Cryptography and the AS400

IBM i

Sep 28

Cryptography isn't the art of keeping dead bodies in a crypt

I must admit to being a little baffled by cryptography, data encryption and all that SSL nonsense… so this was very interesting to read:

Cryptography and the AS/400

Question: I need some help. I have AS/400 F20 in central site and about 30 terminals and PC connected to it by several HDLC lines or X.25 satellite lines. I’m looking for companies offering cryptographic modems, cryptographic cards, ciphering programs or other solutions providing security in this system.

Answer: For AS/400, there are 2 different cryptography products available. The first is Cryptographic Support/400. This is a software implementation of the DES. It contains around 10-12 API verbs for encipher/decipher, PIN functions, MAC functions, and some key management. The second product is the Cryptographic Processor, feature 2620 (or 2628) along with PRPQ IBM Common Cryptographic Architecture Services/400. This is a hardware implementation of DES. On V3R1, the RSA public key algorithm is also supported. The PRPQ contains CL commands for initializing and starting the processor, 99 API verbs, and key storage. The API is a superset of IBM’s Common Cryptographic Architecture and contains support for encipher/decipher, MAC functions, MDC, PIN functions, digital signatures, and key management including ANSI X9.17.

Both products have US Export restrictions. Generally, they may only be exported to financial institutions or US subsidiaries. Feature 2628 is available, however, for customers that are not one of the above. Feature 2628 uses Commercial Data Masking Facility (CDMF) for the data privacy verbs.

For PCs, there are a number of encryption products available. The IBM Workstation Security Services Program together with the Cryptographic Adapter provides the same support and API as the PRPQ and Cryptographic Processor for AS/400.

Here’s a brief description of IBM’s crypto product offering:

IBM Cryptographic Support/400 Version 3 Program Number 5763-CR1
The IBM Cryptographic Support/400 program provides support for the encryption and decryption of data and facilities to assist the user in managing cryptographic keys. The encryption and decryption are performed in accordance with the American National Standard Data Encryption Algorithm/Data Encryption Standard (DEA/DES).

(Note: This response is now outdated. IBM’s Cryptography offerings have been substantially revised).

Question: Does anyone know if PGP (Pretty Good Privacy) has been ported to the AS/400? (asked 2/6/96)

Answer 1. I’ve ported PGP 2.6.2 to my system and recompiled most of the code. There are several items that needed to be completed if I am to make this package functional on the AS/400. They are as follows:

1. Resolve programs that didn’t compile for whatever reason. (About 4-6)
2. Provide some form of coded character set id or conversion for the ASCII to EBCDIC problem.
3. Make the PGP functions more compatible with the AS/400 technique for executing software packages.
4. Get some beta test users who want to test the heck out of this.
As with Zimmermann’s PGP, source will be provided… No MI compiler will be needed.

Steve Glanstein

(Note: Steve was unable to complete the port at this time and apparently abandoned the effort. He did, however, provide a very good lab at COMMON on using the PC version of PGP. More recent midrange-l discussions (8/99) indicate renewed interest in use of this product, but no available port).

Question: Does anybody have any ideas on how to encrypt a file in such a manner that the AS/400 can decrypt it with no user intervention?

Answer 1. How about a batch job on the PC that performs the encrypt, and then runs an ftp script. The script sends the file, then does a quote/rcmd to force the process on the 400. This process can also provide notification on the 400 that the file was received.
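The ASCII-to-EBCDIC problem from the PGP port above bites this unattended pipeline too: if the PC-side script pushes the ciphertext with a text-mode FTP transfer, the code-page translation and line-ending conversion silently corrupt it and the job on the 400 ends up decrypting garbage. The Python below is an added illustration, not code from the FAQ or from any IBM product; the text-mode transfer is modelled with Python's cp1252 and cp037 codecs, and the armour wrapper with its digest line is a hypothetical, simplified stand-in for PGP's radix-64 armour.

```python
import base64
import hashlib

# Constructed stand-in for a ciphertext blob: every byte value once, plus a
# CR/LF pair, since real ciphertext is indistinguishable from random bytes.
SAMPLE_CIPHERTEXT = bytes(range(256)) + b"\r\n"

def text_mode_transfer(payload: bytes) -> bytes:
    """Model an FTP ASCII-mode transfer from a Windows PC to an AS/400.

    The client reads the bytes as Windows text (cp1252) and normalises line
    endings; the server stores them in EBCDIC (cp037). Bytes that are not
    valid text are replaced, so the transfer is lossy for binary data.
    """
    as_text = payload.decode("cp1252", errors="replace").replace("\r\n", "\n")
    return as_text.encode("cp037", errors="replace")

def read_back_on_host(stored: bytes) -> bytes:
    """What a job on the AS/400 gets when it converts the EBCDIC file back."""
    return stored.decode("cp037").encode("cp1252", errors="replace")

def survives_text_transfer(payload: bytes) -> bool:
    """True only if the bytes come out of the modelled transfer unchanged."""
    return read_back_on_host(text_mode_transfer(payload)) == payload

def armor(ciphertext: bytes) -> bytes:
    """Hypothetical radix-64 wrapper (simplified stand-in, not PGP's format).

    Base64 letters, digits, '+', '/' and '=' are invariant across ASCII and
    EBCDIC code pages, so the text survives translation. The SHA-256 line
    lets the receiving job refuse a damaged file before it decrypts.
    """
    digest = hashlib.sha256(ciphertext).hexdigest().encode("ascii")
    body = base64.b64encode(ciphertext)
    return b"\r\n".join([b"-----BEGIN ARMOR-----", body, digest,
                         b"-----END ARMOR-----", b""])

def dearmor(received: bytes) -> bytes:
    """Unwrap and verify; raises rather than decrypting a corrupted file."""
    lines = received.decode("ascii").splitlines()  # tolerant of CRLF vs LF
    body, digest = lines[1], lines[2]
    ciphertext = base64.b64decode(body)
    if hashlib.sha256(ciphertext).hexdigest() != digest:
        raise ValueError("integrity check failed; not decrypting unattended")
    return ciphertext
```

Send the armoured file (or the raw ciphertext in binary mode) and have the job triggered by the rcmd call dearmor before it decrypts, so a corrupted or truncated file fails closed instead of being processed.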

Answer 2. Another option is to use a VPN over the Internet, using NT PPTP on the server side and the PPTP (VPN) client that comes with Windoze on the client side. The raw performance is not as good as a straight connection to our AS400 via the Internet through our proxy server, but for secure access to all the services on our network, it works fine. Other VPN products (such as the one from Checkpoint, maker of Firewall-1) could work as well.

Question: I have currently done a VPN setup for a host-to-host connection, but unfortunately I made a wrong set of VPN configuration settings and right now we can’t access the AS/400 through any TCP/IP connection. How can we reset the VPN configuration, when to do that we have to access the CA Express Operations Navigator, which is one thing we can’t do right now? Is there any other setup alternative through a 5250 session? (12/99)

Answer: Use the RMVTCPTBL command to remove the filter rules you created on your line; you’ll need to do this from the console or a non-IP device. This should allow you to return to normal operation using the line.


About the Author

IBM i Software Developer, Digital Dad, AS400 Anarchist, RPG Modernizer, Alpha Nerd and Passionate Eater of Cheese and Biscuits. Nick Litten Dot Com is a mixture of blog posts that can be sometimes serious, frequently playful and probably down-right pointless all in the space of a day. Enjoy your stay, feel free to comment and in the words of the most interesting man in the world: Stay thirsty my friend.