Policy Server :: Smobjexport : Encryption

Document ID : KB000049359
Last Modified Date : 14/02/2018
Show Technical Document Details

Description:

I would like to know:

  1. What are the cryptographic algorithms used by smobjexport?
  2. What are the sizes of the cryptographic keys used by smobjexport?
  3. How are the Agent and Session Ticket Keys secured during smobjexport?
  4. How is the integrity checked in smobjexport/import?

Solution:

Here are the answers :

  1. Cryptographic Algorithms used when Policy Server is in "FIPS compatibility mode" and in "FIPS migration mode"

    For Compat mode, SiteMinder uses RC2 Algorithm;
    For migration mode, SiteMinder uses AES:

    To identify which encryption is being used, every sensitive data is appended with RC2 or AES tags as:

    {RC2} Ron's cipher #2 - NOT-FIPS
    {AES} Advanced Encryption Standard/FIPS140-2

  2. Key Sizes when Policy Server is in "FIPS compatibility mode" and in "FIPS migration mode"

    FIPS Migration mode , AES key size is 128 bits.
    FIPS Compatibility mode , RC2 key size is 128 bits.

    Policy Servers uses lots of keys.

    FIPS COMPAT MODE:
    COMPONENT : Algorithm : KEY Size :
    Policy Store and Key Store Keys : RC2 : 128
    Agent Key: RC2 with an HMAC-SHA1 digest : 128
    Session Ticket Key : RC2 with an HMAC-SHA1 digest: 128

    FIPS ONLY MODE:

    Policy Store and Key Store Keys : AES : 128
    Agent Key: AES with an HMAC-SHA256 digest : 128
    Session Ticket Key : AES with an HMAC-SHA256 digest: 128

    Roll Over :
    Agent Key and Shared Secret rollover will superficially appear unchanged. When the Policy Server is in either FIPS-migration or FIPS-only mode, it will employ the AES and SHA-256 algorithms to encrypt the keys/secrets instead of RC2, MD5, and SHA-1.

  3. How are the Agent and Session Ticket Keys secured during smobjexport?

    The specific encryption, hashing, and MAC algorithms required for FIPS-only mode operation are different than the classic SiteMinder cryptographic algorithms, but the overall structure of the cryptographic protocols will be preserved.

    For FIPS COMPAT mode, Sensitive data like agent and session ticket keys are encrypted in algorithm in RC2 CBC;
    For FIPS ONLY mode, Sensitive data like agent and session ticket keys are encrypted algorithm in AES KEYWRAP;

  4. How is the integrity of the exported Keys checked ?

    All Sensitive data that is exported using smobjexport will be decrypted and encrypted using Encryption key seed present in Encryptionkey.txt.
    Every time data is exported, smobjexport tool performs a decrypt of sensitive data and encrypt the data. That is the reason why every export of sensitive data is different.

    You cannot manually modify encrypted sensitive data and import it. If someone wants to use different password, then you need to export data using -c option, which exports the data in clear text.
    After manually changing the Secret Tag field, which contains sensitive data in clear text. You could re-import the exported the data using same '-c' option.