The error can be easily demonstrated; see one of my earlier posts. But I'm only
a security consultant and I don't work for one of those companies paying
millions yearly to IBM, so I guess it has high chances to be ignored. Wishful
thinking: that IBM, if they decide to change the algorithm, will learn the
advantages of open, secure and open-to-debate cryptography over secret,
obfuscated and most often broken schemes.


Costin



________________________________
 From: Tony Harminc <t...@harminc.net>
To: IBM-MAIN@LISTSERV.UA.EDU 
Sent: Wednesday, 4 September 2013, 17:45
Subject: Re: RACF Database protection
 

On 4 September 2013 04:07, Costin Enache <e_cos...@yahoo.com> wrote:
> It may not be APARable. Even if you fix the bug, what do you do with the old 
> password phrases? Maybe update the RACF database with a secure hash value 
> once the user logs in (to add the previously discarded hash bytes), but the 
> system cannot know if the correct password phrase has been used (and not one 
> of the others which also work). Or just invalidate the old phrases. The 
> system does not store enough hash bytes to decide which password is the 
> correct one ... in any case it would be a mess. The bug cannot be used to 
> brute-force authentication (the account will be locked before one can benefit 
> from the collisions) and, in case the RACF db is exposed, it is easy to crack 
> the hashes anyway, the collisions are not really needed. It will probably 
> just stay as it is :)

Not all APARs are opened for what seems to be their obvious reason. It
may well be that, with nothing beyond reported weaknesses in phrase
handling, there is nothing to APAR - even more the case if it is based
on reports from a third party's analysis rather than a customer's
business problem. But an easily demonstrable error (accepting the
wrong phrase and allowing logon) is blatant enough to perhaps get
action, and if the necessary action is to redesign the whole scheme
(or provide for customer/ISV supplied encryption routines, as is done
for passwords), then they might just do it. I'm sure it's not that the
IBM developers don't want to fix it; it's a matter of IBM management
devoting sufficient time and budget to it. And that requires a
customer squeaky wheel.

Tony H.
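The exchange above turns on one property: the stored record keeps fewer bytes than the phrase digest produces, so more than one phrase verifies, and a "re-store the full hash on next logon" repair cannot tell which of those phrases is the genuine one. The following Python is an added illustration of that property, not code from this thread and not RACF's actual algorithm: a salted SHA-256 stands in for whatever the product computes, the salt, phrases and candidate list are constructed, and `make_record` / `verify` / `upgrade_record_on_login` are hypothetical names. Keeping only one digest byte exaggerates the effect so it is visible over a few thousand candidates.

```python
import hashlib
import hmac

# Constructed, simplified model of a password-phrase verifier. It is an added
# example for this thread, not RACF's algorithm: a plain salted SHA-256 stands
# in for whatever the real product computes, and the only property modelled is
# "the stored record keeps fewer bytes than the digest produces".

SALT = b"constructed-example-salt"  # constructed; a real store salts per user


def full_digest(phrase: str, salt: bytes = SALT) -> bytes:
    """Complete digest of the phrase (simplification: one SHA-256 round)."""
    return hashlib.sha256(salt + phrase.encode("utf-8")).digest()


def make_record(phrase: str, keep_bytes: int, salt: bytes = SALT) -> bytes:
    """Enrol a phrase, storing only the first keep_bytes of its digest.

    keep_bytes == 32 models a correct store; smaller values model the
    defect the thread describes (digest bytes discarded at enrolment).
    """
    return full_digest(phrase, salt)[:keep_bytes]


def verify(candidate: str, record: bytes, salt: bytes = SALT) -> bool:
    """Accept the candidate if its digest matches the bytes that were kept."""
    digest = full_digest(candidate, salt)[: len(record)]
    return hmac.compare_digest(digest, record)


def accepted_phrases(candidates, record: bytes, salt: bytes = SALT):
    """Every candidate the verifier would let in under this record."""
    return [c for c in candidates if verify(c, record, salt)]


def upgrade_record_on_login(candidate: str, record: bytes, salt: bytes = SALT):
    """Model the proposed repair: re-store the full digest after a logon.

    Returns the new full-length record, or None if the candidate is rejected.
    The verifier can only check the truncated record, so whichever accepted
    phrase is presented first is the one that gets locked in.
    """
    if not verify(candidate, record, salt):
        return None
    return full_digest(candidate, salt)


def demo():
    correct = "correct horse battery staple"            # constructed phrase
    candidates = [f"phrase-{i}" for i in range(8192)]   # constructed inputs
    candidates.append(correct)

    full_record = make_record(correct, 32)
    truncated_record = make_record(correct, 1)   # only one digest byte kept

    accepted_full = accepted_phrases(candidates, full_record)
    accepted_trunc = accepted_phrases(candidates, truncated_record)

    # Any accepted phrase other than the real one is a collision; repairing
    # the record from such a logon silently replaces the user's real phrase.
    colliders = [c for c in accepted_trunc if c != correct]
    upgraded = upgrade_record_on_login(colliders[0], truncated_record)
    return {
        "accepted_full": accepted_full,
        "accepted_truncated": len(accepted_trunc),
        "correct_still_works_after_bad_upgrade": verify(correct, upgraded),
    }


if __name__ == "__main__":
    print(demo())
```

The full-length record admits exactly the enrolled phrase; the one-byte record admits the enrolled phrase plus, on average, one in every 256 other inputs. The last line of `demo` shows the migration problem the thread raises: if the first logon after the fix happens to use a colliding phrase, the upgraded record no longer accepts the real one, which is why the thread concludes that invalidating the old phrases is the only clean option.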

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
