Data Encryption – Beechglen Development Inc.

Security: Data Encryption

Here are some security and data encryption options available on the HP3000.

SFTP

SFTP (Secure FTP) is a component of SSH (Secure Shell). SSH is an application that protects the TCP/IP connections between two computers. The software enables secure terminal sessions (Telnet) and file transfers (FTP) to and from the servers. It also enables the secured use of networked applications over untrusted networks. The encryption of the connection is done at the application layer, meaning that the security provided is available regardless of the network connection speed or type.

The key phrase here is “enables the secured use of networked applications over untrusted networks.” That is, you can safely exchange files with vendors, partners, or customers over the Internet without first encrypting the data at one end and decrypting at the other. The data is encrypted in transit.

A gentleman named Ken Hirsch ported the open source version of SSH to MPE. Ken has kindly shared his efforts and made the software available to anyone. At this moment only the SFTP module is functional on MPE while secure shell is not.

OpenSSH is built upon several other pieces of software that also must be installed including Perl and OpenSSL. I have put together a checklist for installing all of the components necessary to make SFTP work. It is intended to augment the documentation accompanying each of the pieces. These instructions can be obtained from our web site at http://www.beechglen.com/mpe/sftpinstallnotes.

MD5 Checksum

Calculating an MD5 checksum is a common method to provide one way data encryption. One way meaning you cannot take the encrypted value and recalculate the original value. This is extremely useful for storing passwords in a database. When a user enters a value such as MYPASS, run it through an MD5 algorithm to produce a “number” or checksum, and store the checksum in the database. Thereafter, whenever you need to determine if the correct password has been provided, run the entered password through the MD5 algorithm and compare the checksum to what is stored in the database. If they match, the entered password is correct. At no time will anyone other than the user know what the original password is.

OPENSSL (install per above instructions) includes libraries for MD5 encryption. These libraries can easily be manipulated into an MPE executable library (XL) enabling you to call the MD5 routines from a COBOL program. Use the following commands to create an XL called MD5XL.

:copy /OPENSSL/V000906A/src/openssl-0.9.6a/crypto/md5/md5_one.o,MD5ONE :copy /OPENSSL/V000906A/src/openssl-0.9.6a/crypto/md5/md5_dgst.o,MD5DGST :frombyte.hpbin.sys "-b MD5ONE MD5ONEA" :frombyte.hpbin.sys "-b MD5DGST MD5DGSTA" :file md5onen;code=nmobj :file md5dgstn;code=nmobj :fcopy from=md5onea;to=*md5onen;new :fcopy from=md5dgsta;to=*md5dgstn;new :linkedit LinkEd> buildxl md5xl LinkEd> xl md5xl LinkEd> addxl md5onen LinkEd> addxl md5dgstn LinkEd> listxl LinkEd> exit

The following COBOL program illustrates how to pass a string to the MD5 algorithms and return a value back. Simply run the compiled program with ;XL=”MD5XL”. Store the value of MD5-RESULT in your database instead of PASSWORD. You can download a copy of the MD5XL in WRQ labels format from our web site at http://www.beechglen.com/pub/md5xl.wrq. A binary version which you can FTP to your HP3000 is also available from http://www.beechglen.com/pub/md5xl.bin. To upload the binary version use the command put c:subdirmd5xl.bin md5xl.pub.sys;rec=128,1,f,binary;code=nmxl.

$CONTROL USLINIT,NOSOURCE,NOLIST,BOUNDS,POST85
 IDENTIFICATION DIVISION.
 PROGRAM-ID. COBTEST.
 ENVIRONMENT DIVISION.
 CONFIGURATION SECTION.
 SPECIAL-NAMES.
     CONDITION-CODE IS C-C.
 INPUT-OUTPUT SECTION.
 FILE-CONTROL.
     SELECT FILE1      ASSIGN TO 'FILE1' FILE STATUS IS FSTAT.
 I-O-CONTROL.
 DATA DIVISION.
 FILE SECTION.
 FD FILE1.
 01 FILE1-RECORD PIC X(80).

 WORKING-STORAGE SECTION.
 01 FSTAT PIC XX.

 01 PASSWORD       PIC X(20) VALUE SPACES.
 01 PASS-LENGTH    PIC 9(9) COMP VALUE 20.
 01 MD5-VALUE      PIC X(20) VALUE SPACES.
 01 MD5-RETURN     PIC X(20) VALUE SPACES.
 PROCEDURE DIVISION.
 0000-CONTROL-PROCESS.
     MOVE SPACES TO PASSWORD.
     DISPLAY "PASSWORD=?" WITH NO ADVANCING.
     ACCEPT PASSWORD.
     MOVE %0 TO PASSWORD (20:1).
     IF PASSWORD = "E" THEN STOP RUN.
     CALL "MD5" USING PASSWORD, PASS-LENGTH, MD5-VALUE.
     DISPLAY "RESULT=" MD5-VALUE.
     GO TO 0000-CONTROL-PROCESS.

Encrypting data with MPE Intrinsics

In MPE/iX Release 5.5, HP included several callable routines to empower COBOL programs to perform bit manipulation functions such as Xor, and Xand. Xor functionality can be implemented as an encryption algorithm for storing sensitive data such as credit card numbers. Xor is not a strong encryption methodology but it suffices to make data unreadable in ASCII format.

The routines are:
HP_BYTE_UNPACK which returns a sequence of ASCII “0” and “1” characters to represent a pseudo-binary representation of a string.
HP_BYTE_PACK returns the pseudo-binary value back to a string to store in a database.

The most interesting of all is HP_BYTE_XOR which will perform a binary Xor. This can be used to encrypt and decrypt a string. Only someone who knows the Xor value can decrypt the data.

A sample COBOL program that uses HP_BYTE_XOR to first encrypt, and then decrypt a string looks like this:

$CONTROL USLINIT,NOSOURCE,NOLIST,BOUNDS,POST85
 IDENTIFICATION DIVISION.
 PROGRAM-ID. XORTEST.
 ENVIRONMENT DIVISION.
 CONFIGURATION SECTION.
 SPECIAL-NAMES.
     CONDITION-CODE IS C-C.
 INPUT-OUTPUT SECTION.

 FILE-CONTROL.
     SELECT FILE1      ASSIGN TO 'FILE1' FILE STATUS IS FSTAT.
 I-O-CONTROL.
 DATA DIVISION.
 FILE SECTION.
 FD FILE1.
 01 FILE1-RECORD PIC X(80).

 WORKING-STORAGE SECTION.
 01 FSTAT                 PIC XX.
 01 CC-NUM                PIC X(16)  VALUE SPACES.
 01 CC-NUM-ENCRYPTED      PIC X(16) VALUE SPACES.
 01 XOR-VALUE             PIC X(16) VALUE "Xor_EncryptValue".
 PROCEDURE DIVISION.
 0000-CONTROL-PROCESS.
     DISPLAY "CCNUM? " WITH NO ADVANCING.
     ACCEPT CC-NUM.
     CALL "HP_BYTE_XOR" USING CC-NUM,
                              XOR-VALUE,
                              CC-NUM-ENCRYPTED,
                              16.
     DISPLAY "Original CCNUM: ", CC-NUM.
     DISPLAY "Encrypted: ", CC-NUM-ENCRYPTED.

     MOVE SPACES TO CC-NUM.
     CALL "HP_BYTE_XOR" USING CC-NUM-ENCRYPTED,
                              XOR-VALUE,
                              CC-NUM,
                              16.
     DISPLAY "Original CCNUM: ", CC-NUM.
     STOP RUN.

Running the program listed above produces the following output. A “real life” program can store the CC-NUM-ENCRYPTED value in the database and run it through the Xor algorithm only for authorized users or batch jobs.

:run xortest CCNUM? 1234567987654321 Original CCNUM: 1234567987654321 Encrypted: i]AkpXTKAGBcU_GT Original CCNUM: 1234567987654321