Previous | Contents | Index |
AES (and DES) keys are deleted or removed with the encrypt command-line qualifier /REMOVE_KEY or with the API ENCRYPT$DELETE_KEY( ):
$ ENCRYPT/REMOVE_KEY KEYNAME /AES |
The user’s secret key is encrypted with a master key and stored in a logical name table (PROCESS, JOB, GROUP or SYSTEM---ENCRYP$SYSTEM table), the default is the PROCESS logical name table. To delete a key in a table other than the PROCESS logical name table, the appropriate qualifier (/JOB, /GROUP, or /SYSTEM) must also be specified in the ENCRYPT /REMOVE_KEY command.
Because the user’s secret key name is unique, only one key with the
same name can exist in the same logical name table, whether this is a
DES key or an AES key. This means that the /AES qualifier is
unnecessary, although it is implemented nevertheless.
3.5.9 ENCRYPT$DELETE_KEY( ) API
To remove the key from the logical name table with the Encrypt API, specify the name of the key to be deleted. The flags specify which logical name table.
ENCRYPT$DELETE_KEY (key-name , key-flags) |
The following AES mask can be used in addition to (OR with) other flags for the key-flags parameter (as a longword by reference). An associated AES key value can be used for testing the bit within the program. Use the KEY_AES key flag to specify an AES key with the ENCRYPT$DEFINE_KEY( ), ENCRYPT$DELETE_KEY( ), and ENCRYPT$GENERATE_KEY( ) APIs.
Once a key has been created, a user can encrypt and decrypt files. This can be accomplished at the command line with the ENCRYPT and DECRYPT commands, or by using the ENCRYPT$ENCRYPT_FILE() API.
File encryption encrypts RMS files in fixed-length, 512-byte records. The file characteristics and attributes of the file are preserved, for example, the file creation and modify date, and whether the file was organized as sequential or indexed, and its record format (STREAM_LF, VAR, or other). A user specifies a key to be used for the encryption of a file and a data algorithm. But, the user's key is used to encrypt the random key, initialization vector (IV), and data algorithm in the random key record. Using the data algorithm specified by the user, it is the random key that encrypts the file's attributes and feature records and its data records, .
When decrypting the file, the key that the user specifies is used to
decrypt the random-key record, which retrieves the random (data) key,
IV, and data algorithm. Then the file attributes, feature records, and
data records are decrypted with the random key, IV, and data algorithm
from the fixed-length 512-byte records, and then restored to its
original format and
3.5.10.1 File Encrypt and Decrypt Default Mode---DESCBC
By default, when encrypting a file from the command line, Encrypt uses the DESCBC algorithm to encrypt the file. That is, if a key or data algorithm is not specified on the command line, the DESCBC algorithm and mode is used.
An example that encrypts the file file-name using the key key-name to an output file with the file name of file-name using DESCBC is:
$ ENCRYPT file-name key-name |
The following command is used to decrypt the file with DESCBC:
$ DECRYPT file-name key-name |
To select an algorithm other than the DESCBC default when encrypting files, Encrypt accepts the data and key algorithm qualifiers with the DCL ENCRYPT command and the key algorithm qualifier with the DECRYPT command.
When encrypting files with AES, specify both /DATA_ALGORITHM=AESmmmkkk and /KEY_ALGORITHM=AESmmmkkk:
Encrypt expects that the key matches the key algorithm. An AES key must be used with an AES key algorithm, and a DES key must be used with the DES key algorithm. Although the data algorithm will default to DES if the /DATA_ALGORITHM=AESmmmkkk is not specified for the ENCRYPT command. The same holds true when working with DES keys and KEY_ALGORITHM=DES, the data is protected with a strong algorithm, but the key is not.
The capability of mixing AES with DES key and data algorithms has been disabled in OpenVMS Version 8.3, and any attempt to do so result in an ENCRYPT$_AESMIXDES error condition. |
When decrypting files with AES, specify only the /KEY_ALGORITHM=AESmmmkkk qualifier. That is because the key algorithm is used to decrypt the random-key record that contains the random key that is then used to decrypt the data records of the file. Specifying the data algorithm is not necessary and, in fact, gives an unrecognized-qualifier error message.
For an encrypt operation, if the /DATA_ALGORITHM=AES is specified without the /KEY_ALGORITHM, an error occurs. The default algorithm DESCBC is used to encrypt the random key record that contains the random key and file information. However, Encrypt expects that the user’s key matches the KEY algorithm; if not, an error occurs. That is, if the key-name is an AES key name and value, when the key is fetched from the logical name table and then is decrypted with the DES master key, the key decrypts garbage, and the operation fails with:
|
ENCRYPT /DATA_ALGORITHM=AES /KEY_ALGORITHM=AES
AES has a default encryption and decryption routine (AESCBC128) that is used when AES is specified without a mode and key size (that is, only /AES is specified). This could be used as a shortcut for AES file encryption. For example:
$ ENCRYPT file-name key-name /KEY=AES /DATA=AES |
To select an algorithm other than the DESCBC default when decrypting files, Decrypt accepts only the key algorithm qualifier with the DCL DECRYPT command. When decrypting with AES, specify only the /KEY_ALGORITHM=AESmmmkkk qualifier, where mmm defines the AES mode
Only the key algorithm needs to be specified. The data algorithm is
stored with other file information in the encrypted file within a key
record. The key record was encrypted with the user-specified encryption
key when the file was encrypted. During the decrypt operation, the
user’s key is used to decrypt the key record that contains the data key
(a random key generated during the encrypt), along with its algorithm
is then used to decrypt the remaining data records in the file.
3.5.11 ENCRYPT$ENCRYPT_FILE() API
AES File Flag
This is the command format for the ENCRYPT$ENCRYPT_FILE() API:
ENCRYPT$ENCRYPT_FILE(input-file, output-file, key-name, algorithm, file-flags, item-list ) |
There is an additional FILE_AES flag mask (and value) that is used with the ENCRYPT$ENCRYPT_FILE( ) API when encrypting files using an AES algorithm. The ENCRYPT$ENCRYPT_FILE_FLAGS are used to control file operations such as cipher direction, file compression and so on. The FILE_AES flag controls file AES initialization and encryption operations, and also to flag an AES key:
The optional item list is used to override the data algorithm
parameter. The intent is to substitute one algorithm for another that
is similar in function but different in name. You override the name of
the algorithm in the random-key record with the name of the algorithm
provided by the user in the override descriptor. This provides a way to
open files that were encrypted with algorithm name that may be
different than the algorithm name in the
3.5.12 Record Encryption/Decryption
File records can be encrypted and decrypted with the Encrypt API:
ENCRYPT$ENCRYPT_ONE_RECORD (input, output, key-name, algorithm) ENCRYPT$DECRYPT_ONE_RECORD (input, output, key-name, algorithm) |
To utilize AES for one record ciphers, an AES key must first be created, which is stored in the logical name table (encrypted). The key name of an AES key is specified and an address of a descriptor that contains the ASCII text for the selected AESmmmkkk (mode and key size) algorithm. Note that the input and output buffers (descriptor addresses) are also provided.
These one-record APIs assume that a key already exists in the logical name table key storage. These APIs are primarily used to encrypt and decrypt small amounts of data or only a few records. This is because there are overhead operations involved when calling the ENCRYPT$ENCRYPT_ONE_RECORD( ) API. Calling this API also calls the ENCRYPT$INIT(), ENCRYPT$ENCRYPT() or ENCRYPT$DECRYPT() function, and the ENCRYPT$FINI() function. An INIT, DECRYPT, and FINI function are also called recursively within the first INIT to decrypt the key in logical name storage, using the key name specified by the user in the key-name parameter.
HP recommends that you do not use the
ENCRYPT$xxCRYPT_ONE_RECORD() calls if many records need to be
enciphered or deciphered. Instead, HP recommends that the
ENCRYPT$ENCRYPT() and ENCRYPT$DECRYPT() API functions be used for
normal operations. This implies that the ENCRYPT$INIT() function is
also used to initialize the context prior to encryption or decryption,
and that the ENCRYPT$FINI() API is used to free memory structures prior
to application exit.
3.5.13 Data Encryption/Decryption
The ENCRYPT$ENCRYPT() and ENCRYPT$DECRYPT() routines are used by applications to cryptographically process up to 64K bytes of data.
ENCRYPT$ENCRYPT (context, input, output [,output-length] [,initialization-vector] ENCRYPT$DECRYPT (context, input, output [,output-length] [,initialization-vector] |
These routines require initializing an encryption context with ENCRYPT$INIT() routine, prior to calling ENCRYPT$ENCRYPT() or ENCRYPT$DECRYPT() to encipher or decipher the data blocks. The ENCRYPT$FINI() routine is called at the end to free the context data structures.
The output buffer must be able to accommodate a padded block to an increment of the block length. For AES, this is 16 bytes (8 bytes for DES). The output-length value and initialization-vector (IV) parameter are optional. The output-length is the number of bytes written (encrypted or decrypted).
The AES IV is a reference pointer to a 16-byte value. Internal
structures have been expanded to accommodate AES. The DES IV is a
quadword reference to an 8-byte value.
3.5.14 Lengths and Block Mode Padding
The AES block-mode algorithms (AESCBCxxx and
AESECBxxx pad the data to even 16-byte block boundaries. For
AES, 1 byte encrypts and decrypts to 16 bytes, 72 bytes to 80, and so
forth. The AES padding character is a hexadecimal number of bytes
indicating the number of bytes padded. For example, the 1-byte encrypt
pad would be 15 characters of 0F following the 1 encrypted byte of data
(08 08 ... 08) of 8 bytes following the 72 bytes of data. DESECB and
DESCBC modes always pad with characters of zeros. The character stream
modes (AESCFBxxx, AESOFBxxx, DESCFB) do not pad the
data and the output-length parameter matches the actual number
of bytes.
3.5.15 New AES Encryption Key, Flag Mask, and Value
There are no new AES encryption API routines. However, to accommodate the AES algorithm and the various key-length values, an additional AES key and AES file flag mask and value are added to OpenVMS Version 8.3.
The AES algorithm, mode, and a key length (128, 192, or 256 bits) are specified in the algorithm parameter for the ENCRYPT$ENCRYPT_FILE( ), and ENCRYPT$INIT( ) APIs, or the are specified in the algorithm-name parameter for the ENCRYPT$GENERATE_KEY( ) API. This parameter is in the form of a character string descriptor reference (pointer), as follows:
AESCBC128 is the default cipher and is also used for encryption and decryption of the user’s key for storage of logical names. These ciphers are searched in the order in which they are stored in their algorithm table (as listed) within the new image file SYS$SHARE:ENCRYPT$ALG$AES.EXE file. |
The following AES encryption operations are not supported and, therefore, are not recommended:
$ encrypt /AUTHENTICATE /UPDATE *.exe KeyName /out=tt: |
The following sections describe enhancements to the Monitor utility.
3.6.1 Align Command (I64 Only)
The Monitor utility has been enhanced to display information about alignment faults. This new MONITOR ALIGN command is valid only on OpenVMS for Integrity servers and helps troubleshoot performance problems on Integrity server systems.
The MONITOR ALIGN class displays a rate of alignment faults for each mode (kernel, executive, supervisor and user) along with the total alignment faults per second. If the alignment fault rate per second is very high, use the Alignment Fault utility (FLT), which is run through SDA, to analyze the cause of the alignment faults.
On Integrity server systems, all alignment faults are handled by the operating system, hence counters can be incremented to track the alignment fault rate. On Alpha, alignment faults are fixed in PALcode in the console so counters cannot be ticked without much overhead. For this reason, the MONITOR ALIGN command is only available on Integrity servers.
The header include file $MONDEF has also been enhanced to include the record definitions for the new ALIGN class. Previously, the constants for each class type record have not been provided, but in Version 8.3 $MONDEF also includes the symbolic constant definitions for the class numbers as MNR_CLS$K_xxx.
Note the following example:
$ monitor align ALIGNMENT FAULT STATISTICS on node MTDIB9 11-JAN-2006 16:58:07.25 CUR AVE MIN MAX Kernel Alignment Faults 19529.00 19529.00 19529.00 19529.00 Exec Alignment Faults 7581.00 7581.00 7581.00 7581.00 Super Alignment Faults 0.00 0.00 0.00 0.00 User Alignment Faults 164972.00 164972.00 164972.00 164972.00 Total Alignment Faults 192082.00 192082.00 192082.00 192082.00 |
The four new classname qualifiers for the MONITOR utility PROCESSES class can be used to monitor per-process-based modes usage. They are useful in helping to identify the top consumers of the various CPU modes. If, for example, the MONITOR MODES command shows that an excessive amount of supervisor mode is being used, the new MONITOR PROCESSES/TOPSUPERVISOR display will reveal which process---and hence, which user---is responsible.
The new qualifiers are described in the following table:
Command and Qualifier | Description |
---|---|
MONITOR PROCESSES /TOPKERNEL | Top kernel mode usage per process |
MONITOR PROCESSES /TOPEXECUTIVE | Top executive mode usage per process |
MONITOR PROCESSES /TOPSUPERVISOR | Top supervisor mode usage per process |
MONITOR PROCESSES /TOPUSER | Top user mode usage per process |
See the HP OpenVMS System Management Utilities Reference Manual, in the MONITOR chapter, for more detailed
information.
3.6.3 MONITOR PROCESSES/TOPSUPERVISOR Example
The new MONITOR PROCESSES/TOPSUPERVISOR qualifier allows you to see which processes are top consumers of CPU in supervisor mode. For more information about these qualifiers, see the HP OpenVMS System Management Utilities Reference Manual.
The following example will appear in the section "Using Live Display Monitoring" in the chapter "Getting Information About the System" in the next version of the HP OpenVMS System Manager's Manual.
Example:
$ MONITOR PROCESSES/TOPSUPERVISOR |
This command displays a bar graph showing the 16 processes that are the top consumers of CPU time in supervisor mode. Values are expressed in units of clock ticks (10ms) per second.
The command produces a display similar to the following:
OpenVMS Monitor Utility TOP SUPERVISOR MODE PROCESSES on node QUEBIT 7-DEC-2005 14:04:24.19 0 25 50 75 100 + - - - - + - - - - + - - - - + - - - - + 74E000AD BATCH_3 5 ** 74E000AC BATCH_2 4 * 74E000AA BATCH_1 3 * 74E000AB _RTA3: 3 * |
The controllers of the Enterprise Virtual Array (EVA) 4000/6000/8000 storage systems and of the MSA1500 storage system provide "active optimized" (AO) and "active non-optimized" (ANO) paths. This feature will also be offered in the EVA 3000/5000 storage systems. There is a read I/O performance penalty for using the ANO paths.
The OpenVMS multipath capability has been enhanced to distinguish between the AO and the ANO paths to improve I/O performance. Users should notice a performance improvement, which will vary depending on I/O size and queue depth. The longer the queue depth, the greater the improvement users will notice.
For more information about the OpenVMS multipath capability, refer to Guidelines for OpenVMS Cluster Configurations. For more information about the controllers on these storage systems, visit:
http://www.hp.com/country/us/en/prodserv/storage.html |
For more information about the EVA 4000/6000/8000 controllers, select Browse by capacity, Enterprise, and select the storage system of interest.
Similarly, for more information about the EVA 3000 and 4000 controllers, select Browse by capacity, Mid-range, and select the storage system of interest. For more information about the MSA 1500 controller, select Browse by capacity, Entry-level, MSA 1500.
Previous | Next | Contents | Index |