End-to-End Security: Validate a Signature

 
Martin Großhans
Posted: Fri Nov 11, 2011 12:53 am    Post subject: End-to-End Security: Validate a Signature

On a web server we retrieve data. This data is transferred to an application server and from there via MQ Series / OTMA to an IMS transaction. This IMS transaction calls a COBOL program.

In that COBOL program we would like to ensure that the received data originating on the web server was not changed (e.g. by a man-in-the-middle attack) during these several steps of transfer.

For that reason a signature (hash value) for the data has to be created on the web server using standards like MD5 or AES.

Does anyone know if there is a way to create such a (e.g. MD5) hash value within a COBOL program, which could then be compared to ensure that the data wasn't changed?

data --> Web-Server --> data, MD5-hash --> Application Server --> data, MD5-hash --> MQSeries --> OTMA --> IMS transaction --> data, MD5-hash --> COBOL program

P.S.:
- I'm not looking for a full size (RACF-) PKI solution or the signing of a message e.g. just during the transport on MQSeries. Important is the end-to-end aspect of a solution.
- Of course we don't intend to use MD5, but a more secure method, if available on z/OS


Best regards, Martin

enrico-sorichetti
Posted: Fri Nov 11, 2011 12:58 am    Post subject: Reply to: End-to-End Security: Validate a Signature

I might have misunderstood the data flow,
but it seems to me that sending the data with the signature appended will not provide too much protection

Martin Großhans
Posted: Fri Nov 11, 2011 1:08 am    Post subject: Reply to: End-to-End Security: Validate a Signature

On the web server the signature (hash) is created with a secret key.
In the COBOL program the hash is also created with a secret key.

If somebody is changing the data on the way to the COBOL program without generating a new signature, the hash created by the COBOL program will be different to the hash created on the web server. So we know the data is compromised.

If the secret key is kept secret there is no way to change the data without disclosure.
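
The keyed-hash scheme described in this post, and the objection to a plain appended hash raised in the earlier reply, sketched as an added Python example (not code from the thread, and not COBOL or ICSF code). It uses HMAC-SHA-256 as the keyed hash; the key, the sample message, the function names and the cp037 EBCDIC code page are assumptions made for the demonstration.

```python
import hashlib
import hmac

# Constructed demo key; both endpoints would load the real one from protected storage.
SHARED_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f" * 2)
CANONICAL = "utf-8"  # assumption: encoding both ends agree to compute the MAC over


def sign(text: str, key: bytes = SHARED_KEY) -> str:
    """Sender (web server): HMAC-SHA-256 over the canonical bytes, hex-encoded."""
    return hmac.new(key, text.encode(CANONICAL), hashlib.sha256).hexdigest()


def verify(raw: bytes, charset: str, tag_hex: str, key: bytes = SHARED_KEY) -> bool:
    """Receiver: undo any code-page conversion, recompute the MAC, compare."""
    try:
        canonical = raw.decode(charset).encode(CANONICAL)
        tag = bytes.fromhex(tag_hex)
    except (UnicodeError, ValueError):
        return False  # undecodable data or malformed tag: reject
    expected = hmac.new(key, canonical, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)  # constant-time comparison


def unkeyed_check(raw: bytes, digest_hex: str) -> bool:
    """Plain hash appended to the data: anyone on the path can recompute it."""
    return hashlib.sha256(raw).hexdigest() == digest_hex


def demo() -> dict:
    original = "ACCT=4711;AMOUNT=100.00"   # constructed sample message
    altered = "ACCT=4711;AMOUNT=900.00"    # same message changed at an intermediate hop
    tag = sign(original)
    return {
        # Unkeyed digest recomputed after the change: the check still passes.
        "unkeyed_altered_passes": unkeyed_check(
            altered.encode(), hashlib.sha256(altered.encode()).hexdigest()),
        # Keyed tag cannot be recomputed without the key: the change is detected.
        "hmac_altered_passes": verify(altered.encode(CANONICAL), CANONICAL, tag),
        "hmac_original_passes": verify(original.encode(CANONICAL), CANONICAL, tag),
        # Data converted to EBCDIC (cp037 assumed) in transit, normalised before checking.
        "hmac_after_ebcdic_conversion": verify(original.encode("cp037"), "cp037", tag),
        # Same converted bytes wrongly treated as canonical: a false tamper alarm.
        "hmac_raw_ebcdic_bytes": verify(original.encode("cp037"), CANONICAL, tag),
    }


if __name__ == "__main__":
    print(demo())
```

The last two cases matter for a path that crosses platforms: if any hop converts the character encoding, the receiver has to recompute the tag over the same bytes the sender used, or unmodified data will fail verification.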

enrico-sorichetti
Posted: Fri Nov 11, 2011 1:17 am    Post subject: Reply to: End-to-End Security: Validate a Signature

Quote:
On the web server the signature (hash) is created with a secret key.
In the COBOL program the hash is also created with a secret key.


the approach seems a bit simplistic to me...
where/how is the secret key stored/retrieved ?

Martin Großhans
Posted: Fri Nov 11, 2011 1:35 am    Post subject: Re: Reply to: End-to-End Security: Validate a Signature

enrico-sorichetti wrote:
Quote:
On the web server the signature (hash) is created with a secret key.
In the COBOL program the hash is also created with a secret key.


the approach seems a bit simplistic to me...
where/how is the secret key stored/retrieved ?


In the web world the task of storing a secret key and creating signatures in a safe way is daily business. On the mainframe there are a couple of ways to store and retrieve secret data.

For the mainframe side I'd be very happy to find somebody who knows how to create a signature, using a standard method like MD5 or AES out of a COBOL program.

If there is a tool for z/OS, I'd expect it would come automatically with a solution for storing the secret key too.

Best regards
Martin

enrico-sorichetti
Posted: Fri Nov 11, 2011 1:39 am    Post subject: Reply to: End-to-End Security: Validate a Signature

well... I feel that in this case the only way of doing it properly
would be to meditate on the IBM integrated cryptographic service facility

Martin Großhans
Posted: Fri Nov 11, 2011 1:57 am    Post subject: Re: Reply to: End-to-End Security: Validate a Signature

enrico-sorichetti wrote:
well... I feel that in this case the only way of doing it properly
would be to meditate on the IBM integrated cryptographic service facility


Thank you for your information, Enrico.

If somebody is out there with real-life experience on this topic, I'd highly appreciate it.

All the best
Martin

All times are GMT + 6 Hours