Authentication is the checking of files to determine whether
or not they have been modified.
The ENCRYPT/AUTHENTICATE command detects any modification of
either plaintext or ciphertext files. The software calculates a Message
Authentication Code (MAC) based on the contents of the files and associates
it with one or more files. An additional MAC is created that is based
on security settings unless you specifically request that the security
MAC not be created. At a later time, when you want to check file
integrity, the software recalculates the MACs and then compares the
current and stored MACs. Before you use the ENCRYPT /AUTHENTICATE
command, complete the process that associates MACs with files.
NOTE: AES (Advanced Encryption Standard) is not supported with /AUTHENTICATE
qualifier.
The ENCRYPT /AUTHENTICATE command has the following syntax:
is the name of the key. Specify
a 1-to-243-character string.
qualifiers
are options that control the
encryption process or the selection of files you want to encrypt.
A summary report on the authentication operation is displayed
on SYS$OUTPUT.
The following qualifiers are valid with ENCRYPT /AUTHENTICATE:
/[NO]DATABASE[=file-spec]
Specifies a file in which to store binary MAC values
created by using the file contents as input
/LOG
Displays the results of the authentication
operation for each file
/MULTIPLE_FILES
Indicates that the (file-spec) parameter represents a list of file names to be checked
/[NO]OUTPUT[=file-spec]
Specifies a file in which to store readable MAC values
/[NO]SECURITY[=file-spec]
Generates a MAC using the file's security settings:
owner, protection settings, and optional ACL, and specifies the file
in which to store the binary MAC values.
/[NO]UPDATE
Associates new MAC values
with one or more files
In addition, you can use all the file selection qualifiers
available to the ENCRYPT command: /BACKUP, /BEFORE, /BY_OWNER, /CONFIRM,
/EXCLUDE, /EXPIRED, /MODIFIED, and /SINCE.
The following sections describe how to use the /DATABASE, /LOG,
/SECURITY, /OUTPUT, and /UPDATE qualifiers with ENCRYPT /AUTHENTICATE.
Associating MACs with Files
To associate MACs with a file or to replace former MAC values
with new MAC values, use the /UPDATE qualifier. The /UPDATE qualifer
updates two different MACs created from file contents and from security
settings. The following command creates MAC values for all files
in the current directory.
Two sets of summary information are displayed: the first set
applies to the MAC values generated from the file contents, the second
set applies to the MAC values generated from the security settings.
Because this is the first time MACs are associated with these files,
none are reported as authenticated (summary message 1 for each set)
or as having failed authentication (summary message 2 for each set).
The last message in each set reports that no previous MACs were associated
with these files.
The MACs are stored in a binary database. Therefore, you cannot
specify /NODATABASE or /NOSECURITY with /UPDATE.
Checking Files
With no other qualifiers, the ENCRYPT /AUTHENTICATE command
compares previous MACs with current MACs. In addition, the software
reports on files with no currently associated MACs.
The following command reports on the status of all the files
in the current directory.
$ ENCRYPT /AUTHENTICATE *.* whitehen
%ENCRYPT-I-NOUPDATE, database will not be updated with new authentication codes
%ENCRYPT-I-SUMMARY1, Summary: Files successfully authenticated: 3
%ENCRYPT-I-SUMMARY2, Files failing authentication: 0
%ENCRYPT-I-SUMMARY3, Files not in database: 0
%ENCYRPT-I-SECSUMM1, Summary: Security settings authenticated: 3
%ENCYRPT-I-SECSUMM2, Security settings failing authenticated: 0
%ENCYRPT-I-SECSUMM3, Security settings not in database:0
Specifying a File for MACs Generated from File Contents
A database file stores MAC values in binary format. By default,
binary MAC values created from the file contents are stored in SYS$LOGIN:ENCRYPT$MAC.DAT.
You can use the /DATABASE qualifier to store the MAC values in an
alternate file.
The following command selects an alternate file in which to
store the MAC values.
$ ENCRYPT /AUTHENTICATE *.com whitehen /DATABASE=[MACS]MACCHECK.DAT /UPDATE
%ENCRYPT-I-NEWDB, New authentication code database has been created
%ENCRYPT-I-SUMMARY1, Summary: Files successfully authenticated: 0
%ENCRYPT-I-SUMMARY2, Files failing authentication: 0
%ENCRYPT-I-SUMMARY3, Files not in database: 6
When you specify /NODATABASE, the MAC values are not stored.
The next time you use the ENCRYPT /AUTHENTICATE command, the files
are treated as new since there are no current MAC values to check.
Specifying a Security MAC File
MAC entries based on security settings are automatically generated
and stored in a security database when the /UPDATE qualifier is used.
If you do not want to generate a MAC value based on security settings,
use the /NOSECURITY qualifier on the ENCRYPT /AUTHENTICATE command
line.
The entries in the security database are generated by using
the security settings: owner, protection settings, and an ACL if
one is associated with the file. By default, security MAC values are
stored in the database ENCRYPT$SEC.DAT. You can use the /SECURITY
qualifier to store security MAC values in an alternate file.
The following command selects an alternate file in which to
store security MAC values.
$ ENCRYPT /AUTHENTICATE *.com seveneleven /SECURITY=SECURITYMAC.DAT /UPDATE
%ENCYRPT-I-NEWSECDB, New authentication security settings database has been created
%ENCRYPT-I-SUMMARY1, Summary: Files successfully authenticated: 0
%ENCRYPT-I-SUMMARY2, Files failing authentication: 0
%ENCRYPT-I-SUMMARY3, Files not in database: 3
%ENCRYPT-I-SECSUMM1, Summary: Security settings authenticated: 0
%ENCRYPT-I-SECSUMM2, Security settings failing authentication: 0
%ENCRYPT-I-SECSUMM3, Security settings not in database: 3
Specifying a Listing File
In addition to a binary MAC database, Encryption stores MAC
values and status information in readable form. By default, readable
MAC values are stored in SYS$LOGIN:ENCRYPT$MAC.LIS.
To store readable values in an alternate file, use the /OUTPUT
qualifier. The file extension defaults to .LIS. For example, this
command specifies SYS$LOGIN:08MAC.LIS as the listing file:
$ ENCRYPT /AUTHENTICATE *.* whitehen /OUTPUT=08MAC
%ENCRYPT-I-NOUPDATE, database will not be updated with new authentication codes
%ENCRYPT-I-SUMMARY1, Summary: Files successfully authenticated: 6
%ENCRYPT-I-SUMMARY2, Files failing authentication: 0
%ENCRYPT-I-SUMMARY3, Files not in database: 0
To suppress the creation of this listing, use the /NOOUTPUT
qualifier.
Logging the Authentication Operation
To display the results of the authentication operation on each
file, use the /LOG qualifier. For example, the following command displays
the results of each file authentication on your terminal screen.
$ ENCRYPT /AUTHENTICATE /LOG *.* whitehen
%ENCRYPT-I-NOUPDATE, database will not be updated with new authentication codes
%ENCRYPT-S-AUTHMATCH, File DISK_1:[SCRATCH]EXAMPLE.TXT;1 successfully authenticated
%ENCRYPT-S-SECAUTHMATCH, Security settings for DISK_1:[SCRATCH]EXAMPLE.TXT successfully authenticated
%ENCRYPT-S-AUTHMATCH, File DISK_1:[SCRATCH]TEST.TXT;1 successfully authenticated.
%ENCRYPT-S-SECAUTHMATCH, Security settings for DISK_1:[SCRATCH]TEST.TXT successfully authenticated
%ENCRYPT-S-AUTHMATCH, File DISK_1:[SCRATCH]RELEASE.TXT;2 successfully authenticated.
%ENCRYPT-S-SECAUTHMATCH, Security settings for DISK_1:[SCRATCH]RELEASE.TXT successfully authenticated
%ENCRYPT-I-SUMMARY1, Summary: Files successfully authenticated: 6
%ENCRYPT-I-SUMMARY2, Files failing authentication:0
%ENCRYPT-I-SUMMARY3, Files not in database:0
%ENCRYPT-I-SECSUMM1, Summary: Security settings authenticated: 6
%ENCRYPT-I-SECSUMM2, Security settings failing authentication:0
%ENCRYPT-I-SECSUMM3, Security settings not in database:0
