comp.lang.ada
From: Jonathan Guthrie <jguthrie@brokersys.com>
To: jm59@prism.gatech.edu
Subject: Re: MD5 Function in Ada
Date: 1997/06/04
Message-ID: <Pine.LNX.3.91.970604091908.3334A-100000@weck.brokersys.com>
In-Reply-To: 199706041300.JAA27378@acmey.gatech.edu


On Wed, 4 Jun 1997, MILLS,JOHN M. wrote:

> In comp.lang.ada you write:
>
> >Is there any available source for calculating MD5 hashes in Ada?
>
> If you don't find a verified source, would it be acceptable to link
> the C-language object into your Ada?  Of course this wouldn't be "pure Ada,"
> but I would still prefer that to verifying a non-trusted source for such
> security-critical functions as MD5 commonly provides.  If you can't find
> the C source publicly, I must have an archive address somewhere.
>
> Sorry for not addressing your question directly.

That's okay.  I actually expected someone to suggest linking in a C source
file.  As a matter of fact, I have two different MD5 implementations in C
source (and I could type in the one in APPLIED CRYPTOGRAPHY if I wanted a
third.) I just don't want to have to figure out how to call C code from
Ada in order to implement this.  This is not for a money-making project
(like the guy who's looking for the socket stuff, it's actually intended
to be a learning experience for me) so I don't care if I approach the 
project in the most efficient manner possible or not.

In any case, I don't think that verifying the source is that big a deal. 
The reason is because of the way that MD5 hashes are usually used.  If I
choose my test suite at "random", it is highly unlikely that someone would
be able to create a function that generates the proper MD5 hashes for all
the files in the test suite but has some security hole when used in
practice. 

So, if I have a test set of, oh, a dozen or so files (both large and small),
I can compare the hashes with the MD5 generator I'm currently using and
it will be immediately obvious if the algorithm hasn't been implemented
correctly.

It will also be obvious if something is broken (and, from my perspective, 
security holes are equivalent to a broken implementation, for reasons 
that I hope will soon be clear) the first time I use a bad implementation 
because of the application for which I want this.  What I'm trying to do 
is implement a RADIUS (Remote Authentication for Dial-In User Services) 
server.  I'm currently looking at implementing this in Ada, Modula-3, and 
Scheme.  (I will, no doubt, pick one language before I go very much 
farther.)

RADIUS uses an MD5 hash on parts of the message to encrypt the parts that 
must be kept secret.  Since both the server end and the client end must 
generate the same hash for it to work, and with a client that works 
with a verified MD5 hash generator, it is impossible for a broken 
implementation to work at all.

A RADIUS server would make a good project because although RADIUS has 
been widely deployed, (we use RADIUS here at IBS for authenticating most 
of our callers) there are but two RADIUS servers widely used.  The MERIT 
server doesn't work.  (I can get it to run for as long as two hours at a 
time.)  The Livingston server works, but it's not easily modifiable and 
it's fairly nonportable.  What I'd like to do is create a server that 
is more modular (my model is the Apache Web server) so that end users can 
write modules to link in to the executable and add to or modify the 
server's functionality without digging through half the source.

The languages that I listed all have various strengths and weaknesses, but
although I have good free compilers for all three languages, I have no MD5
code in any of them.  Ada's main strength is standardized multithreading
support on a diverse collection of platforms, and it's the language I'm
least experienced with.  (That's an advantage because it enhances the
effect of the "learning experience".)  Modula-3 has socket support and
built-in multithreading on multiple platforms, but I'm more familiar with
it.  Scheme (a Lisp variant, for those who don't know) matches the problem
domain the best of the three, but has the least support for sockets,
threading, and bit-twiddling.

--  
Jonathan Guthrie (jguthrie@brokersys.com)
Information Broker Systems   +281-895-8101   http://www.brokersys.com/
12703 Veterans Memorial #106, Houston, TX  77014, USA

We sell Internet access and commercial Web space.  We also are general
network consultants in the greater Houston area.
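
The post makes two points that are easy to see in running code: a freshly ported MD5 can be checked against published known answers and against a generator you already trust, and RADIUS uses MD5 only to hide the User-Password attribute, so a wrong MD5 simply fails to interoperate. The block below is an added example written for this thread, not code from the post or from any RADIUS server it mentions. It is Python rather than Ada so it can be run as-is; the MD5 follows RFC 1321, the test vectors are the ones from RFC 1321 appendix A.5, and the password hiding follows RFC 2865 section 5.2. Function names (`failing_vectors`, `matches_trusted_generator`, `radius_hide_password`, `radius_reveal_password`, `interoperates`), the shared secret, the password and the 16-byte Request Authenticator are all constructed for the example; `broken_md5` stands in for a port with an off-by-one in its padding.

```python
"""MD5 from RFC 1321, checked as the post suggests, then used the way RADIUS
(RFC 2865 section 5.2) uses it.  Example code; names and sample values are
constructed for illustration."""
import hashlib
import math
import struct

MASK32 = 0xFFFFFFFF
# Per-round rotation amounts and the sine-derived constants K[i] from RFC 1321.
_S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
_K = [int(abs(math.sin(i + 1)) * 2 ** 32) & MASK32 for i in range(64)]


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md5(data: bytes) -> bytes:
    """MD5 of a byte string; returns the 16-byte digest."""
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    # Padding: a 1 bit, zeros up to 56 mod 64, then the bit length as little-endian u64.
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    for off in range(0, len(msg), 64):
        m = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(64):
            if i < 16:
                f, g = (b & c) | (~b & d), i
            elif i < 32:
                f, g = (d & b) | (~d & c), (5 * i + 1) % 16
            elif i < 48:
                f, g = b ^ c ^ d, (3 * i + 5) % 16
            else:
                f, g = c ^ (b | ~d), (7 * i) % 16
            f = (f + a + _K[i] + m[g]) & MASK32
            a, d, c, b = d, c, b, (b + _rotl(f, _S[i])) & MASK32
        a0, b0 = (a0 + a) & MASK32, (b0 + b) & MASK32
        c0, d0 = (c0 + c) & MASK32, (d0 + d) & MASK32
    return struct.pack("<4I", a0, b0, c0, d0)


def broken_md5(data: bytes) -> bytes:
    """Stand-in for a bad port: an off-by-one in the padding (constructed defect)."""
    return md5(data + b"\x00")


# Known answers from RFC 1321 appendix A.5; the last one spans two 64-byte blocks.
RFC1321_VECTORS = [
    (b"", "d41d8cd98f00b204e9800998ecf8427e"),
    (b"a", "0cc175b9c0f1b6a831c399e269772661"),
    (b"abc", "900150983cd24fb0d6963f7d28e17f72"),
    (b"message digest", "f96b697d7cb7938d525a2f31aaf161d0"),
    (b"abcdefghijklmnopqrstuvwxyz", "c3fcd3d76192e4007dfb496cca67e13b"),
    (b"1234567890" * 8, "57edf4a22be3c955ac49da2e2107b67a"),
]


def failing_vectors(digest) -> list:
    """Inputs whose digest disagrees with RFC 1321; an empty list means all pass."""
    return [msg for msg, hexd in RFC1321_VECTORS if digest(msg).hex() != hexd]


def matches_trusted_generator(digest, samples) -> bool:
    """The post's check: compare with a generator already trusted (hashlib here)."""
    return all(digest(s) == hashlib.md5(s).digest() for s in samples)


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes, digest=md5) -> bytes:
    """RFC 2865 5.2: NUL-pad to a multiple of 16, then
    c1 = p1 XOR MD5(S + RA) and c_n = p_n XOR MD5(S + c_(n-1))."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], digest(secret + prev)))
        hidden += block
        prev = block
    return hidden


def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes, digest=md5) -> bytes:
    """Inverse of radius_hide_password; the receiver chains on the hidden blocks."""
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        plain += bytes(h ^ b for h, b in zip(hidden[i:i + 16], digest(secret + prev)))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")  # padding is NULs, so a password cannot end in NUL


def interoperates(client_digest, secret=b"constructed-secret", password=b"constructed-pw") -> bool:
    """Client hides with its own MD5, server reveals with the trusted one.
    The authenticator is a constructed value; a real one is random per request."""
    ra = bytes(range(16))
    hidden = radius_hide_password(password, secret, ra, client_digest)
    server = radius_reveal_password(hidden, secret, ra, lambda b: hashlib.md5(b).digest())
    return server == password
```

`failing_vectors(md5)` returns an empty list and `interoperates(md5)` is true, while `broken_md5` fails both checks: the server side decodes garbage instead of the password, which is exactly the "cannot work at all" behaviour the post describes. The `rstrip` on reveal is the one RADIUS edge case worth knowing: because padding is NUL bytes, a password that itself ends in NUL is not representable.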