• Subject: Re: Rewarding Challenge AS/400
  • From: leif@xxxxxxx
  • Date: Mon, 27 Sep 1999 20:39:05 -0500

agree

----- Original Message -----
From: V. Leveque <vleveque@earthlink.net>
To: <MIDRANGE-L@midrange.com>
Sent: Monday, September 27, 1999 10:51 AM
Subject: RE: Rewarding Challenge AS/400


> The security in an crypto system is based entirely in the key itself, not
in
> the particular algorithm.  This has been a principle of cryptography since
> the late 19th century.  Analogous to I can tell you everything about how
the
> lock is constructed, but without a key you still can't get in.
>
> Another point is that it is impossible to do an accurate risk assessment
and
> protect your systems unless you know what the vulnerabilities are.  Knowing
> there is a flaw in the password crypto means first you are aware this is an
> exposure (so you are not blind-sided when it happens) and second allows you
> to take compensating measures to protect this vulnerability (restrict
access
> to utilities which provide the encrypted passwords, audit system use for
> unauthorized access attempts resulting from compromised passwords, maybe
> front-end the AS/400 with a one-time password server like ACE/Server, etc.)
>
> I work advising folks on security.  I really hate "security by obscurity".
> It makes it impossible to say what's broken, how serious it is, and how it
> can be fixed.
>
>
> At 01:02 PM 9/27/99 +0100, you wrote:
> >Haven't you just told everyone how to decrypt as400 passwords?
> >
> >If so, isnt that very irresponsible?
> >
> >>>> -----Original Message-----
> >>>> From: leif@ibm.net [mailto:leif@ibm.net]
> >>>> Sent: Saturday, September 18, 1999 6:38 AM
> >>>> To: MIDRANGE-L@midrange.com
> >>>> Subject: Re: Rewarding Challenge AS/400
> >>>>
> >>>>
> >>>> let me clarify. there are actually TWO encrypted values stored in
> >>>> the user-password table QSYUPTBL. One is the user id encrypted with
> >>>> the password, the other is a secret unique key encrypted
> >>>> with the password.
> >>>> The latter is the easier one. If you have access to the
> >>>> first you also have
> >>>> access to the second. Both can be decrypted by brute force.
> >>>> There is a
> >>>> program you can download from the internet that does this.
> >>>> On a 500 MHz PIII or equivalent the latter takes at most
> >>>> 6.7 hours while the
> >>>> first takes at most 40 times as long. So send me the second
> >>>> of the two
> >>>> encrypted values. Also send the password to someone else on the list
> >>>> so the validity of my decryption that be verified. The
> >>>> encryption method is
> >>>> in both cases 56-bit DES, which is strong enough at it is.
> >>>> The reason we
> >>>> can crack the encryption is the limited key space (only 40
> >>>> different symbols)
> >>>> and the crummy way IBM has applied the (otherwise strong)
> >>>> DES algorithm.
> >>>>
> >>>> ----- Original Message -----
> >>>> From: <leif@ibm.net>
> >>>> To: <MIDRANGE-L@midrange.com>
> >>>> Sent: Friday, September 17, 1999 8:57 PM
> >>>> Subject: Re: Rewarding Challenge AS/400
> >>>>
> >>>>
> >>>> > I'll take you up one that one.
> >>>> > I'll decrypt it in less than a day.
> >>>> > ----- Original Message -----
> >>>> > From: Steve Glanstein <mic@aloha.com>
> >>>> > To: mr <midrange-l@midrange.com>
> >>>> > Cc: Leif Svalgaard <leif@ibm.net>
> >>>> > Sent: Friday, September 17, 1999 4:32 PM
> >>>> > Subject: Rewarding Challenge AS/400
> >>>> >
> >>>> >
> >>>> > >
> >>>> > > >The encryption method **may** change from release to
> >>>> release, but
> >>>> between
> >>>> > > >machines on the same release, and from what I've
> >>>> played with, it
> >>>> **seems**
> >>>> > > >the same method but who really knows ?
> >>>> > >
> >>>> > > It is the same method. For example, the encrypted
> >>>> password for user TEST,
> >>>> > > password TEST is 50C8C4C683D60CE2. This is the same on
> >>>> V1R2 through V4R3.
> >>>> > >
> >>>> > > This encryption is done with both user id and password.
> >>>> No other parts
> >>>> are
> >>>> > > needed. For example, if you replace another password
> >>>> for TEST with the
> >>>> > > above hex then TEST will have a password of TEST.
> >>>> > >
> >>>> > > Unfortunately the software vendor (you know who I
> >>>> mean!)doesn't have
> >>>> > > enough confidence in the encryption technique to permit
> >>>> public analysis
> >>>> > > and verification that it is truly one way.
> >>>> > >
> >>>> > > The answer to people who can crack the AS/400
> >>>> password...I'll send them
> >>>> the
> >>>> > > encrypted password and see if they can decrypt it! This
> >>>> was done several
> >>>> > > times with PGP and the network went silent.
> >>>> > >
> >>>> > > Steve Glanstein
> >>>> > > mic@aloha.com
> >>>> > >
> >>>> > >
> >>>> > > +---
> >>>> > > | This is the Midrange System Mailing List!
> >>>> > > | To submit a new message, send your mail to
> >>>> MIDRANGE-L@midrange.com.
> >>>> > > | To subscribe to this list send email to
> >>>> MIDRANGE-L-SUB@midrange.com.
> >>>> > > | To unsubscribe from this list send email to
> >>>> > MIDRANGE-L-UNSUB@midrange.com.
> >>>> > > | Questions should be directed to the list owner/operator:
> >>>> > david@midrange.com
> >>>> > > +---
> >>>> > >
> >>>> >
> >>>> > +---
> >>>> > | This is the Midrange System Mailing List!
> >>>> > | To submit a new message, send your mail to
> >>>> MIDRANGE-L@midrange.com.
> >>>> > | To subscribe to this list send email to
> >>>> MIDRANGE-L-SUB@midrange.com.
> >>>> > | To unsubscribe from this list send email to
> >>>> MIDRANGE-L-UNSUB@midrange.com.
> >>>> > | Questions should be directed to the list owner/operator:
> >>>> david@midrange.com
> >>>> > +---
> >>>> >
> >>>>
> >>>> +---
> >>>> | This is the Midrange System Mailing List!
> >>>> | To submit a new message, send your mail to
> >>>> MIDRANGE-L@midrange.com.
> >>>> | To subscribe to this list send email to
> >>>> MIDRANGE-L-SUB@midrange.com.
> >>>> | To unsubscribe from this list send email to
> >>>> MIDRANGE-L-UNSUB@midrange.com.
> >>>> | Questions should be directed to the list owner/operator:
> >>>> david@midrange.com
> >>>> +---
> >>>>
> >+---
> >| This is the Midrange System Mailing List!
> >| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
> >| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
> >| To unsubscribe from this list send email to
MIDRANGE-L-UNSUB@midrange.com.
> >| Questions should be directed to the list owner/operator:
david@midrange.com
> >+---
> >
> >
>
>      |----------------------------|  "Outside of a dog, a book is a man's
>      |\  /         |    \  /      |  best companion.  Inside of a dog,
>      | \/ INCENT   |__E  \/EQUE   |  it's too dark to read."
>      |----------------------------|        -- Groucho Marx
>
> +---
> | This is the Midrange System Mailing List!
> | To submit a new message, send your mail to MIDRANGE-L@midrange.com.
> | To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
> | To unsubscribe from this list send email to
MIDRANGE-L-UNSUB@midrange.com.
> | Questions should be directed to the list owner/operator:
david@midrange.com
> +---
>

+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---

This thread ...

Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2019 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].