Townsend Security Data Privacy Blog

GNU Privacy Guard (GPG) and PGP Command Line Compatibility

Posted by Patrick Townsend on Mar 25, 2016 9:42:00 AM

Pretty Good Privacy (PGP) is a mature and well-regarded whole file encryption application. In partnership with PGP Corporation, McAfee and now Symantec, we’ve implemented PGP Command Line on both the IBM i (iSeries, AS/400) and on the IBM System z Mainframe. Our customers often have questions about PGP compatibility with open source implementations like GNU Privacy Guard, or GPG. Let’s dive into this a bit deeper.

Before we jump into a discussion of solutions and their compatibility, it’s important to know about the Internet standards for PGP. These standards are defined in RFCs 2440 and 4880. The standards are referred to as the OpenPGP standard. These Internet RFCs define the format and behavior for any application that claims to support the OpenPGP standard. They do not define an application, and the term OpenPGP does not refer to any actual application or solution. It is just the name of the standard.

We have a standard for PGP, so now we need to identify which applications implement the standard. That’s important because we want our PGP encrypted information to be supported by the largest number of platforms and vendors.

In the open source world there are several solutions that implement the OpenPGP message format and conform to the RFC standards. Probably the most well known is the GNU Privacy Guard, or GPG, application. It is available on several operating system platforms including Windows, Linux, and Unix. GNU has a large community of developers who support this application and it is readily available. Other open source implementations include Bouncy Castle, the International PGP organization, Portable PGP, and others. While GNU Privacy Guard is actively maintained, other open source implementations may not receive as much on-going attention from developers.

Because of its history with the original developers of PGP, the most common commercial version of PGP is provided by Symantec. Here at Townsend Security our relationship with Symantec allows us to bring the commercial version of PGP to IBM Enterprise platforms IBM i and IBM System z. We’ve been supporting PGP on the IBM platforms for more than a decade. Other commercial versions are provided by Viacrypt and SDS and are supported by those companies.

The OpenPGP standard assures customers that encrypted files can be processed by any application that supports that standard. The open source and commercial versions mentioned above do implement support for the OpenPGP standards.

The OpenPGP standard is reasonably complex and it is easy to inadvertently introduce incompatibilities. Interoperability testing is crucial to avoid implementation errors. Since there is no independent certification authority for PGP, it is up to the open source and commercial vendors to perform interoperability testing. Here at Townsend Security we test our implementation against a variety of open source and commercial versions. We also perform the cryptographic test suite defined by the National Institute of Standards and Technology (NIST) to ensure that our implementation of PGP Command Line meets all of the relevant encryption standards. In this respect we are standing on the shoulders of those original giants of the PGP world who brought us PGP and who regularly performed NIST FIPS 140-2 validation.

The IBM Enterprise servers are quite different than their Windows and Linux operating system cousins. You might wonder how easy it is to use PGP on these platforms. Our developers at Townsend Security have worked hard to adapt PGP to these platforms without impacting the implementation of OpenPGP. For example, PGP Command Line for the IBM System z Mainframe fully supports Batch z/OS, multiple z/OS file systems, and z/OS text files, and has built-in support for code page conversions. Combined with a number of JCL examples of encrypting, decrypting and signing files with PGP, it provides a powerful implementation of PGP on that platform.

Our customers on the IBM i and IBM System z regularly exchange encrypted files with partners running GNU Privacy Guard. That compatibility is important to us and we will continue to validate our commercial PGP implementation with GPG through interoperability testing.

Patrick


Topics: Encryption, PGP

PGP on IBM System z Mainframes

Posted by Patrick Townsend on Feb 10, 2015 7:38:00 AM

With the new z13 model, IBM announced another round of enhancements and improvements to the venerable IBM System z Mainframe. Focusing on mobile and social media integration, IBM is yet again modernizing and extending this high-end enterprise server.

While the IBM System z Mainframe has a well-earned reputation for security, how do Mainframe customers protect their data as they move towards more open, internet-based mobile and social media integration?

Pretty Good Privacy (PGP) is one path to provable and defensible security, and PGP Command Line is the de facto standard for enterprise customers.

PGP is one of the most commonly accepted and widely deployed whole file encryption technologies that has stood the test of time. It works on all of the major operating system platforms and makes it easy to deploy strong encryption to protect data assets. And it runs on the IBM System z Mainframe!

For about a decade we at Townsend Security have been bringing PGP encryption to Mainframe customers to help them solve some of the most difficult problems with encryption. As partners with Symantec we provide IBM enterprise customers running IBM System z and IBM i (AS/400, iSeries) with the same strong encryption solution that runs on Windows, Linux, Mac, Unix, and other platforms.

Incorporating the OpenPGP standard, PGP Command Line from Townsend Security and backed by Symantec, is compatible with a variety of open source PGP encryption solutions, while adding features to warm the heart of the IBM Mainframe customers. And this is the same PGP whose underlying PGP SDK has been through multiple FIPS 140-2 validations and which is FIPS 140-2 compliant today.

While retaining the core functions of PGP and the standards-based approach to encryption, we’ve been busy extending PGP specifically for the IBM Mainframe customer. Here are just a few of the things we’ve done with PGP to embrace the IBM Mainframe architecture:

  • Native z/OS Batch operation
  • Support for USS operation
  • Text mode enhancements for z/OS datasets
  • Integrated EBCDIC to ASCII conversion using built-in IBM facilities
  • Simplified IBM System z machine and partition licensing
  • Support for self-decrypting archives targeting Windows, Mac, and Linux!
  • A rich set of working JCL samples
  • Free evaluation on your own IBM Mainframe

IBM Mainframe customers never have to transfer data to a Windows or Linux server to perform encryption, exposing the data to loss on those platforms in the process. With full cross-platform support you can encrypt and decrypt data on the IBM Mainframe regardless of its origination or destination.

PGP Command Line is the gold standard for whole file encryption, and you don’t have to settle for less.

Patrick


Topics: IBM z, Mainframe, PGP

Securing Data in Motion with PGP Encryption

Posted by Michelle Larson on Aug 28, 2013 3:22:00 PM

In their latest podcast, Paul Taylor with Security Insider Podcast Edition and Patrick Townsend, CTO of Townsend Security discuss using PGP encryption to secure data in motion for meeting compliance regulations, the OpenPGP standard, the differences between Open and Commercial PGP solutions, and ways to automate your managed file transfers on the IBM i.

PGP stands for “Pretty Good Privacy”, and it’s an encryption solution that originally started in the 1990s. Over 20 years ago, Phil Zimmermann and a group of developers decided to produce secure file encryption technology and felt that PGP should be used everywhere to protect data-in-motion, both for individuals and for companies who need to transfer data across networks. Originally, Phil Zimmermann’s development team offered a free, open-source version of PGP. Over the years, ownership of PGP was transferred from Network Associates to McAfee, and PGP is now owned and commercially licensed by Symantec. Throughout that development, Townsend Security has helped to bring this important encryption technology to IBM enterprise platforms. We have partnered with Symantec to offer the only commercial version of PGP Command Line on the IBM i.

In their podcast, Paul and Patrick discuss the OpenPGP standard and the two solution versions of PGP, Open and Commercial, and the confusion around them. OpenPGP is a standard (RFC 4880 & RFC 2440), not software, and that standard covers what an OpenPGP solution is and should do. There are multiple open source editions of the software, available from a number of different organizations, that should meet the OpenPGP standard.

The commercial version from Symantec was created and continues to be advanced by the original PGP developers. It conforms to the OpenPGP standard, and it adds additional functions that are important to enterprise customers.

For example:

    • Additional decryption key support (the ability to encrypt a file for multiple recipients)

If you need to send and recover an encrypted file to yourself for due diligence, your ability to recover that encrypted file through additional decryption key support becomes an important regulatory component.

    • Self-decrypting archives (the ability to encrypt data and send it to almost anyone for processing)

You can create an encrypted file on your system, even on an IBM z mainframe or IBM i platform, that can be decrypted as an executable on a Mac system, a Windows PC, or even a Linux box.

    • Support for X.509 Certificates, external key management protocols, and the ability to actually store encryption keys on an external server.

With the Commercial PGP product comes full support for OpenPGP standard, as well as these additional features, which really make a difference for enterprise businesses. When you base your company reputation on something mission-critical like PGP encryption, you deserve the comfort of knowing that there’s a support team there ready to stand behind you.

“Pretty Good Privacy” is well recognized and accepted across a broad number of compliance regulations as a secure way to protect sensitive data as it is in transit to your trading partners. PGP encryption helps businesses meet PCI DSS by encrypting credit card numbers and other PII as required by HIPAA/HITECH Act, Sarbanes-Oxley, and FISMA compliance regulations.

Listen to the podcast for more in-depth information and a discussion on how PGP meets compliance regulations with its NIST certifications, and how Townsend Security, the only Symantec partner on the IBM i or AS/400 platform as well as the IBM z platform providing PGP Command Line 9, can help IBM i users with PGP!


If you have topics you would like to hear discussed in future podcasts, please email them to us at podcast@townsendsecurity.com or post your comments here in the blog!

 

Topics: PGP Encryption, Security Insider Podcast, PGP

AES vs PGP: What is the Difference?

Posted by Victor Oprescu on Jul 9, 2013 12:04:00 PM

In the world of encryption there are many different names for encryption, but probably the two most common would have to be AES and PGP. But not everyone knows what these acronyms stand for. In today’s world of TLAs (Three Letter Acronyms) it’s easy to feel left behind in a data security conversation when they start replacing every other word. OMG!

First we’ll break both of them down a bit and then we’ll compare them to each other.

AES Encryption
AES, or Advanced Encryption Standard, as we know it today is the dreamchild of two cryptographers’ proposal of a symmetric key encryption algorithm based on the Rijndael cipher. This algorithm was developed when NIST (National Institute of Standards and Technology) sent the call out to the cryptographic community to develop a new standard. NIST spent five years evaluating fifteen competing designs for the AES project and in 2001 announced the cipher developed by the two Belgians Joan Daemen and Vincent Rijmen as the adopted standard, known as FIPS-197, for electronic data encryption.

AES is a symmetric key encryption algorithm, which essentially means that the same key is used for the encryption and decryption of the data. A computer program takes clear text and processes it through an encryption key and returns ciphertext. If the data needs to be decrypted, the program processes it again with the same key and is able to reproduce the clear text. This method requires fewer computational resources for the program to complete its cipher process, which means lower performance impact. AES encryption is a good method to protect sensitive data stored in large databases.

There is, however, a time when AES will not be your go-to encryption process. When you need to share sensitive information with trading partners or transfer information across networks, using AES has one downside when it comes to security: You would have to share your encryption key with your trading partners. Sure, they’d be able to decrypt the information you sent them, but they would also be able to decrypt anything else encrypted with that key, and if the key itself became compromised anyone in possession of it could decrypt your data.

Enter PGP. PGP stands for Pretty Good Privacy, and before you get too distracted by the name, I can tell you it is actually much better than just pretty good. PGP uses symmetric and asymmetric keys to encrypt data being transferred across networks. It was developed by the American computer scientist Phil Zimmermann, who made it available for non-commercial use for no charge in 1991. To encrypt data, PGP generates a symmetric key that encrypts the data, and that symmetric key is in turn protected by the asymmetric key.

Asymmetric encryption uses two different keys for the encryption and decryption processes of sensitive information. Both keys are derived from one another and created at the same time. They are divided into and referred to as a public and a private key, which make up the key pair. Data is only encrypted with a public key and thus can only be decrypted with the matching private key. The encryption PGP offers is just as strong as that of AES, but it adds the additional security that prevents anyone with just the public key from being able to decrypt data that was previously encrypted with it. Another benefit of asymmetric encryption is that it allows for authentication. After you have exchanged public keys with your trading partners, the private keys can be used to digitally sign the encrypted content, allowing the decryptor to verify the authenticity of the sender.

PGP does require more computational resources, which is why it is usually not recommended for encrypting data in large databases where information needs to be accessed frequently, and each record that you access needs to be run through a cryptographic process.

When you are considering which encryption to use for your sensitive information choose whichever will suit your needs best. AES is fast and works best in closed systems and large databases; PGP should be used when sharing information across an open network, but it can be slower and works better for individual files.

 


Topics: Encryption, PGP Encryption, Data Privacy, AES, PGP, Webinar, AES Encryption

PGP Encryption 101: Should I Give My Trading Partner My Private Key?

Posted by Jared Mallory on Jun 20, 2013 4:48:00 PM

In the world of PGP encryption, we often hear from users who tell us, “My trading partner says they need my private key for encryption. Is it ok to send it to them?” The simple answer to this question is no. Your private key is aptly named “private” because it should never be shared with others. The key intended for distribution is also aptly named as the “public” key.


The longer and more technical explanation of why you shouldn’t give out your private key is a little more confusing.

The PGP process requires that encryption be performed with a public key that your trading partner gives to you to use, if you are going to send encrypted data to them. You cannot encrypt the data with a private key. If your partner requires that the file be signed as a part of the process, then you will use your private key as a signature. In order to read that signature, your trading partner needs the public key that matches your private key, so you must give them that public key. You should never give them your private key.

On the other hand, if someone wishes to send encrypted data to you, you must provide them with your public key in order for them to send you files. Your system should automatically recognize the key that was used to encrypt the file and will select the appropriate private key for the decryption process. You only need to provide the passphrase for the key to validate that you are authorized to access the unencrypted data.

Here’s an example: XYZ Productions uses the services of ABC Personnel Services for payroll management. Each month XYZ sends payroll files to ABC for processing. Due to the confidential nature of the information in the file, XYZ and ABC have agreed to use PGP encryption to protect the data. Both companies export their public keys and send them to one another. As the originator of the file, XYZ uses the ABC public key to encrypt the file before sending it. By doing so, the file can only be decrypted by the holder of the private key. XYZ then uses their private key to sign the file as a means of verifying the origin of the encrypted file. When the file is received by ABC, they validate the signature by comparing it to the XYZ public key they have been given, then use their private key to decrypt the file for processing.

The safety of the confidential data in the example is protected because the encrypted files can only be read using the private key, which has never left the trust of the key generator.      

When exporting a key to send to a customer, always remember that the key type identifies whether the key should be shared. Public keys are for sharing, whereas a private key should always be kept close to home.
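Two points made above can be checked directly in the OpenPGP packet layout of RFC 4880: the key type identifies whether an export may be shared, and an encrypted file carries one symmetric session key wrapped once per recipient public key. The following Python sketch is an added example, not code from the original posts or from any PGP product; `dearmor`, `packets`, `classify` and the helper names are hypothetical, the sample byte strings are constructed dummy data (not real keys or ciphertext), and partial-length bodies are handled in simplified form.

```python
import base64

SECRET_TAGS = {5, 7}            # RFC 4880 s4.3: Secret-Key, Secret-Subkey
PUBLIC_TAGS = {6, 14}           # Public-Key, Public-Subkey
PKESK, SED, SEIPD = 1, 9, 18    # wrapped session key; encrypted data packets


def dearmor(data: bytes) -> bytes:
    """Return binary packets, decoding ASCII armor when present."""
    if not data.lstrip().startswith(b"-----BEGIN PGP"):
        return data
    lines = [ln.strip() for ln in data.strip().splitlines()]
    start = lines.index(b"") + 1 if b"" in lines else 1    # skip armor headers
    body = []
    for line in lines[start:]:
        if line.startswith((b"=", b"-----END")):           # CRC-24 line or tail
            break
        body.append(line)
    return base64.b64decode(b"".join(body))


def packets(data: bytes):
    """Yield (tag, body) for each packet header (RFC 4880 section 4.2)."""
    pos = 0
    while pos < len(data):
        first, pos = data[pos], pos + 1
        if not first & 0x80:
            raise ValueError("not an OpenPGP packet")
        if first & 0x40:                                   # new-format header
            tag, o1 = first & 0x3F, data[pos]
            if o1 < 192:
                length, pos = o1, pos + 1
            elif o1 < 224:
                length, pos = ((o1 - 192) << 8) + data[pos + 1] + 192, pos + 2
            elif o1 == 255:
                length, pos = int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5
            else:   # partial body length: simplified, take the rest as body
                length, pos = len(data) - pos - 1, pos + 1
        else:                                              # old-format header
            tag, ltype = (first >> 2) & 0x0F, first & 0x03
            if ltype == 3:                                 # indeterminate length
                length = len(data) - pos
            else:
                size = 1 << ltype                          # 1, 2 or 4 octets
                length = int.from_bytes(data[pos:pos + size], "big")
                pos += size
        if pos + length > len(data):
            raise ValueError("truncated packet")
        yield tag, data[pos:pos + length]
        pos += length


def classify(data: bytes) -> dict:
    """Report what an OpenPGP file holds; fail closed if it cannot be parsed."""
    out = {"kind": "unknown", "ok_to_send": False, "recipient_key_ids": []}
    try:
        parsed = list(packets(dearmor(data)))
    except (ValueError, IndexError):
        return out
    tags = [tag for tag, _ in parsed]
    for tag, body in parsed:
        # v3 PKESK body: version, 8-octet key ID, algorithm, wrapped session key
        if tag == PKESK and len(body) >= 10 and body[0] == 3:
            out["recipient_key_ids"].append(body[1:9].hex().upper())
    if SECRET_TAGS & set(tags):
        out["kind"] = "secret key"                         # never leaves its owner
    elif tags and tags[0] in PUBLIC_TAGS:
        out.update(kind="public key", ok_to_send=True)
    elif PKESK in tags and tags[-1] in (SED, SEIPD):
        out.update(kind="encrypted message", ok_to_send=True)
    return out


# --- Constructed sample data: dummy bodies, not real keys or ciphertext ---
def make_packet(tag: int, body: bytes) -> bytes:
    return bytes([0xC0 | tag, len(body)]) + body           # new format, < 192 octets


def armor(label: bytes, raw: bytes) -> bytes:
    # "=AAAA" stands in for the CRC-24, which this example does not verify
    return (b"-----BEGIN PGP " + label + b"-----\n\n" + base64.b64encode(raw)
            + b"\n=AAAA\n-----END PGP " + label + b"-----\n")


KEY_BODY = b"\x04" + bytes(20)                             # version octet + filler
SAMPLE_PUBLIC = armor(b"PUBLIC KEY BLOCK",
                      make_packet(6, KEY_BODY) + make_packet(13, b"ABC Personnel"))
SAMPLE_SECRET = bytes([0x80 | (5 << 2), len(KEY_BODY)]) + KEY_BODY  # old format, binary
SAMPLE_MESSAGE = (make_packet(PKESK, b"\x03" + b"\x11" * 8 + b"\x01" + bytes(16))
                  + make_packet(PKESK, b"\x03" + b"\x22" * 8 + b"\x01" + bytes(16))
                  + make_packet(SEIPD, b"\x01" + bytes(32)))

if __name__ == "__main__":
    print([classify(s) for s in (SAMPLE_PUBLIC, SAMPLE_SECRET, SAMPLE_MESSAGE)])
```

A file-transfer job can run `classify` on each outbound key export or payload and hold back anything whose `ok_to_send` is false; the two key IDs reported for the sample message correspond to one session key wrapped for two recipients.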

Topics: Encryption, Data Privacy, PGP

What Types of Encryption are Available on the IBM i?

Posted by Paul Taylor on Jun 18, 2012 8:49:00 AM


It seems like every day the media reports another data breach—a stolen laptop that contains patients’ private information, credit cardholders’ names and social security numbers hacked. Not only do the headlines prove to be public relations nightmares for the companies involved—especially if the stolen or hacked data isn’t encrypted—but they come with severe financial penalties, often reaching into millions of dollars.

When data is encrypted, companies can assure those whose data has been stolen or hacked that there is no reason to worry. Thieves may have the files containing the data, but the thief will be unable to access the data itself. This minimizes the public relations hit and reduces liability with compliance regulators. In today’s highly regulated business world, there is no excuse for not having encryption on your IBM i. Here are two types of encryption to make sure your data is secure:

NIST-Certified AES Encryption for Data at Rest
NIST sets non-military government standards for a wide variety of technologies including data encryption. Because NIST uses an open and professional process to establish standards, the private sector usually adopts NIST standards for commercial use. NIST is one of the most trusted sources for technology standards.

Since AES was introduced, it has been adopted by all U.S. government agencies as the gold standard for protecting sensitive data, and many software companies have made it available to consumers through encryption software. When selecting a data security service, looking for one that has NIST certification should be at the top of your list.

PGP Encryption for Data in Motion
In today’s world, data moves faster and further than ever. That’s why it’s important to ensure it’s secure whether it’s in a database, on a laptop, or sent via email.

PGP encryption is ideal for exchanging data with trading partners, banks, insurance companies, benefits providers, and many other external partners. Its ability to run on any computing platform makes it ideal for this type of secure data exchange.

Data breaches and associated fines don't have to be a reality of doing business. By properly encrypting your sensitive information you remove the risk of seeing your name in the headlines, being fined millions of dollars, and losing your customers' trust in your brand. Download our white paper "AES Encryption and Related Concepts" to learn more about industry best practices for securing your data.

 


Topics: Encryption, IBM i, AES, PGP

Commercial PGP Command Line and Our Symantec Partnership

Posted by Patrick Townsend on Apr 25, 2012 5:30:00 PM

Really successful technology partnerships are hard to achieve and therefore are rare. There are so many potential pitfalls in this type of partnership that include conflicting goals, changing market conditions, and on and on. That’s why I am particularly pleased with our partnership with Symantec on the IBM Enterprise platform versions of PGP encryption. This technology partnership now spans more than a decade and several mergers and acquisitions. The level of trust and integration between Townsend Security and Symantec has just gotten better over time, and our IBM i (AS/400, iSeries) customers and IBM System z Mainframe customers have benefited.

One thing that has confused our customers is where they should go to get information and to license PGP Command Line for the IBM Enterprise platforms.

It can be hard to negotiate the Symantec web site to locate the PGP Command Line products. And calling Symantec’s 800 number can be downright disorienting. Symantec provides a large number of security and system management products, and finding the PGP products can be hard. Of course, you can always go to the old PGP web site, and it will re-direct you to the Symantec site. That helps, but not many people know about that little short-cut.

Here is a better idea – you can just go directly to the Townsend Security web site and you will be starting in the right place. Just select the PGP option under products.

IBM System z customers will be glad to know that we’ve partnered with Software Diversified Systems (SDS) to provide sales management and customer support that meets the Mainframe customer’s expectations of knowledge and experience with that platform. Just select the PGP Command Line product under their Products link. SDS and their worldwide partner network have really provided the Mainframe experience and depth of knowledge that customers expect. That’s also been a great partnership.

If you are an IBM Enterprise platform customer, save yourself some time and trouble. Go straight to Townsend Security or SDS for your PGP Command Line encryption solutions.

Patrick

Topics: PGP

What is the difference between AES and PGP Encryption?

Posted by Kristie Edwards on Jan 12, 2012 3:55:00 PM

I recently had a conversation with one of our customers about the automatic encryption webinar they attended. The webinar demonstrated how companies can implement AES encryption on their AS/400 without making application changes. This customer currently has our managed file transfer solution, FTP Manager with PGP encryption, and was confused as to why they would need AES encryption if they were using PGP. I explained that PGP encryption protects data in motion - when it is transferred outside his company. If he was storing data on his AS/400, he would need AES encryption to protect his data at rest.

AES Encryption
AES encryption is the standard when it comes to encrypting data in a database. Advanced Encryption Standard (AES) has been adopted as a standard by the US government and many state and local agencies. AES is the recommended encryption method for PCI, HIPAA/HITECH, GLBA and individual state privacy regulations. AES encryption uses an encryption key to encrypt the data. Typically, this key is stored on the AS/400 and used when the data needs to be decrypted. To sidetrack here a little, this is not a good idea. Leaving your encrypted data and keys in the same place is like leaving the key to your house under your door mat. If you want to learn more about why this is a bad idea, take a look at this blog article on the topic.

PGP Encryption
PGP encryption is the standard when it comes to encrypting files that need to be transferred. Pretty Good Privacy (PGP) is the standard for encrypted file exchange among the world’s largest financial, medical, industrial, and services companies. Also know that when encrypting a file with PGP, you may be using AES encryption.

AES encryption and PGP encryption solutions work together to ensure that all your sensitive data is secure. AES will protect data at rest within your organization and PGP encryption keeps it secure when it is sent outside your company.

I hope this has been helpful in better understanding the differences and similarities of PGP encryption and AES encryption. Learn more about AES and PGP encryption with the webinar "Automatic Encryption on the IBM i" that spurred this conversation or the whitepaper "AES Encryption and Related Concepts". 
 


 

Topics: Encryption Key Management, AES, PGP, AES Encryption

PGP Encryption: 6 Things You Need to Know

Posted by Luke Probasco on Apr 28, 2011 11:49:00 AM

Pretty Good Privacy (PGP) is the de facto standard for encrypted file exchange among the world’s largest financial, medical, industrial, and services companies. Based on open standards and tested by time, PGP has won the trust of governments and private enterprises to protect their sensitive data. Here are the six key things to know about PGP encryption for your IBM i and IBM z platforms, and how to discuss them with your technology providers:

1) Always encrypt and decrypt sensitive data on the platform where it is created. This is the only way to satisfy regulatory audit and privacy notification requirements.

Moving data to a PC for encryption and decryption tasks greatly increases the chances of loss and puts your most sensitive data at risk.  In order not to defeat your data security goals it is important to encrypt and decrypt data directly on the IBM i or IBM z.

2) The best PGP encryption solutions manage PGP keys directly on the IBM i or IBM z without the need for an external PC system, or key generation on a PC.

Using a PC to generate or manage PGP keys exposes the keys on the most vulnerable system. The loss of PGP keys may trigger expensive and time-consuming privacy notification requirements and force the change of PGP keys with all of your trading partners.

3) The best data security solutions will provide you with IBM i and IBM z automation tools that help minimize additional programming and meet your integration requirements.

Most Enterprise customers find that the cost of the software for an encryption solution is small compared to the cost of integrating the solution into their business applications. Data must be extracted from business applications, encrypted using PGP, transmitted to a trading partner, archived for future access, and tracked for regulatory audit. When receiving an encrypted file from a trading partner the file must be decrypted, transferred to an IBM i or IBM z library, and processed into the business application. All of these operations have to be automated to avoid expensive and time-consuming manual intervention.

4) PGP is part of a comprehensive data security plan.

PGP encryption is ideal for exchanging data with trading partners, banks, insurance companies, benefits providers, and many other external partners. Its ability to run on any computing platform makes it ideal for this type of secure data exchange.

5) PGP helps meet data privacy compliance regulations.

Even if your company is not directly subject to PCI and other similar regulations, you will soon find that your customers who are subject to these laws will require that you be in compliance, too. As the financial auditing profession matures, auditors realize that their customers cannot meet regulatory requirements unless their suppliers meet these requirements.

6) Choose the trusted leader in data security.

When PGP Corporation selected a partner to bring PGP version 9 to the IBM i, POWER Linux, and IBM System z platforms, they selected Townsend Security as their exclusive partner. PGP Corporation’s knowledge of Townsend’s history with PGP on the IBM i and IBM z platforms made Townsend Security the natural choice.


Topics: Compliance, Encryption, PGP

Cross-Platform Standards and Secure File Transfer

Posted by Paul Ohmart on Apr 21, 2011 4:00:00 AM

The modern enterprise runs on a variety of computing platforms. The concept of being "an IBM shop" has gone the way of the buggy whip. With cloud computing and virtual machine technology, you may not even know what your hardware base is. This has caused those seeking to realize the benefits of standardization to shift their focus to the software.

Take, for example, the need for securely transferring files, both within the organization and between trading partners. In the UNIX-Linux-Windows world the de facto standard for secure file transfer is undoubtedly PGP. The technology is mature and it is implemented on every significant OS variant in common use. It is extensively documented and familiar to a very large number of programmers and administrators.

But while the IBM shop may have disappeared, IBM servers have not. The enterprise is often built around mainframes and mid-range servers. And these servers now need to inter-operate with not only desktop PCs, but mobile laptops and cell phones. This makes the ability to settle on a single secure file transfer standard for the entire company more important than ever.

Fortunately PGP has spread to both the mainframe and mid-range platforms; IBM series z and i. And not just in a quirky slapdash port to UNIX emulation environments, but as fully supported native z/OS applications integrated with RACF and controlled via JCL.

With PGP it is possible to have all the advantages of a uniform secure file transfer approach without sacrificing any of the security and scalability of enterprise level platforms.

If you would like to download a free 30-day evaluation of PGP for the IBM i or IBM z, let us know. We'd be happy to show you how easy it is to encrypt with PGP and transfer to your trading partner.

Topics: Secure Managed File Transfer, FTP Manager for IBM i, PGP