How does SphereShield encrypt the information it stores?

1. Bastion

   1. SSL certificate: stored in the Windows certificate store or in an encrypted PFX file.

   If a certificate is stored in an encrypted PFX file, the password to the file is encrypted using a proprietary algorithm with an obfuscated key hard-coded into the application. The encrypted password is stored in a configuration XML file on the Bastion server.

2. Web Service Filters (LAC and EWS)

   1. Database access password: encrypted using a proprietary algorithm with an obfuscated key hard-coded into the application. The encrypted password is stored in a configuration XML file on the Bastion server.

3. SIP Filter

   1. Database connection string: encrypted using the Windows DPAPI.

4. Access Portal

   1. ConnectionStrings section in the config file: encrypted with the RSA algorithm using the standard protected configuration section mechanism.

   2. LDAP/SMTP passwords and other sensitive data in the DB: encrypted with the AES algorithm; the encryption key and IV are stored in the applicationSettings.config file.

5. Database [Dedicated Credentials only]

   1. User-created passwords (not AD passwords) are stored as bcrypt hashes.

   2. If SphereShield is configured to use native NTLM authentication (not the SphereShield custom login window), the passwords are also stored in MD4 hash format.

SphereShield user-generated passwords are stored in MD4 hash format because they need to be available to SphereShield to authenticate Skype for Business clients using NTLM v2, which requires an MD4 hash of the password to work.
This is a constraint imposed by the use of NTLM in the Skype for Business client and cannot be changed.
Windows servers store AD passwords in the same way.