HP OpenVMS Guide to System Security: OpenVMS Version 8.4 > Chapter 9 Using Encryption

Authenticating Files

Authentication is the checking of files to determine whether or not they have been modified.

The ENCRYPT /AUTHENTICATE command detects any modification of either plaintext or ciphertext files. The software calculates a Message Authentication Code (MAC) based on the contents of the files and associates it with one or more files. An additional MAC is created that is based on the files' security settings, unless you specifically request that the security MAC not be created. At a later time, when you want to check file integrity, the software recalculates the MACs and compares the current MACs with the stored MACs. Before you use the ENCRYPT /AUTHENTICATE command to check files, you must first associate MACs with those files.

NOTE: AES (Advanced Encryption Standard) is not supported with the /AUTHENTICATE qualifier.

The ENCRYPT /AUTHENTICATE command has the following syntax:

ENCRYPT /AUTHENTICATE file-spec key-name [ qualifiers ]

where

file-spec    is the name of the file you want to check.
key-name     is the name of the key. Specify a 1-to-243-character string.
qualifiers   are options that control the authentication process or the selection of files you want to check.

A summary report on the authentication operation is displayed on SYS$OUTPUT.

The following qualifiers are valid with ENCRYPT /AUTHENTICATE:

  • /[NO]DATABASE[=file-spec]

    Specifies a file in which to store binary MAC values created by using the file contents as input

  • /LOG

    Displays the results of the authentication operation for each file

  • /MULTIPLE_FILES

    Indicates that the (file-spec) parameter represents a list of file names to be checked

  • /[NO]OUTPUT[=file-spec]

    Specifies a file in which to store readable MAC values

  • /[NO]SECURITY[=file-spec]

    Generates a MAC using the file's security settings: owner, protection settings, and optional ACL, and specifies the file in which to store the binary MAC values.

  • /[NO]UPDATE

    Associates new MAC values with one or more files

In addition, you can use all the file selection qualifiers available to the ENCRYPT command: /BACKUP, /BEFORE, /BY_OWNER, /CONFIRM, /EXCLUDE, /EXPIRED, /MODIFIED, and /SINCE.

The following sections describe how to use the /DATABASE, /LOG, /SECURITY, /OUTPUT, and /UPDATE qualifiers with ENCRYPT /AUTHENTICATE.

Associating MACs with Files

To associate MACs with a file, or to replace former MAC values with new MAC values, use the /UPDATE qualifier. The /UPDATE qualifier updates two different MACs: one created from the file contents and one created from the security settings. The following command creates MAC values for all files in the current directory.

$ ENCRYPT /AUTHENTICATE *.* whitehen /UPDATE

%ENCRYPT-I-SUMMARY1,   Summary:   Files successfully authenticated: 0
%ENCRYPT-I-SUMMARY2,              Files failing authentication:  0            
%ENCRYPT-I-SUMMARY3,              Files not in database:  3
%ENCRYPT-I-SECSUMM1,   Summary:   Security settings authenticated: 0
%ENCRYPT-I-SECSUMM2,              Security settings failing authentication: 0
%ENCRYPT-I-SECSUMM3,              Security settings not in database: 3

Two sets of summary information are displayed: the first set applies to the MAC values generated from the file contents; the second set applies to the MAC values generated from the security settings. Because this is the first time MACs are associated with these files, none are reported as authenticated (summary message 1 for each set) or as having failed authentication (summary message 2 for each set). The last message in each set reports that no previous MACs were associated with these files.

The MACs are stored in a binary database. Therefore, you cannot specify /NODATABASE or /NOSECURITY with /UPDATE.

Checking Files

With no other qualifiers, the ENCRYPT /AUTHENTICATE command compares previous MACs with current MACs. In addition, the software reports on files with no currently associated MACs.

The following command reports on the status of all the files in the current directory.

$ ENCRYPT /AUTHENTICATE *.* whitehen

%ENCRYPT-I-NOUPDATE, database will not be updated with new authentication codes
%ENCRYPT-I-SUMMARY1, Summary:   Files successfully authenticated: 3
%ENCRYPT-I-SUMMARY2,            Files failing authentication:  0
%ENCRYPT-I-SUMMARY3,            Files not in database:  0
%ENCYRPT-I-SECSUMM1, Summary:   Security settings authenticated: 3
%ENCYRPT-I-SECSUMM2,            Security settings failing authenticated: 0
%ENCYRPT-I-SECSUMM3,            Security settings not in database:0
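The two commands above are one workflow: an /UPDATE pass records a content MAC and a security-settings MAC for each file, and a later plain pass recomputes both and sorts every file into "authenticated", "failing authentication" or "not in database". The following Python model of that workflow is an added example, not code from the OpenVMS manual or from the Encryption product. It assumes HMAC-SHA256 keyed with the key string as the MAC construction (the manual does not state the product's algorithm), uses in-memory dictionaries in place of ENCRYPT$MAC.DAT and ENCRYPT$SEC.DAT, and uses constructed file contents and security settings; the file and key names are borrowed from the page's examples.

```python
import hmac
import hashlib

# Assumed MAC construction for this illustration: HMAC-SHA256 keyed with the
# key string. This models the ENCRYPT /AUTHENTICATE workflow, not the
# product's own MAC algorithm.


def content_mac(key: str, data: bytes) -> str:
    """MAC over the file contents (the entry that goes in the MAC database)."""
    return hmac.new(key.encode(), data, hashlib.sha256).hexdigest().upper()


def security_mac(key: str, owner: str, protection: str, acl: str = "") -> str:
    """MAC over the security settings: owner, protection mask and optional ACL."""
    canonical = "\x00".join((owner, protection, acl)).encode()
    return hmac.new(key.encode(), canonical, hashlib.sha256).hexdigest().upper()


def _classify(stored, current, counts):
    """Sort one MAC comparison into the three summary categories."""
    if stored is None:
        counts["not_in_database"] += 1
        return "NOT IN DATABASE"
    if hmac.compare_digest(stored, current):   # constant-time comparison
        counts["authenticated"] += 1
        return "(same)"
    counts["failed"] += 1
    return "FAILED"


def authenticate(files, key, mac_db, sec_db, update=False, security=True):
    """Model of ENCRYPT /AUTHENTICATE over constructed in-memory files.

    files:  {name: (contents_bytes, owner, protection, acl)}
    mac_db: dict standing in for ENCRYPT$MAC.DAT (content MACs)
    sec_db: dict standing in for ENCRYPT$SEC.DAT (security-settings MACs)
    update: True models /UPDATE; False only compares, as the plain command does
    security: False models /NOSECURITY (no security MAC is computed or stored)
    Returns (content_summary, security_summary, per_file_report).
    """
    summary = {"authenticated": 0, "failed": 0, "not_in_database": 0}
    sec_summary = {"authenticated": 0, "failed": 0, "not_in_database": 0}
    report = {}
    for name, (data, owner, prot, acl) in sorted(files.items()):
        current = content_mac(key, data)
        status = _classify(mac_db.get(name), current, summary)
        sec_status = None
        if security:
            current_sec = security_mac(key, owner, prot, acl)
            sec_status = _classify(sec_db.get(name), current_sec, sec_summary)
        report[name] = (mac_db.get(name), current, status, sec_status)
        if update:                       # only /UPDATE writes the databases
            mac_db[name] = current
            if security:
                sec_db[name] = current_sec
    return summary, sec_summary, report


def demo():
    """Run the page's sequence: /UPDATE, a clean check, then a check after tampering."""
    key = "whitehen"
    # Constructed sample files: contents, owner UIC, protection, ACL.
    files = {
        "EXAMPLE.FILE;1": (b"hello\n", "[1,1]", "(RWED,RWED,RWED,)", ""),
        "RELEASE.TXT;1": (b"release notes\n", "[1,1]", "(RWED,RWED,RWED,)", ""),
        "WATCH_MAIL.COM;5": (b"$ MAIL\n", "[1,1]", "(RWED,RWED,RWED,)", ""),
    }
    mac_db, sec_db = {}, {}
    first = authenticate(files, key, mac_db, sec_db, update=True)   # /UPDATE
    second = authenticate(files, key, mac_db, sec_db)               # plain check
    # Tamper: change the contents of one file and the protection of another.
    data, owner, prot, acl = files["EXAMPLE.FILE;1"]
    files["EXAMPLE.FILE;1"] = (b"hello!\n", owner, prot, acl)
    data, owner, prot, acl = files["RELEASE.TXT;1"]
    files["RELEASE.TXT;1"] = (data, owner, "(RWED,RWED,RWED,RWED)", acl)
    third = authenticate(files, key, mac_db, sec_db)                # plain check
    return first, second, third


if __name__ == "__main__":
    for label, (content, sec, report) in zip(("update", "check", "tampered"), demo()):
        print(label, content, sec)
        for name, (stored, current, status, sec_status) in report.items():
            print("  ", name, status, sec_status)
```

The first pass reports all three files as "not in database" in both summaries, exactly as the page's /UPDATE output does; the second pass reports all three authenticated; the third pass shows that a content change fails the content MAC while leaving the security MAC intact, and a protection change does the reverse, which is why the command keeps two separate summaries. Because the plain check never writes to the databases, the stored MACs still describe the files as they were at the last /UPDATE.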

Specifying a File for MACs Generated from File Contents

A database file stores MAC values in binary format. By default, binary MAC values created from the file contents are stored in SYS$LOGIN:ENCRYPT$MAC.DAT. You can use the /DATABASE qualifier to store the MAC values in an alternate file.

The following command selects an alternate file in which to store the MAC values.

$ ENCRYPT /AUTHENTICATE *.com whitehen /DATABASE=[MACS]MACCHECK.DAT /UPDATE

%ENCRYPT-I-NEWDB,     New authentication code database has been created
%ENCRYPT-I-SUMMARY1,  Summary: Files successfully authenticated: 0
%ENCRYPT-I-SUMMARY2,  Files failing authentication:  0                
%ENCRYPT-I-SUMMARY3,  Files not in database:  6

When you specify /NODATABASE, the MAC values are not stored. The next time you use the ENCRYPT /AUTHENTICATE command, the files are treated as new because there are no stored MAC values to check against.

Specifying a Security MAC File

MAC entries based on security settings are automatically generated and stored in a security database when the /UPDATE qualifier is used. If you do not want to generate a MAC value based on security settings, use the /NOSECURITY qualifier on the ENCRYPT /AUTHENTICATE command line.

The entries in the security database are generated by using the security settings: owner, protection settings, and an ACL if one is associated with the file. By default, security MAC values are stored in the database ENCRYPT$SEC.DAT. You can use the /SECURITY qualifier to store security MAC values in an alternate file.

The following command selects an alternate file in which to store security MAC values.

$ ENCRYPT /AUTHENTICATE *.com seveneleven /SECURITY=SECURITYMAC.DAT /UPDATE

%ENCYRPT-I-NEWSECDB, New authentication security settings database has been created
%ENCRYPT-I-SUMMARY1, Summary:   Files successfully authenticated: 0
%ENCRYPT-I-SUMMARY2,            Files failing authentication: 0
%ENCRYPT-I-SUMMARY3,            Files not in database: 3
%ENCRYPT-I-SECSUMM1, Summary:   Security settings authenticated: 0
%ENCRYPT-I-SECSUMM2,            Security settings failing authentication: 0
%ENCRYPT-I-SECSUMM3,            Security settings not in database: 3

Specifying a Listing File

In addition to a binary MAC database, Encryption stores MAC values and status information in readable form. By default, readable MAC values are stored in SYS$LOGIN:ENCRYPT$MAC.LIS.

To store readable values in an alternate file, use the /OUTPUT qualifier. The file extension defaults to .LIS. For example, this command specifies SYS$LOGIN:08MAC.LIS as the listing file:

$ ENCRYPT /AUTHENTICATE *.*  whitehen /OUTPUT=08MAC

%ENCRYPT-I-NOUPDATE, database will not be updated with new authentication codes
%ENCRYPT-I-SUMMARY1, Summary: Files successfully authenticated: 6
%ENCRYPT-I-SUMMARY2, Files failing authentication:  0                
%ENCRYPT-I-SUMMARY3, Files not in database:  0

To display the listing on SYS$OUTPUT, enter:

$ TYPE 08MAC.LIS 

File Integrity Report  22-APR-2009 10:50:22.62       Compaq Encryption  V1.6  Page  1
Authentication database: DISK_1:[000000.SCRATCH]ENCRYPT$MAC.DAT;1

File name                           Stored MAC         Current MAC  Status
==================================  =================  ===========  ======
DISK_1[SCRATCH]EXAMPLE.FILE;1       90E70CB4E8E96BBF   (same)      
 owner: [1,1]  prot: (RWED, RWED, RWED, ) 
DISK_1[SCRATCH]PICTURE.SLS;1        FCAD115A72E7934A   (same)          
 owner: [1,1]  prot: (RWED, RWED, RWED, ) 
DISK_1[SCRATCH]RELEASE.TXT;1        11375BD8D504ABB3   (same)
 owner: [1,1]  prot: (RWED, RWED, RWED, ) 
DISK_1[SCRATCH]RELEASE_NOTES.PS;3   2632027C133A8B5F   (same)
 owner: [1,1]  prot: (RWED, RWED, RWED, ) 
DISK_1[SCRATCH]SCHEDULE.LIST;3      852D440358FBFF95   (same)          
 owner: [1,1]  prot: (RWED, RWED, RWED, ) 
DISK_1[SCRATCH]WATCH_MAIL.COM;5     B75D00EC4991662C   (same)
 owner: [1,1]  prot: (RWED, RWED, RWED, ) 

Summary:        Files successfully authenticated: 6             
                Files failing authentication: 0
                Files not in database: 0

Summary:        Security settings authenticated: 6
                Security settings failing authentication: 0
                Security settings not in database: 0

To suppress the creation of this listing, use the /NOOUTPUT qualifier.

Logging the Authentication Operation

To display the results of the authentication operation on each file, use the /LOG qualifier. For example, the following command displays the results of each file authentication on your terminal screen.

$ ENCRYPT /AUTHENTICATE /LOG *.* whitehen 

%ENCRYPT-I-NOUPDATE, database will not be updated with new authentication codes
%ENCRYPT-S-AUTHMATCH, File DISK_1:[SCRATCH]EXAMPLE.TXT;1 successfully authenticated
%ENCRYPT-S-SECAUTHMATCH, Security settings for DISK_1:[SCRATCH]EXAMPLE.TXT successfully authenticated
%ENCRYPT-S-AUTHMATCH, File DISK_1:[SCRATCH]TEST.TXT;1 successfully authenticated.           
%ENCRYPT-S-SECAUTHMATCH, Security settings for DISK_1:[SCRATCH]TEST.TXT successfully authenticated
%ENCRYPT-S-AUTHMATCH, File DISK_1:[SCRATCH]RELEASE.TXT;2 successfully authenticated.
%ENCRYPT-S-SECAUTHMATCH, Security settings for DISK_1:[SCRATCH]RELEASE.TXT successfully authenticated
%ENCRYPT-I-SUMMARY1, Summary:   Files successfully authenticated: 6
%ENCRYPT-I-SUMMARY2,            Files failing authentication:0
%ENCRYPT-I-SUMMARY3,            Files not in database:0

%ENCRYPT-I-SECSUMM1, Summary:   Security settings authenticated: 6
%ENCRYPT-I-SECSUMM2,            Security settings failing authentication:0
%ENCRYPT-I-SECSUMM3,            Security settings not in database:0