On Thu, 22 May 2008 13:41:46 -0400, Rob Schramm <[EMAIL PROTECTED]> wrote:
>Perhaps one of the RACF folks can comment on what I am about to say....
>
>I thought that there was a change to allow RACF to be able to extract the
>password now. (which would allow RACF to play better with LDAP
>repositories etc etc)
>

That's correct. But it's a function that the administrator must enable, and it has controls over who can use it. It's called password enveloping.

When enabled for a user (USER1), when that user changes his password then RACF will keep a cryptographically secured, but decryptable, copy of the new password in the RACF database as well as the normal non-decryptable copy. The decryptable copy is encrypted using public key technology based on a digital certificate that the administrator creates and adds to the RACF DB. Thus the key is unique to that database and not known to anyone.

Via LDAP SDBM interfaces, another user (USER2) can request the password envelope. RACF will check that USER2 is allowed to make that request, and will then locate USER1's password envelope and decrypt the data. It will then re-encrypt the password into a PKCS#7 package unique to USER2, using USER2's public key (from another certificate provided by the administrator), and via LDAP will send the package to USER2. USER2 then uses his private key to decrypt data in the package.

I've simplified a bit, but that's the basic idea.

>Although if you:
>* have the db
>* know the location of the password(s)
>* have a known ID on the system
>
>Then you might stand a better chance of reversing your way out of the
>encrypted value.
>

Right; and that's what Ray talked about doing.

>Letting your security database out would generally come under the "big no
>no" category. Which I understand is the key to the claim of the
>Penetration Testing Manager.
>

Exactly.

>But if you take simple steps like keeping people from read access to your
>database.. seems like such an easy prevention step.. oh and things like
>keep APF authorization down to a controlled level.
>
>We do exist on a platform with good controls.. however it does require
>that we use them.

Precisely the main point Ray was making, and that we (and others) make in our presentations, too.

-- 
Walt Farrell, CISSP
IBM STSM, z/OS Security Design

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
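The enveloping flow described in the message above, as an added toy model written for this page (Go, not IBM's RACF code): an RSA key held by the database stands in for the administrator's certificate, RSA-OAEP stands in for the PKCS#7 package, and the per-user enable flag, the requester authorization check and the one-way copy are modelled with maps and a salted SHA-256. All type and function names here are assumptions, not RACF or SDBM identifiers.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Toy model of the enveloping flow (not IBM code); RSA-OAEP stands in for the PKCS#7 packaging.
type RACFDB struct {
	dbKey     *rsa.PrivateKey   // unique to this database, known to no user
	hashes    map[string][]byte // normal non-decryptable copy, kept for every user
	envelopes map[string][]byte // decryptable copy, kept only while enveloping is enabled
	enveloped map[string]bool   // users the administrator enabled enveloping for
	retrieve  map[string]bool   // users permitted to request envelopes via LDAP SDBM
}

func NewRACFDB(dbKey *rsa.PrivateKey) *RACFDB {
	return &RACFDB{dbKey: dbKey, hashes: map[string][]byte{}, envelopes: map[string][]byte{},
		enveloped: map[string]bool{}, retrieve: map[string]bool{}}
}

// ChangePassword always stores the one-way hash and adds an envelope only for enabled users.
func (db *RACFDB) ChangePassword(user, pw string) error {
	sum := sha256.Sum256([]byte(user + ":" + pw)) // salted stand-in for the real one-way form
	db.hashes[user] = sum[:]
	delete(db.envelopes, user)
	if !db.enveloped[user] {
		return nil
	}
	env, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &db.dbKey.PublicKey, []byte(pw), nil)
	if err == nil {
		db.envelopes[user] = env
	}
	return err
}

// RequestEnvelope models the SDBM request: refuse unauthorized requesters, decrypt the
// target's envelope with the database key, and re-wrap the password for the requester's key.
func (db *RACFDB) RequestEnvelope(requester, target string, reqPub *rsa.PublicKey) ([]byte, error) {
	env, ok := db.envelopes[target]
	if !db.retrieve[requester] || !ok {
		return nil, errors.New("request refused: caller not permitted or no envelope for " + target)
	}
	pw, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, db.dbKey, env, nil)
	if err != nil {
		return nil, err
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, reqPub, pw, nil)
}
```

Only the requester's private key opens the returned package; the database key that protected the stored envelope cannot, which is the property the re-encryption step provides.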

