LOGIN
~~~~~
By Lennert Sluyk (Sluykie@hotmail.com) (C) May 1999

A password protection program for the Psion Organiser II LZ/LZ64.



Although the Psion LZ has a password protection built in,
I decided to write one of my own for two reasons.

1. To use it as a login for the money manager so that not anyone
   having access to my organiser can see my bank balance (provided
   they don't know they can access the file MONEY using Xfiles
   from the main menu).

2. To use it as an alternative for the normal password
   protection to show owner id when the organiser is
   turned on (much like LOCK, but taking full advantage of
   the bigger LZ screen and scrambling the password in the
   file (which is not done in LOCK so the password can easily
   be retrieved)).

LOGIN lets the user set a login name, a password and owner info.
When LOGIN is run for the first time, the user is asked to set the
owner info. Four strings of up to 20 characters can be used for this.
Then the login name and password must be inputted. When setting the
password, it is asked for twice, to take out typos. The actual
letters are not shown on screen, instead "#" is printed for every
character of the password.

The organiser is then switched off. When switching the organiser on
again, the owner info is shown. Pressing MODE continues, any other
key switches the organiser off.

When MODE is pressed, the login name and password have to be entered.
If both are correctly entered, access to the organiser is granted.
Otherwise the organiser is switched off again and a wrong entry is
recorded.


NOTES ON LOGIN
~~~~~~~~~~~~~~
The length of both login and password must be at least 1 character
and may not exceed 8 characters.

Creating the access key requires some time, so there is a small
delay in granting access.

All info is saved in the first record of a file on A: called
LOGIN.ODB.

To change the password simply delete the file A:LOGIN.

Altering the access key in A:LOGIN can be detected by LOGIN (see
below on how the key is created). A "PASSWORD CORRUPTED" warning
is shown and the organiser is NOT switched off.

Both login name and password are case sensitive.

When entering the password DEL deletes the last typed character.
ON clears the input. When setting the password, ON quits without
saving information (first ON clears input, second ON STOPs).

Wrong logins are recorded in A:MAIN. A warning is shown and you
can look them up using the search key "xxx".

CREATE KEY
~~~~~~~~~~
The access key is created as follows.

The length of login name and password varies between 1 and 8
(8 possibilities). When both lengths are used to calculate a single
number, a maximum of 64 (8^2) different possible numbers remain.
Let a%=LEN(login$) and b%=LEN(passw$). The two variable function
f(a%,b%)=8*(b%-1)+a% generates a unique value in the interval
[1..64] for every combination of a% and b%.
This number is then used as the seed in RANDOMIZE to create a
unique set of numbers used to fill out both the password and the
login name to LEN=8 using the characters in the original login and
password strings as well as creating encryption arrays, as explained
later.

Then the ASCII codes of the characters are put into an array,
l%(1..8) for the login name and p%(1..8) for the password. Also, two
random arrays, el%(1..8) and ep%(1..8), are created.

Next step is calculating x%=l%(i%)+el%(i%) and y%=p%(i%)+ep%(i%).
These numbers must be in the interval [123..255]. If they are not,
133 is subtracted until they are. Characters 123 till 255 are all
non-keyboard characters. Depending on the counter i%, CHR$(x%) is
added to el$ and CHR$(y%) to ep$ or vice versa. This is continued
until LEN(el$)=LEN(ep$)=8. Both strings are added to create one
string of length 16.

Because of the unique seed resulting from the length of both login
and password, along with using the characters in the original
strings, I honestly believe that the original password and login
cannot be retrieved from the access key k$, without knowing both
the algorithm used to create k$, the length of the login name AND the
length of the password. Even if all this information is available, I
still think it'll be a lot of work to figure out the login and
password.
However, I can't guarantee this. Neither can I guarantee that two
different combinations of login name and password do not result in
the same access key.

Before locking the organiser a check is done on the access key in
the file A:LOGIN for characters with ASC<123. This is to assure that
when a vandal thinks he can screw up your password by altering the
key in A:LOGIN this is detected before you are locked out of your own
organiser. When Jaap Scherphuis' KEYS111 is installed and the vandal
knows how to insert non-keyboard characters, the password can still
be corrupted. So my advice remains not to leave your organiser
unattended with people you don't trust and who know how to use the
organiser.

(C) 30.05.99 Lennert Sluyk
======================================================================

SCRAMBLING EXAMPLE
Suppose
Login: BARRY
Passw: 45ZXC7V

Step 1:
~~~~~~~
a%=LEN(login$)=5 and b%=LEN(passw$)=7
As both strings contain less than 8 characters, they need to be
filled out by adding random characters from the string to the end.

First set the seed using RANDOMIZE.
RANDOMIZE 53 (RANDOMIZE 8*(b%-1)+a%)

Login is filled out by taking 3 random characters out of the set
BARRY and adding those to the end. The same is done with the
password, except 1 random character is taken from the set 45ZXC7V.

Results:
BARRYRBR  45ZXC7VX
     ^^^         ^

The ASCII codes of both strings are saved to two arrays, l%() and
p%(). Also, 2 random arrays el%() and ep%() are created. These random
arrays contain numbers in the range 123..255, which are all
non-keyboard characters.
To encrypt the login and password strings, two calculations are
performed: x%=l%(i%)+el%(i%) and y%=p%(i%)+ep%(i%) for the login
and password respectively. If the result is greater than 255 (out of
range) then 133 is subtracted until the result is in the allowable
range [123..255].

Results:
i% | l% | p% | el% | ep% | x%  | y%
   |    |    |     |     |     |
 1 | 66 | 52 | 155 | 129 | 221 | 181
 2 | 65 | 53 | 160 | 123 | 225 | 176
 3 | 82 | 90 | 134 | 169 | 216 | 126
 4 | 82 | 88 | 127 | 232 | 209 | 187
 5 | 89 | 67 | 151 | 181 | 240 | 248
 6 | 82 | 55 | 130 | 177 | 212 | 232
 7 | 66 | 86 | 233 | 231 | 166 | 184
 8 | 82 | 88 | 206 | 180 | 155 | 135

Using the CHR$() function the final step merely consists of creating
a string of non-keyboard characters using x% and y%.
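
The arithmetic of the worked example above, as an added Python example
(not the author's OPL code): it recomputes x% and y% from the table's
values and checks whether the step can be undone once el%() and ep%()
are known. The el%/ep% values are copied from the table because the
Organiser's RANDOMIZE sequence is not reproduced here, and the lower
bound 32 for keyboard characters is an assumption.

```python
# Added example. EL/EP are copied from the README's results table; they are
# not generated here because the Organiser's RANDOMIZE/RND is not reproduced.
LOGIN_PADDED = "BARRYRBR"
PASSW_PADDED = "45ZXC7VX"
EL = [155, 160, 134, 127, 151, 130, 233, 206]
EP = [129, 123, 169, 232, 181, 177, 231, 180]

HIGH, STEP = 255, 133          # top of the non-keyboard range, README's step
KEY_LOW, KEY_HIGH = 32, 122    # assumed keyboard range (README: 123+ is not)

def seed(login, passw):
    """f(a%,b%) = 8*(b%-1)+a% from the CREATE KEY section."""
    a, b = len(login), len(passw)
    if not (1 <= a <= 8 and 1 <= b <= 8):
        raise ValueError("login and password must be 1..8 characters")
    return 8 * (b - 1) + a

def all_seeds():
    """Every seed the length pair can produce: the whole pad space."""
    return {8 * (b - 1) + a for a in range(1, 9) for b in range(1, 9)}

def scramble(text, pad):
    """x% = l%(i%) + el%(i%), minus 133 until the result is <= 255."""
    out = []
    for ch, r in zip(text, pad):
        v = ord(ch) + r
        while v > HIGH:
            v -= STEP
        out.append(v)
    return out

def unscramble(codes, pad):
    """Undo scramble() for a known pad; fails if no keyboard char fits."""
    out = []
    for v, r in zip(codes, pad):
        fits = [c for c in (v - r, v - r + STEP) if KEY_LOW <= c <= KEY_HIGH]
        if len(fits) != 1:
            raise ValueError(f"code {v} does not match pad value {r}")
        out.append(chr(fits[0]))
    return "".join(out)

if __name__ == "__main__":
    x = scramble(LOGIN_PADDED, EL)
    y = scramble(PASSW_PADDED, EP)
    print(seed("BARRY", "45ZXC7V"), len(all_seeds()))
    print(x, unscramble(x, EL))
    print(y, unscramble(y, EP))
```

The two candidates tried in unscramble() differ by 133, which is wider
than the assumed keyboard range, so at most one of them can fit. The
seed takes only 64 values, so the protection rests on the random arrays
staying unknown rather than on the addition itself.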



-----------------------------------------------------------------------------
Jaap's Psion II page:                           http://www.jaapsch.net/psion/
