Document Summary
RecTrac 3.1 allows user-selectable encryption algorithms for 128-bit encryption. Encryption is set up and maintained by the Encryption profile.
Progress OpenEdge 11.7 supports 20 built-in standard encryption algorithms, which are user selectable on the Encryption profile. Only one (1) Encryption profile is allowed per database tenant. You do NOT link an Encryption profile anywhere. The profile is created with the 3.1 Install and exists in Profile Management using Standard Vermont Systems Encryption. If you desire a higher encryption level, you can modify the profile.
Encrypted database fields are as follows:
- CYStaffProvider.TaxID
- CYStaffProvider.SocialSecurityNumber
- EPayInfo.AccountNumber
- EPayInfo.RoutingNumber
- SASecurityfile.Password = encoded then encrypted
- SASecurity.PasswordList = encoded then encrypted (this is done by default as the password is added to the password list)
- SAPerson.SocialSecurityNumber
- SAStaff.SocialSecurityNumber
- SAStaff.TaxID
- SASystemCode.FTPPassword
- WebUserName.Password = encoded then encrypted
- WebUserName.PasswordList = encoded then encrypted (this is done by default as the password is added to the password list)
Here are the encrypted values stored in the SAProfile.ProfileDetails field:
- MerchantAccountPassword on WebXPress profile.
- MasterKey on ETS profile.
- MerchantPassword on CardConnect profile.
- PWCAPIPassword on Verifone profile.
- StoreKey on PStars profile.
- InsurancePassword on Insurance profile.
- ERCustomerPassword on eRange profile.
Data in these fields remains encrypted in the database and while it is transmitted from the server; it is decrypted only by the client requesting the information. If a report is generated that contains data from any of the encrypted fields listed above, the data itself remains encrypted, but the encrypted value is printed as-is on the report output (for example, a .PDF), so the report shows the ciphertext rather than the original value.
Note: The Encryption profile should not be confused with the SSL encrypted connections provided by Progress. SSL connections require additional configuration AND SSL certificates for the database engine server, plus configuration of all clients connecting to the database, AppServers and WebSpeed agents. SSL encrypted connections differ from the options provided by the Encryption profile in that SSL encrypts data while it is in "motion" (traveling between a client and server), whereas the Encryption profile encrypts the stored field values listed above.
The following are the 20 supported cryptographic algorithm names, grouped by cipher family (the suffix is the key size in bits; CBC, CFB, ECB and OFB are the block cipher modes):
- AES, 128-bit key: AES_CBC_128*, AES_CFB_128*, AES_ECB_128*, AES_OFB_128*
- AES, 192-bit key: AES_CBC_192*, AES_CFB_192*, AES_ECB_192*, AES_OFB_192*
- AES, 256-bit key: AES_CBC_256*, AES_CFB_256*, AES_ECB_256*, AES_OFB_256*
- DES, 56-bit key: DES_CBC_56, DES_CFB_56, DES_ECB_56, DES_OFB_56
- Triple DES, 168-bit key: DES3_CBC_168*, DES3_CFB_168*, DES3_ECB_168*, DES3_OFB_168*
* Federal Information Processing Standard (FIPS) Compliant Algorithm
Encryption methods listed here are industry standard. Their functionality, advantages and limitations can be easily researched online.
Notes: Progress supports the following hash algorithms:
- United States Government Secure Hash Algorithm - SHA-2 (FIPS Compliant)
- RSA Message Digest hash Algorithm - MD5
Once an Encryption profile is in use on your database, it CANNOT be removed. However, it can be modified/updated.
License – Maintenance Agreement
The use of this interface requires a Vermont Systems license and annual maintenance agreement for RecTrac and the component modules discussed in this document. Prior to implementing any process outlined in this document, please contact the Vermont Systems Sales department at 1-877-883-8757 to verify that you are authorized to use the modules discussed in this document and if not, to obtain a quote and/or approval.
If you have additional questions about RecTrac Encryption after reading this document, please contact Vermont Systems Customer Service by phone at 887-883-8757 or generate a Support Case through the Customer portal of the Vermont Systems website using your Customer ID and password.
Encryption Configuration
The Encryption profile allows you to set an encryption algorithm for 128-bit encryption for selected tables in your RecTrac database. Only one (1) Encryption profile is allowed per database tenant. You do NOT link an Encryption profile anywhere. The profile is created with the 3.1 Install and exists in Profile Management using Standard Vermont Systems Encryption. If you desire a higher encryption level, you can modify the profile.
To Modify the Encryption Profile
Note: Modifying the Encryption profile requires an Access Code from Vermont Systems.
- In RecTrac, search for and go to User/Menu/Profile Management group • Profile Management.
- Highlight/select the Encryption profile and click Change. You will be prompted for an Access Code.
- Contact Vermont Systems Support to obtain an Access Code. Enter it in the Access Code field and click Validate. Upon successful validation, you will continue to the Encryption Profile Update screen.
- Deselect the Use VSI Encryption option. This will unlock the other fields on the profile.
- Enter an Encryption Password, if desired, to make your encrypted data unique.
- Expand Encryption Algorithm and make your selection. Supported cryptographic algorithms are listed above.
- Expand Encryption Hash Algorithm and make your selection.
- MD5 - RSA Message Digest Hash Algorithm
- SHA-1 - Secure Hash Algorithm designed by the United States National Security Agency.
Note: SHA-1 has been deprecated. Most major browsers (Microsoft, Google, Apple, and Mozilla) no longer accept SHA-1.
- SHA-256 - Secure Hash Algorithm designed by the United States National Security Agency.
- SHA-512 - Secure Hash Algorithm designed by the United States National Security Agency.
- Enter a value in the Encryption Rounds field that is greater than 1000.
Many ciphers are defined by specifying a round and then running that specification multiple times. For example, in AES, a round consists of the operations SubBytes, ShiftRows, MixColumns, and AddRoundKey. That is one round and, to get AES, you run that multiple times (plus some setup and some post-processing). Thus a round is defined by each cipher and typically consists of a number of building blocks that are composed together to create a function that is run multiple times.
- Click Save when ready. You will be presented with the following prompt:
- Read the message carefully and make your selection:
- Schedule Database Backup and Schedule Encryption Conversion - This option results in the system making a backup of your database at 1:00am and then applying changes to your encryption method at 1:30am. This is the recommended option. You will be returned to the Profile Management DataGrid.
- Schedule Encryption Conversion (No Database Backup) - This option results in changes to your encryption method being applied at 1:30am only. You will be returned to the Profile Management DataGrid.
- Cancel - This option returns you to the Encryption profile update screen. No changes will be applied.
Verify the Scheduled Event(s)
- In RecTrac, search for and go to Scheduled Events Management.
- Depending on which option you selected above, you will see one (1) or two (2) Scheduled Events:
- Encryption Conversion <unique id number>, scheduled to run at 1:30am "tomorrow."
- Encryption Conversion DB Backup <unique id number>, scheduled to run at 1:00am "tomorrow."
- Changes to these events, if necessary, can be made using the Change Other Events button.