Previous | Contents | Index |
The user-supplied WORKIO routine is called by EDT when it needs temporary storage for the file being edited. Call it by specifying it as an argument in the EDT$EDIT routine. It cannot be called independently.
WORKIO code ,recordno ,record
OpenVMS usage: cond_value type: longword (unsigned) access: write only mechanism: by immediate value
Longword value returned as a status code. It is generally a success code, because all OpenVMS RMS errors should be signaled. The signal should include the file name and both longwords of the RMS status. Any errors detected within work I/O can be indicated by setting status to an error code, which will be returned by the EDT$EDIT routine.
The condition value is returned in R0.
code
OpenVMS usage: longword_unsigned type: longword (unsigned) access: read only mechanism: by reference
A code from EDT that specifies the operation to be performed. The code argument is the address of a longword integer containing this argument. The valid function codes are as follows:
Function Code Description EDT$K_OPEN_IN_OUT Open the work file for both input and output. Neither the record nor recordno argument is used. EDT$K_GET Read a record. The recordno argument is the number of the record to be read. The record argument gives the location where the record is to be stored. EDT$K_PUT Write a record. The recordno argument is the number of the record to be written. The record argument tells the location of the record to be written. EDT$K_CLOSE_DEL Close the work file. After a successful close, the file is deleted. Neither the record nor recordno argument is used.
recordno
OpenVMS usage: longword_signed type: longword integer (signed) access: read only mechanism: by reference
Number of the record to be read or written. The recordno argument is the address of a longword integer containing this argument. EDT always writes a record before reading that record. This argument is not used for open or close calls.record
OpenVMS usage: char_string type: character string access: modify mechanism: by descriptor
Location of the record to be read or written. This argument always refers to a 512-byte string during GET and PUT calls. This argument is not used for open or close calls.
Work file records are addressed only by number and are always 512 bytes long. If you do not need to intercept work file I/O, you can use the entry point EDT$WORKIO for this argument or you can omit it.
SS$_NORMAL Normal successful completion.
The user-supplied XLATE routine is called by EDT when it encounters the nokeypad command XLATE. You cause it to be called by specifying it as an argument in the EDT$EDIT routine. It cannot be called independently.
XLATE string
OpenVMS usage: cond_value type: longword (unsigned) access: write only mechanism: by value
Longword value returned as a status code. It is generally a success code. If the XLATE routine cannot process the passed string for some reason, it sets status to an error code. Returning an error code from the XLATE routine aborts the current key execution and displays the appropriate error message.
The condition value is returned in R0.
string
OpenVMS usage: char_string type: character-coded text string access: modify mechanism: by descriptor
Text string passed to the nokeypad command XLATE. You can use the nokeypad command XLATE by defining a key to include the following command in its definition:
XLATEtext^ZThe text is passed by the string argument. The string argument can be handled by the Run-Time Library routine STR$COPY_DX.
This argument is also a text string returned to EDT. The string is made up of nokeypad commands that EDT is to execute.
The nokeypad command XLATE allows you to gain control of the EDT session. (See the OpenVMS EDT Reference Manual1 for more information about the XLATE command.) If you do not need to gain control of EDT during the editing session, you can use the entry point EDT$XLATE for this argument or you can omit it.
SS$_NORMAL Normal successful completion.
1 This manual has been archived but is available on the OpenVMS Documentation CD-ROM. |
The encryption routines (APIs) allow you to program encryption operations into applications. OpenVMS Version 8.3 Integrity servers and Alpha systems support the Advanced Encryption Standard (AES) algorithm, which allows any OpenVMS user, system manager, security manager, or programmer to secure their files, save sets, or application data with AES Encryption. The former DES algorithm is also supported for complete backward compatibility. This allows updating archived data encrypted with DES to the more secure AES encryption algorithm.
The DES encryption standard, reviewed and approved by the National Bureau of Standards (NBS) every five years, remained the popular standard until 1992. The Natonal Institue of Standards and Technology (NIST) later declared the minimum encryption standard to be Triple-DES (or TDEA). Triple-DES typically uses at least two or three different secret keys. Since 1999, the older single DES standard is used only for legacy government systems. Since 2001, the Advanced Encryption Standard (AES) (FIPS PUB 197[5]) is the approved symmetric encryption algorithm that replaced DES. |
Encryption is used to convert sensitive or otherwise private data to an unintelligible form called cipher text. Decryption reverses this process, taking the unintelligible cipher text and converting data back to its original form, called plain text. Encryption and decryption are also known as cipher and decipher.
OpenVMS Version 8.3 integrates the former Encryption for OpenVMS software product into the operating system, eliminating the requirement for a separate installation and product license. |
Encryption provides the following routines, listed by function:
AES encryption, like DES, is a symmetric block cipher. However, its algorithm is very different, its key scheduling and number of rounds is based on key size (10, 12, or 14 rounds for 128, 192, and 256 bit keys), making AES much stronger cryptographically. AES features allows any user, system manager, security manager, or programmer to secure their files, save-sets, or application data with strong AES Encryption. It is integrated with OpenVMS Version 8.3 and does not require a separate product license or installation.
Encrypt-AES provides the following features and compatibility:
AESCBC128
AESCBC192
AESCBC256
AESECB128
AESECB192
AESECB256
AESCFB128
AESCFB192
AESCFB256
AESOFB128
AESOFB192
AESOFB256
There are no new Encrypt-AES API routines in OpenVMS V8.3. However, to accommodate the AES algorithm and the various key-length values, an additional AES key and AES file flag mask and value are added to OpenVMS Version 8.3:
AESCBC128---Cipher Block Chaining
AESCBC192---Cipher Block Chaining
AESCBC256---Cipher Block Chaining
AESECB128---Electronic Code Book
AESECB192---Electronic Code Book
AESECB256---Electronic Code Book
AESCFB128---Cipher Feedback
AESCFB192---Cipher Feedback
AESCFB256---Cipher Feedback
AESOFB128---Output Feedback
AESOFB192---Output Feedback
AESOFB256---Output Feedback
AESCBC128 is the default cipher and is also used for encryption and decryption of the users key for storage of logical names. These ciphers are looked up in the order in which they are stored in their algorithm table with the new image file SYS$SHARE:ENCRYPT$ALG$AES.EXE file. |
You can call the Encryption for OpenVMS routines from any language that supports the OpenVMS Calling Standard in 32 bit mode. After it is called, each routine:
The callable routines do not provide all the options of the file
selection qualifiers available with the DCL ENCRYPT and DECRYPT
commands. The functions of /BACKUP, /BEFORE, /BY_OWNER, /CONFIRM,
/EXCLUDE, /EXPIRED, /SINCE, and /SHOW are supported only at the
DCL-interface level. For more information, see the Guide to Creating OpenVMS Modular Procedures.
11.3.1 Encryption Keys
This section provides information about encryptions for AES and DES.
Like DES keys, AES keys are deleted or removed with the encrypt command-line qualifier /REMOVE_KEY or with the ENCRYPT$DELETE_KEY routine:
$ ENCRYPT/REMOVE_KEY KEYNAME /AES |
The user's secret key is encrypted with a master key and stored in a logical name table (PROCESS, JOB, GROUP or SYSTEM-ENCRYP$SYSTEM table), the default is the PROCESS logical name table. To delete a key in a table other than the PROCESS logical name table, the appropriate qualifier (/JOB, /GROUP, or /SYSTEM) must also be specified in the ENCRYPT /REMOVE_KEY command.
Because the users secret key name is unique, only one key with the same
name can exist in the same logical name table, whether this is a DES
key or an AES key. This means that the /AES qualifier is unnecessary,
although it is implemented nevertheless.
11.3.1.2 DES Key and Data Semantics
The National Bureau of Standards (NBS) document FIPS-PUB-46 describes the operation of the DES algorithm in detail. The bit-numbering conventions in the NBS document are different from OpenVMS numbering conventions.
For the AES algorithm, see the National Institute of Standards and Technology (NIST) document FIPS-PUB-197, pages 7 through 9. |
If you are using Encryption for OpenVMS routines in conjunction with an independently developed DES encryption system, ensure that you are familiar with the relationship between the NBS and OpenVMS numbering conventions. Table 11-1 highlights the differences.
NBS | Encryption for OpenVMS |
---|---|
Numbers bits from left to right. | Numbers bits from right to left. |
Displays bytes in memory from left to right. | Displays bytes in memory from right to left. |
Handles keys and data in 8-byte blocks. | Handles 8-byte blocks in OpenVMS display order. |
Treats keys and data as byte strings. | Treats keys and data as character strings. |
The "most significant byte" is byte 1. | Same. |
In DES keys, the parity bits are DES bits 8, 16, 24, and so forth. | In DES keys, the parity bits are OpenVMS bits 0, 8, 16, and so forth. |
DES keys, when expressed as strings of hexadecimal digits, are given starting with the high digit of byte 1, then the low digit of byte 1, then the high digit of byte 2, and so forth, through the low digit of byte 8. | Same. |
To convert a hexadecimal key string into the 8-byte binary key, convert from hex to binary one byte at a time. For example, a quadword hex-to-binary conversion, using the library subroutine OTS$CVT_TZ_L, yields an incorrect, byte-reversed key.
Figure 11-1 OpenVMS Numbering Overlay on FIPS-46 Numbering
Figure 11-2 NBS Numbering Overlay on an OpenVMS Quadword
On OpenVMS Integrity server systems, AES uses an OpenVMS numbering overlay on FIPS-197 numbering. For a description of AES key and data semantics, see the National Institute of Standards and Technology (NIST) document FIPS-PUB-197, pages 7 through 9. |
Once a key has been created, you can encrypt and decrypt files. This can be accomplished at the command line with the ENCRYPT and DECRYPT commands, or by using the ENCRYPT$ENCRYPT_FILE routine.
File encryption encrypts RMS files in fixed-length, 512- byte records. The file characteristics and attributes of the file are preserved, for example, the file creation and modify date, and whether the file was organized as sequential or indexed, and its record format (STREAM_LF, VAR, or other). You specify a key to be used for the encrypting a file and a data algorithm. However, the user key is used to encrypt the random key, initialization vector (IV), and data algorithm in the random key record. The random key encrypts the files attributes and feature records, and its data records, using the data algorithm that you specify.
When decrypting the file, the key specified decrypts the random key record, which retrieves the random (data) key, IV, and data algorithm file. Then the file's attributes, feature records, and data records are decrypted with the random key, IV, and data algorithm from the fixed-length 512-byte records, and then restored to its original format and creation date. The modified (or revised) file date is then updated.
Previous | Next | Contents | Index |