RE: Encryption and digital signatures

HMAC is pretty much what I described. You encrypt the resulting hash with a
key. 

Some people have a private key that they "give" to their trading partners
when PGP and public/private key encryption is not available. Then the sender
creates the hash, encrypts the data, encrypts the hash, sends both to the
recipient, who, using the provided secret key, decrypts the data and the
hash. Then recalculates the hash to verify that it matches the one sent by
the sender.

-Bob Cozzi
www.RPGxTools.com
RPG xTools - Enjoy programming again.


-----Original Message-----
From: rpg400-l-bounces@xxxxxxxxxxxx [mailto:rpg400-l-bounces@xxxxxxxxxxxx]
On Behalf Of brian
Sent: Wednesday, January 11, 2006 6:22 PM
To: RPG programming on the AS400 / iSeries
Subject: RE: Encryption and digital signatures

On Wed, 11 Jan 2006, Bob Cozzi wrote:
> Digital signature are basically this:

"Digital signature" could mean a few things. MD5 and SHA1 produce what
could be thought of as digital signatures that can be used to verify
data integrity. HMAC produces digital signatures that can be used to
verify integrity and authenticity. Integrity is about whether the data was
transmitted correctly; authenticity is about whether it came from the
source you think it did.

If the original poster just wants to ensure that the data was transmitted
correctly, MD5 or SHA1 hashes and file sizes will do a good job. If he
wants to ensure that not only was the data transmitted correctly, but that
it came from a particular source, then he should probably use HMAC and
establish some big random key with the other party. (HMAC is just another
hash function, except that it takes a key in addition to just the data).