Redvers Encryption Module
The Redvers Encryption Module is an AES (Advanced Encryption Standard) 128-, 192- or 256-bit encryption and decryption algorithm, specifically designed for COBOL applications.
Main features:
- Validated by NIST (CAVP validation number 1141)
- Runs on any COBOL platform
- Supports all confidentiality modes
- Creates Format-Preserving (Fixed Format) ciphertexts
- Distributed in COBOL source code ("cloaked")
- Fast, efficient, professional and fully scalable
- Can be used to turn production data into secure test data
- Supports calls from batch or on-line (e.g. CICS)
- Free 30 day trial
Data selected for encryption can consist of a single field, a group of fields or a complete record. Field level encryption can be used to target sensitive data only, giving applications access to non-sensitive data without the need for unnecessary file/volume encryption and decryption.
The Redvers Encryption Module is used by customers all over the world, running on iSeries/AS400, UNIX, HP, Linux, Fujitsu BS2000, Micro Focus and IBM mainframe platforms. It is frequently used in PCI compliant applications and is suitable for securing personal data under GDPR. Combined with the Redvers COBOL Signature software, these products provide all the technical tools to build a blockchain application in COBOL.
Download a PDF white paper on COBOL AES Encryption:
How strong is AES encryption?
Here's an excerpt from a National Institute of Standards and Technology (NIST) Fact Sheet:
"Because of its greater strength and efficiency, AES eventually will replace NIST's earlier Data Encryption Standard (DES), in use since 1977, and Triple DES, approved in 1999. Assuming that one could build a machine that could recover a DES key in a second, then it would take that machine approximately 149 trillion (thousand-billion) years to crack a 128-bit AES key; this is longer than our universe has existed. In 1997, NIST invited the world's best cryptographers to submit and help evaluate algorithms for the new encryption standard. This four-year effort resulted in the new AES."
How it Works
The Redvers Encryption Module consists of a pair of efficient, easy to use, COBOL subroutines (RCENCRYP and RCDECRYP) that encrypt and decrypt data strings as required. These subroutines may be called in batch or on-line modes.
Data to be encrypted (plaintext) is passed to RCENCRYP in the form of a character string held in application storage. RCENCRYP then returns the equivalent encrypted string (ciphertext). Parameter information, including the string length, confidentiality mode and encryption key are transferred in a fixed format communication block.
Decryption is performed by passing the ciphertext string to RCDECRYP along with the communication block. RCDECRYP then returns the equivalent, readable plaintext.
Secure test data can also be generated by RCENCRYP based on the encrypted ciphertext. Alphanumeric values are returned in the form of a Base64 character string and numeric values are returned as an integer.
The diagram below shows how encryption / decryption routines might be used to transfer confidential data from one secure environment to another:
The Redvers Encryption Module runs the standard AES cipher, which means it can generate ciphertext for decryption by other AES implementations and can decrypt ciphertext generated by other AES implementations.
Technical Information
The Redvers Encryption Module (2.1) uses the Advanced Encryption Standard (AES) algorithm, developed by two Belgian cryptographers, Vincent Rijmen and Joan Daemen (a combination of their surnames producing the Rijndael name). The AES symmetric block cipher was announced in 2001 by the National Institute of Standards and Technology (NIST) in FIPS Publication 197.
The AES algorithm is used in conjunction with one of five primary confidentiality modes, defined in NIST Special Publication 800-38A. These modes are: Electronic Codebook (ECB), Cipher Block Chaining (CBC), Cipher Feedback (CFB), Output Feedback (OFB) and Counter (CTR).
Format-Preserving Encryption (also known as Fixed Format Encryption) is achieved using one of five additional confidentiality modes, capable of producing any selection of numeric, upper case, lower case, mixed case or alphanumeric ciphertexts. In each case, the generated ciphertext is the same length as the input plaintext, making tokenization of confidential data easy. The precise algorithm used is the FF1 algorithm, defined in NIST Special Publication 800-38G.
Encryption-based CMAC (Cipher-based Message Authentication Code) generation and CCM (Mode for Authentication and Confidentiality) encryption provide for authenticated data transfer using two more confidentiality modes: MAC and CCM respectively. These modes are defined in NIST Special Publication 800-38B and Special Publication 800-38C.
The Redvers Encryption Module fully supports and conforms to all the above confidentiality modes and has been validated by the Cryptographic Algorithm Validation Program (CAVP) at NIST - validation number 1141.
Redvers Encryption Module programs do not contain any information that can be used to derive encryption keys or plaintext values. These programs are simply computer instructions that result in the publicly known, AES cipher logic process. They are therefore suitable for production and development environments.
Encryption and decryption are performed using keys of 128, 192 or 256 bits (16, 24 or 32 characters, i.e. bytes).
Machine memory used by the software to temporarily store plaintext and encryption keys is wiped clean with a "clean storage" call once all data has been encrypted or decrypted.
Because COBOL data can terminate with a binary field, trailing bytes cannot be assumed to be spaces or zeros, so the Redvers Encryption Module uses the Public-Key Cryptography Standards (PKCS#7) padding method, which always appends between one and sixteen padding bytes (ECB, CBC and CFB confidentiality modes only).
In order to facilitate the generation of test data, ciphertext can be returned in Base64 encoded form (as defined in IETF RFC 4648) or as a single integer (some truncation may apply).
Encryption rates are 125,000 bytes per second running ECB confidentiality mode with a 256-bit key. Decryption rates are 60,000 bytes per second running ECB mode with a 256-bit key. Faster decryption rates can be achieved if CFB, OFB or CTR confidentiality modes are used, as these modes use the forward cipher for decryption rather than the slower inverse cipher. All benchmark timings were performed on an IBM zSeries mainframe running z/OS 1.10.
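The two points above that matter most when interoperating with the module (PKCS#7 padding in ECB/CBC/CFB, and the fact that CFB, OFB and CTR decryption need only the forward cipher) are shown here in an added, self-contained Python example. This is not Redvers code and does not model the RCENCRYP/RCDECRYP communication block; it assumes a 128-bit key and full-block (128-bit segment) CFB, and it checks itself against the published FIPS 197 Appendix C.1 and NIST SP 800-38A Appendix F.3.13 test vectors, so any standards-conforming AES implementation, the Redvers module included, should agree with it.

```python
# Added example (not Redvers code): pure-Python AES-128 forward cipher used to
# illustrate PKCS#7 padding and forward-cipher-only CFB decryption.
# Test vectors: FIPS 197 App. C.1 (block cipher), SP 800-38A App. F.3.13 (CFB128).

def _xtime(b):
    """Multiply by x in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    b <<= 1
    return (b ^ 0x1B) & 0xFF if b & 0x100 else b

def _build_sbox():
    """Derive the S-box: walk GF(2^8)* with generator 3 while tracking the
    multiplicative inverse, then apply the AES affine map (no 256-entry literal)."""
    rotl = lambda x, n: ((x << n) | (x >> (8 - n))) & 0xFF
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p = p * 3
        q ^= (q << 1) & 0xFF                                   # q = q / 3
        q ^= (q << 2) & 0xFF
        q ^= (q << 4) & 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ rotl(q, 1) ^ rotl(q, 2) ^ rotl(q, 3) ^ rotl(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox

SBOX = _build_sbox()

def _expand_key(key):
    """FIPS 197 key schedule for a 16-byte key: eleven 16-byte round keys."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord, then SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def aes128_encrypt_block(key, block):
    """AES-128 forward cipher on one 16-byte block; state is kept column-major,
    so flat index 4*c + r is row r of column c, matching the round-key words."""
    rk = _expand_key(key)
    s = [b ^ k for b, k in zip(block, rk[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                              # SubBytes
        s = [s[(i + 4 * (i % 4)) % 16] for i in range(16)]   # ShiftRows
        if rnd != 10:                                        # MixColumns
            mixed = []
            for c in range(0, 16, 4):
                a = s[c:c + 4]
                t = a[0] ^ a[1] ^ a[2] ^ a[3]
                mixed += [a[i] ^ t ^ _xtime(a[i] ^ a[(i + 1) % 4]) for i in range(4)]
            s = mixed
        s = [b ^ k for b, k in zip(s, rk[rnd])]             # AddRoundKey
    return bytes(s)

def pkcs7_pad(data, bs=16):
    """Always appends 1..bs bytes, so a plaintext whose last byte is binary
    (e.g. a COBOL COMP field ending in 0x01) is still recovered exactly."""
    n = bs - len(data) % bs
    return bytes(data) + bytes([n]) * n

def pkcs7_unpad(data, bs=16):
    """Reject malformed padding instead of silently returning garbage."""
    if len(data) == 0 or len(data) % bs:
        raise ValueError("length is not a multiple of the block size")
    n = data[-1]
    if not 1 <= n <= bs or data[-n:] != bytes([n]) * n:
        raise ValueError("invalid PKCS#7 padding")
    return bytes(data[:-n])

def cfb_encrypt(key, iv, plaintext):
    """CFB-128: C_i = E(C_{i-1}) XOR P_i with C_0 = IV; input is PKCS#7-padded."""
    data, prev, out = pkcs7_pad(plaintext), iv, bytearray()
    for i in range(0, len(data), 16):
        prev = bytes(a ^ b for a, b in zip(aes128_encrypt_block(key, prev), data[i:i + 16]))
        out += prev
    return bytes(out)

def cfb_decrypt(key, iv, ciphertext):
    """P_i = E(C_{i-1}) XOR C_i: only the forward cipher is ever invoked, which
    is why CFB/OFB/CTR decryption is faster than ECB/CBC decryption."""
    prev, out = iv, bytearray()
    for i in range(0, len(ciphertext), 16):
        blk = ciphertext[i:i + 16]
        out += bytes(a ^ b for a, b in zip(aes128_encrypt_block(key, prev), blk))
        prev = blk
    return pkcs7_unpad(bytes(out))

if __name__ == "__main__":
    k = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # SP 800-38A key
    iv = bytes(range(16))                                    # SP 800-38A IV
    rec = b"SMITH     " + b"\x00\x01"                        # constructed record ending in a binary field
    print(cfb_encrypt(k, iv, rec).hex())
    print(cfb_decrypt(k, iv, cfb_encrypt(k, iv, rec)))
```

Note that `cfb_decrypt` never calls an inverse cipher, and that a 16-byte record padded under PKCS#7 always produces two ciphertext blocks; a consumer that expected the ciphertext to be the same length as the plaintext would be confusing this mode with the format-preserving (FF1) modes described above.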