-
Title
How does Safeguard Authentication Services (SAS) encrypt data? What encryption does SAS use? -
Description
How does SAS encrypt data on the network? What encryption does SAS use?
-
Resolution
Authentication
SAS uses the same high-security Kerberos authentication that Windows clients use. SAS uses the highest encryption that is available from the Domain Controllers.
When using Windows 2000/2003, this is Kerberos HMAC-RC4. When using VAS 3.3.2+ and Windows 2008 Domain Controllers (or newer), AES256 or AES128 is used.
LDAP Queries
All important LDAP queries are secured (for data integrity and privacy) using GSS-SASL ( rootDES queries such as defaultNamingContext and highestCommittedUSN queries use anonymous bind). -
Additional Information
From the vas.conf man pages:
[libvas]
<snip>
ldap-gsssasl-security-layers = <security level>
Default value: 0
By default, when communicating with Active Directory, the QAS API automatically encrypts LDAP traffic for data integrity and privacy. This option allows the SASL security layer to be set to a specific level. With the default value of 0, all traffic will be secured using the highest security that is supported by the LDAP server. If non-zero, the value interpreted as a bit mask as described by RFC 4752: 1 = No security layer, 2 = Integrity protection, 4 = Privacy protection. The following example shows how to turn off security. This may be useful for debugging purposes, or to reduce load when there is no need for network integrity or privacy.
ldap-gsssasl-security-layers = 1