Thanks Christie!
 
That's nice information.. should have checked out their site :-) I just lack that time these days on this project..
 
Joe D'Souza
Remedy Developer / Consultant,
BearingPoint,
Virginia.


----- Original Message ----
From: "Christie, Garron" <[EMAIL PROTECTED]>
To: [email protected]
Sent: Thursday, August 17, 2006 3:01:57 PM
Subject: Re: Encryption and Remedy ARS 6.3

You got me curious, so I looked into it a little. I was incorrect as far as the strength of the encryption packages. Check out http://documents.bmc.com/products/documents/91/34/59134/59134.pdf 
Here is what it says (Sorry for the format - don't have time to clean it up):
 
BMC Remedy AR System provides a variety of access control features that protect sensitive applications and data. Password protection ensures that only authorized users are permitted to enter the system. And group permissions restrict authorized users to access only those system resources, such as applications, forms, fields, and even records, that they are authorized to view or change.

For complete protection, however, you also need to ensure that sensitive information is protected from eavesdroppers as it is passed “over the wire” among the various components of the system. Secure Sockets Layer (SSL) encryption encrypts information communicated between Web browsers and Web servers, protecting it from eavesdroppers.

Now, with BMC® Remedy® Encryption, you can encrypt the information passed over the wire between your BMC Remedy AR System Server and the other components to which it connects, such as Web servers and BMC Remedy AR System clients. So, you can provide complete end-to-end encryption of information — all the way from end users to the final data storage. As a result, you protect critical information from eavesdroppers inside and outside the firewall.

Protect your sensitive applications and data from unauthorized access. Use BMC Remedy Encryption to help provide complete end-to-end encryption of information.

If your organization is like most, you need to expose critical BMC® Remedy® Action Request System® (AR System®) applications and data to an increasing number of users — both inside and outside the organization. Many of these applications and data deal with sensitive information. So, it is imperative that you protect them from unauthorized access by users, not only from outside the firewall, but from inside, as well. According to studies, while the threat of external hackers is certainly growing, insider security breaches are also on the rise. For this reason, you need to protect your sensitive applications and data from all unauthorized users — whether internal or external.

BMC REMEDY SERVICE MANAGEMENT PRODUCT DATASHEET
BMC Remedy Encryption
Bring Complete End-to-end Encryption to BMC Remedy Action Request System Applications

Strong Public Key/Private Key Technology
BMC Remedy Encryption employs public key encryption technology to secure the links to the BMC Remedy AR System server. The BMC Remedy AR System server generates the public key and private key and makes the public key available to BMC Remedy AR System clients, which includes Web servers. The client generates a secret code and uses the public key to encrypt it when it sends it back to the BMC Remedy AR System server. The BMC Remedy AR System server then decrypts the secret code and both the client and the server then generate a symmetric data encryption key using the secret code and other data. As a result, the symmetric encryption key is never transmitted over the wire and is not exposed to eavesdroppers, ensuring strong security.

Meet a Variety of Security Needs
BMC Remedy Encryption is available in two versions that differ in the strength of their keys. You can select the version that best meets your security requirements.
> BMC Remedy Encryption – Performance Security
Implements open standards library to generate 128-bit equivalent public key pairs and the RC4 data encryption key algorithm to generate 128-bit equivalent symmetric keys
> BMC Remedy Encryption – Premium Security
Implements open standards library to generate 2048-bit equivalent public key pairs and the RC4 data encryption key algorithm to generate 2048-bit equivalent symmetric keys (also includes Performance Security key technologies)

Usage Scenario
How does it all pull together? If you take the average end user accessing a BMC Remedy AR System application through a Web browser or Windows client, they’ll now be able to experience end-to-end data security.

Web
When an end user submits a request through their browser, the information they’ve submitted can be encrypted with the Secure Sockets Layer (SSL), the popular security protocol supported by most Web servers. From there, the request is sent from the Web server to the BMC Remedy AR System server. With BMC Remedy Encryption, the link between the servers can be encrypted based on an encryption level that meets the needs and restrictions of your company. You can choose to use either the basic encryption that ships with the BMC Remedy AR System (56-bit equivalent) or, for more stringent security requirements, you can use the 128-bit equivalent Performance Security or the 2048-bit equivalent Premium Security — each of which provides an end-to-end encryption link along the data route.

Windows
Along the same lines, a user accessing a BMC Remedy AR System application through the Windows user tool can also send and receive data over an encrypted link to the BMC Remedy AR System server using BMC Remedy Encryption.

About BMC Remedy Action Request System
BMC Remedy AR System is a Service Process Management (SPM) solution that provides a single, consolidated platform for automating and managing service management business processes. BMC Remedy AR System is the foundation for the BMC® Atrium™ Configuration Management Database (CMDB), as well as BMC® Remedy IT Service Management for the Enterprise, BMC® Remedy Customer Service and Support, and thousands of partner and customer-built Service Management applications. With its request-centric, forms-driven, workflow-based architecture, the BMC Remedy AR System environment is optimized for efficiencies in Service Management business

Briefly:
 
For complete protection, however, you also need to ensure that sensitive information is protected from eavesdroppers as it is passed “over the wire” among the various components of the system. Secure Sockets Layer (SSL) encryption encrypts information communicated between Web browsers and Web servers, protecting it from eavesdroppers.

Now, with BMC® Remedy® Encryption, you can encrypt the information passed over the wire between your BMC Remedy AR System Server and the other components to which it connects, such as Web servers and BMC Remedy AR System clients. So, you can provide complete end-to-end encryption of information — all the way from end users to the final data storage. As a result, you protect critical information from eavesdroppers inside and outside the firewall.
 
 
 
Meet a Variety of Security Needs
BMC Remedy Encryption is available in two versions that differ in the strength of their keys. You can select the version that best meets your security requirements.
> BMC Remedy Encryption – Performance Security
Implements open standards library to generate 128-bit equivalent public key pairs and the RC4 data encryption key algorithm to generate 128-bit equivalent symmetric keys
> BMC Remedy Encryption – Premium Security
Implements open standards library to generate 2048-bit equivalent public key pairs and the RC4 data encryption key algorithm to generate 2048-bit equivalent symmetric keys (also includes Performance Security key technologies)
 
 
Garron
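
The exchange the datasheet describes under "Strong Public Key/Private Key Technology", sketched as an added example that is not part of the original thread and is not BMC's implementation. The toy RSA parameters, the two nonces standing in for the "other data", and HMAC-SHA256 as the derivation step are all assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed toy RSA key built from two Mersenne primes (about 150 bits, far
# too small for real use; textbook RSA without padding is not secure either).
P, Q, E = 2**61 - 1, 2**89 - 1, 65537


def server_keypair():
    """Server side: generate the key pair; only (n, e) is published."""
    n = P * Q
    d = pow(E, -1, (P - 1) * (Q - 1))
    return (n, E), d


def derive_key(secret, client_nonce, server_nonce):
    """Both ends derive the data key from the secret plus 'other data'.
    Two nonces and HMAC-SHA256 are assumptions made for this sketch."""
    raw = secret.to_bytes(32, "big")
    return hmac.new(raw, client_nonce + server_nonce, hashlib.sha256).digest()


def handshake():
    """Run one exchange; return both derived keys, the wire view, and d."""
    (n, e), d = server_keypair()
    server_nonce = secrets.token_bytes(16)
    # Client: pick a secret and encrypt it under the server's public key.
    client_nonce = secrets.token_bytes(16)
    secret = secrets.randbelow(n - 2) + 2
    wrapped = pow(secret, e, n)
    client_key = derive_key(secret, client_nonce, server_nonce)
    # Server: unwrap with the private exponent and derive the same key.
    server_key = derive_key(pow(wrapped, d, n), client_nonce, server_nonce)
    wire = {"n": n, "e": e, "wrapped": wrapped,
            "client_nonce": client_nonce, "server_nonce": server_nonce}
    return client_key, server_key, wire, d


def recover_from_capture(wire, private_d):
    """A recorded session plus the server's private key yields the data key:
    this style of key transport provides no forward secrecy."""
    secret = pow(wire["wrapped"], private_d, wire["n"])
    return derive_key(secret, wire["client_nonce"], wire["server_nonce"])
```

The derived key never appears in the wire view, but `recover_from_capture` shows that the confidentiality of every recorded session rests on the server's private key staying private.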


From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of Joe DeSouza
Sent: Thursday, August 17, 2006 12:41 PM
To: [email protected]
Subject: Re: Encryption and Remedy ARS 6.3

 
Thanks Christie,
 
Does anyone know anything about the estimated costs for these products? Cost of the base product plus support? I was trying to call Remedy Support for basic information on their Encryption products, but I'm not quite sure I enjoy their background music if I have to listen to it for more than 20 minutes!
 
Guys at least change the damn %*#$&@^ record! Least they could do if the call wait period is as much as it is - have some good stuff playing :-)
 
Joe D'Souza
Remedy Developer / Consultant,
BearingPoint,
Virginia.


----- Original Message ----
From: "Christie, Garron" <[EMAIL PROTECTED]>
To: [email protected]
Sent: Thursday, August 17, 2006 2:13:26 PM
Subject: Re: Encryption and Remedy ARS 6.3

You can get 128, 1024, and I think 4096 packages, not sure what the costs are, but if I remember correctly, it involves deploying a separate package to all the clients.
 
HTH,
Garron Christie


From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of Joe DeSouza
Sent: Thursday, August 17, 2006 12:10 PM
To: [email protected]
Subject: Re: Encryption and Remedy ARS 6.3

 
James,
 
Thanks for your response. 56 bit key is a little lower than I thought it should be at.. Too many tools out there in the market that could break that down... I was hoping it would be higher than that. I think I heard some talk around the security departments that they expect stuff to be at least at a level of 128 bit encryption..
 
Any idea what level of encryption does the Remedy Encryption products use? Does this product work well if you have integrated into LDAP?
 
Joe D'Souza
Remedy Developer / Consultant,
BearingPoint,
Virginia.


----- Original Message ----
From: "McKenzie, James J C-E LCMC HQISEC/L3" <[EMAIL PROTECTED]>
To: [email protected]
Sent: Thursday, August 17, 2006 1:44:30 PM
Subject: Re: Encryption and Remedy ARS 6.3

Joe:
 
I can answer the first three questions:
 
Starting with ARS 6.3 (as far as I know), all transmissions between the client and the ARS server are encrypted by default.  The type and method of encryption are unknown to me, but could be based on a well-known encryption method.
The Remedy Encryption product provides higher levels of encryption based upon larger keys.  The default encryption supposedly uses a 56 bit key, but it could be larger or smaller.
 
James McKenzie


From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of Joe DeSouza
Sent: Thursday, August 17, 2006 10:39 AM
To: [email protected]
Subject: Re: Encryption and Remedy ARS 6.3

Roger, James, Ed, Rick,
 
Thanks for your responses...
 
To the best of my knowledge Encryption between the ARS and the Oracle server was never and isn't as yet supported. This is because when you enable Oracle encryption, the .so file that the installation process needs to be compiled with is not supported with the ARS installer and its binaries. To support this Remedy would need to recompile its installation scripts which to the best of my knowledge wasn't done and isn't done as yet. Yes we do plan to use a sniffer tool to verify what actually happens.
 
I guess I did not really clearly state my question to the list on my original post - so I'll explain better below....
 
Basically my customer has raised a few concerns about security which I hope to share with you guys as best as I can. I invite your replies to these questions..:-
 
1) Is the user name sent as clear text?
 
2) Is the password sent as clear text?
 
3) Are both the user name and passwords sent as clear text?
 
4) Is the encryption a hex or linear conversion of the contents of the password field (and username field)? Or is it a better encryption algorithm than that?
 
5) What is the kind of algorithm that is used for this encryption? Something that an average hacker with standard hacking tools available pretty much as freeware could hack into? Or is it using a proprietary algorithm that hasn't been broken into as yet?
 
I guess these are more the questions that I would be interested to get answers to.
 
Joe D'Souza
Remedy Developer / Consultant,
BearingPoint,
Virginia.