Introduction
Security is one of the most important aspects of modern IT landscapes. A good security concept consists of multiple layers, so that if one is breached, additional layers of protection are still in place. The CoreOne Suite was developed with security by design in mind. This document is intended to give the reader a basic understanding of common security terms and of how and where they are used within the CoreOne Suite. It is not a complete documentation covering every aspect from user behavior to optimal password length, but rather aims to clarify some of the more technical aspects.
Fundamentals
The following terms are essential for understanding the basic concepts of cryptography. There are many more concepts and functions involved, but the terms below should suffice to understand the fundamentals.
Cryptography
Cryptography is defined as the practice and study of techniques for securing communication between two parties in the presence of a third party. In other words: how can Alice communicate with Bob so that no one else (a man in the middle) is able to listen in?
Encryption
Encryption is the technique applied in cryptography to take a plain text and scramble it into an unreadable format, called ciphertext, that can only be read again by someone in possession of the key.
Decryption
Decryption is the technique applied in cryptography to take a ciphertext and convert it back into the plain text.
Key
Both encryption and decryption rely on the concept that only the sender and the receiver are in possession of a common secret that is used to encrypt or decrypt a ciphertext. This secret is usually referred to as the key. An example of such a key is an SSL certificate, or to be more precise, the private key belonging to that certificate.
Symmetric Encryption
Symmetric encryption is encryption where the same key is used to encrypt and decrypt messages:
...
Examples of symmetric encryption algorithms are AES and DES and any of their variants.
Asymmetric Encryption
Asymmetric encryption uses two different keys to encrypt and decrypt a message:
...
The keys in asymmetric encryption usually come as a key pair consisting of a public and a private key. A good example of this is an SSL certificate.
Private & Public Key
As stated above, an SSL certificate for instance consists of a public key that a client uses to encrypt a message that will be sent to the server. The server then uses the private key to decrypt that message. Even if a man in the middle intercepted the message, they would not be able to read it without the private key.
Hash
A hash is a mathematical one-way function that maps any given input to a fixed-size output. For example, we can hash a plain-text password of arbitrary length to a fixed-size byte array. There is no mathematical function to calculate the original password from the byte array; the only way to do so is by brute force.
    hash(input) = hash value
Salted Hash
A regular hash is deterministic, meaning the same input always produces the same result. So if two users had the same password, it would result in the same hash. To prevent this, some hash algorithms use a salt value: a random salt is added to the input before the hash is calculated.
...
In order to validate the hash value later on, the salt value must be stored alongside the hash value.
Hash iterations
A hash can be applied not only once but multiple times. By calculating the hash of a plain text input we have N possible inputs that lead to a certain hash. If we apply the hash M times, we increase the number of possibilities to M*N. Each additional iteration also makes every guess in a brute-force attack correspondingly more expensive, which is why the iteration count is chosen as high as the logon latency allows.
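The three properties described above (a plain hash is deterministic, a salt makes equal passwords differ, and the hash can be applied M times) as an added example in Python. This is not code from the CoreOne Suite; it uses SHA-256 from the standard library, and the 16-byte salt length is an assumption.

```python
import hashlib
import hmac
import os

SALT_LEN = 16  # assumption: 16 random bytes per password


def plain_hash(password: str) -> bytes:
    """Unsalted SHA-256: the same input always gives the same output."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def new_salt() -> bytes:
    """Fresh random salt from the OS CSPRNG; generated per password, never reused."""
    return os.urandom(SALT_LEN)


def salted_hash(password: str, salt: bytes, iterations: int = 1) -> bytes:
    """Hash salt || password, then re-hash the result (iterations - 1) more times.

    This follows the page's description of applying the hash M times. The salt
    and the iteration count must be stored next to the result so that the same
    calculation can be repeated when the password is checked.
    """
    if iterations < 1:
        raise ValueError("iterations must be at least 1")
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    for _ in range(iterations - 1):
        digest = hashlib.sha256(digest).digest()
    return digest


def verify(password: str, salt: bytes, iterations: int, stored: bytes) -> bool:
    """Recompute and compare in constant time to avoid a timing side channel."""
    return hmac.compare_digest(salted_hash(password, salt, iterations), stored)


if __name__ == "__main__":
    # Constructed sample: two users happen to choose the same password.
    pw = "Winter2024!"
    alice_salt, bob_salt = new_salt(), new_salt()
    print(plain_hash(pw) == plain_hash(pw))                          # True: reuse is visible
    print(salted_hash(pw, alice_salt) == salted_hash(pw, bob_salt))  # False: salts differ
    print(verify(pw, alice_salt, 10000, salted_hash(pw, alice_salt, 10000)))  # True
```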
Password Storage
When talking about stored passwords within the CoreOne Suite, we need to distinguish two use cases: whether we need the plain text password again later on (stored passwords), or whether we only need to validate a password later on (hashed passwords).
Stored Password
In order to access certain third party applications or APIs, we need to store credentials (username and password) in a way that allows us to read them at a later point and provide them to the third party in plain text again. Therefore we cannot simply store the hash value of the password. These passwords are stored using AES-256, a symmetric encryption.
Hashed Password
Logon credentials for the authentication server do not need to be stored in a way that allows the plain text to be restored. In order to validate a user's password, it is enough to calculate the hash of the entered password and compare it to the saved hash. This salted hash is calculated using the scrypt hashing algorithm.
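An added example (not the CoreOne Suite's own code) of the salted scrypt approach described above, in Python: the salt and the cost parameters are kept inside the stored record so that a later logon check can recompute exactly the same hash. The cost parameters and the record format are assumptions, since the page does not state them.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed cost parameters: n = CPU/memory cost (power of two), r = block size,
# p = parallelism. scrypt needs 128 * r * n bytes, here 16 MiB per calculation.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_LEN, DK_LEN = 16, 32


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scrypt$n$r$p$<salt b64>$<hash b64>."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DK_LEN)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     _b64(salt), _b64(dk)])


def verify_password(password: str, record: str) -> bool:
    """Recompute scrypt with the salt and parameters found in the stored record.

    Malformed records return False instead of raising, so a corrupted row can
    never be mistaken for a successful logon.
    """
    try:
        algo, n, r, p, salt_b64, dk_b64 = record.split("$")
        if algo != "scrypt":
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(dk_b64, validate=True)
        actual = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                                n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except ValueError:  # bad field count, bad base64, bad integers or scrypt params
        return False
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    record = hash_password("Winter2024!")          # constructed sample credential
    print(record.split("$")[:4])                   # ['scrypt', '16384', '8', '1']
    print(verify_password("Winter2024!", record))  # True
    print(verify_password("winter2024!", record))  # False
```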
Digital Signature
A digital signature is a mathematical method to verify the authenticity of a message or a document. This is usually done by calculating a hash value over the message using the public certificate of the signer. If the content was modified, the hash will not match the hash attached to the message.
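The sign-and-verify flow for a signed message, as an added example in Python that is not CoreOne Suite code: the page does not name the signature algorithm, so Ed25519 from the `cryptography` package and the token-like payload are assumptions. The signer's private key produces the signature; the recipient needs only the signer's public key to check it, and any change to the content makes that check fail.

```python
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey, Ed25519PublicKey)


def new_signing_key() -> Ed25519PrivateKey:
    """The signer's private key; it never leaves the signer (e.g. the IdP)."""
    return Ed25519PrivateKey.generate()


def sign(private_key: Ed25519PrivateKey, message: bytes) -> bytes:
    """Ed25519 hashes the message internally and signs the digest with the private key."""
    return private_key.sign(message)


def verify(public_key: Ed25519PublicKey, message: bytes, signature: bytes) -> bool:
    """The recipient checks the signature with the signer's public key only."""
    try:
        public_key.verify(signature, message)
        return True
    except InvalidSignature:
        return False


def demo() -> tuple:
    """Returns (genuine ok, tampered ok, other signer ok) for a constructed payload."""
    signer = new_signing_key()
    message = b'{"sub":"alice","aud":"coreone","exp":1700000000}'  # constructed sample
    signature = sign(signer, message)
    genuine = verify(signer.public_key(), message, signature)
    # One changed byte in the content invalidates the signature.
    tampered = verify(signer.public_key(), message.replace(b"alice", b"admin"), signature)
    # A signature from a different key pair is rejected as well.
    other_signer = verify(new_signing_key().public_key(), message, signature)
    return genuine, tampered, other_signer


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```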
Encrypted Attributes
Within the CoreOne Suite Meta Directory you can choose to store any given attribute as an encrypted value. If you do so, the values are symmetrically encrypted using AES-256.
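Reversible storage, as used for the stored passwords and the encrypted Meta Directory attributes described above, as an added example in Python (not the CoreOne Suite's own implementation). The page only says AES-256, so the GCM mode, the 12-byte nonce layout, binding the attribute name as associated data, and the use of the `cryptography` package are assumptions.

```python
import os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12  # GCM nonce; must be unique for every encryption under the same key


def new_key() -> bytes:
    """Constructed 256-bit key. In a deployment it comes from a key store,
    never from the same configuration file as the values it protects."""
    return AESGCM.generate_key(bit_length=256)


def encrypt_value(key: bytes, plaintext: str, attribute: str) -> bytes:
    """AES-256-GCM. Returns nonce || ciphertext || tag.

    The attribute name is bound as associated data: a ciphertext copied from
    one attribute (or one service's credential) will not decrypt under another.
    """
    if len(key) != 32:
        raise ValueError("AES-256 needs a 32-byte key")
    nonce = os.urandom(NONCE_LEN)
    ct = AESGCM(key).encrypt(nonce, plaintext.encode("utf-8"), attribute.encode("utf-8"))
    return nonce + ct


def decrypt_value(key: bytes, blob: bytes, attribute: str) -> str:
    """Raises InvalidTag if the blob was modified or the attribute does not match."""
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return AESGCM(key).decrypt(nonce, ct, attribute.encode("utf-8")).decode("utf-8")


def is_intact(key: bytes, blob: bytes, attribute: str) -> bool:
    try:
        decrypt_value(key, blob, attribute)
        return True
    except InvalidTag:
        return False


if __name__ == "__main__":
    key = new_key()
    blob = encrypt_value(key, "S3rv1ce-P@ss", "svcAccount.password")  # constructed sample
    print(decrypt_value(key, blob, "svcAccount.password"))       # S3rv1ce-P@ss
    print(is_intact(key, blob, "svcAccount.username"))            # False: wrong attribute
    tampered = blob[:-1] + bytes([blob[-1] ^ 0x01])
    print(is_intact(key, tampered, "svcAccount.password"))        # False: tag check fails
```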
Connections
Connection Strings
Connection strings that are stored in configuration files on the servers are symmetrically encrypted using AES-256.
HTTP Connections
All HTTP connections from and to the CoreOne Suite are made using HTTPS. No plain HTTP connections are established.
WCF Connections
Any connection performed using WCF is done over HTTPS, and the content of the messages is additionally encrypted using AES-256.
Other Connections
Other connections to various systems may be made using the appropriate protocols. Wherever possible we use a secure communication channel, but not all third party applications provide one. Some legacy applications might, for example, only support HTTP.
Certificates
Many certificates are used within the CoreOne Suite: communication certificates for WCF and HTTPS, signing certificates for OIDC and SAML messages, and so on. You will find more information about them here: System requirement certificates
Configuration Files
All configuration files that contain sensitive information are symmetrically encrypted using AES-256.
Log Files
Any sensitive information, such as connection strings, passwords or personal data about a user, is redacted from the log files by default.