Encryption & Password Security

Encryption - General Information

 

The Infoserver can apply advanced encryption methods to passwords and to TCP communication (SSL). In the default configuration, only password encryption is active: passwords saved in the Infoserver.ini and in the database are encrypted, as is login data submitted on the administration website. The default encryption method is the RIJ (Rijndael/AES, symmetric encryption) algorithm with a fixed key length of 128 bits.

 

Additionally, encrypted communication (SSL) can be activated for HTTP (Infoclient connections and the administration website). Since SSL requires a certificate, the Infoserver can either create self-signed certificates or use certificates issued by a certification authority.

 

Password Security

 

All admin and domain passwords used by the Infoserver are saved encrypted. Roles must use their domain password to log in. The passwords of Roles are not saved in the Infoserver; instead, a compare request is sent to the domain, and a login is only granted if an "OK" is returned. The login to the administration interface is encrypted as well, meaning that the user credentials are encrypted before they are sent to the Infoserver.

 

The admin passwords (Login & MailToInfo) as well as the password for access to the Native Domain are saved encrypted in the configuration file. The admin's password can only be decrypted by the Infoserver. It can be edited in the Infoserver administration website; for details, see the chapter Password.

 

If the Infoserver admin password is lost or unknown, you can reset it by changing the encrypted value in the configuration file Infoserver.ini back to that of the admin's standard password (bestinformed) and then restarting the Cordaware_bestinformed_best_web service.

 


[general]

password =K0jTn4NoAmsADGJlc3RpbmZvcm1lZGgDYQFhAWEB
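
A check to run after the reset procedure above, added here as an example (not Cordaware's code): it flags an Infoserver.ini whose [general] password entry still holds the standard value shown on this page. It assumes the stored value for the standard password is always exactly that string; the function and sample names are hypothetical.

```python
import configparser
import sys

# Value the page gives for resetting the admin login to "bestinformed".
STANDARD_VALUE = "K0jTn4NoAmsADGJlc3RpbmZvcm1lZGgDYQFhAWEB"

# Constructed sample inputs (not real configuration files).
SAMPLE_AFTER_RESET = "[general]\n\npassword =" + STANDARD_VALUE + "\n"
SAMPLE_CHANGED = "[general]\npassword =Q29uc3RydWN0ZWRTYW1wbGVWYWx1ZQ==\n"


def audit_infoserver_ini(text):
    """Return findings about the [general] password entry (empty list = OK)."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text)
    except configparser.Error as exc:
        return ["file could not be parsed: " + type(exc).__name__]
    # Assumption: the section name is matched case-insensitively.
    section = next((s for s in parser.sections() if s.lower() == "general"), None)
    if section is None:
        return ["no [general] section found"]
    value = parser.get(section, "password", fallback=None)
    if value is None or not value.strip():
        return ["no password entry in [general]"]
    if value.strip() == STANDARD_VALUE:
        return ["admin password is still the standard password"]
    return []


if __name__ == "__main__":
    # Usage: python audit_ini.py <path to Infoserver.ini>; no path runs a sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as handle:
            results = audit_infoserver_ini(handle.read())
    else:
        results = audit_infoserver_ini(SAMPLE_AFTER_RESET)
    print("\n".join(results) or "OK: password entry differs from the standard value")
    sys.exit(1 if results else 0)
```

The script exits with status 1 when it has a finding, so it can be scheduled as a recurring configuration check.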

 

Passwords of the domain admins are saved encrypted in the Infoserver database and can only be decrypted by the Infoserver. These passwords can only be edited from the administration interface of the Infoserver. A reset in the database is only possible for users who have access to the database and the right to write to the appropriate table. Please note that tampering with any data in the database is at your own risk!

 

Passwords are therefore saved encrypted in the database. For domain administration, a user and password can be set up in the domain solely for Cordaware bestinformed, which avoids using a production user account.