Subject Re: [IBO] Was Asta or Direct IP now Securing IB Logins
Author Brian Nuckels
At 10:12 AM 5/31/2001 -0400, you wrote:
>Ok,
>
>Like I said, that part was an email unto itself.
>
>You can use hashes and security in many different ways.
>If you need to encrypt a value, you can send it to a hashing algorithm, and
>your result will be a fixed length random string.

Random? A hash from the same algorithm should produce the same output
every time for a given string. I think you already understand this, but I
didn't want anyone to get the idea they could use a hashing algorithm for a
random key generator.

This sounds like it works, although I prefer the "digital envelope" method
which uses PKI to transfer a one-time use random session password, and
thereafter uses a strong symmetric cipher like Rijndael to encrypt
everything else. Unless you want to verify the client's identity, all that
is needed is the server's public key to initiate the session key.

My personal view on any encryption is to use tried and true standards using
industry-standard algorithms--I could never match the amount of testing and
scrutiny these algorithms have received. MD5 is one of those, but SHA is
considered a much better hashing algorithm. Have you considered
implementing a version of your stuff that works off of SHA?
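The digital envelope described above, as an added example in Go that is not code from anyone in this thread: the client draws a random session key from the OS CSPRNG (not from a hash), seals it to the server's public key with RSA-OAEP, and encrypts the message under that key with AES-GCM (AES being standardised Rijndael, with GCM added for integrity); the function names Seal, Open and newGCM are my own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the client side and needs only the server's public key. The 256-bit
// session key comes from the OS CSPRNG (not from a hash), is sealed with RSA-OAEP,
// and msg is encrypted under it with AES-256-GCM; returns key, nonce, ciphertext.
func Seal(serverPub *rsa.PublicKey, msg []byte) (sealedKey, nonce, ct []byte, err error) {
	key := make([]byte, 32)
	rand.Read(key) // crypto/rand.Read never returns an error as of Go 1.24
	sealedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, key, nil)
	if err != nil {
		return nil, nil, nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize()) // fresh for every message under this key
	rand.Read(nonce)
	return sealedKey, nonce, gcm.Seal(nil, nonce, msg, nil), nil
}

// Open is the server side: recover the session key with the private key, then
// decrypt. A tampered sealed key, nonce or ciphertext fails here with an error.
func Open(serverPriv *rsa.PrivateKey, sealedKey, nonce, ct []byte) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, serverPriv, sealedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, nil)
}
```

Once the server has opened the envelope, both sides hold the same session key and the rest of the session can be carried under AES-GCM alone, with a new nonce for each message.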