|
agree ----- Original Message ----- From: V. Leveque <vleveque@earthlink.net> To: <MIDRANGE-L@midrange.com> Sent: Monday, September 27, 1999 10:51 AM Subject: RE: Rewarding Challenge AS/400 > The security in an crypto system is based entirely in the key itself, not in > the particular algorithm. This has been a principle of cryptography since > the late 19th century. Analogous to I can tell you everything about how the > lock is constructed, but without a key you still can't get in. > > Another point is that it is impossible to do an accurate risk assessment and > protect your systems unless you know what the vulnerabilities are. Knowing > there is a flaw in the password crypto means first you are aware this is an > exposure (so you are not blind-sided when it happens) and second allows you > to take compensating measures to protect this vulnerability (restrict access > to utilities which provide the encrypted passwords, audit system use for > unauthorized access attempts resulting from compromised passwords, maybe > front-end the AS/400 with a one-time password server like ACE/Server, etc.) > > I work advising folks on security. I really hate "security by obscurity". > It makes it impossible to say what's broken, how serious it is, and how it > can be fixed. > > > At 01:02 PM 9/27/99 +0100, you wrote: > >Haven't you just told everyone how to decrypt as400 passwords? > > > >If so, isnt that very irresponsible? > > > >>>> -----Original Message----- > >>>> From: leif@ibm.net [mailto:leif@ibm.net] > >>>> Sent: Saturday, September 18, 1999 6:38 AM > >>>> To: MIDRANGE-L@midrange.com > >>>> Subject: Re: Rewarding Challenge AS/400 > >>>> > >>>> > >>>> let me clarify. there are actually TWO encrypted values stored in > >>>> the user-password table QSYUPTBL. One is the user id encrypted with > >>>> the password, the other is a secret unique key encrypted > >>>> with the password. > >>>> The latter is the easier one. If you have access to the > >>>> first you also have > >>>> access to the second. Both can be decrypted by brute force. > >>>> There is a > >>>> program you can download from the internet that does this. > >>>> On a 500 MHz PIII or equivalent the latter takes at most > >>>> 6.7 hours while the > >>>> first takes at most 40 times as long. So send me the second > >>>> of the two > >>>> encrypted values. Also send the password to someone else on the list > >>>> so the validity of my decryption that be verified. The > >>>> encryption method is > >>>> in both cases 56-bit DES, which is strong enough at it is. > >>>> The reason we > >>>> can crack the encryption is the limited key space (only 40 > >>>> different symbols) > >>>> and the crummy way IBM has applied the (otherwise strong) > >>>> DES algorithm. > >>>> > >>>> ----- Original Message ----- > >>>> From: <leif@ibm.net> > >>>> To: <MIDRANGE-L@midrange.com> > >>>> Sent: Friday, September 17, 1999 8:57 PM > >>>> Subject: Re: Rewarding Challenge AS/400 > >>>> > >>>> > >>>> > I'll take you up one that one. > >>>> > I'll decrypt it in less than a day. > >>>> > ----- Original Message ----- > >>>> > From: Steve Glanstein <mic@aloha.com> > >>>> > To: mr <midrange-l@midrange.com> > >>>> > Cc: Leif Svalgaard <leif@ibm.net> > >>>> > Sent: Friday, September 17, 1999 4:32 PM > >>>> > Subject: Rewarding Challenge AS/400 > >>>> > > >>>> > > >>>> > > > >>>> > > >The encryption method **may** change from release to > >>>> release, but > >>>> between > >>>> > > >machines on the same release, and from what I've > >>>> played with, it > >>>> **seems** > >>>> > > >the same method but who really knows ? > >>>> > > > >>>> > > It is the same method. For example, the encrypted > >>>> password for user TEST, > >>>> > > password TEST is 50C8C4C683D60CE2. This is the same on > >>>> V1R2 through V4R3. > >>>> > > > >>>> > > This encryption is done with both user id and password. > >>>> No other parts > >>>> are > >>>> > > needed. For example, if you replace another password > >>>> for TEST with the > >>>> > > above hex then TEST will have a password of TEST. > >>>> > > > >>>> > > Unfortunately the software vendor (you know who I > >>>> mean!)doesn't have > >>>> > > enough confidence in the encryption technique to permit > >>>> public analysis > >>>> > > and verification that it is truly one way. > >>>> > > > >>>> > > The answer to people who can crack the AS/400 > >>>> password...I'll send them > >>>> the > >>>> > > encrypted password and see if they can decrypt it! This > >>>> was done several > >>>> > > times with PGP and the network went silent. > >>>> > > > >>>> > > Steve Glanstein > >>>> > > mic@aloha.com > >>>> > > > >>>> > > > >>>> > > +--- > >>>> > > | This is the Midrange System Mailing List! > >>>> > > | To submit a new message, send your mail to > >>>> MIDRANGE-L@midrange.com. > >>>> > > | To subscribe to this list send email to > >>>> MIDRANGE-L-SUB@midrange.com. > >>>> > > | To unsubscribe from this list send email to > >>>> > MIDRANGE-L-UNSUB@midrange.com. > >>>> > > | Questions should be directed to the list owner/operator: > >>>> > david@midrange.com > >>>> > > +--- > >>>> > > > >>>> > > >>>> > +--- > >>>> > | This is the Midrange System Mailing List! > >>>> > | To submit a new message, send your mail to > >>>> MIDRANGE-L@midrange.com. > >>>> > | To subscribe to this list send email to > >>>> MIDRANGE-L-SUB@midrange.com. > >>>> > | To unsubscribe from this list send email to > >>>> MIDRANGE-L-UNSUB@midrange.com. > >>>> > | Questions should be directed to the list owner/operator: > >>>> david@midrange.com > >>>> > +--- > >>>> > > >>>> > >>>> +--- > >>>> | This is the Midrange System Mailing List! > >>>> | To submit a new message, send your mail to > >>>> MIDRANGE-L@midrange.com. > >>>> | To subscribe to this list send email to > >>>> MIDRANGE-L-SUB@midrange.com. > >>>> | To unsubscribe from this list send email to > >>>> MIDRANGE-L-UNSUB@midrange.com. > >>>> | Questions should be directed to the list owner/operator: > >>>> david@midrange.com > >>>> +--- > >>>> > >+--- > >| This is the Midrange System Mailing List! > >| To submit a new message, send your mail to MIDRANGE-L@midrange.com. > >| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com. > >| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com. > >| Questions should be directed to the list owner/operator: david@midrange.com > >+--- > > > > > > |----------------------------| "Outside of a dog, a book is a man's > |\ / | \ / | best companion. Inside of a dog, > | \/ INCENT |__E \/EQUE | it's too dark to read." > |----------------------------| -- Groucho Marx > > +--- > | This is the Midrange System Mailing List! > | To submit a new message, send your mail to MIDRANGE-L@midrange.com. > | To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com. > | To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com. > | Questions should be directed to the list owner/operator: david@midrange.com > +--- > +--- | This is the Midrange System Mailing List! | To submit a new message, send your mail to MIDRANGE-L@midrange.com. | To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com. | To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com. | Questions should be directed to the list owner/operator: david@midrange.com +---
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.
midrange.com
