Environment
Novell SecureLogin
NSL6.x
NSL7.x
Situation
A few questions and answers regarding SecureLogin security.
Resolution
1. How are SecureLogin encryption keys generated?
Random keys are generated using MSCAPI. Keys are 3DES (192 bit) or AES (256 bit). 3DES is the default encryption. Use of AES is a preference option available for XP or newer operating systems.
2. How is the key secured?
User keys are encrypted a second time using either the passphrase or the password before being stored. This is also done with either 3DES or AES according to the preference setting.
3. How is the encryption key stored?
User keys are encrypted using either 3DES or AES and are stored in the directory. If SecretStore has been enabled the key is encrypted again with NICI (128 bit) before being stored in the directory. If the local cache has been enabled the 3DES or AES encrypted key is also stored in the workstation registry.
4. Is the local NSL cache file always encrypted?
Yes.
5. Has anyone run a brute force attack against the local NSL cache file?
Not to our knowledge. However, NSL has passed FIPS 142 certification which includes security breach testing.
6. Can someone copy the local NSL cache file and key to login?
No. The key is encrypted.
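The key handling described in items 2, 3 and 6 above, as an added example that is not part of the original article and not SecureLogin's own code: a random data key is wrapped under a key-encryption key derived from the user's passphrase or password, and the wrapped blob (what the directory or the workstation registry would hold) yields nothing without that secret. The article names only 3DES/AES, so the derivation function (PBKDF2-HMAC-SHA256), the cipher mode (AES-256-GCM), the use of crypto/rand in place of MSCAPI, the iteration count and all function and constant names are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	saltLen    = 16     // random salt stored alongside the wrapped key
	kekLen     = 32     // 256-bit key-encryption key (AES-256)
	pbkdfIters = 100000 // example work factor, not a SecureLogin parameter
)

// pbkdf2SHA256 is PBKDF2-HMAC-SHA256 (RFC 8018), written out here so the
// example needs nothing outside the Go standard library.
func pbkdf2SHA256(secret, salt []byte, iterations, keyLen int) []byte {
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		mac := hmac.New(sha256.New, secret)
		mac.Write(salt)
		mac.Write(idx[:])
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iterations; i++ {
			mac = hmac.New(sha256.New, secret)
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// GenerateUserKey returns a fresh random 256-bit data key; it stands in for
// the MSCAPI-generated key the article describes.
func GenerateUserKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM derives the KEK from the secret and salt and returns an AES-256-GCM AEAD.
func newGCM(secret string, salt []byte) (cipher.AEAD, error) {
	kek := pbkdf2SHA256([]byte(secret), salt, pbkdfIters, kekLen)
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// WrapKey encrypts userKey under a KEK derived from secret (the user's
// passphrase or password). Blob layout: salt || nonce || ciphertext+tag.
func WrapKey(userKey []byte, secret string) ([]byte, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	gcm, err := newGCM(secret, salt)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// The salt is also bound as associated data, so tampering with it is detected.
	sealed := gcm.Seal(nil, nonce, userKey, salt)
	return append(append(append([]byte{}, salt...), nonce...), sealed...), nil
}

// UnwrapKey reverses WrapKey. With the wrong secret the GCM tag check fails
// and no key material is returned, which is why a copied blob is not enough.
func UnwrapKey(blob []byte, secret string) ([]byte, error) {
	if len(blob) < saltLen+12+16 {
		return nil, errors.New("wrapped key blob too short")
	}
	salt := blob[:saltLen]
	gcm, err := newGCM(secret, salt)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	return gcm.Open(nil, blob[saltLen:saltLen+n], blob[saltLen+n:], salt)
}

func main() {
	userKey, _ := GenerateUserKey()
	blob, _ := WrapKey(userKey, "correct horse battery staple") // constructed passphrase
	got, err := UnwrapKey(blob, "correct horse battery staple")
	fmt.Println("right secret recovers key:", err == nil && bytes.Equal(got, userKey))
	_, err = UnwrapKey(blob, "some other value")
	fmt.Println("wrong secret rejected:", err != nil)
}
```

Which secret the KEK is derived from decides who can unwrap the key: a passphrase that only the user knows, or a directory password that an administrator is able to reset. That distinction is the non-repudiation point made in item 8 below.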
7. What security certifications does NSL have?
SecureLogin is FIPS 142 compliant.
8. Are there any security and best-practice guides for rollout?
The default settings are what we recommend. Also, Novell Technical Services recommends using passphrases (default). Setting passphrase to "hidden" breaks non-repudiation; an admin can change the password and gain access to the cache.