Credential Encryption Algorithm

Article ID: 130859

Products

CA Privileged Access Manager - Cloakware Password Authority (PA) PAM SAFENET LUNA HSM CA Privileged Access Manager (PAM)

Issue/Introduction

Our auditors need a high-level understanding of how passwords (credentials) are stored in the database, e.g. what the encryption algorithm is and what other security features are in place.

Environment

Password Authority 4.5.3.x

Resolution

This is the note from Product Management regarding Password Authority security.

It applies to the 4.5.3.x version of standalone PA.

The communication protocol is HTTPS (TLS 1.0) for browser connections to the GUI and for CLI connections, and also for clients and proxy agents registering with CSPM.

The CSPM server uses a white-box protected AES-256 key (the "boot key") to encrypt a second white-box protected AES-256 key (the "server key"), which in turn encrypts the user IDs, passwords and other sensitive data stored in the database. The server key can optionally be rotated, which is good practice. The built-in CSK encryption can be replaced with keys from a network-attached SafeNet Luna SA HSM, in which case the HSM-held keys take the place of the boot key and server key for database encryption.

All Win-Proxy agents and A2A clients start with an initial AES-256 (white-box protected) key. Once a proxy or client is registered with the CA PAM server, that initial key is replaced with a unique AES-256 key for that Win-Proxy or client. When the CSPM server needs to send data to a proxy or client, it decrypts the data and re-encrypts it with the AES key specific to the target proxy or client before sending it over HTTP, so the payload itself is encrypted. As with the server key, the A2A client and proxy keys can be rotated on a regular basis.


Integrity verification uses a SHA-1 value. Database comparison lookups also use SHA-1 hash values.