On Thu, 22 May 2008 11:46:18 -0500, Walt Farrell <[EMAIL PROTECTED]> wrote:

>On Thu, 22 May 2008 09:17:34 -0500, Dave Cartwright
><[EMAIL PROTECTED]> wrote:
>>...snipped...
>>I'm now wondering if this is an urban myth. At the GSE LSWG meeting last
>>Tuesday Ray Evans the IBM UK Penetration Testing Manager claimed several
>>times to be able to recover passwords from a copy of the RACF database. I
>>have a recording of the presentation.  I hope this doesn't get him into
>>trouble as it was a very good presentation.
>>Look after your RACF D/B - security begins at home.
>
>No, it's not an urban myth.  Properly configured (to use DES (the default),
>rather than masking), RACF does not store a user's password on the DB.  It
>encrypts the user ID using a slight modification of the password, and saves
>the encrypted result.
>
>All you can do, assuming you can read the DB to extract the encrypted value,
>is a brute force attack where you propose a password, encrypt the user ID,
>and see if it matches.   That's a significant amount of work, though of course:
>(a) machines are getting faster, and the work can perhaps be split across
>many machines.
>(b) overly restrictive password rules can reduce the amount of work.
>
>Note, though, that this kind of attack requires either the ability to run an
>APF-authorized program on the system, or physical access to a copy of the
>database, in order to retrieve the encrypted value.

Ray assures me that he did not say that he can "recover passwords".  He did
say that when he finds he has READ access to the RACF database, that he
retrieves the encrypted data and "breaks the encryption".  That specifically
means a brute force password guessing attack such as I described above.

His purpose in mentioning that was to make sure that people understand that
giving users READ to the RACF database is not a safe thing to do.  We have
had discussions with z/OS security administrators who have felt that since
the password itself is not saved, that there's no reason to prohibit reading
the database, and Ray was pointing out the flaw in that thinking.

-- 
  Walt Farrell, CISSP
  IBM STSM, z/OS Security Design
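As an added illustration of points (a) and (b) above (this is not part of the original message or any IBM code), the following estimator quantifies how many candidates a guess-and-verify attack must try under a given password syntax rule, and how splitting the work across machines shrinks the time. The character classes and the two rule sets are constructed assumptions for illustration, not RACF's actual syntax-rule definitions.

```python
"""Work-factor estimator for the guess-and-verify attack described in the thread.

Constructed example: the character classes and rules below are assumptions for
illustration only; they are not RACF's real SETROPTS syntax-rule definitions.
"""
from math import prod

# Assumed character classes (uppercase letters and digits only; an assumption).
CLASSES = {
    "alpha": 26,   # A-Z
    "num": 10,     # 0-9
    "alnum": 36,   # A-Z plus 0-9
}


def candidate_count(rules):
    """Number of distinct passwords admitted by a list of syntax rules.

    Each rule is a list of class names, one per position, so its length fixes
    the password length. Rules are assumed to cover different lengths (or be
    otherwise disjoint), so their counts simply add.
    """
    return sum(prod(CLASSES[cls] for cls in rule) for rule in rules)


def seconds_to_exhaust(count, guesses_per_second, machines=1):
    """Worst-case time to try every candidate, given an assumed guess rate
    per machine and the number of machines the work is split across (point a)."""
    return count / (guesses_per_second * machines)


def work_reduction(loose, strict):
    """How many times smaller the search becomes when a restrictive rule
    replaces a permissive one (point b)."""
    return candidate_count(loose) / candidate_count(strict)


# Permissive rule: 6 to 8 characters, any alphanumeric in every position.
LOOSE = [["alnum"] * n for n in range(6, 9)]
# Restrictive rule: exactly 8 characters, letter first, digit last.
STRICT = [["alpha"] + ["alnum"] * 6 + ["num"]]

if __name__ == "__main__":
    rate = 1_000_000  # assumed guesses per second per machine (an assumption)
    for name, rules in (("loose", LOOSE), ("strict", STRICT)):
        n = candidate_count(rules)
        print(f"{name}: {n:,} candidates, "
              f"{seconds_to_exhaust(n, rate) / 86400:.1f} days on one machine, "
              f"{seconds_to_exhaust(n, rate, 100) / 86400:.2f} days on 100")
    print(f"restrictive rule cuts the search by {work_reduction(LOOSE, STRICT):.1f}x")
```

The numbers are illustrative; the point is that the stored value acts as a verification oracle once read, and that the policy and the attacker's hardware, not the encryption, set the cost.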

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html