× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. June 2000

re: MD5, additional questions.

  • Subject: re: MD5, additional questions.
  • From: "Steve Glanstein" <mic@xxxxxxxxx>
  • Date: Tue, 27 Jun 2000 09:35:04 -1000
  • Importance: Normal
 

Date: Mon, 26 Jun 2000 21:35:11 -0700
From: "Peter Dow" <pcdow@yahoo.com>
Subject: Re: MD5 on the AS/400

Hi Steve,

Questions at the bottom...


>> MD5 is not considered as safe as the more recent Secured Hash-1 which
>> generates 160 bytes of hash.
>>
>> Also, let's say that your program issues a CALL to the MD5 program to
check
>> some sort of code. Remember that inside programmers with access to the
>> STRDBG command can always trace this call and override the parameters in
>> order to find out the information.

> 1) Wouldn't your caveat regarding inside programmers apply to Secured
Hash-1
> also?

Yes...my reference to SHA rather than MD5 relates to the larger bit space.
Also SHA-1 has become somewhat of a standard in the National Institute of
Standards and Technology. FYI, the web site is
http://www.itl.nist.gov/fipspubs/fip180-1.htm.

> 2) Wouldn't removing all program observability solve the strdbg problem?
> Just curious.
> Peter Dow
> Dow Software Services, Inc.
> 909 425-0194 voice 909 425-0196 fax

Not from a programming insider. A programmer would simply rename or override
the MD5 program with their own, display all parameters, and then override as
necessary. The safest way to use MD5/SHA-1 is to have it buried within your
code and not accessible outside.

We have this problem with a visual basic program that we wrote. We can't
just call an outside 'C' module because it would be easily overriden by a
"rogue subroutine"

Steve Glanstein
mic@aloha.com


+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.