> > * For vanilla 5250, the password is right there for the picking.
> > * For 5250E the password is obtainable within a few minutes extra work.
> > * For OpsNav the password is obtainable within a few minutes extra work.
>
> I'm still not sure why you're saying this. Are you saying that the
> password substitution algorithm used to sending the passwords is easy to
> decrypt for passwords under 10 chars?

Actually, no it isn't, with password substitution.

If memory serves correctly (I've studied the algorithm, but found it beyond my ability to implement, which says more about the algorithm than it says about me), password substitution does not merely encrypt the password before sending it; rather, it never actually sends it. Instead, it uses a hash of the encrypted password to encrypt the user ID, then sends BOTH the clear AND encrypted versions of the user ID. The host then duplicates the process with its encrypted copy of the password, and if it matches, it admits the user. There's no way to sniff the password because it's never sent.

Moreover, even if the password WERE to be sent in encrypted form, 10 characters is an absurdly small sample to try and decrypt, even if algorithm, plaintext, and ciphertext were all known.

Of course, password substitution only protects the password, and is completely irrelevant unless auto-signon is in use. Under any other circumstances, secure TN5250 is a much better choice, and since auto-signon takes place after the SSL connection is established, it eliminates the need for password substitution in all but the most stringent of circumstances.

--
James H. H. Lampert
Professional Dilettante
http://www.hb.quik.com/jamesl
http://members.hostedscripts.com/antispam.html
http://www.thehungersite.com
Help America's Passenger Trains. http://www.saveamtrak.org
Read My Lips: No More Atrocities!
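An added sketch of the exchange described in the message above (not part of the original post, and not IBM's actual algorithm): both sides derive a key from the stored password token and use it to transform the user ID, so only the user ID and that derived value are transmitted. PBKDF2 and HMAC-SHA256 stand in for the real primitives, and the `Host` class, function names, sample credentials and the per-session seed are assumptions made for illustration.

```python
import hashlib
import hmac
import os


def password_token(user_id: str, password: str) -> bytes:
    """Stand-in for the host's stored 'encrypted password' (assumed form)."""
    salt = user_id.upper().encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def substitute(token: bytes, user_id: str, seed: bytes) -> bytes:
    """Key = hash of the token; transform the user ID under that key.
    HMAC stands in for the encryption step; the seed is an assumption."""
    key = hashlib.sha256(token).digest()
    return hmac.new(key, seed + user_id.upper().encode(), hashlib.sha256).digest()


def client_signon(user_id: str, password: str, seed: bytes):
    """Returns what goes on the wire: clear user ID plus the derived value."""
    return user_id, substitute(password_token(user_id, password), user_id, seed)


class Host:
    def __init__(self):
        self.tokens = {}  # user ID -> stored password token, never the password

    def enroll(self, user_id: str, password: str) -> None:
        self.tokens[user_id.upper()] = password_token(user_id, password)

    def new_seed(self) -> bytes:
        return os.urandom(8)  # fresh per session so a captured value is not reusable

    def verify(self, user_id: str, proof: bytes, seed: bytes) -> bool:
        token = self.tokens.get(user_id.upper())
        if token is None:
            return False
        # Host repeats the client's computation with its own copy of the token.
        return hmac.compare_digest(proof, substitute(token, user_id, seed))


if __name__ == "__main__":
    host = Host()
    host.enroll("DEMOUSER", "s3cretpw")  # constructed sample credentials
    seed = host.new_seed()
    wire_user, wire_proof = client_signon("demouser", "s3cretpw", seed)
    print("on the wire:", wire_user, wire_proof.hex())
    print("admitted:", host.verify(wire_user, wire_proof, seed))
```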