Yes; The KDFAES algorithm is used to encrypt passwords and password phrases, but not OIDCARD data. It is designed to be resistant to offline attacks by incorporating the following properties:

- Each instance of a RACF® password injects randomly generated text into the encryption process. This prevents the use of pre-computed password hashes. That is, an offline attack must perform the full encryption process for every password guess, as opposed to simply comparing the password hash against a list of pre-computed values. This slows down the attack, making it take much longer to guess passwords.
- Thousands of hash operations are performed against the password and random text in order to generate a key which is then used to encrypt the user ID. This also serves to slow down an offline attack, which must perform the same number of operations for each password guess. However, the authorized user logging on to the system using his clear text password will not notice the increased overhead.

GPG Public Key - https://api.protonmail.ch/pks/lookup?op=get&search=markjac...@protonmail.com

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Friday, May 10, 2019 10:34 AM, Dana Mitchell <mitchd...@gmail.com> wrote:

> On Fri, 10 May 2019 00:24:18 -0400, Bob Bridges robhbrid...@gmail.com wrote:
>
> > The lesson I take from this, and pass on to
> > my clients, is that read access to the security database is a huge exposure
> > and in most cases - that is, for most user IDs - completely unnecessary.
>
> Doesn't the KDFAES password encryption algorithm make it much more difficult
> to crack passwords, given access to the RACF database? I realize nothing is
> impossible to crack.. but at least not currently feasible with current
> available hardware.
>
> Dana
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
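
Added example (not part of the original message, and not RACF's KDFAES implementation): a Python sketch of the two properties the reply describes, a random value stored per password and an iterated derivation whose output key protects the user ID. PBKDF2-HMAC-SHA256, the iteration count, the HMAC stand-in for the AES step, the fixed-salt table, and all names and sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 20_000  # assumed work factor for this demo, not RACF's actual value


def derive_verifier(user_id: str, password: str, salt: bytes,
                    iterations: int = ITERATIONS) -> bytes:
    """Stretch password+salt into a key, then bind that key to the user ID."""
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                              iterations, dklen=32)
    # Stand-in for "use the key to encrypt the user ID": the standard library
    # has no AES, so a keyed HMAC over the user ID plays that role here.
    return hmac.new(key, user_id.encode(), hashlib.sha256).digest()


def enroll(user_id: str, password: str) -> dict:
    """Create a stored record with a fresh random salt."""
    salt = os.urandom(16)
    return {"user_id": user_id, "salt": salt,
            "verifier": derive_verifier(user_id, password, salt)}


def verify(record: dict, password: str) -> bool:
    """Logon check: one full derivation, compared in constant time."""
    candidate = derive_verifier(record["user_id"], password, record["salt"])
    return hmac.compare_digest(candidate, record["verifier"])


def fixed_salt_table(user_id: str, passwords: list) -> dict:
    """A table computed in advance, without knowledge of any record's salt."""
    fixed = bytes(16)
    return {derive_verifier(user_id, p, fixed): p for p in passwords}


if __name__ == "__main__":
    # Constructed sample values.
    first = enroll("USER01", "spring2019")
    second = enroll("USER01", "spring2019")
    table = fixed_salt_table("USER01", ["spring2019", "password"])
    print("same password, same stored value:",
          first["verifier"] == second["verifier"])
    print("stored value found in precomputed table:",
          first["verifier"] in table)
    print("legitimate logon accepted:", verify(first, "spring2019"))
```

The same password enrolled twice yields two unrelated stored values, so a table computed ahead of time never matches; each guess against a given record costs a full `ITERATIONS`-round derivation, while a legitimate logon pays that cost once.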