
Tokenized Encryption: Cryptographic Documentation Is Necessary

Cryptographic Documentation

Functions

The interface provided a total of 26 cryptographic or PCI compliance-related functions, each identified by a 3-character mnemonic. For example, the mnemonic DCO represented the function that decrypted a credit card number (CC#) and passed it to a calling program, while TKC encrypted a CC#. DCE and TCK provided the same functions for CAD. A more general function, FSN, provided the first six digits of a CC# to the program, OPN opened the token file in read-only mode and CEK changed an encryption key value. The full range of functions was covered in three previous articles:

  1. Tokenized Encryption: Online Interface Call Parameters
  2. Tokenized Encryption: Batch Interface Call Parameters
  3. Tokenized Encryption: System-Control Interface Call Parameters

Subroutines

The cryptographic interface was a collection of subroutines that performed different—sometimes overlapping—functions, and programmers needed to determine which subroutines could accomplish particular tasks. So the third section described the subroutines in detail. Nine subroutines were available, some of which could function as standalone programs:

    • CIF00001 was the subroutine invoked by CICS TS programs, either via a dynamic or static COBOL CALL or through an EXEC CICS LINK command. In all three cases, data was passed between programs using the CICS Commarea, DFHCOMMAREA. Batch programs could invoke CIF00001 via an EXEC CICS LINK. In all cases the CICS Translator had to translate the source code before it could be compiled by the COBOL Compiler. Instructions on all of this, as well as on data passage, were included.
    • CIF00002 was invoked by another batch program via COBOL CALL to perform read-only functions such as opening and closing files, accessing the token file and decrypting—but not encrypting—CHD, CAD or SSN before passing it to the calling program. It also retrieved a credit card’s first six and/or last four digits, order number or other token record data. Directions on subroutine usage were provided.
    • CIF00011 decrypted CHD and CAD transmitted from a website. The website encrypted the data using an asymmetric key. Immediately upon landing on the mainframe, a batch program called CIF00011 to asymmetrically decrypt the sensitive data.
    • CIF00012 encrypted CHD and CAD using the token file’s symmetric key immediately after CIF00011 decrypted it, all within the same batch program.
    • CIF00080 encrypted CHD and CAD that was entered via a data entry system, invoking CIF00001 to perform the cryptography.
    • CIF00098 re-encrypted all sensitive token file data, decrypting each record with the current encryption key and then encrypting it with a new encryption key, either during an encryption key cutover or after a data breach.
    • CIF00099 provided testing facilities, retrieval and decryption, reporting and other functionality, including the WZRD transaction (see Tokenized Encryption: Real-Time System Control).
    • CIF00200 was a report generation program, producing both standardized and ad hoc reports.
    • CIF00097 was a special-purpose file repair utility.

Documentation Is Vital

While staff members come and go, comprehensive documentation provides consistency and continuity. Especially during an emergency such as a sensitive data breach, high-quality documentation provides near-instantaneous answers to vital questions that could otherwise consume precious time to ascertain, allowing a well-trained staff to minimize or prevent the terrible consequences of theft, disruption, or destruction of vital, irreplaceable sensitive data.

The remaining three CPCICI User’s Guide sections and the compendium will be covered in the next article.
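To make the division of labor among the functions and subroutines described above concrete, here is an added Python example (not CPCICI code) of a hypothetical token vault: a TKC/DCO-style tokenize and detokenize pair, an FSN-style first-six lookup that needs no key, and a CIF00098-style recryption of every record onto a new key. The symmetric cipher, the record layout and the assumption that the first six and last four digits are stored in the clear are the example's own, not the product's.

```python
import hashlib
import hmac
import secrets

# Stand-in symmetric cipher built from HMAC-SHA256 (keystream plus tag); used only
# because the standard library has no AES. It is an assumption, not the CPCICI cipher.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or altered token record")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class TokenVault:
    """Hypothetical token file: each record holds the encrypted CC# plus the
    clear first six and last four digits, so FSN-style lookups need no key."""
    def __init__(self, key: bytes):
        self.key, self.key_id, self.records = key, 1, {}

    def tokenize(self, pan: str) -> str:        # TKC: encrypt CC#, hand back a token
        token = secrets.token_hex(8)
        self.records[token] = {"key_id": self.key_id, "blob": encrypt(self.key, pan.encode()),
                               "first6": pan[:6], "last4": pan[-4:]}
        return token

    def detokenize(self, token: str) -> str:    # DCO: decrypt CC# for the caller
        return decrypt(self.key, self.records[token]["blob"]).decode()

    def first_six(self, token: str) -> str:     # FSN: read-only, no decryption
        return self.records[token]["first6"]

    def rekey(self, new_key: bytes) -> int:     # CIF00098: decrypt with current key,
        self.key_id += 1                        # re-encrypt with the new one, every record
        for rec in self.records.values():
            pan = decrypt(self.key, rec["blob"])
            rec["blob"], rec["key_id"] = encrypt(new_key, pan), self.key_id
        self.key = new_key
        return len(self.records)
```

After `rekey`, records authenticate only under the new key, which is the check a cutover procedure should run before the old key is retired.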

Jim Schesvold is a technical editor for IBM Systems Magazine. Jim can be reached at jschesvold@mainframehelp.com.
