Re: How to validate passwords without storing them anywhere. -- MIDRANGE-L

I have used ENCRYPT, but I can not reproduce it now. I do not remember the
details.
To produce different encrypted text is a requirement for passing one of the
tests for secure algorithms.

On Thu, Mar 18, 2021 at 12:15 PM Rob Berendt <rob@xxxxxxxxx> wrote:

I would really like to know the details on that.
For example, along with ENCRYPT_AES, ENCRYPT_RC2, ENCRYPT_TDES there's an
ENCRYPT but you won't find ENCRYPT in the Knowledge Center. However it
works.

Maybe IBM tried something silly like changing ENCRYPT from ENCRYPT_TDES to
ENCRYPT_AES and considered ENCRYPT to translate to "whatever is current".
Pure speculation on my part.
Tried pulling some old Knowledge Centers but I can only find up to 7.1 and
none of them mention ENCRYPT.

But maybe I am missing your point. Perhaps your point isn't that the
results of ENCRYPT...(MYSTRING, MYKEY) would generate different results
upon each execution, even with the same values, as that shouldn't matter as
long as DECRYPT...(ENCRYPTEDSTRING, MYKEY) retrieves the same value.

Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1
Group Dekko
Dept 1600
Mail to: 7310 Innovation Blvd, Suite 104
Ft. Wayne, IN 46818
Ship to: 7310 Innovation Blvd, Dock 9C
Ft. Wayne, IN 46818
http://www.dekko.com

-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of
Raul Alberto Jager Weiler
Sent: Thursday, March 18, 2021 11:01 AM
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxxxxxxxx>
Subject: Re: How to validate passwords without storing them anywhere.

CAUTION: This email originated from outside of the organization. Do not
click links or open attachments unless you recognize the sender and know
the content is safe.

I had a program where I encrypted the user's email with his password, then
to check I used the same procedure and compared the result against the
saved one. Using SQL encryption)
After an OS upgrade the program stopped working. A better encryption
algorithm generates different "encrypted data" using the same text and the
same password.

On Wed, Mar 17, 2021 at 6:06 PM Patrik Schindler <poc@xxxxxxxxxx> wrote:

Hello Rob,

Am 17.03.2021 um 20:03 schrieb Rob Berendt <rob@xxxxxxxxx>:

If I have these hex codes in DSPPFM
0122DF02DAB6856F42E4EF0BA8
08CE2F055E9100FEF3B661B953
And, even if you knew the word being stored is 'VALID',
just how likely is it to figure out the encryption key used in this

process?

How likely is it that IBM POWER machines become inoperable? And still,
companies opt to have machine level redundancy, extremely costly.

It's the same with security: How far would you go to prevent a very fatal
but extremely unlikely event?

How likely is it that there is a security breach into the VPN
infrastructure, in turn allowing access to all internal servers

*including*

IBM i, because credentials have been stored on a private laptop, being
infected by malware, copying "interesting" data back "home"?

How likely is it that on some windows share (being accessible with the
same credentials) are scripts running automatisms, containing passwords

in

clear text, allowing an attacker to gain a 5250 login?

How likely is is that this attacker knows enough about IBM i to search

for

the central application on that machine and succeeds?

How likely is it that he is able to find and can cpytostmf the login
credentials database, ftp'ing it to that windows machine and in turn

upload

it to dropbox or something similar?

Just give it a thought.

:wq! PoC

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing

list

To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our affiliate
link: https://amazon.midrange.com

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our affiliate
link: https://amazon.midrange.com
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our affiliate
link: https://amazon.midrange.com