When using persistent caching, the management console encrypts host credentials, as follows:
- It generates a salt or retrieves it from the Java KeyStore, a storage facility for cryptographic keys and certificates, if it has previously been stored in the keystore.
- It uses the salt to generate a unique 128-bit encryption key for the authenticated user. The key generation algorithm is PBKDF2 using HMAC with SHA1. This algorithm is designed to resist brute-force attacks on the password: the salt ensures that the same password yields different keys, and the iteration count raises the work factor by running the key generation function many times.
- It uses the generated key to encrypt the credentials (including the user name, password, and any elevation credentials) with the AES algorithm in CBC mode. It then computes a Message Authentication Code (MAC) using HMAC with SHA-256 to verify the integrity of the saved data.