Encryption Strength Used For Passwords And Passphrases On The CA Top Secret Security File?
Article ID: 127050
Products
Top Secret, Top Secret - LDAP
Issue/Introduction
What is the encryption strength used for encrypting the passwords and passphrases on the CA Top Secret security file?
Environment
Release: Component: TSSMVS
Resolution
In CA Top Secret r16, there are 3 options for password encryption:
1. Triple-DES encryption. This data security file service uses internal processes to make critical data unreadable. Before the data is stored in the security file, previously encrypted fields are passed to these processes, thereby creating multiple levels of encryption.
2. 128-bit AES key size algorithm.
3. 256-bit AES key size algorithm.
** The AES algorithm is more secure than Triple-DES but, by design, is more computationally intensive. Carefully review the planning considerations before enabling this control option.
** Published PTF SO05173 added an internal password/passphrase cache that might alleviate performance issues when using 256-bit AES encryption with passwords. Enabling the AESCACHE control option activates AES caching for system entry validation (logon), password verification, and password/passphrase changes.
To determine what level of encryption is currently in use, issue the TSS MODIFY command.
* If using DES encryption, the TSS MODIFY output will show:
TSS9661I CA Top Secret FEATURES Status … AES_ENCRYPTION(Inactive)
TSS9661I CA Top Secret PASSWORD Status … AESENC(NONE)
* If using AES 128 encryption, the TSS MODIFY output will show:
TSS9661I CA Top Secret FEATURES Status … AES_ENCRYPTION(Active,128)
TSS9661I CA Top Secret PASSWORD Status … AESENC(128)
* If using AES 256 encryption, the TSS MODIFY output will show:
TSS9661I CA Top Secret FEATURES Status … AES_ENCRYPTION(Active,256)
TSS9661I CA Top Secret PASSWORD Status … AESENC(256)
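For checking this across several systems, the following added example (not part of the original article or the product) parses captured TSS MODIFY output and reports the encryption level from the two TSS9661I fields shown above. The system names, the sample captures, and the choice to treat a disagreement between the two fields as needing review are assumptions of the example.

```python
import re

# Field formats taken from the TSS9661I lines quoted above.
FEATURES_RE = re.compile(r"AES_ENCRYPTION\((Inactive|Active,(128|256))\)")
PASSWORD_RE = re.compile(r"AESENC\((NONE|128|256)\)")
LEVELS = {"NONE": "Triple-DES", "128": "AES-128", "256": "AES-256"}
RANK = ["unknown", "Triple-DES", "AES-128", "AES-256"]


def classify(modify_output):
    """Return (level, problems) for one captured TSS MODIFY listing."""
    features = password = None
    for line in modify_output.splitlines():
        if "TSS9661I" not in line:
            continue
        m = FEATURES_RE.search(line)
        if m:
            features = m.group(2) or "NONE"  # Inactive maps to NONE
        m = PASSWORD_RE.search(line)
        if m:
            password = m.group(1)
    problems = []
    if features is None:
        problems.append("AES_ENCRYPTION field not found")
    if password is None:
        problems.append("AESENC field not found")
    if features and password and features != password:
        # Assumption of this example: disagreement needs manual review.
        problems.append(f"FEATURES={features} but PASSWORD={password}")
    return ("unknown" if problems else LEVELS[password]), problems


def below_minimum(captures, minimum="AES-256"):
    """Names of systems whose level is unknown or weaker than `minimum`."""
    floor = RANK.index(minimum)
    return sorted(n for n, out in captures.items()
                  if RANK.index(classify(out)[0]) < floor)


# Constructed sample captures; system names are hypothetical.
SAMPLE = {
    "SYSA": "TSS9661I CA Top Secret FEATURES Status … AES_ENCRYPTION(Inactive)\n"
            "TSS9661I CA Top Secret PASSWORD Status … AESENC(NONE)",
    "SYSB": "TSS9661I CA Top Secret FEATURES Status … AES_ENCRYPTION(Active,256)\n"
            "TSS9661I CA Top Secret PASSWORD Status … AESENC(256)",
    "SYSC": "TSS9661I CA Top Secret FEATURES Status … AES_ENCRYPTION(Active,128)\n"
            "TSS9661I CA Top Secret PASSWORD Status … AESENC(256)",
}
```

Calling `below_minimum(SAMPLE)` lists the systems still on Triple-DES or with output that could not be classified, which is the set to follow up on.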
Additional Information
See the following link for the steps to convert from Triple-DES to 128-Bit AES Encryption for Passwords/Password Phrases: