It may not be APARable. Even if you fix the bug, what do you do with the old 
password phrases? Maybe update the RACF database with a secure hash value once 
the user logs in (to add the previously discarded hash bytes), but the system 
cannot know if the correct password phrase has been used (and not one of the 
others which also work). Or just invalidate the old phrases. The system does 
not store enough hash bytes to decide which password is the correct one ... in 
any case it would be a mess. The bug cannot be used to brute-force 
authentication (the account will be locked before one can benefit from the 
collisions) and, in case the RACF db is exposed, it is easy to crack the hashes 
anyway; the collisions are not really needed. It will probably just stay as it 
is :) 


Costin



________________________________
 From: Tony Harminc <t...@harminc.net>
To: IBM-MAIN@LISTSERV.UA.EDU 
Sent: Wednesday, 4 September 2013, 1:11
Subject: Re: RACF Database protection
 

On 3 September 2013 09:41, Costin Enache <e_cos...@yahoo.com> wrote:

> The phrase clear text is already padded with spaces to a multiple of 8, but, 
> after encryption, the resulting hash is truncated to the length of the 
> original clear text, minus the padding. This leaves us with an incomplete DES 
> cipher text block at the end, if the last clear-text block was padded. This 
> means that, if for example the last block had one character (say 1=F1) padded 
> to a length of 8 with spaces (F14040.....), only the first byte of the 
> resulting DES cipher text will be stored. There are many clear texts that 
> will generate the same byte in the first position when encrypted with DES. 
> Example: create user COSTIN with phrase Abcd1234Abcd1234a, then try to logon 
> with phrase Abcd1234Abcd1234X

I would think that should be APARable...

Tony H.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
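The truncation described in the quoted message, modelled in code. This is an added example, not code from the thread or from RACF: the key is constructed, ECB DES stands in for whatever mode the real implementation uses, and ASCII replaces EBCDIC. It shows why a padded last block stores fewer cipher-text bytes than it should, that the same phrase with no padding has no such problem, and that keeping the whole block would leave nothing to collide on.

```go
package main

import (
	"bytes"
	"crypto/des"
)
// Constructed 8-byte key standing in for whatever the real implementation
// uses; nothing here models RACF's key handling, cipher mode or EBCDIC.
var demoKey = []byte("k3y-demo")
// HashPhrase pads the clear text with spaces to a multiple of 8 and DES-
// encrypts it block by block (ECB as a model). With truncate set it mimics
// the defect in the thread: only len(phrase) cipher-text bytes are kept.
func HashPhrase(phrase string, truncate bool) []byte {
	padded := []byte(phrase)
	for len(padded)%8 != 0 {
		padded = append(padded, ' ')
	}
	block, err := des.NewCipher(demoKey)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(padded))
	for i := 0; i < len(padded); i += 8 {
		block.Encrypt(out[i:i+8], padded[i:i+8])
	}
	if truncate {
		return out[:len(phrase)] // part of a padded last block is dropped
	}
	return out
}

// Verify is the logon comparison: hash the candidate the same way, compare.
func Verify(phrase, candidate string, truncate bool) bool {
	return bytes.Equal(HashPhrase(phrase, truncate), HashPhrase(candidate, truncate))
}

// CountAcceptedVariants substitutes every byte value for the last character
// and counts the wrong phrases Verify still accepts: always 0 with full blocks
// (DES is a permutation), about 1 in 256 per variant when one byte is kept.
func CountAcceptedVariants(phrase string, truncate bool) int {
	accepted := 0
	for b := 0; b < 256; b++ {
		variant := phrase[:len(phrase)-1] + string([]byte{byte(b)})
		if variant != phrase && Verify(phrase, variant, truncate) {
			accepted++
		}
	}
	return accepted
}
```

For the 17-character phrase from the message only one byte of the third block survives truncation, so the count of accepted wrong variants depends on the key; for the 16-character prefix nothing is dropped and it is always zero.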
