Security Concepts

Cryptography is the science of keeping messages private. A cryptographic system uses encryption keys between two trusted communication partners. These keys encrypt and decrypt information so that the information is known only to those who have the keys.

There are two kinds of cryptographic systems: symmetric-key and asymmetric-key. Symmetric-key (or secret-key) systems use the same secret key to encrypt and decrypt a message. Asymmetric-key (or public-key) systems use one key (public) to encrypt a message and a different key (private) to decrypt it. Symmetric-key systems are simpler and faster, but two parties must somehow exchange the key in a secure way because if the secret key is discovered by outside parties, security is compromised. Asymmetric-key systems, commonly known as public-key systems, avoid this problem because the public key may be freely distributed, but the private key is never transmitted.

Cryptography provides information security as follows:

  • Authentication verifies that the entity on the other end of a communications link is the intended recipient of a transmission.
  • Non-repudiation provides undeniable proof of origin of transmitted data.
  • Data integrity ensures that information is not altered during transmission.
  • Data confidentiality ensures that data remains private during transmission.

Connect:Direct® Secure Plus enables you to implement multiple layers of security. Select from two security protocols to secure data during electronic transmission: Transport Layer Security (TLS) or Secure Sockets Layer protocol (SSL). Depending on the security needs of your environment, you can also validate certificates using the IBM® External Authentication Server application.

  • TLS implies versions TLS1.0, TLS1.1, TLS1.2, and TLS1.3
  • SSL implies version SSL3.0
  • SSL, TLS1.0 and TLS1.1 will be removed in a future release.

IBM Connect:Direct also allows you to implement security and encryption as appropriate for your environment. For example, if your company has a universal policy you want to enforce, elect to encrypt all files at all times. To provide flexibility, allow a trading partner to override security settings by specifying any of the following conditions:

  • Turning Connect:Direct Secure Plus for z/OS® on or off for a particular session
  • Specifying one or more ciphers for encryption instead of the default cipher suites

The more flexible the configuration is, the less secure the environment becomes. Observe caution when considering the flexibility of configuration.
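The trade-off above (every per-partner override is a place where the universal policy can be weakened) is easiest to manage if overrides are reviewed against the site policy before they go live. The following added example is not IBM code and does not use any Connect:Direct configuration format; it audits constructed per-session override records against a hypothetical site policy, using the protocol versions and override types this page names.

```python
from dataclasses import dataclass

# Protocol versions exactly as the page lists them, weakest first.
PROTOCOL_ORDER = ["SSL3.0", "TLS1.0", "TLS1.1", "TLS1.2", "TLS1.3"]
DEPRECATED = {"SSL3.0", "TLS1.0", "TLS1.1"}  # slated for removal per the page

@dataclass(frozen=True)
class SessionOverride:
    # A trading partner's per-session override (constructed record, not a C:D config format).
    partner: str
    secure_plus_on: bool = True
    protocol: str = "TLS1.3"
    ciphers: tuple = ()  # empty tuple means the default cipher suites are used

@dataclass(frozen=True)
class SitePolicy:
    # The universal policy the site wants enforced (hypothetical knobs).
    min_protocol: str = "TLS1.2"
    allow_secure_plus_off: bool = False
    allow_cipher_override: bool = False

def audit_session(session, policy):
    """Return the ways this session's overrides weaken the site policy; [] means compliant."""
    findings = []
    if not session.secure_plus_on:
        if not policy.allow_secure_plus_off:
            findings.append("Secure Plus is off: this session's file data is not encrypted")
        return findings  # protocol and cipher settings are moot without Secure Plus
    if session.protocol not in PROTOCOL_ORDER:
        return [f"unknown protocol {session.protocol!r}"]
    if PROTOCOL_ORDER.index(session.protocol) < PROTOCOL_ORDER.index(policy.min_protocol):
        findings.append(f"{session.protocol} is below the policy minimum {policy.min_protocol}")
    if session.protocol in DEPRECATED:
        findings.append(f"{session.protocol} is scheduled for removal in a future release")
    if session.ciphers and not policy.allow_cipher_override:
        findings.append("partner-specified ciphers replace the default cipher suites")
    return findings

def audit_all(sessions, policy):
    """Map each partner to its findings so the weakest overrides stand out in review."""
    return {s.partner: audit_session(s, policy) for s in sessions}

# Constructed sample overrides for three partners.
SAMPLE = [
    SessionOverride("PARTNER_A"),
    SessionOverride("PARTNER_B", protocol="TLS1.0"),
    SessionOverride("PARTNER_C", secure_plus_on=False, protocol="TLS1.3"),
]
```

Running `audit_all(SAMPLE, SitePolicy())` reports PARTNER_A as compliant, PARTNER_B for a protocol below the minimum that is also deprecated, and PARTNER_C for unencrypted transfers.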

From release 6.2, IBM Connect:Direct encrypts the control block information contained in Function Management Headers (FMHs), such as the user ID, password, and filename, as well as the file data being transferred. This provides additional security.