All keys are encrypted at rest using NIST-recommended strong encryption methods, through the standard Microsoft cryptographic APIs with the settings their documentation recommends.
Encrypted Values Used by Panel Tools
In some cases you must supply explicit credentials for a connection provider. This is needed whenever the Panel Service is not authenticating to the source or target system implicitly with its own service account. Explicit credentials are encrypted by Identity Panel with AES-256 before being stored in the Identity Panel web application.
The AES key is in turn stored in the tenant database (an on-premises installation has a single tenant) and is protected with the .NET Core Data Protection API using the DPAPI-NG protection provider, which restricts decryption of the key to the application pool's service account.
When Panel Tools needs the credentials it makes a decipher request to the web API, and the password is returned over the HTTPS connection. Access to the decipher API is restricted to users with Execute access on JSON settings, which by default includes the Admin and Writer roles. Anyone holding that permission can retrieve stored passwords in plaintext, so treat Execute access on JSON settings as a credential-disclosure permission when assigning roles.
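The layering above (a credential encrypted under an AES-256 key, the key itself protected to one Windows account) as an added PowerShell example. This is not Identity Panel's code: the product wraps its key with DPAPI-NG through the .NET Data Protection API, and classic DPAPI (System.Security.Cryptography.ProtectedData, CurrentUser scope) is substituted here because it is callable from Windows PowerShell without extra packages. The function names, the record layout and the sample password are constructed for the example.

```powershell
# Added example, not Identity Panel code: envelope protection of a stored credential.
# A random 256-bit AES key encrypts the secret, and the key itself is wrapped with DPAPI
# in CurrentUser scope so only the wrapping account can recover it. Identity Panel wraps
# its key with DPAPI-NG via the .NET Data Protection API; classic DPAPI stands in for it here.
# Requires Windows (Windows PowerShell 5.1 or PowerShell 7).

if ($PSVersionTable.PSEdition -eq 'Core') { Add-Type -AssemblyName System.Security.Cryptography.ProtectedData }
else { Add-Type -AssemblyName System.Security }

$Scope = [System.Security.Cryptography.DataProtectionScope]::CurrentUser

function Protect-Credential {
    param(
        [Parameter(Mandatory)] [string] $PlainText,
        [byte[]] $WrappedKey    # reuse an existing wrapped key, or omit to generate a new one
    )
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 256
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    if ($WrappedKey) {
        $aes.Key = [System.Security.Cryptography.ProtectedData]::Unprotect($WrappedKey, $null, $Scope)
    } else {
        $aes.GenerateKey()
        # Wrap the data key to the calling account (the app pool identity in the product's model).
        $WrappedKey = [System.Security.Cryptography.ProtectedData]::Protect($aes.Key, $null, $Scope)
    }
    $aes.GenerateIV()                       # fresh IV per encryption; stored beside the ciphertext
    $plain  = [Text.Encoding]::UTF8.GetBytes($PlainText)
    $enc    = $aes.CreateEncryptor()
    $cipher = $enc.TransformFinalBlock($plain, 0, $plain.Length)
    $iv     = $aes.IV
    $enc.Dispose(); $aes.Dispose()
    [pscustomobject]@{
        WrappedKey = [Convert]::ToBase64String($WrappedKey)
        IV         = [Convert]::ToBase64String($iv)
        CipherText = [Convert]::ToBase64String($cipher)
    }
}

function Unprotect-Credential {
    param([Parameter(Mandatory)] [pscustomobject] $Record)
    # Unwrapping throws a CryptographicException under any account other than the one that
    # wrapped the key; that failure is what confines decryption to the service account.
    $key = [System.Security.Cryptography.ProtectedData]::Unprotect(
        [Convert]::FromBase64String($Record.WrappedKey), $null, $Scope)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $key
    $aes.IV  = [Convert]::FromBase64String($Record.IV)
    $dec = $aes.CreateDecryptor()
    $ct  = [Convert]::FromBase64String($Record.CipherText)
    $out = [Text.Encoding]::UTF8.GetString($dec.TransformFinalBlock($ct, 0, $ct.Length))
    $dec.Dispose(); $aes.Dispose()
    $out
}

# Constructed sample: a connector password; nothing here is a real credential.
$record = Protect-Credential -PlainText 'connector-P@ssw0rd'
$record | Format-List                      # what would be persisted: wrapped key, IV, ciphertext
Unprotect-Credential -Record $record       # same account: the plaintext comes back
```

The persisted record holds only the wrapped key, the IV and the ciphertext; the plaintext AES key exists in memory for the duration of one call. Running `Unprotect-Credential` on the same record from a different Windows account reproduces the access restriction the page describes: the unwrap step fails and the ciphertext is never touched.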
Sensitive config.json Values
When you use PanelTool to connect to your SaaS instance for the first time, Panel Tool performs a federated OAuth bearer-token authentication using the Microsoft Azure Active Directory Authentication Library (ADAL). This requires end-user interaction (for example, to satisfy MFA). The resulting session is then used to establish a forms authentication password.
The forms authentication password is a 128-bit value generated by a cryptographically secure random number generator (CSPRNG). The username is specific to both the user account and the server used to access Panel Service. The username and password are written to config.json so Panel Service can use them, and the password is protected with DPAPI in CurrentUser scope.
Unlike other config.json values, a separate login credential is created for each logged-on user and is readable only by that account, regardless of the Auth:ProtectMode setting. CurrentUser DPAPI keys live in the user's profile, so any account used to run Panel Service or Panel Check must have a user profile for DPAPI to work, and you must run PanelTool as that service account once, so the credential is created and protected to it, before Panel Service will start.
SaaS Credentials
When Panel Service connects to SaaS it establishes a forms login pair with a 128-bit password generated by a cryptographically secure random number generator (CSPRNG). The username is specific to both the user account and the server used to access Panel Service. The username and password are written to config.json, and the password is protected with DPAPI in CurrentUser scope.
Unlike other config.json values, a separate pair is created for each logged-on user and is encrypted to that account regardless of the Auth:ProtectMode setting. This implies that any account used to run Panel Service or Panel Check must have a user profile, because CurrentUser DPAPI keys are stored in the profile.
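The profile requirement stated in both the "Sensitive config.json Values" and "SaaS Credentials" sections is easy to get wrong for a service account that has never logged on interactively. The following added PowerShell pre-flight check is not part of Identity Panel; it is meant to be run *as the service account* (the `runas` line and the `CONTOSO\svc-panel` account name are placeholders) and reports whether Windows has a profile registered for the account, whether its DPAPI master-key folder exists, and whether a CurrentUser DPAPI round-trip actually succeeds.

```powershell
# Added example, not Identity Panel code: pre-flight check for the account that will run
# Panel Service or Panel Check. Run it as that account, for example:
#   runas /user:CONTOSO\svc-panel "powershell -NoProfile -File .\Test-DpapiProfile.ps1"
# (CONTOSO\svc-panel is a placeholder for the real service account.)
# CurrentUser DPAPI keys live in the user profile, so an account whose profile has never
# been created cannot protect or unprotect anything, and Panel Service will not start.

if ($PSVersionTable.PSEdition -eq 'Core') { Add-Type -AssemblyName System.Security.Cryptography.ProtectedData }
else { Add-Type -AssemblyName System.Security }

function Test-DpapiProfile {
    $id  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sid = $id.User.Value
    $result = [ordered]@{ Account = $id.Name; Sid = $sid }

    # 1. Has Windows registered a profile for this SID? ProfileList is where that is recorded.
    $profileKey = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$sid"
    $result.ProfileRegistered = Test-Path $profileKey
    if ($result.ProfileRegistered) {
        $result.ProfilePath = (Get-ItemProperty $profileKey).ProfileImagePath
    }

    # 2. Does the DPAPI master-key folder exist? It is created on first CurrentUser DPAPI use.
    $protectDir = Join-Path $env:APPDATA "Microsoft\Protect\$sid"
    $result.MasterKeyFolder = Test-Path $protectDir
    if ($result.MasterKeyFolder) {
        # Master keys are files named with a GUID.
        $result.MasterKeyCount = @(Get-ChildItem -Path $protectDir -Force -File |
            Where-Object { $_.Name -match '^[0-9a-fA-F-]{36}$' }).Count
    }

    # 3. Can this account actually round-trip a CurrentUser DPAPI blob?
    $probe = [Text.Encoding]::UTF8.GetBytes('dpapi-probe')    # constructed test value
    try {
        $blob = [System.Security.Cryptography.ProtectedData]::Protect($probe, $null, 'CurrentUser')
        $back = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $null, 'CurrentUser')
        $result.DpapiRoundTrip = ([Text.Encoding]::UTF8.GetString($back) -eq 'dpapi-probe')
    } catch {
        $result.DpapiRoundTrip = $false
        $result.DpapiError = $_.Exception.Message
    }
    [pscustomobject]$result
}

$r = Test-DpapiProfile
$r | Format-List
if (-not $r.DpapiRoundTrip) {
    Write-Warning "Account $($r.Account) cannot use CurrentUser DPAPI. Log on (or run PanelTool) as it once so its profile is created."
    exit 1
}
```

A failed round-trip is the symptom to look for: the `runas` launch itself loads the profile, so if step 3 still fails the account is blocked from DPAPI for another reason (for example a mandatory or roaming profile that cannot be written), which needs fixing before PanelTool is run as that account.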
Non-Repudiation
When non-repudiation is enabled, it uses the Windows certificate store and its security model to protect access to the certificate, and in particular its private key, used to sign database records.
Each database record has serialization logic that produces a byte array; that array is hashed and signed with ECDSA using a 256-bit curve (ECDSA-256). This is considered at least equivalent to RSA-2048, and by the usual estimates stronger (roughly 128-bit versus 112-bit security).
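The signing scheme described above, as an added PowerShell example that is not Identity Panel's code. It assumes ECDSA over the NIST P-256 curve with SHA-256 (the page says only "EC-DSA256"), and the deterministic serialization (field names sorted, `name=value` lines, UTF-8) is constructed for the example, not the product's. With `-Thumbprint` it takes the signing key from the local machine certificate store, where the store's ACL governs private-key access as the page describes; without it an ephemeral key is generated so the script runs anywhere.

```powershell
# Added example, not Identity Panel code: sign a serialized record with ECDSA P-256 / SHA-256
# and verify it, showing that a tampered record fails verification.
# Assumptions: P-256 with SHA-256; the record serialization below is constructed for the example.

function ConvertTo-RecordBytes {
    param([Parameter(Mandatory)] [hashtable] $Record)
    # Serialization must be deterministic: the same record has to yield the same bytes later,
    # or a valid signature would fail to verify. Sorted keys, one "name=value" line per field.
    $lines = foreach ($k in ($Record.Keys | Sort-Object)) { '{0}={1}' -f $k, $Record[$k] }
    [Text.Encoding]::UTF8.GetBytes(($lines -join "`n"))
}

function Get-SigningKey {
    param([string] $Thumbprint)
    if ($Thumbprint) {
        # Private-key access here is whatever the certificate store ACL allows the caller.
        $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
        $key  = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($cert)
        if (-not $key) { throw "Certificate $Thumbprint has no usable ECDSA private key" }
        return $key
    }
    # Ephemeral P-256 key, for demonstration only; a real deployment uses the store certificate.
    [System.Security.Cryptography.ECDsa]::Create([System.Security.Cryptography.ECCurve+NamedCurves]::nistP256)
}

function New-RecordSignature {
    param([Parameter(Mandatory)] [hashtable] $Record,
          [Parameter(Mandatory)] [System.Security.Cryptography.ECDsa] $Key)
    $bytes = ConvertTo-RecordBytes $Record
    # SignData hashes the bytes with SHA-256 and signs the digest.
    [Convert]::ToBase64String($Key.SignData($bytes, [System.Security.Cryptography.HashAlgorithmName]::SHA256))
}

function Test-RecordSignature {
    param([Parameter(Mandatory)] [hashtable] $Record,
          [Parameter(Mandatory)] [string] $Signature,
          [Parameter(Mandatory)] [System.Security.Cryptography.ECDsa] $Key)
    $bytes = ConvertTo-RecordBytes $Record
    # Verification needs only the public half of $Key.
    $Key.VerifyData($bytes, [Convert]::FromBase64String($Signature),
                    [System.Security.Cryptography.HashAlgorithmName]::SHA256)
}

# Constructed sample record; names and values are illustrative.
$record = @{
    Id     = 1042
    Action = 'SetPassword'
    Target = 'CN=jdoe,OU=Users,DC=contoso,DC=com'
    Actor  = 'CONTOSO\admin'
    At     = '2024-01-15T10:22:03Z'
}
$key = Get-SigningKey            # add -Thumbprint <thumbprint> to sign with a store certificate
$sig = New-RecordSignature -Record $record -Key $key
"Signature: $sig"
"Original verifies: $(Test-RecordSignature -Record $record -Signature $sig -Key $key)"

# Change one field after signing: the stored signature no longer matches.
$tampered = $record.Clone()
$tampered.Actor = 'CONTOSO\someone-else'
"Tampered verifies: $(Test-RecordSignature -Record $tampered -Signature $sig -Key $key)"
```

The original record verifies and the tampered copy does not, which is the property non-repudiation relies on: whoever can read the database can alter a row, but only a holder of the private key can produce a signature for the altered bytes, and the certificate store ACL decides who that is. Because ECDSA signatures are randomized, the base64 signature differs on every run even for identical input; that is expected and does not affect verification.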