RE: MD5 via RPG? -- MIDRANGE-L

Thanks everyone who replied!
The MD5 seems to work okay.

The reason I wanted it, and you will too in the future, is for e-commerce or
web-based applications.

You store a list of users and MD5-encoded passwords in a database, these
people can access your application. Why not use OS/400 security? The biggest
reason is to not create a bunch of user profiles. If your AS?400 is on the
Internet, it is much more prudent to populate a simple user database than
manage user profiles whose sole functions is to get to your application.
Also, if you don't create user profiles, then the user, even if they can use
your application, cannot FTP into your AS/400 because they don't have a
valid OS/400 user id. Their only interface is essentially through the
browser. You can easily encrypt passwords on the browser using an MD5
Javascript. For "simple" password protection that is reasonably secure, and
without the hassle of maintaining Apache's "basic authentication" or
similar, MD5 is a very good tool.

My biggest concern is the translation from EBCDIC to ASCII. 

For "the rest of the world", the MD5 hash is 32 alphanumeric characters
ASCII, publicly "tradable" through email, etc. On the AS/400, the MD5 hash
is 16 bytes, whose hexadecimal representation is the MD5. IE, the AS/400
version is not directly readable. Other MD5 hash programs output the text
string of 32 characters. This can be overcome by using a MD5 wrapper
procedure, I'm sure.

My issue is this: On the MD5.c file, there are a series of 7 test cases to
"prove" the MD5 implementation is correct:

"", d41d8cd98f00b204e9800998ecf8427e
"a", 0cc175b9c0f1b6a831c399e269772661
"abc", 900150983cd24fb0d6963f7d28e17f72
"message digest", f96b697d7cb7938d525a2f31aaf161d0
"abcdefghijklmnopqrstuvwxyz", c3fcd3d76192e4007dfb496cca67e13b
"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
d174ab98d277d9f5a5611c2c9f419d9f
"123456789012345678901234567890123456789012345678901234567890123456789012345
67890", 57edf4a22be3c955ac49da2e2107b67a

Unfortunately, this is not directly comparable on the AS/400, because of
ASCII/EBCDIC translation. For my test case, I had to directly compare ASCII
"P" with EBCDIC "&" to achieve MD5: 44 c2 9e db 10 3a 28 72 f5 19 ad 0f da
aa. 

Given the fact that a "normal" MD5 is alphanumeric and the AS/400 MD5 is the
hex representation of bytes, and of the ASCII/EBCDIC translation, will this
be of real use when using the AS/400 to serve web pages, if you want to use
MD5 as a password protection mechanism?

Loyd

-----Original Message-----
From: Don [mailto:dr2@cssas400.com]
Sent: Monday, June 26, 2000 3:46 PM
To: Leif Svalgaard
Cc: MIDRANGE-L@midrange.com
Subject: Re: MD5 via RPG?




Leif,

would you be interested in posting that to the list?  I think MD5 is going
to get alot more popularity in the near future...

Don in DC



On Mon, 26 Jun 2000, Leif Svalgaard wrote:

> > Does anyone have a procedure to compute a MD5 hash on the AS/400?
> > Preferably, it would be called from an RPG program. I don't want RPG
code
> > (necessarily) to do it, but a method or procedure. Unfortunately, I
don't
> > have a C compiler.
> 
> Every AS/400 has an MI-instruction CYPHER that can compute an MD5
> hash. If you want an MI-program you can call to do this let me know.
+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---