Encryption

Overview

BBj 4.0 and higher and PRO/5 5.0 and higher utilize the 128-bit AES (Advanced Encryption Standard) encryption. Version 6.0 and higher of BBj, Visual PRO/5, and PRO/5 offer 256-bit AES encryption. AES is the National Institute of Standards and Technology (NIST) secret key cryptography method that officially replaced the Triple DES method in 2001 as the industry standard. AES is fast and efficient in operation while also permitting a very high degree of cryptographic security.

Encryption Types

CRYPTPASS= mode

Used with the file creation verbs and OPEN verbs to create and access encrypted MKEYED files

DECRYPT()

Decrypts data and record fields.

ENCRYPT()

Encrypts data and record fields.

PASSWD= mode

Password protects records in an MKEYED file from unauthorized reads and writes. It does not encrypt the data.

How to Encrypt an Existing File

To encrypt an existing file, write a short program to perform the following:

  1. Open the existing file.

  2. Create a new encrypted version of the old file using the MKEYED verb, FID() function, and CRYPTPASS= mode.

  3. Iterate through the existing file reading the records from that file.

  4. Write the records to the new encrypted file.

How to set Default Encryption on a Sun Intel or Solaris Platform

In BBj revisions prior to 19.0, the security providers that Java supplies by default are not compatible with the default encryption that BASIS uses, which in turn affects both BBj Solaris and Sun-Intel ports.

To remedy this, first make changes to the java.security file located in ..<jdk_home>/JRE/lib/security/security.policy file. Use root permissions and give the file write permissions temporarily.

By default, the list of security providers will look like this:

 

security.provider.1=com.oracle.security.ucrypto.UcryptoProvider ${java.home}/lib/security/ucrypto-solaris.cfg

security.provider.2=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/sunpkcs11-solaris.cfg

security.provider.3=sun.security.provider.Sun

security.provider.4=sun.security.rsa.SunRsaSign

security.provider.5=sun.security.ec.SunEC

security.provider.6=com.sun.net.ssl.internal.ssl.Provider

security.provider.7=com.sun.crypto.provider.SunJCE

security.provider.8=sun.security.jgss.SunProvider

security.provider.9=com.sun.security.sasl.Provider

security.provider.10=org.jcp.xml.dsig.internal.dom.XMLDSigRI

security.provider.11=sun.security.smartcardio.SunPCSC

 

The default encryption depends on Sun and SunEC security providers. The list needs to be reordered by moving the first two entries to the last positions:

 

security.provider.1=sun.security.provider.Sun

security.provider.2=sun.security.rsa.SunRsaSign

security.provider.3=sun.security.ec.SunEC

security.provider.4=com.sun.net.ssl.internal.ssl.Provider

security.provider.5=com.sun.crypto.provider.SunJCE

security.provider.6=sun.security.jgss.SunProvider

security.provider.7=com.sun.security.sasl.Provider

security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI

security.provider.9=sun.security.smartcardio.SunPCSC

security.provider.10=com.oracle.security.ucrypto.UcryptoProvider ${java.home}/lib/security/ucrypto-solaris.cfg

security.provider.11=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/sunpkcs11-solaris.cfg

 

Once complete, change the file permissions back to --r--r--r and restart BBjServices.

The default encryption should now work properly.

Passwords

Use passwords with caution. If the password is lost or forgotten the encrypted data cannot be recovered. Furthermore, there is absolutely no way to retrieve or derive a lost password.

To receive the full benefit of using AES-256 instead of AES-128, the password must be a minimum length of 17 characters. BASIS, however, recommends a password of 40 characters.

Notes

  • Field-level encryption on keyed fields prevents the filesystem from iterating through the records on the encrypted keychain. However, exact match finds are still possible.

  • JKEYED files do not currently support file-level encryption.

  • The ENCRYPT() and DECRYPT() functions take strings as parameters; convert all numerics to a string before encrypting it.

  • Some encrypted data is longer than the decrypted version of the data, depending on the encryption algorithm used. For example, encrypting an 18-byte string using AES 128 bit encryption will result in a 32-byte string. This occurrence of longer encrypted data can have an impact on field definitions in files and in string templates. BASIS recommends working with two templates - one for the decrypted version and one for the encrypted version that accommodates for the extra field length.

  • To utilize AES-256 in BBj, the "Java Cryptography Extension (JCE)" module must be installed. These files are available for download at Oracle's Java SE Downloads page under "Additional Resources" near the bottom of the page.