We need to do user/password validation for a web site from a file on a
d3 system. I know how to encrypt a password in D3 but would like to
encrypt the password on the web side and pass it already encrypted to
D3. Anyone have any suggestions for the best way to do this. On the D3
side I can encrypt with a seed using ICONV(SEED:@AM:STRING,'U0090'). Is
there an equivalent encryption algorithm outside of D3?

Bob,

Take a close look at how this encryption works and you can easily write code
to allow the same functionality.

IIRC, it take the seed and uses each character in rotation and adds that
characters ASCII value to the a character in the string to be encrypted.
You just have to be careful when reaching into the hi-bit charaters.

I wrote an emulation several years ago, but I can't find the code anymore.

Regards,

Dale
"Bob Frank" <bgf (AT) jgatech (DOT) com> wrote

"Bob Frank" <bgf (AT) jgatech (DOT) com> wrote

Bob:

Try the following, encryption code courtesy of Mark Brown. Hope this helps.

SUBROUTINE dtaENCRYPT (Code, Seed, InString, OutString)
** Encrypt and decrypt a string using a seed.
!
** Last Modified: 16 Mar 2004, wph
** First Created: 16 Mar 2004, mark brown
** Program Type-: Utility
!
** Notes:
**
** This program is designed to replace the D3 user mode 'U009D' which
** can encrypt/decrypt a passed string using a seed.
**
** Code Definitions:
** 0 - encrypt
** 1 - decrypt
*
**------------------------------------------------------------------**
** **
** S T A R T P R O G R A M R U N **
** **
**------------------------------------------------------------------**
*
** assign the encrypt/decrypt multiplier
IF Code = 0 THEN
Multiplier = 1
END ELSE
Multiplier = -1
END
*
** initialize the loop variables
SeedCnt = 1 ; ** the seed digit# being used
SeedLen = LEN(Seed) ; ** the # of digits in the seed
ccHigh = LEN(InString) ; ** the maximun # of loops to run
OutString = '' ; ** the encrypted/decrypted string
*
** test for validity
IF TRIM(Seed) = '' THEN RETURN
*
** loop and encrypt/decrypt the string character-by-character
FOR CharCnt = 1 TO LEN(InString)
RdChar = InString[CharCnt,1]
OutString := CHAR(SEQ(RdChar) + (Multiplier * SEQ(Seed[SeedCnt,1])))
SeedCnt += 1
IF SeedCnt > SeedLen THEN SeedCnt = 1
NEXT CharCnt
*
**------------------------------------------------------------------**
** **
** E N D O F P R O G R A M **
** **
**------------------------------------------------------------------**
*
RETURN
END

Now to use the program here is a dictionary subroutine that may be used
like:

DICT dwMASTER 'MgmtCoDPassword' size = 212
01 S
02 0
03 MgmtCoDPwd
04
05
06
07
08 {Some correlative to retrieve the encrypted password}
CALL BP D.DECRYPT
09 L
10 15
11
12
13
14
15
16
17 The decrypted ASCII password (for .Net)



SUBROUTINE D.DECRYPT (Value)
** Maintain data for names file
!
** Last Modified: 05 Jul 2004, wph
** First Created: 14 Jun 2004, wph
** Program Type-: Dict-Subroutine
!
** Notes:
**
** This simply decrypts a password from the address book.
**
**-------------------------------------------------------------------**
** **
** I N I T I A L I Z A T I O N **
** **
**-------------------------------------------------------------------**
*
** Initialize standard program variables
COMMON DM.MESSAGES
NULL$ = ''
*
sPassword = Value
Value = NULL$
*
{Read the Seed from somewhere}
*
** decrypt password
IF sPassword NE NULL$ THEN
CALL dtaENCRYPT ('1', Seed, sPassword, Value) ; ** decrypt
END
*
** End of program
RETURN
END

I've written bi-directional encryption/decryption for D3 that does
what you say but the non-D3 component is all written in VB6 at the
moment.

Can you tell us more about how you're moving data between D3 and the
web site? FlashCONNECT? WebWizard? Coyote?

If you're using HTTPS/SSL with FC for example, then the password is
encrypted from the client to the web server, but from the web server
to the DBMS it's in the open. On a LAN that's not so much a problem
but if your web server proxies calls over the internet back to D3 then
you need to wrap the comms in IPSEC, or wrap queries and responses in
another HTTPS call to the back-end.

More info on the technologies in use on the client and middle tier
would really help.

Tony
TG@ removethisNebula-RnD
..com


Bob Frank <bgf (AT) jgatech (DOT) com> wrote:

Thanks for the responses. Thanks Dave H, code samples are great b/c then
I know exactly what you're talking about.
To answer Tony's question, we are using a modified jd3.
My only concern is with passing unencrypted passwords from the web
server to the d3 server. We got the job due to the previous company
being careless on security so we want to be extra careful. Even though
within it's only employee's on the company's network, if they sniff a
password, they can make web purchases under posing as one of the
company's users.
Our plan is to never allow passwords to never appear unencrypted at any
point in the transaction and to validate passwords only by comparing
encrypted values.



Tony Gravagno wrote:

On 23 Jul 2005 13:07:53 EDT, Bob Frank <bgf (AT) jgatech (DOT) com> wrote:

The OpenSSL command line tool is great for things like this. Heavy
encryption can be done via standard I/O so there's no temp files to
sniff. Check out my VISA CISP article on PickSource for an example of
a 1-line encryption and base64 encoding command.

Glen
http://picksource.com

Wouldn't it be better to not do the LEN every tiem the loop executes?

/just asking

Hello Douglas! You are RIGHT as usual.

That's a common mistake even seasoned programmers make --- forcing the
system to resolve the same thing over and over (like when within a
loop).
Sure, it saves a single command line, and arguably does not take much
computer time. But, IMHO is not the best code that could be
accomplished.

Bad:
FOR CharCnt = 1 to LEN(InString)
bla bla bla
bla bla bla
NEXT CharCnt

Much better:
MaxLength = LEN(InString)
FOR CharCnt = 1 to MaxLength
bla bla bla
bla bla bla
NEXT CharCnt

Dave Weaver, Weaver Consulting

douglas (AT) pickteam (DOT) com wrote:

And/or a 'trick?' I recently picked up, if you LIKE the idea of having
a LEN() in the loop, change the structure so it is

FOR CharCnt = LEN(inString) to 1 step -1

This way the LEN() is only executed once ... provided the order that
you traverse doesn't matter. Ditto for DCOUNTS etc

Though of course, for us unreconstructed old assembly programmers, we note
that many Pick systems optimize Fors with an implict step of 1, ie:

FOR i = 1 TO 100 is different than FOR i = 1 TO 100 STEP 1 or FOR i =100
TO 1 STEP -1.

Saves ya a few nanoseconds!

Chandru

"Ross Ferris" <rossf (AT) stamina (DOT) com.au> wrote