TrailBlazer Systems, Inc.
http://www.as400ftp.com
AS/400 Communications & E-Commerce Solutions

The early bird may get the worm, but the second mouse gets the cheese.

> -----Original Message-----
> From: Jim Langston [SMTP:jlangston@conexfreight.com]
> Sent: Wednesday, December 29, 1999 7:04 PM
> To: MIDRANGE-L@midrange.com
> Subject: Re: change password API
>
> Tim, you do not need to be able to recover one on the
> other end. Consider. I encrypt the password on the PC
> using the same encryption IBM uses in OS/400 (if I knew
> what it was). I then send the result of this, the encrypted
> password, to the AS/400 through the network. On the AS/400
> I then compare this string to the string stored in my user
> profile for my encrypted password. I never had to recover
> it on the AS/400. The AS/400, in theory, does not know
> what I originally typed in, just what it encrypted to.
>
> Now, as for "nothing that can't be decrypted". Let's take
> a very simple encryption scheme. You give me any word,
> and for every letter in it I will put a 1 or a 0. A 1 if it is
> an odd number of the alphabet, a 0 if it's even.
>
> so CAT = 111
> DOG = 001
> etc...
>
> As you can see, there are flaws to this simple scheme, as
> many different words will produce the same encrypted
> string. But, the point is, you tell me, what password is 111 ???
>
> If something is never meant to be decrypted, but only compared,
> it is possible to make an unencryptable string that will produce
> the same result from the given text.
>
> The flaw comes in from the password comparison. I just keep
> trying different strings and encrypting them until they compare
> to the original. But, the fact of the matter is, I never did really
> decrypt the original encrypted string. I just used a brute force
> method and tried every possible string until one matched.
>
> If I am allowed enough characters in my password, say 100
> or so (not sure what the length of a PGP password is) it would take
> you enough time to try every possible combination that it can
> be considered to be "un-decryptable". And that is not "garbage".
>
> Regards,
>
> Jim Langston
>
> Tim McCarthy wrote:
>
> > Jim,
> > Firstly, whether OS/400 ever decrypts the password or not is irrelevant
> > to the situation in hand. If I need to avoid sending a plain text
> > password over an unprotected channel then I need to encrypt either the
> > actual password or the hash and I need to be able to recover one of
> > these values at the other end. Secondly, the basis for any cryptosystem
> > is that some standard plain text produces a certain output as the result
> > of a known transformation, otherwise it's plainly useless. And as any
> > cryptographer will tell you there's nothing that can't be decrypted,
> > it's just a matter of the time and effort required to do so.
> > Thus..."Anything that can't be decrypted is garbage."
> > +---
> | This is the Midrange System Mailing List!
> | To submit a new message, send your mail to MIDRANGE-L@midrange.com.
> | To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
> | To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
> | Questions should be directed to the list owner/operator: david@midrange.com
> +---
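Added example, not part of the original thread: the odd/even letter scheme from the quoted message written out in Python, showing compare-only verification, how an exhaustive search returns a colliding word rather than the original, and how the search space grows with length. The function names are made up for this sketch, and letter positions are assumed to count from A=1.

```python
from itertools import product
from string import ascii_uppercase


def parity_digest(word: str) -> str:
    """Toy one-way transform: 1 for an odd alphabet position, 0 for even (A=1)."""
    word = word.upper()
    if not word or any(c not in ascii_uppercase for c in word):
        raise ValueError("letters A-Z only")
    # With A=1 this rule gives CAT -> 110 and DOG -> 011.
    return "".join(str((ord(c) - 64) % 2) for c in word)


def verify(candidate: str, stored_digest: str) -> bool:
    """Compare-only check: the stored digest is never turned back into text."""
    return parity_digest(candidate) == stored_digest


def first_match(stored_digest: str, alphabet: str = ascii_uppercase):
    """Exhaustive search: first candidate that verifies, plus attempts used."""
    length = len(stored_digest)  # this toy digest reveals the word length
    for tries, letters in enumerate(product(alphabet, repeat=length), start=1):
        guess = "".join(letters)
        if verify(guess, stored_digest):
            return guess, tries
    return None, len(alphabet) ** length


def preimage_count(stored_digest: str) -> int:
    """Words sharing a digest: 13 odd or 13 even letters fit each position."""
    return 13 ** len(stored_digest)


def search_space(alphabet_size: int, length: int) -> int:
    """Candidates an exhaustive search must cover for a fixed-length secret."""
    return alphabet_size ** length


if __name__ == "__main__":
    stored = parity_digest("CAT")          # constructed sample password
    print(stored, verify("EEL", stored))   # a different word also verifies
    print(first_match(stored))             # a match, but not the original word
    print(preimage_count(stored), "of", search_space(26, 3), "words collide")
    print(len(str(search_space(26, 100))), "digits in the 100-letter space")
```

The search stops at the first colliding word because each position keeps only one bit of the letter; a real password hash is designed so that collisions are impractical to find, which leaves the length and randomness of the password as what the exhaustive search has to overcome.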
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page.