ACF2 password encryption implications of XDES or AES1 or AES2
Article ID: 235839

Products

ACF2

Issue/Introduction

The GSO PSWD record has PSWDENCT(XDES), which does not meet approved cryptographic standards.
If this is changed to AES1 or AES2, what are the differences between XDES, AES1 and AES2?
AES is an approved standard and the ACF2 manual lists AES1; what is the difference?

Environment

Release : 16.0

Component : ACF2 for z/OS

Resolution

Besides XDES, two other values can be specified: AES1 and AES2.
Here are the descriptions from the documentation.

PSWDENCT(XDES|null|AES1|AES2)

Specifies which password encryption algorithm ACF2 uses to encrypt user passwords and password phrases.
AES1 specifies that AES-CMAC using AES 128 is used.
AES2 specifies that AES-CMAC using AES 256 is used.
Entering a null value () specifies the default, which is XDES.

AES 256 support is available in ACF2 V16.0.
You can use CPF Command Propagation and Password Synchronization between
LPARs with different password encryption PSWDENCT(XDES|AES1|AES2) settings without experiencing problems.

Default: XDES, which specifies that the ACF2 XDES algorithm is used for password encryption processing.


XDES and AES1 do not have any real performance implications.
AES2 does have major implications because of the amount of time it takes to encrypt passwords.
This is because AES 256 encryption requires many iterations of the encryption process to provide the required level of protection.
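To make the AES1/AES2 description concrete, the following is an added example (not ACF2's own code; ACF2's internal key handling and iteration scheme are not described on this page) that implements AES-CMAC as specified in RFC 4493 on top of Go's standard `crypto/aes`, then tags a constructed sample password under a 128-bit key and a 256-bit key. It goes slightly beyond the article by checking itself against the published RFC 4493 test vectors and by showing a constant-time verification, the shape a logon check takes when a stored tag is compared. The keys and the password are constructed sample values, not values from ACF2. One point the code makes visible: the CMAC tag is always one AES block (16 bytes) regardless of key size, so AES2 changes the key strength, not the size of the stored value.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// rb is the RFC 4493 constant used when deriving the CMAC subkeys.
const rb = 0x87

// shiftLeftOne returns in << 1, treating the slice as a big-endian bit string.
func shiftLeftOne(in []byte) []byte {
	out := make([]byte, len(in))
	var carry byte
	for i := len(in) - 1; i >= 0; i-- {
		out[i] = in[i]<<1 | carry
		carry = in[i] >> 7
	}
	return out
}

// generateSubkeys derives K1 and K2 (RFC 4493 section 2.3) from the cipher.
func generateSubkeys(block cipher.Block) (k1, k2 []byte) {
	bs := block.BlockSize()
	l := make([]byte, bs)
	block.Encrypt(l, make([]byte, bs)) // L = AES_K(0^128)
	k1 = shiftLeftOne(l)
	if l[0]&0x80 != 0 {
		k1[bs-1] ^= rb
	}
	k2 = shiftLeftOne(k1)
	if k1[0]&0x80 != 0 {
		k2[bs-1] ^= rb
	}
	return k1, k2
}

// AESCMAC computes the AES-CMAC tag of msg under key: 16-byte key for
// AES-128 (the AES1 setting), 32-byte key for AES-256 (the AES2 setting).
// The tag is one AES block (16 bytes) long for either key size.
func AESCMAC(key, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	k1, k2 := generateSubkeys(block)

	// Number of blocks; an empty message is processed as one padded block.
	n := (len(msg) + bs - 1) / bs
	complete := n > 0 && len(msg)%bs == 0
	if n == 0 {
		n = 1
	}

	// Final block: XOR with K1 if full, else pad with 10...0 and XOR with K2.
	last := make([]byte, bs)
	tail := msg[(n-1)*bs:]
	copy(last, tail)
	sub := k1
	if !complete {
		last[len(tail)] = 0x80
		sub = k2
	}
	for i := range last {
		last[i] ^= sub[i]
	}

	// CBC-MAC chain over the first n-1 blocks, then the tweaked final block.
	x := make([]byte, bs)
	y := make([]byte, bs)
	for i := 0; i < n-1; i++ {
		for j := 0; j < bs; j++ {
			y[j] = x[j] ^ msg[i*bs+j]
		}
		block.Encrypt(x, y)
	}
	for j := 0; j < bs; j++ {
		y[j] = x[j] ^ last[j]
	}
	block.Encrypt(x, y)
	return x, nil
}

// VerifyTag recomputes the tag and compares it in constant time, so a stored
// tag can be checked at logon without leaking timing information.
func VerifyTag(key, msg, tag []byte) bool {
	got, err := AESCMAC(key, msg)
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare(got, tag) == 1
}

// cmacHex is a hex-string convenience wrapper used by the self-checks.
func cmacHex(keyHex, msgHex string) string {
	key, _ := hex.DecodeString(keyHex)
	msg, _ := hex.DecodeString(msgHex)
	tag, err := AESCMAC(key, msg)
	if err != nil {
		return "error: " + err.Error()
	}
	return hex.EncodeToString(tag)
}

func main() {
	// Constructed sample keys (RFC 4493 / NIST SP 800-38B example keys), not ACF2's.
	key128, _ := hex.DecodeString("2b7e151628aed2a6abf7158809cf4f3c")
	key256, _ := hex.DecodeString("603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4")
	password := []byte("Example-Passw0rd") // constructed sample input

	tag128, _ := AESCMAC(key128, password)
	tag256, _ := AESCMAC(key256, password)
	fmt.Printf("AES-128 CMAC (%d bytes): %x\n", len(tag128), tag128)
	fmt.Printf("AES-256 CMAC (%d bytes): %x\n", len(tag256), tag256)
	fmt.Println("verify with the right key:", VerifyTag(key128, password, tag128))
	fmt.Println("verify with the wrong key:", VerifyTag(key256, password, tag128))
}
```

Run it with `go run .`; the RFC 4493 vectors in the self-check (empty, 16-byte and 40-byte messages under the 128-bit example key) exercise both the full-block and the padded-block paths, and switching to the 32-byte key exercises AES-256 without changing any of the CMAC logic.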