Recent data breaches at major corporations have CEOs across the board on heightened alert. After all, it’s their reputations on the line. “Breaches are going to start costing CEOs their jobs – or their paychecks. Because of that, I’m hoping that now security will become more of a priority for them,” said Brian Marshall, VP at Vanguard Integrity Professionals, in a recent SHARE presentation.
Companies that handle sensitive information must keep their cyber defenses primed against attacks, especially those aimed at stealing cardholder data, and that means having methods in place for authenticating users.
At SHARE Providence 2017, Marshall spoke about mainframe user authentication, including multi-factor authentication (MFA), IRRSXT00 for CICS, TSO PREPROMPT, and APAR OA43999.
Most people know about multi-factor authentication. The general idea is that each additional factor increases assurance that someone involved in a communication or requesting access is who, or what, they say they are.
The three most common categories of factors are often described as something you know (the knowledge factor), something you have (the possession factor) and something you are (the inherence factor). Possession factors like time-based tokens or sequence-based buttons are Marshall’s preferred category, since they can be easily and inexpensively delivered via cellphone, and phone apps can generate secure one-time passwords.
Marshall explained that mainframe session managers are one of the biggest barriers to MFA adoption: because a session manager cannot cache a one-time password and reuse it to authenticate subsequent sessions, much of its value is lost.
IBM has addressed this with an MFA for z/OS solution that uses PassTickets for all of the subsequent sessions. The downside of PassTickets is that they depend on encryption keys, which must be guarded.
IRRSXT00 for CICS
CICS has always had a performance problem when it comes to authentication, according to Marshall, because the VERIFY exit is relatively expensive. CICS is inherently single-threaded, so if authentications take a long time, or many users log on at the same time, all CICS transactions are held up.
A few years ago, IBM added a method that improves performance by using the SAF callable service IRRSXT00. CICS will not correctly validate multi-factor users for any vendor product that does not support this interface.
This change caused numerous problems for MFA and CICS: a side effect was that a sign-on supplying a PHRASE and NEW PHRASE (password and new password) was sent through validation twice. This has now been fixed by APARs PI67905 and PI75324.
TSO PREPROMPT
With PASSWORDPREPROMPT(ON) specified on the LOGON statement in IKJTSOxx, the user is prompted for the password, which must be correct, before the full logon panel (with the user's attributes visible) is presented. This forces the user to supply both a valid user ID and the password before any further processing occurs.
Rather than answering "invalid userid" or "invalid password," TSO PREPROMPT simply says no, so an attacker can't keep banging on the door until a valid user ID turns up. Since an internal or external hacker no longer learns whether a given user ID is any good, they have much less information with which to try to take over your system.
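The enumeration point above, as an added illustration that is not part of the presentation or of z/OS: a constructed in-memory user store with salted PBKDF2 password hashing (standing in for a key-derivation-based scheme such as KDFAES, which is not reproduced here), showing a leaky logon that distinguishes bad user IDs from bad passwords beside a PREPROMPT-style one that gives a single generic refusal and does the same work either way.

```python
import hashlib
import hmac
import os

# Constructed example: PBKDF2-HMAC-SHA256 stands in for a KDF-based
# password scheme; the real KDFAES algorithm is not reproduced here.
ITERATIONS = 50_000


def derive(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": derive(password, salt)}


# Constructed user store keyed by user ID.
USERS = {"ALICE": make_user("correct horse")}

# Dummy record so that an unknown ID costs the same work as a known one.
_DUMMY = make_user(os.urandom(8).hex())


def logon_leaky(user_id: str, password: str) -> str:
    """Distinct messages let a caller tell a valid ID from a bad password."""
    rec = USERS.get(user_id)
    if rec is None:
        return "invalid userid"
    if derive(password, rec["salt"]) != rec["hash"]:
        return "invalid password"
    return "ok"


def logon_preprompt(user_id: str, password: str) -> str:
    """One generic refusal, and the same hashing work whether or not the ID exists."""
    rec = USERS.get(user_id, _DUMMY)
    computed = derive(password, rec["salt"])
    ok = hmac.compare_digest(computed, rec["hash"]) and user_id in USERS
    return "ok" if ok else "logon rejected"
```

With the second form, a caller probing user IDs gets the identical response for "ALICE" with a wrong password and for a non-existent "BOB", so nothing about which IDs are valid leaks from the refusal.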
APAR OA43999
OA43999 was a much-needed APAR from IBM related to password encryption in your RACF database. The biggest hurdle people are trying to overcome right now, said Marshall, is that encrypting the password when logging on to CICS has created performance issues. So this APAR should be installed, and Marshall recommends implementing the KDFAES algorithm for your users.
Mainframe user authentication – including MFA, IRRSXT00 for CICS, TSO PREPROMPT and APAR OA43999 – is an essential component of mainframe security, helping ensure that users are who they say they are and keeping bad actors out of your systems.
To learn more about authentication of users, including tips about passwords and passphrases, watch the full video from Brian Marshall’s “Security Potpourri” presentation in the SHARE Content Center.