60-second timeout in Unix login

Jay Maynard jay at splut.UUCP
Fri Feb 26 12:19:50 AEST 1988


In article <468 at minya.UUCP>, jc at minya.UUCP (John Chambers) writes:
> If VMS can actually determine that you have used the same password, then it
> is either keeping your unencrypted password somewhere, or it encrypts it the
> same each time.  Either is a major security hole, of course, and you should
> refuse to use the system (on security grounds) until they correct the problem.

Not necessarily. The method IBM uses in RACF to keep track of passwords is
beguilingly simple: They store the password as the encrypted value.

I can hear it now: "Security hole!" Well, almost. You're right in that
using the same encryption method (algorithm and key) would allow a
known-plaintext attack on the encryption key.
IBM gets around this by using the simple trick of using the password itself
(possibly permutated somehow - they don't distribute RACF source microfiche
files :-) as the encryption key. To determine if it's the same, they simply
encrypt it and compare the encrypted values.

If this does allow an attack on the encrypted passwords, let me know so I
can APAR it...

> John Chambers <{adelie,ima,maynard,mit-eddie}!minya!{jc,root}> (617/484-6393)

-- 
Jay Maynard, EMT-P, K5ZC...>splut!< | GEnie: JAYMAYNARD  CI$: 71036,1603
uucp: {uunet!nuchat,academ!uhnix1,{ihnp4,bellcore,killer}!tness1}!splut!jay
Never ascribe to malice that which can adequately be explained by stupidity.
The opinions herein are shared by none of my cats, much less anyone else.
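
The mechanism the reply describes (keep only a one-way value keyed by the password, and detect a repeated password by re-encrypting and comparing), as an added example that is not part of the original post and is not RACF's algorithm. PBKDF2 and HMAC-SHA-256 stand in for the password-keyed cipher, and the fixed block, salts, work factor and sample passwords are constructed assumptions. It goes one step beyond the post by showing that the comparison still works when every stored entry has its own random salt.

```python
import hashlib
import hmac
import os

FIXED_BLOCK = b"\x00" * 8    # constructed constant; the post does not say what is encrypted
FIXED_SALT = b"same-for-all"  # constructed: models "encrypts it the same each time"
ROUNDS = 50_000               # assumed work factor for this demo

def one_way(password, salt):
    """Password-keyed one-way value: derive a key from the password and salt,
    then key a MAC over a fixed block with it (stand-in for 'password as key')."""
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ROUNDS)
    return hmac.new(key, FIXED_BLOCK, hashlib.sha256).digest()

def new_entry(password, salt=None):
    """Return the (salt, value) pair a password file or history would keep."""
    salt = os.urandom(16) if salt is None else salt
    return salt, one_way(password, salt)

def is_reused(candidate, history):
    """Recompute the candidate under each old entry's salt and compare in
    constant time. No plaintext is stored anywhere."""
    hit = False
    for salt, stored in history:
        hit |= hmac.compare_digest(one_way(candidate, salt), stored)
    return hit

def demo():
    # Constructed sample passwords.
    fixed_a = new_entry("hunter2", FIXED_SALT)
    fixed_b = new_entry("hunter2", FIXED_SALT)
    salted_a = new_entry("hunter2")
    salted_b = new_entry("hunter2")
    history = [new_entry("winter88"), salted_a]
    return {
        # Same salt: equal passwords give equal stored values (visible across users).
        "fixed_salt_equal": fixed_a[1] == fixed_b[1],
        # Random salts: equal passwords no longer look alike in the file...
        "random_salt_equal": salted_a[1] == salted_b[1],
        # ...yet reuse is still detected, because the old salt is stored too.
        "reuse_detected": is_reused("hunter2", history),
        "fresh_accepted": not is_reused("spring89", history),
    }

if __name__ == "__main__":
    print(demo())
```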


