Is AES-256 Encryption supported?

Document ID : KB000030042
Last Modified Date : 14/02/2018
Show Technical Document Details

CA VM:Secure does not support AES-256 Encryption.

CA's forward password encryption uses a proprietary one-way cryptographic hash function to encrypt logon and minidisk passwords. Using a one-way hash function for password security is stronger than using an encryption algorithm, which is the category that AES-256, Triple DES, etc. fall into. Encrypted passwords can be inverted(decrypted), whereas passwords hashed using CA’s hash function are practically impossible to invert. 

With encryption, at authentication time an application will decrypt the encrypted password stored in the database and compare it against the user provided password. The problem with this is that if someone obtains the cryptographic algorithm along with the key used by the application, he/she will be able to unencrypt and view the passwords stored in the system. 

With a hash function, at authentication time the password that the user enters will be encrypted first, then compared to the encrypted password that is stored in the database. There is no way to get the clear text password back. Hash is a one-way street. 

CA VM:Secure can use either the proprietary one-way hash function or Triple DES (DES3) encryption for forward password encryption, with hash being more secure than DES3 (or AES-256). If you have a business requirement to use AES-256 for forward password encryption, even though it is less secure than one-way hash, please enter the idea in the CA VM Community site, so we can determine the interest of the idea among the general VM community.