
6.6 Reference Guide
Encryption

Document Revision 1.0


6.6 Reference Guide | Encryption
Trademarks and copyrights


The information contained in this document is the proprietary and confidential information of Blue Prism Limited and should not be
disclosed to a third party without the written consent of an authorized Blue Prism representative. No part of this document may be
reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying without the written
permission of Blue Prism Limited.
© Blue Prism Limited, 2001 – 2019
®Blue Prism is a registered trademark of Blue Prism Limited
All trademarks are hereby acknowledged and are used to the benefit of their respective owners.
Blue Prism is not responsible for the content of external websites referenced by this document.
Blue Prism Limited, 2 Cinnamon Park, Crab Lane, Warrington, WA2 0XP, United Kingdom
Registered in England: Reg. No. 4260035. Tel: +44 870 879 3000. Web: www.blueprism.com

Commercial in Confidence Page 2 of 12


Contents
Trademarks and copyrights (page 2)
Contents (page 3)
Introduction (page 4)
Data at rest (page 4)
    User configurable encryption (page 4)
    User configurable encryption key management (page 5)
    Blue Prism user account encryption (page 6)
    Blue Prism Credential Manager (page 6)
    Data encrypted inside the database (page 7)
    Microsoft SQL server database encryption (page 7)
Data in use (page 8)
    Secure String (page 8)
    Blue Prism Safe String (page 8)
Data in motion (page 9)
    Instructional connections in Blue Prism (page 9)
    Windows Communication Foundation (WCF) connections (page 9)
    Database connections (page 9)
Encryption process flow (page 10)
Third-party cryptographic functionality (page 10)
Obfuscation (page 11)
    Cipher obfuscation (page 11)
    Simple obfuscation (page 11)
    Source code obfuscation (page 11)
Federal Information Processing Standards (FIPS) 140-2 compliance (page 12)
Useful resources (page 12)
    Microsoft encryption documentation (page 12)
    Microsoft SQL data encryption (page 12)
    WCF Security information (page 12)
    .Net Security Protocols (page 12)
    .Net Secure String (page 12)

Introduction
This document provides a functional and technical point of reference to help with customer concerns,
compliance queries, and incoming Requests for Proposal (RFPs) around encryption.

Data at rest
Data at rest refers to inactive data stored physically in any digital form.

User configurable encryption


This selectable method of encryption is used for:
• Blue Prism Credential Manager
• Work Queue encryption (must be enabled by the end user)
• Exception screen shots (must be enabled by the end user)
• Usage by the internal VBO that provides encryption capabilities
Blue Prism only uses recognized encryption standards and includes Federal Information Processing Standard
(FIPS) compliant options. The end user can choose the algorithm, generate the encryption keys, and dictate
where the key is stored (file or database).
The currently available algorithms are:

Algorithm: AES - Crypto Service Provider (Default), FIPS compliant
• Mode – CBC
• Padding – PKCS7
• Key size – Dependent on platform (128, 192, 256)

Algorithm: AES Rijndael Managed
• Mode – CBC
• Padding – PKCS7
• Key size – 256

Algorithm: Triple DES (Retired), FIPS compliant
• Mode – CBC
• Padding – PKCS7
• Key size – 192

The following statements apply to all algorithms in the table above:


• All options are built into the System.Security.Cryptography library in the .NET framework
• All options use .NET default encryption configuration settings, apart from key size which is derived from
the key generated for that algorithm (found in “Encryption key information”)
• The end user is unable to modify or pass any parameters to the selected algorithm.

User configurable encryption key management


The following information explains how the encryption key used for user configurable encryption is generated
and where it will be stored:
• Blue Prism Application Server (recommended)
The encryption key is stored on the application server. In this situation the key must be manually
deployed to each application server within the environment. This is the most commonly selected
scenario as it ensures the key is stored separately from the encrypted data. It supports clients that
connect via an application server.
• Database
The encryption key is stored in the Blue Prism database. This is appropriate for scenarios where there
is not an application server deployed. It supports clients that connect directly to the database and
those that connect via an application server.

Locations:
• Database (Not Recommended)
  o Base64 encoded and stored in the BPAKeyStore table
• Blue Prism Server (Recommended)
  o In a separate file from other information
  o Encrypted symmetrically using AES256
  o Encryption key is hardcoded in Blue Prism source code
  o Obfuscated using the Blue Prism CipherObfuscation algorithm (for more information, see Cipher obfuscation)
  o All encryption settings are .NET Framework defaults
  o IV is randomly generated and stored with the encrypted text
  o Encryption algorithm type is also stored inside the file with the encrypted text

Generation:
• Generated using RNGCryptoServiceProvider()
• Built into the System.Security.Cryptography library in the .NET Framework
• Key size is dependent on the algorithm:
  o AES256 = 32 bytes
  o Triple DES (Retired) = 32 bytes
• Base64 encoded and stored in a SafeString on creation

Blue Prism can be configured to use a manually generated key or users can use the Generate Key functionality
in Blue Prism.

Blue Prism user account encryption


The following information details the protections that are applied to the Blue Prism user account credentials
that are held in the database when using native authentication.

Mechanism: Hashing algorithm

Type: PBKDF2

Salt:
• Stored in the Blue Prism database
• Base64 encoded
• 32 bytes
• Generated by RNGCryptoServiceProvider, which is built into the System.Security.Cryptography library in the .NET Framework

Hash:
• Stored in the Blue Prism database
• Base64 encoded
• 32 bytes

Algorithm:
• RFC 2898
• Built into the System.Security.Cryptography library in the .NET Framework
• 64000 iterations

User inputted password:
• Stored in a SecureString until it is processed by the algorithm
• Pinned in memory at the last possible moment

Other protection mechanisms:
• Timing attack prevention
• Compares the hash bytes in constant time to prevent HMAC timing attacks
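The scheme in the table above in working code, as an added example written for this guide rather than taken from Blue Prism's source: a native-authentication password record with a 32-byte RNGCryptoServiceProvider salt, Rfc2898DeriveBytes at 64000 iterations producing a 32-byte hash, Base64 storage, and a constant-time comparison. It assumes the default PRF of Rfc2898DeriveBytes (HMAC-SHA1), which the guide does not name, and the class and member names are illustrative.

```csharp
using System;
using System.Security.Cryptography;

// Added example (not Blue Prism source code). Parameters follow the guide:
// 32-byte salt, RFC 2898 PBKDF2, 64000 iterations, 32-byte hash, Base64.
// Assumption: the default Rfc2898DeriveBytes PRF (HMAC-SHA1) is used.
public static class NativePasswordStore
{
    public const int SaltBytes = 32;
    public const int HashBytes = 32;
    public const int Iterations = 64000;

    // What would be persisted in the database for one user account.
    public sealed class Record
    {
        public string SaltBase64 { get; set; }
        public string HashBase64 { get; set; }
    }

    // Creates the Base64-encoded salt and hash for a new password.
    public static Record Create(string password)
    {
        var salt = new byte[SaltBytes];
        using (var rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(salt);
        }
        byte[] hash = Derive(password, salt);
        return new Record
        {
            SaltBase64 = Convert.ToBase64String(salt),
            HashBase64 = Convert.ToBase64String(hash)
        };
    }

    // Re-derives the hash from the supplied password and the stored salt and
    // compares it with the stored hash without stopping at the first mismatch.
    public static bool Verify(string password, Record stored)
    {
        byte[] salt = Convert.FromBase64String(stored.SaltBase64);
        byte[] expected = Convert.FromBase64String(stored.HashBase64);
        byte[] actual = Derive(password, salt);
        return FixedTimeEquals(actual, expected);
    }

    private static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
        {
            return kdf.GetBytes(HashBytes);
        }
    }

    // Constant-time comparison: every byte is visited regardless of where the
    // first difference is, so timing does not leak how many bytes matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++)
        {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }
}
```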

Blue Prism Credential Manager


The Credentials Management functionality provides a secure repository for login details required to access
target applications. Credentials are stored in the Blue Prism database but are encrypted in such a way that only
authorized users can retrieve them. The encryption key is stored separately, on the Blue Prism application
server machine and is used to provide credentials to validated clients.
For more information, see User configurable encryption.

Data encrypted inside the database


Some information in the Blue Prism database is stored as encrypted data within the table rows. This ensures
that if the database were compromised, the data would still need to be decrypted before it could be exposed.
By default, this information is encrypted symmetrically using Rijndael Managed, which is built into the .NET
Framework System.Security assembly.

Encryption parameters
• IV – Automatically generated on algorithm initialization, default size.
• Encryption key is hardcoded in obfuscated form within Blue Prism source code.
o This key has been obfuscated using Blue Prism Cipher Obfuscator.
o When using this key, it is held within a Blue Prism Safe String.
• All other settings are .NET Defaults.
• Output is Base64 Encoded.
• Output consists of encrypted information and IV concatenated together.
Currently, Intelligent Automation Skills elements (toolbar information) in the database are encrypted in this
way.
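An added example (not Blue Prism code) of the symmetric scheme described by the algorithm table, the key generation section and the encryption parameters above: a 32-byte key from RNGCryptoServiceProvider, AES through the FIPS-validated Crypto Service Provider in CBC mode with PKCS7 padding, a fresh random IV per encryption, and IV plus cipher text concatenated into a single Base64 string. It assumes the IV is placed before the cipher text, which the guide leaves unspecified; RijndaelManaged, the class named in this section, follows the same pattern but is not FIPS-validated.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not Blue Prism source code). Assumption: envelope layout is
// IV || cipher text; the guide only states that the two are concatenated.
public static class AesCbcEnvelope
{
    public const int KeyBytes = 32;   // AES-256

    // Equivalent of the "Generate Key" step: 32 random bytes, Base64 encoded.
    public static string GenerateKeyBase64()
    {
        var key = new byte[KeyBytes];
        using (var rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(key);
        }
        return Convert.ToBase64String(key);
    }

    public static string Encrypt(string keyBase64, string plainText)
    {
        byte[] plain = Encoding.UTF8.GetBytes(plainText);
        using (var aes = new AesCryptoServiceProvider())
        {
            aes.Key = Convert.FromBase64String(keyBase64);
            aes.Mode = CipherMode.CBC;          // .NET default, stated explicitly
            aes.Padding = PaddingMode.PKCS7;    // .NET default, stated explicitly
            aes.GenerateIV();                   // new IV for every encryption
            byte[] iv = aes.IV;
            using (ICryptoTransform enc = aes.CreateEncryptor())
            {
                byte[] cipher = enc.TransformFinalBlock(plain, 0, plain.Length);
                var envelope = new byte[iv.Length + cipher.Length];
                Buffer.BlockCopy(iv, 0, envelope, 0, iv.Length);
                Buffer.BlockCopy(cipher, 0, envelope, iv.Length, cipher.Length);
                return Convert.ToBase64String(envelope);
            }
        }
    }

    public static string Decrypt(string keyBase64, string envelopeBase64)
    {
        byte[] envelope = Convert.FromBase64String(envelopeBase64);
        using (var aes = new AesCryptoServiceProvider())
        {
            aes.Key = Convert.FromBase64String(keyBase64);
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            int blockLen = aes.BlockSize / 8;   // 16 bytes for AES; IV is one block
            if (envelope.Length < 2 * blockLen)
                throw new CryptographicException("Envelope too short for IV plus one block");
            var iv = new byte[blockLen];
            Buffer.BlockCopy(envelope, 0, iv, 0, blockLen);
            aes.IV = iv;
            using (ICryptoTransform dec = aes.CreateDecryptor())
            {
                byte[] plain = dec.TransformFinalBlock(envelope, blockLen, envelope.Length - blockLen);
                return Encoding.UTF8.GetString(plain);
            }
        }
    }
}
```

CBC with PKCS7 padding provides confidentiality only; a wrongly keyed or altered envelope shows up as a CryptographicException from TransformFinalBlock rather than as a detected forgery.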

Microsoft SQL server database encryption


Database encryption can be provided by the default Microsoft encryption mechanism (Transparent Data
Encryption - TDE) but must be implemented by the end user.
For more information, see:
https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption?view=sql-server-2017

Data in use
Data in use refers to active data which is stored in a non-persistent digital state, typically in computer
random-access memory, CPU caches, or CPU registers.

Secure String
Blue Prism uses Microsoft’s Secure String functionality that is built into the .Net framework.
A secure string represents text that should be kept confidential, such as by deleting it from computer memory
when no longer needed.
For more information see:
https://docs.microsoft.com/en-us/dotnet/api/system.security.securestring?view=netframework-4.7

Blue Prism Safe String


Safe String is a wrapper around Secure String, which is built into the .NET Framework. It ensures that when
sensitive information, such as passwords, is being processed in memory it is held in a secure container that
cannot be compromised if an attacker were able to inspect a memory snapshot of the application at that time.
Safe String is fully serializable across boundaries between the Application Server and Interactive Client using
both .NET Remoting and Windows Communication Foundation (WCF) services.
The Safe String payload is obfuscated before serializing to a transportable format. The default obfuscation
method is Simple Obfuscation; however, some pieces of information, such as machine configurations and
credentials, are obfuscated using Cipher Obfuscation. For more information, see Cipher obfuscation.

Data in motion
Data in motion refers to data that is traversing a network or temporarily residing in computer memory to be read or updated.

Instructional connections in Blue Prism


Blue Prism recommends that certificate-based encryption is applied by manually deploying an appropriate
certificate to each runtime resource and updating the device start-up parameters.

TLS/SSL support
Blue Prism is built on the .NET Framework version 4.7. .NET Framework 4.7 and later versions default to the
host operating system configuration, choosing the best security protocol and version. This applies to TCP, WCF,
and HTTP communications. Available protocols and Ciphers are managed by the end user or automatically
handled through Microsoft security updates.

In Blue Prism versions 6.1 to 6.5, TLS 1.2 was enforced for TCP and HTTP protocols; from version 6.6 this was
changed to follow the operating system configuration described above.

Windows Communication Foundation (WCF) connections


The WCF connection used in Blue Prism has the following user-selectable encryption methods:
• Message encryption and Windows authentication
• Transport encryption and Windows authentication
• Transport encryption
• None (for debug purposes only)
The WCF configuration used for message level encryption is created programmatically and uses the .NET
standard encryption scheme of AES256; this cannot be altered.
For more information see:
https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/programming-wcf-security

Database connections
This is the read/write connection between the application server and the database. Certificate-based encryption is
supported by leveraging SQL Server functionality, which can auto-generate self-signed certificates or leverage
an existing verifiable certificate.

Encryption process flow


When a client device submits data that needs to be stored using reversible encryption, or requests data that is
stored using reversible encryption, the device that is responsible for carrying out the conversion between plain
text and cipher text will be dependent on how the client device is connected to the environment.
• Application server connection (recommended) – The application server is responsible for converting
between plain-text and cipher-text for client devices that connect via a Blue Prism application server.
When appropriately configured, the plain text will be transmitted between client and server over a
secure channel, and the cipher text will be transmitted between the server and the database over a
secure channel.
• Direct database connection (not recommended) – Client devices that have a direct connection to the
Blue Prism database will be responsible for requesting the key and locally converting the data item
between plain and cipher text. When appropriately configured the cipher text and key will be
transmitted between the client and database over a secure channel.
Once the conversion has taken place, the memory used on the device is immediately cleared and disposed of,
irrespective of where the conversion takes place.

Third-party cryptographic functionality


Cryptographic functionality used by Blue Prism is provided by the following third-party products:
• Microsoft Windows Operating System – Provides encryption algorithms and transport mechanism.
• Microsoft .Net Framework – Provides the core functionality for the Blue Prism Credential Manager.
• Microsoft Windows Communication Foundation (WCF) – Used for Blue Prism connections to the application
server; Blue Prism supports message level encryption via WCF.
• Microsoft SQL Server – Database encryption can be provided by the default Microsoft encryption
mechanism (Transparent Data Encryption – TDE) but must be implemented by the end user.

Obfuscation
In addition to encryption, Blue Prism uses obfuscation algorithms. Obfuscation helps to reduce the risk of
sensitive information disclosure by making the information less clear and harder to understand. It is often used to
complement other existing technologies or controls.

Cipher obfuscation
Primarily used to obfuscate credential (Blue Prism credential manager) information.
• Uses an encryption key which is stored in source code.
• The obfuscation routine is a custom cipher created by Blue Prism.
• The sensitive information is pinned in memory before being obfuscated; the memory is then released
immediately after the operation is complete. As a result, the sensitive information is exposed for the
shortest possible amount of time.
• The output is Base64 encoded.

Simple obfuscation
Primarily used for obfuscating information that is serialized/deserialized across boundaries.
• Algorithm consists of applying an XOR operation to the bytes of the sensitive information.
• The algorithm is performed on the sensitive information held in unmanaged memory, so the sensitive
information is not exposed during the operation.
• The output is Base64 encoded.
• This is the default obfuscation method for Blue Prism SafeStrings.

Source code obfuscation


The majority of the Blue Prism source code is obfuscated using an industry leading obfuscation tool.
Source code obfuscation dramatically reduces the risk of successful reverse engineering and malicious
patching, by increasing the complexity of the task and the time needed to carry it out.

Federal Information Processing Standards (FIPS) 140-2 compliance


As of Version 6.6 Blue Prism can be deployed and used on devices that enforce FIPS-compliant algorithms. To
implement this, several changes have been made to ensure that Blue Prism adheres to FIPS. The Blue Prism
application server, interactive client, and runtime resources now check to see if the group policy to use FIPS-
compliant algorithms for encryption, hashing, and signing is enabled. If the policy is enabled, non-FIPS
compliant encryption schemes cannot be selected in the Encryption Scheme and Work Queue system settings
on the interactive client, nor can they be selected when configuring an encryption scheme for the application
server. In addition to this, any AutomateC commands that use non-FIPS compliant options cannot be run.
As part of this development, users are now notified if the FIPS-compliant group policy is enabled and any of the
following occur:
• A process or object runs that references a non-FIPS compliant encryption scheme – an error displays
and the process/object stops running.
• Logging into an interactive client or starting a runtime resource that has a non-FIPS compliant
encryption scheme – users are prompted to remove non-FIPS compliant schemes before continuing.
• An application server uses a non-FIPS compliant encryption scheme – the server will stop working and
log an error.

Useful resources
Microsoft encryption documentation
.NET Framework 4.7.2 Symmetric Algorithm MSDN Documentation

Microsoft SQL data encryption


https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption?view=sql-server-2017

WCF Security information


https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/programming-wcf-security

.Net Security Protocols


https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls

.Net Secure String


https://docs.microsoft.com/en-us/dotnet/api/system.security.securestring?view=netframework-4.7
