'=?utf-8?Q?Re:_Auditor's_finding?='

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       racf-l
Subject:    =?utf-8?Q?Re:_Auditor's_finding?=
From:       Scott Ford <scott_j_ford () YAHOO ! COM>
Date:       2014-02-19 18:17:40
Message-ID: 285181.41146.bm () smtp208 ! mail ! ne1 ! yahoo ! com
[Download RAW message or body]

Phil,


Thanks , as someone knda new to encryption that helps me understand it.






Regards,

Scott Ford

www.identityforge.com





From: Phil Smith III
Sent: ‎Wednesday‎, ‎February‎ ‎19‎, ‎2014 ‎10‎:‎09‎ ‎AM
To: RACF Discussion List





"Sokolsky, Hayim Z." wrote, in part:
>1. RACF does not store "password hashes", it stores a one-way DES encrypted
value for password checking. RACF actually encrypts the UserID using the
password to generate the encryption key. If you know the password, you can
generate the resulting encrypted value. If you don't know the password, you
don't know the password.

"DES-encrypted" and "one-way" don't really go together. The key might not be
available from a key server, but it's still Just Encrypted, is reversible.
Presumably RACF doesn't reverse it, instead encrypting the input string
(going "forward" instead of "backward"), but it could.

The real difference between this and a hash is that a hash is by definition
*not* reversible, since it's lossy. But de facto, same difference, since in
either case, you'd "break" it by processing input strings until you found
one that matched the value. And in either case, the heat-death of the
universe is likely to precede your discovery of a match.

I'm actually surprised that they don't use a hash, perhaps salted with the
userid: that would achieve much the same result, and (I expect) be faster.
But maybe when this was implemented, that wasn't the case (the fact that DES
is used instead of AES supports that guess).

FWIW, SHA-2 is stronger than DES, though perhaps not stronger than this
pseudo-double-DES.

...phsiii (apologizing for being pedantic, but it seemed worth clarifying!)
[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic