Field Level Encryption

How it works.

Non displayable fields, like password fields, can be encrypted by the browser before being transmitted and decrypted by the application. Virtel encryption works at a specific field level within a template subpage. For example a userid field and non-displayable password field. This is the sequence of events:-

#. The browser user clicks on a VIRTEL URL to request connection to a host application

VIRTEL generates a random temporary public/private key pair

#. VIRTEL sends to the browser an HTML signon form together with the public key

#. The user enters the userid and password into the form (the password is a non-display field)

#. The browser encrypts the userid and password before sending the form to VIRTEL

VIRTEL uses the private key to decrypt the userid and password
VIRTEL signs on to the application with the clear userid and password
The session continues as a regular unencrypted HTTP session

In this way the userid and password are encrypted when they travel across the network, and they only appear in the clear on the internal LU2 connection between VIRTEL and the application.

Field level encryption is controlled through either the CRYPT1 and CRYPT2 keywords in the TCT. See the Virtel Installation guide for a full explanation of the CRYPT parameters. In this newsletter we look at the template WEB2AJAX which uses the TCT CRYPTn parameter with the name CRYPT3270. Specifying no CRYPTn keywords will mean that ND fields will be visible as clear text between the browser and application. A null CRYPTn parameter can be set up which converts the fields to a hex string. See below:-

A line trace using no CRYPTn parameters:-

Without any encryption the field will be clear text as shown in the following example where the password is clearly visible:-

*POST /w2h/WEB2SUB.HTML++VirtelSe*
*ssion=AD1ctgAAAAQevFSI HTTP/1.1.*
*.Host: 192.168.92.161:41001..Ori*
*gin: http://192.168.92.160..X-Vi*
*rtel-Request-Id: 2 ENTER 11:10:0*
*1..User-Agent: Mozilla/5.0 (Wind*
*ows NT 6.1; WOW64) AppleWebKit/5*
*37.36 (KHTML, like Gecko) Chrome*
*/48.0.2564.116 Safari/537.36..Co*
*ntent-type: application/x-www-fo*
*rm-urlencoded..Accept: */*..DNT:*
*.1..Referer: http://192.168.92.1*
*60/w2h/WEB2AJAX.htm+Tso..Accept-*
*Encoding: gzip, deflate..Accept-*
*Language: en-GB,en-US;q=0.8,en;q*
*=0.6..Cookie: ROUTEID=.1; SYSLAN*
*G=en; SYSSTYL=BLUE; SYSPAGE=auto*
*..X-Forwarded-For: 192.168.92.62*
*..X-Forwarded-Host: 192.168.92.1*
*60..X-Forwarded-Server: zagreb.s*
*yspertec.com..Connection: Keep-A*
*live..Content-Length: 67....pf=E*
*NTER&cursorField=V000024B&focusF*
*ield=V0000243\&V0000243=PASSWORD*   < ND Field shown in clear >

A line trace with a null CRYPTn

Using the following null CRYPTn parameter in the TCT we can see that the ND field is displayed as a hex string. Not fool proof but better than clear text. The non displayable field (V0000243) is shown as a hex string as in the following line trace:-

*POST /w2h/WEB2SUB.HTML++VirtelSe*
*ssion=ADzf4wAAAAQevFSI HTTP/1.1.*
*.Host: 192.168.92.161:41001..Con*
*nection: keep-alive..Content-Len*
*gth: 75..Origin: http://192.168.*
*92.161:41001..X-Virtel-Request-I*
*d: 2 ENTER 11:04:44..User-Agent:*
*Mozilla/5.0 (Windows NT 6.1; WO*
*W64) AppleWebKit/537.36 (KHTML, *
*like Gecko) Chrome/48.0.2564.116*
*Safari/537.36..Content-type: ap*
*plication/x-www-form-urlencoded.*
*.Accept: */*..DNT: 1..Referer: h*
*ttp://192.168.92.161:41001/w2h/W*
*EB2AJAX.htm+Tso..Accept-Encoding*
*: gzip, deflate..Accept-Language*
*: en-GB,en-US;q=0.8,en;q=0.6..Co*
*okie: SYSLANG=en; SYSSTYL=BLUE; *
*SYSPAGE=auto....pf=ENTER&cursorF*
*ield=V000024B&focusField=V000024*
*3\&V0000243=50414153574F5244    *   < ND Field shown as hex string >

With ICSF

With ICSF facility, Virtel can use the ICSF API to obtain the private and public keys and use those to encrypt / decrypt the fields. The following is an example of the CRPYTn parameter that uses ICSF:-

CRYPT1=(CRYPT3270,3TDEA,RSA-1024,ICSF,HEX)

When we start up Virtel we can see that Virtel has connected to ICSF through the API.

VIR0024I STARTING CRYPT1
VIRCA11W CRY1 INITIALISING CRYPTOGRAPHY WITH PARAMETERS:
'CRYPT3270','3TDEA','RSA-1024','ICSF','HEX','CBC','PKCS7'
+VIRCT12W CRY1 'ICSF' SUBTASK STARTED
+VIRCT10I ICSFSTAT : FMID=HCR7780 STATUS1=3 STATUS2=1 CPACF=7 AES=3 DSA=0 RSA1=3 RSA2=3 RSA3=2 ACC=1
+VIRCT10I ICSFST2 : VERSION=1 FMID=HCR7780 STATUS1=1 STATUS2=0 STATUS3=1 STATUS4=1
+VIRCT10I STATAES : NMK-STATUS=1 CMK-STATUS=1 OMK-STATUS=1 CCA-APP-VERS=256 CCA-APP-BUILD= USER-ROLE=
+VIRCT10I STATCARD : ADAPTERS=2 DES=0 RSA=0 POST=138 143 CP-OS=Linux VERS=2.4.18.0 PART=41U0441 EC=0J99635 BOOT=89 89
+VIRCT10I STATDIAG : BATTERY=1 INTRUSION=1 ERROR-LOG=1 MESH=1 LOW-VOLT=1 HIGH-VOLT=1 TEMPERATURE=1 RADIATION=1
+VIRCT10I STATEXPT : CCA=1 CMDF=0 56-bit-DES=1 Triple-DES=1 SET=1 MAX-SYMMETRIC-MODULUS=4096

In the line trace we can see that the field has been encrypted:-

*POST /w2h/WEB2SUB.HTML++VirtelSe*
*ssion=AELoKQAAAAQevHSI HTTP/1.1.*
*.Host: 192.168.92.161:41001..Ori*
*gin: http://192.168.92.160..X-Vi*
*rtel-Request-Id: 2 ENTER 12:10:3*
*5..User-Agent: Mozilla/5.0 (Wind*
*ows NT 6.1; WOW64) AppleWebKit/5*
*37.36 (KHTML, like Gecko) Chrome*
*/48.0.2564.116 Safari/537.36..Co*
*ntent-type: application/x-www-fo*
*rm-urlencoded..Accept: */*..DNT:*
*1..Referer: http://192.168.92.1 *
*60/w2h/WEB2AJAX.htm+Tso..Accept-*
*Encoding: gzip, deflate..Accept-*
*Language: en-GB,en-US;q=0.8,en;q*
*=0.6..Cookie: ROUTEID=.1; SYSLAN*
*G=en; SYSSTYL=BLUE; SYSPAGE=auto*
*..X-Forwarded-For: 192.168.92.62*
*..X-Forwarded-Host: 192.168.92.1*
*60..X-Forwarded-Server: zagreb.s*
*yspertec.com..Connection: Keep-A*
*live..Content-Length: 75....pf=E*
*NTER&cursorField=V0000249&focusF*
*ield=V0000243&V0000243=d2bd6296a*
*e48f9f8                      ** *   < ND Field encypted with public key >

Designing templates to use Encryption

Virtels encryption works at a field level within a template. As an example if we take a look at WEB2AJAX.HTML we can see how the relevant cryptographic parameters are acquired and used within the context of a template and fields within a subpage.

In the <body> tag the ICSF parameters are obtained and inserted by VIRTEL prior to serving the page to the browser:-

<body class="{{{CURRENT-VALUE-OF "$$APP"}}}"
onload="js01onload();pageSetup();
initWEB2AJAX([
'{{{PUBLIC-KEY (EXPONENT) "CRYPT3270"}}}',
'{{{PUBLIC-KEY (MODULUS) "CRYPT3270"}}}',
{{{ENCRYPTION-PARAMETERS "CRYPT3270"}}}
] );">

With the <form> which effectively represents the 3270 response through an HTTP POST we can see that how specific fields, non-displayable in our case, are identified as candidates for encryption.

<div id="virsubpage">
<form name="virtelForm" action="{{{VIRPLEX-CODE}}}WEB2SUB.html++{{{AJAX-SESSION-CODE}}}" method="post">
        {{{ DEFINE-HTML-PFKEY "pf" }}}<input name="pf" type="HIDDEN" value="ENTER">
        {{{DECLARE-FIELD-AS (CRYPTO-SESSION-KEY) "SESSKEY"}}}<input name="SESSKEY" type="HIDDEN">
</form>
</div>

The module vircrypt.js will perform the encryption on the fields within the subpage using the supplied public key.