('123456789012345678901234567890')
DALGD0200Desc     S              8A   INZ('ALGD0200')
DKeyDescription   DS
D KeyDescType                    4B 0 INZ(22)
D KeyStringLen                   4B 0 INZ(30)
D KeyFormat                      1A   INZ('0')
D KeyReserved                    3A   INZ(x'000000')
D KeyString                     32A   INZ('123456789012345678901234567890')
D KeyDescFmt      S              8A   INZ('KEYD0200')
D CryptoProv      S              1A   INZ('1')
D CryptoDevName   S             10A   INZ
DEncryptedData    S             32A   INZ
DEncryptedLen     S              4B 0 INZ(32)
DEncryptedRtn     S              4B 0 INZ
DQUSEC            DS                  inz
D QUSBPRV                 1      4B 0
D QUSBAVL                 5      8B 0
D QUSEI                   9     15
D QUSERVED               16     16
D*
D* Varying length
C                   eval      Cleardata='FredSmith'
C                   CALL      'QC3ENCDT'
C                   PARM                    ClearData
C                   PARM                    ClearDataLen
C                   PARM                    ClearDataFmt
C                   PARM                    ALGD0200
C                   PARM                    ALGD0200Desc
C                   PARM                    KeyDescription
C                   PARM                    KeyDescFmt
C                   PARM                    CryptoProv
C                   PARM                    CryptoDevName
C                   PARM                    EncryptedData
C                   PARM                    EncryptedLen
C                   PARM                    EncryptedRtn
C                   PARM                    QUSEC
C                   eval      *INLR = *on
C                   return
01-19-2004, 06:13 AM
You are defining many of the Binary(4) API elements as 4B 0. This defines only a 2-byte binary field. Either define them positionally (like you did in QUSEC - 1 4B 0) or as 9B 0 or as 10I 0 so that 4 bytes are being passed to the API.
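Added example (not part of the original thread): the Python sketch below packs the ALGD0200 structure from the post above with 2-byte and with 4-byte big-endian integers, then reads it back the way an API expecting Binary(4) fields would, which shows why the 2-byte layout yields an algorithm value other than 22. Field order and values come from the posted data structure; the cp037 EBCDIC code page, the 52-byte length derived from that layout, and the function names are assumptions of this example.

```python
import struct

# Field values taken from the ALGD0200 data structure in the post above.
ALG_AES, BLOCK_LEN, MAC_LEN, KEY_SIZE = 22, 32, 0, 0
# Character fields are EBCDIC on the system; cp037 is an assumed code page.
MODE, PAD_OPT = "1".encode("cp037"), "0".encode("cp037")
IV = "123456789012345678901234567890".ljust(32).encode("cp037")
EXPECTED_LEN = 52  # 4 + 4 + 4*1 + 4 + 4 + 32 bytes with true Binary(4) fields


def build_algd0200(binary_width):
    """Lay the structure out with 2-byte (4B 0) or 4-byte (10I 0) integers."""
    code = {2: "h", 4: "i"}[binary_width]
    # ">" means big-endian with no alignment padding between subfields.
    fmt = f">{code}{code}cccc{code}{code}32s"
    return struct.pack(fmt, ALG_AES, BLOCK_LEN, MODE, PAD_OPT,
                       b"\x00", b"\x00", MAC_LEN, KEY_SIZE, IV)


def api_view(buf):
    """Read the leading fields as two 4-byte integers followed by the mode byte."""
    algorithm, block_length = struct.unpack_from(">ii", buf, 0)
    return {"algorithm": algorithm, "block_length": block_length,
            "mode": buf[8:9], "struct_length": len(buf)}


def check(buf):
    """Pre-call sanity check: list every field that differs from what was intended."""
    seen = api_view(buf)
    problems = []
    if seen["algorithm"] != ALG_AES:
        problems.append(f"algorithm read as {seen['algorithm']}, expected {ALG_AES}")
    if seen["block_length"] != BLOCK_LEN:
        problems.append(f"block length read as {seen['block_length']}, expected {BLOCK_LEN}")
    if seen["struct_length"] != EXPECTED_LEN:
        problems.append(f"structure is {seen['struct_length']} bytes, expected {EXPECTED_LEN}")
    return problems


if __name__ == "__main__":
    for width in (2, 4):
        buf = build_algd0200(width)
        print(f"{width}-byte integers:", api_view(buf), check(buf) or "layout OK")
```

With 2-byte fields the algorithm and block-length values share the first four bytes, so the reader sees one combined number instead of 22.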
01-19-2004, 12:44 PM
I was a bit unsure of the binary definitions - I know there is a good reason but the leap from BINARY(4) to 9B 0 or 10I 0 was too much for me! Thanks again.
05-12-2005, 03:51 PM
How are the APIs working out? My company is wanting to encrypt credit card numbers, social security numbers, and other personal information on the iSeries. We're looking for field-level encryption. It sounds like these APIs will do the trick.
05-13-2005, 05:32 AM
We are currently beginning programming to encrypt fields within our database. Our plan is to use the APIs (on V5R2) to encrypt/decrypt the data so that we can use the AES algorithm. Maybe some day the new hardware encryption card on the i5 will support AES. For us, the APIs appear to be the best choice.
05-14-2005, 01:41 AM
Have you started using the APIs yet? It sounds like we're both doing the same thing. I'm surprised that I'm finding so little info on the APIs. We're currently at V5R1. These APIs are pushing us to V5R2. I will be installing the upgrade in a couple of weeks. I'm just curious what experiences (good or bad) other folks have had trying to use the APIs for field-level AES encryption.
06-23-2005, 05:53 AM
You don't necessarily need V5R2 to do field level encryption. There is an MI instruction for doing it called _CIPHER. It can encrypt using the following methods: DEA, TDEA, RC-4, AES. I have written a procedure to test the functionality and after some help from a message posting here, I got it to work. I am no expert on the MI by any means and key management "is the key" and I don't have much input on that issue.

An IBM doc about the _CIPHER command is here (thanks Tom Daly). http://publib.boulder.ibm.com/iseries/v5r1/ic2924/tstudio/tech_ref/mi/CIPHER.htm

The following is an excerpt from that document. I am not sure what to do if your system does not meet the criteria described and this is true for each of the aforementioned encryption algorithms.

"In order to use this function identifier, the cryptography attributes must contain an algorithm entry that specifies DES (Data Encryption Standard) is provided by the machine service provider. If no such entry exists, then requested function not valid (hex 1C08) exception will be signaled. The cryptography attributes may be materialized through the use of the Materialize Machine Attributes (MATMATR) instruction and using a selection value of hex 01C8."

Garrett
Code ('http://www.mcpressonline.com/mc/showcode@@.6ae7dd00/13')
06-24-2005, 10:57 AM
Hi, I am trying to encrypt data captured from the screen (both RPG/400 V5R2). I am running into different types of problems such as definition not found, etc. Can I have a sample program using QC3ENCDT? I can answer any questions regarding whatever I have done so far, though not completely successful. Please guide me through. Regards -Dan
06-24-2005, 11:05 AM
I have been working on encryption and decryption with RPG/400. Going crazy for 4 days. I do understand COBOL. Could you please mail me the COBOL code which you have mentioned as working nicely? -DAN
06-24-2005, 11:14 AM
Hi, I am trying to use encryption using RPG/400. It has been very rough with so many strange errors, expected with so little info on the same. Could you help in understanding these APIs? A sample could be a head start.
06-29-2005, 08:04 AM
I have entered the sample code written by you and I get the following messages. Could you let me know what the problem is?

RNF5412 20 1 An operand must not be specified for a procedure that does not return a value.
RNF1503 30 1 The prototype for the procedure was not previously defined.
RNF7030 30 1 The name or indicator is not defined.
06-29-2005, 08:17 AM
PTF SI10060 provides these 5 APIs:
Qc3EncryptData (QC3DTAEN) - Encrypt data
Qc3DecryptData (QC3DTADE) - Decrypt data
Qc3CalculateMAC (QC3CALMA) - Calculate message authentication code (MAC)
Qc3CalculateHash (QC3CALHA) - Calculate hash
Qc3CalculateHMAC (QC3CALHM) - Calculate hash MAC
06-29-2005, 08:17 AM
The code I provided is only the procedure; you need to create a program that will call the procedure. Below is part of the test program I had created to test the encoding. My test program also included a call to a decoding procedure that is similar to the encoding procedure except for one MI parameter that tells the MI whether to encode or decode. Also note that when you test this, the length of the value you request to encode MUST be either 16 or 32 characters. Again, this is a concept test, not a production procedure. I hope this works for you.
Code ('http://www.mcpressonline.com/mc/showcode@@.6ae7dd00/18')