Joe:
I can answer the first three questions:
Starting with ARS 6.3 (as far as I know), all transmissions
between the client and the ARS server are encrypted by default. The type
and method of encryption are unknown to me, but could be based on a well-known
encryption method.
The Remedy Encryption product provides higher levels of
encryption based upon larger keys. The default encryption supposedly uses
a 56-bit key, but it could be larger or smaller.
James McKenzie
From: Action Request System discussion list (ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of Joe DeSouza
Sent: Thursday, August 17, 2006 10:39 AM
To: [email protected]
Subject: Re: Encryption and Remedy ARS 6.3
Roger, James, Ed, Rick,
Thanks for your responses...
To the best of my knowledge Encryption between the ARS and the Oracle
server was never and isn't as yet supported. This is because when you enable
Oracle encryption, the .so file that the installation process needs to be
compiled with is not supported with the ARS installer and its binaries. To
support this Remedy would need to recompile its installation scripts which
to the best of my knowledge wasn't done and isn't done as yet. Yes we do plan to
use a sniffer tool to verify what actually happens.
I guess I did not really clearly state my question to the list on my
original post - so I'll explain better below....
Basically my customer has raised a few concerns about security which I hope
to share with you guys as best as I can. I invite your replies to these
questions..:-
1) Is the user name sent as clear text?
2) Is the password sent as clear text?
3) Are both the user name and passwords sent as clear text?
4) Is the encryption a hex or linear conversion of the contents
of the password field (and username field)? Or is it a better
encryption algorithm than that?
5) What is the kind of algorithm that is used for this encryption?
Something that an average hacker with standard hacking tools available pretty
much as freeware could hack into? Or is it using a proprietary algorithm that
hasn't been broken into as yet?
I guess these are more the questions that I would be interested to get
answers to.
Joe D'Souza
Remedy Developer / Consultant,
BearingPoint,
Virginia.
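
Questions 1 to 4 above, together with the plan to verify with a sniffer, can be checked against your own capture by logging in with a throwaway test account and searching the captured payload bytes for that credential in clear text or in trivially reversible forms. The sketch below is an added example and not part of the original thread; the function names, the test credentials and both payloads are constructed for illustration, and it assumes nothing about the actual ARS wire format.

```python
import base64

def trivial_forms(secret: str) -> dict:
    """Clear text plus trivially reversible encodings of a known test credential."""
    raw = secret.encode()
    return {
        "clear text": raw,
        "hex": raw.hex().encode(),
        "base64": base64.b64encode(raw),
        "utf-16le": secret.encode("utf-16-le"),
        "reversed": raw[::-1],
    }

def xor_keys(secret: str, payload: bytes) -> list:
    """Single-byte XOR keys under which the credential appears in the payload."""
    raw = secret.encode()
    return [k for k in range(1, 256) if bytes(b ^ k for b in raw) in payload]

def audit(payload: bytes, username: str, password: str) -> list:
    """Return (field, form) pairs for every recoverable form found in payload."""
    findings = []
    for field, secret in (("username", username), ("password", password)):
        for form, needle in trivial_forms(secret).items():
            if needle in payload:
                findings.append((field, form))
        findings += [(field, f"xor 0x{k:02x}") for k in xor_keys(secret, payload)]
    return findings

# Constructed sample data: a throwaway test account and two made-up payloads.
USER, PASSWORD = "testuser", "S3cret!pw"
WEAK = b"\x00\x10LOGIN\x00testuser\x00" + PASSWORD.encode().hex().encode() + b"\x00"
OPAQUE = bytes(range(128, 192))  # stands in for an encrypted payload

if __name__ == "__main__":
    for name, payload in (("WEAK", WEAK), ("OPAQUE", OPAQUE)):
        print(name, audit(payload, USER, PASSWORD) or "no trivial form found")
```

An empty result only rules out the forms tested here; it says nothing about the strength of whatever algorithm produced the payload.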

