Path: utzoo!mnetor!uunet!lll-winken!lll-lcc!lll-tis!ames!killer!tness1!nuchat!splut!jay
From: jay@splut.UUCP (Jay Maynard)
Newsgroups: comp.unix.wizards
Subject: Re: 60-second timeout in Unix login
Message-ID: <386@splut.UUCP>
Date: 26 Feb 88 02:19:50 GMT
References: <10578@brl-adm.ARPA> <721X@jimi.cs.unlv.edu> <465@xios.XIOS.UUCP> <468@minya.UUCP>
Organization: Confederate Microsystems, League City, TX
Lines: 26
Summary: It doesn't have to be a security hole.

In article <468@minya.UUCP>, jc@minya.UUCP (John Chambers) writes:
> If VMS can actually determine that you have used the same password, then it
> is either keeping your unencrypted password somewhere, or it encrypts it the
> same each time.  Either is a major security hole, of course, and you should
> refuse to use the system (on security grounds) until they correct the problem.

Not necessarily. The method IBM uses in RACF to keep track of passwords is
beguilingly simple: They store the password as the encrypted value.

I can hear it now: "Security hole!" Well, almost. You're right in that
using the same encryption method (algorithm and key) would allow a
known-plaintext attack on the encryption key.
IBM gets around this by using the simple trick of using the password itself
(possibly permutated somehow - they don't distribute RACF source microfiche
files :-) as the encryption key. To determine if it's the same, they simply
encrypt it and compare the encrypted values.

If this does allow an attack on the encrypted passwords, let me know so I
can APAR it...

> John Chambers <{adelie,ima,maynard,mit-eddie}!minya!{jc,root}> (617/484-6393)

-- 
Jay Maynard, EMT-P, K5ZC...>splut!< | GEnie: JAYMAYNARD  CI$: 71036,1603
uucp: {uunet!nuchat,academ!uhnix1,{ihnp4,bellcore,killer}!tness1}!splut!jay
Never ascribe to malice that which can adequately be explained by stupidity.
The opinions herein are shared by none of my cats, much less anyone else.