ajgMD5

Questions about NeoBook PlugIns

Moderator: Neosoft Support

Postby Aaron » Fri Nov 04, 2005 4:04 pm

Hi to all neobookers,

Here is a plugin that can calculate the MD5 hash of strings and files. It also can compare two MD5 hashes. It's freeware and you can download from:

http://es.geocities.com/neobook05/ajgMD5_Eng.zip

Enjoy!
Aaron

Re: ajgMD5

Postby dpayer » Sat Nov 05, 2005 9:31 pm

Aaron wrote: Hi to all neobookers,

Here is a plugin that can calculate the MD5 hash of strings and files. It also can compare two MD5 hashes. It's freeware and you can download from:

http://es.geocities.com/neobook05/ajgMD5_Eng.zip

Enjoy!
Aaron


Thanks! This could be helpful and someone had just asked for it in one of the other forums here!

David P

Postby rcohen » Tue Nov 08, 2005 3:24 pm

Thank you Aaron!!

rcohen

Postby edunaway » Wed Nov 09, 2005 7:59 am

Pardon my ignorance, but what is the purpose of MD5 hash? Is this some sort of encryption? Is it only applicable to strings of text or is it also available for data files? Please enlighten me.

-eric

Postby Gaev » Wed Nov 09, 2005 10:04 am

Eric:

This plug-in was developed in response to my request to Dave for such a facility here ...

http://www.neosoftware.com/forum/viewtopic.php?t=13551

"what is the purpose of MD5 hash? Is this some sort of encryption?"

Yes and No ... it is some sort of encryption ... but unlike traditional encryption, it CAN NOT be decrypted ... so it is used as a "verification mechanism" ...

a) Was the entered value correct ?

So say that (correct) value of ABCDEF returns an MD5 hash of "wq3rtk d;sv;dh ;sdjh ;kjs".
You can ask user to enter correct value, do an MD5 hash on entered value and compare it to "wq3rtk d;sv;dh ;sdjh ;kjs".

So, even if someone snoops inside your .exe file, all they know is that the MD5 has to be "wq3rtk d;sv;dh ;sdjh ;kjs" ... but they will need to loop through all possible values of entered data until one of them matches ... and since user is not told how long the entered value has to be, this could be one of gazillion different combos.

b) Has the file received been tampered with ?

This is the second form of the command, where the entire contents of the file is MD5 hashed ... software suppliers that permit their programs to be downloaded from multiple servers (over which they do not have control), can ensure that hackers do not get a hold of one of these copies and modify it for viruses etc. ... even if the hacker maintains the same file size as the original, the change in the content will yield a different hash ... so if the "hash don't match ... you must beware !"

"Is it only applicable to strings of text or is it also available for data files? Please enlighten me."

... I haven't used the file option ... but since exe files are binary by nature, it should work with that option.

Not sure if the first option works only on text strings or binary data as well (assuming you can store/pass binary data).

Note to Aaron:
I sent you a PM on this on Friday Nov/4 ... looks like you have not read it yet ... but I am interested in finding out if the source code is available (for sale or kept in escrow) ... as usage of such a facility would be crucial to an application developer ... and prolonged periods of absence (support wise) could not be tolerated.

Note to Dave:
While it is very generous of Aaron to offer such a plug-in for free ... I would like to re-iterate that such a feature should really be an integral part of the base NeoBook facility ... for two reasons ...

a) the risk associated with deploying an application with such a facility should not exceed the risk associated with deploying the same application with the NeoBook platform ... in other words, while there is a higher risk of deploying an application under NeoBook than (say) VisualBasic, C++ or Delphi ... these products are not as dependent on a small number of individuals ... but relying on a third party, freeware plug-in does increase the risk factor ... and "The 2005 Casualty List of Absent Suppliers" is Proof Plenty.

b) having this function invoked via a plug-in command (a dll call in windows) inherently opens it up to snoopers that can trap calls to such dll files and decipher the "unhashed string" being passed ... something a lot more difficult to do with internal NeoBook commands.

I hope you will reconsider your earlier decision to leave this facility to third party plug-in suppliers ... and since Aaron has graciously offered his plug-in for free, there won't be considerations of running roughshod over such partners either.

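Added example, not part of the thread and not the plug-in's code: use (a) from the post above (hash the entered value, compare it with a stored hash) written in Python, with `hashlib` standing in for the plug-in, next to a salted, deliberately slow variant that makes the guessing loop the post mentions more expensive. The function names and the sample value are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample secret, matching the "ABCDEF" value used in the post.
CORRECT_VALUE = "ABCDEF"

def md5_hex(text: str) -> str:
    """Hex MD5 digest of a string: always 32 hex characters (16 bytes)."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def check_md5(entered: str, stored_hex: str) -> bool:
    """Scheme from the post: hash the entered value, compare with the stored hash."""
    # compare_digest avoids leaking how many leading characters matched.
    return hmac.compare_digest(md5_hex(entered), stored_hex.lower())

def make_record(secret: str, iterations: int = 200_000) -> dict:
    """Hardened form: a random salt plus PBKDF2-HMAC-SHA256 instead of one fast hash."""
    salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": derived}

def check_record(entered: str, record: dict) -> bool:
    """Re-derive with the stored salt and iteration count, then compare."""
    derived = hashlib.pbkdf2_hmac("sha256", entered.encode("utf-8"),
                                  record["salt"], record["iterations"])
    return hmac.compare_digest(derived, record["hash"])

if __name__ == "__main__":
    stored = md5_hex(CORRECT_VALUE)      # the value that would ship inside the .exe
    print("stored MD5:", stored)
    print("correct entry:", check_md5("ABCDEF", stored))
    print("wrong entry:  ", check_md5("ABCDEG", stored))
    record = make_record(CORRECT_VALUE)  # salt, iterations and hash are stored together
    print("PBKDF2 correct:", check_record("ABCDEF", record))
    print("PBKDF2 wrong:  ", check_record("abcdef", record))
```
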
Postby edunaway » Wed Nov 09, 2005 10:29 am

Gaev, thank you for your explanation. I was hesitant to post and expose my ignorance, but your reply also raised some valid concerns so I did some research about MD5 hash.

I would like to encourage all to read this Wikipedia entry about MD5 hash: http://en.wikipedia.org/wiki/MD5

If correct, there may be some vulnerabilities in MD5 and the other cryptography methods mentioned in the article should be considered instead.

I agree that NB should support some sort of verification natively or at the very least via a trusted plugin source. Dave, we would like to see your input into supporting the other possible methods such as WHIRLPOOL, SHA-1 or RIPEMD-160.

-eric

Postby David de Argentina » Wed Nov 09, 2005 12:02 pm

Hi Gaev,

Take a look at this:

http://www.pbcrypto.com/view.php?algorithm=md5

This is the source code of the MD5 algorithm, coded in PowerBasic.

It is very easy to read... and understand.

my devaluated cent,

David de Argentina

Postby Neosoft Support » Wed Nov 09, 2005 12:39 pm

I can see the value of having some type of encryption built into NeoBook itself. I assume that what we're talking about would take the form of encrypt and decrypt actions that could be used to process blocks of text. The results could be saved to disk, sent over the Internet, etc.

I'm far from an expert on encryption, so any suggestions are welcome. Whatever scheme is used must be in the public domain and not restricted by patents, copyrights, etc.
NeoSoft Support

Postby David de Argentina » Wed Nov 09, 2005 12:59 pm

Hi Dave,

************************************************************
* MD5.BAS - Original code notice:*
* This code implements the MD5 message-digest algorithm.
* The algorithm is due TO Ron Rivest. This code was
* written by Colin Plumb IN 1993, no copyright is claimed.
* This code is IN the public domain; DO WITH it what you wish.
* Equivalent code is available FROM RSA DATA Security, Inc.
* This code has been tested against that, AND is equivalent,
* except that you don't need to include two pages of legalese
* WITH every copy.
* TO compute the message digest of a chunk of bytes, DECLARE an
* MD5Context structure, pass it TO MD5Init, CALL MD5Update AS
* needed ON buffers full of bytes, AND THEN CALL MD5Final, which
* will fill a supplied 16-BYTE ARRAY WITH the digest.
* -----------------------------------------------------------


(all code on: http://www.powerbasic.com/support/forum ... 00512.html )

I think it is useful.

cheers,

David de Argentina

Postby Gaev » Wed Nov 09, 2005 4:43 pm

David de Argentina:

Thank you for the references to the POWERBASIC source code ... my enquiries to Aaron were specific to the code associated with his plug-in ... you see, one defense against "prolonged unavailability of plug-in suppliers in case of emergencies" would be to have access to the source code used in compiling the plug-in ... Aaron has now responded that his plug-in is made with Delphi ... and he is considering some kind of source availability.

Once again, thank you for the reference and your continued contributions to this community.

NeoSoft Support:

"I assume that what we're talking about would take the form of encrypt and decrypt actions that could be used to process blocks of text. The results could be saved to disk, sent over the Internet, etc."

That would be a huge start ... something like ...

StrEncrypt "unencrypted text" "encryption key" "variable to store encrypted result"
StrDecrypt "encrypted text" "decryption key" "variable to store decrypted result"

"Whatever scheme is used must be in the public domain and not restricted by patents, copyrights, etc."

Yes ... and to ensure inter-operability of NeoBook web applications with server side (non-NeoBook) applications, a widely deployed scheme would be preferred ... one that can be understood/used by asp, php and perl at least.

Postby Alberto_Meyer » Thu Nov 10, 2005 3:29 am

Aaron, thanks a LOT for this. Thanks again. Dave, if Aaron's plugin works flawlessly, without problems, there is no need for a NeoBook custom solution for this.

Postby edunaway » Thu Nov 10, 2005 8:09 am

Well, with all due respect to Al, I disagree.

The reason Gaev has asked for the source code to be placed in escrow or made available is for trust reasons. It's not that we distrust Aaron or anyone else, but how can you verify that the plugin is pure? What if a flaw is found? Who will fix it? And while I do appreciate Aaron creating this plugin, I've never heard of him. Will he be around to update the plugin in the future? I reluctantly say this because I do not want to discourage anyone from building plugins and certainly do not want to seem ungrateful, but for something that is intended to be secure, i.e. MD5 or other high encryption methods, we need a *known* source to provide us with the plugin.

Neosoftware is a known source that we trust. I would prefer that Neosoftware provide something like this. Yes, similar arguments can be made for other plugins, but with encryption that will clearly be used for this level of security the provider needs to be held to a higher standard.

-eric

Postby Alberto_Meyer » Thu Nov 10, 2005 9:07 am

Eric, ok. Agree. I think Dave could provide such encryption tool. BUT, in my opinion, it's NICE to see Aaron releasing it (time and work of him involved).

Postby Neosoft Support » Thu Nov 10, 2005 12:11 pm

"... and to ensure inter-operability of NeoBook web applications with server side (non-NeoBook) applications, a widely deployed scheme would be preferred ... one that can be understood/used by asp, php and perl at least."


I agree. Sounds like MD5 fits all of these requirements. Unfortunately, there may be some restrictions on exporting software that uses this type of encryption - at least in the U.S. We need to look into this.

"...it's NICE to see Aaron releasing it (time and work of him involved)."


Yes, absolutely! Thank you Aaron!

Frankly, I think the solution to the concern some people have about using third party plug-ins could be solved if developers would offer both a standard license and a source code license. This is common in the Delphi, Visual Basic, ActiveX market. The source code license is usually more expensive and includes limitations of what you can do with the source, but I think it would be a win-win situation for both developers and users.
NeoSoft Support

Postby dpayer » Thu Nov 10, 2005 1:29 pm

Neosoft Support wrote:
I agree. Sounds like MD5 fits all of these requirements. Unfortunately, there may be some restrictions on exporting software that uses this type of encryption - at least in the U.S. We need to look into this.


There are two different issues going on here.

The original post dealt with a mod that did an MD5-based hash. This is a program that creates a unique identifier of 16 bytes in length for a string or a file. A 10 meg file will have a 16-byte identifier and so will a 5 character string. If you change one character of the string or one byte of the file, the hash is changed. Using this hash, you can determine if the file you downloaded has been corrupted or infiltrated by something. This could be a helpful thing to have within NB to verify the authenticity of a resource.

This would be of little concern to a government.

Encrypting files that could not be deciphered by govt does cause them concern and that is something that should be addressed with a legal eye. But the people who offer PGP and BlowFish have covered all those issues fairly well and their source code is open source (with some variations of the license).

pgp.com
gnupg.org

blowfish: www.schneier.com

It seems that this kind of implementation could be done by another developer who would stand behind his work. Either it conforms to the standard or it doesn't. If an implementation was done incorrectly, the developer could fix it.

Such a mod would be good for providing secure data to customers by protecting it from prying eyes. I don't think this is needed as part of the core of NB.


$.02
David P

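Added example, not part of the thread and not the plug-in's code: the download check described in the post above, in Python with `hashlib` standing in for the plug-in. It hashes a constructed 1 MiB file and a same-size copy with one bit flipped, shows that a file and a 5 character string both give a 16-byte MD5, and runs the same check with SHA-256; the file names, function names and sample data are assumptions.

```python
import hashlib
import hmac
import os
import tempfile

def file_digest(path, algorithm="md5", chunk_size=65536):
    """Hash a file in binary mode, chunk by chunk, so file size does not matter."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_download(path, published_hex, algorithm="md5"):
    """True only if the file's digest equals the value the publisher announced."""
    expected = published_hex.strip().lower()
    return hmac.compare_digest(file_digest(path, algorithm), expected)

def demo():
    # Constructed sample data: a 1 MiB "release" and a same-size copy
    # with a single bit flipped in the middle.
    original = bytes(range(256)) * 4096
    tampered = bytearray(original)
    tampered[500_000] ^= 0x01
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "release.bin")
        bad = os.path.join(d, "release_tampered.bin")
        for path, data in ((good, original), (bad, bytes(tampered))):
            with open(path, "wb") as f:
                f.write(data)
        published_md5 = file_digest(good, "md5")
        published_sha256 = file_digest(good, "sha256")
        return {
            "same_size": os.path.getsize(good) == os.path.getsize(bad),
            "file_digest_bytes": len(bytes.fromhex(published_md5)),
            "string_digest_bytes": len(hashlib.md5(b"hello").digest()),
            "good_md5": verify_download(good, published_md5),
            "bad_md5": verify_download(bad, published_md5),
            "good_sha256": verify_download(good, published_sha256, "sha256"),
            "bad_sha256": verify_download(bad, published_sha256, "sha256"),
        }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check is only as good as the channel the published digest arrives over: a digest fetched from the same server as the file can be replaced along with the file.
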