On Sat, 3 Jan 2015 10:13:21 -0600, Ed Gould wrote:
>
> Indeed it was at least interesting.
> I would be curious if IBM would like to comment on some of the
> statements on how RACF "encrypts" the passwords.
> I disagree with how RACF encryption is done (at least by the
> commentator) but I am not RACF trained so I can not call the
> commentator out.
> IBM?
>
> On Jan 2, 2015, at 3:31 PM, Mark Regan wrote:
>>
>> Black Hat 2013 - Mainframes: The Past Will Come to Haunt You, by a
>> Philip Young and it's about an hour long.
>>
>> http://youtu.be/uL65zWrofvk

It has been mentioned here and not refuted that RACF uses single-DES with the password as key and the user ID as salt.
I had not heard (and do not fully believe) that the hashed password data set is generally readable (UACC=READ?). I had not heard, but it's quite plausible, that passphrases, however long, are collapsed to 56 bits because DES supports no greater. And Philip Young stressed the weakness of the potential for user ID enumeration -- TSO LOGON tells you immediately whether a string is a known user ID -- he calls it much "too friendly". But z/OS partisans here have advocated that excess friendliness as a boon. It reduces the search space from MxN to M+N, regarded contemptuously by non-mainframers.

-- gil

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
