1.10 NICI and SecretStore

All cryptographic services used for SecretStore are based on Novell International Cryptographic Infrastructure (NICI). NICI is used both in NCP-based transmission of secrets and for storage of secrets in eDirectory.

NOTE: Download and install NICI on your workstation independently if you are using Novell Client and NCP-based access.

The encryption performed on the server by the SecretStore service is divided into two separate processes:

1.10.1 Storage Encryption

Data stored in SecretStore is first encrypted with the Security Domain Infrastructure (SDI) NICI-wrapped key. (SDI is initialized the first time SecretStore is installed into the tree.) This means that only the authenticated owner who has rights to SecretStore can use the SecretStore API to decrypt the application's secrets.

The SecretStore service uses NICI to encrypt data that is stored in or retrieved from eDirectory. When the data stored in SecretStore is first created, a symmetric key is generated and stored for the user. This key is wrapped by NICI SDI in a special storage format.

Subsequent reads and writes to the SecretStore cause the key to be unwrapped and used to encrypt and decrypt the stored data. Reading and writing negotiate a supported algorithm for decrypting and encrypting the data. SecretStore always picks the highest strength algorithm available through NICI policies for encrypting the data. Currently this algorithm is 3DES for worldwide usage.

1.10.2 Reading and Writing Encryption

SecretStore secrets are encrypted and transmitted over the network with a NICI algorithm, and the key for this algorithm is encrypted in a NICI session key when using NCP. This session key is established between the NICI on the client and the NICI on the server at the end of the Novell Client user authentication session. This happens independently of SecretStore, at the end of the eDirectory authentication.

The SecretStore NCP client's wire encryption requests a NICI session key for the server with which it wants to communicate. Then an encryption key for encrypting the data with the common algorithm is negotiated between the SecretStore client and the SecretStore server. The data is encrypted with the encryption key, and then the encryption key is wrapped in the session key. Both the encrypted data and the wrapped encryption key are sent over the wire to the server, where the encryption key is unwrapped with the session key and the data is decrypted with the SecretStore wire encryption key.

NOTE: The encryption algorithm is negotiated between the two ends beforehand, and the highest-strength algorithm common to the client and server is picked for the operation. The algorithm ID is transmitted with the encrypted data.

Remember, in the LDAP mode of SecretStore operations, the client establishes an SSL-based connection with the server and the data is securely transmitted on the wire over SSL.

1.10.3 Session-Oriented Security

SecretStore uses session-oriented security, which means that each internal call from the enabled applications is considered a session from beginning to end. After one session is completed, the keys are destroyed and a new set of keys is established for the next client request.
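The storage envelope of 1.10.1 (a per-user symmetric key kept only in SDI-wrapped form), the wire exchange of 1.10.2 (algorithm negotiation, data encrypted under a wire key, that key wrapped in the session key, both sent with the algorithm ID) and the per-request keys of 1.10.3, as one added Python example. This is not Novell's or NICI's code: NICI and 3DES are replaced by a stand-in cipher built from the standard library (an HMAC-SHA256 keystream with an encrypt-then-MAC tag), the session key is simply constructed rather than established at login, and the names sdi_key, wrap_key, negotiate_algorithm, SecretStoreServer and the algorithm table are assumptions, not NICI identifiers.

```python
"""Added example, not Novell/NICI code: envelope encryption as the SecretStore
text describes it.  NICI and 3DES are stood in for by a PRF-in-counter-mode
stream cipher with an HMAC tag, built from the standard library; every name
below (sdi_key, wrap_key, negotiate_algorithm, ...) is an assumption."""
import hashlib
import hmac
import os
import secrets

# Hypothetical NICI policy table: algorithm name -> strength rank.  Both names
# resolve to the same stand-in cipher here; only the negotiation is modelled.
ALGORITHM_STRENGTH = {"DES": 1, "3DES": 2}


def negotiate_algorithm(client_algs, server_algs):
    """Pick the highest-strength algorithm that both ends support."""
    common = set(client_algs) & set(server_algs)
    if not common:
        raise ValueError("no common encryption algorithm")
    return max(common, key=ALGORITHM_STRENGTH.__getitem__)


def _keystream(key, nonce, length):
    """Keystream = HMAC(key, nonce || counter) blocks, truncated to length."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def encrypt(key, plaintext):
    """Return nonce || ciphertext || tag (encrypt-then-MAC under one key)."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    """Verify the tag first; a tampered blob raises instead of yielding garbage."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


# Wrapping a key is encrypting it under another key: the SDI key for storage,
# the NICI session key on the wire.
wrap_key, unwrap_key = encrypt, decrypt


class SecretStoreServer:
    """Storage side: one symmetric key per user, stored only SDI-wrapped."""

    def __init__(self, supported_algs):
        self.sdi_key = secrets.token_bytes(32)   # constructed stand-in for the SDI key
        self.supported_algs = supported_algs
        self.store = {}                          # user -> {"wrapped_key", "secrets"}

    def _user_key(self, user):
        entry = self.store.setdefault(user, {"wrapped_key": None, "secrets": {}})
        if entry["wrapped_key"] is None:         # first write: generate and wrap the key
            entry["wrapped_key"] = wrap_key(self.sdi_key, secrets.token_bytes(32))
        return unwrap_key(self.sdi_key, entry["wrapped_key"])   # unwrapped on each access

    def write_secret(self, user, app, secret):
        key = self._user_key(user)
        self.store[user]["secrets"][app] = encrypt(key, secret)

    def read_secret(self, user, app):
        return decrypt(self._user_key(user), self.store[user]["secrets"][app])


def client_send(session_key, client_algs, server_algs, payload):
    """Client side of one NCP request: negotiate, encrypt, wrap the wire key."""
    alg = negotiate_algorithm(client_algs, server_algs)
    enc_key = secrets.token_bytes(32)            # fresh wire key for this session only
    return {"alg": alg,
            "wrapped_key": wrap_key(session_key, enc_key),
            "data": encrypt(enc_key, payload)}   # enc_key is dropped when this returns


def server_receive(session_key, message):
    """Server side: unwrap the wire key with the session key, then decrypt."""
    enc_key = unwrap_key(session_key, message["wrapped_key"])
    return message["alg"], decrypt(enc_key, message["data"])


def run_session(server, session_key, user, app, secret, client_algs=("DES", "3DES")):
    """One write over the wire followed by a read back from storage."""
    msg = client_send(session_key, client_algs, server.supported_algs, secret)
    alg, plaintext = server_receive(session_key, msg)
    server.write_secret(user, app, plaintext)
    return alg, server.read_secret(user, app)


def tampered_message_is_rejected(session_key, message):
    """Flipping one ciphertext byte on the wire must fail the integrity check."""
    data = bytearray(message["data"])
    data[16] ^= 0x01                             # first ciphertext byte after the nonce
    bad = dict(message, data=bytes(data))
    try:
        server_receive(session_key, bad)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    session_key = secrets.token_bytes(32)        # constructed; NICI sets this up at login
    server = SecretStoreServer(("DES", "3DES"))
    print(run_session(server, session_key, "cn=alice", "mail", b"hunter2"))
```

Two points the example makes that the prose only implies: the user's key never sits in the store unwrapped, so possession of the eDirectory data without the SDI key yields neither the key nor the secrets; and because the wire key is discarded when `client_send` returns, a captured message cannot be decrypted later even by the client that sent it, which is what session-oriented keying buys. The stand-in cipher also authenticates the ciphertext, which plain 3DES does not; the text does not say whether NICI adds an integrity check on the wire, so treat that part as the example's choice rather than a property of SecretStore.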