Encryption method for Secret Questions

Article ID: 36051

Products

CA Identity Manager
CA Identity Governance
CA Identity Portal
CA Risk Analytics
CA Secure Cloud SaaS - Arcot A-OK (WebFort)
CLOUDMINDER ADVANCED AUTHENTICATION
CA Secure Cloud SaaS - Advanced Authentication
CA Secure Cloud SaaS - Identity Management
CA Secure Cloud SaaS - Single Sign On

Issue/Introduction

What kind of encryption is used by Identity Manager to protect Secret Questions and Answers?

Environment

Release: CAIDMB99000-12.6.7-Identity Manager-B to B
Component:

Resolution

Regarding the encryption of Secret Questions and Answers and of passwords in IDM:

For non-FIPS installations, we use RSA's JSafe libraries for the RC2 cipher encryption (SHA-1).

The RSA libraries are embedded within the Identity Manager iam_im.ear.

Our code uses our methods LogicalAttributeContext.decryptString() and LogicalAttributeContext.encryptString(). Both methods use the RSA JSafe library.

The encryption is implemented by the RSA libraries and is not proprietary to CA Technologies. These are industry-standard libraries, so for certification questions you would need to contact RSA.

If Identity Manager is installed in "FIPS mode", then the encryption is done using our FIPS-compliant algorithm and against the FIPS key.

The algorithm in this case is AES, in cipher block chaining (CBC) mode with PKCS5 padding. The keys we generate with our keygen tool are 256-bit keys, and we base64 encode the raw ciphertext results.

There are no config files for demonstrating that encryption is enabled, as the encryption configuration is stored in the Object Store. In the IDM user console you can view the logical attribute handler and see the encryption settings for the password handler:

System > Logical Attributes > Forgotten Password Handler.

The best way to demonstrate that encryption is occurring is to view user records in the user directory, via an LDAP browser for example, and confirm that the attributes are stored in an encrypted format rather than as readable text.
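As an added worked example (not code from the Identity Manager product or from the RSA JSafe libraries), the FIPS-mode scheme described above in Go: AES in CBC mode with PKCS5 padding, a 32-byte key standing in for a 256-bit keygen key, base64 over the raw ciphertext, plus the shape check an administrator can apply to an attribute value read from the user directory. The page does not say how the IV is stored, so prepending a random IV to the ciphertext is an assumption, and the key and sample values used with it are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
)

// LooksEncrypted is the shape check for a directory value: valid base64 that decodes to a whole number of AES blocks (IV plus at least one data block).
func LooksEncrypted(stored string) bool {
	raw, err := base64.StdEncoding.DecodeString(stored)
	return err == nil && len(raw) >= 2*aes.BlockSize && len(raw)%aes.BlockSize == 0
}
// EncryptAttribute: AES-CBC with PKCS5 padding, base64 over the raw ciphertext; a 32-byte key selects AES-256. Assumption not on the page: a random IV is prepended.
func EncryptAttribute(key []byte, plaintext string) (string, error) {
	block, err := aes.NewCipher(key) // rejects keys that are not 16, 24 or 32 bytes
	if err != nil {
		return "", err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	n := aes.BlockSize - len(plaintext)%aes.BlockSize // PKCS5: n pad bytes, each of value n (1..16)
	padded := append([]byte(plaintext), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return base64.StdEncoding.EncodeToString(append(iv, ct...)), nil
}
// DecryptAttribute reverses EncryptAttribute and validates the padding, so a wrong key or a value that was never encrypted is reported as an error instead of returned as garbage.
func DecryptAttribute(key []byte, stored string) (string, error) {
	if !LooksEncrypted(stored) {
		return "", errors.New("value is not a base64 AES-CBC blob")
	}
	raw, _ := base64.StdEncoding.DecodeString(stored) // already validated by LooksEncrypted
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	pt := make([]byte, len(raw)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, raw[:aes.BlockSize]).CryptBlocks(pt, raw[aes.BlockSize:])
	n := int(pt[len(pt)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return "", errors.New("invalid PKCS5 padding: wrong key or corrupted value")
	}
	return string(pt[:len(pt)-n]), nil
}
```

A plaintext answer such as "Fluffy" fails LooksEncrypted, while a stored ciphertext passes it and decrypts back under the same key; a wrong key fails the padding check.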