Tokenized Encryption: System/Control Interface Call Parameters
The previous article in this series examines batch-to-online interface options and call parameters used between batch programs and an online cryptographic interface. A comprehensive cryptographic interface must support online, batch, and system/control (hereafter referred to as syscontrol) processing scenarios. Simplifying matters somewhat, syscontrol lends itself primarily to online processing, so most batch issues are nonexistent. Like other interfaces, each environment has unique requirements but shares common functions like tokenization, decryption and recryption, but syscontrol also includes encryption key, hardware, cryptographic and system management functions like security and debugging.
This article discusses a variety of syscontrol functions, related considerations and call parameters. This interface is mainframe-based, oriented to CICS Transaction Server, but principles and concepts apply to all processing platforms; syntax, call parameters and implementation may vary.
A call parameter is a special kind of program variable used in virtually any language or platform, a universal mechanism for passing information between programs, routines, subroutines, functions, etc., of identical or different languages. A call—sometimes known as link, invocation or branch—is a mechanism for passing control between program objects. When the called object completes, control passes back to the calling program’s next sequential instruction, with call parameters providing requested results.
The Cryptographic Interface
The cryptographic interface has three basic components:
An online subsystem provides real-time tokenization of credit card (CHD) and checking account (CAD) data for processes like order entry or authorization. Work is processed and files or databases are updated immediately. Workflows are initiated to complete the process.
A batch subsystem processes record groups called batches. Because batch and online contend with one another, the cryptographic batch subsystem took two forms addressing different concerns.
A control subsystem provides the following facilities: cryptographic utilities, administrative tools, diagnostic functions, testing tools, switching cryptographic product options, dynamic encryption key changes, report generation and search capabilites.
It’s necessary to provide contextual information that illuminates how functions work and why they're needed:
Mnemonics DIF, SIF and SMF provide dynamic switching between encryption products, a requirement when only some of the processors in a complex are equipped with a specialized, high-performance cryptographic satellite processor. IBM’s Integrated Cryptographic Service Facility (ICSF) supports a cryptographic processor. Disaster recovery sites may not have a cryptographic processor installed on the mainframe where the client's workload has to run. Advanced Software Products Group’s MegaCryption performs software-based cryptography, which entails more overhead but provides the capability to run on any mainframe. Thus, a simple switching capability between the two products was necessary.
If an encryption key breach is detected, mnemonic CEK is used to promptly switch to a new key, and new sensitive data is written to a fallback file. Current sensitive data is taken offline and recrypted with the new key. During a slow period, both files are merged into a new, secure token file.
Some functions are limited to select managers. A transaction identifier (TRANSID) with specific security classes and/or operator IDs via an EXEC CICS START of the TRANSID invokes Security Manager software to begin a security check. If the operator isn’t authorized, the transaction is abnormally terminated.
Syscontrol Cryptographic Interface Call Parameters
Three parameters are passed to the batch cryptographic interface:
PCI-RECORDS-TO-PROCESS: This 3-byte numeric field is only used for EXCI batch. It has a default value of 1. It specifies the number of credit card (CC#) and/or CAD numbers in TN001BC-PCI-CARD-OR-TOKEN to be processed before issuing a CHECKPOINT, which releases record locks.
PCI-CARDNUM-OR-TOKEN(index): This 16-byte alphanumeric field contains CHD or CAD for tokenization, returning token number. The order number may also be passed.
PCI-REQUEST-MNEMONIC: This 3-byte alphanumeric field contains mnemonic specifying operation to perform.
Like what you just read? To receive technical tips and articles directly in your inbox twice per month, sign up for the EXTRA e-newsletter here.