Date: Wed, 5 Mar 2008 08:09:08 -0500
Reply-To: Gerhard Hellriegel <gerhard.hellriegel@T-ONLINE.DE>
Sender: "SAS(r) Discussion" <SAS-L@LISTSERV.UGA.EDU>
From: Gerhard Hellriegel <gerhard.hellriegel@T-ONLINE.DE>
Subject: read-password for sas-ds, safe?
Hi there,
we have a problem under zOS to let some groups read selected data via a
view, but with no chance to read the base-data. That is not possible with
zOS security, because if read is possible via the view, access to the
base-library is also possible.
I tried to get that with a generated read-pw, like:
    /* generate passwd in &pw */
    data base.data(read=&pw);
      set ...;
    run;
    data views.v1 / view=views.v1;
      set base.data(read=&pw);
      where ...;
    run;
That seems to work well.
Now my question:
I've heard that those passwords are not good enough, because one could get
them back somehow. Ok, my first pw-generating algorithm was like:
use a char at first pos. and add a 7-char long random-number. That is
weak, because with a brute force algorithm in a SAS batch job with a loop
from 0 to 9999999 and a loop through all possible chars for the first
char, in 2-4 hours the pw can be found. Unfortunately the max length is 8
byte...
Now I use something which chooses randomly characters out of 37 possible
(the pw is not case-sensitive). So there are around 2,6e12 combinations,
which might not be found fast enough (it changes once a month).
Do you know any possibility to get that random PW out of the views- or the
data-library? I used a hex-editor to search for it, but only found
read=XXXXXXXX (another weakness: the length of the PW can be found, also
from the view description).
Do you think that is secure enough for one month?
I tried to find it with
    rc = open("base.data(read="!!"&char"!!"&num"!!")","I");
if rc>0 then I stop it and I have the PW. Fortunately the OPEN seems to
use much time, so that doesn't run fast!
(I don't do that with &num, I use a loop counter and convert it to char
with z7., so I think it is the open which takes much time.)
So once again: any ideas how to get back the pw? I hope there is no
possibility!
Thanks,
Gerhard
PS: I use SAS 9.1.3 on a zOS mainframe!
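
Added example (not part of the original post): a Python estimate of how much of each keyspace a guessing job covers before the monthly rotation, using the post's own figures. Assumptions: the first character has 27 choices (letter or underscore, per SAS naming rules, which reproduces the post's 2,6e12), "2-4 hours" is a full sweep of the old scheme, and the rotation window is 30 days.

```python
"""Added example: exhaustive-search cost for the two password schemes in the post."""
from math import ceil

SECONDS_PER_HOUR = 3600
SECONDS_PER_DAY = 86400

# Assumption: a SAS password follows SAS naming rules, so the first character
# is a letter or underscore (27 choices) and the rest may also be digits (37).
FIRST_CHOICES = 27
OTHER_CHOICES = 37
MAX_LEN = 8


def keyspace_old():
    """One leading character followed by a 7-digit number (the first scheme)."""
    return FIRST_CHOICES * 10 ** 7


def keyspace_new(length=MAX_LEN):
    """Random characters from the 37-symbol alphabet (the second scheme)."""
    return FIRST_CHOICES * OTHER_CHOICES ** (length - 1)


def guess_rate(sweep_hours):
    """Guesses per second implied by sweeping the old keyspace in sweep_hours."""
    return keyspace_old() / (sweep_hours * SECONDS_PER_HOUR)


def fraction_covered(space, rate, days, jobs=1):
    """Share of the keyspace tried before the password rotates (capped at 1)."""
    return min(1.0, rate * jobs * days * SECONDS_PER_DAY / space)


def jobs_for_full_sweep(space, rate, days):
    """Parallel batch jobs needed to try every password within the window."""
    return ceil(space / (rate * days * SECONDS_PER_DAY))


if __name__ == "__main__":
    space = keyspace_new()
    for hours in (2, 4):  # the post's "2-4 hours" for the old scheme
        rate = guess_rate(hours)
        print(f"old sweep {hours} h -> {rate:,.0f} guesses/s; "
              f"new keyspace {space:.2e}; "
              f"one job covers {fraction_covered(space, rate, 30):.1%} in 30 days; "
              f"{jobs_for_full_sweep(space, rate, 30)} jobs sweep it all")
```

The covered fraction grows linearly with the number of parallel jobs, so the monthly rotation only bounds the risk if failed opens against the data set are also counted and limited.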