In instances where a software token is used to access an application or system, are stored keys and software token files encrypted using an industry-standard algorithm, and are smart cards compliant with FIPS Level 2 or above?
Token data in Active Directory is stored using a proprietary encryption method. However, this concerns only how the token assignment is stored at the attribute level; it is not something that is communicated through the authentication process.
Depending on the token type, the token response is passed using the selected encryption method, i.e. AES, DES or Triple DES. An OATH-compliant option is also available.
- Third-party hardware (non-OATH) token data stored in the defender-tokenData attribute is encrypted using vendor-specific algorithms.
- For Defender software tokens and OATH tokens, the data stored in the defender-tokenData attribute is encrypted using an MD5 message-digest cipher with a hard-coded key that is permuted at run time.
- For soft tokens, the sensitive information is encrypted on the mobile device that generates the one-time password. Optionally, out-of-band identity proofing can be required before the user is allowed to download the authentication token software package over a one-time HTTPS URL.