HP OpenVMS Guide to System Security: OpenVMS Version 8.4 > Chapter 9 Using Encryption

Defining Keys

To encrypt or decrypt any file, a key has to be created first.

To define a key, enter the ENCRYPT/CREATE_KEY command:

ENCRYPT /CREATE_KEY key-name key-value [ qualifiers ]

where

key-name is the name of the key.
key-value is the value you assign to the key.
qualifiers are options that control the format of the key value or where the key is stored.

For AES keys, the /AES qualifier must be added:

$ ENCRYPT /CREATE_KEY keyname "This is my secret key" /AES

This generates an AES key with a key length of 21 characters. You can specify a key of any length as long as it meets the key-length minimum requirement and does not exceed Encrypt’s maximum number of characters (approximately 240). For more information on the /AES qualifier, see the HP OpenVMS DCL Dictionary.

In order to specify the key algorithm, use the /KEY_ALGORITHM qualifier. The default key algorithm is DESCBC for DES keys and AESCBC128 when the /AES qualifier is used. For more information, see “/KEY_ALGORITHM Qualifier”.

Specifying the Key Name

To specify key-name on the ENCRYPT /CREATE_KEY command line, specify a character string using the following rules:

  • Valid length: 1 to 243 characters.

  • Valid: alphanumeric characters, dollar signs, and underscores.

  • Case sensitive: no.

To help you remember the name, use one that has meaning to you.

NOTE: Key names beginning with ENCRYPT$ are reserved for HP.

Specifying the Key Value

To specify key-value on the ENCRYPT /CREATE_KEY command line, use either a text string or a hexadecimal constant, using the following rules:

ASCII text string (default):

  • Length: 8 to 240 characters.

  • The string is not case sensitive.

  • If the string contains any non-alphanumeric characters (for example, space characters), enclose the whole string in quotation marks.

Example: This command defines a key named HAMLET with character string value (And you yourself shall keep the key of it):

$ ENCRYPT /CREATE_KEY HAMLET
_ Key value: "And you yourself shall keep the key of it"

Hexadecimal constant:

  • Use the /HEXADECIMAL qualifier.

  • Valid characters: 0 to 9, A to F.

  • Valid minimum length: 15 characters.

  • Do not enclose the value in quotation marks.

Example: The following command defines a key named ARCANE with hexadecimal value 2F4A98F46BBC11D:

$ ENCRYPT /CREATE_KEY /HEX ARCANE 2F4A98F46BBC11D 

In addition, when you specify key-value, do not use weak keys. These are key values with a pattern of repeated characters or groups of characters. Using a pattern results in an encrypted form that might be easy for unauthorized users to decrypt. For example, the hexadecimal constant 0101010101010101 and the text string 'abcabcabc' are weak keys.

Using weak keys might produce the following consequences:

  • Security of encrypted data may be at risk.

  • Encryption may be the same as decryption.

Encryption with one weak key followed by encryption with another weak key may result in the original plaintext.

HP supplies a table of known weak keys. The software checks keys you define against this table and displays an error message when you supply a weak key.
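The following Python script is an added example, not part of the HP documentation and not HP's own weak-key table. It applies the key-name and key-value rules stated above (name length and character set, the reserved ENCRYPT$ prefix, text and hexadecimal value limits, the odd-parity adjustment of bit 0 for hexadecimal values, and the repeated-pattern test for weak keys) as a pre-check before typing ENCRYPT /CREATE_KEY, and it also applies the AES minimum key sizes listed later in this section. Assumptions: the function names are this example's own; the weak-key list is only the four standard DES weak keys from the DES literature (the text cites 0101010101010101), not the full table HP ships; the text-key canonicalisation models only the uppercasing and space collapsing the section describes; and the DES weak-key comparison is attempted only for a full 16-digit hexadecimal value, because the section does not say how shorter values are padded.

```python
import re

KEY_NAME_RE = re.compile(r"^[A-Za-z0-9$_]{1,243}$")
RESERVED_PREFIX = "ENCRYPT$"  # key names beginning with this are reserved for HP
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")

# The four DES weak keys from the standard DES literature, in the odd-parity
# form Encrypt stores. 0101010101010101 is the one the text cites. This is
# an assumption-scoped subset, not HP's full weak-key table.
DES_WEAK_KEYS = {
    bytes.fromhex(h)
    for h in ("0101010101010101", "FEFEFEFEFEFEFEFE",
              "E0E0E0E0F1F1F1F1", "1F1F1F1F0E0E0E0E")
}

# AES minimum key sizes per mode, as listed under "Maintaining Keys".
AES_MIN_KEY_BYTES = {128: 16, 192: 24, 256: 32}


def is_repeated_pattern(s: str) -> bool:
    """True when s is a shorter unit repeated two or more times
    ('abcabcabc', '0101...'). A string with period p < len(s) reappears
    inside (s + s) once the first and last characters are dropped."""
    return len(s) > 1 and s in (s + s)[1:-1]


def check_key_name(name: str) -> list:
    """Problems with a key-name: length, character set, reserved prefix."""
    problems = []
    if not KEY_NAME_RE.match(name):
        problems.append("key name must be 1-243 alphanumeric, $ or _ characters")
    if name.upper().startswith(RESERVED_PREFIX):  # names are not case sensitive
        problems.append("key names beginning with ENCRYPT$ are reserved for HP")
    return problems


def normalize_text_key(value: str) -> str:
    """Model the text-key canonicalisation the section describes: letters to
    uppercase, runs of spaces collapsed to one. The punctuation removal it
    mentions is unspecified, so it is not modelled (assumption)."""
    return re.sub(r" {2,}", " ", value).upper()


def check_text_key_value(value: str) -> list:
    """Problems with an ASCII text key-value (the default form)."""
    problems = []
    if not 8 <= len(value) <= 240:
        problems.append("text key value must be 8 to 240 characters")
    if is_repeated_pattern(normalize_text_key(value).replace(" ", "")):
        problems.append("weak key: value is a repeated pattern")
    return problems


def odd_parity_low_bit(key: bytes) -> bytes:
    """Force odd parity on every byte by adjusting bit 0, as the section says
    Encrypt does for /HEXADECIMAL key values."""
    out = bytearray()
    for b in key:
        high7 = b & 0xFE
        ones = bin(high7).count("1")
        out.append(high7 | 1 if ones % 2 == 0 else high7)
    return bytes(out)


def check_hex_key_value(value: str) -> list:
    """Problems with a /HEXADECIMAL key-value. The DES weak-key comparison is
    made only for a full 16-digit (8-byte) value (assumption, see lead-in)."""
    problems = []
    if not HEX_RE.match(value):
        problems.append("hex key value may contain only 0-9 and A-F")
        return problems
    if len(value) < 15:
        problems.append("hex key value must be at least 15 characters")
    if is_repeated_pattern(value.upper()):
        problems.append("weak key: value is a repeated pattern")
    if len(value) == 16 and odd_parity_low_bit(bytes.fromhex(value)) in DES_WEAK_KEYS:
        problems.append("weak key: matches a known DES weak key")
    return problems


def check_aes_key_value(value: str, bits: int = 128) -> list:
    """Problems with an AES key: the byte length must meet the mode's minimum
    (128-bit mode is the default when /AES is given)."""
    problems = []
    need = AES_MIN_KEY_BYTES[bits]
    if len(value.encode("ascii", "replace")) < need:
        problems.append(f"AES {bits}-bit mode needs at least {need} bytes")
    if len(value) > 240:
        problems.append("key value exceeds Encrypt's approximate 240-character maximum")
    return problems


def lint_create_key(name: str, value: str, hexadecimal=False, aes_bits=None) -> list:
    """Combine the checks for one ENCRYPT /CREATE_KEY invocation."""
    problems = check_key_name(name)
    if hexadecimal:
        problems += check_hex_key_value(value)
    elif aes_bits:
        problems += check_aes_key_value(value, aes_bits)
    else:
        problems += check_text_key_value(value)
    return problems


if __name__ == "__main__":
    # Constructed sample inputs, taken from or modelled on the examples in this section.
    for args in [("HAMLET", "And you yourself shall keep the key of it"),
                 ("ARCANE", "2F4A98F46BBC11D", True),
                 ("PATTERN", "0101010101010101", True),
                 ("WEAKTXT", "abcabcabc"),
                 ("ENCRYPT$X", "This is my secret key", False, 128)]:
        print(args[0], lint_create_key(*args) or "ok")
```

Run it as-is to see the HAMLET and ARCANE examples pass while the patterned hexadecimal value is flagged twice: once by the repetition test and once because, after the parity adjustment, it is exactly the DES weak key the text names. The parity step matters because a value such as 0000000000000000 becomes 0101010101010101 only after each byte's low bit is set, so a check on the raw digits alone would miss it.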

Verifying Key Creation

To verify the successful creation of a key, use the /LOG qualifier. For example, this command reports that the key HAMLET is defined:

$ ENCRYPT /CREATE_KEY /LOG HAMLET 
_ Key value: "And you yourself shall keep the key of it" 
%ENCRYPT-S-KEYDEF, key defined for key name = HAMLET 

The following example verifies an AES key:

$ ENCRYPT/CREATE MY_KEY "This is a sample ASCII key value" /AES/LOG
%ENCRYPT-S-KEYDEF, key defined for key name = MY_KEY

The key is flagged as an AES key to distinguish it from a DES key.

Specifying Key Storage Tables

When you define a key, it is stored in encrypted form in a key storage table. The key value is stored under the key name. When you encrypt files, the process takes this stored information and does the following:

  • It compresses the key value taken from the key storage table into a key consisting of 8 bytes of binary digits.

  • It ensures the odd parity of each byte by modifying one of two things for each byte:

    • Sign bit, as needed (default)

    • Low bit (bit 0) (if you specify the /HEXADECIMAL qualifier)

  • For text string key values, it converts letters to uppercase, reduces multiple consecutive spaces to one space, removes some punctuation characters, and compresses the key string.

    As a result, you do not have to remember the exact syntax of the key value. For example, if you define a key value with two spaces between each word, you do not have to remember this spacing to specify the key again.

Key storage tables determine which users can access keys. The following key storage tables control user access:

  • Process key storage table (default) — accessible only to the process that defined the keys within the table.

    If you are defining a key that is intended for use by other processes, specify the appropriate qualifier (/JOB, /GROUP, or /SYSTEM) so that the intended users of the key can access it.

  • Job key storage table — accessible only to processes within the same job tree as the process that defined the keys within the table.

  • Group key storage table — accessible to users in the same UIC group as the process that defined the keys in the table.

  • System storage table — accessible to all system users.

To enter keys into the key storage tables, use the following ENCRYPT /CREATE_KEY qualifiers:

  • /PROCESS (default)

  • /JOB

  • /GROUP (requires GRPNAM or SYSPRV privilege)

  • /SYSTEM (requires SYSPRV privilege)

    Defines a key that anyone working on the system can use to encrypt his or her files. Because the key is stored in encrypted form, they cannot see the value of the key. The key is available for use until the system is rebooted.

    For example, the following command defines a key named SYSMASTER and places it in the system key storage table.

    $ ENCRYPT /CREATE_KEY /SYSTEM SYSMASTER
    _$ Key Value: "The human heart has hidden treasures, in secret kept,
    in silence sealed"

Maintaining Keys

When you encrypt a file, the key you use is like a password to that file. It is important to keep it secret. In addition, ensure that you remember the key value. You need both the key and the value to decrypt the file.

A key stored in the process key storage table lasts for the life span of the process that defined the keys in the table. Like other process-specific structures, the process key storage table disappears when you log out.

Key values that are meaningful to you are the most memorable, but avoid easily guessed choices such as your nickname or the make of your car. Never post a key name or value in your office or store it online. Like operating system passwords, increasing the length of a key value lessens the possibility of discovery.

The DES algorithm requires that a key value has a minimum length of eight non-null characters. To improve the security of the key value, specify more than eight characters.

For the AES algorithm, the minimum required key sizes are as follows:

  • 128-bit mode = 16-byte key

  • 192-bit mode = 24-byte key

  • 256-bit mode = 32-byte key