On 1/12/2007 12:21 PM, Tom Marchant wrote:
> On Fri, 12 Jan 2007 11:19:42 -0500, Walt Farrell <[EMAIL PROTECTED]>
> wrote:
>> On 1/12/2007 11:02 AM, Tom Marchant wrote:
>>> On Fri, 12 Jan 2007 12:34:59 +0100, Ulrich Boche wrote:
>>> Snip!
>>>> http://www.schneier.com/blog/archives/2007/01/choosing_secure.html
>>>> "Good encryption software doesn't use your password as the
>>>> encryption key."
>>> That's what RACF does.
>> Not precisely, but certainly the transformation we use is not one that
>> would significantly delay a password guessing program.
> Ok, I stand corrected. I've seen it posted here that RACF uses
> the password as a key to encrypt the userid. It seemed like a
> good technique to me. I was surprised at Mr. Schneier's comment
> quoted above.

For practical purposes, it's correct to say the password is the key. It
is somewhat transformed, but (as I mentioned) not enough to
significantly delay password guessing. But again, that's only a problem
if a hacker gains access to an unencrypted copy of the database.
Walt Farrell, CISSP
z/OS Security Design, IBM
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
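The distinction Walt draws above (a "password is the key" transform that does not slow down guessing, versus what Schneier calls good encryption software) is easy to show with code. The following is an added example, not code from the thread, from RACF, or from IBM. It does not reproduce RACF's actual algorithm: the "fast" scheme uses keyed BLAKE2b purely as a stand-in for "password keys a cheap primitive applied to the userid", because the Python standard library has no DES. The "slow" scheme uses PBKDF2-HMAC-SHA256, one standard example of a deliberately expensive, salted key derivation. The userid, password, and wordlist are constructed sample values. The guessing functions model the only situation Walt says matters: an attacker who already holds an unencrypted copy of the stored values.

```python
import hashlib
import os
import time

# Constructed sample data (not from the original thread).
USERID = "IBMUSER"
PASSWORD = "SECRET01"
# Constructed dictionary; the real password is last so a guessing run
# has to pay for every entry before it succeeds.
WORDLIST = ["PASSWORD", "CHANGEME", "ZOS12345", "IBMMAIN", "SECRET01"]

PBKDF2_ITERATIONS = 100_000  # assumed work factor for the slow scheme


def fast_transform(userid: str, password: str) -> bytes:
    """Stand-in for a 'password is the key' scheme: the password keys a
    cheap primitive and the userid is the data it is applied to.
    This models the cost property Walt describes (one cheap operation
    per guess), NOT RACF's real algorithm; keyed BLAKE2b is an
    assumption used because the stdlib has no DES."""
    return hashlib.blake2b(userid.encode(), key=password.encode(),
                           digest_size=8).digest()


def slow_transform(password: str, salt: bytes,
                   iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """What 'good encryption software' does instead: derive the key from
    the password with a salted, iterated KDF, so every guess costs the
    attacker `iterations` HMAC evaluations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                               iterations, dklen=32)


def guess_fast(userid: str, stored: bytes):
    """Offline dictionary attack against the fast scheme."""
    for cand in WORDLIST:
        if fast_transform(userid, cand) == stored:
            return cand
    return None


def guess_slow(salt: bytes, stored: bytes,
               iterations: int = PBKDF2_ITERATIONS):
    """Offline dictionary attack against the slow scheme: identical loop,
    but each candidate now costs `iterations` HMACs."""
    for cand in WORDLIST:
        if slow_transform(cand, salt, iterations) == stored:
            return cand
    return None


def cost_ratio(iterations: int = PBKDF2_ITERATIONS) -> float:
    """How many times longer the same dictionary run takes against the
    KDF-protected value than against the password-as-key value.
    Returns the measured wall-clock ratio (> 1 means the KDF helped)."""
    salt = os.urandom(16)
    stored_fast = fast_transform(USERID, PASSWORD)
    stored_slow = slow_transform(PASSWORD, salt, iterations)

    t0 = time.perf_counter()
    assert guess_fast(USERID, stored_fast) == PASSWORD
    fast_secs = time.perf_counter() - t0

    t0 = time.perf_counter()
    assert guess_slow(salt, stored_slow, iterations) == PASSWORD
    slow_secs = time.perf_counter() - t0

    # Guard against a zero reading on a very coarse clock.
    return slow_secs / max(fast_secs, 1e-9)


if __name__ == "__main__":
    print(f"{len(WORDLIST)} guesses, KDF is {cost_ratio():.0f}x slower "
          f"per guess than the password-as-key transform")
```

Both attacks recover the password, because neither transform is a secret; the only thing that separates them is the price of each guess. Note also what the userid does in the fast model: using it as the data under the key means one precomputed table cannot cover every user, but it adds nothing to the per-guess cost, which is the point both Walt and Schneier are making.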