The document discusses new enhancements in RACF password security including a stronger encryption algorithm (KDFAES), support for additional special characters in passwords, improvements to password syntax requirements, and other password policy controls. It provides guidance on activating the new features including applying necessary software updates and testing in a non-production environment first.

1. © 2012 IBM Corporation
IBM Security Systems
1© 2013 IBM Corporation
A new leap forward …
in RACF password security
Luigi Perrone
Technical Pre-Sales System Engineer
IBM Security Systems
luigi_perrone@it.ibm.com

2. © 2013 IBM Corporation
IBM Security Systems
2
 password length
 password quality
 encryption strength
 password DB access control
 policy controls
 user education
Elements of password security
What are the more important characteristics for password security ?
All of these aspects should be considered together to provide a
multi-layered and interdependent set of defenses

3. © 2013 IBM Corporation
IBM Security Systems
3
General guidelines
 Short password change interval
…..to minimize the chance that a password can be cracked during its lifecycle
 Good password history
…..to keep users from reusing the same password. In this mode an attacker does not essentially
have the sufficient time to crack it !
 Real strong encryption
…..to force the use of time and resources in a brute-force attack.
Some interesting suggestions
...are they implemented ?

4. © 2013 IBM Corporation
IBM Security Systems
4
 Effective access control of the password database
…..to ensures that nobody can start an offline attack against encrypted passwords
 Invalid password revoke count policy
…..to prevents repeated guesses against a user's password
 Revoke count low
.....if all history vales were cracked the changes of guessing which one might be the
current password would be reduced
 User education
…..for example don’t use the same password in RACF and in the other websites !
Other guidelines

5. © 2013 IBM Corporation
IBM Security Systems
5
A new stronger encryption algorithm KDFAES for passwords and password phrases. Easily activation with
the SETROPTS command:
SETROPTS PASSWORD(ALGORITHM(KDFAES))
RACF can help in password policy !
RACF provides enhancements to mantain an effective password policy
KDFAES
Encryption

6. © 2013 IBM Corporation
IBM Security Systems
6
 The new encryption algorithm is KDFAES (Key Derivation Function with AES).
The key derivation function appends random data to the password or password phrase, and then iteratively
hashes it with SHA256 to derive a 256-bit encryption key. This key is then used to AES-encrypt the user ID
appended with other data. The result is the password hash.This hash is stored in the RACF database along
with the random data, and other parameters, that were used to derive it
 A function is provided to convert existing DES passwords to the new format without requiring the
passwords to be changed. This does not convert password phrases or password phrase history
You can use the new ALTUSER PWCONVERT keyword:
ALTUSER userID PWCONVERT
 With a simple SEARCH command you can create the commands to convert all users to KDFAES
SEARCH CLASS(USER) CLIST('ALTUSER ' ' PWCONVERT')
 Now you can demonstrate to an auditor that passwords and password phrases are encrypted under the
new algorithm with the help of new fields created by the IRRDBU00 utility. A sample query is also
provided
New KDFAES algorithm

7. © 2013 IBM Corporation
IBM Security Systems
7
RACF now provide the support for 14 additional special characters in passwords
SETROPTS PASSWORD(SPECIALCHARS)
The password space is increased, and thus the work factor that is involved in cracking a
password. It also allows users to choose passwords that are less likely to exist in a list of
frequently used passwords that are the first ones that are attempted in a cracking effort.
Two new values are available for SETROPTS password rules:
 SPECIAL : includes all of the new special characters plus the national characters ‘#’(X’7B’),
‘$’ (X’5B’) and “@” (X’7C’)
 MIXEDALL: allows all password characters. Can be used to force selections from each
character grouping (upper case, lower case, numeric, and national/special) depending on
the number of MIXEDALL positions and SETROPTS MIXEDCASE is in effect.
Special characters in the password
$@#.<+|&!*-%_>?:=

8. © 2013 IBM Corporation
IBM Security Systems
8
Higher quality in password syntax
• The user can have a password phrase without a password. This allows for a much longer
authenticator, without the effort and exposure of also maintaining a password, or having to write,
install, and maintain an exit
ALTUSER userID NOPASSWORD
• The LISTUSER command identifies a phrase-only user by the attributes NOPASSWORD and
PASSPHRASE
A new password syntax control: a password had
to contain at least one character from each of four
different categories: uppercase letters, lowercase
letters, numeric digits, and symbolic characters
(which include the existing national characters
and the newly supported special characters).
This can help prevent users from choosing weak
passwords

9. © 2013 IBM Corporation
IBM Security Systems
9
 ALTUSER command improvement: to mark a user's password and password phrase as expired, without
having to change its value. You can force a password change without needing to generate and
communicate a random temporary password.
ALTUSER userID EXPIRED
 ALTUSER command improvement: to clean up password history after changing the SETROPTS
PASSWORD(HISTORY(n)) value. This replaces the need for the CUTPWHIS utility available as a
download on the RACF website.
ALTUSER userID PWCLEAN
More password improvements

10. © 2013 IBM Corporation
IBM Security Systems
10
While the new algorithm and special character support can be activated using the SETROPTS command,
consider the following before activating them:
Considerations before activation
• Create a backup copy of your RACF database
• Apply OA43998 and OA43999 to all systems sharing the RACF database
• Make sure all necessary PTFs are applied to other products that are
affected by this support
• Check programs you have written to ensure that they can tolerate the new
function
• Determine if the new function affects RACF exits, if present on your system
• If you are using RACF downloads, determine if they are affected
• Consider effects on the performance and space usage of your RACF
database.
• Activate and test the new functions in your application test environment
before activating them in your production environment
Note: The new encryption algorithm uses the Central Processor Assist For Cryptographic Function (CPACF) to perform SHA-
256 operations. When the CPACF is not available, SHA-256 is performed in software. Therefore, consider planning a
performance test to ensure that the increased computational complexity does not create a performance issue on these older
processors.

11. © 2013 IBM Corporation
IBM Security Systems
1111
Thanks !