Patent "Encrypt dataset using SMS"
Original Publication Date: 2009-Nov-30
Included in the Prior Art Database: 2009-Nov-30
The present publication discloses a new way to manage confidential data on the MVS platform. The main idea is to encrypt data before writing it to a dataset, so that data is stored directly in encrypted form. No dataset, even a temporary one, contains an unencrypted copy of the data. Being authorized to access a file does not mean you are authorized to view its content.
The proposed solution is to define a file as an encrypted file at the time the file is allocated. This separates access from confidentiality: someone could be allowed to create the file and execute the program, yet not be authorized to see the resulting data.
The second effect is that even if somebody "steals" your entire data center, obtaining unencrypted data will not be possible because the encryption key is not available.
In a z/OS environment, as SMS is the place where file allocation is made, SMS is the right component to decide whether the allocated file should be encrypted or not.
The first possibility is to add an ENCRYPT parameter to the DATACLAS construct (in the same way we have a COMPRESS parameter). The SMS DATACLASS ACS routine is responsible for tagging the allocated file with the encrypted attribute. (SMS will also decide whether encryption is to be honored or not for this file, as it does for compression.)
The second possibility is to extend SMS constructs with an ENCRYPTIONCLASS ACS routine. This is a richer solution: the construct could define a structure that decides whether a record is fully encrypted or only a part of the record is, and the encryption algorithm or any relevant crypto parameter could also be managed with this construct.
In both cases, SMS will call the right ICSF cryptographic services, as described in the construct. EKM, then TKLM, will be res...