Qualities of protection available with AMS
The three qualities of protection for Advanced Message Security are Integrity, Privacy, and, from IBM® MQ 9.0, Confidentiality.
Integrity protection is provided by digital signing, which provides assurance of who created the message and that the message has not been altered or tampered with.
Privacy protection is provided by a combination of digital signing and encryption.
Encryption ensures that message data is only viewable to the intended recipient, or recipients. Even if unauthorized recipients obtain a copy of the encrypted message data, they are unable to view the actual message data itself.
Confidentiality protection is provided by encryption only.
Effect on performance
- Asymmetric cryptographic routines: for example, when putting a signed message, the message hash is signed using an asymmetric key operation.
- Asymmetric and symmetric cryptographic routines: when putting an encrypted message, a symmetric key is generated and then encrypted using an asymmetric key operation for each intended recipient of the message.
All three qualities of protection, therefore, contain varying elements of the CPU intensive asymmetric key operations, which will significantly impact the maximum achievable messaging rate for applications putting and getting messages.
Key reuse
Confidentiality policies do, however, allow for symmetric key reuse over a sequence of messages.
You can use this approach to significantly reduce the costs involved in encrypting a number of messages intended for the same recipient or recipients.
For example, when putting 10 encrypted messages to the same set of recipients, a symmetric key is generated, and then encrypted for the first message, using an asymmetric key operation for each intended recipient of the message.
Based upon policy controlled limits, the encrypted symmetric key can then be reused by subsequent messages that are intended for the same recipients. An application that is getting encrypted messages can apply the same optimization, in that the application can detect when a symmetric key has not changed and avoid the expense of retrieving the symmetric key.
In this example, 90% of the asymmetric key operations can be avoided by both the putting and getting applications by reusing the same key.
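The following is an added example, not IBM MQ or AMS code, that models the accounting described above: a putting application generates a symmetric key, wraps it once per recipient with an asymmetric operation, and reuses that key for up to a policy limit of messages, while a getting application unwraps a key only when the wrapped key it receives differs from the one it last saw. The asymmetric wrap and unwrap are counted stand-ins (a hash-derived pad, not RSA), the symmetric cipher is an HMAC-SHA256 counter-mode keystream standing in for the product's algorithm, and `key_reuse_limit` is a hypothetical parameter representing the policy-controlled limit; the recipient names and message bodies are constructed.

```python
"""Model of symmetric key reuse under a Confidentiality policy (added example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class Counters:
    asymmetric_ops: int = 0  # each wrap or unwrap is one asymmetric operation


@dataclass
class Recipient:
    name: str
    # Stand-in for the recipient's key pair; a secret is enough to model cost.
    secret: bytes = field(default_factory=lambda: os.urandom(32))


def wrap_key(recipient: Recipient, sym_key: bytes, counters: Counters) -> bytes:
    """Stand-in for encrypting the symmetric key to one recipient (1 asymmetric op)."""
    counters.asymmetric_ops += 1
    pad = hashlib.sha256(recipient.secret + b"wrap").digest()
    return bytes(a ^ b for a, b in zip(sym_key, pad))


def unwrap_key(recipient: Recipient, wrapped: bytes, counters: Counters) -> bytes:
    """Stand-in for the recipient decrypting its wrapped key (1 asymmetric op)."""
    counters.asymmetric_ops += 1
    pad = hashlib.sha256(recipient.secret + b"wrap").digest()
    return bytes(a ^ b for a, b in zip(wrapped, pad))


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Symmetric stand-in: HMAC-SHA256 in counter mode used as a keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


@dataclass
class ProtectedMessage:
    wrapped_keys: dict   # recipient name -> symmetric key wrapped for that recipient
    nonce: bytes
    ciphertext: bytes


class ConfidentialityPutter:
    """Generates a symmetric key, wraps it once per recipient, then reuses it
    for up to key_reuse_limit messages before generating a fresh one."""

    def __init__(self, recipients, key_reuse_limit: int):
        self.recipients = recipients
        self.key_reuse_limit = key_reuse_limit  # hypothetical policy limit
        self.counters = Counters()
        self._key, self._wrapped, self._uses = None, None, 0

    def put(self, plaintext: bytes) -> ProtectedMessage:
        if self._key is None or self._uses >= self.key_reuse_limit:
            self._key = os.urandom(32)
            self._wrapped = {r.name: wrap_key(r, self._key, self.counters)
                             for r in self.recipients}
            self._uses = 0
        self._uses += 1
        nonce = os.urandom(16)
        return ProtectedMessage(dict(self._wrapped), nonce,
                                keystream_xor(self._key, nonce, plaintext))


class ConfidentialityGetter:
    """Unwraps a key only when the wrapped key differs from one already seen."""

    def __init__(self, recipient: Recipient):
        self.recipient = recipient
        self.counters = Counters()
        self._cache = {}  # wrapped key bytes -> unwrapped symmetric key

    def get(self, msg: ProtectedMessage) -> bytes:
        wrapped = msg.wrapped_keys[self.recipient.name]
        if wrapped not in self._cache:  # key unchanged -> no asymmetric op
            self._cache[wrapped] = unwrap_key(self.recipient, wrapped, self.counters)
        return keystream_xor(self._cache[wrapped], msg.nonce, msg.ciphertext)


def run_scenario(num_messages: int, num_recipients: int, key_reuse_limit: int) -> dict:
    """Put num_messages to the same recipients, have the first recipient get
    them all, and report the asymmetric operations on each side."""
    recipients = [Recipient(f"recipient{i}") for i in range(num_recipients)]
    putter = ConfidentialityPutter(recipients, key_reuse_limit)
    getter = ConfidentialityGetter(recipients[0])
    ok = True
    for n in range(num_messages):
        body = f"constructed message {n}".encode()  # constructed sample data
        ok = ok and getter.get(putter.put(body)) == body
    return {"putter_asymmetric_ops": putter.counters.asymmetric_ops,
            "getter_asymmetric_ops": getter.counters.asymmetric_ops,
            "all_decrypted": ok}


if __name__ == "__main__":
    print("reuse:   ", run_scenario(10, 3, key_reuse_limit=10))
    print("no reuse:", run_scenario(10, 3, key_reuse_limit=1))
```

With 10 messages to 3 recipients, a reuse limit of 10 costs the putter 3 asymmetric operations and the getter 1, against 30 and 10 with no reuse, which is the 90% saving the text describes; a smaller limit such as 4 lands in between because a fresh key (and a fresh set of wraps) is needed every 4 messages. The getter keys its cache on the wrapped blob itself, which is how it can notice that the symmetric key has not changed without performing the unwrap.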
- MQSC command SET POLICY
- Control command setmqspl
- IBM i command SETMQMSPL