Encrypting passwords using COBOL
Can you tell me if there are routines available using COBOL to encrypt and decrypt a security password stored on a mainframe VSAM file?
Unfortunately, I cannot. Most of the standard ways to do this are pretty
math-intensive and would be tedious in COBOL. It would be better to call
out from COBOL into a language like C. There are many implementations of
appropriate algorithms in many languages, but I don't know of any in COBOL.
When you implement your system, consider using a one-way hash function like SHA-1 rather than a cipher. That way, if someone gets hold of the password database, they cannot recover the passwords from it. The downside is that you can't tell someone their password if they lose it; you can only give them a new one.
If you do that, you store the hashed password, and to authenticate a user you hash the supplied password and compare the result with the stored value in the database.
There is a further improvement that helps thwart dictionary attacks against your password database. In this technique, you store with each password a small arbitrary string of characters (two to eight characters) called a "salt" value. When you first store a password, you store the salt and the hash of the salt combined with the password; to check a login, you hash the stored salt with the supplied password and compare the result with the stored hash. This makes it much harder for someone to compare a pre-computed dictionary of hashes against your database, because every distinct salt value would need its own dictionary.
For more information on this topic, visit these other SearchSecurity.com resources:
Best Web Links: Password cracking
Best Web Links: Securing your data and information
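Added example, not part of the original answer or of SearchSecurity.com: a Python version of the salted-hash routine the answer describes, plus a small demonstration of why the salt defeats a pre-computed dictionary. It departs from the 2002 text in two places, both assumptions of this example: it uses SHA-256 rather than SHA-1 (SHA-1 is no longer recommended for new designs) and a 16-byte random salt rather than two to eight characters. The stored record layout `algorithm$salt-hex$digest-hex`, the function names and the sample user data are all constructed for this example; in a mainframe deployment the same logic would sit in the C (or other) routine called from COBOL, with the record written to the VSAM file.

```python
import hashlib
import hmac
import os
from typing import Optional

# Record layout assumed for this example (not from the page):
#   "<algorithm>$<salt as hex>$<digest as hex>"   e.g. "sha256$9f..$ab.."
# It is one text field stored next to the user ID; the salt is not secret.
ALGORITHM = "sha256"
SALT_BYTES = 16  # 16 random bytes, larger than the 2-8 characters suggested in 2002


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Build the record to store when a password is set or changed."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every password
    digest = hashlib.new(ALGORITHM, salt + password.encode("utf-8")).hexdigest()
    return f"{ALGORITHM}${salt.hex()}${digest}"


def verify_password(password: str, record: str) -> bool:
    """Check a supplied password against the stored record; never raises."""
    try:
        algorithm, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False  # malformed record: reject rather than crash the logon
    if algorithm != ALGORITHM:
        return False  # unknown or retired algorithm
    candidate = hashlib.new(algorithm, salt + password.encode("utf-8")).hexdigest()
    # Constant-time comparison so response timing does not reveal matching prefixes.
    return hmac.compare_digest(candidate, digest_hex)


# --- Why the salt matters: the attacker's view of a stolen database --------

def unsalted_hash(password: str) -> str:
    """What a store WITHOUT a salt would hold: the hash of the password alone."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def precomputed_table(dictionary):
    """Attacker's one-off precomputation: digest -> word, reusable against any victim."""
    return {unsalted_hash(word): word for word in dictionary}


def crack_unsalted(stored_digest: str, table: dict) -> Optional[str]:
    """Unsalted store: one dictionary lookup per user, no hashing needed at attack time."""
    return table.get(stored_digest)


def crack_salted(record: str, dictionary) -> Optional[str]:
    """Salted store: the table is useless; every word must be re-hashed with THIS salt."""
    for word in dictionary:
        if verify_password(word, record):
            return word
    return None


if __name__ == "__main__":
    # Constructed sample data: two users who happen to pick the same weak password.
    dictionary = ["password", "letmein", "winter2002", "qwerty"]
    alice = hash_password("winter2002")
    bob = hash_password("winter2002")
    print("same password, different records:", alice != bob)
    print("alice logs in:", verify_password("winter2002", alice))
    print("wrong password rejected:", not verify_password("Winter2002", alice))
    table = precomputed_table(dictionary)
    print("unsalted store cracked by lookup:", crack_unsalted(unsalted_hash("winter2002"), table))
    print("salted store needs per-record work:", crack_salted(alice, dictionary))
```

Two design points worth noting: the record carries its own salt and algorithm name, so a future migration can verify old records while writing new ones in a stronger format; and a plain salted hash is exactly what the answer describes, but for a system built today you would use a deliberately slow construction (PBKDF2, bcrypt, scrypt or Argon2) in place of the single SHA-256 call, so that each guess in `crack_salted` costs the attacker real time as well as being unique per salt.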
This was first published in January 2002