I’ve discussed and demonstrated the Cryptographic Services APIs in past issues of this newsletter. The encryption examples that I presented have all used the Advanced Encryption Standard (AES) algorithm, which offers a current, strong, and well-performing encryption method that has been adopted as an encryption standard by the U.S. government. If you have followed those examples, you know that AES encryption is a block cipher and that the ciphertext produced by AES therefore always is an exact multiple of the block size applied to the cryptographic process. The block size specified for the AES algorithm is 16 bytes, although the Cryptographic Services APIs’ implementation of AES offers 24 and 32 bytes block sizes as well.
For some purposes and situations, the block-size determined length of the ciphertext could be regarded as an inconvenience. In today’s APIs by Example, I explain a method for handling data not a multiple of the block length.
If you for example have an existing database and want to encrypt one or more fields in this database, you could be faced with the requirement to increase the size of these fields or find alternate solutions to store the ciphertext. This would be the case if the fields’ current size was not an exact multiple of the encryption block size, or if the field’s data type was incapable of storing a cipher string, as for example a packed numeric field. For character fields there’s however another alternative, as pointed out in a recently released Redbook that introduces the concept of the CUSP (Cryptographic Unit Support Program) operation mode in a System i context.
The Redbook IBM System i Security: Protecting i5/OS Data with Encryption was finalized and published on July 24, 2008. I’ve provided links to the Redbook at the end of this article. The Redbook is written by IBM and industry cryptography specialists and offers a multitude of information and discussions relating to introduction to as well as planning and implementation of data encryption. For anyone facing an encryption project, this Redbook is definitely mandatory reading. The Redbook covers fundamental encryption knowledge and principles, step-by-step implementation guidelines, and lots of sample code and programming examples. And, as I mentioned, there’s also a discussion of a method that can be applied to common block cipher encryption algorithms, in order to preserve the length of the cleartext data in its encrypted state.
This method is referred to as CUSP operation mode. I first noticed the CUSP mode being mentioned when I browsed the Cryptographic Services APIs release 6.1 documentation of the enhancements provided with this release to the encryption and decryption APIs, CUSP mode being one of them.