Joe:
I think there are two additional levels. One uses Triple-DES at 168 bits and the highest is something like 1024 bit RSA. I could be wrong though. It would be best to contact your Sales folks at BMC for further details.
James McKenzie
________________________________
From: Action Request System discussion list(ARSList) [mailto:[email protected]] On Behalf Of Joe DeSouza
Sent: Thursday, August 17, 2006 11:10 AM
To: [email protected]
Subject: Re: Encryption and Remedy ARS 6.3
**
James,
Thanks for your response. 56 bit key is a little lower than I thought it should be at.. Too many tools out there in the market that could break that down... I was hoping it would be higher than that. I think I heard some talk around the security departments that they expect stuff to be at least at a level of 128 bit encryption..
Any idea what level of encryption does the Remedy Encryption products use? Does this product work well if you have integrated into LDAP?
Joe D'Souza
Remedy Developer / Consultant,
BearingPoint,
Virginia.
----- Original Message ----
From: "McKenzie, James J C-E LCMC HQISEC/L3" <[EMAIL PROTECTED]>
To: [email protected]
Sent: Thursday, August 17, 2006 1:44:30 PM
Subject: Re: Encryption and Remedy ARS 6.3
**
Joe:
I can answer the first three questions:
Starting with ARS 6.3 (as far as I know), all transmissions between the client and the ARS server are encrypted by default. The type and method of encryption are unknown to me, but could be based on a well-known encryption method.
The Remedy Encryption product provides higher levels of encryption based upon larger keys. The default encryption supposedly uses a 56 bit key, but it could be larger or smaller.
James McKenzie
________________________________
From: Action Request System discussion list(ARSList) [mailto:[email protected]] On Behalf Of Joe DeSouza
Sent: Thursday, August 17, 2006 10:39 AM
To: [email protected]
Subject: Re: Encryption and Remedy ARS 6.3
**
Roger, James, Ed, Rick,
Thanks for your responses...
To the best of my knowledge Encryption between the ARS and the Oracle server was never and isn't as yet supported. This is because when you enable Oracle encryption, the .so file that the installation process needs to be compiled with is not supported with the ARS installer and its binaries. To support this Remedy would need to recompile its installation scripts which to the best of my knowledge wasn't done and isn't done as yet. Yes we do plan to use a sniffer tool to verify what actually happens.
I guess I did not really cleary state my question to the list on my original post - so I'll explain better below....
Basically my customer has raised a few concerns about security which I hope to share with you guys as best as I can. I invite your replies to these questions..:-
1) Is the user name sent as clear text?
2) Is the password sent as clear text?
3) Are both the user name and passwords sent as clear text?
4) Is the encryption a hex or linear conversion of the contents of the password field (and username field)? Or is it a better encrytpion algorithm than that?
5) What is the kind of algorithm that is used for this encryption? Something that an average hacker with standard hacking tools available pretty much as freewares could hack into? Or is it using a proprietry algorithm that hasn't been broken into as yet?
I guess these are more the questions that I would be interested to get answers to.
Joe D'Souza
Remedy Developer / Consultant,
BearingPoint,
Virginia.
__20060125_______________________This posting was submitted with HTML in it___ __20060125_______________________This posting was submitted with HTML in it___
__20060125_______________________This posting was submitted with HTML in it___
__20060125_______________________This posting was submitted with HTML in it___
