

                    *************************************
                    *                                   *
                    *          DB/C Newsletter          *
                    *          September 2003           *
                    *                                   *
                    *************************************


                              News and Comments

     The DB/C programming language is a domain-specific language; it is not
a general purpose programming language.  DB/C was designed specifically for
writing business applications.  As such it is very good at things like fixed
decimal arithmetic, indexed file handling, and user interaction.  DB/C wasn't
designed for computationally intensive things like encryption algorithms.
However, in the last few years, the speed of small computers (desktops and
servers) has increased dramatically.  Because of this, it is now possible
to successfully run certain programs and algorithms in the DB/C DX runtime
that previously would have run much too slowly to be useful.

     This month's newsletter article is about writing two such algorithms -
Blowfish and MD5 - in the DB/C programming language.  As always, we appreciate
your comments about this article.  You can send your comments directly to me,
or if you are so inclined, you can make your comments public on dbctalk.

                                                     don.wills@dbcsoftware.com

******************************************************************************

                       Blowfish and MD5 Written in DB/C

     Encryption and authentication are very important to the acceptance
of electronic commerce.  They provide the security necessary for people
to trust the systems that provide for moving money and data electronically.

     Encryption-decryption algorithms provide the secrecy necessary to be
able to move information over public, untrusted channels so that only the
receiver can understand the information.  The computer science of encryption
algorithms is still maturing.  A variety of algorithms have been used for
the past 30 years.  As computer hardware gets faster, older algorithms have
been shown to be insecure - they can be broken by the really fast computation
available today.  Thus, better algorithms have been invented that can't be
broken by computers available today or in the near future.  Blowfish is
one such algorithm.

     Authentication algorithms provide the assurance that data being
transmitted over public, untrusted channels is not altered during its
travel.  In a nutshell, an authentication algorithm creates a fingerprint
that is unique for a block of data.  The MD5 algorithm is the generally
accepted standard for authentication.

     The ability to write Blowfish, MD5, and other numerically intensive,
32 bit integer-based algorithms in DB/C is now feasible because of two new
features of DB/C DX 13 - the ROTATE verb (which rotates bits left or right
in a 32 bit integer) and the extension of AND, OR, XOR, and NOT to 32 bit
integers.  The programs discussed in this article can be downloaded from
the Sample Code page at www.dbcsoftware.com.

     This Blowfish summary is found at www.counterpane.com/blowfish.html:

       "Blowfish is a symmetric block cipher that can be used
        as a drop-in replacement for DES or IDEA. It takes a
        variable-length key, from 32 bits to 448 bits, making
        it ideal for both domestic and exportable use. Blowfish
        was designed in 1993 by Bruce Schneier as a fast, free
        alternative to existing encryption algorithms. Since
        then it has been analyzed considerably, and it is slowly
        gaining acceptance as a strong encryption algorithm.
        Blowfish is unpatented and license-free, and is available
        free for all uses."
 
     'Symmetric' means that the same key is used for both encryption and
decryption.  'Block cipher' means that more than one byte is encrypted
at a time.  Blowfish encrypts eight bytes at a time.  Because of the
block nature of the algorithm, a padding algorithm is required for real
world use.  The demonstration DB/C program does not provide padding and
thus will only work correctly with text whose length is an exact multiple
of eight.  The demonstration program also does not provide a decryption
function.  Blowfish decryption is very similar to encryption, so a
decryption program would be very similar to the encryption program.

     The DB/C sample code for Blowfish is implemented using the user-verb
and object-oriented features of the DB/C language.  The encryption code
is in the 'blowfish.prg' source file.  The user-verb declarations are in
the 'blowfish.vrb' source file.  The file 'bftest.prg' is a program that
shows how to use the sample code.

     The MD5 algorithm is an Internet (IETF) standard - specifically
RFC 1321.  The details can be found at www.faqs.org/rfcs/rfc1321.html.
Here is a summary from RFC 1321 that describes MD5:

       "The [MD5] algorithm takes as input a message of arbitrary
        length and produces as output a 128-bit "fingerprint" or
        "message digest" of the input. It is conjectured that it
        is computationally infeasible to produce two messages
        having the same message digest, or to produce any message
        having a given prespecified target message digest. The MD5
        algorithm is intended for digital signature applications,
        where a large file must be "compressed" in a secure manner
        before being encrypted with a private (secret) key under
        a public-key cryptosystem such as RSA."


     An MD5 fingerprint can be thought of as a sophisticated checksum.
MD5 fingerprints can be used to guarantee data integrity while downloading
files.  For example, Redhat supplies MD5 fingerprints of all downloadable
files on the download pages of their web site.  This allows users to compare
the actual MD5 fingerprints of the files after downloading to the expected
fingerprints.  If the actual and expected fingerprints are equal, the user
is assured that the file was not corrupted during the download process.
In UNIX, the 'md5' command can be used to generate the MD5 fingerprint of
a file.
 
     The DB/C sample code for MD5 is implemented using the user-verb
feature of the DB/C language.  The actual MD5 code is in the 'md5.prg'
source file.  The file 'md5test.prg' is a program that shows how to use
the sample code.

     The DB/C sample code for MD5 processes data at about 40,000 characters
per second on a 2GHz Windows computer.  This is slower than similar code
written in C, but should be acceptable for most real world uses.



******************************************************************************

                          DB/C DX Class Schedule

   Class:     DB/C DX Fundamentals
   Date:      December, 2003
   Location:  Oak Brook, Illinois

For information, send email to admin@dbcsoftware.com.


******************************************************************************
 
                    Subscribing to the DB/C Newsletter

     If you don't already have the DB/C Newsletter delivered to your email
address and would like to have it emailed to you monthly, just send an
email message to 'dbcnews-subscribe@dbcsoftware.com'.  The newsletter will
be delivered to the email address from which the message was sent.