Evaluating Your IBM i Encryption Options
September 25, 2017 Alex Woodie
In the wake of the Equifax breach, companies are taking a hard look at their security practices, including the use of encryption that renders data unreadable. While database encryption is not a panacea for securing a Db2 for i database – especially if there are other vulnerabilities in an IBM i system – it can play an important role in protecting sensitive data from leaking out into the world.
Encryption has emerged as a topic in the wake of the massive data breach at Equifax, which lost critical data like names, addresses, and Social Security numbers for 143 million Americans, Brits, and Canadians. The company has admitted that hackers made their way into systems through an unpatched vulnerability in the Apache Struts framework, but it’s unclear whether Equifax had actually encrypted the data. (There are some unverified claims – including one contained in this report from the Institute for Critical Infrastructure Technology [ICIT] that cites claims on the Deep Web purportedly made by the Equifax hackers themselves – that Equifax had encrypted the data but left the encryption keys on the server.)
Customers running the IBM i server have several options when it comes to encrypting data at rest (encrypting data in motion is a separate topic). There are two main approaches customers can take: writing their own encryption routines using technology provided by IBM, or selecting a packaged software offering from a third-party vendor.
IBM provides a variety of methods for encrypting data, including software and hardware co-processors. It sells special hardware, like the PCI-Express Cryptographic Coprocessor 4764, to offload cryptographic workloads from the main Power processor. While the hardware can alleviate the inevitable processing hit of encrypting and decrypting data, it doesn’t eliminate the need to set up and manage the encryption using software.
IBM offers a variety of encryption services for IBM i. Some of these are old, such as Cryptographic Support for AS/400, which was killed after i5/OS V5R4, and CIPHER Machine Instruction (MI), which dates back to the System/38 days. Others, like the Common Cryptographic Architecture (CCA) APIs, were designed to work with older encryption hardware that’s no longer supported, according to the excellent 2014 paper Protecting IBM i Data With Encryption, written by IBMers Kent Milligan and Beth Hagemeister.
The main software-based encryption offering in use from IBM today is the Cryptographic Services APIs, which debuted with OS/400 V5R2 and were designed to replace the CCA APIs. The Cryptographic Services APIs give programmers working in high-level languages access to a variety of encryption-related tasks and workflows in the IBM i environment. The set includes the core encryption and decryption APIs, authentication APIs, key generation APIs, and key management APIs.
The Cryptographic Services APIs support a variety of cryptographic algorithms, including 256-bit Advanced Encryption Standard (AES-256), which is considered the gold standard in security today, as well as older ones like 3DES that are no longer considered secure. They also support an array of hashing algorithms like SHA-256, key exchange algorithms like Diffie-Hellman, and pseudo random-number and key-generation algorithms. While the Cryptographic Services APIs are powerful, working with them requires technical expertise that is beyond the capabilities of many IBM i shops.
Another software option available from IBM is DB2’s set of built-in SQL encryption and decryption functions, which actually use the Cryptographic Services APIs. IBM also offers Java-based encryption extensions for IBM i. Two of the three Java Cryptography Extensions bring Java implementations of cryptography libraries, while the third acts as a bridge to the now-defunct CCA APIs.
With the launch of IBM i 6.1 in 2008, IBM added disk encryption through the new ASP-level encryption feature. This function, which is activated by selecting Option 45 – Encrypted ASP Enablement, allows IBM i users to encrypt all the data stored in a disk pool, or an auxiliary storage pool (ASP), as well as independent auxiliary storage pools (iASPs). This encryption technique works with external storage arrays as well as internal disk, and also works with IBM’s iASP-based high availability setups (i.e. cross-site mirroring, which is now PowerHA). IBM added the capability to turn encryption on and off for disk pools with IBM i 7.1.
Rochester’s most recent software advancement in the encryption space is the DB2 Field Procedure that debuted with IBM i 7.1 in 2010. The “FieldProc” was a game-changer for encryption because it no longer required developers to make extensive changes in their code, thereby opening up encryption to a large class of customers running older applications.
“This is exciting news to those IBM i customers with legacy RPG and COBOL applications that are looking to encrypt sensitive data at rest without any application changes,” Milligan and Hagemeister wrote back in 2014. “All that’s required is registering the FieldProc program object…for those columns containing sensitive data.” Any type of encoding can be performed by a FieldProc program, but IBM expects AES to be the most common.
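The contrast between the built-in SQL encryption functions and FieldProc registration, as an added example that is not from the original article, from IBM, or from the cited paper. The `applib` schema, both tables, the passphrase, and the FieldProc program `seclib.ssnfproc` are hypothetical; the program is assumed to have been written and compiled already.

```sql
-- Constructed example: all object names and values are hypothetical.

-- Approach 1: Db2 built-in SQL encryption functions.
-- The column has to be redefined as binary and sized larger than the
-- plaintext, and every statement that touches it must call the
-- functions explicitly, so existing application code has to change.
CREATE TABLE applib.customer_v1 (
    cust_id   INTEGER NOT NULL PRIMARY KEY,
    cust_name VARCHAR(50),
    ssn_enc   VARCHAR(64) FOR BIT DATA
);

-- Shown inline only for illustration. A passphrase or key kept in
-- source code or on the same server as the data protects very little.
SET ENCRYPTION PASSWORD = 'constructed-passphrase';

INSERT INTO applib.customer_v1 (cust_id, cust_name, ssn_enc)
VALUES (1, 'Sample Customer', ENCRYPT_AES('000-00-0000'));

SELECT cust_id, DECRYPT_CHAR(ssn_enc) AS ssn
FROM applib.customer_v1;

-- Approach 2: FieldProc.
-- The column keeps its original type and length. Registering the
-- program is the only change; Db2 calls it to encode values on write
-- and decode them on read.
CREATE TABLE applib.customer_v2 (
    cust_id   INTEGER NOT NULL PRIMARY KEY,
    cust_name VARCHAR(50),
    ssn       CHAR(11)
);

ALTER TABLE applib.customer_v2
    ALTER COLUMN ssn SET FIELDPROC seclib.ssnfproc;

-- Existing statements (and RPG or COBOL record-level I/O) are unchanged.
INSERT INTO applib.customer_v2 (cust_id, cust_name, ssn)
VALUES (1, 'Sample Customer', '000-00-0000');

SELECT cust_id, ssn
FROM applib.customer_v2;
```

Because a FieldProc decodes for any job that reads the column, who sees plaintext is decided by logic inside the FieldProc program and by object authority, which is the layer the vendor products described below add role-based controls to.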
The FieldProc has also been utilized by third-party software providers, including Linoma Software (now HelpSystems), Townsend Security Solutions, Enforcive (now Vision and Syncsort), and most recently Raz-Lee Software. These vendors have updated their encryption software to support the DB2 FieldProc interface, which further reduces the amount of technical expertise required to use it. “This is a good option for those clients that don’t want to invest in writing their own Fieldproc programs,” Milligan and Hagemeister wrote.
Here’s a quick rundown on the encryption products offered by these vendors:
Enforcive – The company’s Enterprise Security product provides field-level and backup encryption capabilities for IBM i servers. Its database encryption is based on IBM APIs, and supports a range of symmetric key, asymmetric key, and hash cryptographic algorithms, including AES-256 and Elliptic Curve. This product, which is now owned by Vision Solutions and Syncsort following last month’s acquisitions, also offers key management and audit capabilities.
Richard Marko, the director of technical services for security products at Vision Solutions, which recently bought Enforcive, highlights the GUI as an advantage. “It is straightforward to implement because it uses the IBM database feature FieldProc, which provides application independence, and it uses a role-based approach to assigning the field authority,” he says. “It has unlimited two-tier encryption keys, provides segregation of duties option for the data keys, seamlessly integrates with HA solutions, commands are included so encryption can be done from the command line, and offers full auditing and reporting.”
Linoma Software – Crypto Complete provides encryption for data stored within the IBM i server, including DB2 fields, IFS files, and backups. The product builds upon IBM encryption APIs for popular ciphers, including AES-256. The software also offers support for tokenization and data masking, utilizes the new FieldProc for database encryption, and provides an integrated key manager, as well as integration with enterprise key management products from other vendors.
Raz-Lee Security – The encryption module of the iSecurity suite contains two parts. One of them is based on IBM encryption APIs, and utilizes the FieldProc functionality to provide strong (i.e. AES-256) field-level encryption for Db2 for i fields. Its database encryption also supports tokenization, key management, and auditing capabilities. Raz-Lee also provides a file-level encryption capability based on PGP (Pretty Good Privacy) algorithms that’s used for securing the payloads of email messages.
Townsend Security – Alliance AES/400 provides automated encryption and decryption of data residing in IBM i servers. While other vendors’ products use IBM’s Cryptographic Services APIs under the covers, Townsend developed its own cryptographic library and APIs based on AES and other ciphers for this product. The company tells IT Jungle that writing its own libraries gives it a big performance advantage over using IBM APIs. In addition to encryption, the product offers tokenization and data masking capabilities. It also supports the FieldProc and is compliant with FIPS-197 and NIST standards. Townsend also offers enterprise key management functionality.
“We use AES, but we wrote our own encryption library,” Patrick Townsend, the CEO and founder of Townsend Security, says. “It’s blindingly fast: 115 times faster on Power6 and Power7, and even on Power8, which has AES encryption on the chip, it’s 50X faster.”