Encryption for OpenVMS, Version 1.6 (SPD 26.74.06)
• Access the Encryption for OpenVMS help library
An Application Program Interface allowing programs to:
• Encrypt and decrypt complete files or specific data elements
• Generate and verify MACs on complete files or specific data elements
An interface to the OpenVMS Backup utility that allows users to maintain encrypted backup save sets.
File Encryption
Encryption for OpenVMS provides a Digital Command Language (DCL) interface to specify encryption keys and to control the encryption and decryption of disk-resident files. The entire contents of files are encrypted along with separately stored file attribute information such as record structure, original creation date, and original file name. These attributes are then restored at decryption time along with the original file contents. Encryption for OpenVMS supports several options during the encryption and decryption process, including automatic deletion of the input file upon successful encryption and data compression of the input file before encryption.
File Authentication
The same Encryption for OpenVMS DCL interface is used to control the generation and verification of MACs for disk-resident files. Only the data portion of a file is processed for the MAC. File attribute information, which can normally change during authorized file operations, is not processed. The files themselves remain unencrypted and the MACs are stored in a separate database.
For files that are encrypted, authentication checks are done automatically by Encryption for OpenVMS during the decryption process. An MDC is calculated and is encrypted along with the other file attribute information. When the file is decrypted, the MDC is recalculated and compared with the decrypted MDC.
Key Specification and Storage
Key values for the encryption and authentication algorithms may be specified either as sixteen hexadecimal digits or as a more easily remembered and manipulated phrase of words and numerals. The alphanumeric phrase format is scanned and packed into the form required by the selected algorithm. In Encryption for OpenVMS Version 1.6, all keys are stored, themselves encrypted, in the OpenVMS logical name tables.
Application Program Interface
Encryption for OpenVMS provides a set of callable routines that allows users to integrate its encryption/decryption and authentication functions in application programs. The Encryption for OpenVMS library of callable routines adheres to the OpenVMS Calling Standard and the modular design established in the Guide to Creating OpenVMS Modular Procedures. Entry points are provided to permit the specification and deletion of keys, encryption/decryption of complete files, encryption/decryption of user-specified data elements, and generation of MACs for user-specified data elements.
For example, the data-encryption facility permits a user application to manage a data file containing employee information with the salary data field encrypted. Almost all functions available through the DCL command interface are also provided by the application interface. The binary kit includes a complete PASCAL example of an encrypting utility to serve as a model of how such an application might be written.
Backup Utility
The online OpenVMS Backup utility incorporates an interface to Encryption for OpenVMS to permit the encryption of backup save sets. Restoration or listing of the contents of an encrypted backup save set is not permitted without respecification of the encryption key and algorithm parameters used when the save set was encrypted and created. When key and algorithm parameters are stored or transmitted separately from the resulting backup media, access to the backed up data may be more carefully controlled. This enhances the security of backup tapes and disks when stored or transported off the customer’s premises.
DES Algorithm and Modes
The DES algorithm may be applied in several modes to the processing of data. Encryption for OpenVMS Version 1.6 supports Electronic Code Book mode (ECB), Cipher Block Chain mode (CBC), Cipher Feedback mode (CFB), and Message Authentication Code mode (MAC). CFB mode is limited to 8-bit character feedback only. The MAC mode uses the CBC mode for processing.
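As an added illustration of the MAC mode described above and of the sixteen-hexadecimal-digit key form from the Key Specification section (this is not the product's own code or API), the following Go program builds the DES MAC from CBC mode in the FIPS 113 style using Go's standard crypto/des package. It assumes the sixteen hex digits are the eight DES key bytes with their odd-parity bits, and the key and record values in the accompanying checks are constructed sample data.

```go
package main

import (
	"crypto/des"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"math/bits"
)

// KeyFromHex decodes the sixteen-hex-digit key form into an 8-byte DES key and
// checks the odd-parity bit DES keeps in the low-order bit of every key byte.
func KeyFromHex(s string) ([]byte, error) {
	key, err := hex.DecodeString(s)
	if err != nil || len(key) != des.BlockSize {
		return nil, fmt.Errorf("key must be exactly 16 hex digits: %q", s)
	}
	for i, b := range key {
		if bits.OnesCount8(b)%2 == 0 {
			return nil, fmt.Errorf("key byte %d (%02x) fails DES odd parity", i, b)
		}
	}
	return key, nil
}

// CBCMAC builds the DES MAC from CBC mode in the FIPS 113 style: zero IV, data
// zero-padded to whole 8-byte blocks, and the last CBC output block as the tag.
func CBCMAC(key, data []byte) ([]byte, error) {
	block, err := des.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := append([]byte{}, data...)
	for len(padded) == 0 || len(padded)%des.BlockSize != 0 {
		padded = append(padded, 0) // zero padding, so empty data is one block
	}
	tag := make([]byte, des.BlockSize) // chaining value starts as the zero IV
	for i := 0; i < len(padded); i += des.BlockSize {
		for j := range tag {
			tag[j] ^= padded[i+j] // CBC: XOR the previous output into this block
		}
		block.Encrypt(tag, tag) // in-place is allowed when dst and src coincide
	}
	return tag, nil
}

func Verify(key, data, tag []byte) bool {
	want, err := CBCMAC(key, data)
	return err == nil && subtle.ConstantTimeCompare(want, tag) == 1 // constant time
}
```

Because the data is zero-padded, a record and the same record with trailing zero bytes appended carry the same tag, so a caller should keep record lengths fixed or encode the length in the data being authenticated.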
INSTALLATION
Only experienced customers should attempt installation of this product. Compaq recommends that all other customers purchase Compaq’s Installation Services. These services provide for installation of the software product by an experienced Compaq Software Specialist.