Q

Encrypting passwords using COBOL

Can you tell me if there are routines available using COBOL to encrypt and decrypt a security password stored on a mainframe VSAM file?
Unfortunately, I cannot. Most of the standard ways to do this are pretty math-intensive and would be tedious in COBOL. It would be better to call out from COBOL into a language like C. There are many implementations of appropriate algorithms in many languages, but I don't know of any in COBOL.

When you implement your system, consider using a one-way hash function like SHA-1 rather than a cipher. That way, if someone gets the password database, they cannot decrypt the passwords. The downside is that you can't tell someone their password if they lose it; you can only give them a new one.

If you do that, you store the hashed password, and to check the user's connection, you hash the supplied password and compare the result with the stored value in the database.

There is another improvement you can make to this that helps thwart dictionary attacks against your password database. In this technique, you store with the password a small arbitrary string of characters (two to eight characters) called a "salt" value. When you first store a password, you store the hash of the salt and the password, and do the check against the salt with the supplied password. This makes it more difficult for someone to compare a pre-computed dictionary against your database.
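
The salted-hash storage and check described above, as an added example that is not part of the original answer. It uses the SHA-1 hash the answer names; the 8-character salt, the salt-then-digest field layout and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import string

SALT_LEN = 8                                  # answer suggests two to eight characters
SALT_ALPHABET = string.ascii_letters + string.digits
DIGEST_HEX_LEN = 40                           # SHA-1 digest written as hex
RECORD_LEN = SALT_LEN + DIGEST_HEX_LEN        # assumed fixed-width field: salt + digest


def salted_digest(salt, password):
    """Hash of the salt followed by the password."""
    return hashlib.sha1((salt + password).encode("utf-8")).hexdigest()


def make_record(password, salt=None):
    """Value to store for a user: the salt, then the salted hash."""
    if salt is None:
        salt = "".join(secrets.choice(SALT_ALPHABET) for _ in range(SALT_LEN))
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be exactly SALT_LEN characters")
    return salt + salted_digest(salt, password)


def check_password(record, supplied):
    """Re-hash the supplied password with the stored salt and compare."""
    if len(record) != RECORD_LEN:
        return False                          # malformed or truncated field
    salt, stored = record[:SALT_LEN], record[SALT_LEN:]
    candidate = salted_digest(salt, supplied)
    # Constant-time comparison of the two digests.
    return hmac.compare_digest(stored.encode(), candidate.encode())


def precomputed_matches(records, words):
    """Count stored digests found in a table of unsalted hashes of `words`."""
    table = {hashlib.sha1(w.encode("utf-8")).hexdigest() for w in words}
    return sum(1 for r in records if r[SALT_LEN:] in table)


if __name__ == "__main__":
    # Constructed sample data: two users who chose the same password.
    records = [make_record("summer2002"), make_record("summer2002")]
    print(records[0] != records[1])                          # salts differ
    print(check_password(records[0], "summer2002"))          # correct password
    print(precomputed_matches(records, ["summer2002"]))      # table finds nothing
```

A deliberately slow function such as PBKDF2 (`hashlib.pbkdf2_hmac`) in place of the single SHA-1 pass raises the cost of each guess further.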



This was first published in January 2002
