Information on how CCS data is protected and encrypted in the core infrastructure
search cancel

Information on how CCS data is protected and encrypted in the core infrastructure

book

Article ID: 244667

calendar_today

Updated On: 05-30-2025

Products

Control Compliance Suite Standards Server Control Compliance Suite Control Compliance Suite Standards Module Control Compliance Suite Standards Database

Issue/Introduction

Control Compliance Suite (CCS)

You would like to know how the CCS data is protected and encrypted in the core infrastructure, including data transmissions for collecting and evaluating data and how passwords and other sensitive data are encrypted.

Environment

CCS 12.6.x

CCS 12.7

Resolution

CCS Encryption information:

Last updated May 30, 2025

CCS uses Microsoft Windows communication foundation (WCF) to ensure a secured communication between CCS components like console, Application server and Data processing service. CCS also uses OpenSSL 1.1.1n for Secure Communication. 

1) All the symmetric and asymmetric encryption algorithms and key lengths and how the algorithms are used are in the chart below.

Cipher/Algorithm

Name

Key Length(s)

Mode(s)

Purpose

AES

256

Block Mode

Encrypt and Decrypt - data, keys and credentials.
Digital signatures, encrypted channel for communication, Password encryption

RSA(+RSA-PKCS1-KeyEx)

1024,2048

 

Used for authenticating the agents and managers (handshake mechanism)

X509 certificates with RSA asymmetric algorithm

2048, 3072, 4096

 

Encrypt and Decrypt – files (Agent remote Upgrade - APU)
       

 

2) How encryption keys are generated or managed by CCS:

Algorithm

Modulus sizes supported

Purpose

Elliptic Curve Key Generation

256, 233

Authentication, Access Control, Hashing

Diffie-Hellman

512,1024,2048,4096

Authentication, Access Control, Hashing

 

3) All communication protocols used:

Protocol

 

How Used

SSH

Client-Server Communication

SHA 2

Hashing

X509 certificates

PKCS standards in Remote Agent update APU

HTTPS, TLS 1.2, TLS 1.1, TLS 1.0

Client-Server Communication. Uses only TLS 1.2 as default. But supports TLS 1.0 & 1.1 for backward compatibility.


CCS also uses passphrases to generate symmetric keys to encrypt and decrypt configuration information, including passwords, connection details, and command-based checks and script-based checks.
See the documentation below for more information:
About passphrases for Application Server Service and Encryption Management Service

Powered by Wolken Software