Encryption Strength Used For Passwords And Passphrases On The CA Top Secret Security File?

Document ID : KB000127050
Last Modified Date : 13/02/2019
Question:
What is the encryption strength used for encrypting the passwords and passphrases on the CA Top Secret security file?
Answer:
In CA Top Secret r16, there are 3 options for password encryption:

1. Triple-DES encryption. This data security file service uses internal processes to make critical data unreadable. Before the data is stored in the security file, previously encrypted fields are passed to these processes, thereby creating multiple levels of encryption.  

2. 128-bit AES key size algorithm.  

3. 256-bit AES key size algorithm.  

** The AES algorithm is more secure than Triple-DES but, by design, is more computationally intensive. Carefully review the planning considerations before enabling this control option.

** Published PTF SO05173 added an internal password/passphrase cache that might alleviate performance issues when using 256-bit AES encryption with passwords. Enabling the AESCACHE control option activates AES caching for system entry validation (logon), password verification, and password/passphrase changes.  


To determine what level of encryption is currently in use, issue the TSS MODIFY command.
 

* If using DES encryption, the TSS MODIFY output will show: 

TSS9661I        CA Top Secret FEATURES Status

AES_ENCRYPTION(Inactive)
 
TSS9661I        CA Top Secret PASSWORD Status

AESENC(NONE)
 

* If using AES 128 encryption, the TSS MODIFY output will show: 

TSS9661I        CA Top Secret FEATURES Status

AES_ENCRYPTION(Active,128)
 
TSS9661I        CA Top Secret PASSWORD Status

AESENC(128)

 
* If using AES 256 encryption, the TSS MODIFY output will show: 

TSS9661I        CA Top Secret FEATURES Status

 AES_ENCRYPTION(Active,256)
 
TSS9661I        CA Top Secret PASSWORD Status

 AESENC(256)
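
For auditing several systems at once, the following added example (not CA's code, and not part of the original document) classifies captured TSS MODIFY output using only the two status values shown above, and marks any combination the article does not list for manual review. The system names, the captured text and the function names are constructed for illustration.

```python
import re

# The two status values the article shows in TSS MODIFY output.
FEATURE = re.compile(r"\bAES_ENCRYPTION\(\s*(Active|Inactive)\s*(?:,\s*(\d+)\s*)?\)")
PASSWORD = re.compile(r"\bAESENC\(\s*(NONE|\d+)\s*\)")

# Ordering used for the minimum-strength check (weakest first).
RANK = {"TRIPLE-DES": 0, "AES-128": 1, "AES-256": 2}


def classify(output: str) -> str:
    """Map captured TSS MODIFY text to one of the three documented states."""
    feat, pw = FEATURE.search(output), PASSWORD.search(output)
    if not feat or not pw:
        return "REVIEW"  # status lines missing or capture truncated
    state, bits, aesenc = feat.group(1), feat.group(2), pw.group(1)
    if state == "Inactive" and bits is None and aesenc == "NONE":
        return "TRIPLE-DES"
    if state == "Active" and bits == aesenc and aesenc in ("128", "256"):
        return f"AES-{aesenc}"
    return "REVIEW"  # combination not listed in the article


def below_minimum(captures: dict, minimum: str = "AES-256") -> dict:
    """Return {system: level} for systems weaker than `minimum` or needing review."""
    findings = {}
    for system, text in captures.items():
        level = classify(text)
        if level == "REVIEW" or RANK[level] < RANK[minimum]:
            findings[system] = level
    return findings


# Constructed sample captures; SYSA..SYSD are hypothetical system names.
SAMPLES = {
    "SYSA": "TSS9661I        CA Top Secret FEATURES Status\nAES_ENCRYPTION(Inactive)\n"
            "TSS9661I        CA Top Secret PASSWORD Status\nAESENC(NONE)\n",
    "SYSB": "AES_ENCRYPTION(Active,128)\nAESENC(128)\n",
    "SYSC": " AES_ENCRYPTION(Active,256)\n AESENC(256)\n",
    "SYSD": "AES_ENCRYPTION(Active,256)\nAESENC(128)\n",  # mismatch, not in the article
}

if __name__ == "__main__":
    for system, level in below_minimum(SAMPLES).items():
        print(f"{system}: {level}")
```
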
Additional Information:
See the following link for the steps to convert from Triple-DES to 128-Bit AES Encryption for Passwords/Password Phrases:

https://docops.ca.com/ca-top-secret-for-z-os/16-0/en/using/managing-passwords-and-password-phrases/convert-triple-des-to-128-bit-aes-encryption-for-passwords-password-phrases 

See the following link for the steps to implement 256-Bit AES Encryption for Passwords/Password Phrases:
 
https://docops.ca.com/ca-top-secret-for-z-os/16-0/en/using/managing-passwords-and-password-phrases/implement-256-bit-aes-encryption-for-passwords-password-phrases