Our auditors need a clear understanding of how passwords (credentials) are stored in the database, e.g. what the encryption algorithm is and what other security features are in place.
Environment
Password Authority 4.5.3.x
Resolution
This is the note from Product Management regarding Password Authority security.
Referencing the 4.5.3.x version of standalone PA.
The communication protocol is HTTPS (TLS 1.0) for browsers using GUI or CLI connections, and also for clients and proxy agents registering with CSPM.
The CSPM server uses a white-box protected AES-256 key (the "boot key") to encrypt a white-box protected AES-256 key (the "server key"), which is in turn used to encrypt user IDs, passwords and other sensitive data stored in the database. The server key can optionally be rotated (good practice). The built-in CSK encryption can be replaced with keys from a network-attached SafeNet Luna SA HSM, which then replaces the boot key and server key for database encryption.
All Win-Proxy agents and A2A clients have an initial AES-256 (white-box protected) key. Once the proxy or client is registered with the CA PAM server, the initial key is replaced with a unique AES-256 key for each Win-Proxy/agent. When the CSPM server needs to send data to a proxy or client, it decrypts the data and then re-encrypts it with the specific AES key associated with the target proxy or client before sending it over HTTP (the payload is encrypted). As with the server key, the A2A client and proxy keys can be rotated on a regular basis.
Integrity verification uses a SHA-1 value. Database comparison lookups also use hash values, which are SHA-1.
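The following is an added example, not product code: a small Go model of the key hierarchy described in the note above, in which the boot key wraps the server key, the server key encrypts the stored credentials, and rotating the server key means re-encrypting every stored record, not just replacing the wrapped key. AES-GCM, the nonce layout and all function names are assumptions of this example; the product's white-box protection and the HSM option are not modelled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// must turns errors that can only come from a bug here (bad key length, RNG failure) into a panic.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// seal is AES-256-GCM with the random nonce prepended; open reverses it and rejects a wrong
// key or any altered byte, since GCM authenticates the ciphertext it decrypts.
func seal(key, pt []byte) []byte {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, g.NonceSize())
	must(rand.Read(nonce))
	return g.Seal(nonce, nonce, pt, nil)
}
func open(key, ct []byte) ([]byte, error) {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if len(ct) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}

// rotateServerKey unwraps the current server key with the boot key, re-encrypts every record under
// a fresh server key and returns that key wrapped under the boot key; the server key encrypts rows
// directly, so replacing the wrapped key alone would leave every row unreadable.
func rotateServerKey(bootKey, wrappedSK []byte, records map[string][]byte) ([]byte, error) {
	old, err := open(bootKey, wrappedSK)
	if err != nil {
		return nil, err
	}
	newKey := make([]byte, 32)
	must(rand.Read(newKey))
	for id, ct := range records {
		pt, err := open(old, ct)
		if err != nil {
			return nil, err
		}
		records[id] = seal(newKey, pt)
	}
	return seal(bootKey, newKey), nil
}
```

Only the wrapped server key and the encrypted records would ever be written to the database; the boot key is kept out of it, which is what the white-box protection (or the HSM) provides in the product.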