
Encryption methods

All communication between users and each Bravura Security Fabric server is over HTTPS: client devices make TLS-encrypted connections to the Bravura Security Fabric server and verify that the server's certificate is valid and matches the DNS name they connected to before any meaningful communication takes place.
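As an added illustration of the name check described above (this is example code, not part of the Bravura Security product), the Go program below builds a constructed self-signed certificate and shows which dialled names the standard library's hostname verification accepts. The host names are made up and a real deployment presents a CA-issued certificate; the point is that only the subject alternative names count, a wildcard covers one label, and a client configuration keeps verification on by never setting InsecureSkipVerify.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NewServerCert builds a constructed self-signed certificate with the given
// subject CN and DNS subject alternative names. It stands in for the
// certificate a server would present; a deployment uses a CA-issued one.
func NewServerCert(commonName string, dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: commonName},
		DNSNames:     dnsNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// HostnameMatches is the name check the page describes: the certificate must
// cover the DNS name the client dialled. Go matches only the SAN list (the
// CommonName is ignored) and a wildcard matches exactly one label.
func HostnameMatches(cert *x509.Certificate, dialledName string) bool {
	return cert.VerifyHostname(dialledName) == nil
}

// ClientConfig is a client configuration that keeps chain and hostname
// verification on. Setting InsecureSkipVerify would disable both checks and
// is the mistake this example exists to make visible.
func ClientConfig(dialledName string, roots *x509.CertPool) *tls.Config {
	return &tls.Config{
		ServerName: dialledName,
		RootCAs:    roots,
		MinVersion: tls.VersionTLS12,
	}
}

func main() {
	// Constructed names for the demonstration.
	cert, err := NewServerCert("fabric.example.com", []string{"fabric.example.com", "*.internal.example.com"})
	if err != nil {
		panic(err)
	}
	for _, name := range []string{"fabric.example.com", "app.internal.example.com", "a.b.internal.example.com", "other.example.com"} {
		fmt.Printf("%-28s matches: %v\n", name, HostnameMatches(cert, name))
	}
}
```

The last two names in main fail on purpose: a wildcard does not span two labels, and a name the certificate does not list is rejected even though the chain itself would validate.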

Similarly, to protect communication with the application's backend database, enable encryption and server certificate validation in the Microsoft OLE DB driver connection settings; see Microsoft's documentation for the driver.
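Added example, not part of the original page or of the product: a small Go checker for OLE DB style connection strings that flags the two settings that undermine transport security to the backend database, shown against a constructed weak string and its hardened counterpart. The server and catalog names are made up. The keywords Encrypt and TrustServerCertificate (and their ADO property aliases) come from Microsoft's driver documentation, but the set of accepted value spellings is my assumption, so confirm it against the driver version in use.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed connection strings; server and catalog names are made up.
// Provider=MSOLEDBSQL selects Microsoft's OLE DB driver for SQL Server.
const (
	WeakConnStr     = "Provider=MSOLEDBSQL;Data Source=db01.example.com;Initial Catalog=fabric;Integrated Security=SSPI;Encrypt=no;TrustServerCertificate=yes"
	HardenedConnStr = "Provider=MSOLEDBSQL;Data Source=db01.example.com;Initial Catalog=fabric;Integrated Security=SSPI;Encrypt=yes;TrustServerCertificate=no"
)

// ParseConnectionString splits "key=value;key=value" into a map with
// lower-cased keys and values. Quoted values are not handled.
func ParseConnectionString(s string) map[string]string {
	out := map[string]string{}
	for _, part := range strings.Split(s, ";") {
		k, v, ok := strings.Cut(strings.TrimSpace(part), "=")
		if !ok {
			continue
		}
		out[strings.ToLower(strings.TrimSpace(k))] = strings.ToLower(strings.TrimSpace(v))
	}
	return out
}

// lookup returns the value of the first alias present in m, so that both the
// provider-string keyword and the ADO property name are recognised.
func lookup(m map[string]string, aliases ...string) (string, bool) {
	for _, k := range aliases {
		if v, ok := m[k]; ok {
			return v, true
		}
	}
	return "", false
}

// CheckEncryption returns one finding per setting that weakens transport
// security. The accepted value spellings are an assumption for this example.
func CheckEncryption(connStr string) []string {
	m := ParseConnectionString(connStr)
	var findings []string
	enc, ok := lookup(m, "encrypt", "use encryption for data")
	switch {
	case !ok:
		findings = append(findings, "Encrypt not set: whether the link is encrypted depends on the driver's default")
	case enc == "no" || enc == "false" || enc == "optional":
		findings = append(findings, "Encrypt="+enc+": credentials and data cross the network in clear text")
	}
	trust, ok := lookup(m, "trustservercertificate", "trust server certificate")
	if ok && (trust == "yes" || trust == "true") {
		findings = append(findings, "TrustServerCertificate="+trust+": the server certificate is not validated, so the encrypted link can be intercepted")
	}
	return findings
}

func main() {
	for _, cs := range []string{WeakConnStr, HardenedConnStr} {
		findings := CheckEncryption(cs)
		fmt.Printf("%d finding(s) for %q\n", len(findings), cs)
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```

The weak string produces two findings and the hardened one none. Note that Encrypt=yes with TrustServerCertificate=yes still counts as a finding: the link is encrypted, but without certificate validation any host that answers on the database port can terminate it.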

Bravura Security Fabric, in any of its license types (Pass, Identity, or Privilege), stores secret data in two forms:

User passwords and password history are stored as salted SHA-512 hashes. The exceptions are the passwords of the product administrator and API profiles, which are AES-encrypted.
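An added example (my code, not the product's) of the salted SHA-512 scheme the paragraph describes: a per-password random salt, a constant-time comparison at verification time, and the password-history check that such hashes make possible. The 16-byte salt length and the salt-then-password ordering are assumptions; the page does not state either.

```go
package main

import (
	"crypto/rand"
	"crypto/sha512"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// saltLen is an assumed salt size; the page does not state the one the product uses.
const saltLen = 16

// HistoryEntry is one retired password: its salt and its salted SHA-512 digest.
// Nothing recoverable is kept, which is what makes a hash, rather than
// encryption, the right form for passwords and password history.
type HistoryEntry struct {
	Salt, Hash []byte
}

// NewSalt returns saltLen bytes from the operating system's CSPRNG.
func NewSalt() ([]byte, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	return salt, nil
}

// HashPassword computes SHA-512(salt || password). The salt-then-password
// ordering is an assumption made for this example.
func HashPassword(password string, salt []byte) []byte {
	h := sha512.New()
	h.Write(salt)
	h.Write([]byte(password))
	return h.Sum(nil)
}

// VerifyPassword recomputes the digest under the stored salt and compares it
// in constant time so that a mismatch is not revealed byte by byte.
func VerifyPassword(password string, salt, stored []byte) bool {
	return subtle.ConstantTimeCompare(HashPassword(password, salt), stored) == 1
}

// InHistory reports whether password matches any retired entry. Each entry
// carries its own salt, so the candidate is re-hashed once per entry; the loop
// does not short-circuit, so the number of comparisons does not leak a match.
func InHistory(password string, history []HistoryEntry) bool {
	found := false
	for _, e := range history {
		if VerifyPassword(password, e.Salt, e.Hash) {
			found = true
		}
	}
	return found
}

func main() {
	salt, err := NewSalt()
	if err != nil {
		panic(err)
	}
	stored := HashPassword("correct horse battery staple", salt) // constructed password
	fmt.Printf("salt=%s\nhash=%s\n", hex.EncodeToString(salt), hex.EncodeToString(stored))
	fmt.Println("verify ok: ", VerifyPassword("correct horse battery staple", salt, stored))
	fmt.Println("verify bad:", VerifyPassword("Correct horse battery staple", salt, stored))
}
```

Two properties are worth seeing: the same password hashed under two salts gives two different digests, so a stolen table cannot be attacked with one precomputed dictionary, and the history check works without keeping old passwords in recoverable form. A single salted hash is still fast to compute, so its strength against offline guessing rests on password length and on keeping the table out of an attacker's hands, which is one reason the page insists on a hardened server.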

Passwords used by Bravura Security Fabric are encrypted in the Bravura Security Fabric database using a site-specific encryption key. This key is stored on the Bravura Security Fabric server, in the Windows registry, and is itself encrypted with an obfuscation key embedded in the Bravura Security Fabric software, using the AES key-wrapping method specified in NIST SP 800-38F ( https://csrc.nist.gov/publications/detail/sp/800-38f/final ).

  • All encryption here is symmetric, using 256-bit AES.

  • The same goes for workstation keys and all other keys listed in the table below.
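The wrapping the paragraph above refers to, as an added example in Go (not the product's implementation): the KW mode of NIST SP 800-38F, which is the same algorithm as RFC 3394, used here to wrap a constructed 32-byte site key under a constructed 32-byte key-encryption key. The constant kwIV is the mode's fixed integrity-check value; every key value and length in the program is made up for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/rand"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// kwIV is the fixed 64-bit integrity check value of the KW mode
// (SP 800-38F section 6.2, RFC 3394 section 2.2.3.1).
var kwIV = []byte{0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6}

// xorCounter XORs the big-endian step counter t into the 64-bit register a.
func xorCounter(a []byte, t uint64) {
	var tb [8]byte
	binary.BigEndian.PutUint64(tb[:], t)
	for k := range a {
		a[k] ^= tb[k]
	}
}

// WrapKey wraps key material (at least 16 bytes, a multiple of 8) under kek
// with the KW mode: six passes of AES over 64-bit blocks chained through the
// register A, which starts as kwIV. A 32-byte kek selects AES-256.
func WrapKey(kek, plaintext []byte) ([]byte, error) {
	if len(plaintext) < 16 || len(plaintext)%8 != 0 {
		return nil, errors.New("key data must be at least 16 bytes and a multiple of 8")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(plaintext) / 8
	a := append([]byte(nil), kwIV...)
	r := append([]byte(nil), plaintext...) // R[1..n], stored flat
	var b [16]byte
	for j := 0; j < 6; j++ {
		for i := 0; i < n; i++ {
			copy(b[:8], a)
			copy(b[8:], r[i*8:i*8+8])
			block.Encrypt(b[:], b[:])
			copy(a, b[:8])
			xorCounter(a, uint64(n*j+i+1)) // t = n*j + i, with i counted from 1
			copy(r[i*8:i*8+8], b[8:])
		}
	}
	return append(a, r...), nil
}

// UnwrapKey reverses WrapKey and rejects the result unless the recovered
// register equals kwIV, which is how a wrong KEK or a modified blob is detected.
func UnwrapKey(kek, wrapped []byte) ([]byte, error) {
	if len(wrapped) < 24 || len(wrapped)%8 != 0 {
		return nil, errors.New("wrapped key has an invalid length")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(wrapped)/8 - 1
	a := append([]byte(nil), wrapped[:8]...)
	r := append([]byte(nil), wrapped[8:]...)
	var b [16]byte
	for j := 5; j >= 0; j-- {
		for i := n - 1; i >= 0; i-- {
			xorCounter(a, uint64(n*j+i+1))
			copy(b[:8], a)
			copy(b[8:], r[i*8:i*8+8])
			block.Decrypt(b[:], b[:])
			copy(a, b[:8])
			copy(r[i*8:i*8+8], b[8:])
		}
	}
	if !bytes.Equal(a, kwIV) {
		return nil, errors.New("integrity check failed: wrong KEK or the wrapped key was modified")
	}
	return r, nil
}

func main() {
	kek := make([]byte, 32)     // constructed key-encryption key
	siteKey := make([]byte, 32) // constructed site-specific key
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	if _, err := rand.Read(siteKey); err != nil {
		panic(err)
	}
	wrapped, err := WrapKey(kek, siteKey)
	if err != nil {
		panic(err)
	}
	fmt.Println("wrapped (40 bytes):", hex.EncodeToString(wrapped))
	if _, err := UnwrapKey(kek, wrapped); err != nil {
		panic(err)
	}
	wrapped[12] ^= 0x01 // flip one bit of the stored blob
	_, err = UnwrapKey(kek, wrapped)
	fmt.Println("after tampering:", err)
}
```

KW gives integrity as well as confidentiality: unwrapping with the wrong KEK, or after any byte of the wrapped blob is changed, fails the A6A6...A6 check instead of returning garbage, which is the property that lets a product notice tampering with a stored key. Note what an embedded wrapping key does and does not buy: it protects the site key against someone who only obtains a registry export, not against someone who holds both the registry and the binaries, so the real protection of the stored key is the server hardening the page goes on to describe.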

Both the live data maintained by Bravura Security Fabric and backups of its data set require protection against intruders. To provide this protection, Bravura Security Fabric must be installed on a hardened, locked-down server in a physically secure site. Bravura Security provides a server hardening guide for this purpose.

Communication between application servers (for data and file replication) and with product proxies and other add-ons, such as password change interceptors, is encrypted with a proprietary protocol built on AES. This is configured as part of the product installation settings; some of these keys can later be managed using the resetkey tool.

The following table lists the encryption keys used throughout Bravura Security Fabric. For each key it gives the data the key protects (Data), the algorithm, and how the key material is obtained (Key material).

Communication Key
  Data: Shared with the other Bravura Security Fabric services on the network and used to negotiate session keys when two Bravura Security Fabric remote services communicate over the network.
  Algorithm: 256-bit AES
  Key material: Random

Database Encryption Key
  Data: Used for data-at-rest encryption in general: all sensitive data in the Bravura Security Fabric database, for example passwords used to log in to target systems and answers to security questions, is encrypted with this key. It is also used to encrypt sensitive registry values.
  Algorithm: 256-bit AES
  Key material: Random

Connector Encryption Key
  Data: Used to encrypt sensitive data exchanged with the connectors; for example, Bravura Security Fabric uses it to encrypt and decrypt the passwords and administrative credentials used by connectors and exit traps, as well as all communication and operations run by the connectors.
  Algorithm: 256-bit AES
  Key material: Random

IDMLib Encryption Key
  Data: Used when encrypting or decrypting data from within a Python-based plugin. Typically this data is both encrypted and decrypted by the plugin and is not used directly by the core product suite.
  Algorithm: 256-bit AES
  Key material: Random

Workstation Initial Authentication Key
  Data: Used for the initial authentication of a new workstation to an instance server. The key is generated during the instance install and must be the same on all nodes of an instance. Its purpose is to protect communications while the workstation key is negotiated or re-negotiated.
  Algorithm: 256-bit AES
  Key material: Random

Workstation Communication Key
  Data: Used to encrypt bidirectional communication between workstation add-ons and instance servers. The key is unique to a particular workstation and is negotiated when the workstation add-on first registers itself with the instance. Periodically the workstation and the instance re-negotiate new keys and expire old ones. If multiple add-ons are installed on a workstation, they all share the same workstation communication key.
  Algorithm: 256-bit AES
  Key material: Random

Session Key
  Data: Used to encrypt session data passed between the CGIs and the web browser clients.
  Algorithm: 256-bit AES
  Key material: Random

M-Tech Key
  Data: A single hard-coded static key that is the same for all customers. It is used in only a few places, for example license file encryption.
  Algorithm: 256-bit AES
  Key material: Random (static, embedded in the software)

Key Encryption Key
  Data: A static key embedded in the Bravura Security binaries that protects all of the other encryption keys in the product and allows them to be validated against tampering. For some use cases this key can be externalized to a supported hardware security module (HSM).
  Algorithm: 256-bit AES
  Key material: Random (static, embedded in the software; can be externalized to an HSM)