On Thu, 22 May 2008 09:17:34 -0500, Dave Cartwright <[EMAIL PROTECTED]> wrote:
>On Wed, 21 May 2008 12:19:16 -0500, Chase, John <[EMAIL PROTECTED]> >wrote: > >> >>You could also have said (truthfully) that RACF doesn't store passwords. >>As documented in the SecAdmin Guide, RACF uses the tendered password as >>a key to one-way encrypt the userID, and stores the encrypted userID. >>Thus, it is (remotely) possible that a given userID could have more than >>one valid password at a given time. >> > > >I'm now wondering if this is an urban myth. At the GSE LSWG meeting last >Tuesday Ray Evans the IBM UK Penetration Testing Manager claimed several >times to be able to recover passwords from a copy of the RACF database. I >have a recording of the presentation. I hope this doesn't get him into trouble >as it was a very good presentation. >Look after your RACF D/B - security begins at home. No, it's not an urban myth. Properly configured (to use DES (the default), rather than masking), RACF does not store a user's password on the DB. It encrypts the user ID using a slight modification of the password, and saves the encrypted result. All you can do, assuming you can read the DB to extract the encrypted value, is a brute force attack where you propose a password, encrypt the user ID, and see if it matches. That's a significant amount of work, though of course: (a) machines are getting faster, and the work can perhaps be split across many machines. (b) overly restrictive password rules can reduce the amount of work. Note, though, that this kind of attack requires either the ability to run an APF-authorized program on the system, or physical access to a copy of the database, in order to retrieve the encrypted value. -- Walt Farrell, CISSP IBM STSM, z/OS Security Design ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
