• Subject: Re: Fw: Rewarding challenge AS/400...
  • From: Larry Bolhuis <lbolhui@xxxxxxx>
  • Date: Thu, 16 Sep 1999 15:37:26 -0400
  • Organization: Arbor Solutions, Inc

Phil Hall wrote:
> 
> Just to put some peoples minds at rest, according to IBM, the password
> encryption on the AS/400 is one way only. There is **NO** API or program
> supplied that will decrypt the passwords on the AS/400. All password
> comparison (i.e. when you sign on, or use the profile APIs) is made between
> encrypted versions of the passwords. They also state that no un-encrypted
> versions of the password is stored on the machine.
> 
> This doesn't stop a brute force attack.

  Unless QMAXSIGN is set to *NOMAX, I disagree.  Once the QMAXSIGN
value is reached, there is no way to do any more compares to the
encrypted version.

> Now to put the cat among the pigeons, if this is true, then surely the
> method of encryption cannot be that strong, as otherwise the code to allow
> the implementation of the password limiting system values would be
> impossible...?

  Why would this be true?  Just because it is a strong encryption
routine makes little difference.  As an example a PII300 machine can
encrypt a small text string (something like 64 bytes I believe) with a
64bit key over 800,000 times in one second. Even a 486-66 can do it
over 60,000 times in a second.  Remember that they are only encrypting
the password. 

  If you are refering to the QPWDRQDDGT and all it's friends and
neighbors these are enforced before the password is encrypted I
beieve.  Changes to those values have no affect on passwords already
on the system (and therefore already encrypted)   

  - Larry

-- 
Larry Bolhuis         | What do You want to Reload today?
Arbor Solutions, Inc  |
(616) 451-2500        | 
(616) 451-2571 -fax   | Two rules to success in life:
lbolhui@ibm.net       | 1. Never tell people everything you know.

+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---

As an Amazon Associate we earn from qualifying purchases.

This thread ...

Follow-Ups:
Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.