Encryption options for a SecureLogin user

  • 7940455
  • 19-Aug-2009
  • 26-Apr-2012

Environment

Novell SecureLogin SSO
Situation

What are the encryption/decryption options for a user’s Single Sign-on credentials?

Resolution

SecureLogin encrypts SSO data to protect a user’s credentials from unauthorized access/use. Depending on the version of NSL you are running, there are a number of options available.

The SSO administrator can centrally define the desired encryption method via the user object, a group policy object or an OU.

Version 2.x and 3.0.x

  • User defined passphrase key

The user is prompted to define a passphrase question and answer when SecureLogin loads for the very first time. The passphrase question is asked again if the user’s Directory password is reset by someone other than the user (e.g. by the administrator).

Version 3.5.x and 6.x

In version 6.x of SecureLogin, the ability to disable the passphrase system was introduced.

  • User defined passphrase key
  • Randomly generated key (user defined passphrase system disabled)

With the passphrase system disabled, the user is not prompted for a passphrase question and answer, nor are they prompted to answer the question if their AD password is reset by someone other than them (e.g. by an administrator using MMC).

Version 6.x and later

In version 6 of SecureLogin, credentials can be encrypted using the user’s certificate/public key. This means only the user’s private key (stored on the smart card and PIN protected) can be used to decrypt their credentials. If required, keys can be archived/escrowed by the CA (if such policies are enforced) so that SSO credentials encrypted with lost keys can be recovered when smart cards are lost, stolen, etc.

ActivIdentity Card Management System (CMS) can be used to coordinate this process. If key escrow is in place, the keys are typically stored securely (e.g. in the CA or in an HSM) and the card management system handles key recovery by communicating with the CA. Alternatively, a passphrase can be used as a backup method, but this is not as secure.

  • PKI credentials (public key for encryption and private key for decryption)
  • User defined passphrase key
  • Randomly generated key (passphrase system disabled)
  • Randomly generated key stored on the smart card (passphrase system disabled)
  • When PKI credentials are used to encrypt data, passphrases can be disabled completely