http://arswiki.org/wiki/index.php?title=Securing_ARS#Securing_Communications_Over_the_Wire

1) Is the user name sent as clear text?
Yes, if no encryption level is configured

2) Is the password sent as clear text?
Never

3) Are both the user name and passwords sent as clear text?
Never

4) Is the encryption a hex or linear conversion of the contents of the
password field (and username field)? Or is it a better encryption
algorithm than that?
I believe it's a proprietary encryption format, unless one of the
encryption levels is in use, in which case, it is a (potential)
proprietary password encryption wrapped in the level of encryption
you've configured.

5) What is the kind of algorithm that is used for this encryption?
Something that an average hacker with standard hacking tools available
pretty much as freeware could hack into? Or is it using a proprietary
algorithm that hasn't been broken into as yet?
See the link

On the bit about encryption to an Oracle db, I received this note from
Doug a while back:
-------------- begin message ---------------------
Axton,

Just curious whether you have tried to turn on the Oracle encryption
between the AR System server and the database?  Did you have trouble
with it?

We believe that there is no problem.  If you have the Oracle feature
for this area turned on and configured correctly, you should have
encrypted traffic between the AR System and the database.  There is
nothing you need to do on the AR System side.

We do call the Oracle libraries and if you have the right things
configured on the Oracle side, you should be good to go.

If you have found differently, I would like to know.  I do know that
we have had more than one customer test this and they seemed happy
with the result of their test.

Doug
-------------- end message ---------------------

The free encryption is:
Standard Security: 512-bit RSA algorithm with cipher block chaining
for the public/private key pair. For the session key, it uses a DES
(Data Encryption Standard) 56-bit algorithm.

It's the strength of the key exchange that is weak.  Modern desktop
computers can crack these in less than a day.  See
http://www.rsasecurity.com/rsalabs/node.asp?id=2108 for some
interesting bits on cracking DES.

Axton
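As an added example, not code from the ARSlist thread or from Remedy/BMC: a small audit script for the two places the thread says wire encryption is configured, the Encrypt-* keys in ar.conf that Carey's reply lists, and the Oracle-side sqlnet.ora settings that Doug's note says are all that is needed for the server-to-database hop. It runs on constructed config fragments. The value meanings assumed for the ar.conf keys (policy 0/1/2 = optional/required/disabled; algorithm 1 = the free 56-bit DES Standard level described above) are assumptions to verify against the Configuration Guide for your release; the sqlnet.ora parameter names and cipher identifiers are Oracle's own.

```python
"""Audit ARS and Oracle wire-encryption settings (added example, not from the thread)."""
import re

# ASSUMPTION: ar.conf value meanings; confirm in the Configuration Guide for your release.
POLICY_NAMES = {"0": "optional", "1": "required", "2": "disabled"}
WEAK_ARS_ALGORITHMS = {"1": "DES 56-bit (free Standard level)"}
# Legacy Oracle cipher families (real SQLNET.ENCRYPTION_TYPES_SERVER names).
WEAK_ORACLE_PREFIXES = ("DES", "3DES", "RC4")


def parse_ar_conf(text):
    """ar.conf is one 'Key: value' per line; '#' starts a comment, last key wins."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip()
    return settings


def parse_sqlnet(text):
    """sqlnet.ora is 'NAME = value'; list values are parenthesised, comma-separated."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z_.]+)\s*=\s*(.+?)\s*$", line.split("#", 1)[0])
        if m:
            settings[m.group(1).upper()] = m.group(2).strip("()").strip()
    return settings


def audit_ar_conf(settings):
    """AR System side: encryption must be required, and the session cipher not the DES level."""
    findings = []
    policy = settings.get("Encrypt-Security-Policy")
    if POLICY_NAMES.get(policy) != "required":
        findings.append(
            "ARS: encryption is %s (Encrypt-Security-Policy=%s); a client that does not "
            "negotiate it sends the user name and all data in the clear, only the password "
            "encoded" % (POLICY_NAMES.get(policy, "not configured"), policy))
    algorithm = settings.get("Encrypt-Data-Encryption-Algorithm")
    if algorithm in WEAK_ARS_ALGORITHMS:
        findings.append("ARS: session cipher is %s" % WEAK_ARS_ALGORITHMS[algorithm])
    return findings


def audit_sqlnet(settings):
    """Oracle side: encryption and integrity REQUIRED, no legacy ciphers negotiable."""
    findings = []
    # Oracle's default for both *_SERVER switches is ACCEPTED, which lets a client decline.
    if settings.get("SQLNET.ENCRYPTION_SERVER", "ACCEPTED").upper() != "REQUIRED":
        findings.append("Oracle: SQLNET.ENCRYPTION_SERVER is not REQUIRED; unencrypted sessions accepted")
    if settings.get("SQLNET.CRYPTO_CHECKSUM_SERVER", "ACCEPTED").upper() != "REQUIRED":
        findings.append("Oracle: SQLNET.CRYPTO_CHECKSUM_SERVER is not REQUIRED; no integrity enforced")
    ciphers = [c.strip().upper() for c in
               settings.get("SQLNET.ENCRYPTION_TYPES_SERVER", "").split(",") if c.strip()]
    weak = [c for c in ciphers if c.startswith(WEAK_ORACLE_PREFIXES)]
    if weak:
        findings.append("Oracle: legacy ciphers allowed: %s" % ", ".join(weak))
    return findings


def audit(ar_conf_text, sqlnet_text):
    """All findings for one ARS server and its Oracle listener; empty list means clean."""
    return audit_ar_conf(parse_ar_conf(ar_conf_text)) + audit_sqlnet(parse_sqlnet(sqlnet_text))


# Constructed fragments for the demo (not from any real server).
WEAK_AR_CONF = """\
Server-Name: arsdev01
Encrypt-Security-Policy: 0
Encrypt-Data-Encryption-Algorithm: 1
Encrypt-Public-Key-Expire: 86400
"""
HARDENED_AR_CONF = """\
Server-Name: arsdev01
Encrypt-Security-Policy: 1
Encrypt-Data-Encryption-Algorithm: 3   # ASSUMPTION: a for-cost, non-DES level
Encrypt-Public-Key-Expire: 3600
"""
WEAK_SQLNET = """\
SQLNET.ENCRYPTION_SERVER = ACCEPTED
SQLNET.ENCRYPTION_TYPES_SERVER = (DES, RC4_128)
"""
HARDENED_SQLNET = """\
SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)
SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA256)
"""

if __name__ == "__main__":
    for label, a, s in (("weak", WEAK_AR_CONF, WEAK_SQLNET),
                        ("hardened", HARDENED_AR_CONF, HARDENED_SQLNET)):
        print(label, audit(a, s) or ["no findings"])
```

Run it against the real files (ar.conf from the server's conf directory, sqlnet.ora from the Oracle client used by the ARS server) by swapping the constructed strings for the file contents; the script only reports, it changes nothing.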

On 8/21/06, Joe DeSouza <[EMAIL PROTECTED]> wrote:

Thanks Mathew,

Good information. Good to have basic encryption for free I guess but like
you said if you want the real good stuff you got to buy it. I think we are
more interested in the premium package and are looking on that option
currently

Joe.



----- Original Message ----
From: Carey Matthew Black <[EMAIL PROTECTED]>
To: [email protected]
Sent: Monday, August 21, 2006 9:39:28 AM
Subject: Re: Encryption and Remedy ARS 6.3


Joe,

(
I know this is now an old thread, but there were some details that
were left out that I think are necessary to understand this topic. So
here they are....
)

Remedy's API has not passed the password in the clear for years. The
password value has been ONLY encoded with a proprietary format. (Maybe
since v1 if memory serves?) Yes, that is not encryption strength, but
it is better than "clear text". And yes, the user name was in the clear
as well as the rest of the data to/from the ARS server.


In v5 Remedy started offering "for cost" encryption packages.

In v6 they "give you" a "lowest level" package for free. ( There are
some config settings too, but it is all server side as long as your
users are using v6 clients. Please verify if the default on your
version/patch is on or off. I believe the default is OFF so that they
do not break older clients. V7 or V8 might change that. :) The "free"
strength is 56 Bit based. Which should be strong enough to keep the
riff-raff out. But for the seriously security minded (DOD types) you
really need the uber encryption package that is still a "for cost" add
on. (and likely a performance drag to some extent. You get nothing for
free. Especially when it comes to encryption. :)

The other thing of note is that the encryption packages (all of them,
even the free one) encrypt all communications and not just password
values. (VERY unlike the days of old) So there are other advantages
to even using the 56 Bit level.

Ref:
ConfigGuide-630.pdf Page: 291 (and around that area)
    Encrypt-Security-Policy
    Encrypt-Public-Key-Expire
    Encrypt-Data-Encryption-Algorithm

HTH

--
Carey Matthew Black
Remedy Skilled Professional (RSP)
ARS = Action Request System(Remedy)

Solution = People + Process + Tools
Fast, Accurate, Cheap.... Pick two.
Never ascribe to malice, that which can be explained by incompetence.



On 8/17/06, Joe DeSouza <[EMAIL PROTECTED]> wrote:
>
>
> Hello Listers,
>
> To the best of my knowledge the Remedy User Tool sends authentication
> information as clear text over the network.. Correct me if I am wrong..
>
> So if the above is right, I do remember Remedy used to sell an encryption
> product. Any information on this would be appreciated.
>
> If no encryption product is used, how does the Mid-Tier client send the
> authentication information? Clear Text????
>
> Rgds
>
> Joe D'Souza
> Remedy Developer / Consultant,
> BearingPoint,
> Virginia.

_______________________________________________________________________________
UNSUBSCRIBE or access ARSlist Archives at http://www.wwrug.org

