TAA Tools
HASH            HASH TWO FIELDS                        TAACLQG
The Hash  Two Fields command  provides for two  fields to be  input and
returns  a  10 byte  hash  value.   The  command can  be  used for  any
purpose where a hash value is needed.

A HASH command in a CL would appear as:

             DCL           &INPUT1 *CHAR LEN(256)
             DCL           &INPUT2 *CHAR LEN(10) VALUE('...')
             DCL           &OUTPUT *CHAR LEN(10)
              .
             HASH          INPUT1(&INPUT1) INPUT2(&INPUT2) +
                             OUTPUT(&OUTPUT)

Typical use
-----------

Hash  values can  be an  effective security  measure.  For  example, if
you are passing  a value  to a program  that needs  to be available  to
the *PUBLIC  and you are concerned  about a misuse of  the program, you
may  also  pass a  hash value  that can  be  checked by  the non-secure
program.

Assume PGMA  develops  some  data that  needs  to be  executed  by  the
non-secure PGMB.   PGMA would generate a  hash value based on  a secret
code known only to PGMA and PGMB.  The code would look as follows:

   /* PGMA which develops the function to be performed and the hash */
              .
             DCL           &INPUT1 *CHAR LEN(256)
             DCL           &INPUT2 *CHAR LEN(10) VALUE('secret....')
             DCL           &HASH *CHAR LEN(10)
              .
             CHGVAR        &INPUT1 'The function to be performed ...')
             HASH          INPUT1(&INPUT1) INPUT2(&INPUT2) +
                             OUTPUT(&HASH)
             CALL          PGMB PARM(&INPUT1 &HASH)

   /* PGMB checks the hash value and performs the function */
             PGM           PARM(&INPUT1 &HASH)
             DCL           &INPUT1 *CHAR LEN(256)
             DCL           &INPUT2 *CHAR LEN(10) VALUE('secret....')
             DCL           &HASH *CHAR LEN(10)
             DCL           &OUTPUT *CHAR LEN(10)
             DCL           &JOB *CHAR LEN(10)
             DCL           &USER *CHAR LEN(10)
             DCL           &NBR *CHAR LEN(6)
             HASH          INPUT1(&INPUT1) INPUT2(&INPUT2) +
                             OUTPUT(&OUTPUT)
             IF            (&HASH *NE &OUTPUT) DO /* Not same hash */
             RTVJOBA       JOB(&JOB) USER(&USER) NBR(&JOBNBR)
                           /* Send a message to a security     */
                           /*   officer message queue          */
             SNDPGMMSG     MSG('Invalid attempt was made to +
                             use PGMB by ' *CAT &JOBNBR *TCAT +
                             '/' *CAT &USER *TCAT '/' *CAT +
                             &JOB) TOMSGQ(xxxx)
             SNDESCMSG     MSG('An invalid value was passed +
                             to PGMB')
             ENDDO         /* Not same hash */
                           /* Good hash value - Do normal processing */

To prevent improper use of the HASH command, a few checks are made:

  **   Neither &INPUT1 nor &INPUT2 can be all blanks or all X'00'.

  **   &INPUT1  must have at least  25 non-blank values.   You must pad
       out the value if you are passing less than 25 characters.

  **   &INPUT2 (the  secret  field)  must have  at  least  7  non-blank
       values.

Calling the CPP directly
------------------------

For  better protection,  you  may  call  the CPP  TAACLQGR  in  TAATOOL
directly with the following parameters:

          INPUT1   *CHAR   LEN(256)
          INPUT2   *CHAR   LEN(10)
          OUTPUT   *CHAR   LEN(10)

Security considerations
-----------------------

The  intent of  the HASH  command is  for security  sensitive programs.
The  algorithm used  to develop  the hash value  is designed  so that a
slight change in  either the INPUT1 or  INPUT2 values tends to  produce
a  totally different hash  value.   Because of  the technique  used, it
should  be difficult  for  a user  to break  the hashing  technique and
determine the secret code.

As  with any  such  technique,  it  is  never  failsafe  and  you  must
consider the use.

Demonstration command
---------------------

A demonstration  command (DMOHASH)  exists that will  allow you  to try
various values to check how the HASH command will react.

       DMOHASH    INPUT1(xxxx) INPUT2(xxxx)

A message will be sent displaying the generated hash value in hex.

HASH Command parameters                               *CMD
-----------------------

   INPUT1        The  first value to  be hashed.   It can be  up to 256
                 bytes in  length.   It  must  not be  all  blank,  all
                 X'00', and must  contain at least 25 non-blank  or non
                 X'00' characters.

                 This  is   normally  the  field   that  contains  some
                 function to be performed.

                 If  you are  calling a  program that  does not require
                 data  to be  passed  to  it,  pass any  string  of  25
                 bytes.

                 If you  are passing data  that is less than  25 bytes,
                 you must pad it out to 25 bytes of data.

                 If  you are  passing a  command string to  be executed
                 using QCMDEXC and it is  shorter than 25 bytes, add  a
                 comment (/* ..   */) to pad out to  at least 25 bytes.

   INPUT2        The  second value to  be hashed.   It can be  up to 10
                 bytes in  length.   It  must  not be  all  blank,  all
                 X'00', and  must contain at  least 7 non-blank  or non
                 X'00' characters.

                 This  is normally  the  field that  contains  a secret
                 code  that  is only  known between  two or  more valid
                 programs.

   OUTPUT        The  hash  field  that  is  returned.     It  must  be
                 specified as  *CHAR LEN(10) and the  bytes may contain
                 values that are non-displayable.

DMOHASH Command parameters                            *CMD
--------------------------

   INPUT1        The  value to be  hashed.  It  must not  be all blank,
                 all X'00', and must contain  at least 25 non-blank  or
                 non X'00' characters.

   INPUT2        The second  value to be  hashed.  It  must not  be all
                 blank,  all   X'00',  and  must  contain  at  least  7
                 non-blank or non X'00' characters.

Restrictions
------------

  **   Because the command returns a variable,  it can only be used  in
       a CL program.

  **   See the previous restrictions for INPUT1 and INPUT2.

Prerequisites
-------------

The following TAA Tools must be on your system:

     CVTHEX          Convert hex
     SNDESCMSG       Send escape message

Implementation
--------------

None, the tool is ready to use.

Objects used by the tool
------------------------

   Object        Type    Attribute      Src member    Src file
   ------        ----    ---------      ----------    ----------

   HASH          *CMD                   TAACLQG       QATTCMD
   DMOHASH       *CMD                   TAACLQG2      QATTCMD
   TAACLQGC2     *PGM       CLP         TAACLQGC2     QATTCL
   TAACLQGR      *PGM       RPG         TAACLQGR      QATTRPG

Note that the RPG program is the CPP for HASH.

Structure
---------

HASH          Cmd
  TAACLQGR      RPG

DMOHASH       Cmd
  TAACLQGC2     CL
					

Added to TAA Productivity tools May 1, 1996


Home Page Up to Top