v6.6 Reference Guide - Encryption
Contents
Trademarks and copyrights
Contents
Introduction
Data at rest
    User configurable encryption
    User configurable encryption key management
    Blue Prism user account encryption
    Blue Prism Credential Manager
    Data encrypted inside the database
    Microsoft SQL Server database encryption
Data in use
    Secure String
    Blue Prism Safe String
Data in motion
    Instructional connections in Blue Prism
    Windows Communication Foundation (WCF) connections
    Database connections
Encryption process flow
Third-party cryptographic functionality
Obfuscation
    Cipher obfuscation
    Simple obfuscation
    Source code obfuscation
Federal Information Processing Standards (FIPS) 140-2 compliance
Useful resources
    Microsoft encryption documentation
    Microsoft SQL data encryption
    WCF security information
    .NET security protocols
    .NET Secure String
Introduction
This document provides a functional and technical point of reference to help answer customer concerns,
compliance queries, and incoming Requests for Proposal (RFPs) about encryption in Blue Prism.
Data at rest
Data at rest refers to inactive data stored physically in any digital form.
Blue Prism can be configured to use a manually generated key, or users can use the Generate Key functionality
in Blue Prism.

Data encrypted inside the database

Type                    PBKDF2 (key derivation)
Algorithm               • RFC 2898
                        • Built into the System.Security.Cryptography library in the .NET Framework
                        • 64,000 iterations
Encryption parameters   • IV: automatically generated on algorithm initialisation, default size.
                        • The input secret is hardcoded in obfuscated form within the Blue Prism source code.
                          o This secret has been obfuscated using the Blue Prism Cipher Obfuscator.
                          o When in use, it is held within a Blue Prism Safe String.
                        • All other settings are .NET defaults.
                        • Output is Base64 encoded.
                        • Output consists of the encrypted information and the IV concatenated together.

Because the input secret ships inside the application itself, this scheme protects the stored values from
direct inspection of the database rather than from someone who also holds the Blue Prism binaries and can
reverse the obfuscation.

Currently, Intelligent Automation Skills elements (toolbar information) in the database are encrypted in this
way.
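The parameters in the table above, as an added illustration of the layout rather than Blue Prism's own code: the key is derived with the .NET Framework's Rfc2898DeriveBytes (PBKDF2 with HMAC-SHA1, 64,000 iterations), the cipher is left at the .NET defaults, and the stored value is Base64 of the ciphertext followed by the IV. The choice of AES-256 in CBC mode, the salt, and the demo secret are assumptions; the page only says ".NET defaults" and does not give the salt or the secret.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not Blue Prism's implementation. Demonstrates PBKDF2 key derivation
// (RFC 2898, 64,000 iterations) feeding an AES encryptor whose IV is generated per call,
// with the output framed as Base64(ciphertext || IV) as the reference guide describes.
static class DerivedKeyEncryption
{
    const int Iterations = 64000;
    const int KeyBytes = 32;   // AES-256: an assumption, the page says only ".NET defaults"

    public static string Encrypt(string secret, string plaintext, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(secret, salt, Iterations))   // HMAC-SHA1 on .NET Framework
        using (var aes = Aes.Create())                                        // defaults: CBC, PKCS7 padding
        {
            aes.Key = kdf.GetBytes(KeyBytes);
            aes.GenerateIV();                                                 // fresh IV, default size (16 bytes)
            byte[] plain = Encoding.UTF8.GetBytes(plaintext);
            byte[] cipher;
            using (var enc = aes.CreateEncryptor())
                cipher = enc.TransformFinalBlock(plain, 0, plain.Length);
            Array.Clear(plain, 0, plain.Length);                              // scrub the clear bytes

            // Stored layout: ciphertext first, IV appended at the end, then Base64.
            byte[] blob = new byte[cipher.Length + aes.IV.Length];
            Buffer.BlockCopy(cipher, 0, blob, 0, cipher.Length);
            Buffer.BlockCopy(aes.IV, 0, blob, cipher.Length, aes.IV.Length);
            return Convert.ToBase64String(blob);
        }
    }

    public static string Decrypt(string secret, string encoded, byte[] salt)
    {
        byte[] blob = Convert.FromBase64String(encoded);
        using (var kdf = new Rfc2898DeriveBytes(secret, salt, Iterations))
        using (var aes = Aes.Create())
        {
            int ivLen = aes.BlockSize / 8;                                    // 16 bytes for AES
            if (blob.Length < ivLen)
                throw new CryptographicException("Encoded value is too short to contain an IV.");

            // Split the trailing IV off the ciphertext.
            byte[] cipher = new byte[blob.Length - ivLen];
            byte[] iv = new byte[ivLen];
            Buffer.BlockCopy(blob, 0, cipher, 0, cipher.Length);
            Buffer.BlockCopy(blob, cipher.Length, iv, 0, ivLen);

            aes.Key = kdf.GetBytes(KeyBytes);
            aes.IV = iv;
            using (var dec = aes.CreateDecryptor())
            {
                byte[] plain = dec.TransformFinalBlock(cipher, 0, cipher.Length);
                return Encoding.UTF8.GetString(plain);
            }
        }
    }

    static void Main()
    {
        // Constructed demo values; a real deployment needs a per-value random salt.
        byte[] salt = Encoding.UTF8.GetBytes("constructed-demo-salt");
        string stored = Encrypt("demo-secret", "toolbar-config", salt);
        Console.WriteLine(stored);
        Console.WriteLine(Decrypt("demo-secret", stored, salt));
    }
}
```

Two points worth checking in any implementation of this layout: with the .NET defaults (CBC plus PKCS7) there is no integrity tag, so a modified ciphertext is detected only as a padding or decoding failure, and the IV must be generated fresh for every encryption rather than reused with the same derived key.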
Data in use
Data in use refers to active data which is stored in a non-persistent digital state, typically in computer random-access memory, CPU caches, or CPU registers.
Secure String
Blue Prism uses Microsoft's SecureString functionality that is built into the .NET Framework.
A SecureString represents text that should be kept confidential, for example by removing it from computer
memory as soon as it is no longer needed.
For more information see:
https://docs.microsoft.com/en-us/dotnet/api/system.security.securestring?view=netframework-4.7
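The usage pattern behind the statement above, as an added example that is not Blue Prism code: the secret is appended to the SecureString one character at a time, and when the plaintext is needed it is marshalled to unmanaged memory, used inside a callback, and zeroed and freed in the same call. The `Build` and `WithPlaintext` helper names and the demo input are assumptions introduced for the example.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;

// Added example of the .NET SecureString pattern (not Blue Prism's implementation).
static class SecureStringUsage
{
    // Append one char at a time so no managed System.String of the whole secret
    // is created; managed strings are immutable and linger until the GC reclaims them.
    public static SecureString Build(char[] chars)
    {
        var s = new SecureString();
        foreach (char c in chars) s.AppendChar(c);
        Array.Clear(chars, 0, chars.Length);    // scrub the caller's buffer
        s.MakeReadOnly();
        return s;
    }

    // Expose the plaintext only for the duration of 'use', in unmanaged memory,
    // then zero and free it (ZeroFreeGlobalAllocUnicode) even if 'use' throws.
    public static T WithPlaintext<T>(SecureString secret, Func<IntPtr, int, T> use)
    {
        IntPtr ptr = IntPtr.Zero;
        try
        {
            ptr = Marshal.SecureStringToGlobalAllocUnicode(secret);
            return use(ptr, secret.Length);
        }
        finally
        {
            if (ptr != IntPtr.Zero) Marshal.ZeroFreeGlobalAllocUnicode(ptr);
        }
    }

    static void Main()
    {
        // Constructed input. Note that the literal below is itself a managed string;
        // real code would read characters from a password prompt or UI control.
        using (SecureString pw = Build("S3cr3t!".ToCharArray()))
        {
            // Work on the UTF-16 code units in place instead of building a managed string.
            int upper = WithPlaintext(pw, (p, len) =>
            {
                int n = 0;
                for (int i = 0; i < len; i++)
                    if (char.IsUpper((char)Marshal.ReadInt16(p, i * 2))) n++;
                return n;
            });
            Console.WriteLine(upper);   // 1
        }
    }
}
```

One caveat when relying on this class: on the .NET Framework the contents are encrypted in memory with DPAPI, but any call that converts the SecureString back to a managed string defeats the purpose, and Microsoft's current guidance discourages SecureString for new development because the protection is not available on all platforms.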
Data in motion
Data that is traversing a network or temporarily residing in computer memory to be read or updated.
TLS/SSL support
Blue Prism is built on .NET Framework version 4.7. .NET Framework 4.7 and later versions default to the
host operating system configuration (SecurityProtocolType.SystemDefault), so the strongest protocol version
and cipher suite enabled in the operating system's SCHANNEL settings are negotiated. This applies to TCP, WCF,
and HTTP communications. The available protocols and ciphers are therefore managed by the end user at the
operating-system level, or updated automatically through Microsoft security updates; in practice, disabling
older versions such as TLS 1.0 and 1.1 is an operating-system hardening task rather than a Blue Prism setting.
In Blue Prism versions 6.1 to 6.5, TLS 1.2 was enforced for the TCP and HTTP protocols; from version 6.6 this
was changed to follow the operating system configuration described above.
Database connections
The read/write connection between the application server and the database. Certificate-based (TLS) encryption
is supported by leveraging SQL Server functionality, which can auto-generate a self-signed certificate or use
an existing verifiable certificate. A self-signed certificate encrypts the traffic but cannot be validated by
the client unless it is explicitly trusted, so a certificate issued by a CA the application server trusts is
required for the client to authenticate the server as well as encrypt the connection.
Obfuscation
In addition to encryption, Blue Prism uses obfuscation algorithms. Obfuscation helps to reduce the risk of
sensitive information disclosure by making the information less clear and harder to understand. It is often
used to complement other existing technologies or controls rather than replace them.
Cipher obfuscation
Primarily used to obfuscate credential (Blue Prism credential manager) information.
• Uses an encryption key that is stored in source code.
• The obfuscation routine is a custom cipher created by Blue Prism.
• The sensitive information is pinned in memory before being obfuscated, and the memory is released
  immediately after the operation is complete. As a result, the sensitive information is exposed for the
  shortest possible amount of time.
• The output is Base64 encoded.
Simple obfuscation
Primarily used for obfuscating information that is serialized/deserialized across boundaries.
• Algorithm consists of applying an XOR operation to the bytes of the sensitive information.
• The algorithm is performed on the sensitive information held in unmanaged memory, so the sensitive
information is not exposed during the operation.
• The output is Base64 encoded.
• This is the default obfuscation method for Blue Prism SafeStrings.
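The two mechanisms above share one idea: the clear bytes are handled in memory the garbage collector cannot move or copy, and that memory is scrubbed as soon as the operation finishes. As an added example that is not Blue Prism's cipher or its key, this shows the simple (XOR) obfuscation performed on an unmanaged copy of the secret, with the Base64 output and the zero-before-free step. The key bytes, the helper names and the sample secret are constructed for the example.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Text;

// Added example of XOR obfuscation in unmanaged memory (not Blue Prism's implementation).
static class SimpleObfuscation
{
    // Constructed demo key. A fixed key that ships with the code can be recovered by
    // anyone holding the binary, which is why this is obfuscation and not encryption.
    static readonly byte[] DemoKey = { 0x5A, 0xC3, 0x3C, 0xA5 };

    static void XorInPlace(IntPtr buf, int len)
    {
        for (int i = 0; i < len; i++)
        {
            byte b = Marshal.ReadByte(buf, i);
            Marshal.WriteByte(buf, i, (byte)(b ^ DemoKey[i % DemoKey.Length]));
        }
    }

    // Zero before freeing so neither the clear nor the obfuscated bytes linger in the heap.
    static void ZeroAndFree(IntPtr buf, int len)
    {
        for (int i = 0; i < len; i++) Marshal.WriteByte(buf, i, 0);
        Marshal.FreeHGlobal(buf);
    }

    // Takes ownership of 'secret': it is copied to unmanaged memory and the managed array
    // is cleared before the XOR runs, so the clear bytes are not left on the GC heap where
    // a compaction could duplicate them.
    public static string Obfuscate(byte[] secret)
    {
        int len = secret.Length;
        IntPtr buf = Marshal.AllocHGlobal(len);
        try
        {
            Marshal.Copy(secret, 0, buf, len);
            Array.Clear(secret, 0, len);
            XorInPlace(buf, len);
            byte[] obfuscated = new byte[len];
            Marshal.Copy(buf, obfuscated, 0, len);   // only the XORed form reaches managed memory
            return Convert.ToBase64String(obfuscated);
        }
        finally
        {
            ZeroAndFree(buf, len);
        }
    }

    // Reverses the XOR. The caller receives the clear bytes and must Array.Clear them
    // as soon as they have been used.
    public static byte[] Deobfuscate(string encoded)
    {
        byte[] obfuscated = Convert.FromBase64String(encoded);
        int len = obfuscated.Length;
        IntPtr buf = Marshal.AllocHGlobal(len);
        try
        {
            Marshal.Copy(obfuscated, 0, buf, len);
            XorInPlace(buf, len);
            byte[] clear = new byte[len];
            Marshal.Copy(buf, clear, 0, len);
            return clear;
        }
        finally
        {
            ZeroAndFree(buf, len);
        }
    }

    static void Main()
    {
        byte[] secret = Encoding.UTF8.GetBytes("session-token-123");   // constructed input
        string wire = Obfuscate(secret);                                // safe to serialise across a boundary
        byte[] back = Deobfuscate(wire);
        Console.WriteLine(Encoding.UTF8.GetString(back));               // session-token-123
        Array.Clear(back, 0, back.Length);
    }
}
```

The value of the pattern is in the memory handling, not the XOR itself: anything serialised this way must still travel over a channel that is encrypted (for example the TLS connections described under Data in motion), because the transform is trivially reversible by anyone who has the key bytes.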
Useful resources
Microsoft encryption documentation
.NET Framework 4.7.2 Symmetric Algorithm MSDN Documentation