• Subject: Re: Rewarding challenge AS/400...
  • From: "Phil Hall" <hallp@xxxxxxxx>
  • Date: Thu, 16 Sep 1999 15:54:26 -0500

Bruce,

> I don't understand why having password limiting system values would
> lead to the conclusion that the method of encryption is not strong.
> Could you expand on this?

Sure.

There are, as you know, a number of system values that limit what you can
choose as a password. Most of them (such as QPWDLMTREP to limit repeating
characters) can be supported by just checking the clear text version of the
password before it's encrypted, and are trivial to implement in code. The
system value in questioning the encryption strength is QPWDPOSDIF. This
sysval stops you from changing your password from ABC1 to ABC2, because the
ABC are still in the same place. One of the things that makes an encryption
algorithm strong is the ability to hide the 'positional information' about
the text being encrypted, because if your encrypted strings for ABC1 & ABC2
end up, for example as C1C2C3F1 and C1C2C3F2, then it makes it very simple
(simple in relative terms in cryptology) to determine/reverse the encryption
algorithm hence my point that the encryption method cannot be very strong
(again, strong in cryptology terms).

My point being that if IBM is saying there is no way to decrypt the password
then the encrypted password must be 'showing' the positional information for
the code to determine the positions of the characters in the old password
verses the new password.

Encryption algorithms such as, say, Blowfish do leave the 'positional
information' in the encrypted form, and dependent upon the size of the key
used are breakable.

I, personally have nothing to fear from the AS/400 encryption method being
cracked in the near future, for a number of reasons;

1. Nobody knows what method IBM is using - although it seems to be machine
independent i.e. nothing seems to be used from the machine to encrypt the
passwords.

2. Encrypted passwords on the AS/400 use aprox. 2000 bytes of storage for
the 10 characters of clear text you enter for your password

3. The object protection for programs makes it very difficult to run
anything (any user written code) that can be used to help, unless you've got
a high authority user ID all ready - in that case there is a bigger security
hole !

--phil

+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---

As an Amazon Associate we earn from qualifying purchases.

This thread ...

Follow-Ups:
Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.