EDJCrypt

EDJCrypt™ is an enhanced encryption utility set for IBM 4690 sales applications. This utility set assists retailers in protecting customer account numbers and other data appearing in transaction logs, electronic journals and other temporary files that exist on the IBM 4690 store controller.

EDJCrypt™ contains a set of 4690 "CBasic" and "C" routines that encrypt and decrypt data and encode encrypted data in a printable format. This flexibility allows clear text, as well as binary data, to be encrypted and stored in an ordinary text file. The routines are available for use in the register, the controller and on Windows platforms.


How Does EDJCrypt™ Work?
  • EDJCrypt™ provides a function call that takes a key and data supplied by the retailer and returns a two-part string. The first part is an identifier that describes the encryption characteristics of the data. This would include encryption type, length, initialization vector, etc. The second part of the string is the encrypted data, encoded so that it is available in a printable format.
  • The retailer will integrate the routines into their terminal user exit code or into controller applications as needed to protect customer account data. Through the use of function calls, the retailer will pass information to the routine and receive encrypted information back to be passed to the appropriate destination.

Electronic Journal
  • EDJCrypt™ has three basic steps for the encryption process. These steps are typically done internally. The first is the encryption routine that uses an algorithm (AES, Blowfish, or Triple DES) for data protection and generates a KeyID. The user picks the algorithm, supplies the private key, the initialization vector (optional), the transformation form and the data string. The second step takes the output of the first step and encodes it using a Base64 algorithm to make the data printable. The third step takes the data string and creates a "block" of data for use on the electronic journal. The format of the "block" of data allows other programs, such as EDJ's ESCAPE™ application, to recognize and process the data in the normal course of business. An example of the output follows.

    Sample data block in electronic journal file:

    [-- BINARY
    {Desc=Account Number}
    {Crypt=Blowfish/CBC/PKCS5Padding}
    {KeyID=8A2B94CD}{IV=00000012}
    {Code=Base64}{Length=56}{Break=38}
    (qIjKL759e34zJS6xIwQ2yamlOwHXRy8rvBC+0
    oVf21dsmC137ZdQQA==) --]
  • On the Windows platform, the "C" routines provide the same functionality. The module referenced above that performs the encryption and encoding will also perform the decoding and decryption of any data submitted to them.
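
The journal "block" format shown above can be parsed and sanity-checked without any key, which is useful when auditing journals for malformed or truncated entries. The following Python is an added example, not EDJ's code. It assumes that Length counts Base64 characters (as it does in the page's sample) and that an AES block would carry the label "AES"; the Break field is parsed but not interpreted.

```python
import base64
import re

# Sample block copied from the page's electronic journal example.
SAMPLE = """[-- BINARY
{Desc=Account Number}
{Crypt=Blowfish/CBC/PKCS5Padding}
{KeyID=8A2B94CD}{IV=00000012}
{Code=Base64}{Length=56}{Break=38}
(qIjKL759e34zJS6xIwQ2yamlOwHXRy8rvBC+0
oVf21dsmC137ZdQQA==) --]"""

BLOCK_RE = re.compile(r"\[-- BINARY(.*?)--\]", re.S)
FIELD_RE = re.compile(r"\{(\w+)=([^}]*)\}")
# Cipher block sizes in bytes; only "Blowfish" is on the page, "AES" is assumed.
BLOCK_BYTES = {"AES": 16, "Blowfish": 8}


def parse_blocks(journal_text):
    """Return one dict of header fields plus 'encoded' per block found."""
    blocks = []
    for match in BLOCK_RE.finditer(journal_text):
        body = match.group(1)
        fields = dict(FIELD_RE.findall(body))
        tail = body[body.rfind("}") + 1:]  # payload follows the last field
        start, end = tail.find("("), tail.rfind(")")
        if start < 0 or end < start:
            raise ValueError("block has no (payload)")
        fields["encoded"] = "".join(tail[start + 1:end].split())  # unwrap lines
        blocks.append(fields)
    return blocks


def check_block(fields):
    """Return a list of problems; an empty list means the block is consistent."""
    if fields.get("Code") != "Base64":
        return ["unsupported Code=%r" % fields.get("Code")]
    problems = []
    encoded = fields["encoded"]
    # Assumption: Length counts Base64 characters (true of the page's sample).
    if fields.get("Length", "").isdigit() and int(fields["Length"]) != len(encoded):
        problems.append("Length field does not match encoded text")
    try:
        raw = base64.b64decode(encoded, validate=True)
    except ValueError:
        return problems + ["payload is not valid Base64"]
    size = BLOCK_BYTES.get(fields.get("Crypt", "").split("/")[0])
    if size and len(raw) % size:
        problems.append("ciphertext is not a whole number of cipher blocks")
    return problems
```

The KeyID field returned by `parse_blocks` tells an auditor which key a block depends on, so journals can be inventoried by key before a key is retired.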

ESCAPE™ Modifications
  • EDJ has modified its ESCAPE™ application on the Windows platform to provide the ability to handle the "blocks" of encrypted data. In the current level of the Windows platform ESCAPE™ V3.3, there is a "decrypt" feature that needs to be installed. The presence of this feature means that the user has permission to see account numbers.
  • ESCAPE™ users needing to decrypt account numbers will also need the current key on their system in order for decryption to be successful. Users who supply an account number for a search of the electronic journals will receive the transaction report in the usual fashion with candidate transactions being listed in the journal roll format. The encrypted account numbers on the journals would remain in the encrypted state. The user would use the "double-click" method to decrypt a number in the electronic journal and to display it in an adjacent window pane.
  • In the browser environment, EDJ's EDJCommon module provides a secured logon capability to access the web browser version of the ESCAPE™ application. This means that users who need to decrypt data in the electronic journals will need to have permission access granted by the system administrator to be able to do so. The advantage of the browser version of ESCAPE™ is that the software resides in one location and does not have to be distributed to multiple machines.

Key Management
  • A manual, symmetric key solution is used. A key generator will create an appropriate key that will be used to encrypt and decrypt the data. Each key will need to be recorded and protected from compromise. Encryption and decryption of data will use only one private key. The key will be distributed only to those authorized to do the encryption or decryption of data using that key.
  • For the encryption, the KeyAgent 4690 background task will issue keys to the terminal source that utilizes the EDJCrypt™ module. The encrypted data will identify the proper key. To decrypt the data, the proper key must be available to the ESCAPE™ application; otherwise no attempt to decrypt the data will be made. ESCAPE™ will store the encrypted key set on the Windows machine using a key encryption key (KEK).
  • The key manager application should reside in one protected location. The keys should be backed up and stored in a safe location. The key manager will be responsible for creating, storing, protecting, packaging and destroying the keys. Keys that are created will be stored encrypted by a KEK. The KEK will be stored along with the key set backup. Each key set backup must have an accompanying KEK.