Troubleshooting
Problem
This document contains information on Password Encryption.
Resolving The Problem
OS Passwords
Here is an explanation of how the passwords for operating system user profiles are encrypted at each password level:
1. For systems running at QPWDLVL 0 or 1, the password is used as the key to encrypt a known character string, which is different for each user profile, using the DES (symmetric) algorithm. The password itself is not encrypted nor stored on the system. The data encrypted using the password as the key is what is stored on the system.
2. For systems running at QPWDLVL 2 or 3, the password is concatenated to a known character string, which is different for each user profile, and is hashed using the SHA-1 algorithm. This is a one-way cryptographic hash algorithm. The resulting hashed value is what is stored on the system.
3. For systems running at QPWDLVL 4, the OS uses a Password-based Key Derivation Function 2 (PBKDF2) with HMAC SHA512 (SHA-2 512 bit) encryption for the scheme.
When it is time to authenticate a profile, the system takes the clear text password that the user entered (on the signon screen, e.g.), runs the same algorithm, and compares the new encrypted result with the encrypted result that was created at password change time.
There is never a comparison done of the clear text password itself. A clear text password is never stored, so a clear text password is never available to be retrieved. With each of these algorithms, passwords are one-way encrypted, meaning you can never decrypt and get back the clear text password.
NOTE: Password Level 4 is available starting at release V7R5 of the Operating System.
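The following added example (not IBM code) illustrates the change-time/sign-on flow described above for the QPWDLVL 2/3 and QPWDLVL 4 schemes: the stored value is derived from the password plus a per-profile string, and sign-on reruns the derivation and compares results. The per-profile strings, the PBKDF2 iteration count, and the use of the profile string as the PBKDF2 salt are assumptions; the page does not give IBM's actual values.

```python
import hashlib
import hmac

# Constructed stand-ins for the "known character string, different for each
# user profile" that the page describes. The real per-profile data, the PBKDF2
# iteration count, and how IBM i salts PBKDF2 are NOT on the page; all assumed.
PROFILE_STRING = {"ALICE": b"KNOWN-STRING-ALICE", "BOB": b"KNOWN-STRING-BOB"}
PBKDF2_ITERATIONS = 100_000  # assumed, illustrative only


def store_level2(profile: str, password: str) -> bytes:
    """QPWDLVL 2/3 style: SHA-1 over password || per-profile string.

    This 20-byte digest is what gets stored; the password itself is not.
    """
    return hashlib.sha1(password.encode() + PROFILE_STRING[profile]).digest()


def store_level4(profile: str, password: str) -> bytes:
    """QPWDLVL 4 style: PBKDF2 with HMAC-SHA512, per-profile string as salt.

    The iteration count makes each guess far more expensive than a single
    SHA-1, which is the practical reason to move to level 4.
    """
    return hashlib.pbkdf2_hmac(
        "sha512", password.encode(), PROFILE_STRING[profile], PBKDF2_ITERATIONS
    )


def verify(profile: str, entered: str, stored: bytes, level: int) -> bool:
    """Sign-on check: rerun the same scheme on the entered password and compare
    the derived value to the stored one. The clear-text password is never
    compared directly, and a constant-time compare avoids timing leaks.
    """
    derive = store_level4 if level == 4 else store_level2
    return hmac.compare_digest(derive(profile, entered), stored)


if __name__ == "__main__":
    # Password change time: derive and keep only the result.
    stored = store_level4("ALICE", "Secret1")
    # Sign-on: correct password verifies, a wrong one (or wrong profile) fails.
    print(verify("ALICE", "Secret1", stored, 4))   # True
    print(verify("ALICE", "secret1", stored, 4))   # False
    print(verify("BOB", "Secret1", stored, 4))     # False (different profile string)
```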
SST Passwords
The rules for Service Tools (SST/DST) passwords follow:

Rule 1: Service Tools user IDs and passwords are different IDs than those used for operating system sign-on. Therefore, there is a QSECOFR IBM-shipped user profile for the operating system; however, the Service Tools profile (also named QSECOFR) is a different profile. The same is true of all service tools profiles on the system.

Rule 2: Service Tools user IDs are not case sensitive; however, Service Tools passwords are case sensitive.

Rule 3: Service Tools now has two levels of password authentication. The default level is called DES (Data Encryption Service) authentication. The higher level of authentication is called SHA (Secure Hash Algorithm) authentication. Dedicated Service Tools (DST) must be used to change from DES to SHA authentication. Once a system has been upgraded to SHA authentication, it cannot be returned to DES authentication without a scratch installation.

Password encryption using Data Encryption Standard (DES), Secure Hash Algorithm (SHA), and Password-based Key Derivation Function 2 (PBKDF2) with HMAC SHA512 (SHA-2 512 bit)

Password level 1, DES encryption
When you use DES encryption, service tools user IDs and passwords have the following characteristics:

Password level 2, SHA encryption
When you use SHA encryption, service tools user IDs and passwords have the following characteristics:
Password level 3, Password-based Key Derivation Function 2 (PBKDF2) with HMAC SHA512 (SHA-2 512 bit) encryption
When you use PBKDF2 with HMAC SHA512 encryption, service tools user IDs and passwords have the following characteristics:
NOTE: Password Level 3 is available starting at release V7R5 of the Operating System.
Historical Number
527692798
Document Information
Modified date:
04 May 2022
UID
nas8N1012873