Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Data Encryption

30 views
Skip to first unread message

eri...@glink.net.hk

unread,
Jul 8, 1996, 3:00:00 AM7/8/96
to

I wonder if there is any utility or command in the AS/400 that allow
you to encrypt the sensative data such as Personal Identification
Number, Credit Card Number etc.

Thanks in advance

Eric Yip


Nicolas Oschatz

unread,
Jul 8, 1996, 3:00:00 AM7/8/96
to

eri...@glink.net.hk wrote:

Hi Eric,

try the SCRAMBLE command from QUSRTOOL.

S. G.

unread,
Jul 9, 1996, 3:00:00 AM7/9/96
to

osc...@ibm.net (Nicolas Oschatz) wrote:
>eri...@glink.net.hk wrote:
>
>>I wonder if there is any utility or command in the AS/400 that allow
>>you to encrypt the sensative data such as Personal Identification
>>Number, Credit Card Number etc.
>>
Consider the IBM product, 5763-CR1 for V3R1 or 5738-CR1 for V2. It is
IBM's Cryptography product and will permit DES encoding of this informa-
tion.

I'm not sure if it can be exported from the US without a license, so you
will need to check that if your address is out of the US/Canada.

Another option is to get some C programs via the Internet that perform
encryption and use them. They are readily available both inside and
outside of the US.

Internal to the AS/400 is an MI instruction that performs encryption and
decryption. It has been blocked since the earlier releases, and has been
opened in a limited manner recently.

Remember, that somebody at the other end needs to be able to de-crypt
whatever is encrypted.

HTH


Peter Ekstrom

unread,
Jul 9, 1996, 3:00:00 AM7/9/96
to

In article <4rr771$a...@unix2.glink.net.hk>,

eri...@glink.net.hk writes:
>I wonder if there is any utility or command in the AS/400 that allow
>you to encrypt the sensative data such as Personal Identification
>Number, Credit Card Number etc.
>
>Thanks in advance
>
>Eric Yip
>
Yes, there is a source member that does both encryption and decryption.
It's in the save file QATTRPG in QUSRTOOL. I don't remember the name of
it though... Check out the QATTINFO member, you should be able to find it
in there.

Peter


Matt Sargent

unread,
Jul 9, 1996, 3:00:00 AM7/9/96
to

osc...@ibm.net (Nicolas Oschatz) wrote:

>eri...@glink.net.hk wrote:

>>I wonder if there is any utility or command in the AS/400 that allow
>>you to encrypt the sensative data such as Personal Identification
>>Number, Credit Card Number etc.

>try the SCRAMBLE command from QUSRTOOL.

As encryption, SCRAMBLE is virtually worthless. All it does it take
the bytes and moves them around to different positions. It wouldn't
take very long to figure out the correct order of a 4-digit PIN,
simply through trial-and-error. And any type of password that's an
regular word could be figured out in a few minutes by a Scrabble
player. Or solved in just a few seconds by logging into
http://www.infobahn.com/pages/anagram.html and setting the word count
to 1.

_____________________________________________________________________
"But there must be something more to death than surfing all the time"
- Dar Williams


Tim Brown

unread,
Jul 9, 1996, 3:00:00 AM7/9/96
to

Matt Sargent wrote:
>
> osc...@ibm.net (Nicolas Oschatz) wrote:
>
> >eri...@glink.net.hk wrote:
>
> >>I wonder if there is any utility or command in the AS/400 that allow
> >>you to encrypt the sensative data such as Personal Identification
> >>Number, Credit Card Number etc.
>
> >try the SCRAMBLE command from QUSRTOOL.
>
> As encryption, SCRAMBLE is virtually worthless. All it does it take
> the bytes and moves them around to different positions. It wouldn't
> take very long to figure out the correct order of a 4-digit PIN,
> simply through trial-and-error. And any type of password that's an
> regular word could be figured out in a few minutes by a Scrabble
> player. Or solved in just a few seconds by logging into
> http://www.infobahn.com/pages/anagram.html and setting the word count
> to 1.


Agreed.

I'd recommend getting Bruce Schneier's book "Applied Cryptography".
I believe there is now a second version out. It comes with a bunch
of source code of various encryption methods. I'd choose an encryption
method, and then port the C code to the AS/400 using ILE/C.

Hey, if you feel generous, go ahead and port PGP over as well ;-)


lwl...@rchland.vnet.ibm.com

unread,
Jul 10, 1996, 3:00:00 AM7/10/96
to

Please please please be careful with encryption stuff.

In many, if not most places, you can meet a need by gathering up
a subroutine and dropping it into your application. Cryptography
is NOT such a place.

I would like you to use IBM's stuff because I work there and I know
it is good.

But, if you don't use our stuff, please DO NOT take the first thing on the
left on a diskette with a name
like "SCRAMBLE" -- you can burn a lot of CPU cycles and get something out that
looks to gibberish to you. But, a decent expert might also undo it
in an hour or two. Really. It has happened. Don't trust your customers'
PIN numbers to something you don't know is good.

For more details on how to do it right, please see the newsgroup
sci.crypt. There used to be a pretty good FAQ. . .

--

Larry W. Loen | Yes, I work for IBM. But, crypto is
| real work to get right. . .

email to: lwl...@rchland.vnet.ibm.com


S. G.

unread,
Jul 11, 1996, 3:00:00 AM7/11/96
to lwl...@rchland.vnet.ibm.com

lwl...@rchland.vnet.ibm.com wrote:
>Please please please be careful with encryption stuff.
>
Excellent advice!

>In many, if not most places, you can meet a need by gathering up
>a subroutine and dropping it into your application. Cryptography
>is NOT such a place.
>
>I would like you to use IBM's stuff because I work there and I know
>it is good.
>

Larry: Do you know what company developed the original Data Encryption
Standard? (Hint: It was not the International Brotherhood of
Musicians but the abbreviation was the same!)

DES is subject to a brute force vulnerability thanks to the relative
strength of computing today. Triple DES may have better prospects,
but I haven't studied the details.

One problem cryptographers have with any software product that performs
encryption jeopardizes the product's proprietary nature. A cryptographer
would not bless a product unless he/she had seen the source and spent
some time trying to break it. The strongest systems that we use in the
public today (IDEA, which is the backbone of PGP and the combination of
public/private key encryption) is available all over the world in the
original source.


>But, if you don't use our stuff, please DO NOT take the first thing on the left on a diskette with a name
>like "SCRAMBLE" -- you can burn a lot of CPU cycles and get something out that
>looks to gibberish to you. But, a decent expert might also undo it
>in an hour or two. Really. It has happened. Don't trust your customers'
>PIN numbers to something you don't know is good.
>

AGREE.

>For more details on how to do it right, please see the newsgroup
>sci.crypt. There used to be a pretty good FAQ. . .
>

Also, alt.security and alt.security.pgp but they are not as scientific
as the sci.crypt.

We've been able to compile most of PGP on the AS/400, but still need
to resolve some incompatibilities and clean up that G_d awful command
language from Unix!

Steve Glanstein
m...@aloha.com

Don

unread,
Jul 12, 1996, 3:00:00 AM7/12/96
to Tim Brown


Best bet right now is to totally IGNORE the scramble tool in TAATOOL...
and if you're feeling really ambitious, go buy Bruce Schneir's Applied
Cryptography - version 2. You shouldn't have any problems writing
something better than "scramble" ... ALSO, Bruce emails TNL's and PTF's
to the books as they're found and is a really decent guy!

Also, you could use the DES macro's that come with your 400...but unless
you buy the DES package, decryption's a real bitch... :)

Don


0 new messages