IBM Support

Password Encryption

Troubleshooting


Problem

This document contains information on Password Encryption.

Resolving The Problem

OS Passwords

Here is an explanation of how the passwords for operating system user profiles are encrypted at each password level:

1. For systems running at QPWDLVL 0 or 1, the password is used as the key to encrypt a known character string, which is different for each user profile, using the DES (symmetric) algorithm. The password itself is neither encrypted nor stored on the system. The data encrypted using the password as the key is what is stored on the system.
2. For systems running at QPWDLVL 2 or 3, the password is concatenated with a known character string, which is different for each user profile, and the result is hashed using the SHA-1 algorithm. This is a one-way cryptographic hash algorithm. The resulting hash value is what is stored on the system.
3. For systems running at QPWDLVL 4, the OS derives the stored value with Password-based Key Derivation Function 2 (PBKDF2) using HMAC SHA512 (SHA-2 512 bit).

When it is time to authenticate a profile, the system takes the clear text password that the user entered (for example, on the sign-on screen), runs the same algorithm, and compares the new encrypted result with the encrypted result that was created at password change time.

There is never a comparison of the clear text password itself. A clear text password is never stored, so a clear text password is never available to be retrieved. With each of these algorithms, passwords are one-way encrypted, meaning the stored value can never be decrypted to get back the clear text password.

NOTE: Password Level 4 is available starting at release V7R5 of the Operating System.
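The flow described above (derive a value at password change time, store only that value, re-derive and compare at sign-on) as an added Python model; this is not IBM's implementation. The per-profile string, the PBKDF2 iteration count and the profile names are constructed assumptions, and the QPWDLVL 0/1 DES scheme is left out because DES is not in Python's standard library.

```python
import hashlib
import hmac

# Constructed per-profile "known character string": a fixed value per user
# profile name, so the same password stored for two profiles yields two
# different stored values. IBM does not publish the real derivation; this
# stands in for it as an assumption.
def profile_string(profile: str) -> bytes:
    return ("PROFILE-STRING:" + profile.upper()).encode("utf-8")

# QPWDLVL 2/3 model: SHA-1 over the password concatenated with the
# per-profile string. Only the digest is stored, never the password.
def store_lvl2(profile: str, password: str) -> bytes:
    return hashlib.sha1(password.encode("utf-8") + profile_string(profile)).digest()

# QPWDLVL 4 model: PBKDF2 with HMAC-SHA512. The iteration count is an
# assumption for this example; the page does not state IBM's value.
PBKDF2_ITERATIONS = 100_000

def store_lvl4(profile: str, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                               profile_string(profile), PBKDF2_ITERATIONS)

# Authentication: rerun the same algorithm on the entered password and
# compare the result with the value stored at password change time.
# The clear text password is never stored or compared directly.
def verify(level: int, profile: str, entered: str, stored: bytes) -> bool:
    if level in (2, 3):
        candidate = store_lvl2(profile, entered)
    elif level == 4:
        candidate = store_lvl4(profile, entered)
    else:
        raise ValueError("levels 0 and 1 (DES) are not modelled here")
    # Constant-time comparison so timing does not leak how many bytes match.
    return hmac.compare_digest(candidate, stored)

if __name__ == "__main__":
    stored = store_lvl4("QSECOFR", "Example1")
    print(verify(4, "QSECOFR", "Example1", stored))   # True
    print(verify(4, "QSECOFR", "example1", stored))   # False: case matters
    # Same password, different profiles: different stored values.
    print(store_lvl2("ALICE", "same") != store_lvl2("BOB", "same"))  # True
```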

SST Passwords

The rules for Service Tools (SST/DST) passwords follow:

Rule 1

Service Tools user IDs and passwords are separate from the IDs used for operating system sign-on. For example, there is an IBM-shipped QSECOFR user profile for the operating system, but the Service Tools profile that is also named QSECOFR is a different profile. The same is true of all service tools profiles on the system.

Rule 2

Service Tools user IDs are not case sensitive; however, Service Tools passwords are case sensitive.

Rule 3

Service Tools now has two levels of password authentication. The default level is called DES (Data Encryption Standard) authentication. The higher level of authentication is called SHA (Secure Hash Algorithm) authentication. Dedicated Service Tools (DST) must be used to change from DES to SHA authentication. Once a system has been upgraded to SHA authentication, it cannot be returned to DES authentication without a scratch installation.

Password encryption using Data Encryption Standard (DES), Secure Hash Algorithm (SHA), and Password-based Key Derivation Function 2 (PBKDF2) with HMAC SHA512 (SHA-2 512 bit).

Password level 1, DES encryption

When you use DES encryption, service tools user IDs and passwords have the following characteristics:

  • Use 10-digit, uppercase user IDs.
  • Use 8-digit, case-sensitive passwords. When you create a user ID and password, the minimum required for the password is 1 digit. When you change a password, the minimum required is dependent upon the minimum password length.
  • Passwords for user IDs do not expire after 180 days.
  • Even though passwords don't expire at password level 1, they still can be created as expired.
  • By default, the initial passwords for IBM-supplied service tools user IDs are set as expired.

Password level 2, SHA encryption

When you use SHA encryption, service tools user IDs and passwords have the following characteristics:

  • Use 10-digit, uppercase user IDs.
  • Use 128-digit case-sensitive passwords. The password must follow the password rules set in SST. This includes the minimum and maximum password length.
  • By default, passwords are initially set as not expired (unless explicitly set on the display to expire).

Password level 3, Password-based Key Derivation Function 2 (PBKDF2) with HMAC SHA512 (SHA-2 512 bit) encryption

When you use PBKDF2 with HMAC SHA512 encryption, service tools user IDs and passwords have the following characteristics:

  • Use 10-digit, uppercase user IDs.
  • Use 128-digit case-sensitive passwords. The password must follow the password rules set in SST. This includes the minimum and maximum password length.
  • By default, passwords are initially set as not expired (unless explicitly set on the display to expire).

NOTE: Password Level 3 is available starting at release V7R5 of the Operating System.


Historical Number

527692798

Document Information

Modified date:
04 May 2022

UID

nas8N1012873