HELPLIB.HLB  —  ENCRYPT  /AUTHENTICATE
    Associates a DES(default) or AES algorithm Message Authenticate
    Code (MAC) value with one or more files and checks for any
    modification of either plain text or cipher text files. Use the
    additional /UPDATE qualifier to store each file's MAC in the
    databases. Use only the /AUTHENTICATE qualifier to subsequently
    test the integrity of the file's data and security attributes.
    You must create a DES or AES key prior to updating or checking an
    existing MAC. When using the AES algorithm, you must specify the
    /AES qualifier. You can use AES algorithm only with respective AES
    key and the DES algorithm only with DES key. For more information
    about creating DES or AES key and the minimum key length required
    for different algorithms, see ENCRYPT /CREATE_KEY help.

    Format for the ENCRYPT /AUTHENTICATE Command

      ENCRYPT /AUTHENTICATE  file-spec key-name [qualifiers]

1  –  Parameters

 file-spec

    File names of the files to authenticate. Behavior can be modified
    with the /MULTIPLE_FILES qualifier.

 key-name

    Key name previously stored in the key storage table with the
    ENCRYPT /CREATE_KEY command.

2  –  Qualifiers

2.1    /AES

       /AES=keyword

    Specifies that you must use AES algorithm. If this qualifier is
    not specified, the DES algorithm is used by default. You can use
    the following keywords with the /AES qualifier:

    Keyword           Description
    AES128(default)   Indicates that 128 bits AES key value is used.
                      The MAC value generated in this mode is of
                      size 128 bits.
    AES192            Indicates that 192 bits AES key value is used.
                      The MAC value generated in this mode is of
                      size 192 bits.
    AES256            Indicates that 256 bits AES key value is used.
                      The MAC value generated in this mode is of
                      size 256 bits.

2.2    /BACKUP

       /BACKUP[=time]

    Selects files according to the dates of their most recent backup.

    This qualifier is relevant only when used with the /BEFORE or the
    /SINCE qualifier. In addition, do not use /BACKUP with /EXPIRED
    or /MODIFIED.

    If you omit time, TODAY is used. For more information on time
    specifications, see the OpenVMS User's Manual.

2.3    /BEFORE

       /BEFORE=time

    Selects files that have a creation time before the time you
    specify.

    If you omit time, TODAY is used. For more information on time
    specifications, see the OpenVMS User's Manual.

2.4    /BY_OWNER

       /BY_OWNER[=uic]
       /NOBY_OWNER

    Selects files with the owner UIC you specify.

    If you omit uic, the UIC of the current process is used. For
    more information on specifying UIC format, see the OpenVMS User's
    Manual.

2.5    /CONFIRM

       /CONFIRM
       /NOCONFIRM

    Controls whether or not a confirmation request is displayed
    before each authentication, as follows:

    Response         Meaning

    YES              Authenticates the file
    NO or <Return>   Does not authenticate the file (default)
    QUIT or          Does not authenticate the file or any subsequent
    <Ctrl/Z>         files
    ALL              Encrypts the file plus all subsequent files

2.6    /DATABASE

       /DATABASE=file-spec
       /NODATABASE

    File name of the file in which to store binary MAC values.

    Generates a MAC using the file contents. If you do not specify a
    file name, the file name SYS$LOGIN:ENCRYPT$MAC.DAT is used.

2.7    /EXCLUDE

       /EXCLUDE=file-spec
       /NOEXCLUDE

    Excludes the specified files from the authentication operation.
    You can use wildcard characters. You do not need to enter an
    entire file specification. Any field that you omit defaults to
    the input file specification.

    Because directory files are never encrypted, you need not specify
    them.

2.8    /EXPIRED

       /EXPIRED[=time]

    Selects files according to the dates on which they expire.

    This qualifier is relevant only when used with the /BEFORE or the
    /SINCE qualifier. In addition, do not use /EXPIRED with /BACKUP
    or /MODIFIED.

    If you omit a time value, TODAY is used. For more information on
    time specifications, see the OpenVMS User's Manual.

2.9    /LOG

    Displays the results of the authentication operation.

2.10    /MODIFIED

       /MODIFIED[=time]

    Selects files according to the dates on which they were last
    modified.

    This qualifier is relevant only when used with the /BEFORE or the
    /SINCE qualifier. In addition, do not use /MODIFIED with /BACKUP
    or /EXPIRED.

    If you omit a time value, TODAY is used. For more information on
    time specifications, see the OpenVMS User's Manual.

2.11    /MULTIPLE_FILES

    Indicates that the file-spec parameter contains a list of file
    names to be checked. The file-spec file is opened and each record
    is read and treated as a file-spec.

2.12    /OUTPUT

       /OUTPUT=file-spec
       /NOOUTPUT

    File name of the file in which to store readable MAC values.
    These MAC values represent both the file contents as well as the
    security settings. If you do not specify a file name, the default
    file name SYS$LOGIN:ENCRYPT$MAC.LIS is used.

2.13    /SECURITY

       /SECURITY=file-spec
       /NOSECURITY

    File name of the file in which to store binary MAC values. If you
    do not specify a file name, the default file name ENCRYPT$SEC.DAT
    is used.

    Generates a MAC using the file's security settings: owner,
    protection settings, and optional ACL.

2.14    /SINCE

       /SINCE[=time]

    Selects files that have a creation time before the time you
    specify.

    If you omit time, TODAY is used. For more information on time
    specifications, see the OpenVMS User's Manual.

2.15    /UPDATE

       /UPDATE
       /NOUPDATE

    Associates new MAC values with one or more files.

3  –  Example

  $ ENCRYPT /AUTHENTICATE NEWFILE HAMLET/CONFIRM

      Associates a MAC with the file NEWFILE using the key HAMLET.
      This command also displays a confirmation request before each
      authentication.

  $ ENCRYPT/AUTHENTICATE/UPDATE *.* MYKEY
  %ENCRYPT-NEWDB, new authentication code database has been created
  %ENCRYPT-NEWSECDB, new authentication security settings database has been created
  %ENCRYPT-I-SUMMARY1, Summary:  Files successfully authenticated: 0
  %ENCRYPT-I-SUMMARY2,     Files failing authentication: 0
  %ENCRYPT-I-SUMMARY3,     Files not in database: 73
  %ENCRYPT-I-SECSUMM1, Summary:  Security settings authenticated: 0
  %ENCRYPT-I-SECSUMM2,     Security settings failing authentication: 0
  %ENCRYPT-I-SECSUMM3,     Security settings not in database: 73

      This example creates a MAC for each file in the current
      directory using the key named MYKEY, storing them in the two
      databases: SYS$LOGIN:ENCRYPT$MAC.DAT and ENCRYPT$SEC_MAC.DAT.

  $ ENCRYPT /AUTHENTICATE *.* MYKEY
  %ENCRYPT-I-NOUPDATE, database will not be updated with new authentication codes
  %ENCRYPT-I-SUMMARY1, Summary:   Files successfully authenticated: 73
  %ENCRYPT-I-SUMMARY2,     Files failing authentication: 0
  %ENCRYPT-I-SUMMARY3,     Files not in database: 0
  %ENCRYPT-I-SECSUMM1, Summary:   Security settings authenticated: 73
  %ENCRYPT-I-SECSUMM2,     Security settings failing authentication: 0
  %ENCRYPT-I-SECSUMM3,     Security settings not in database: 0

      This example authenticates the same files as in Example 3
      by creating a new MAC and comparing that with those in each
      database, testing file data integrity and security attributes
      as indicated in the summary.

  $ ENCRYPT/CREATE_KEY/AES MY_AES_KEY32 -
  _$ "Sample Key length greater than > 32"
  $ ENCRYPT/AUTHENTICATE FILE.TXT MY_AES_KEY32 /AES=AES256 /UPDATE
  %ENCRYPT-I-NEWDB, new authentication code database has been created
  %ENCRYPT-I-NEWSECDB, new authentication security settings database has been created
  %ENCRYPT-I-SUMMARY1, Summary:   Files successfully authenticated: 0
  %ENCRYPT-I-SUMMARY2,            Files failing authentication: 0
  %ENCRYPT-I-SUMMARY3,            Files not in database: 1
  %ENCRYPT-I-SECSUMM1, Summary:   Security settings authenticated: 0
  %ENCRYPT-I-SECSUMM2,            Security settings failing authentication: 0
  %ENCRYPT-I-SECSUMM3,            Security settings not in database: 1

      This example creates new 256 bits AES key. This new key is used with
      the /AES qualifier to create new MAC database and update it with
      a 256 bits MAC value of FILE.TXT file.
Close Help