How secure is AUDIT-POLICY:ENCRYPT-AUDIT-MAC-KEY?

Posted by jmls on 30-Nov-2013 13:39

"Encrypts and encodes the specified character expression and returns an encrypted character value that you can store for later use in message authentication code (MAC) operations."

Just how secure is this encryption? Is it safe to embed in 4GL code? What is the encryption process? How big are the keys / salts etc. etc.?

I was thinking of using it as such:

if audit-policy:encrypt-audit-mac-key(SomeData) eq "38333c2f66770c2025222a3527363621" then 

rather than

if SomeData eq "foobar"

and was debating the merits of the security of this.

All Replies

Posted by Rob Fitzpatrick on 01-Dec-2013 12:18

The value of SomeData above is "hash42_superuser"; does that answer your question?

It is not salted.  It is not secure.  It is trivially breakable.  It protects data from casual snooping, nothing more.  It is the same method used by genpassword to produce "encrypted" passwords ("oech1::blahblah").  The code is implemented in a PSC Java class (com.progress.common.util.genPassword), if you're interested to see what it does.  

A little while ago I opened a documentation bug, asking Progress to clarify in the docs that this is not strong encryption.  They said they would do that in a future release.

Posted by jmls on 01-Dec-2013 12:23

lol. I'm _so_ glad that I didn't post what I originally encoded :) Thanks for the heads up - exactly why I asked the question.

I would assume that MESSAGE-DIGEST("SHA-512" would be much better as it is a one-way thing?

Thanks!

Posted by jmls on 01-Dec-2013 12:24

+1 for documenting that this is not secure. They *really* should have done that from the start.

Posted by Rob Fitzpatrick on 01-Dec-2013 12:25

Message encryption and message hashing are two different things, for different purposes.  A message digest is one-way by design.

Posted by jmls on 01-Dec-2013 12:29

Yes - and for best practice, shouldn't all passwords be stored as a digested value?

Posted by Rob Fitzpatrick on 01-Dec-2013 14:22

Yes, with a strong algorithm, and salted.  MD5 and SHA-1 are no longer considered secure.  SHA-1 less so, but its days are numbered, and stronger variants are now available.
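
The advice the thread ends on (store a salted digest made with a strong algorithm), as an added Python example that is not part of the thread and is not Progress code. PBKDF2-HMAC-SHA512 is swapped in as the "strong algorithm" since the thread names none; the record format, function names and iteration count are assumptions, and the sample password is constructed.

```python
import hashlib
import hmac
import secrets

ALGO = "sha512"
ITERATIONS = 210_000      # assumed work factor; tune for your hardware
MAX_ITERATIONS = 10_000_000
SALT_BYTES = 16


def unsalted_digest(password: str) -> str:
    """Plain digest: equal inputs always give equal outputs, so guesses can be precomputed."""
    return hashlib.sha512(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha512$<iterations>$<salt hex>$<key hex>' using a fresh random salt."""
    salt = secrets.token_bytes(SALT_BYTES)
    key = hashlib.pbkdf2_hmac(ALGO, password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_{ALGO}${iterations}${salt.hex()}${key.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the key from the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, key_hex = stored.split("$")
        rounds = int(iterations)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(key_hex)
    except ValueError:
        return False  # malformed record: reject instead of raising
    if scheme != f"pbkdf2_{ALGO}" or not salt or not expected:
        return False
    if not 1 <= rounds <= MAX_ITERATIONS:
        return False
    candidate = hashlib.pbkdf2_hmac(ALGO, password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    pw = "constructed-sample-password"  # constructed sample value
    first, second = hash_password(pw), hash_password(pw)
    print("unsalted digests equal:", unsalted_digest(pw) == unsalted_digest(pw))
    print("salted records equal:  ", first == second)
    print("verify correct / wrong:", verify_password(pw, first),
          verify_password("wrong", first))
```
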
