DB2 SQL Function To Hash Passwords


  • DB2 SQL Function To Hash Passwords

    I need to protect user passwords stored in the user password table.

    I have already prototyped the use of encrypt_aes() and storing the pw in a "varchar() for bit data" column (using a "secret encryption key"). This solution was very elegant and easy-to-use (the RPG cryptographic APIs are a bit cumbersome). I've prototyped a procedure that accepts a userid and a plaintext password and compares the encrypted value to the value in the table. This solution is also very elegant and easy-to-use. With this solution, we would be relying on iSeries object/procedure/source security to ensure no one locates the "human readable" encryption key.

    However, if someone knows the secret encryption key, they can decrypt the password. When I researched this dilemma, I discovered the concept of storing "hashed" passwords. However, I do not see a DB2 equivalent of this. I did see that the RPG cryptographic APIs allow for this. I was curious if there was a DB2 version of hashing for password protection. If not, what are the DB2/SQL-centric shops doing to store and work with hashed data?






  • #2
    I assume you have to wait until Release 7.4, where we get all kinds of HASH functions: HASH_MD5, HASH_SHA1, HASH_SHA256, and HASH_SHA512.
    Birgitta
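
The stored-hash flow asked about in the first post, as an added Python example that is not code from either poster or from IBM: only a per-user salt and a one-way digest are kept, and a login is checked by recomputing the digest, so there is no key that decrypts the table. It goes beyond a single SHA-256 call by using PBKDF2-HMAC-SHA256 from Python's standard library; the function names, the record layout and the iteration count are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000   # assumed work factor; raise it as hardware allows
SALT_LEN = 16          # bytes of per-user random salt


def _digest(password: str, salt: bytes, iterations: int) -> bytes:
    # Hash a fixed byte encoding: the same characters in another
    # encoding (or CCSID) produce a different digest.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password: str, iterations: int = ITERATIONS) -> dict:
    """Build the values to store for one user; the password itself is not kept."""
    salt = os.urandom(SALT_LEN)
    return {"salt": salt, "iterations": iterations,
            "digest": _digest(password, salt, iterations)}


def verify(password: str, record: dict) -> bool:
    """Recompute the digest from the login attempt and compare in constant time."""
    candidate = _digest(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])


def needs_rehash(record: dict) -> bool:
    """True when a record was written with a lower work factor than today's."""
    return record["iterations"] < ITERATIONS


if __name__ == "__main__":
    # Constructed sample credentials, for illustration only.
    alice = make_record("correct horse battery staple")
    bob = make_record("correct horse battery staple")
    print("right password accepted:", verify("correct horse battery staple", alice))
    print("wrong password accepted:", verify("Correct horse battery staple", alice))
    print("same password, different digests:", alice["digest"] != bob["digest"])
```

The salt and iteration count are stored beside the digest in the same row; `needs_rehash` lets a record be rewritten with a higher work factor at the user's next successful login.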
