
Hipercrypto - API representing combination of hiperspace and CMS data

IP.com Disclosure Number: IPCOM000198977D
Publication Date: 2010-Aug-19
Document File: 4 page(s) / 36K

Publishing Venue

The IP.com Prior Art Database

Abstract

HiperCrypto is a high-performance S/MIME (CMS) client for the mainframe environment. It provides encryption and digital signatures, supports both 3DES and AES as well as PKCS, and includes utilities for mail handling and error diagnosis. Certificate administration is separated from operational handling by the CERTEX component, so that the two tasks can be assigned to different people.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 47% of the total text.

Page 1 of 4


Until now, mainframe data could not be encrypted and signed (or, for incoming data, decrypted and verified) according to the CMS ('Cryptographic Message Syntax', the format underlying S/MIME) protocol for transport e.g. via email. This had to be done on other platforms, which in turn lack the performance needed for large amounts of data.

The mainframe offers both an encryption environment (ICSF) and on-demand storage (the HIPERSPACE feature), a combination that gives excellent performance. 'Hipercrypto' builds on this combination: it uses up to 2 GB of on-demand storage to encrypt data in a very short time. In a test, 20 MB were encrypted in 2 seconds on the mainframe, while decrypting the same data on a workstation took more than 20 minutes.

[Figure: HIPERCRYPTO overview. A user program call hands user data and certificates to the t7mapi API; the CMS layer builds ENC (encrypted, 3DES/AES) and SIG (signed, SHA-1, PKCS) bodies using ICSF, with the data held in a HIPERSPACE (< 2 GB); the result leaves through exit points such as smtp, CICS and imap (internal exit and access points).]

Please review the figure above.

What the product does:

Hipercrypto composes the encrypted data together with the symmetric and asymmetric key material involved into a single body according to RFC 3852. Encryption and decryption run without any manual intervention by the originator or the recipient. Input data is converted into an encrypted body, which is optionally signed.

Input: any user data (text or binary).
Limit: maximum size 2^31 bytes - (1 + CMS header); the hiperspace limit is 2 GB, and the CMS header is approximately 1 K.
Additional input: parts of X.509 certificates, ICSF data (private/public keys).
Input parameters: selection of the encryption algorithm (3DES, AES256) for symmetric enciphering of the user data. The content-encryption key is itself encrypted ('enveloped') with RSA according to the CMS protocol.



Other input parameters: text mode, kind of attachment (given in the MIME header).

Output: a data set with variable-length records (RECFM=VB) containing the CMS body.

Exit/access points:

The output data set can be sent via the email access point or over any other transport medium. Incoming CMS bodies are processed from any data set on the mainframe. The product offers an imap client access point; the email client access point is adapted to the CMS-specific naming convention. The product is called via an API, i.e. from a user program, from an online monitor (CICS, TSO) or from a batch job. A sample batch job with its JCL is shown below.

Coding:

The code is written in assembler language for best performance. It contains macros for calling hiperspace, ICSF/KLMD and socket services. DER strings are composed natively to represent the CMS ASN.1 protocol and to avoid overhead of

Sample JCL for the batch job (DD statements):

//* CERTEXV: certificate extract data set (see 'Certificate Extract' below)
//CERTEXV  DD DISP=SHR,DSN=MVS.CERTEXV
//* KEYIN: in-stream input listing e-mail addresses
//KEYIN    DD *
PETER.BYLDNER@DE.IBM.COM
PETR.SVOBODA@CZ.IBM.COM
//* SMOUT: new generation of the output GDG, variable-length records, receives the CMS body
//SMOUT    DD DISP=(,CATLG),DSN=TEMP.EMAIL(+1),
//            DCB=(LRECL=31024,BLKSIZE=31028,RECFM=VB),
//            SPACE=(CYL,(20,50)),UNIT=3390
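The CMS body described under 'What the product does' and the native DER composition mentioned under 'Coding', as an added example that is not code from the HiperCrypto disclosure or from IBM: a pure-Python assembler for a CMS EnvelopedData ContentInfo (RFC 3852) with one KeyTransRecipientInfo, built from hand-encoded DER rather than through an ASN.1 library. The bulk cipher (AES-256-CBC or 3DES-CBC) and the RSA key transport are assumed to have been performed elsewhere, as ICSF does on the mainframe; the ciphertext, IV, wrapped key, issuer name and serial number are constructed placeholders, and all function and constant names are the example's own. A small DER walker reads the encrypted content back out, and max_user_data() applies the page's size rule (2^31 - (1 + CMS header)) to the measured header length.

```python
"""Assemble a CMS EnvelopedData body (RFC 3852) from hand-built DER.
Added example, not HiperCrypto's code: the bulk cipher and the RSA key transport
are assumed to run elsewhere (ICSF on the mainframe); this only composes their
outputs into the CMS structure, without an ASN.1 library."""

# --- minimal DER encoder ---
def der_length(n: int) -> bytes:
    """Length octets: short form below 128, long form (0x80|N, then N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_length(len(content)) + content

def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return tlv(0x06, bytes(out))

def encode_integer(n: int) -> bytes:
    """Non-negative INTEGER, minimal length with a leading 0x00 when the top bit is set."""
    return tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))

def sequence(*items: bytes) -> bytes: return tlv(0x30, b"".join(items))
def set_of(*items: bytes) -> bytes: return tlv(0x31, b"".join(items))
def octet_string(data: bytes) -> bytes: return tlv(0x04, data)
NULL = b"\x05\x00"

# --- CMS identifiers (RFC 3852, RFC 3370, RFC 3565) ---
ID_DATA, ID_ENVELOPED_DATA = "1.2.840.113549.1.7.1", "1.2.840.113549.1.7.3"
RSA_ENCRYPTION, ID_AT_CN = "1.2.840.113549.1.1.1", "2.5.4.3"
CONTENT_CIPHERS = {                 # algorithm OID, IV length (the AlgorithmIdentifier parameter)
    "AES256": ("2.16.840.1.101.3.4.1.42", 16),   # aes256-CBC
    "3DES": ("1.2.840.113549.3.7", 8),           # des-ede3-cbc
}

def issuer_and_serial(issuer_cn: str, serial: int) -> bytes:
    """IssuerAndSerialNumber; the issuer Name is reduced to a single CN RDN here (placeholder)."""
    cn = sequence(encode_oid(ID_AT_CN), tlv(0x0C, issuer_cn.encode()))  # UTF8String
    return sequence(sequence(set_of(cn)), encode_integer(serial))

def build_enveloped_data(ciphertext: bytes, iv: bytes, wrapped_key: bytes,
                         issuer_cn: str, serial: int, cipher: str = "AES256") -> bytes:
    """ContentInfo { id-envelopedData, [0] EnvelopedData } with one KeyTransRecipientInfo."""
    oid, iv_len = CONTENT_CIPHERS[cipher]
    if len(iv) != iv_len:
        raise ValueError(f"{cipher} expects a {iv_len}-byte IV")
    recipient = sequence(
        encode_integer(0),                           # version 0: rid is IssuerAndSerialNumber
        issuer_and_serial(issuer_cn, serial),
        sequence(encode_oid(RSA_ENCRYPTION), NULL),  # keyEncryptionAlgorithm
        octet_string(wrapped_key))                   # encryptedKey: content key under RSA
    eci = sequence(
        encode_oid(ID_DATA),
        sequence(encode_oid(oid), octet_string(iv)), # contentEncryptionAlgorithm with IV
        tlv(0x80, ciphertext))                       # [0] IMPLICIT encryptedContent
    enveloped = sequence(encode_integer(0), set_of(recipient), eci)
    return sequence(encode_oid(ID_ENVELOPED_DATA), tlv(0xA0, enveloped))

# --- minimal DER walker, to read the body back ---
def der_read(buf: bytes, pos: int = 0):
    """Return (tag, content, position after the element) for the TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, start = first, pos + 2
    else:
        n = first & 0x7F
        length, start = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    return tag, buf[start:start + length], start + length

def extract_encrypted_content(der: bytes) -> bytes:
    """ContentInfo -> [0] -> EnvelopedData -> EncryptedContentInfo -> [0] payload."""
    _, info, _ = der_read(der)
    _, _, p = der_read(info)                     # contentType
    _, enveloped, _ = der_read(der_read(info, p)[1])
    _, _, p = der_read(enveloped)                # version
    _, _, p = der_read(enveloped, p)             # recipientInfos
    _, eci, _ = der_read(enveloped, p)
    _, _, p = der_read(eci)                      # contentType
    _, _, p = der_read(eci, p)                   # contentEncryptionAlgorithm
    tag, payload, _ = der_read(eci, p)
    if tag != 0x80:
        raise ValueError("encryptedContent [0] missing")
    return payload

def max_user_data(header_len: int) -> int:
    """The page's input limit, 2^31 - (1 + CMS header), for a measured header length."""
    return 2 ** 31 - (1 + header_len)

if __name__ == "__main__":
    # constructed stand-ins for ICSF output: 4 KiB ciphertext, 16-byte IV, 256-byte wrapped key
    ct, iv, wk = bytes(4096), bytes(range(16)), bytes(256)
    body = build_enveloped_data(ct, iv, wk, "Sample Issuing CA", 4242)
    header = len(body) - len(ct)
    print(f"body {len(body)} B, CMS header {header} B, max payload {max_user_data(header)} B")
```

The header overhead is independent of the payload size except for the length octets: for a 20 MB payload the encryptedContent length field becomes the long form 84 01 40 00 00, so the CMS header stays in the few-hundred-byte range (around 1 K with a full issuer DN, as the page states); the only other variable-size part is the RSA-wrapped content key, 256 bytes for a 2048-bit recipient key.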

Description of 'Certificate Extract'

When an encrypted/signed S/MIME or CMS body is created, some elements from the certificate must be included...