search cancel

Top Secret Implement 256-Bit AES Encryption

book

Article ID: 38986

calendar_today

Updated On:

Products

Top Secret

Issue/Introduction

 
Implement 256-Bit AES Encryption for Passwords/Password Phrases
 
 
 

 

Environment

Release:
Component: TSSMVS

Resolution

Implement 256-Bit AES Encryption for Passwords/Password Phrases

Contents

As a system administrator or security administrator, you want user passwords and password phrases to have 256-bit Advanced Encryption Standard (AES) encryption. AES is an algorithm that helps protect sensitive data by using a text encryption method where a cryptographic key and algorithm are applied to a block of data. AES is one of the most secure encryption algorithms available.

Important! A security file that has 256-bit AES encryption enabled cannot be shared with CA Top Secret r15 (and earlier) systems. If you want 256-bit AES encryption while sharing the file, ensure that all shared systems are at least Version 16.

The following illustration shows how an administrator converts from Triple-DES encryption or 128-bit AES encryption to 256-bit AES encryption.

Note: You can also convert passwords/password phrases from Triple-DES encryption to 128-bit AES encryption by running TSSMAINT (with the AESENCRYPT option specified) and then running TSSXTEND to copy the old security file to the new security file; however, we recommend 256-bit AES encryption, which involves a stronger key that offers the most available security.

 

Perform the following tasks to implement 256-bit AES encryption for passwords and password phrases:

  1. Verify your current AES encryption level.
  2. Activate 256-bit AES encryption through one of the following activities:

o    Activate a control option at startup to begin using 256-bit AES encryption.

o    Universally adopt 256-bit AES encryption by replacing your security file with a 256-bit AES encryption-formatted security file.

Important! If converting from Triple-DES, you must use this method.

Verify Your Current AES Encryption Level

To verify your current AES encryption level, issue the following command to display the status of the site security environment:

TSS MODIFY STATUS

The output includes current AES encryption settings.

Example Output:

MAX_ACID_SIZE(0256K)

 RDT2BYTE(Active)

 NEW_PASSWORD(Active)

 VSAM_DIGICERT(Active)

 AES_ENCRYPTION(Active,128)

 LARGE_VSAM_RECORD(Inactive)

 EXPAND_COUNTER(Inactive)

TSS9661I        CA Top Secret PHRASE   Status

 NEWPHRASE(MIN=09,MAX=100,WARN=03,MINDAYS=00,SC=00,MA=00,MN=00)

 PSWDPHRASE(ON )                                        NPPTHRESH(02)

 PPEXP(030)                 PPHIST(03)

TSS9661I        CA Top Secret PASSWORD Status

 NEWPW(MIN=04,MAX=008,WARN=04,MINDAYS=01,NR=1,ID,TS,RS,RT,FA,FN)

 HPBPW(009)                 MSUSPEND(YES)               NPWRTHRESH(2)

 PWEXP(030)                 PWHIST(03)                  PTHRESH(002)

 PWVIEW(NO)

 PWVERIFY(NO)               PWENC(AES )                 PWADMIN(NO)

 AESENC(128)

Activate a Control Option at Startup to Begin Using 256-Bit AES Encryption

Use this method if it is not reasonable for your site to replace your security file and universally convert to 256-bit AES encryption format for passwords/password phrases. For example, you might have 47 systems and find that it does not make business sense for your site to copy 47 files.

Important! If converting from Triple-DES, you cannot use this method. You must run the TSSMAINT program and run TSSXTEND.

Note: After activating the control option, passwords are changed to the new format during each subsequent action; conversion does not occur simply by activating the control option

Follow these steps:

  1. Include the following control option specification in the parameter file:
  2. AESENC(256)
  3. Restart CA Top Secret:
  4. Shut down the product:
  5. P TSS
  6. Start the product:
  7. START TSS
  8. Reply A to message prompt TSS9227A.
    You should receive confirmation that the encryption level is set.

After the conversion, password and password phrase changes will be treated with 256-bit AES encryption, with the passwords and phrases in password history retaining 128-bit AES encryption until more changes take place to alter the history.

Example: Maintaining Password History as Password Changes Occur

A PWHIST(3) control option setting is in place, and the AESENC control option is set to 256. After product restart, passwords are still at 128-bit AES encryption. No conversion to 256-bit AES encryption has taken place. If you change a password, the following password history exists:

  • The current password receives 256-bit AES encryption.
  • The first and second passwords in password history remain at 128-bit AES encryption.

The next time you change the password, the following password history exists:

  • The current password receives 256-bit AES encryption.
  • The first password in password history has 256-bit AES encryption.
  • The second password in password history remains at 128-bit AES encryption.

Replace Your Security File with a 256-Bit AES Encryption-Formatted Security File

To universally adopt 256-bit AES encryption for passwords/password phrases (converting the encryption across all ACIDs on the security file), you can replace your security file with a 256-bit AES encryption-formatted security file.

Important! If converting from Triple-DES, you must use this method.

Follow these steps:

  1. Create a new security file by executing the JCL in CAKOJCL0 member TSSMAINS to run the TSSMAINT program. Ensure that you
  2. specify parameter AES256ENCRYPT.
  3. Run TSSXTEND to copy the old security file to the new security file.
  4. Reinitialize CA Top Secret:
  5. S TSS,,,REINIT
  6. Display the status of the site security environment to confirm that you now have a 256-bit AES encryption-formatted security file:
  7. TSS MODIFY STATUS

The output includes AES encryption settings.
You have successfully converted to 256-bit AES encryption for passwords and password phrases.

 

 

Powered by Wolken Software