Martin Großhans
New User
Joined: 04 Nov 2011 Posts: 4 Location: Germany
On a web server we retrieve data. This data is transferred to an application server and from there via MQ Series / OTMA to an IMS transaction. This IMS transaction calls a COBOL program.
In that COBOL program we would like to ensure that the received data originating on the web server was not changed (e.g. by a man-in-the-middle attack) during these several steps of transfer.
For that reason a signature (hash value) for the data has to be created on the web server using standards like MD5 or AES.
Does anyone know if there is a way to create such a (e.g. MD5) hash value within a COBOL program, which could then be compared to ensure that the data wasn't changed?
data --> Web-Server --> data, MD5-hash --> Application Server --> data, MD5-hash --> MQSeries --> OTMA --> IMS transaction --> data, MD5-hash --> COBOL program
P.S.:
- I'm not looking for a full-size (RACF) PKI solution or the signing of a message e.g. just during the transport on MQSeries. Important is the end-to-end aspect of a solution.
- Of course we don't intend to use MD5, but a more secure method, if available on z/OS.
Best regards, Martin
enrico-sorichetti
Superior Member
Joined: 14 Mar 2007 Posts: 10873 Location: italy
I might have misunderstood the data flow,
but it seems to me that sending the data with the signature appended will not provide too much protection.
Martin Großhans
New User
Joined: 04 Nov 2011 Posts: 4 Location: Germany
On the web server the signature (hash) is created with a secret key.
In the COBOL program the hash is also created with a secret key.
If somebody changes the data on the way to the COBOL program without generating a new signature, the hash created by the COBOL program will be different from the hash created on the web server. So we know the data is compromised.
If the secret key is kept secret there is no way to change the data without disclosure.
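The keyed-hash scheme described in this post, as an added Python example (not code from the thread, and not the COBOL/ICSF implementation the question asks about): the sending side attaches an HMAC-SHA-256 computed with the shared secret, the receiving side recomputes it over the data it received and compares. The shared key and the sample message are constructed for the demo; for contrast it also carries the unkeyed MD5 from the original question, which an intermediate hop can simply recompute after altering the data, so it detects nothing.

```python
import hashlib
import hmac

# Constructed demo secret shared by the web server and the COBOL program.
# In a real deployment it would live in a key store (e.g. ICSF on z/OS).
SHARED_KEY = b"constructed-demo-key-not-for-real-use"


def web_server_send(data: bytes, key: bytes = SHARED_KEY) -> dict:
    """Sending side: attach a keyed hash (HMAC-SHA-256) to the data."""
    return {"data": data, "mac": hmac.new(key, data, hashlib.sha256).hexdigest()}


def cobol_side_verify(message: dict, key: bytes = SHARED_KEY) -> bool:
    """Receiving side: recompute the MAC over the received data with the same
    key and compare it to the transmitted MAC in constant time."""
    expected = hmac.new(key, message["data"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, message["mac"])


def unkeyed_send(data: bytes) -> dict:
    """The original idea from the question: plain MD5, no secret involved."""
    return {"data": data, "digest": hashlib.md5(data).hexdigest()}


def unkeyed_verify(message: dict) -> bool:
    return hashlib.md5(message["data"]).hexdigest() == message["digest"]


def modified_on_a_hop(message: dict, new_data: bytes) -> dict:
    """Simulate a change on an intermediate hop (application server, MQ, ...).
    An unkeyed digest can be recomputed there; the HMAC cannot without the key,
    so the old MAC is all that can be forwarded."""
    out = dict(message, data=new_data)
    if "digest" in out:
        out["digest"] = hashlib.md5(new_data).hexdigest()
    return out


if __name__ == "__main__":
    original = b"ORDER 4711;AMOUNT 100.00"          # constructed sample record
    changed = b"ORDER 4711;AMOUNT 999.00"
    keyed = web_server_send(original)
    print("HMAC, untouched  :", cobol_side_verify(keyed))
    print("HMAC, modified   :", cobol_side_verify(modified_on_a_hop(keyed, changed)))
    plain = unkeyed_send(original)
    print("MD5, modified    :", unkeyed_verify(modified_on_a_hop(plain, changed)))
```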
enrico-sorichetti
Superior Member
Joined: 14 Mar 2007 Posts: 10873 Location: italy
Quote:
On the web server the signature (hash) is created with a secret key.
In the COBOL program the hash is also created with a secret key.
The approach seems a bit simplistic to me...
Where/how is the secret key stored/retrieved?
Martin Großhans
New User
Joined: 04 Nov 2011 Posts: 4 Location: Germany
enrico-sorichetti wrote:
Quote:
On the web server the signature (hash) is created with a secret key.
In the COBOL program the hash is also created with a secret key.
The approach seems a bit simplistic to me...
Where/how is the secret key stored/retrieved?
In the web world the task of storing a secret key and creating signatures in a safe way is daily business. On the mainframe there are a couple of ways to store and retrieve secret data.
For the mainframe side I'd be very happy to find somebody who knows how to create a signature, using a standard method like MD5 or AES, out of a COBOL program.
If there is a tool for z/OS, I'd expect it would come automatically with a solution for storing the secret key too.
Best regards
Martin
enrico-sorichetti
Superior Member
Joined: 14 Mar 2007 Posts: 10873 Location: italy
Well... I feel that in this case the only way of doing it properly
would be to meditate on the IBM Integrated Cryptographic Service Facility.
Martin Großhans
New User
Joined: 04 Nov 2011 Posts: 4 Location: Germany
enrico-sorichetti wrote:
Well... I feel that in this case the only way of doing it properly
would be to meditate on the IBM Integrated Cryptographic Service Facility.
Thank you for your information, Enrico.
If somebody is out there with real-life experience on this topic, I'd highly appreciate it.
All the best
Martin