This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. -- -- [ Picked text/plain from multipart/alternative ] Scott, As far as I can tell, (I was not involved in the evolution of the stuff they are using, but it is an in-house developed verification system that runs side by side with the As/400 security "don't ask!!!") it verifies the level of access needed by folks accessing systems from the Web. It seems that the UID/PW are being passed in clear text from the Web, exactly how they are planning on getting so many disparate users to all of a sudden use encrypted data is at the moment beyond me ("I am not a security guru, I prefer to get things done instead of preventing things from getting done")... **Real Time Update** Just grabbed the developer on the fly and it sounds like it is a simple and internal thing! We are storing the UID/PW in clear text and security wants us to encrypt it. The only movement will be from the application to the table and back to the app un-encrypted. So it sounds like we can do it either on the 400 or it can be passed to the 400 (from VB) already encrypted. -- Content-Description: Re: Encryption packages From: Scott Klement <firstname.lastname@example.org> Reply-To: email@example.com To: "Midrange List (E-mail)" <firstname.lastname@example.org> Subject: Re: Encryption packages Date: Fri, 11 Jan 2002 16:34:34 -0500 X-Plaintext: Picked text/plain from multipart/alternative -- [ Picked text/plain from multipart/alternative ] Hi Howard, Reading your message, a few things popped into my head: What exactly are you going to do with the encrypted data? a) does an external system need to be able receive your encrypted data and decrypt it? b) will an external system be sending you encrypted data that you need to decrypt? The reason that I ask is that OS/400 has objects that can be used to store usernames & passwords in an encrypted format, where all the encryption work is hidden from your program. This works great if you just need a list of userids/passwords that are valid for a certain resource, but not so well if you need to transfer it over a LAN and decrypt it somewhere else. If you do need to transfer it, the AS/400 has an MI instruction called "CIPHER" which is capable of doing DES encryption. DES was a great encryption back in it's day, but by todays standards is pretty weak. Still, if the security of it isn't REALLY CRITICAL, then this might be a good option. On Fri, 11 Jan 2002, Weatherly, Howard wrote: > > I was just asked is we have any encryption packages for the 400, I know > think this is available as a feature but I can not find the book or pages > that I read this in. > > Anyone know where I can hunt this information up? and so I can give the > choices, I posted on the COBOL list for any home grown code, but I could > also use some input on any packages anyone might have used. > > My understanding is that security wants us to encrypt UID/PWD that we have > in a external client user verification system, so basically the thing does > not need to be heavy duty. I am going to surf about and cook up a list of > possibilities that I can match with any possible Kudos and/or horror > stories. > _______________________________________________ This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list To post a message email: MIDRANGE-L@midrange.com To subscribe, unsubscribe, or change list options, visit: http://lists.midrange.com/cgi-bin/listinfo/midrange-l or email: MIDRANGE-Lemail@example.com Before posting, please take a moment to review the archives at http://archive.midrange.com/midrange-l.
As an Amazon Associate we earn from qualifying purchases.
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.