RTI_MD5 (OpenInsight 32-Bit)
At 03 SEP 2009 02:58:46AM Barry Stevens wrote:
In 9.1 there is a new command RTI_MD5=… to enable one-way MD5 hashes. This can let you validate passwords, credit cards or SSNs without storing them.
Can someone explain how this is used?
At 03 SEP 2009 07:45AM Bob Carten wrote:
You store the hash, not the actual value. Unix has used this technique for a long time. When a user enters their password you hash their entry and compare it to the hash you stored; if the values are equal then you say they have entered the correct value. If someone generates the hash some other way they can still break into your system, but if someone steals your password or SSN file they cannot use the information to break into other systems.
See PAJ MD5 Site
Technical details:
RTI_MD5 embeds javascript inside OI. It pulls the script off of that site, saves a copy to the OI folder, runs the copy from there. This idea of re-using javascript libraries inside of OI seems useful.
see RTI_MD5 Source
At 03 SEP 2009 12:33PM The Sprezzatura Group (http://www.sprezzatura.com) wrote:
Whilst we applaud the innovative approach taken here, it should be borne in mind that we have no control over the content of external sites, and should a malicious individual compromise such sites then our applications would, in turn, be compromised. Fortunately, once the program has pulled down the js it stores it locally, so it'll be safe from thereon in if it were not compromised at that point.
So perhaps downloading and verifying externally before using the local copy internally might be a more cautious approach?
World leaders in all things RevSoft
At 03 SEP 2009 01:12PM John Bouley wrote:
I agree with sprezz's concerns. Why wouldn't the js be included in the released version of OI in the first place? The hashing logic can't and shouldn't be changing very often.
Besides when a developer uses an RTI function that is part of the released product there is an "assumption" that everyone will have the same functionality based on version.
my two cents.
John
At 03 SEP 2009 01:28PM The Sprezzatura Group (http://www.sprezzatura.com) wrote:
At the risk of putting words in the esteemed Mr Carten's mouth, we'd suspect that this was actually a "Sandbox" release rather than an official release - sort of a "hey look what's possible". Perhaps then an alternative namespace could be adopted for such releases - RTI_SANDBOX_ springs to mind ;).
World leaders in all things RevSoft
At 03 SEP 2009 03:53PM Bob Carten wrote:
Well,
words taste better than umble, crow or haggis.
Indeed RTI_MD5 started as a code example for an article in Spectrum Magazine about doing mashups from multivalue applications. In that context, grabbing a little data from here and a snippet of code from there is typical behavior.
In our environment I agree that blindly pulling code from a public site is risky. It creates both a security hole and a dependency on that site. In our environment the js file should be hosted on the OI server. If nothing else, the OI program should test the code against an MD5 signature of it to ensure that it matches what is expected. I wanted to leave the javascript files unchanged so that I could use them in OI and serve them to web pages. That allows me to serve web pages which calculate a hash value and send that over the wire rather than the unhashed value, and to have OI use the same code to calculate a matching hash.
RTI_JSON has some similar behavior. We'll have to put up an RDK to remove the reliance on public sites.
BTW, with OI9.1's .NET functionality, you can use .NET cryptography to accomplish MD5 and various strong encryption methods without relying on Javascript.
At 03 SEP 2009 08:17PM Barry Stevens wrote:
Spectrum Magazine. Wonder how many did not know this existed.
Nice if all the articles could be reproduced in the KB section.
BTW: Could we be informed of any additions to the KB and Downloads sections.
Further, should not the F.Indexer replacement that is in the KB also be in the Downloads section?
At 06 SEP 2009 02:39AM Don Bakke wrote:
Spectrum Magazine. Wonder how many did not know this existed.
I've made several references to Revelation articles in Spectrum magazines at previous User Conference presentations. Very worthwhile reading. Even the general MV articles have oftentimes been helpful.
BTW, for those not wanting to rely on javascript or .NET you can get hashing through our free SRP Utilities. We recently added a few more goodies to this utility as summarized in our product news page.