The algorithm takes the username, encrypts it via the DES algorithm and uses the password as the key. The resultant ciphertext is stored in the RACF database.
When a user logs in, the user enters their userID and their password. The mainframe takes the userID, encrypts with DES using the password as the key. The mainframe then compares the result of this new ciphertext with the ciphertext stored in the database. If they match, the mainframe lets the user in.
The issue is, the userIDs follow a standard and DES has a very weak keyspace, therefore password crackers like John the Ripper have an easy time of discovering the password.
So, unfortunately DES does not meet requirement 8.4 of the PCI DSS, the credit card security standard required by the card brands.
Yes, steve-myers, I don't have a clear understanding of mainframes. Over the past 20 years, I built, secured and supported distributed systems. <shrug> I do know that this particular mainframe that I'm auditing has problems and I'm attempting to educate myself and provide solutions to my customer rather than being an ignorant black/white auditor (which is a common failing in my experience). That's why I'm here asking this question.
I'd be happy to support my claims of how passwords work on the mainframe with references to the RedBooks that I have read. I have not been able to find any solution to this problem of DES other than using LDAP which is smart from the respect that password storage on LDAP servers such as Oracle, Tivoli, AD (yes, you can use Active Directory as an LDAP authentication server), etc store the passwords securely.
So, I take it that none of the folks here have seen a custom exit? Does everyone use built in RACF/ACF2/TopSecret settings or the DES functions?
Here's a link to a password cracker: http://2000clicks.com/links/Computers/I ... racker.htm
and an excellent presentation on how to break into mainframe systems: http://www.stuhenderson.com/XBRKZTXT.PDF