Having explored the topic in the past, I believe you need to talk to IBM. The
platform and code for the HMC and SE systems is under tight control and nobody
but IBM can provide you with access to the thing. IBM customers are not allowed
to do that. And even if/when you get the thing, it will
Hi,
Some topics that we had to address when performing mainframe security
assessments:
What do you need the assessment for? If you need it for some certification / legal
purpose, then there are cheap, not too technically advanced solutions out
there. If you are actually looking into detecting and
Are you sure? Could you please specify exactly where to look in the RACF docs?
Or do you mean the ICHDEX01 exit (for which you can either choose masking or
implement - program - your own algorithm)?
Costin
From: Elardus Engelbrecht
Database protection
On 4 September 2013 04:07, Costin Enache e_cos...@yahoo.com wrote:
It may not be APARable. Even if you fix the bug, what do you do with the old
password phrases? Maybe update the RACF database with a secure hash value
once the user logs in (to add the previously discarded
Sent: Wednesday, 4 September 2013, 1:11
Subject: Re: RACF Database protection
On 3 September 2013 09:41, Costin Enache e_cos...@yahoo.com wrote:
The phrase clear text is already padded with spaces to a multiple of 8, but,
after encryption, the resulting hash is truncated to the length
From: Paul Gilmartin paulgboul...@aim.com
To: IBM-MAIN@LISTSERV.UA.EDU
Sent: Monday, 2 September 2013, 22:09
Subject: Re: RACF Database protection
The password phrase hash can be split into blocks of 8 bytes, and each of
them cracked independently, also in
with a short key. IBM
has tried to sort of adapt the CBC mode to this scenario, but did not work out
very well.
Costin
On 3 Sep 2013, at 16:42, Paul Gilmartin paulgboul...@aim.com wrote:
On Tue, 3 Sep 2013 14:41:49 +0100, Costin Enache wrote:
The password phrase hash can be split into blocks
Small clarification: The usage of password phrases instead of passwords does not
increase the complexity of a brute-force attack against the encrypted hashes,
in case the RACF DB gets compromised (flawed / insecure DES implementation).
The time required for recovering a 16-byte password phrase is
Embarrassing that some actually consider that a security flaw. Except for
the title, that article does not mention any security flaws or any other
problems related to the host. The article describes some evident
functionality - how to solve a technical challenge by FTP + JCL. To consider
this a
There is a major difference between the SVC interrupt handler and an
interrupt routine. You really don't want to mess with the former at
all, and you shouldn't mess with the latter until you understand the
SVC types and have some experience writing privileged code.
Mea culpa :) I was