• Subject: RE: Rewarding challenge AS/400...
  • From: Chris Bipes <ChrisB@xxxxxxxxxxxxxxx>
  • Date: Thu, 16 Sep 1999 15:29:09 -0700

Phil,

I am a programmer and have the ability to get an AS400 really cheap.  I mean
almost free if I wanted to.  So it an old B10 system.  Does it still have
the same encryption as a 720 running V4R4?  If so,  I can hack away until I
crack the code.  Now I have the program that I can post source for, sell, or
install on any system I get sufficient access to.  Gee how many packages
have you installed that say to sign on as a security officer to install.
Any one of these packages could load this decryption program, and guess
what, your system is now hackable.

No, I have no idea of where to start with encryption/decryption or any
desire to, but how many old AS400s are floating around?  Once a hacker gets
a hold of one,  look out.

One should always check program authorities, adopted vs. owner for all
packages they install and make sure the owner is not a security
officer/administrator.  Especially if requested to be installed from
QSECOFR.

Christopher K. Bipes    mailto:ChrisB@Cross-Check.com
Sr. Programmer/Analyst  mailto:Chris_Bipes@Yahoo.com
CrossCheck, Inc.        http://www.cross-check.com
6119 State Farm Drive   Phone: 707 586-0551 x 1102
Rohnert Park CA  94928  Fax: 707 586-1884

*Note to Recruiters
I nor anyone that I know of is interested in any new and/or exciting
positions. Please do not contact me.


-----Original Message-----
From: Phil Hall [mailto:hallp@ssax.com]
Sent: Thursday, September 16, 1999 1:54 PM
To: MIDRANGE-L@midrange.com
Subject: Re: Rewarding challenge AS/400...


Bruce,

> I don't understand why having password limiting system values would
> lead to the conclusion that the method of encryption is not strong.
> Could you expand on this?

Sure.

There are, as you know, a number of system values that limit what you can
choose as a password. Most of them (such as QPWDLMTREP to limit repeating
characters) can be supported by just checking the clear text version of the
password before it's encrypted, and are trivial to implement in code. The
system value in questioning the encryption strength is QPWDPOSDIF. This
sysval stops you from changing your password from ABC1 to ABC2, because the
ABC are still in the same place. One of the things that makes an encryption
algorithm strong is the ability to hide the 'positional information' about
the text being encrypted, because if your encrypted strings for ABC1 & ABC2
end up, for example as C1C2C3F1 and C1C2C3F2, then it makes it very simple
(simple in relative terms in cryptology) to determine/reverse the encryption
algorithm hence my point that the encryption method cannot be very strong
(again, strong in cryptology terms).

My point being that if IBM is saying there is no way to decrypt the password
then the encrypted password must be 'showing' the positional information for
the code to determine the positions of the characters in the old password
verses the new password.

Encryption algorithms such as, say, Blowfish do leave the 'positional
information' in the encrypted form, and dependent upon the size of the key
used are breakable.

I, personally have nothing to fear from the AS/400 encryption method being
cracked in the near future, for a number of reasons;

1. Nobody knows what method IBM is using - although it seems to be machine
independent i.e. nothing seems to be used from the machine to encrypt the
passwords.

2. Encrypted passwords on the AS/400 use aprox. 2000 bytes of storage for
the 10 characters of clear text you enter for your password

3. The object protection for programs makes it very difficult to run
anything (any user written code) that can be used to help, unless you've got
a high authority user ID all ready - in that case there is a bigger security
hole !

--phil

+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator:
david@midrange.com
+---
+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---

This thread ...

Follow-Ups:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2019 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].