Bob, sounds more like then you're comparing a new hash result against a trusted result to validate an independent variable... kinda like OS/400 passwords work nowadays...

And, really, that hash is basically designed to be a unique key... so, why would you need to decrypt it at the POT/POS? Then, which hash algorithm do you want? MD4/MD5 have a few minor problems I'm told and NIST has a few that are stronger...

And, do you really have to have the need at transaction time to decrypt it or have it in the clear in any form? In theory, you could hash it at the POS/POT and then verify this hash across some net to a trusted source... In theory, this should provide some form of secure transaction.

On Fri, 3 Sep 2004, Bob Cozzi wrote:

> You should encrypt passwords and private data in a database file if it is
> possible for you to do that. Decrypting it is where things get tricky.
> If you only encrypt passwords, then if the end-user forgets it, you can
> generate another one and email it to them or have it on an SSL page to
> retrieve.
> If you encrypt, say my social security number or credit card number, then
> how do you use that information unless you can decrypt it?
> Interesting problem.
> Depending on the laws including where there are none covering this issue,
> you could write a simple cipher routine that, for example, scrambles the
> account number or stores it in a second, private location, where the data in
> the (for example) credit card field is really a key to access the credit
> card information in that other area.
> A validation list object comes to mind as one such semi-secure location or
> level of indirection that may satisfy the requirement.
> -Bob Cozzi
>
> -----Original Message-----
> From: rpg400-l-bounces@xxxxxxxxxxxx [mailto:rpg400-l-bounces@xxxxxxxxxxxx]
> On Behalf Of Rooney, Michael P
> Sent: Friday, September 03, 2004 9:13 AM
> To: RPG programming on the AS400 / iSeries
> Subject: RE: Triple-DES algorithm on AS/400
>
> Emilio,
>
> California law isn't the only reason. What about any sensitive customer
> data?
> As a financial institution we also have to secure customer account PINs and
> addresses.
> As MikeW pointed out, securing the information over the network is one
> thing. Securing it locally is another. Why do you suppose AS/400 passwords
> are stored encrypted, yet passed across the network (TN5250 w/o SSL)
> unencrypted?
>
> Regards,
>
> Michael Rooney
> Citigroup International
>
> -----Original Message-----
> From: rpg400-l-bounces@xxxxxxxxxxxx
> [mailto:rpg400-l-bounces@xxxxxxxxxxxx]On Behalf Of Mike Wills
> Sent: Thursday, September 02, 2004 7:20 PM
> To: RPG programming on the AS400 / iSeries
> Subject: Re: Triple-DES algorithm on AS/400
>
> The problem with that is California's law... you have to encrypt the
> data in the database. So the communication might be secure, but the
> data isn't if someone managed to hack into the 400.
>
> On Thu, 2 Sep 2004 09:29:21 -0600 , Emilio Padilla - Sistemática Intl.
> <epadilla@xxxxxxxxxxxxxxxxxx> wrote:
> > IMHO, why would you want to load encryption/decryption to the as/400?
> > Wouldn't it be easier to buy a cheap firewall (us$ 600) and connect one of
> > your Ethernet cards to it? Let the firewall do the encryption/decryption,
> > that's what they're built for.
> >
> > EAPT
> >
> > -----Original Message-----
> > From: Keith Carpenter [mailto:CarpCon@xxxxxxx]
> > Sent: Thursday, September 02, 2004 7:43 AM
> > To: RPG programming on the AS400 / iSeries
> > Subject: Re: Triple-DES algorithm on AS/400
> >
> > Gene published a MI version of Twofish some years ago.
> > Actually it was a REXX procedure that generated the MI source and then
> > created the program.
> >
> > One of the problems with MI's CIPHER is you need to check that the specific
> > encryption/hash function you want has been installed on your system.
> >
> > I haven't had any experience with this, but it's multi-platform (including
> > OS/400).
> > http://www.cs.auckland.ac.nz/~pgut001/cryptlib/
> >
> > Keith
> >
> > Don (in DC) wrote
> >
> > > Now, we DO have this stuff in MI if this guy wants to play in MI (DES, but
> > > I don't think 2-fish)...and I'm sure that Bob will want them to call the
> > > MI intrinsics from RPG as he usually does...:)
> >
> > --
> > This is the RPG programming on the AS400 / iSeries (RPG400-L) mailing list
> > To post a message email: RPG400-L@xxxxxxxxxxxx
> > To subscribe, unsubscribe, or change list options,
> > visit: http://lists.midrange.com/mailman/listinfo/rpg400-l
> > or email: RPG400-L-request@xxxxxxxxxxxx
> > Before posting, please take a moment to review the archives
> > at http://archive.midrange.com/rpg400-l.
>
> --
> Mike Wills
> iSeries Programmer/Lawson Administrator
> koldark@xxxxxxxxx
> http://www.koldark.net
> Want Gmail? Email koldark+gmail@xxxxxxxxx to get on my waiting list.
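The hash-and-compare check suggested in the top reply, sketched as an added example that is not part of the original thread: the trusted source stores a salted, keyed digest instead of the PIN and recomputes it for each submitted value. `SERVER_KEY`, the function names and the sample PIN are assumptions of this example, and the submitted value is assumed to reach the trusted source over a protected channel. The last function shows why the digest needs a key: a bare hash of a 4-digit PIN has only 10,000 possible inputs.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Hypothetical secret held only by the trusted source (assumption of this example).
SERVER_KEY = secrets.token_bytes(32)


def enroll(pin: str) -> Tuple[bytes, bytes]:
    """Trusted source: keep a per-record salt and a keyed digest, never the PIN."""
    salt = secrets.token_bytes(16)
    digest = hmac.new(SERVER_KEY, salt + pin.encode(), hashlib.sha256).digest()
    return salt, digest


def verify(pin: str, salt: bytes, stored: bytes) -> bool:
    """Recompute the digest for the submitted value; compare in constant time."""
    candidate = hmac.new(SERVER_KEY, salt + pin.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(candidate, stored)


def recover_from_bare_hash(digest: bytes) -> Optional[str]:
    """A bare, unkeyed hash of a 4-digit PIN has only 10,000 possible inputs,
    so anyone holding the stored digest can find the PIN by trying them all."""
    for n in range(10_000):
        guess = f"{n:04d}"
        if hashlib.sha256(guess.encode()).digest() == digest:
            return guess
    return None


if __name__ == "__main__":
    pin = "4821"  # constructed sample value
    salt, stored = enroll(pin)
    print("correct PIN verifies:", verify(pin, salt, stored))
    print("wrong PIN verifies:  ", verify("4822", salt, stored))
    bare = hashlib.sha256(pin.encode()).digest()
    print("bare SHA-256 recovered as:", recover_from_bare_hash(bare))
    print("keyed digest recovered as:", recover_from_bare_hash(stored))
```
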
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].