Enterprise Knights of IBM Z
Providing insights to cyber security & resiliency on our platform
Thwarted by IBM Z! –Episode 3
By Ross Cooper, posted Fri September 03, 2021 07:46 AM
Authentication is one of the pillars of cybersecurity. It’s crucial that installations have a high level of confidence that users ‘are who they say they are’ before they gain access to a system and to the critical data and processes it manages. There are many considerations and configuration options regarding authentication on z/OS that can have a real impact on an installation’s security posture. z/OS authentication features have been advancing and evolving for decades. Today’s systems can authenticate users with traditional passwords and password phrases and more advanced mechanisms like Multi-Factor Authentication (MFA), PassTickets, JSON Web Tokens (JWT), digital certificates and Kerberos. Other aspects of z/OS authentication have also advanced over the years such as support for more complex passwords and advanced password hashing algorithms.
Multi-Factor Authentication:
One of the best options to increase the level of confidence in z/OS authentication is by enabling MFA. Authentication with solely passwords comes with many well understood risks. MFA can mitigate many of the problems with passwords and is resistant to some of the most common attack patterns. These benefits have prompted many clients to deploy MFA on their z/OS systems.
Password Complexity:
Multi-Factor Authentication often includes a password component, so even in installations that use MFA, a strong password processing configuration is still important. There are many aspects of password security that can affect an installation's security posture. Users should be encouraged to create strong, unique and complex passwords which are difficult for an attacker to guess. To achieve this, a z/OS system needs to take advantage of available password complexity enhancements such as support for mixed-case passwords, additional special characters in passwords and password phrases. When users change their passwords the system should validate that the new password is not one that an attacker may easily predict. On RACF this can be accomplished by implementing the ICHPWX01 / ICHPWX11 new password and new password phrase exits.
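To make the role of a new-password exit concrete, here is an added example (not code from the original post, and not IBM's sample exit): a policy checker in Python that applies the kinds of predictability rules a site might code into ICHPWX01 / ICHPWX11. The minimum lengths, the banned-word list and the "season plus year" rule are all constructed assumptions for illustration; they are not RACF's built-in rules, and the exit interface itself is not reproduced.

```python
import re
from typing import List, Optional

# Constructed, illustrative policy. It stands in for the checks a site might
# code in its own ICHPWX01 (password) / ICHPWX11 (password phrase) exit; it
# does not reproduce RACF's built-in rules or the exit interface.
MIN_PASSWORD_LEN = 8
MIN_PHRASE_LEN = 14
# Constructed sample of words a site would ban; a real list is far longer.
PREDICTABLE_WORDS = {"password", "welcome", "changeme", "qwerty", "letmein"}
SEASON_YEAR = re.compile(r"(spring|summer|autumn|fall|winter)\d{2,4}")


def check_new_password(userid: str, new_pw: str, old_pw: Optional[str] = None) -> List[str]:
    """Return the policy violations for a proposed password; an empty list means accept."""
    problems = []
    low = new_pw.lower()
    if len(new_pw) < MIN_PASSWORD_LEN:
        problems.append(f"shorter than {MIN_PASSWORD_LEN} characters")
    if not (any(c.islower() for c in new_pw) and any(c.isupper() for c in new_pw)):
        problems.append("must mix upper- and lower-case letters")
    if not any(c.isdigit() for c in new_pw):
        problems.append("must contain a digit")
    if not re.search(r"[^A-Za-z0-9]", new_pw):
        problems.append("must contain a special character")
    if re.search(r"(.)\1\1", new_pw):
        problems.append("contains a character repeated three times in a row")
    if userid.lower() in low:
        problems.append("contains the user ID")
    if any(word in low for word in PREDICTABLE_WORDS):
        problems.append("contains a commonly guessed word")
    if SEASON_YEAR.search(low):
        problems.append("season followed by a year is easily predicted")
    if old_pw and (old_pw.lower() in low or low in old_pw.lower()):
        problems.append("too similar to the previous password")
    return problems


def check_new_phrase(userid: str, phrase: str) -> List[str]:
    """Same idea for password phrases: length and word diversity matter more than symbol rules."""
    problems = []
    low = phrase.lower()
    if len(phrase) < MIN_PHRASE_LEN:
        problems.append(f"shorter than {MIN_PHRASE_LEN} characters")
    if len(set(low.split())) < 3:
        problems.append("use at least three distinct words")
    if userid.lower() in low:
        problems.append("contains the user ID")
    if any(word in low for word in PREDICTABLE_WORDS):
        problems.append("contains a commonly guessed word")
    return problems


if __name__ == "__main__":
    for candidate in ["Winter2021!", "Ross2021#x", "Xq7#vLm2pZ!"]:
        print(candidate, "->", check_new_password("ross", candidate) or "accepted")
```

The exit returns a verdict to RACF; here the verdict is the list of reasons, which is also what you would want to surface to the user so they can pick something better rather than cycling through near-misses.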
Password Hashing:
When a password is changed, RACF stores it in the security database using a password hashing algorithm so that it is not stored in the clear. If an attacker manages to obtain a copy of the security database, they can attempt to launch an offline password database attack. This involves the attacker attempting to deduce valid credentials by guessing passwords, performing the password hashing algorithm and then comparing the guessed password hash to the actual database hash. RACF can be configured to provide strong resistance to offline password database attacks by enabling the KDFAES password hashing algorithm. KDFAES employs thousands of rounds of hashing to create strong password hashes which can make these types of attacks much less effective.
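Why thousands of rounds matter is easy to see with a small added example (mine, not from the original post or from RACF). It uses PBKDF2-HMAC-SHA256 purely as a stand-in for an iterated key derivation function; KDFAES is a different, AES-based construction and its internals are not reproduced here. The round counts and salt size are constructed assumptions. The example stores a salted, iterated hash, verifies a logon attempt with a constant-time compare, and measures how much more each hash computation costs with the iterated KDF than with a single pass, which is exactly the per-guess cost an offline attacker has to pay.

```python
import hashlib
import hmac
import os
import time

# Constructed parameters. PBKDF2-HMAC-SHA256 is used here as a stand-in for an
# iterated KDF; RACF's KDFAES is a different, AES-based construction.
FAST_ROUNDS = 1          # roughly what a single-pass hash costs per guess
SLOW_ROUNDS = 10_000     # an iterated KDF: the same work, repeated thousands of times
SALT_BYTES = 16


def hash_password(password: str, salt: bytes, rounds: int) -> bytes:
    """Derive a 32-byte hash from the password and a per-user salt with the given round count."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds, dklen=32)


def make_record(password: str, rounds: int = SLOW_ROUNDS) -> dict:
    """What a security database stores: salt, round count and hash, never the password."""
    salt = os.urandom(SALT_BYTES)
    return {"salt": salt, "rounds": rounds, "hash": hash_password(password, salt, rounds)}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute the hash for a logon attempt and compare in constant time."""
    guess = hash_password(candidate, record["salt"], record["rounds"])
    return hmac.compare_digest(guess, record["hash"])


def seconds_per_hash(rounds: int, samples: int = 20) -> float:
    """Average wall-clock cost of one hash computation at this round count."""
    salt = b"\x00" * SALT_BYTES
    start = time.perf_counter()
    for _ in range(samples):
        hash_password("benchmark-only", salt, rounds)
    return (time.perf_counter() - start) / samples


def cost_ratio() -> float:
    """How many times more work each offline guess costs with the iterated KDF."""
    return seconds_per_hash(SLOW_ROUNDS) / seconds_per_hash(FAST_ROUNDS)


if __name__ == "__main__":
    rec = make_record("Xq7#vLm2pZ!")
    print("correct password verifies:", verify_password(rec, "Xq7#vLm2pZ!"))
    print("wrong password verifies:  ", verify_password(rec, "xq7#vLm2pZ!"))
    print(f"per-guess cost ratio, {SLOW_ROUNDS} rounds vs {FAST_ROUNDS}: {cost_ratio():.0f}x")
```

The ratio is what an installation buys by enabling an iterated algorithm: a legitimate logon pays it once, while an attacker working through a stolen database pays it for every guess against every user. The salt ensures guesses cannot be amortised across accounts with the same password.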
User ID Enumeration:
One of the first steps of an attack is gathering information about the target system. Denying information to external entities can make systems more resistant to attacks. One valuable piece of information that is often sought by attackers is a list of the valid user IDs on the system. With this list, attacks against user accounts become easier, particularly for accounts with weak passwords. System administrators can take action to prevent user ID enumeration through more secure application configuration. For example, the TSO logon panels can be configured to prevent user ID enumeration by enabling the LOGON PASSWORDPREPROMPT(ON) option in the IKJTSOxx PARMLIB member. This option changes the TSO logon process to authenticate the user before the TSO logon options are displayed.
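The general principle behind the preprompt option applies to any logon interface. As an added example (mine, not from the original post and not TSO's own code), the following Python contrasts a logon routine that leaks whether a user ID exists with one that gives a uniform answer and does the same hashing work either way, and then shows a preprompt-style flow that reveals account-specific content only after authentication succeeds. The user accounts, the dummy hash and the post-logon option names are constructed; plain SHA-256 is used only to keep the example short.

```python
import hashlib
import hmac


def _h(password: str) -> bytes:
    """Stand-in for the stored password hash; a real store uses a slow KDF, not plain SHA-256."""
    return hashlib.sha256(password.encode("utf-8")).digest()


# Constructed sample accounts standing in for the security database.
USERS = {"ROSS": _h("Xq7#vLm2pZ!"), "ADMIN1": _h("Lk9$wQ2e!Tr")}
# Hash of a value no user has; lets the hardened path do identical work for unknown IDs.
DUMMY_HASH = _h("constructed-dummy-value")
UNIFORM_MESSAGE = "INVALID CREDENTIALS"


def leaky_logon(userid: str, password: str):
    """Answers differently for unknown IDs and wrong passwords: each attempt confirms or denies an ID."""
    stored = USERS.get(userid.upper())
    if stored is None:
        return (False, "USER ID NOT FOUND")      # tells the caller the ID is not on the system
    if not hmac.compare_digest(_h(password), stored):
        return (False, "PASSWORD INCORRECT")     # confirms the ID does exist
    return (True, "LOGON OK")


def hardened_logon(userid: str, password: str):
    """Same message, and the same hashing work, whether or not the ID exists."""
    uid = userid.upper()
    stored = USERS.get(uid, DUMMY_HASH)
    ok = hmac.compare_digest(_h(password), stored) and uid in USERS
    return (ok, "LOGON OK" if ok else UNIFORM_MESSAGE)


def logon_screen(userid: str, password: str) -> dict:
    """Preprompt-style flow: account-specific options appear only after authentication."""
    ok, message = hardened_logon(userid, password)
    # Constructed sample of post-logon options; nothing about the account is shown on failure.
    options = ["PROCEDURE", "ACCT NMBR", "SIZE", "COMMAND"] if ok else None
    return {"message": message, "options": options}


if __name__ == "__main__":
    print("leaky, unknown id:   ", leaky_logon("NOBODY", "x"))
    print("leaky, wrong pw:     ", leaky_logon("ROSS", "x"))
    print("hardened, unknown id:", hardened_logon("NOBODY", "x"))
    print("hardened, wrong pw:  ", hardened_logon("ROSS", "x"))
    print("screen after success:", logon_screen("ross", "Xq7#vLm2pZ!"))
```

Two details carry the defence: the response text is identical for both failure causes, and the hash comparison runs against a dummy value for unknown IDs so that response time does not become a second channel for the same information.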
Encrypted Communications:
Network communications between clients and z/OS servers can also be a point of attack during authentication. When connections are in the clear, other parties on the network can use widely available tools to sniff sensitive information including logon credentials. To remove this attack surface, installations should ensure that all network traffic to z/OS is encrypted with secure protocols like TLS and migrate away from insecure protocols like FTP.
Enhanced PassTickets:
Many z/OS installations have authentication flows which use PassTicket technology. PassTickets are a type of authentication token which allows authorized applications to generate a one-time-use token code to authenticate a user to another z/OS application logon interface. Recently IBM introduced enhanced PassTickets which are intended to function in the same way as the existing legacy PassTickets but with several functional and security related improvements. The enhanced PassTickets algorithm uses a modern cryptographic algorithm, has an optionally expanded character set and a configurable validity period. IBM strongly recommends that installations migrate to using enhanced PassTickets to take advantage of these new capabilities and strengths.
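The two properties the paragraph calls out, a one-time-use token and a configurable validity period, are worth seeing in working form. The following is an added example (mine, not the original post's and not the enhanced PassTicket algorithm, whose key handling, token format and configuration belong to RACF and are not reproduced): a generic HMAC-based one-time token with a shared key between the issuing application and the target application, a time window, and a replay cache. The validity period, MAC length and shared key are constructed assumptions.

```python
import hashlib
import hmac
import os
import time

# Constructed parameters; the real enhanced PassTicket algorithm, key handling
# and validity period configuration live in RACF and are not reproduced here.
VALIDITY_SECONDS = 600
MAC_HEX_CHARS = 16


class TokenIssuer:
    """Run by the authorized application that generates a token for a user."""

    def __init__(self, shared_key: bytes):
        self.key = shared_key

    def issue(self, userid: str, application: str, now: float = None) -> str:
        ts = int(time.time() if now is None else now)
        nonce = os.urandom(8).hex()   # makes every token distinct, even within one second
        return f"{ts}:{nonce}:{self._mac(userid, application, ts, nonce)}"

    def _mac(self, userid: str, application: str, ts: int, nonce: str) -> str:
        # Binding user and target application into the MAC stops a token issued
        # for one application from being presented to another.
        msg = f"{userid.upper()}|{application.upper()}|{ts}|{nonce}".encode("utf-8")
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:MAC_HEX_CHARS]


class TokenValidator(TokenIssuer):
    """Run by the target application; shares the key and keeps a replay cache."""

    def __init__(self, shared_key: bytes, validity: int = VALIDITY_SECONDS):
        super().__init__(shared_key)
        self.validity = validity
        self.seen = {}                # (ts, nonce) -> ts, for one-time-use enforcement

    def validate(self, userid: str, application: str, token: str, now: float = None):
        now = time.time() if now is None else now
        try:
            ts_text, nonce, mac = token.split(":")
            ts = int(ts_text)
        except ValueError:
            return (False, "malformed")
        if not hmac.compare_digest(mac, self._mac(userid, application, ts, nonce)):
            return (False, "bad mac")                # wrong key, user, application or tampered
        if not (ts <= now <= ts + self.validity):
            return (False, "outside validity window")
        self._prune(now)
        if (ts, nonce) in self.seen:
            return (False, "replayed")               # second use of a one-time token
        self.seen[(ts, nonce)] = ts
        return (True, "accepted")

    def _prune(self, now: float) -> None:
        """Drop cache entries that can no longer be replayed because they have expired."""
        self.seen = {k: v for k, v in self.seen.items() if v + self.validity >= now}


if __name__ == "__main__":
    key = b"constructed-shared-key"          # constructed; never hard-code a real key
    issuer, validator = TokenIssuer(key), TokenValidator(key)
    token = issuer.issue("ROSS", "APP1")
    print("first use: ", validator.validate("ROSS", "APP1", token))
    print("second use:", validator.validate("ROSS", "APP1", token))
    print("other app: ", validator.validate("ROSS", "APP2", token))
```

The replay cache only needs to remember tokens for as long as they are valid, which is why the validity period also bounds the cache size; a shorter configured period both narrows the window for interception and keeps that state small.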
These advancements are great capabilities to have available on the z/OS platform, but installations must take advantage of them to realize the benefits. Just because an installation has been doing something for a long time, doesn’t mean it’s the best way to do it anymore. Security professionals must identify and remediate gaps between current configuration and the recommended best practices to improve security posture and have a higher level of confidence in z/OS applications and hosting environments.
Links:
For more information on the discussed authentication topics please refer to the following publications:
IBM Z Multi-Factor Authentication:
https://www.ibm.com/products/ibm-multifactor-authentication-for-zos
Enabling the RACF KDFAES hashing algorithm:
z/OS Security Server RACF System Programmer's Guide - Planning Considerations for enabling KDFAES
https://www.ibm.com/docs/en/zos/2.4.0?topic=customization-planning-considerations-enabling-kdfaes
RACF New Password and New Password Phrase Exits:
https://www.ibm.com/docs/en/zos/2.4.0?topic=exits-new-password-exit
https://www.ibm.com/docs/en/zos/2.4.0?topic=exits-new-password-phrase-exit-ichpwx11
System REXX Sample New Password and New Password Phrase Exit:
https://github.com/IBM/IBM-Z-zOS/tree/main/zOS-RACF/Downloads
Enabling TSO preprompt support:
z/OS TSO/E Customization – Activating password preprompt support
https://www.ibm.com/docs/en/zos/2.4.0?topic=process-activating-passwordpreprompt-support
https://community.ibm.com/community/user/blogs/ross-cooper/2021/09/02/thwarted-by-ibm-z-episode-3