"Encrypts and encodes the specified character expression and returns an encrypted character value that you can store for later use in message authentication code (MAC) operations."
Just how secure is this encryption? Is it safe to embed in 4GL code? What is the encryption process? How big are the keys / salts etc.?
I was thinking of using it as such:
if audit-policy:encrypt-audit-mac-key(SomeData) eq "38333c2f66770c2025222a3527363621" then
rather than
if SomeData eq "foobar"
and was debating the merits of the security of this.
The value of SomeData above is "hash42_superuser"; does that answer your question?
It is not salted. It is not secure. It is trivially breakable. It protects data from casual snooping, nothing more. It is the same method used by genpassword to produce "encrypted" passwords ("oech1::blahblah"). The code is implemented in a PSC Java class (com.progress.common.util.genPassword), if you're interested to see what it does.
A little while ago I opened a documentation bug, asking Progress to clarify in the docs that this is not strong encryption. They said they would do that in a future release.
lol. I'm _so_ glad that I didn't post what I originally encoded :) Thanks for the heads up - exactly why I asked the question.
I would assume that MESSAGE-DIGEST("SHA-512" would be much better as it is a one-way thing?
Thanks!
+1 for documenting that this is not secure. They *really* should have done that from the start
Message encryption and message hashing are two different things, for different purposes. A message digest is one-way by design.
Yes - and for best practice, shouldn't all passwords be stored as a digested value?
Yes, with a strong algorithm, and salted. MD5 and SHA-1 are no longer considered secure. SHA-1 less so, but its days are numbered, and stronger variants are now available.