Software Product Description
___________________________________________________________________

PRODUCT NAME: Encryption for OpenVMS, Version 1.6                    SPD 26.74.06

August 2005

Note: This Software Product Description describes the Encryption for OpenVMS Version 1.6 software for the Integrity, Alpha and VAX computer families. Except where explicitly noted, the features described in this SPD apply equally to OpenVMS Integrity, Alpha and VAX systems. Encryption Version 1.6 on Integrity and Alpha systems running OpenVMS V8.2 and later does not require a specific license, as this product is now covered under the OpenVMS operating system license. An Encryption license is required for all Alpha and VAX systems running versions of OpenVMS prior to Version 8.2.

PRODUCT SUMMARY

Encryption for OpenVMS is a layered product that enhances the confidentiality and integrity of information stored on OpenVMS systems. The rapid growth of business transactions over the Internet, combined with more system administration functions being outsourced, heightens the need for stronger protection of your data. Encryption for OpenVMS provides the ability for your information to pass safely through unknown hands and channels without disclosing its contents. Encryption for OpenVMS also provides a mechanism to detect whether your information has been altered from its original form.

STANDARDS

Encryption for OpenVMS is a software implementation of the Data Encryption Standard (DES) algorithm from the United States Government. Details of the DES cryptographic algorithm are found in Federal Information Processing Standard 46 (FIPS PUB 46-2). DES is a 64-bit block cipher with a 64-bit key, of which 56 bits are effective (the remaining 8 are parity bits). Note that single DES is no longer considered adequate against brute-force key search; NIST withdrew the DES standard (FIPS 46-3) in 2005.

DESCRIPTION

Encryption is a process that transforms data into an unreadable form called ciphertext. Decryption transforms the ciphertext back into its original (readable) form. Encryption and decryption are kept in step by shared parameters known as keys, which is how Encryption for OpenVMS ensures that the data you decrypt is identical to your original data.
Once encrypted, data can only be decrypted with the appropriate key. Thus, encryption can protect sensitive data by limiting access to only those individuals who hold the appropriate keys.

Data authentication is a two-step process that verifies the authenticity of data, that is, that the data has not been altered. The first step is to calculate a code that is directly dependent on the data. Encryption for OpenVMS supports the use of encrypted manipulation detection codes (MDCs) and cryptographic message authentication codes (MACs). MDCs are generated by algebraic functions that accept the data as input; examples of such functions include cyclic redundancy checks. Encryption for OpenVMS uses CRC-16 to calculate MDCs. MACs are generated by keyed cryptographic functions that take the data as input; Encryption for OpenVMS uses the DES algorithm to generate MACs. The second step is to recalculate the code as needed. If the recalculated code is identical to the original code, there is assurance that the original data has not been altered.

The two codes give different strengths of assurance. A CRC is unkeyed, so anyone who can change the data can also recompute a matching CRC; an MDC therefore detects alteration only because it is itself encrypted together with the data, and as a 16-bit linear code it is a weaker guarantee against deliberate modification than a DES MAC. A MAC cannot be recomputed without the key, which is why it can protect files that remain unencrypted.

Encryption for OpenVMS provides these features.

A DCL interface from which users can:

o Encrypt and decrypt complete files

o Generate and verify MACs on complete files

o Access the Encryption for OpenVMS help library

An Application Program Interface allowing programs to:

o Encrypt and decrypt complete files or specific data elements

o Generate and verify MACs on complete files or specific data elements

An interface to the OpenVMS Backup utility that allows users to maintain encrypted backup save sets.

File Encryption

Encryption for OpenVMS provides a Digital Command Language (DCL) interface to specify encryption keys and to control the encryption and decryption of disk-resident files. The entire contents of files are encrypted, along with separately stored file attribute information such as record structure, original creation date, and original file name.
These attributes are then restored at decryption time along with the original file contents. Encryption for OpenVMS supports several options during the encryption and decryption process, including automatic deletion of the input file upon successful encryption and data compression of the input file before encryption.

File Authentication

The same Encryption for OpenVMS DCL interface is used to control the generation and verification of MACs for disk-resident files. Only the data portion of a file is processed for MACs; file attribute information, which can normally change during authorized file operations, is not processed. The files themselves remain unencrypted, and the MACs are stored in a separate database.

For files that are encrypted, authentication checks are done automatically by Encryption for OpenVMS during the decryption process. An MDC is calculated and is encrypted along with the other file attribute information. When the file is decrypted, the MDC is recalculated and compared with the decrypted MDC.

Key Specification and Storage

Key values for the encryption and authentication algorithms may be specified either as sixteen hexadecimal digits (64 bits, the DES key size including parity bits) or as a more easily remembered and manipulated phrase of words and numerals. The alphanumeric phrase format is scanned and packed into the form required by the selected algorithm. A phrase can supply no more key material than the 56 effective DES key bits and, being natural language, usually supplies much less, so phrases should be chosen to be long and unpredictable. In Encryption for OpenVMS Version 1.6, all keys are stored, themselves encrypted, in the OpenVMS logical name tables.

Application Program Interface

Encryption for OpenVMS provides a set of callable routines that allows users to integrate its encryption/decryption and authentication functions into application programs. The Encryption for OpenVMS library of callable routines adheres to the OpenVMS Calling Standard and to the modular design established in the Guide to Creating OpenVMS Modular Procedures.
Entry points are provided to permit the specification and deletion of keys, encryption/decryption of complete files, encryption/decryption of user-specified data elements, and generation of MACs for user-specified data elements. For example, the data-encryption facility permits a user application to manage a data file containing employee information with only the salary data field encrypted. Almost all functions available through the DCL command interface are also provided by the application interface. The binary kit includes a complete PASCAL example of an encrypting utility to serve as a model of how such an application might be written.

Backup Utility

The online OpenVMS Backup utility incorporates an interface to Encryption for OpenVMS to permit the encryption of backup save sets. Restoration or listing of the contents of an encrypted backup save set is not permitted without respecification of the encryption key and algorithm parameters used when the save set was encrypted and created. When key and algorithm parameters are stored or transmitted separately from the resulting backup media, access to the backed-up data may be more carefully controlled. This enhances the security of backup tapes and disks when they are stored or transported off the customer's premises.

DES Algorithm and Modes

The DES algorithm may be applied to the processing of data in several modes. Encryption for OpenVMS Version 1.6 supports Electronic Code Book mode (ECB), Cipher Block Chaining mode (CBC), Cipher Feedback mode (CFB), and Message Authentication Code mode (MAC). CFB mode is limited to 8-bit character feedback only, that is, one DES block operation per byte of data, which lets it process data whose length is not a multiple of the 64-bit block size. The MAC mode uses CBC mode for processing: the data is chained through DES in CBC mode and the final output block of the chain serves as the authentication code (a CBC-MAC). Note that ECB encrypts each 64-bit block independently, so identical plaintext blocks produce identical ciphertext blocks; CBC or CFB should be preferred for data with repeating structure.

INSTALLATION

Only experienced customers should attempt installation of this product; Compaq recommends that all other customers purchase Compaq's Installation Services. These services provide for installation of the software product by an experienced Compaq Software Specialist.
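The DES modes (ECB, CBC, 8-bit CFB, MAC built on CBC) and the encrypted CRC-16 MDC check described in the "DES Algorithm and Modes" and "File Authentication" sections above, as an added worked example. This is editorial illustration, not code from this SPD or from the product. DES itself is not implemented here: toy_block is a stand-in 64-bit keyed permutation (a 4-round Feistel network built on SHA-256) with DES's block and key size, so only the mode and MDC logic is real. The CRC-16 variant (CRC-16/ARC, polynomial 0x8005), the PKCS#7-style padding, the zero IV for the MAC, and the key, IV and sample record in the demo are all assumptions; the SPD specifies none of them.

```python
"""Added worked example, not the product's code: the DES processing modes the SPD
names (ECB, CBC, 8-bit CFB, MAC built on CBC) and the encrypted CRC-16 MDC check
done at decryption time.  DES is NOT implemented: toy_block is a stand-in 64-bit keyed
permutation.  CRC-16/ARC, PKCS#7 padding and the zero MAC IV are assumptions."""
import hashlib

BLOCK = 8  # 64-bit block, as in DES

def toy_block(key, block, decrypt=False):
    """Stand-in block permutation (NOT DES): an invertible 4-round Feistel network."""
    left, right = block[:4], block[4:]
    for rnd in (range(3, -1, -1) if decrypt else range(4)):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:4]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return right + left  # final swap lets the same routine invert itself

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding: wrong key or altered data")
    return data[:-n]

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, data):
    """ECB: blocks are independent, so equal plaintext blocks leak as equal ciphertext."""
    return b"".join(toy_block(key, blk) for blk in blocks(pad(data)))

def cbc_encrypt(key, iv, data):
    """CBC: each plaintext block is XORed with the previous ciphertext block first."""
    out, prev = [], iv
    for blk in blocks(pad(data)):
        prev = toy_block(key, xor(blk, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, data):
    out, prev = [], iv
    for blk in blocks(data):
        out.append(xor(toy_block(key, blk, decrypt=True), prev))
        prev = blk
    return unpad(b"".join(out))

def cfb8_crypt(key, iv, data, decrypt=False):
    """8-bit CFB: one block operation per byte, no padding; the register is fed ciphertext."""
    reg, out = iv, bytearray()
    for b in data:
        c = b ^ toy_block(key, reg)[0]
        out.append(c)
        reg = reg[1:] + bytes([b if decrypt else c])
    return bytes(out)

def cbc_mac(key, data):
    """MAC mode on top of CBC (CBC-MAC): zero IV, the last ciphertext block is the MAC."""
    return cbc_encrypt(key, bytes(BLOCK), data)[-BLOCK:]

def crc16(data):
    """CRC-16/ARC (reflected poly 0x8005): the unkeyed MDC.  Variant is an assumption."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def encrypt_file(key, iv, contents):
    """Seal contents with their MDC: the CRC travels inside the encryption, as the SPD says."""
    return cbc_encrypt(key, iv, contents + crc16(contents).to_bytes(2, "big"))

def decrypt_file(key, iv, sealed):
    """Decrypt, then recompute the MDC and compare it with the decrypted one."""
    plain = cbc_decrypt(key, iv, sealed)
    contents, mdc = plain[:-2], int.from_bytes(plain[-2:], "big")
    if crc16(contents) != mdc:
        raise ValueError("MDC mismatch: file altered or wrong key")
    return contents

def verify(key, iv, sealed):
    """True when decryption and the MDC comparison both succeed, False otherwise."""
    try:
        decrypt_file(key, iv, sealed)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    key, iv, record = b"8bytekey", bytes(BLOCK), b"SALARY=00120000;" * 3  # constructed values
    ecb, cbc = blocks(ecb_encrypt(key, record)), blocks(cbc_encrypt(key, iv, record))
    print("ECB repeats blocks:", ecb[0] == ecb[2], " CBC repeats blocks:", cbc[0] == cbc[2])
    sealed = encrypt_file(key, iv, record)
    print("tampered file accepted:", verify(key, iv, bytes([sealed[0] ^ 1]) + sealed[1:]))
```

Running the script shows the point of the mode choice: the repeating salary records produce repeating ECB ciphertext blocks but distinct CBC blocks, CFB-8 round-trips data of any length without padding, and a single flipped ciphertext bit is rejected by the MDC check on decryption. Two caveats a practitioner should carry over to real deployments: a raw CBC-MAC over variable-length messages admits extension forgeries unless the message length is bound into the input (modern designs use CMAC or HMAC instead), and the 16-bit MDC only ever gives a 1 in 65536 chance of missing a random corruption, which is fine for accidents but not a substitute for a keyed MAC against an adversary.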
HARDWARE REQUIREMENTS

To install Encryption for OpenVMS Version 1.6, an additional 2000 free blocks of disk space (about 1 MB at 512 bytes per block) are required.

SOFTWARE REQUIREMENTS

Encryption for OpenVMS runs on the following versions of OpenVMS.

OpenVMS Integrity
  OpenVMS Integrity Version 8.2-1
  OpenVMS Integrity Version 8.2

OpenVMS Alpha
  OpenVMS Alpha Version 8.2
  OpenVMS Alpha Version 7.3-2

OpenVMS VAX
  OpenVMS VAX Version 7.3

ORDERING INFORMATION

Encryption for OpenVMS Integrity and Alpha

For Versions 8.2 and 8.2-1 on Integrity and Version 8.2 on Alpha, the software license is covered by the OpenVMS operating system license.

Encryption for OpenVMS Alpha Version 7.3-2
  Software License: QL-597A*-**
  Software Documentation: BR-081AA-GZ
  Software Product Services: QT-597A*-*

Encryption for OpenVMS VAX Version 7.3
  Software License: QL-081A*-**
  Software Documentation: BR-081AA-GZ
  Software Product Services: QT-081A*-**

Note: * Denotes variant fields. For additional information on available licenses, services and media, refer to the appropriate price book.

SOFTWARE WARRANTY

As with any security product, Encryption for OpenVMS should be considered part of an overall security plan. Customers are encouraged to follow industry-recognized security practices and not rely on any single security product to provide complete protection.

DISTRIBUTION MEDIA

For Integrity servers, this product is distributed as part of the OpenVMS Layered Product Library. For Alpha and VAX systems, this product is distributed as part of the Software Product Libraries. The software documentation is also available as part of the OpenVMS Online Documentation Libraries on CD-ROM.

DOCUMENTATION

Encryption for OpenVMS documentation includes:

o Encryption for OpenVMS Installation and Reference Manual - Details the basic encryption user commands, documents the application programming interface, and provides the installation instructions.

© Copyright 2005 Hewlett-Packard Development Company, L.P.

Confidential computer software.
Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.