Implement 256-Bit AES Encryption for Passwords/Password Phrases
As a system administrator or security administrator, you want user passwords and password phrases to be protected with 256-bit Advanced Encryption Standard (AES) encryption. AES is a symmetric block cipher that protects sensitive data by applying a cryptographic key and the AES algorithm to each fixed-size block of data. AES is one of the most secure encryption algorithms available.
Important! A security file that has 256-bit AES encryption enabled cannot be shared with CA Top Secret r15 (and earlier) systems. If you want 256-bit AES encryption while sharing the file, ensure that all shared systems are at least Version 16.
The following illustration shows how an administrator converts from Triple-DES encryption or 128-bit AES encryption to 256-bit AES encryption.
Note: You can also convert passwords/password phrases from Triple-DES encryption to 128-bit AES encryption by running TSSMAINT (with the AESENCRYPT option specified) and then running TSSXTEND to copy the old security file to the new security file; however, we recommend 256-bit AES encryption, which involves a stronger key that offers the most available security.
Perform the following tasks to implement 256-bit AES encryption for passwords and password phrases:
o Activate a control option at startup to begin using 256-bit AES encryption.
o Universally adopt 256-bit AES encryption by replacing your security file with a 256-bit AES encryption-formatted security file.
Important! If converting from Triple-DES, you must use this method.
To verify your current AES encryption level, issue the following command to display the status of the site security environment:
TSS MODIFY STATUS
The output includes current AES encryption settings.
Example Output:
MAX_ACID_SIZE(0256K)
RDT2BYTE(Active)
NEW_PASSWORD(Active)
VSAM_DIGICERT(Active)
AES_ENCRYPTION(Active,128)
LARGE_VSAM_RECORD(Inactive)
EXPAND_COUNTER(Inactive)
TSS9661I CA Top Secret PHRASE Status
NEWPHRASE(MIN=09,MAX=100,WARN=03,MINDAYS=00,SC=00,MA=00,MN=00)
PSWDPHRASE(ON ) NPPTHRESH(02)
PPEXP(030) PPHIST(03)
TSS9661I CA Top Secret PASSWORD Status
NEWPW(MIN=04,MAX=008,WARN=04,MINDAYS=01,NR=1,ID,TS,RS,RT,FA,FN)
HPBPW(009) MSUSPEND(YES) NPWRTHRESH(2)
PWEXP(030) PWHIST(03) PTHRESH(002)
PWVIEW(NO)
PWVERIFY(NO) PWENC(AES ) PWADMIN(NO)
AESENC(128)
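Checking the AES level by eye is fine for one system, but the page's own scenario of many systems calls for something repeatable. The following script is an added example (not part of the CA Top Secret documentation or product) that parses the display produced by TSS MODIFY STATUS and reports whether 256-bit AES is in effect. The sample output embedded below is the page's example display; the option names it checks (PWENC, AESENC, AES_ENCRYPTION) are the ones shown there, and the severity labels and messages are this example's own choices.

```python
import re

# Sample display of TSS MODIFY STATUS, copied from the page's example output.
SAMPLE_STATUS = """\
MAX_ACID_SIZE(0256K)
RDT2BYTE(Active)
NEW_PASSWORD(Active)
VSAM_DIGICERT(Active)
AES_ENCRYPTION(Active,128)
LARGE_VSAM_RECORD(Inactive)
EXPAND_COUNTER(Inactive)
TSS9661I CA Top Secret PHRASE Status
NEWPHRASE(MIN=09,MAX=100,WARN=03,MINDAYS=00,SC=00,MA=00,MN=00)
PSWDPHRASE(ON ) NPPTHRESH(02)
PPEXP(030) PPHIST(03)
TSS9661I CA Top Secret PASSWORD Status
NEWPW(MIN=04,MAX=008,WARN=04,MINDAYS=01,NR=1,ID,TS,RS,RT,FA,FN)
HPBPW(009) MSUSPEND(YES) NPWRTHRESH(2)
PWEXP(030) PWHIST(03) PTHRESH(002)
PWVIEW(NO)
PWVERIFY(NO) PWENC(AES ) PWADMIN(NO)
AESENC(128)
"""

# Each control option is displayed as NAME(value[,value...]); several may share a line.
OPTION_RE = re.compile(r"([A-Z0-9_]+)\(([^)]*)\)")

TARGET_BITS = 256


def parse_status(text):
    """Return {OPTION: [values]} for every NAME(...) token in the display.
    Values are stripped of the padding the display adds (e.g. 'AES ' -> 'AES')."""
    options = {}
    for name, body in OPTION_RE.findall(text):
        options[name] = [v.strip() for v in body.split(",")]
    return options


def encryption_findings(options):
    """Compare the password encryption options against the 256-bit AES goal.
    Returns a list of (severity, message); an empty list means the goal is met."""
    findings = []
    pwenc = options.get("PWENC", [""])[0]
    aesenc = options.get("AESENC", [""])[0]
    aes_state = options.get("AES_ENCRYPTION", ["", ""])

    if pwenc != "AES":
        # Per the page, a file that is not yet AES (e.g. Triple-DES) cannot be
        # converted with the control option alone; TSSMAINT and TSSXTEND are required.
        findings.append(("high", f"PWENC({pwenc}): passwords are not AES encrypted; "
                                 "convert the security file with TSSMAINT and TSSXTEND"))
        return findings

    level = int(aesenc) if aesenc.isdigit() else None
    if level != TARGET_BITS:
        findings.append(("medium", f"AESENC({aesenc}): {TARGET_BITS}-bit AES is not active"))

    if aes_state[0] != "Active":
        findings.append(("medium", f"AES_ENCRYPTION({','.join(aes_state)}): not active"))
    elif len(aes_state) > 1 and aes_state[1] != str(TARGET_BITS):
        findings.append(("low", f"AES_ENCRYPTION reports {aes_state[1]}-bit, "
                                f"expected {TARGET_BITS}"))
    return findings


def audit(text):
    """Parse one system's display and return its findings."""
    return encryption_findings(parse_status(text))


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_STATUS) or [("info", "256-bit AES in effect")]:
        print(f"[{severity}] {message}")
```

Run against the page's example the script flags AESENC(128) and the 128-bit value in AES_ENCRYPTION; run against a display showing 256 in both places it returns no findings. Feed it one captured display per system to get a single list of the systems that still need attention.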
Use this method if it is not reasonable for your site to replace your security file and universally convert to 256-bit AES encryption format for passwords/password phrases. For example, you might have 47 systems and find that it does not make business sense for your site to copy 47 files.
Important! If converting from Triple-DES, you cannot use this method. You must run the TSSMAINT program and run TSSXTEND.
Note: Activating the control option does not by itself convert anything. Each password or password phrase is re-encrypted in the new format only when it is next changed.
Follow these steps:
After the conversion, new password and password phrase changes are stored with 256-bit AES encryption; entries already in the password history remain at 128-bit AES encryption until further changes push them out of the history.
Example: Maintaining Password History as Password Changes Occur
A PWHIST(3) control option setting is in place, and the AESENC control option is set to 256. After product restart, passwords are still at 128-bit AES encryption. No conversion to 256-bit AES encryption has taken place. If you change a password, the following password history exists:
The next time you change the password, the following password history exists:
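To make the lag between switching AESENC and having no 128-bit material left concrete, here is a small simulation. It is an added example, not product code: it models only what the page states (a change stores the new password at the current AESENC level and retires the old one into a history of PWHIST entries) and assumes the history is already full of 128-bit entries at the time of the switch; the function names are this example's own.

```python
from collections import deque


def simulate_history(pwhist, initial_level, new_level, changes):
    """Simplified model of the behaviour the page describes (assumption, not product
    code): the current password and every history entry keep the AES key length they
    were stored under. Switching AESENC re-encrypts nothing; each change stores the
    new password at new_level and moves the previous current password into the
    history, which keeps only the newest `pwhist` entries.
    Returns (current_level, history_levels) with the history ordered newest first."""
    current = initial_level
    # Assumed starting point: a full history, all stored before the switch.
    history = deque([initial_level] * pwhist, maxlen=pwhist)
    for _ in range(changes):
        history.appendleft(current)  # oldest entry falls off the end when full
        current = new_level
    return current, list(history)


def changes_until_fully_converted(pwhist, initial_level, new_level):
    """Number of password changes after the switch before neither the current
    password nor any history entry remains at the old key length."""
    n = 0
    while True:
        current, history = simulate_history(pwhist, initial_level, new_level, n)
        if current == new_level and all(h == new_level for h in history):
            return n
        n += 1


if __name__ == "__main__":
    # The page's scenario: PWHIST(3), AESENC moved from 128 to 256, then restart.
    for n in range(5):
        cur, hist = simulate_history(3, 128, 256, n)
        print(f"after {n} change(s): current={cur} history={hist}")
    print("changes until no 128-bit entries remain:",
          changes_until_fully_converted(3, 128, 256))
```

Under these assumptions, with PWHIST(3) the first change stores a 256-bit password but the whole history is still 128-bit, and it takes four changes before no 128-bit entry remains. The point for a defender is that the control-option method leaves old-format material on the file for as long as users go without changing their passwords, whereas replacing the security file (the next method) converts every ACID at once.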
To universally adopt 256-bit AES encryption for passwords/password phrases (converting the encryption across all ACIDs on the security file), you can replace your security file with a 256-bit AES encryption-formatted security file.
Important! If converting from Triple-DES, you must use this method.
Follow these steps:
The output includes AES encryption settings.
You have successfully converted to 256-bit AES encryption for passwords and password phrases.