Implement 256-Bit AES Encryption for Passwords/Password Phrases

As a system administrator or security administrator, you want user passwords and password phrases to have 256-bit Advanced Encryption Standard (AES) encryption. AES is an algorithm that helps protect sensitive data: each CA Top Secret password is combined with randomly generated text (a salt) before it is encrypted, which prevents the use of precomputed password hashes.
The AES algorithm performs thousands of hash operations against the password and random text to generate a key that encrypts the password. This process also slows down an offline attack, which must perform the same number of operations for each password guess.
  • Due to the required number of hashing iterations with 256-bit AES encryption, CPU consumption increases noticeably during system entry validation (logon), password verification, and password/passphrase changes. CP Assist for Cryptographic Function (CPACF) is a set of cryptographic instructions providing improved performance. If available, CA Top Secret utilizes these instructions during 256-bit AES encryption processing. PTF SI00733 has been published to identify this warning and will be kept current.
  • Published PTF SO05264 added an internal password/passphrase cache that might alleviate performance issues when using 256-bit AES encryption with passwords. Enabling the AESCACHE control option activates AES caching for system entry validation (logon), password verification, and password/passphrase changes.
  • A security file that has 256-bit AES encryption enabled cannot be shared with CA Top Secret r15 (and earlier) systems. If you want 256-bit AES encryption while sharing the file, ensure that all shared systems are at least Version 16.
  • If you use the RENAME command on an ACID that has a password and/or passphrase converted to 256-bit AES encryption, those credentials cannot be used by the renamed ACID to log on. You must assign new credentials as part of the RENAME procedure to allow the renamed ACID to log on.
The following illustration shows how an administrator converts from Triple-DES encryption or 128-bit AES encryption to 256-bit AES encryption.
  • You can also convert passwords/password phrases from Triple-DES encryption to 128-bit AES encryption by running TSSMAINT (with the AESENCRYPT option specified) and then running TSSXTEND to copy the old security file to the new security file; however, we recommend 256-bit AES encryption, which uses a stronger key and offers the highest available protection.
  • The AES algorithm is more secure than DES but, by design, is more computationally intensive. Carefully review the planning considerations before enabling AES encryption.
Implement 256-bit AES encryption for passwords and password phrases
Perform the following tasks to implement 256-bit AES encryption for passwords and password phrases:
  1. Verify your current AES encryption level.
  2. Activate 256-bit AES encryption through one of the following activities:
    • Activate a control option at startup to begin using 256-bit AES encryption.
    • Universally adopt 256-bit AES encryption by replacing your security file with a 256-bit AES encryption-formatted security file.
      If converting from Triple-DES, you must use this method.
Verify Your Current AES Encryption Level
To verify your current AES encryption level, issue the following command to display the status of the site security environment:
TSS MODIFY STATUS
The output includes current AES encryption settings.
Example Output:
MAX_ACID_SIZE(0256K) RDT2BYTE(Active) NEW_PASSWORD(Active) VSAM_DIGICERT(Active)
AES_ENCRYPTION(Active,128)
LARGE_VSAM_RECORD(Inactive) EXPAND_COUNTER(Inactive)
TSS9661I CA Top Secret PHRASE Status
NEWPHRASE(MIN=09,MAX=100,WARN=03,MINDAYS=00,SC=00,MA=00,MN=00) PSWDPHRASE(ON ) NPPTHRESH(02) PPEXP(030) PPHIST(03)
TSS9661I CA Top Secret PASSWORD Status
NEWPW(MIN=04,MAX=008,WARN=04,MINDAYS=01,NR=1,ID,TS,RS,RT,FA,FN) HPBPW(009) MSUSPEND(YES) NPWRTHRESH(2) PWEXP(030) PWHIST(03) PTHRESH(002) PWVIEW(NO) PWVERIFY(NO)
PWENC(AES )
PWADMIN(NO)
AESENC(128)
AESCACHE(OFF)
Activate a Control Option at Startup to Begin Using 256-Bit AES Encryption
Use this method if it is not reasonable for your site to replace your security file and universally convert to 256-bit AES encryption format for passwords/password phrases. For example, you might have 47 systems and find that it does not make business sense for your site to copy 47 files.
Important! If converting from Triple-DES, you cannot use this method. You must run the TSSMAINT program and then run TSSXTEND.
After activating the control option, each password or password phrase is converted to the new format only when it is next changed; conversion does not occur simply by activating the control option.
Follow these steps:
  1. Include the following control option specification in the CA Top Secret parameter file:
    AESENC(256)
  2. Restart CA Top Secret:
    1. Shut down the product:
      P TSS
    2. Start the product:
      START TSS
  3. Reply A to message prompt TSS9227A.
    You should receive confirmation that the encryption level is set.
After the conversion, password and password phrase changes use 256-bit AES encryption, while the passwords and phrases already in password history retain 128-bit AES encryption until later changes push them out of the history.
Example: Maintaining Password History as Password Changes Occur
A PWHIST(3) control option setting is in place, and the AESENC control option is set to 256. After product restart, passwords are still at 128-bit AES encryption. No conversion to 256-bit AES encryption has taken place. If you change a password, the following password history exists:
  • The current password receives 256-bit AES encryption.
  • The first and second passwords in password history remain at 128-bit AES encryption.
The next time you change the password, the following password history exists:
  • The current password receives 256-bit AES encryption.
  • The first password in password history has 256-bit AES encryption.
  • The second password in password history remains at 128-bit AES encryption.
Replace Your Security File with a 256-Bit AES Encryption-Formatted Security File
To universally adopt 256-bit AES encryption for passwords/password phrases (converting the encryption across all ACIDs on the security file), you can replace your security file with a 256-bit AES encryption-formatted security file.
If converting from Triple-DES, you must use this method.
Follow these steps:
  1. Create a new security file by executing the JCL in CAKOJCL0 member TSSMAINS to run the TSSMAINT program. Ensure that you specify parameter AES256ENCRYPT.
  2. Run TSSXTEND to copy the old security file to the new security file.
  3. Reinitialize CA Top Secret:
    S TSS,,,REINIT
  4. Display the status of the site security environment to confirm that you now have a 256-bit AES encryption-formatted security file:
    TSS MODIFY STATUS
    The output includes AES encryption settings.
    You have successfully converted to 256-bit AES encryption for passwords and password phrases.
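The following check can be run over captured TSS MODIFY STATUS output, both for the verification step earlier on this page and for the confirmation in step 4 above. It is an added example, not CA Top Secret code, and it assumes that 256-bit operation is indicated by PWENC(AES) together with AES_ENCRYPTION(Active,256) and AESENC(256); AESCACHE(OFF) is reported only as an advisory.

```python
import re

# Constructed sample reproducing the TSS MODIFY STATUS excerpt on this page:
# a site still at 128-bit AES with the AES cache off.
SAMPLE_128 = """\
MAX_ACID_SIZE(0256K) RDT2BYTE(Active) NEW_PASSWORD(Active) VSAM_DIGICERT(Active)
AES_ENCRYPTION(Active,128)
TSS9661I CA Top Secret PASSWORD Status
PWENC(AES )
PWADMIN(NO)
AESENC(128)
AESCACHE(OFF)
"""

# Every setting in the output has the shape KEYWORD(value); values may hold commas.
TOKEN = re.compile(r"\b([A-Z][A-Z_0-9]*)\(([^)]*)\)")


def parse_status(text):
    """Map each KEYWORD(value) token of the STATUS output to its stripped value."""
    return {key: value.strip() for key, value in TOKEN.findall(text)}


def assess_aes(settings):
    """Return (at_256, findings).

    at_256 is True only when PWENC is AES and both the AES_ENCRYPTION status line
    and the AESENC control option report 256 (assumed reading of those fields).
    findings lists the settings that block or weaken 256-bit operation."""
    findings = []
    pwenc = settings.get("PWENC", "")
    if pwenc != "AES":
        findings.append(f"PWENC({pwenc}): passwords are not AES; a Triple-DES file "
                        "must be rebuilt with TSSMAINT (AES256ENCRYPT) and TSSXTEND")
    status, _, bits = settings.get("AES_ENCRYPTION", "").partition(",")
    if status != "Active" or bits != "256":
        findings.append(f"AES_ENCRYPTION({status},{bits}): 256-bit AES is not active")
    aesenc = settings.get("AESENC", "")
    if aesenc != "256":
        findings.append(f"AESENC({aesenc}): set AESENC(256) in the parameter file and "
                        "restart, or replace the security file with TSSMAINT/TSSXTEND")
    if aesenc == "256" and settings.get("AESCACHE") == "OFF":
        # Advisory only: the page notes AESCACHE can offset the extra logon CPU cost.
        findings.append("AESCACHE(OFF): consider enabling AESCACHE for 256-bit AES")
    at_256 = pwenc == "AES" and status == "Active" and bits == "256" and aesenc == "256"
    return at_256, findings
```

Feed the function the full output of TSS MODIFY STATUS after the restart or REINIT; an empty findings list together with at_256 True is the expected result once the conversion is complete.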