Version 2.00 (7/15/2009)
Posted by Support (Site Admin) on 07/15/09 01:47:31 PM


******************************************************************************
If you already have CRYPTO COMPLETE installed on your System i (iSeries) and
want to see your current installed version, run the command:

DSPDTAARA CRYPTO/VERSION

******************************************************************************


VERSIONS IN DESCENDING ORDER:

Version 2.00 (7/13/2009)

ENHANCE: Created a new command called TRNFLDKEYI which can be used to
easily translate (rotate) the keys used to encrypt the field
values that are stored in the existing database file (internal
storage). This command will read all the records in the file and
will decrypt each field value with the old key and reencrypt the
value with the new key specified.

FIX: When copying a field entry in the Field Registry to another
library, the new external logical library value was not being
updated correctly in the Field Registry.

FIX: When copying a field in the field registry, do not show an error
when the physical file does not exist in the TO Library
and when the TOFLDSTS parameter is set to *INACTIVE.

FIX: Fixed the date and time validations in the PRTAUDLOG (Print Audit
Log) command.

FIX: Corrected the OVRTAPF and OVRDBF parameters for reading and
writing to Tape and Save files for the ENCFIL, DECFIL, ENCOBJ,
DECOBJ, ENCLIB, DECLIB, ENCSAVF and DECSAVF commands.

FIX: Added validation to the TRNFLDKEY (Translate Field Keys) command
to ensure the field identifier is in an *ACTIVE status.

FIX: Added validation to the CHGFLDKEY (Change Field Keys) command
to ensure that the Key encryption algorithms match the
field identifier's encryption algorithm.

Version 1.61 (6/16/2009)

ENHANCE: Within the Advanced encryption/decryption APIs (EncAdv3, EncAdv4,
DecAdv3, DecAdv4), allow specifying the pad option of '2' when
using the AES Algorithm, which will pad the value using a
padding number. See the Programmer's Guide for more details.

ENHANCE: Added a pre-check to ACTFLDENC (Activate Field Encryption) to
verify the key can be used for encryption and that the user is
authorized to encrypt with that key. This validation will run
before any values are encrypted.

ENHANCE: Added a pre-check to DCTFLDENC (Deactivate Field Encryption),
when the values are stored in an external file, to verify all
related keys can be used for decryption and that the user has
authority to those keys. This validation will run before any
values are decrypted.

Version 1.60 (6/8/2009)

ENHANCE: When adding/changing a field in the Field Encryption Registry, you
can specify *CUSP mode for the AES algorithm. CUSP mode produces an
encrypted value that is the same length as the input (plain text)
value. This allows you to encrypt alpha fields of any length and
store the encrypted values within the existing field.

ENHANCE: When adding/changing a field in the Field Encryption Registry, you
can specify an Initialization Vector (IV) for *CBC and *CUSP modes.
The IV serves as an additional input to the AES encryption algorithm
to produce different output (encrypted) values. This is an
additional security mechanism.

FIX: When adding/changing a field in the Field Encryption Registry,
verify the field mask value is not longer than the specified field
length.

FIX: Changed EncAdv3, EncAdv4, DecAdv3 and DecAdv4 to use a default
block length of 32 (versus 16) when the AES algorithm and CUSP mode
is specified and no block length is provided by the programmer.

Version 1.59 (6/3/2009)

FIX: The FNDDBFLD (Find Database Fields) command now bypasses
non-readable files in the search.

Version 1.58 (5/19/2009)

ENHANCE: Allow activating a field in the registry that is stored in a
multi-member file. This is allowed only if the encrypted values are
stored in the existing field.

Version 1.57 (5/11/2009)

ENHANCE: Produce a warning message if adding a field in the registry with an
entered length that is shorter than the actual database field length.

ENHANCE: When decrypting a field's masked value using a key that requires
logging, then indicate in the audit log that only the masked value
was retrieved. In the prior version, you could not tell if the full
or masked value was decrypted.

ENHANCE: Added new command WRKCCALR, which allows authorized users to set up
and maintain Security Alert settings. Security Alerts can be
configured to send immediate notifications when security-related
changes or authority errors occur in Crypto Complete.

Security Alerts can be sent when any changes are performed on the Key
Policy settings, Key Officer settings, Master Encryption Keys, Data
Encryption Keys, Field Encryption Registry entries and Alert
settings. Alerts can also be sent when authority errors occur in
Crypto Complete, such as when an unauthorized user attempts to access
a Key Store.

Alerts can be sent to email addresses, QSYSOPR, QHST log, message
queues and QAUDJRN. Alerts can also be added, changed, displayed and
deleted with the new commands of ADDCCALR, CHGCCALR, DSPCCALR and
DLTCCALR.

ENHANCE: Added new audit types for journal entries that will be created in
the CRJN001 journal:
* 34 Unable to send Security Alert
* 35 Security Alert added (ADDCCALR)
* 36 Security Alert changed (CHGCCALR)
* 37 Security Alert deleted (DLTCCALR)

ENHANCE: For the Advanced encryption/decryption APIs (EncAdv3, EncAdv4,
DecAdv3, DecAdv4), added a new mode of '6' to allow the programmer to
specify CUSP mode. With CUSP mode, the output cipher text will be the
same length as the input plaintext. When using CUSP mode, it is also
important to supply a unique Initialization Vector to provide the
best protection.

ENHANCE: Added a new flag to the Key Officers to indicate if the Officer is
allowed to maintain the Key Policy and Alerts. The name of the flag
is MNTPCYALR. Added this flag to the commands of WRKKEYOFR,
ADDKEYOFR, CHGKEYOFR and DSPKEYOFR.

ENHANCE: Added a new parameter to the ADDFLDENC (Add Field Encryption) and
CHGFLDENC (Change Field Encryption) commands to allow specifying the
Authorization List (AUTLDEC) to use by the field decryption APIs when
decrypting the full values for the field.

ENHANCE: Added a new parameter to the ADDFLDENC (Add Field Encryption) and
CHGFLDENC (Change Field Encryption) commands. This parameter
specifies which Authorization List (AUTLMASK) is used by the field
decryption APIs when accessing the masked values for the field.

ENHANCE: Added new command CHGFLDAUTL (Change Field Authorization Lists) to
allow changing the Authorization Lists for the AUTLDEC and AUTLMASK
parameters. Added to menu CRYPTO4.

ENHANCE: Added new ILE procedure DecFldAuth in service program CRSP505 to
retrieve either 1) the fully decrypted value for the field, 2) the
masked value for the field, or 3) a blank value. The user's authority
to the field is determined by checking the Authority Lists indicated
on the field's AUTLDEC and AUTLMASK settings that are specified in
the Field Encryption Registry. This API can be used when the
encrypted values are stored in the existing file. The corresponding
program API is CRRP638. SQL function is F_DecFldAuth. Stored
procedure is P_DecFldAuth.

ENHANCE: Added new ILE procedure GetEncFldAuth in service program CRSP505 to
retrieve either 1) the fully decrypted value for the field, 2) the
masked value for the field, or 3) a blank value. The user's authority
to the field is determined by checking the Authority Lists indicated
on the field's AUTLDEC and AUTLMASK settings that are specified in
the Field Encryption Registry. This API can be used when the
encrypted values are stored in an external file. The corresponding
program API is CRRP637. SQL functions are F_GetEncFldAuth and
F_GetEncFldAuthChr. Stored procedure is P_GetEncFldAuth.

ENHANCE: Added new ILE procedure DecFldMask in service program CRSP505 to
allow a programmer to retrieve the masked value. This can be used
when the encrypted value is stored in the existing database field.
The DecFldMask has the same functionality as the existing DecFld2
procedure, but now has a more descriptive name.

ENHANCE: Added new SQL function F_DecFldMask and Stored Procedure
P_DecFldMask that allows the retrieval of the masked value for a
field. These can be used when the encrypted values are stored in the
existing file.

ENHANCE: Added new ILE procedure GetEncFldMask in service program CRSP505 to
allow a programmer to retrieve the masked value. This is used when
the encrypted value is stored in a separate external file. The
GetEncFldMask has the same functionality as the existing GenEncFld2
procedure, however it retains the leading zeros when returning the
masked value for numeric data.

ENHANCE: Added new SQL functions F_GetEncFldMask and F_GetEncFldMaskChr, as
well as Stored Procedure P_GetEncFldMask, which allows the retrieval
of the masked value for a field. These can be used when the encrypted
values are stored in a separate external file.

ENHANCE: Added new program API CRRP640 to retrieve the masked value. This
can be used when the encrypted value is stored in a separate external
file. CRRP640 has the same functionality as the existing CRRP624
program, however it retains the leading zeros when returning the
masked value for numeric data.

ENHANCE: Added a new program API called CRRP639 to retrieve the masked
value. This can be used when the encrypted value is stored in the
existing field. CRRP639 has the same functionality as the existing
CRRP623 program.

ENHANCE: ILE procedures DecFldMask, DecFld2, GetEncFldMask and GenEncFld2
were enhanced to check the user's permission to the Authorization
List specified on the field's AUTLMASK parameter. Also placed same
behavior in SQL functions F_DecFldMask, F_DecFldMaskChr,
F_GetEncFldMask and F_GetEncFld2. Also added this behavior to program
APIs CRRP640, CRRP624, CRRP639 and CRRP623. If not authorized, a
message is returned on the API and a journal entry will be written to
the audit file.

ENHANCE: Added new parameters to EncAdv3 and EncAdv4 procedures to allow the
programmer to specify the OutputType (*EBCDIC, *ASCII) and the
OutputFmt (*CHAR, *HEX, *BASE64). The main benefit of these new
parameters is that they allow you to share encrypted data with
non-System i platforms. Performed the same changes to their
corresponding program APIs of CRRP633 and CRRP635.

ENHANCE: Added new parameters to DecAdv3 and DecAdv4 procedures to allow
the programmer to specify the InputType (*EBCDIC, *ASCII) and the
InputFmt (*CHAR, *HEX, *BASE64). The main benefit of these new
parameters is that they allow you to decrypt data that was encrypted
on a non-System i platform. Performed the same changes to their
corresponding program APIs of CRRP634 and CRRP636.

ENHANCE: Deprecated program APIs CRRP629 and CRRP630. Deprecated SQL
functions F_EncAES3 and F_DecAES3. Deprecated Stored procedures
P_EncAES3 and P_EncAES3.

ENHANCE: Created SQL Functions F_EncAdv and F_DecAdv to be able to
encrypt/decrypt data with advanced features. Corresponding stored
procedures are P_EncAdv and P_DecAdv.

ENHANCE: Enhanced the DECFIL (Decrypt File) command to allow the user to
decrypt multiple stream files on the IFS using wildcard criteria.

FIX: On the ENCFIL command, if *DEFAULT is specified as the Key Store,
then it stores the actual Key Store name in the header of the data
being encrypted. This will ensure that the DECFIL command can locate
the appropriate Key Store if the default is no longer specified or
changed.

FIX: On the ENCFIL and DECFIL commands, only allow a log comment to be
specified if a *KEY is indicated. Do NOT allow for a *PASSword.

FIX: Move the edit check for multi-member files from the ADDFLDENC and
CHGFLDENC commands to the ACTFLDENC (activate) and DCTFLDENC
(deactivate) commands.

FIX: Changed the ENCFIL command to store the file's byte count in the
header of the encrypted file. Changed the DECFIL command to decrypt
the file using this byte count in order to preserve the original
length in the decrypted file. This ensures that binary IFS files
(PDFs, Excel, etc.) can be opened properly after they are decrypted.

FIX: On the advanced encryption APIs with the AES algorithm, make sure
the block length parameter is either 0, 16, 24 or 32.

FIX: When a user specifies encryption and decryption keys on the
ADDFLDENC and CHGFLDKEY commands, verify that the key values match.

FIX: When performing mass encryption with the ACTFLDENC command, do not
error out if the length of data is longer than the field length
entered in the field registry. Instead, clear out any remaining bytes
in the field. For instance, if the field length entered in the
registry is 16, but the field length in the database is actually 20,
then it will clear out the remaining 4 bytes in the field.

Version 1.56 (2/18/2009)

ENHANCE: Added a new command named PRTAUDLOG which allows authorized users
to print any audit log entries generated by Crypto Complete. The
PRTAUDLOG command provides selection criteria of from/to dates and
times, user id and audit types. A formatted report will be generated
with the audit details. For each detail record printed, it will
include the audit date, time, user, job name, job number, audit type
and message.

ENHANCE: Added a new command named FNDDBFLD which allows authorized users to
find database files that contain fields that may require encryption.
This is especially useful for finding sensitive fields such as credit
card numbers and social security numbers. With the FNDDBFLD command,
you can search for fields that meet your criteria, such as a type of
field, a certain field length and a range of field values. A
formatted report will be generated with details of any files/fields
found that meet the selection criteria.

ENHANCE: Add a new command IMPPTGKEYS which allows authorized users to
import keys from Protegrity's Enterprise Security Administrator. See
www.Protegrity.com for more details on their enterprise key
management solution.

ENHANCE: Added a new parameter option of KEYVALFMT(*BASE64) to the CRTSYMKEY
(Create Symmetric Key) command, which allows authorized users to
import keys into a Crypto Complete Key Store that are in *BASE64
format. This provides more flexibility for importing keys that were
generated in other key management solutions.

ENHANCE: In the CRTSYMKEY (Create Symmetric Key) command, allow the user to
specify an iteration count up to 50,000 when generating a key using
the GENOPT(*PASS) option. Uses the algorithm specified in RFC2898.

ENHANCE: In the CRTSYMKEY (Create Symmetric Key) command, allow the user to
specify a passphrase and salt in ASCII format using the ASCII(*YES)
option. This is valid when generating a key using the GENOPT(*PASS)
option.

ENHANCE: Generate an audit log entry when a user attempts to access a Key
Store that does not exist.

ENHANCE: Add a new command VFYCRVL001 which allows a user to check the
validity of the CRVL001 validation list, which holds the key
policies, key officers and master keys.

ENHANCE: Added a new procedure named VfyCRVL001 in service program CRSP509
to allow a programmer to check the validity of the CRVL001 validation
list, which holds the key policies, key officers and master keys.
Corresponding program API is CRRP632.

ENHANCE: Added a new procedure named GetFldAttr in service program CRSP505
to allow a programmer to retrieve the attributes for a field registry
entry. Corresponding program API is CRRP631.

ENHANCE: Enhanced the ENCFIL (Encrypt File) command to allow the user to
encrypt multiple stream files on the IFS using wildcard criteria.

ENHANCE: Changed the ADDFLDENC (Add Field Encryption Registry Entry) command
to allow the user to specify a logical file name. This will allow a
user to encrypt only the records that are selected in that logical
file. When using a logical file name, triggers are not allowed for
auto-encryption.

FIX: When using the Field Encryption Registry to set up fields to
encrypt, then use the proper algorithm if AES128 or AES192 is
specified. Also use the proper mode when CBC mode is specified for
AES or TDES algorithms, and use the proper key value if TDES
algorithm is specified. The old behaviors will be preserved for
fields that are currently activated in the registry. However, the new
behavior will be used for any future activations of fields (including
when a field is deactivated and reactivated).

FIX: Fixed a problem with the F_GetEncFldChr (Get Encrypted Field)
procedure, in which it was not returning the decrypted value if
certain conditions were met. This would only affect a customer if the
encrypted values were stored in an external file, and if the index
number was stored (aligned) on the right side of the field, and if
the length of the field was greater than 34 characters.

FIX: Fixed a problem in the SQL update trigger, in which it was not
properly updating a field value if certain conditions were met. This
would only affect a customer if the encrypted values were stored in
an external file, and if the index number was stored (aligned) on the
right side of the field, and if the length of the field was greater
than 13 characters.

FIX: Changed the DSPKEYSTR (Display Key Store) command to show the
proper error message if the MEK version is not found.

FIX: When adding SQL triggers to a file for automated encryption, place
double quotes around the library and file names. This allows for
adding triggers to library/file names that contain special
characters, such as a period.

FIX: When launching the SETMSTKEY command from the CRYPTO2 menu, qualify
it with the library name of CRYPTO. This ensures that the user does
not inadvertently run IBM's SETMSTKEY command that was introduced in
V6R1.

FIX: Added validation to the ENCFIL (Encrypt File) command to verify the
from physical file member exists when FROMTYPE is *PF and the member
name is entered.

FIX: Added validation to the DECFIL (Decrypt File) command to verify the
from physical file member exists when FROMTYPE is *PF and the member
name is entered.

FIX: Deprecated procedures EncAdv1, EncAdv2, DecAdv1, DecAdv2 in CRSP505
and replaced with procedures EncAdv3, EncAdv4, DecAdv3, DecAdv4 in
CRSP510. These were fixed to use the proper algorithm if AES128 or
AES192 is specified. Also fixed to use the proper mode when CBC mode
is specified for AES or TDES algorithms, and fixed to use the proper
key value if TDES algorithm is specified.

FIX: Deprecated programs CRRP610, CRRP611, CRRP612, CRRP613 and replaced
with programs CRRP633, CRRP634, CRRP635, CRRP636. These were fixed to
use the proper algorithm if AES128 or AES192 is specified. Also fixed
to use the proper mode when CBC mode is specified for AES or TDES
algorithms, and fixed to use the proper key value if TDES algorithm
is specified.

Version 1.55 (06/17/2008)

ENHANCE: Increased the speed of the ACTFLDENC (Activate Field Encryption)
command when performing a mass encryption of field values that will
be stored in an external file. It can now encrypt up to 40% more
records in the same amount of time. This will minimize the downtime
on the database file during the activate process.

ENHANCE: Increased the speed of the ACTFLDENC (Activate Field Encryption)
command when performing a mass encryption of field values that will
be stored in the existing customer's file. It can now encrypt up to
54% more records in the same amount of time. This will minimize the
downtime on the database file during the activate process.

ENHANCE: Improved the performance of encryption (which use external files to
store the encrypted values) by keeping the data path to the external
file open between operations.

ENHANCE: Increased the speed of the "Insert" SQL Triggers to be 2 times
faster. This will decrease CPU usage for applications that write
records to a file containing fields that are automatically encrypted
by Crypto Complete.

ENHANCE: Increased the speed of the "Update" SQL Triggers to be 3 times
faster. This will decrease CPU usage for applications that update
records in a file containing fields that are automatically encrypted
by Crypto Complete.

ENHANCE: Increased the speed of the "Delete" SQL Triggers to be 6 times
faster. This will decrease CPU usage for applications that delete
records in a file containing fields that are automatically encrypted
by Crypto Complete.

ENHANCE: Added ability to use commitment control on an external physical
file which stores the encrypted values.

ENHANCE: Added ability to activate (mass encrypt) a field using multiple
jobs, which is especially useful when the file contains millions of
records. Since this option requires some custom programming, please
consult with Linoma Software if you would like to explore this
feature.

ENHANCE: Created new SQL functions called F_ENCAES3 and F_DECAES3 which can
be used to encrypt and decrypt strings of data using the AES
algorithm and a key label. These functions can be called from within
SQL statements. These functions include format options of *HEX and
*BASE64 to allow the cipher text to be changed into a format that
other platforms can work with.

ENHANCE: Created new SQL stored procedures of P_ENCAES3 and P_DECAES3 which
can be used to encrypt and decrypt strings of data using the AES
algorithm and a key label. These stored procedures can be called
using the SQL CALL statement. These procedures include format options
of *HEX and *BASE64 to allow the cipher text to be changed into a
format that other platforms can work with.

ENHANCE: Added program CRRP629 to allow a programmer to encrypt a string
using AES256 encryption and specify an output (cipher) format of
*HEX, *BASE64 or *CHAR.

ENHANCE: Added program CRRP630 to allow a programmer to encrypt a string
using AES256 encryption and specify an input (cipher) format of *HEX,
*BASE64 or *CHAR.

FIX: Added validation to the CPYFLDENC (Copy Field Encryption Entry)
command to not allow the copy of a field with a status of *ERROR or
*PROCESS.

FIX: Add validation to the CPYFLDENC (Copy Field Encryption Entry)
command to not allow the copy of a field when its status is *ACTIVE
and the file does not exist in the TO library.

FIX: Added ability to use the default key store when using the EncAdv2
and DecAdv2 procedures.

FIX: Changed the command ENCFIL parameter of EXPDATE to allow values
other than *PERM.

FIX: When exporting a key with the EXPSYMKEY command, users can specify
*BASE64 format.

FIX: Fixed issue with decrypting data that was backed up using Transfer
Anywhere's SAVOBJENC, SAVLIBENC, and SAVSAVFENC commands with *AES128
and *AES192 algorithms.
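
Added example (not part of the original post and not Linoma's code) for the Version 1.56 CRTSYMKEY notes on GENOPT(*PASS), the RFC 2898 iteration count and ASCII(*YES): it shows why the passphrase and salt encoding must match on both platforms before a passphrase-derived key can be shared. The HMAC-SHA1 PRF, EBCDIC code page 037, the 32-byte key length and all function names are assumptions, and the sample passphrase and salt are constructed.

```python
import base64
import hashlib

MAX_ITERATIONS = 50_000   # upper bound quoted in the CRTSYMKEY release note
EBCDIC_CODEC = "cp037"    # assumption: US/Canada EBCDIC code page
PRF = "sha1"              # assumption: RFC 2898's default PRF, HMAC-SHA1


def to_bytes(text: str, ascii_mode: bool) -> bytes:
    """Encode a passphrase or salt the way the deriving platform sees it."""
    return text.encode("ascii" if ascii_mode else EBCDIC_CODEC)


def derive_key(passphrase: str, salt: str, iterations: int,
               ascii_mode: bool, key_len: int = 32) -> bytes:
    """PBKDF2 (RFC 2898) over ASCII or EBCDIC bytes of the same text."""
    if not 1 <= iterations <= MAX_ITERATIONS:
        raise ValueError(f"iteration count must be 1..{MAX_ITERATIONS}")
    return hashlib.pbkdf2_hmac(
        PRF,
        to_bytes(passphrase, ascii_mode),
        to_bytes(salt, ascii_mode),
        iterations,
        dklen=key_len,
    )


def key_as_base64(key: bytes) -> str:
    """Render key bytes as Base64 text, the form *BASE64 import refers to."""
    return base64.b64encode(key).decode("ascii")


def compare_encodings(passphrase: str, salt: str, iterations: int) -> dict:
    """Derive the key both ways and report whether the results agree."""
    ascii_key = derive_key(passphrase, salt, iterations, ascii_mode=True)
    ebcdic_key = derive_key(passphrase, salt, iterations, ascii_mode=False)
    return {
        "ascii": key_as_base64(ascii_key),
        "ebcdic": key_as_base64(ebcdic_key),
        "match": ascii_key == ebcdic_key,
    }


if __name__ == "__main__":
    # Constructed sample values, not taken from any real key store.
    result = compare_encodings("correct horse battery", "NaCl2009", 50_000)
    for name, value in result.items():
        print(f"{name:>6}: {value}")
```

The two derivations disagree even though the typed passphrase and salt are identical, so a key derived on another platform only matches when both sides agree on encoding, PRF, salt and iteration count.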