Encryption Strength Used For Passwords And Passphrases On The CA Top Secret Security File?


Article ID: 127050


Products

CA Top Secret, CA Top Secret - LDAP

Issue/Introduction



What is the encryption strength used for encrypting the passwords and passphrases on the CA Top Secret security file?

Environment

Release:
Component: TSSMVS

Resolution

In CA Top Secret r16, there are 3 options for password encryption:

1. Triple-DES encryption. This data security file service uses internal processes to make critical data unreadable. Before the data is stored in the security file, previously encrypted fields are passed to these processes, thereby creating multiple levels of encryption.

2. 128-bit AES key size algorithm.  

3. 256-bit AES key size algorithm.  

** The AES algorithm is more secure than Triple-DES but, by design, is more computationally intensive. Carefully review the planning considerations before enabling this control option.

** Published PTF SO05173 added an internal password/passphrase cache that might alleviate performance issues when using 256-bit AES encryption with passwords. Enabling the AESCACHE control option activates AES caching for system entry validation (logon), password verification, and password/passphrase changes.  


To determine what level of encryption is currently in use, issue the TSS MODIFY command.
 

* If using Triple-DES encryption, the TSS MODIFY output will show:

TSS9661I        CA Top Secret FEATURES Status

AES_ENCRYPTION(Inactive)
 
TSS9661I        CA Top Secret PASSWORD Status

AESENC(NONE)
 

* If using AES 128 encryption, the TSS MODIFY output will show: 

TSS9661I        CA Top Secret FEATURES Status

AES_ENCRYPTION(Active,128)
 
TSS9661I        CA Top Secret PASSWORD Status

AESENC(128)

 
* If using AES 256 encryption, the TSS MODIFY output will show: 

TSS9661I        CA Top Secret FEATURES Status

 AES_ENCRYPTION(Active,256)
 
TSS9661I        CA Top Secret PASSWORD Status

 AESENC(256)
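
An added example, not part of the original article or of CA Top Secret: a Python check that reads captured TSS MODIFY output and reports the encryption level from the two fields shown above. The function name, the sample captures, and the choice to report missing or disagreeing fields instead of interpreting them are assumptions of this example.

```python
import re

# Field formats as they appear in the TSS MODIFY samples on this page.
FEATURE_RE = re.compile(r"AES_ENCRYPTION\(\s*(Inactive|Active\s*,\s*(128|256))\s*\)")
PASSWORD_RE = re.compile(r"AESENC\(\s*(NONE|128|256)\s*\)")

# Constructed captures, modelled on the samples above.
SAMPLE_AES256 = """TSS9661I        CA Top Secret FEATURES Status
 AES_ENCRYPTION(Active,256)
TSS9661I        CA Top Secret PASSWORD Status
 AESENC(256)
"""
SAMPLE_TDES = SAMPLE_AES256.replace("Active,256", "Inactive").replace("(256)", "(NONE)")
SAMPLE_MIXED = SAMPLE_AES256.replace("AESENC(256)", "AESENC(128)")


def classify_encryption(modify_output):
    """Return (level, findings) for the text of a captured TSS MODIFY listing."""
    feat = FEATURE_RE.findall(modify_output)
    pwd = PASSWORD_RE.findall(modify_output)
    if len(feat) != 1 or len(pwd) != 1:
        # Missing or repeated fields: report as unknown, never guess.
        return "UNKNOWN", ["expected exactly one AES_ENCRYPTION and one AESENC field"]
    feature_bits = feat[0][1] or None                    # None when Inactive
    password_bits = None if pwd[0] == "NONE" else pwd[0]
    if feature_bits != password_bits:
        # The two status sections disagree; surface it for manual review.
        msg = f"FEATURES shows {feat[0][0]} but PASSWORD shows AESENC({pwd[0]})"
        return "INCONSISTENT", [msg]
    if password_bits is None:
        return "TRIPLE-DES", ["passwords/passphrases are not AES encrypted"]
    return f"AES-{password_bits}", []


if __name__ == "__main__":
    for name, text in [("aes256", SAMPLE_AES256), ("tdes", SAMPLE_TDES),
                       ("mixed", SAMPLE_MIXED)]:
        print(name, classify_encryption(text))
```
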

Additional Information

See the following link for the steps to convert from Triple-DES to 128-Bit AES Encryption for Passwords/Password Phrases:

https://docops.ca.com/ca-top-secret-for-z-os/16-0/en/using/managing-passwords-and-password-phrases/convert-triple-des-to-128-bit-aes-encryption-for-passwords-password-phrases 

See the following link for the steps to implement 256-Bit AES Encryption for Passwords/Password Phrases:
 
https://docops.ca.com/ca-top-secret-for-z-os/16-0/en/using/managing-passwords-and-password-phrases/implement-256-bit-aes-encryption-for-passwords-password-phrases