Subject Re: [IBO] Was Asta or Direct IP now Securing IB Logins
Author Dalton Calford
Hi Brian,

> Random? A hash from the same algorithm should produce the same output
> every time for a given string. I think you already understand this, but I
> didn't want anyone to get the idea they could use a hashing algorithm for a
> random key generator.

Alot of the hashing code comes from the random number generator concepts. In
fact, as long as you always give the same seed to a random number generator,
you will always get the same predictable results. Back in the early 70's
there was alot of research done with this, and even todays best random number
generator has a tendancy to create predictable patterns on a 3d scatter graph.
Not as bad as in the old 7bit days, but, still noticable to a perfectionist.

> This sounds like it works, although I prefer the "digital envelope" method
> which uses PKI to transfer a one-time use random session password, and
> thereafter uses a strong symmetric cipher like Rijndael to encrypt
> everything else. Unless you want to verify the client's identity, all that
> is needed is the server's public key to initiate the session key.

That is another style, but a little harder to explain in a email forum. It
has its strengths and weaknesses, and is harder to implement within a
standard IB connection.

> My personal view on any encryption is to use tried and true standards using
> industry-standard algorithms--I could never match the amount of testing and
> scrutiny these algorithms have received. MD5 is one of those, but SHA is
> considered a much better hashing algorithm. Have you considered
> implementing a version of your stuff that works off of SHA?

It is a matter of time, I have worked with SHA and other forms of encryption
(I have been working with encryption technologies since the mid-80's) but it
comes down to, ease of implementation and return on investment. The
techniques I have described here are simple enough to implement while secure
enough that it takes a VERY VERY good cracker to beat it - and then only if
they have the entire sequence of packets (miss one and you are lost from that
point on).
To try other algorythms would not give noticably better results but would
cost alot in time and effort.

best regards

Dalton