Security Management Guide (G06.29+, H06.08+, J06.03+)
Security Management Guide — 522283-021
B How Passwords are Encrypted
When the Safeguard PASSWORD-ENCRYPT configuration attribute is enabled, passwords are encrypted using the algorithm specified by the PASSWORD-ALGORITHM attribute. If the value of PASSWORD-ALGORITHM is set to DES, passwords are encrypted using DES as a one-way encryption algorithm. If the value of PASSWORD-ALGORITHM is set to HMAC256, passwords are encrypted using HMAC with SHA-256 as a one-way hash algorithm. The system can verify passwords but cannot decrypt them. Passwords encrypted with DES are stored in both the USERID and the USERAX files, while passwords encrypted with HMAC256 are stored in the USERAX file only. When a user supplies a password to log on, it is encrypted and compared to the value in the user ID file. If they match, the logon attempt is successful.
The plain text that is passed to the encryption algorithm is a function of the user name and the group name. The key is a function of the password supplied by the user. As a result, the same password for two different users is encrypted to different values.
Setting the Safeguard PASSWORD-ENCRYPT attribute does not cause existing
passwords to be encrypted. They are encrypted the next time they are changed.
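The following is an added illustration of the keyed one-way scheme described above; it is not Safeguard's code and is not taken from this guide. The guide states only that the message is derived from the group and user names and the key from the password, so the two derivation helpers (GROUP.USER as the message, SHA-256 of the password as the key) and the sample names are assumptions. It models the HMAC256 setting only (the DES variant is not shown) and demonstrates verification by recomputation and why two users with the same password get different stored values.

```python
import hashlib
import hmac


# Assumed derivation (not published by the guide): the hashed message is the
# canonical GROUP.USER identity string, upper-cased.
def plaintext_from_identity(group: str, user: str) -> bytes:
    return f"{group}.{user}".upper().encode("ascii")


# Assumed derivation (not published by the guide): the HMAC key is SHA-256
# of the password bytes.
def key_from_password(password: str) -> bytes:
    return hashlib.sha256(password.encode("utf-8")).digest()


def encrypt_password(group: str, user: str, password: str) -> str:
    """One-way transform in the HMAC256 style:
    HMAC-SHA256(key = f(password), message = f(group, user)).
    The result can be recomputed and compared, but not reversed."""
    return hmac.new(
        key_from_password(password),
        plaintext_from_identity(group, user),
        hashlib.sha256,
    ).hexdigest()


def verify_password(group: str, user: str, candidate: str, stored: str) -> bool:
    """Logon check: recompute the transform for the supplied password and
    compare with the stored value. compare_digest keeps the comparison time
    independent of where the first differing byte occurs."""
    return hmac.compare_digest(encrypt_password(group, user, candidate), stored)


def same_password_differs(password: str) -> bool:
    """Because the identity is the message, identical passwords for two users
    (constructed names ALICE and BOB in group SUPER) produce different values."""
    a = encrypt_password("SUPER", "ALICE", password)
    b = encrypt_password("SUPER", "BOB", password)
    return a != b


if __name__ == "__main__":
    # Constructed sample record, in the spirit of a USERAX entry.
    stored = encrypt_password("SUPER", "ALICE", "correct horse")
    print("stored value:", stored)
    print("right password:", verify_password("SUPER", "ALICE", "correct horse", stored))
    print("wrong password:", verify_password("SUPER", "ALICE", "Correct horse", stored))
    print("same password, other user differs:", same_password_differs("correct horse"))
```

Two consequences of the design are visible in the code: the stored value for one user reveals nothing about whether another user chose the same password, and a verifier only ever recomputes and compares, so there is no decryption routine to protect.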
The password encryption algorithm used by the Safeguard software is based on these FIPS (Federal Information Processing Standards Publication) standards:
National Bureau of Standards, FIPS Publication 46, Data Encryption Standard. January 15, 1977
ANSI X3.92-1981, Data Encryption Algorithm
National Institute of Standards and Technology, FIPS Publication 140-2, Security Requirements for Cryptographic Modules, Level 1. May 25, 2001
National Institute of Standards and Technology, FIPS Publication 180-2, Secure Hash Standard (SHS). August 1, 2001
National Institute of Standards and Technology, FIPS Publication 198, The Keyed-Hash Message Authentication Code (HMAC). March 6, 2002
Note. The three FIPS standards 140-2, 180-2, and 198 are supported only on systems running G06.29 and later G-series RVUs and H06.06 and later H-series RVUs.