1.  Home
  2. MI400
  3. August 2001

Re: CIPHER

This is a multipart message in MIME format.
--
[ Picked text/plain from multipart/alternative ]
Hello Steve, See my responses below.

---------------------------------------
Hi Beth,

Thanks for the post.

So if I want to implement private key/public key encryption, where as i
understand it, the public key encrypts the data and the private key
unencrypts it, ( and the reverse where the private key encrypts and the
public key unencrypts ), ....  the CIPHER operation will do this?

    No. The CIPHER instruction does not support any Public Key Algorithms
(PKA).

Is that how ssl and vpn encryption work:  public key and private key?

    Yes.  SSL and VPN use RSA.  Although CIPHER does not support RSA,
there are actually 3 implementations of RSA in v5r1. 1) It is implemented
in SLIC within the BSAFE toolkit which comes from RSA Inc.  However, our
contract with RSA Inc. does not allow us to open up the BSAFE function for
customer apps without significant value add.  2) RSA is supported on the
4758 crypto card with a set of APIs available in the OS/400.  3) RSA is
implemented within JCE.

If so, could you specify which CIPHER algorithm is used, or is most
common?

        DES has been the standard encryption algorithm for many years and
consequently it is probably used in more applications than any other.
However, it's level of security is outdated.  A new algorithm, called AES,
has been selected by the government to replace DES.  NIST selected the AES
algorithm last fall at which time we pushed it into v5r1.  According to
NIST's schedule, AES was to be officially approved this summer, but it has
not happened yet.  It is possible the algorithm will be approved with
changes at which time we would ptf the changes into v5r1.

Also, the encryption key lgth.  Is that what the bit nbrs ( 56 bit, 128
bit, ... ) refer to?  Are there still laws that limit the nbr of bits?

        Yes, the bit numbers refer to key length.  The encryption functions 
(DES, TDES, RC4, AES) are under U.S. export and
some foreign import restrictions.  To enable these functions you must
install 5722-AC2 (for 56-bit strength) or 5722-AC3 (for 128-bit strength).
 AC2 and AC3 are no-charge LPs.  Because of recent legislation these
restrictions are much more relaxed and even AC3 is available to most
customers in most countries. Actually, the AC3 product enables longer key
lengths than 128-bit for some algorithms in some cryptographic service
providers.

If you have any code samples, I would be interested in seeing them.

        I can probably get you a code sample in C.  Any particular
algorithm?

Thanks,

Steve Richter


---------- Original Message ----------------------------------
From: "Beth Hagemeister" <hag@us.ibm.com>
Reply-To: mi400@midrange.com
Date: Tue, 21 Aug 2001 11:44:05 -0500

>This is a multipart message in MIME format.
>--
>[ Picked text/plain from multipart/alternative ]
>For your information -
>
>In v5r1 several new algorithms were added under the CIPHER MI
instruction,
>which now supports the following:
>
>DES - Functions: encrypt, decrypt, MAC.  Key: 56-bit. Modes: ECB, CBC,
>OFB, CFB 1-bit, CFB 8-bit, CFB64-bit.  Padding. Requires installation of
>AC2 or AC3 LP.
>
>TDES - Functions: encrypt, decrypt, MAC.  Key: 56-bit, 112-bit, 168-bit.
>Modes: ECB, CBC, OFB, CFB 1-bit, CFB 8-bit, CFB64-bit.  Padding. Requires
>installation of AC2 (56-bit key - equivalent to single DES) or AC3 LP.
>
>RC4compatible - Functions: encrypt, decrypt. Key: 1-256 bytes.
>
>AES - Functions: encrypt, decrypt, MAC.  Key: 128-bit. Modes: ECB, CBC.
>Block size: 16, 24, 32 bytes.  Requires installation of AC3 LP.  Warning:
>AES algorithm and modes are not yet approved standards and could change
in
>the future.
>
>MD5 - Functions: hash, HMAC.
>
>SHA1 - Functions: hash, HMAC.
>
>crypt(3) - This is a string encryption algorithm used on UNIX systems for
>password authentication.  It is based on DES.
>
>pseudorandom number generator - Functions: generate numbers, add seed.
>These functions are also available via 2 new APIs.  Uses FIPS 186-1
>algorithm.  Collects seed automatically and will use a 4758 crypto card
if
>one is available on the system.
>
>The QSYSINC/MIH.CIPHER header file has been updated to reflect these new
>algorithms.
_______________________________________________

Beth Hagemeister
iSeries Cryptographic Services

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow-Ups:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.