Passphrases and MFA!

Charles


-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Andrew Rowley
Sent: Friday, May 10, 2019 6:32 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Can backup mechanisms be used to steal RACF database? was Re: mainframe hacking "success stories"?

On 11/05/2019 12:34 am, Dana Mitchell wrote:
>
> Doesn't the KDFAES password encryption algorithm make it *much* more 
> difficult to crack passwords, given access to the RACF database? I realize 
> nothing is impossible to crack... but at least not currently feasible with 
> current available hardware.
>
How slow is KDFAES? How many guesses per second are possible?

This article from 2013 has an interesting discussion on cracking 
passphrases:

https://arstechnica.com/information-technology/2013/10/how-the-bible-and-youtube-are-fueling-the-next-frontier-of-password-cracking/

The researcher had compiled a library of 1.3 billion potential 
passphrases and was quite successful. There is a reference to $800 of 
hardware being able to do 30 billion guesses per second against Windows 
passwords.

I recall a number where KDFAES was 300,000 times slower (than something) 
- does that mean KDFAES might give 100,000 guesses per second? Which 
gives about 4 hours to try 1.3 billion phrases (if I didn't slip a 
decimal point somewhere!)

My belief is that users are not good enough at choosing passwords for a 
database to hold up to an offline attack - whatever the algorithm. You 
must assume that if someone can read the database, they will be able to 
crack at least some passwords. And you don't know which userids they 
will be.


Andrew Rowley
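The arithmetic in Andrew's message (a fast hash at 30 billion guesses per second, a KDF 300,000 times slower, a 1.3 billion entry passphrase library) can be made concrete with a small benchmark. The following is an added illustration, not code from the thread or from IBM; it does not model KDFAES itself but uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for an iterated, deliberately slow KDF, and plain SHA-256 as a stand-in for a fast legacy hash. The three candidate passphrases and the salt are constructed here; the rates and counts in `estimate_hours` are the ones quoted in the message.

```python
import hashlib
import os
import time

# Constructed sample phrases, standing in for a large passphrase library.
# They are only used to show that the verification cost per guess is what
# changes between a fast hash and an iterated KDF, not the search itself.
CANDIDATES = [
    "correct horse battery staple",
    "in the beginning was the word",
    "to be or not to be that is the question",
]


def fast_hash(password: bytes, salt: bytes) -> bytes:
    """One SHA-256 over salt||password: a stand-in for a fast legacy hash."""
    return hashlib.sha256(salt + password).digest()


def slow_kdf(password: bytes, salt: bytes, iterations: int = 50_000) -> bytes:
    """PBKDF2-HMAC-SHA256: a stand-in for an iterated KDF such as KDFAES
    (assumption: the real KDFAES internals are not modelled here)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def measure_rate(fn, budget_seconds: float = 0.2) -> float:
    """Approximate single-core guesses per second for fn(password, salt)."""
    salt = os.urandom(16)
    count = 0
    start = time.perf_counter()
    while time.perf_counter() - start < budget_seconds:
        fn(b"guess%d" % count, salt)
        count += 1
    return count / (time.perf_counter() - start)


def estimate_hours(candidates: float, fast_rate: float, slowdown: float) -> float:
    """Hours to try every candidate once, given a fast-hash rate and the
    factor by which the slow KDF reduces it. With the thread's figures
    (1.3e9 phrases, 30e9/s, 300,000x slower) this is about 3.6 hours."""
    slow_rate = fast_rate / slowdown
    return candidates / slow_rate / 3600


def hours_for_library(fn, candidates: float = 1.3e9) -> float:
    """Same estimate, but driven by a measured rate for fn on this machine."""
    return candidates / measure_rate(fn) / 3600


if __name__ == "__main__":
    fast = measure_rate(fast_hash)
    slow = measure_rate(slow_kdf)
    print(f"fast hash : {fast:,.0f} guesses/s on one core")
    print(f"slow KDF  : {slow:,.0f} guesses/s on one core (x{fast / slow:,.0f} slower)")
    print(f"thread's figures: {estimate_hours(1.3e9, 30e9, 300_000):.2f} h "
          f"to exhaust 1.3e9 phrases at 300,000x slowdown")
    print(f"this machine, slow KDF, one core: {hours_for_library(slow_kdf):,.0f} h")
```

The point the benchmark makes is the one in the message: the slowdown factor only scales the time per guess, so a library of phrases that users actually choose is still exhausted in hours once the database is readable offline. The iteration count is the defender's tuning knob; the size of the candidate list is the attacker's, and only the user's choice of phrase (or an additional factor) moves a specific account out of that list.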

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
