COBOL software for XML generation & parsing, AES encryption, data compression and source code obfuscation from Redvers Consulting

Technical Solutions for COBOL


Redvers Encryption Device

The Redvers Encryption Device is an AES (Advanced Encryption Standard) 128, 192 or 256 bit encryption and decryption algorithm, specifically designed for COBOL applications.


Main features:

Data selected for encryption can consist of a single field, a group of fields or a complete record. This field level encryption can be used to target sensitive data only, giving applications access to non-sensitive data without the need for unnecessary file/volume encryption and decryption.

The Redvers Encryption Device is used by customers all over the world, running on iSeries/AS400, UNIX, HP, Linux, Fujitsu Siemens BS2000, Micro Focus and IBM mainframe platforms. It is frequently used in PCI compliant applications.

In addition to encryption, the Redvers Hashing Algorithm can be used to produce SHA-1, SHA-2 or SHA-3 message digests of 224, 256, 384 or 512 bit lengths, ensuring safe, authenticated data transfer to/from any location.




How strong is AES encryption?

Here's an excerpt from a National Institute of Standards and Technology (NIST) Fact Sheet:

"Because of its greater strength and efficiency, AES eventually will replace NIST's earlier Data Encryption Standard (DES), in use since 1977, and Triple DES, approved in 1999. Assuming that one could build a machine that could recover a DES key in a second, then it would take that machine approximately 149 trillion (thousand-billion) years to crack a 128-bit AES key; this is longer than our universe has existed. In 1997, NIST invited the world's best cryptographers to submit and help evaluate algorithms for the new encryption standard. This four-year effort resulted in the new AES."

How it Works

The Redvers Encryption Device consists of a pair of efficient, easy-to-use COBOL subroutines (RCENCRYP and RCDECRYP) that encrypt and decrypt data strings as required. These subroutines may be called in either batch or on-line mode.

Data to be encrypted (plaintext) is passed to RCENCRYP in the form of a character string held in application storage. RCENCRYP then returns the equivalent encrypted string (ciphertext). Parameter information, including the string length, confidentiality mode and encryption key, is transferred in a fixed-format communication block.

Decryption is performed by passing the ciphertext string to RCDECRYP along with the communication block. RCDECRYP then returns the equivalent, readable plaintext.

Secure test data can also be generated by RCENCRYP based on the encrypted ciphertext. Alphanumeric values are returned in the form of a base64 character string and numeric values are returned as an integer.

The diagram below shows how encryption / decryption routines might be used to transfer confidential data from one secure environment to another:

Encryption Flowchart

The Redvers Encryption Device runs the standard AES cipher, which means it can generate ciphertext for decryption by other AES implementations and decrypt ciphertext generated by other AES implementations.

Technical Information

The Redvers Encryption Device (2.1) uses the Advanced Encryption Standard (AES) algorithm, developed by two Belgian cryptographers, Vincent Rijmen and Joan Daemen (a combination of their surnames producing the Rijndael name). The AES symmetric block cipher was announced in 2001 by the National Institute of Standards and Technology (NIST) in U.S. FIPS Publication 197.

The AES algorithm is used in conjunction with one of five confidentiality modes, defined in NIST Special Publication 800-38A. These modes are: Electronic Codebook (ECB), Cipher Block Chaining (CBC), Cipher Feedback (CFB), Output Feedback (OFB) and Counter (CTR). The Redvers Encryption Device supports all five confidentiality modes.

The Redvers Encryption Device fully conforms to FIPS PUB 197 and NIST Special Publication 800-38A specifications and has been validated by the Cryptographic Algorithm Validation Program (CAVP) at NIST - validation number 1141.

Redvers Encryption Device programs do not contain any information that can be used to derive encryption keys or plaintext values. These programs are simply computer instructions that implement the publicly known AES cipher logic. They are therefore suitable for both production and development environments.

Encryption and decryption is performed using keys of 128, 192 or 256 bits (16, 24 or 32 characters).

Machine memory used by the device to temporarily store plaintext and encryption keys is wiped clean with a "clean storage" call once all data has been encrypted or decrypted.

Because COBOL data can terminate with a binary field, the Redvers Encryption Device uses the Public-Key Cryptography Standards (PKCS#7) padding method (ECB, CBC and CFB confidentiality modes only).
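As an added illustration of the padding scheme just named (this is example code written for this page, not the Redvers product's own routines, whose internals the page does not show), the following Python implements PKCS#7 padding and its validation for the 16-byte AES block. The point relevant to COBOL records that end in a binary field is that PKCS#7 is unambiguous: padding is always appended, even when the data is already a block multiple, so a trailing 0x03 0x03 0x03 in the record can never be mistaken for padding.

```python
BLOCK_SIZE = 16  # AES block size in bytes, the same for 128-, 192- and 256-bit keys


def pkcs7_pad(data: bytes, block_size: int = BLOCK_SIZE) -> bytes:
    """Append n bytes, each of value n (1 <= n <= block_size), so that the result
    is a whole number of blocks.

    Padding is always added: input that is already a block multiple gains one
    full block of value block_size. That is what makes the scheme reversible
    even when the real data ends in bytes that look like padding.
    """
    if not 1 <= block_size <= 255:
        raise ValueError("PKCS#7 block size must be between 1 and 255")
    n = block_size - (len(data) % block_size)
    return data + bytes([n]) * n


def pkcs7_unpad(padded: bytes, block_size: int = BLOCK_SIZE) -> bytes:
    """Strip PKCS#7 padding, checking every pad byte rather than only the last one."""
    if not padded or len(padded) % block_size:
        raise ValueError("input is not a whole number of blocks")
    n = padded[-1]
    if not 1 <= n <= block_size or padded[-n:] != bytes([n]) * n:
        raise ValueError("invalid PKCS#7 padding")
    return padded[:-n]


def round_trip(record: bytes) -> tuple:
    """Pad then unpad a record; returns (padded length, recovered record)."""
    padded = pkcs7_pad(record)
    return len(padded), pkcs7_unpad(padded)


if __name__ == "__main__":
    # Constructed sample: a record whose last field is the binary value 0x030303.
    record = b"CUSTNO=000042;" + b"\x03\x03\x03"
    padded_len, recovered = round_trip(record)
    print(padded_len, recovered == record)
```

In a decrypting application the `ValueError` from `pkcs7_unpad` should be handled exactly like any other decryption failure (same error code, same logging), so that callers cannot distinguish "bad padding" from "bad ciphertext".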

In order to facilitate the generation of test data, ciphertext can be returned in Base64 encoded form (as defined in IETF RFC 4648) or as a single integer (some truncation may apply).

Encryption rates are 125,000 bytes per second running ECB confidentiality mode with a 256 bit key. Decryption rates are 60,000 bytes per second running ECB mode with a 256 bit key. Faster decryption rates can be achieved if CFB, OFB or CTR confidentiality modes are used, as these modes use the forward cipher for decryption. All benchmark timings were performed on an IBM zSeries mainframe running z/OS 1.10.
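To make concrete why CFB, OFB and CTR can decrypt with the forward cipher alone, here is an added Python sketch of the three modes. It is example code for this page, not the Redvers product's code, and it assumes a stand-in block function built from SHA-256 (labelled `toy_forward_cipher`; it is not AES and is deliberately not invertible). That choice is the demonstration: decryption still round-trips, because none of these modes ever calls an inverse cipher. CFB here is the full-block (128-bit) variant and requires whole blocks, consistent with the page's statement that CFB input is PKCS#7 padded.

```python
import hashlib

BLOCK_SIZE = 16  # AES block size in bytes


def toy_forward_cipher(key: bytes, block: bytes) -> bytes:
    """Assumption: a keyed one-way function standing in for the AES forward cipher.

    Real AES is an invertible permutation; using a one-way stand-in shows that
    CFB, OFB and CTR never need the inverse direction at all.
    """
    if len(block) != BLOCK_SIZE:
        raise ValueError("block must be exactly one cipher block")
    return hashlib.sha256(key + block).digest()[:BLOCK_SIZE]


def _xor(a: bytes, b: bytes) -> bytes:
    # zip truncates to the shorter input, which handles a partial final block
    return bytes(x ^ y for x, y in zip(a, b))


def _blocks(data: bytes):
    for i in range(0, len(data), BLOCK_SIZE):
        yield data[i:i + BLOCK_SIZE]


def ctr_crypt(key: bytes, initial_counter: bytes, data: bytes) -> bytes:
    """CTR mode: encrypt successive counter blocks and XOR them with the data.

    The same call encrypts and decrypts; a partial final block simply uses the
    first bytes of the last keystream block, so no padding is needed.
    """
    counter = int.from_bytes(initial_counter, "big")
    out = bytearray()
    for chunk in _blocks(data):
        keystream = toy_forward_cipher(key, counter.to_bytes(BLOCK_SIZE, "big"))
        out += _xor(chunk, keystream)
        counter = (counter + 1) % (1 << (8 * BLOCK_SIZE))  # wrap modulo 2^128
    return bytes(out)


def ofb_crypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """OFB mode: the cipher output is fed back into itself to make a keystream.

    Data never enters the cipher, so encryption and decryption are identical.
    """
    feedback = iv
    out = bytearray()
    for chunk in _blocks(data):
        feedback = toy_forward_cipher(key, feedback)
        out += _xor(chunk, feedback)
    return bytes(out)


def cfb_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB-128 encryption: each ciphertext block is the next cipher input."""
    if len(plaintext) % BLOCK_SIZE:
        raise ValueError("CFB-128 input must be padded to whole blocks")
    feedback = iv
    out = bytearray()
    for chunk in _blocks(plaintext):
        ciphertext_block = _xor(chunk, toy_forward_cipher(key, feedback))
        out += ciphertext_block
        feedback = ciphertext_block
    return bytes(out)


def cfb_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """CFB-128 decryption: still the forward cipher, applied to the previous
    ciphertext block. The slower inverse cipher is never run, which is the
    reason the page gives for faster decryption in these modes."""
    if len(ciphertext) % BLOCK_SIZE:
        raise ValueError("CFB-128 input must be whole blocks")
    feedback = iv
    out = bytearray()
    for chunk in _blocks(ciphertext):
        out += _xor(chunk, toy_forward_cipher(key, feedback))
        feedback = chunk
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample values: a 256-bit key, an all-zero IV and a 24-byte record.
    key, iv = b"\x01" * 32, b"\x00" * BLOCK_SIZE
    record = b"CONFIDENTIAL RECORD 0001"
    print(ctr_crypt(key, iv, ctr_crypt(key, iv, record)) == record)
    print(ofb_crypt(key, iv, ofb_crypt(key, iv, record)) == record)
    padded = record + b"\x08" * 8  # PKCS#7 padded to 32 bytes for CFB-128
    print(cfb_decrypt(key, iv, cfb_encrypt(key, iv, padded)) == padded)
```

The IV or initial counter must be unique per message under a given key in all three modes; reusing one with CTR or OFB yields an identical keystream for both messages, so their XOR reveals the XOR of the plaintexts.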

Redvers Hashing Algorithm

The Redvers Hashing Algorithm (2.3) is a COBOL subroutine that can be called from COBOL applications to calculate a hash total (message digest) for any given message string. A total of nine algorithms are supported: SHA-1, SHA-2 (224, 256, 384 or 512 bit lengths) and the latest SHA-3 algorithms (224, 256, 384 or 512 bit lengths). In addition, truncated message digests of 224 or 256 bits can be created from the SHA-512 algorithm (SHA-512/224 and SHA-512/256).

Definitions for the SHA-1 and SHA-2 algorithms can be found in FIPS Publication 180-4. Current definitions for the SHA-3 algorithms can be found in the Keccak Reference document. SHA-3 logic is currently in a provisional state, awaiting NIST confirmation.

Information passed to the hashing routine can consist of a single data string or a series of strings from an input file or database row. The resulting hash totals are returned in binary, hexadecimal and Base64 formats for easy application processing.
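The following added Python example (written for this page, not the Redvers Hashing Algorithm's own code) shows the two behaviours described above with the standard `hashlib` module: a series of strings, such as the fields of one record, is fed into a single digest, and the result is returned in binary, hexadecimal and Base64 form. It also shows the caveat a practitioner should know: hashing fields one after another is the same as hashing their concatenation, so `ab` + `c` and `a` + `bc` produce the same digest unless the fields are framed, here by a length prefix (an assumption of this example, not something the page specifies).

```python
import base64
import hashlib

# Map from the names used on the page to Python hashlib constructor names.
# SHA-512/224 and SHA-512/256 are only present in builds whose OpenSSL supports
# them, so availability is checked at run time rather than assumed.
ALGORITHMS = {
    "SHA-1": "sha1",
    "SHA-224": "sha224", "SHA-256": "sha256", "SHA-384": "sha384", "SHA-512": "sha512",
    "SHA3-224": "sha3_224", "SHA3-256": "sha3_256", "SHA3-384": "sha3_384", "SHA3-512": "sha3_512",
    "SHA-512/224": "sha512_224", "SHA-512/256": "sha512_256",
}


def digest_fields(algorithm: str, fields) -> dict:
    """Hash a series of byte strings as one message; return binary, hex and Base64."""
    name = ALGORITHMS[algorithm]
    if name not in hashlib.algorithms_available:
        raise ValueError(f"{algorithm} is not available in this Python build")
    h = hashlib.new(name)
    for field in fields:
        h.update(field)  # incremental update == hashing the concatenation
    raw = h.digest()
    return {
        "binary": raw,
        "hex": raw.hex(),
        "base64": base64.b64encode(raw).decode("ascii"),
    }


def digest_fields_framed(algorithm: str, fields) -> dict:
    """Same, but each field is prefixed with its 4-byte big-endian length so that
    different splits of the same bytes hash to different digests."""
    framed = [len(f).to_bytes(4, "big") + f for f in fields]
    return digest_fields(algorithm, framed)


if __name__ == "__main__":
    # Constructed sample record split into fields two different ways.
    for algorithm in ("SHA-1", "SHA-256", "SHA3-256"):
        same = digest_fields(algorithm, [b"ab", b"c"])["hex"] == digest_fields(algorithm, [b"a", b"bc"])["hex"]
        framed = digest_fields_framed(algorithm, [b"ab", b"c"])["hex"] == digest_fields_framed(algorithm, [b"a", b"bc"])["hex"]
        print(algorithm, "unframed collide:", same, "framed collide:", framed)
```

Note that a message digest on its own only detects accidental or unauthenticated change; anyone who can alter the message can recompute the digest, so the digest must travel through a channel the receiver trusts, or be keyed or signed, for the transfer to be authenticated.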


Celebrating our 25th year in business (1988 - 2013)

"I have been very pleased with the approach we took and the simplicity of the design to utilize the Redvers Encryption Device."

ADD Systems (USA)



"The encryption device is working beautifully and there are no issues at all."

Teleflora (USA)



"we have now received the seal of approval on the PCI certification."

Datamann (USA)



"There were no problems downloading the files. We've compiled the programs and are encrypting and decrypting data for our tests."

High Touch (USA)



"Everything looks good. I'll relay to management that your product meets our needs."

HCC (USA)



"Nice product. 1000's of encryptions and decryptions to date. No issues."

DGA Fullfilment Services (Canada)