Re: Security Question

>1. Is encryption (perhaps through an encryption key on
>the file?) best through an algorithm, and should it be
>a 400 based encryption algorithm or is it better to
>have a call to a Java based algorithm?
>2. Do such things exist on the 400, or should I follow
>up on a Java based forum?

I would first choose the encryption algorithm that I thought was suitable
to attain the level of protection I need. Then I would check to see if the
algorithm I chose is provided by OS/400 native (through the CIPHER MI
instruction) and/or through Java. If available on both, it is really up to
you. Since I am more of a "native guy" than a Java guy, I would argue that
the native implementation has been used more extensively than the Java
implementation, but this is just an opinion and I'm sure you'd find many
folks that would argue the other side.

Encryption is a double-edged sword. If you need to be able to decrypt
something, then you always have the key management problem whether you use
a symetric or asymetric algorithm. However, depending on the application
you're looking at building you could just do an SSL connection from the
front-end to the back-end. I assume the data doesn't need to be encrypted
when stored on OS/400. Another approach, would be to use the GSS APIs. They
have support to encrypt the messages that you send over the connection. You
get the potentially added benefit of doing a JDBC program that used
Kerberos for authentication rather than having to store and forward user
ID/pwd for the backend system. GSS/Kerberos (aka Network Authentication
Service) has a configuration parameter that allows you to choose from a
number of encryption algorithms. On windows 2k, xp, you use the SSPI (they
don't support the GSSAPI that all the other platforms do).

Patrick Botz