Thanks Christie,
Anyone knows anything about the estimated costs for these products? Cost of the base product plus support? I was trying to call Remedy Support for basic information on their Encryption products, but I'm not quite sure I enjoy their bacground music if I have to listen to it for more than 20 minutes!
Guys at least change the damn %*#$&@^ record! Least they could do if the call wait period is as much as it is - have some good stuff playing :-)
Joe D'Souza
Remedy Developer / Consultant,
BearingPoint,
Virginia.
----- Original Message ----
From: "Christie, Garron" <[EMAIL PROTECTED]>
To: [email protected]
Sent: Thursday, August 17, 2006 2:13:26 PM
Subject: Re: Encryption and Remedy ARS 6.3
**
From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of Joe DeSouza
Sent: Thursday, August 17, 2006 12:10 PM
To: [email protected]
Subject: Re: Encryption and Remedy ARS 6.3
**
From: "Christie, Garron" <[EMAIL PROTECTED]>
To: [email protected]
Sent: Thursday, August 17, 2006 2:13:26 PM
Subject: Re: Encryption and Remedy ARS 6.3
**
You can get 128, 1024, and I think 4096 packages, not sure what the costs are, but if I remember correctly, it involves deploying a separate package to all the clients.
HTH,
Garron Christie
From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of Joe DeSouza
Sent: Thursday, August 17, 2006 12:10 PM
To: [email protected]
Subject: Re: Encryption and Remedy ARS 6.3
James,
Thanks for your response. 56 bit key is a little lower than I thought it should be at.. Too many tools out there in the market that could break that down... I was hoping it would be higher than that. I think I heard some talk around the security departments that they expect stuff to be at least at a level of 128 bit encryption..
Any idea what level of encryption does the Remedy Encryption products use? Does this product work well if you have integrated into LDAP?
Joe D'Souza
Remedy Developer / Consultant,
BearingPoint,
Virginia.
----- Original Message ----
From: "McKenzie, James J C-E LCMC HQISEC/L3" <[EMAIL PROTECTED]>
To: [email protected]
Sent: Thursday, August 17, 2006 1:44:30 PM
Subject: Re: Encryption and Remedy ARS 6.3
**
From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of Joe DeSouza
Sent: Thursday, August 17, 2006 10:39 AM
To: [email protected]
Subject: Re: Encryption and Remedy ARS 6.3
**
From: "McKenzie, James J C-E LCMC HQISEC/L3" <[EMAIL PROTECTED]>
To: [email protected]
Sent: Thursday, August 17, 2006 1:44:30 PM
Subject: Re: Encryption and Remedy ARS 6.3
**
Joe:
I can answer the first three questions:
Starting with ARS 6.3 (as far as I know), all transmissions between the client and the ARS server are encrypted by default. The type and method of encryption are unknown to me, but could be based on a well-known encryption method.
The Remedy Encryption product provides higher levels of encryption based upon larger keys. The default encryption supposedly uses a 56 bit key, but it could be larger or smaller.
James McKenzie
From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of Joe DeSouza
Sent: Thursday, August 17, 2006 10:39 AM
To: [email protected]
Subject: Re: Encryption and Remedy ARS 6.3
Roger, James, Ed, Rick,
Thanks for your responses...
To the best of my knowledge Encryption between the ARS and the Oracle server was never and isn't as yet supported. This is because when you enable Oracle encryption, the .so file that the installation process needs to be compiled with is not supported with the ARS installer and its binaries. To support this Remedy would need to recompile its installation scripts which to the best of my knowledge wasn't done and isn't done as yet. Yes we do plan to use a sniffer tool to verify what actually happens.
I guess I did not really cleary state my question to the list on my original post - so I'll explain better below....
Basically my customer has raised a few concerns about security which I hope to share with you guys as best as I can. I invite your replies to these questions..:-
1) Is the user name sent as clear text?
2) Is the password sent as clear text?
3) Are both the user name and passwords sent as clear text?
4) Is the encryption a hex or linear conversion of the contents of the password field (and username field)? Or is it a better encrytpion algorithm than that?
5) What is the kind of algorithm that is used for this encryption? Something that an average hacker with standard hacking tools available pretty much as freewares could hack into? Or is it using a proprietry algorithm that hasn't been broken into as yet?
I guess these are more the questions that I would be interested to get answers to.
Joe D'Souza
Remedy Developer / Consultant,
BearingPoint,
Virginia.
