Password Encryption In CA Top Secret.

Document ID : KB000054147
Last Modified Date : 14/02/2018

Description:

What is the encryption strength used in encrypting the passwords in the CA Top Secret security file?

Solution:

Currently, CA Top Secret uses standard DES encryption for passwords. CA Top Secret employs DES and Triple DES for encryption purposes. The security file services use internal processes to make critical data unreadable. Before the data is stored in the security file, fields that have already been encrypted are passed through these processes again, thereby creating multiple levels of encryption.

Best practices recommend that no individual should be given explicit read or update access to the CA Top Secret Security File, Backup Security File, or Recovery File, unless required for recovery processing.

The next release of CA Top Secret (r14) will have an option to use AES encryption. This requires a new security file to be allocated under CA Top Secret r14 and TSSXTEND to be run to copy the existing (backup) file into it.

AES Encryption for Passwords and Password Phrases:

By default, passwords and password phrases are encrypted using the Triple DES (3DES) encryption method. The Advanced Encryption Standard (AES), which is a FIPS-approved cryptographic algorithm, can also be used for encrypting passwords and password phrases. In r14, AES encryption is used when the security file is initialized with TSSMAINT and the AESENCRYPT parameter is specified.

Once the r14 security file is allocated, use the PWENC control option to select the AES encryption method. This control option has the following format:

PWENC(AES|ICSF)

AES
(Default) Indicates that AES encryption is performed by software routines.

ICSF
Indicates that AES encryption is performed by ICSF hardware.