Chapter 5. Encryption Services to Encryption Services or the Decryption
5.3 Encryption and decryption report examples with the password option
Both encryption (CSDFILEN) and decryption (CSDFILDE) produces a statistics report file that contains information about the control statements used in the CSDFILEN or CSDFILDE batch jobs, the name of the data set or input file that is to be encrypted or decrypted, and performance statistics about the execution of the job.
We provide examples of statistics reports in 5.4, “Encryption and decryption using RSA protection of data-encrypting key” on page 66 and 5.5, “Encryption and decryption using data compression” on page 71.
Here we provide examples of statistics reports produced using the JCL that we described earlier in this chapter. There were two input files for the encryption trials: a small one that has only a few hundred records and a larger one with several hundreds of thousands records. The contents of the files are, in both cases, text strings.
5.3.1 Contents of the statistics report file for encryption
In the first example, shown in Figure 5-3 on page 63, a small file has been encrypted using the CLRTDES keyword on a z900.
The password 1 will never be shown in clear on the report. The encryption is done using the CCF processors 2, as shown in the report. The Encryption Services uses 27998 3 as a length for the output BLKSIZE on disks. In this test case, the amount of the output data, 19992 4 bytes, written to the file also contains the header record information and any padding required for the encryption process. The report also shows the throughput rates along with the longest and shortest cipher times and the data length associated with them are shown at 5.
Note: Save the statistics report issued during encryption, so it can be used to
verify that the correct amount of data is recovered in the decryption and optional decompression processes.
Note: The T-DES algorithm requires the input data length to be a multiple of 8
bytes. The AES-128 algorithm requires the input data length to be a multiple of 16 bytes.
Chapter 5. Encryption Services to Encryption Services or the Decryption Client 63
Figure 5-3 Statistics report with CLRTDES and PASSWORD encryption on z900
In the next example, shown in Figure 5-4, the same small file has been transferred from z900 to z9 to carry on more tests, and the BLKSIZE was also changed to better fit our requirements. The file was encrypted using CLRTDES keyword on the z9 mainframe. This time, the encryption uses the CPACF processors 1, as shown in the report. As expected, the reported cipher time for the block of data is shorter with the CPACF on z9 2 than with CCF on z900.
Figure 5-4 Statistics report with CLRTDES and PASSWORD encryption on z9
CSDFILEN Encryption Utility 07/28/2006 (MM/DD/YYYY) 21:48:45 (HH:MM:SS) INPUT: DESC='TEST ENCRYPTED DATA' INPUT: CLRTDES INPUT: PASSWORD=******************************** 1
INPUT: ICOUNT=10 CSDFILEN: : INPUT: LRECL 80 BLKSIZE 6160 RECFM FB OUTPUT: BLKSIZE 27998 3
ENCRYPTION OF DATA: CLEAR TDES KEY USING CCF 2
RECORDS READ: 227 WRITTEN: 1 BYTES READ: 18,160 6
BYTES WRITTEN: 19,992 4 WITH HEADER AND PAD CIPHER TIMES (IN SECONDS): 5 HIGH: 0.000754 DATA: 19528 LOW: 0.000754 DATA: 19528 TOTAL CIPHER TIME (IN SECONDS): 0.000754 CIPHERS: 1 TOTAL ELAPSED TIME: 0:00:00.11
CSDFILEN Encryption Utility 08/03/2006 (MM/DD/YYYY) 11:06:03 (HH:MM:SS) INPUT: DESC='TEST ENCRYPTED DATA' INPUT: CLRTDES INPUT: PASSWORD=******************************** INPUT: ICOUNT=10 CSDFILEN: : INPUT: LRECL 80 BLKSIZE 27920 RECFM FB OUTPUT: BLKSIZE 27998 ENCRYPTION OF DATA: CLEAR TDES KEY USING CPACF 1
RECORDS READ: 227 WRITTEN: 1 BYTES READ: 18,160 BYTES WRITTEN: 19,992 WITH HEADER AND PAD CIPHER TIMES (IN SECONDS): 2 HIGH: 0.000089 DATA: 19528 LOW: 0.000089 DATA: 19528 TOTAL CIPHER TIME (IN SECONDS): 0.000089 CIPHERS: 1 TOTAL ELAPSED TIME: 0:00:00.02
In the next example, shown in Figure 5-5, the same small file has been encrypted using the CLRAES128 1 keyword on a z9 platform. The encryption again uses the CPACF. This time, the amount of the output data, 20000 2 bytes, written to the file will be bigger because of the longer padding needed for the AES-128 algorithm.
Figure 5-5 Statistics report with CLRAES128 and PASSWORD encryption on z9
5.3.2 Contents of the statistics report file for decryption
A statistics report issued by the decryption process is shown in Figure 5-6 on page 65. 1 is the description information provided at encryption time. The original input data set RECFM, LRECL, and BLKSIZE 2 are also displayed in the report. It is expected that the description data give proper information so that the original data set or file can be easily identified.
To decrypt the encrypted file, the correct password must be given as an input keyword. The given password 4 is not shown in the report. If the password is not the same as the one used at encryption time, an error message “INCORRECT PASSWORD ENTERED” is displayed in the report.
If the BLKSIZE value assigned to the decryption process output data set is different from the BLKSIZE of the encryption input data set, for a RECFM=FB, a warning message 5 is issued and processing continues.
CSDFILEN Encryption Utility 08/03/2006 (MM/DD/YYYY) 11:23:18 (HH:MM:SS) INPUT: DESC='TEST ENCRYPTED DATA' INPUT: CLRAES128 1
INPUT: PASSWORD=******************************** INPUT: ICOUNT=10 CSDFILEN: : INPUT: LRECL 80 BLKSIZE 27920 RECFM FB OUTPUT: BLKSIZE 27998 ENCRYPTION OF DATA: CLEAR AES KEY USING CPACF RECORDS READ: 227 WRITTEN: 1 BYTES READ: 18,160 BYTES WRITTEN: 20,000 2 WITH HEADER AND PAD CIPHER TIMES (IN SECONDS): 3 HIGH: 0.000069 DATA: 19536 LOW: 0.000069 DATA: 19536 TOTAL CIPHER TIME (IN SECONDS): 0.000069 CIPHERS: 1 TOTAL ELAPSED TIME: 0:00:00.01
Note: It is important to verify that the decryption process has recovered all the
data that was encrypted. This can be done by comparing the bytes read value
Chapter 5. Encryption Services to Encryption Services or the Decryption Client 65
Figure 5-6 Statistics report for PASSWORD and CLRTDES decryption on z900
In the second example, shown in Figure 5-7, the same small encrypted file is decrypted on the z9 platform. Here, the BLKSIZE specified in the CSDFILDE JCL is the same as the original clear data BKSIZE data set.
Figure 5-7 Statistics report with PASSWORD and CLRTDES decryption on z9
In the third decryption report example, shown in Figure 5-8, the original file was encrypted using CLRAES128. CSDFILDE retrieves this information from the encrypted file header record.
Figure 5-8 Statistics report with PASSWORD and CLRAES128 decryption on z9 CSDFILDE Decryption Utility 07/28/2006 (MM/DD/YYYY) 21:48:45 (HH:MM:SS) CSDFILDE: HEADER VERSION : 1 CSDFILDE: : INPUT: DESC = TEST ENCRYPTED DATA 1
INPUT: LRECL 80 BLKSIZE 6160 RECFM FB 2
INPUT: PASSWORD=******************************** 4 **WARNING** NEW OUTPUT BLKSIZE. REQUESTED: 27920 5
RECORDS READ: 1 WRITTEN: 227 BYTES READ: 20,032 BYTES RECOVERED: 18,160 3
CIPHER TIMES (IN SECONDS): HIGH: 0.000979 DATA: 27536 LOW: 0.000979 DATA: 27536 TOTAL CIPHER TIME (IN SECONDS): 0.000979 CIPHERS: 1 TOTAL ELAPSED TIME: 0:00:00.12
CSDFILDE Decryption Utility 08/03/2006 (MM/DD/YYYY) 11:06:03 (HH:MM:SS) CSDFILDE: HEADER VERSION : 1 CSDFILDE: : INPUT: DESC = TEST ENCRYPTED DATA INPUT: LRECL 80 BLKSIZE 27920 RECFM FB 1
INPUT: PASSWORD=******************************** RECORDS READ: 1 WRITTEN: 227 BYTES READ: 20,078 BYTES RECOVERED: 18,160 CIPHER TIMES (IN SECONDS): HIGH: 0.000123 DATA: 27536 LOW: 0.000123 DATA: 27536 TOTAL CIPHER TIME (IN SECONDS): 0.000123 CIPHERS: 1 TOTAL ELAPSED TIME: 0:00:00.02
CSDFILDE Decryption Utility 08/03/2006 (MM/DD/YYYY) 11:23:18 (HH:MM:SS) CSDFILDE: HEADER VERSION : 1 CSDFILDE: : INPUT: DESC = TEST ENCRYPTED DATA INPUT: LRECL 80 BLKSIZE 27920 RECFM FB INPUT: PASSWORD=******************************** RECORDS READ: 1 WRITTEN: 227 BYTES READ: 20,000 BYTES RECOVERED: 18,160 CIPHER TIMES (IN SECONDS): HIGH: 0.000090 DATA: 27536 LOW: 0.000090 DATA: 27536 TOTAL CIPHER TIME (IN SECONDS): 0.000090 CIPHERS: 1 TOTAL ELAPSED TIME: 0:00:00.02