What encryption method does CA ACF2 use to store passwords and password phrases?

Document ID : KB000011365
Last Modified Date : 14/02/2018
Show Technical Document Details
Introduction:

CA ACF r12.0, and prior releases, uses XDES Password Encryption Subroutine, ACSCODEP, which uses a two-step encryption process that transforms the eight-byte password plus a key (TOD clock) into a four or eight byte cipher. This encryption process is one-way and irreversible. As a result, the password is never displayed. XDES takes the DES encryption method and applies a proprietary algorithm.

In CA ACF2 r14.0, and again in CA ACF2 r16.0, CA ACF2 enhanced the product to give password encryption an option.

Question:

What encryption method does CA ACF2 use to store passwords and password phrases?

Environment:
z/OS and ACF2.
Answer:

In the GSO PSWD record, there are options:

PSWDENCT( XDES | AES1 | AES2 )

The default, XDES, will work the same as CA ACF2 r12.0 and before. By selecting AES1, added in CA ACF2 r14.0, this will use the AES-CMAC encryption method with 128-bit keys.  AES is a symmetric block cipher used to protect sensitive data. A block cipher is a method of encrypting text where a cryptographic key and algorithm are applied to a block of data. AES is one of the preferred and most secure encryption algorithms available.  CA ACF2 r16.0 added AES with 256-bit encryption using the keyword AES2.

  TSO ACF

  SET CONTROL(GSO)

  CHANGE PSWD PSWDENCT(option)

  F ACF2,REFRESH(PSWD)

As always, changes to the PSWD record only take effect when a user changes their password.

To support AES passwords and password phrases, new fields on the logonid record, PSWDAES1, PSWA1TOD and PSWA1VAL have been added to the CA ACF2 ACFCFDE DSECT.  A new field on the user profile PWPHRASE record PWPA1TOD has been added. In addition, new fields MLATODA1 and MLAPSWDA1 have been added to the CA ACF2 @MLID definition and MLAREC DSECT. The addition of these new fields expands the size/length of the CA ACF2 mini lid area.

ACF2 r16.0 also added option:

ONEPWALG
Saves password/password phrase changes under a single algorithm. Once ONEPWALG is set, the next password/password phrase change encrypts under the current value that is specified in the PSWDENCT and clears out the other values and TOD stamps for those values. All systems sharing logonid or infostorage databases must be able to evaluate passwords/password phrases encrypted with the PSWDENCT

For more information on all these options, see the Administrator Guide, the GSO PSWD record.

Note: If DDB password synchronization is being used, AES1 and AES2 is not supported. XDES must be used.

Additional Information:

The Federal Information Processing Standard 140-2 (FIPS 140-2) details security standards and guidelines issued by the National Institute of Standards and Technology (NIST) for U.S. government departments and agencies. This standard is also recognized globally by institutions and corporations. The Advanced Encryption Standard (AES) is the computer security standard set forth by NIST to replace Data Encryption Standard (DES) used to protect sensitive information.

The National Institute of Standards and Technology (NIST) has recently specified the Cipher-based Message Authentication Code (CMAC). CMAC [NIST-CMAC] is a keyed hash function that is based on a symmetric key block cipher, such as the Advanced Encryption Standard [NIST-AES]. CMAC with AES-128 is named AES-CMAC.