Using Communication Support Modules (CSMs) for Password and Data Transmission Encryption

Home | Previous Page | Next Page The Database Server > Security > Encryption >

Using Communication Support Modules (CSMs) for Password and Data Transmission Encryption

You can use communication support modules (CSMs) to enable two different kinds of encryption:

The simple password CSM (SPWDCSM) provides password encryption.
This encryption protects a password when it must be sent between the client and the database server for authentication. SPWDCSM is available on all platforms.
The encryption CSM (ENCCSM) enables you to encrypt data transmissions, including distributed queries, over the network.
This option provides complete data encryption with the openSSL library, with many configurable options. A message authentication code (MAC) is transmitted as part of the encrypted data transmission to ensure data integrity. A MAC is an encrypted message digest.

The encryption algorithms use openSSL 0.9.6 as the code base.

Important:

CSMs have the following restrictions:

You cannot use both kinds of CSM simultaneously. For example, if you are using the SPWDCSM and decide to encrypt your network data, you must remove the entries for the SPWDCSM in your concsm.cfg and sqlhosts files.
You cannot use either simple password CSM or encryption CSM over a multiplexed connection.
Enterprise Replication and High-Availability Data Replication (HDR) support encryption, but cannot use a connection configured with a CSM.
To use network encryption with Enterprise Replication, set the encryption configuration parameters (for more information, see the IBM Informix Dynamic Server Enterprise Replication Guide).
Encrypted connections and unencrypted connections cannot be combined on the same port.

To use encryption, you must do the following:

Add a line to the concsm.cfg configuration file.
The concsm.cfg file must contain an entry for each Communications Support Module (of the same kind) that you are using. See CSM Configuration File below for more information on the concsm.cfg file.
Add an entry to the options column of the sqlhosts file or registry.
For information on specifying the CSM in the sqlhosts file or registry, see Communication Support Module Option.

CSM Configuration File

You must have a concsm.cfg file if you use a communication support module (CSM). An entry in the file is a single line and is limited to 1024 characters. After you describe the CSM in the concsm.cfg file, you can enable it in the options parameter of the sqlhosts file, as described in Communication Support Module Option.

The concsm.cfg file resides in the $INFORMIXDIR/etc directory by default. The default directory for the concsm.cfg file is INFORMIXDIR/etc. If you want to store the file somewhere else, you can override the default location by setting the INFORMIXCONCSMCFG environment variable to the full pathname of the new location. For information on setting the environment variable INFORMIXCONCSMCFG, see the IBM Informix Guide to SQL: Reference.

Entries in the concsm.cfg file must conform to the following restrictions:

The following characters are not allowed to be part of library pathnames:
- = (equal sign)
- " (double quote)
- , (comma)
White spaces cannot be used unless the white spaces are part of a pathname.

Configuring Password Encryption

For password encryption, you must specify password encryption libraries and connection options. To configure password encryption, use the following syntax to add a line to the concsm.cfg file.

>>-csmname--(--"--+-client--=--clientlib--,--server--=--serverlib-+--"--,-->
                  '-csmlib----------------------------------------'
 
>--"--+----------------+--"--,--"--+--------------+--"--)------><
      '-global_options-'           '-conn_options-'

Option	Description
client=clientlib	Specifies the full path and name of the shared library that is the CSM on the client computer. Client computers use this CSM to communicate with the database server. The library provided by Dynamic Server is $INFORMIXDIR\lib\client\csm\libixspw.so
conn_options	The conn_options option has the following options: Setting Result p=1 The password is mandatory for authentication. p=0 The password is not mandatory. If the client provides it, the password is encrypted and used for authentication. An unknown option placed in conn_options results in a context initialization error. You can put a null value in the conn_options field, for example: `""`. For Client SDK before Version 2.3, if the conn_options field is null, the default behavior is `p=1`. For Client SDK, Version 2.3 and later, if the conn_options field is null, the default behavior is `p=0`.
csmlib	The full path and name of the shared library that is the CSM if the CSM is shared by both the database server and the client computers. The library provided by Dynamic Server is $INFORMIXDIR\lib\csm\libixspw.so.
csmname	The name that you assign to the communications support module For example, a name could be SPWDCSM.
global_options	This option is not currently used.
server=serverlib	Specifies the full path and name of the shared library that is the CSM on the database server. The library provided by Dynamic Server is usually installed in the following directories: UNIX: $INFORMIXDIR/lib/csm/libixspw.so Windows: %INFORMIXDIR%/bin/libixspw.so

SMI Tables and concsm.cfg Setting

If you want to build the SMI tables when you bring up the database server (oninit -i), do not specify the p=1 option in the database server CSM entry in the concsm.cfg file. The oninit process does not have a password for the informix or root user ID. If you specify the p=1 option in the concsm.cfg file for the database server, you receive the following error message:

-5013 CSM: cannot obtain credential: 
authentication error.

To specify that the password is mandatory for the database server CSM when the SMI tables are not yet built

Do not specify the p=1 option in the concsm.cfg entry.
Bring up the database server with the oninit -i command to build the SMI tables.
Bring down the database server.
Specify the p=1 option in the database server CSM entry in the concsm.cfg file.
Start the database server again with the oninit command.

Example concsm.cfg Entries for Password Encryption

The following two examples illustrate the two alternatives for parameters you must enter in the concsm.cfg file to define the Simple Password Communication Support Module:

SPWDCSM
("client=/usr/informix/lib/client/csm/libixspw.so,

server=/usr/informix/lib/csm/
libixspw.so", "", "")

SPWDCSM("/usr/informix/lib/csm/
libixspw.so", "", "")

The following example shows the conn_options field set to 0, so no password is necessary:

SPWDCSM("/work/informix/csm/libixspw.so","","p=0")

Configuring Network Data Encryption

For network data encryption, you must specify the network encryption libraries and the encryption options. You can specify the following types of encryption options:

3 DES and AES ciphers to use during encryption
Modes to use during encryption
Message authentication code (MAC) key files
MAC levels
Switch frequency for ciphers and keys

Each of these options are described later in this section.

You can specify encryption options using encryption parameters in a separate file, or using encryption tags in the concsm.cfg file. To configure network encryption, use the following syntax to add one or more lines to the concsm.cfg file.

>>-csmname--(--"--+-client--=--clientlib--,--server--=--serverlib-+--"--,-->
                  '-csmlib----------------------------------------'
 
>--"--+------------------------------------------------------------+--"--)-><
      +-config--=--encrypt_config----------------------------------+
      |                (1)               (2)                  (3)  |
      '-| Cipher Tag |-------| Mac Tag |-------| Switch Tag |------'

Notes:

Option	Description
client=clientlib	The full path and name of the shared library that is the CSM on the client computer. Client computers use this CSM to communicate with the database server. The library provided by Dynamic Server is $INFORMIXDIR/lib/client/csm/iencs10a.so.
config=encrypt_config	The full path and filename of the file in which the encryption parameters are defined. If the file does not exist, then the default values are used. No error is returned. For more information on using encryption parameters, see Using Encryption Parameters.
csmlib	The full path and name of the shared library that is the CSM if the CSM is shared by both the database server and the client computers. The library provided by Dynamic Server is $INFORMIXDIR/lib/csm/iencs10a.so.
csmname	The name that you assign to the communications support module. For example, a name could be SPWDCSM.
server=serverlib	The full path and name of the shared library that is the CSM on the database server. The library provided by Dynamic Server is usually installed in the following directories: UNIX: $INFORMIXDIR/lib/csm/libixspw.so Windows: %INFORMIXDIR%\bin\iencs10a.so

Ciphers and Modes

You must specify which ciphers and mode to use during encryption. The cipher and mode that is used is randomly chosen among the ciphers that are common between the two servers. Make sure that all servers and client computers that participate in encrypted communication have ciphers and modes in common. Encryption is more secure if you include more ciphers and modes that the database server can switch between. For information on how to switch between ciphers, see Switch Frequency.

Important:

It is strongly recommended that you do not specify specific ciphers. For security reasons, all ciphers should be allowed. If a cipher is discovered to have a weakness, you can exclude it.

Use the allbut option to list ciphers and modes to exclude. Enclose the allbut list in angled brackets (<>). The list can include unique, abbreviated entries. For example, bf can represent bf1, bf2, and bf3. However, if the abbreviation is the name of an actual cipher, then only that cipher is eliminated. Therefore, des eliminates only the DES cipher, but de eliminates des, ede, and desx.

The following des, ede, and desx ciphers are supported.

Cipher	Explanation	Blowfish Cipher	Explanation
des	DES (64-bit key)	bf1	Blowfish (64-bit key)
ede	Triple DES	bf2	Blowfish (128-bit key)
desx	Extended DES (128-bit key)	bf3	Blowfish (192-bit key)

Warning:

The cipher desx can only be used in cbc mode.

3The following AES-encryption ciphers are supported.

3 33333333333333333333333333

Cipher	Explanation
aes	AES (128-bit key)
aes128	AES (128-bit key)
aes192	AES (192-bit key)
aes256	AES (256-bit key)

The following modes are supported.

Mode	Explanation
ecb	Electronic Code Book
cbc	Cipher Block Chaining
cfb	Cipher Feedback
ofb	Output Feedback

Because ecb mode is considered weak; it is only included if specifically requested. It is not included in the all or the allbut list.

MAC Key Files

The MAC key files contain encryption keys that are used to encrypt messages. All database servers and client computers that participate in encryption should have MAC key files in common. For information on how to switch between MAC keys, see Switch Frequency.

The default MAC key file is the built-in file provided by Dynamic Server. This file provides limited message verification (some validation of the received message and determination that it appears to have come from an IBM Informix Dynamic Server client or server). A site-generated MAC key file performs the strongest verification. You can generate key files with the GenMacKey utility.

Each of the MAC key files is prioritized and negotiated at connect time. The prioritization for the MAC key files is based on their creation time by the GenMacKey utility. The built-in key file has the lowest priority.

Tip:

If there are no MAC key files present, the built-in MAC key is used by default. However, by using a MAC key file, the default built-in MAC key is disabled.

To generate a new MAC key file

Execute the following command from the command line:
GenMacKey –o filename

The filename is the path and filename of the new MAC key file.
Update the central server's configuration to include the location of the new MAC key file in one of the following ways:
- Using encryption tags: Edit the relevant line in the concsm.cfg file to add a path and filename to the mac tag. For instructions, see The Mac Tag.
- Using encryption parameters: Edit the encryption parameters file to alter the value of the ENCCSM_MACFILES parameter. For instructions, see ENCCSM_MACFILES.
If necessary, remove old MAC key file entries from the configuration.
Distribute the new MAC key file among all appropriate computers.

MAC Levels

MAC levels determine the type of MAC key generation.

The supported generation levels are:

high. Uses SHA1 MAC generation on all messages.
medium. Uses SHA1 MAC generation for all messages greater than 20 bytes long and XOR folding on smaller messages.
low. Uses XOR folding on all messages.
off. Does not use MAC generation.

The level is prioritized to the highest value. For example, if one database server has a level of high and medium enabled and the other database server has only low enabled, then the connection attempt will fail. The off entry should only be used between servers when it is guaranteed that there is a secure network connection.

Make sure that all servers and client computers that participated in encrypted communication have MAC levels in common.

Switch Frequency

The switch frequency defines when ciphers and or secret keys are renegotiated. The longer that the secret key and encryption cipher remain in use, the more likely that the encryption rules might be broken by an attacker. To avoid this, cryptologists recommend periodically changing the secret key and cipher on long-term connections. The default time that this renegotiation occurs is once an hour. By using switch options, you can set the time in minutes when the renegotiation occurs.

Using Encryption Parameters

You can configure encryption options by setting encryption parameters in a file. In the encryption parameters file, each option has the following form:

parameter_name value

Use the following parameters to set encryption options:

ENCCSM_CIPHERS: Ciphers to be used
ENCCSM_MAC: MAC levels
ENCCSM_MACFILES: MAC file locations
ENCCSM_SWITCH: Cipher and key change frequency

Each of these parameters is described later in this section.

The following restrictions apply to the parameter values:

Each entry should be of the form parameter_name value separated by white spaces.
No white spaces are allowed within a value.
Each parameter should have one entry in the configuration file. If multiple entries exist, only first entry is considered.
Default values are used if a parameter does not exist in the configuration file.
Characters after a comment character (#) are ignored; however, the pathname value is not ignored.

ENCCSM_CIPHERS

syntax ENCCSM_CIPHERS

all|allbut:<list of ciphers and 
modes>|cipher:mode{,cipher:mode ...}

all
Specifies to include all available ciphers and modes, except ECB mode. For example: ENCCSM_CIPHERS all
allbut:<list of ciphers and modes>
Specifies to include all ciphers and modes except the ones in the list. Separate ciphers or modes with a comma. For example: ENCCSM_CIPHERS allbut:<cbc,bf>
cipher:mode
Specifies the ciphers and modes. Separate cipher-mode pairs with a comma. For example: ENCCSM_CIPHERS des3:cbc,des3:ofb

default value allbut:<ecb>

The ENCCSM_CIPHERS parameter specifies the ciphers and modes to use during encryption. For more information on ciphers and mode, see Ciphers and Modes.

ENCCSM_MAC

default value

medium

range of values

One or more of the following options, separated by commas:

off does not use MAC generation.
low uses XOR folding on all messages.
medium uses SHA1 MAC generation for all messages greater than 20 bytes long and XOR folding on smaller messages.
high uses SHA1 MAC generation on all messages.

For example: ENCCSM_MAC medium,high

The ENCCSM_MAC parameter specifies the MAC level to use. For more information on MAC levels, see MAC Levels.

ENCCSM_MACFILES

default value: builtin
units: pathnames, up to 1536 bytes in length
range of values: One or more full path and filenames separated by commas, and the optional builtin keyword. For example: ENCCSM_MACFILES /usr/local/bin/mac1.dat,/usr/local/bin/mac2.dat,builtin

The ENCCSM_MACFILES parameter specifies the MAC key files to use. For more information, see MAC Key Files.

ENCCSM_SWITCH

syntax ENCCSM_SWITCH cipher_switch_time,key_switch_time

cipher_switch_time specifies the minutes between cipher renegotiation
key_switch_time specifies the minutes between secret key renegotiation

default value

60,60

units

minutes

range of values

positive integers

The ENCCSM_SWITCH parameter defines the number of minutes between cipher and key renegotiation. For more information, see Switch Frequency.

Example of Encryption Parameter File

The following example shows an encryption parameter file:

ENCCSM_CIPHERS         all
ENCCSM_SWITCH          120,60
ENCCSM_MAC             medium
ENCCSM_MACFILE         /usr/informix/etc/MacKey.dat

The following example illustrates a line in the concsm.cfg file to specify encryption with a parameter file:

ENCCSM("usr/informix/lib/cms/iencs10a.so",
"config=/usr/lib/encrypt.txt")

Using Encryption Tags

You can use encryption tags to specify encryption options in the concsm.cfg file.

The Cipher Tag

The cipher tag can include the cipher options shown in the following syntax diagram.

>>-cipher--[--+-all-----------------------+--]-----------------><
              |             .-,------.    |
              |             V        |    |
              +-allbut:--<----cipher-+-->-+
              | .-,-----------.           |
              | V             |           |
              '---cipher:mode-+-----------'

Cipher Option	Description
all	Specifies to include all available ciphers and all available modes, except ECB mode. There is no value list. For example: cipher[all],...
allbut:<list of ciphers to exclude>	Specifies to include all ciphers except the ones in the list. For more information, see Ciphers and Modes. For example: cipher[allbut:<ecb,des>],... cipher[allbut:<cbc,bf>]
cipher:mode	Specifies one or more cipher and mode. For example: cipher[des:cbc,des:ofb]

Cipher Option

Description

all

Specifies to include all available ciphers and all available modes, except ECB mode. There is no value list. For example:

cipher[all],...

allbut:<list of ciphers to exclude>

Specifies to include all ciphers except the ones in the list.

For more information, see Ciphers and Modes.

For example:

cipher[allbut:<ecb,des>],...

cipher[allbut:<cbc,bf>]

cipher:mode

Specifies one or more cipher and mode. For example:

cipher[des:cbc,des:ofb]

The default value for the cipher field is:

cipher[allbut:<ecb>]

For more information on ciphers and modes, see Ciphers and Modes.

The Mac Tag

The mac tag defines the MAC key files and the level of MAC generation to be used during the MAC generation.

The mac tag can include the MAC options shown in the following syntax diagram.

>>-mac--[--+---------------------------+------------------------>
           '-levels:--<--+-high---+-->-'
                         +-medium-+
                         +-low----+
                         '-off----'
 
>--files:--<--+-path--,--builtin-+-->--]-----------------------><
              '-builtin----------'

Mac Option	Description
levels	Specifies a comma-separated list of MAC generation levels that the connection supports. For more information, see MAC Levels.
files	Specifies a comma-separated list of the full path names of MAC key files. For more information, see MAC Key Files. For example: mac[levels:<high,low>,files: </usr/local/bin/mac1.dat, /usr/local/bin/mac2.dat,builtin>]

Mac Option

Description

levels

Specifies a comma-separated list of MAC generation levels that the connection supports.

For more information, see MAC Levels.

files

Specifies a comma-separated list of the full path names of MAC key files.

For more information, see MAC Key Files.

For example:

mac[levels:<high,low>,files:
</usr/local/bin/mac1.dat,
/usr/local/bin/mac2.dat,builtin>]

The Switch Tag

The switch tag defines the frequency at which ciphers and or secret keys are renegotiated.

The switch tag can include the switch options shown in the following syntax diagram.

>>-switch--[--+------------------------------------+--]--------><
              +-cipher:--minutes-------------------+
              +-key:--minutes----------------------+
              '-cipher:--minutes--,--key:--minutes-'

Switch Option	Description
cipher:minutes	Specifies the time in minutes between cipher renegotiation.
key:minutes	Specifies the time in minutes between secret key renegotiation. For example: switch[cipher:120,key:20]

Switch Option

Description

cipher:minutes

Specifies the time in minutes between cipher renegotiation.

key:minutes

Specifies the time in minutes between secret key renegotiation.

For example:

switch[cipher:120,key:20]

For more information on switching ciphers and modes, see Switch Frequency.

Examples Using Encryption Tags

The following two examples illustrate alternatives for tags you enter in the concsm.cfg file to define the encryption CSM. For example:

ENCCSM("$INFORMIXDIR/lib/csm/iencs10a.so",
 "cipher[allbut:<ecb,bf>]")

This configuration string states to use all available ciphers except for any of the blowfish ciphers, and to not use any cipher in ECB mode.

Another example:

ENCCSM("/$INFORMIXDIR/lib/csm/iencs10a.so",
"cipher[des:cbc,ede:ofb,desx:cbc],switch[cipher:120,key:15]")

This configuration string states to use the DES/CBC-mode, EDE/OFB-mode, and DESX/CBC-mode ciphers for this connection and also to switch the cipher being used every 120 minutes and renegotiate the secret key every 15 minutes.