• Subject: RE: Rewarding Challenge AS/400
  • From: "V. Leveque" <vleveque@xxxxxxxxxxxxx>
  • Date: Mon, 27 Sep 1999 08:51:03 -0700

The security in a crypto system is based entirely in the key itself, not in
the particular algorithm.  This has been a principle of cryptography since
the late 19th century.  Analogous to I can tell you everything about how the
lock is constructed, but without a key you still can't get in.

Another point is that it is impossible to do an accurate risk assessment and
protect your systems unless you know what the vulnerabilities are.  Knowing
there is a flaw in the password crypto means first you are aware this is an
exposure (so you are not blind-sided when it happens) and second allows you
to take compensating measures to protect this vulnerability (restrict access
to utilities which provide the encrypted passwords, audit system use for
unauthorized access attempts resulting from compromised passwords, maybe
front-end the AS/400 with a one-time password server like ACE/Server, etc.)

I work advising folks on security.  I really hate "security by obscurity".
It makes it impossible to say what's broken, how serious it is, and how it
can be fixed. 


At 01:02 PM 9/27/99 +0100, you wrote:
>Haven't you just told everyone how to decrypt as400 passwords?
>
>If so, isn't that very irresponsible?
>
>>>> -----Original Message-----
>>>> From: leif@ibm.net [mailto:leif@ibm.net]
>>>> Sent: Saturday, September 18, 1999 6:38 AM
>>>> To: MIDRANGE-L@midrange.com
>>>> Subject: Re: Rewarding Challenge AS/400
>>>> 
>>>> 
>>>> let me clarify. there are actually TWO encrypted values stored in
>>>> the user-password table QSYUPTBL. One is the user id encrypted with
>>>> the password, the other is a secret unique key encrypted with the
>>>> password. The latter is the easier one. If you have access to the
>>>> first you also have access to the second. Both can be decrypted by
>>>> brute force. There is a program you can download from the internet
>>>> that does this. On a 500 MHz PIII or equivalent the latter takes at
>>>> most 6.7 hours while the first takes at most 40 times as long. So
>>>> send me the second of the two encrypted values. Also send the
>>>> password to someone else on the list so the validity of my
>>>> decryption can be verified. The encryption method is in both cases
>>>> 56-bit DES, which is strong enough as it is. The reason we can crack
>>>> the encryption is the limited key space (only 40 different symbols)
>>>> and the crummy way IBM has applied the (otherwise strong) DES
>>>> algorithm.
>>>> 
>>>> ----- Original Message -----
>>>> From: <leif@ibm.net>
>>>> To: <MIDRANGE-L@midrange.com>
>>>> Sent: Friday, September 17, 1999 8:57 PM
>>>> Subject: Re: Rewarding Challenge AS/400
>>>> 
>>>> 
>>>> > I'll take you up on that one.
>>>> > I'll decrypt it in less than a day.
>>>> > ----- Original Message -----
>>>> > From: Steve Glanstein <mic@aloha.com>
>>>> > To: mr <midrange-l@midrange.com>
>>>> > Cc: Leif Svalgaard <leif@ibm.net>
>>>> > Sent: Friday, September 17, 1999 4:32 PM
>>>> > Subject: Rewarding Challenge AS/400
>>>> >
>>>> >
>>>> > >
>>>> > > >The encryption method **may** change from release to release, but
>>>> > > >between machines on the same release, and from what I've played
>>>> > > >with, it **seems** the same method but who really knows ?
>>>> > >
>>>> > > It is the same method. For example, the encrypted password for user
>>>> > > TEST, password TEST is 50C8C4C683D60CE2. This is the same on V1R2
>>>> > > through V4R3.
>>>> > >
>>>> > > This encryption is done with both user id and password. No other
>>>> > > parts are needed. For example, if you replace another password for
>>>> > > TEST with the above hex then TEST will have a password of TEST.
>>>> > >
>>>> > > Unfortunately the software vendor (you know who I mean!) doesn't have
>>>> > > enough confidence in the encryption technique to permit public
>>>> > > analysis and verification that it is truly one way.
>>>> > >
>>>> > > The answer to people who can crack the AS/400 password...I'll send
>>>> > > them the encrypted password and see if they can decrypt it! This was
>>>> > > done several times with PGP and the network went silent.
>>>> > >
>>>> > > Steve Glanstein
>>>> > > mic@aloha.com
>>>> > >
>>>> > >
>>>> > > +---
>>>> > > | This is the Midrange System Mailing List!
>>>> > > | To submit a new message, send your mail to MIDRANGE-L@midrange.com.
>>>> > > | To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
>>>> > > | To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
>>>> > > | Questions should be directed to the list owner/operator: david@midrange.com
>>>> > > +---
>>>> > >

     |----------------------------|  "Outside of a dog, a book is a man's
     |\  /         |    \  /      |  best companion.  Inside of a dog,
     | \/ INCENT   |__E  \/EQUE   |  it's too dark to read."  
     |----------------------------|        -- Groucho Marx 



This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
