From: Jonathan Guthrie
Subject: Re: MD5 Function in Ada
Date: 1997/06/04
References: <199706041300.JAA27378@acmey.gatech.edu>
To: jm59@prism.gatech.edu
Organization: Houston Area League of PC Users
Newsgroups: comp.lang.ada

On Wed, 4 Jun 1997, MILLS,JOHN M. wrote:

> In comp.lang.ada you write:
> >Is there any available source for calculating MD5 hashes in Ada?
> If you don't find a verified source, would it be acceptable to link
> the C-language object into your Ada? Of course this wouldn't be "pure Ada,"
> but I would still prefer that to verifying a non-trusted source for such
> security-critical functions as MD5 commonly provides. If you can't find
> the C source publically, I must have an archive address somewhere.
> Sorry for not addressing your question directly.

That's okay. I actually expected someone to suggest linking in a C source file. As a matter of fact, I have two different MD5 implementations in C source (and I could type in the one in APPLIED CRYPTOGRAPHY if I wanted a third.) I just don't want to have to figure out how to call C code from Ada in order to implement this.

This is not for a money-making project (like the guy who's looking for the socket stuff, it's actually intended to be a learning experience for me) so I don't care if I approach the project in the most efficient manner possible or not.

In any case, I don't think that verifying the source is that big a deal. The reason is because of the way that MD5 hashes are usually used.
If I choose my test suite at "random", it is highly unlikely that someone would be able to create a function that generates the proper MD5 hashes for all the files in the test suite but has some security hole when used in practice. So, if I have a test set of oh, a dozen or so files (both large and small) I can compare the hashes with the MD5 generator I'm currently using and it will be immediately obvious if the algorithm hasn't been implemented correctly. It will also be obvious if something is broken (and, from my perspective, security holes are equivalent to a broken implementation, for reasons that I hope will soon be clear) the first time I use a bad implementation because of the application for which I want this.

What I'm trying to do is implement a RADIUS (Remote Authentication for Dial-In User Services) server. I'm currently looking at implementing this in Ada, Modula-3, and Scheme. (I will, no doubt, pick one language before I go very much farther.) RADIUS uses an MD5 hash on parts of the message to encrypt the parts that must be kept secret. Since both the server end and the client end must generate the same hash for it to work, and with a client that works with a verified MD5 hash generator, it is impossible for a broken implementation to work at all.

A RADIUS server would make a good project because although RADIUS has been widely deployed, (we use RADIUS here at IBS for authenticating most of our callers) there are but two RADIUS servers widely used. The MERIT server doesn't work. (I can get it to run for as long as two hours at a time.) The Livingston server works, but it's not easily modifiable and it's fairly nonportable. What I'd like to do is create a server that is more modular (my model is the Apache Web server) so that end users can write modules to link in to the executable and add to or modify the server's functionality without digging through half the source.

The languages that I listed all have various strengths and weaknesses, but although I have good free compilers for all three languages, I have no MD5 code in any of them. Ada's main strength is standardized multithreading support on a diverse collection of platforms, and it's the language I'm least experienced with. (That's an advantage because it enhances the effect of the "learning experience".) Modula-3 has socket support and built-in multithreading on multiple platforms, but I'm more familiar with it. Scheme (a Lisp variant, for those who don't know) matches the problem domain the best of the three, but has the least support for sockets, threading, and bit-twiddling.

-- 
Jonathan Guthrie (jguthrie@brokersys.com)
Information Broker Systems +281-895-8101 http://www.brokersys.com/
12703 Veterans Memorial #106, Houston, TX 77014, USA

We sell Internet access and commercial Web space. We also are general
network consultants in the greater Houston area.
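
Added example, not part of the original post: a Python version of the check described above, comparing a candidate MD5 against a trusted one at block-boundary lengths and then running both through RADIUS User-Password hiding. It assumes the hiding scheme of RFC 2865 section 5.2; `broken_md5`, the function names, and all secrets and passwords are constructed for illustration.

```python
import hashlib
import os

# RFC 1321 appendix A.5 known-answer vectors.
KNOWN_ANSWERS = {
    b"": "d41d8cd98f00b204e9800998ecf8427e",
    b"a": "0cc175b9c0f1b6a831c399e269772661",
    b"abc": "900150983cd24fb0d6963f7d28e17f72",
}

def reference_md5(data):
    return hashlib.md5(data).digest()  # plays the trusted generator

def broken_md5(data):
    """Constructed faulty candidate: ignores input past 55 bytes,
    mimicking a padding bug that only shows on longer messages."""
    return hashlib.md5(data[:55]).digest()

def failing_lengths(candidate, lengths=(0, 1, 55, 56, 63, 64, 65, 119, 120, 4096)):
    """Input lengths at which candidate misses a known answer or the reference."""
    bad = {len(m) for m, d in KNOWN_ANSWERS.items() if candidate(m).hex() != d}
    for n in lengths:
        sample = os.urandom(n)  # constructed random test input
        if candidate(sample) != reference_md5(sample):
            bad.add(n)
    return sorted(bad)

def hide_password(md5, secret, authenticator, password):
    """c_i = p_i XOR MD5(secret + c_{i-1}), with c_0 = Request Authenticator."""
    padded = password.ljust(max(1, -(-len(password) // 16)) * 16, b"\0")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = md5(secret + prev)
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def recover_password(md5, secret, authenticator, hidden):
    """Server side: undo hide_password using the server's own MD5."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, md5(secret + prev)))
        prev = block
    return out.rstrip(b"\0")

def interoperates(client_md5, server_md5, secret, password=b"constructed-password-for-demo"):
    ra = os.urandom(16)  # Request Authenticator (constructed)
    hidden = hide_password(client_md5, secret, ra, password)
    return recover_password(server_md5, secret, ra, hidden) == password
```

With a 5-byte shared secret the faulty candidate still interoperates, because every MD5 input stays under 56 bytes; the length sweep in `failing_lengths` is what exposes it.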