Encryption Technology

Symptom

Security teams need information about the types of encryption that Login Enterprise uses in its products.

Cause

Security requests must be substantiated before a new software solution is implemented in a production environment.

Resolution

Login Enterprise utilizes the following types of encryption throughout the software.

Network communications with the following components occur over encrypted TCP/IP using SSL:

  • Management Console
  • Launchers
  • Engine

The following protocols and ciphers are used for encrypted communication over HTTPS:

  • SSL Protocols
    • TLSv1.2
    • TLSv1.3
  • Cipher Suite
    • EECDH+ECDSA+AESGCM
    • EECDH+aRSA+AESGCM
    • EECDH+ECDSA+SHA256
    • EECDH+aRSA+SHA256
    • EECDH+ECDSA+SHA384
    • EECDH+ECDSA+SHA256
    • EECDH+aRSA+SHA384
    • EDH+aRSA+AESGCM
    • EDH+aRSA+SHA256
    • EDH+aRSA:EECDH
  • Disabled Ciphers
    • aNULL, eNULL, MEDIUM, LOW, 3DES, MD5, EXP, PSK, SRP, DSS, RC4, SEED

Passwords are stored using AES 256-bit encryption, which is FIPS compliant.

The AES mode of operation is CBC, the .NET Core default mode.

https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.symmetricalgorithm.mode?view=netcore-2.2#System_Security_Cryptography_SymmetricAlgorithm_Mode

Certificates

Login Enterprise makes use of the Debian certificate requirements. For each certificate to work correctly, there are a number of allowed ciphers:

Allowed ciphers:

  • EECDH+ECDSA+AESGCM
  • EECDH+aRSA+AESGCM
  • EECDH+ECDSA+SHA256
  • EECDH+aRSA+SHA256
  • EECDH+ECDSA+SHA384
  • EECDH+ECDSA+SHA256
  • EECDH+aRSA+SHA384
  • EDH+aRSA+AESGCM
  • EDH+aRSA+SHA256
  • EDH+aRSA:EECDH

Disallowed ciphers:

  • !aNULL
  • !eNULL
  • !MEDIUM
  • !LOW
  • !3DES
  • !MD5
  • !EXP
  • !PSK
  • !SRP
  • !DSS
  • !RC4
  • !SEED

See https://www.openssl.org/docs/man1.0.2/man1/ciphers.html for more information.
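To see which concrete suites the allowed and disallowed lists above resolve to on a given OpenSSL build, the following added example (not Login Enterprise code) joins them into one cipher string and audits the expansion with Python's ssl module. The function names, the name-marker checks and the 128-bit strength floor are assumptions of the example.

```python
import ssl

# Tokens copied from the article's allowed and disallowed cipher lists.
ALLOWED = [
    "EECDH+ECDSA+AESGCM", "EECDH+aRSA+AESGCM", "EECDH+ECDSA+SHA256",
    "EECDH+aRSA+SHA256", "EECDH+ECDSA+SHA384", "EECDH+ECDSA+SHA256",
    "EECDH+aRSA+SHA384", "EDH+aRSA+AESGCM", "EDH+aRSA+SHA256", "EDH+aRSA:EECDH",
]
DISALLOWED = ["aNULL", "eNULL", "MEDIUM", "LOW", "3DES", "MD5",
              "EXP", "PSK", "SRP", "DSS", "RC4", "SEED"]
# Substrings an OpenSSL suite name would carry if an exclusion had failed.
BANNED_MARKERS = ("NULL", "RC4", "DES-CBC3", "MD5", "PSK", "SRP", "SEED", "DSS", "EXP")

def build_cipher_string():
    """Join the article's lists into one OpenSSL cipher string."""
    return ":".join(ALLOWED + ["!" + t for t in DISALLOWED])

def expand_policy():
    """Return the suites the local OpenSSL build enables for this policy."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # article lists TLSv1.2 and TLSv1.3
    ctx.set_ciphers(build_cipher_string())  # ssl.SSLError if nothing matches
    return ctx.get_ciphers()

def audit(suites):
    """Return (policy violations, non-AEAD suites worth a second look)."""
    violations, non_aead = [], []
    for s in suites:
        name = s["name"]
        ephemeral = name.startswith(("ECDHE-", "DHE-", "TLS_"))  # TLS_ = TLS 1.3 suite
        banned = any(m in name for m in BANNED_MARKERS)
        if banned or not ephemeral or s["strength_bits"] < 128:  # assumed floor
            violations.append(name)
        elif not s.get("aead", False):
            non_aead.append(name)
    return violations, non_aead

if __name__ == "__main__":
    suites = expand_policy()
    bad, review = audit(suites)
    print(f"{len(suites)} suites enabled, {len(bad)} violations")
    print("non-AEAD suites admitted:", ", ".join(review) or "none")
```

Python's set_ciphers() does not control TLS 1.3 suites, so any TLS_ entries in the output come from the OpenSSL defaults rather than from this cipher string.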

Properties
Login PI 3.0 and greater / Login Enterprise