Question
Lloyds Banking Group PLC
GB
Last activity: 17 May 2022 7:07 EDT
Algorithm and key length used for CDK generation
We are enabling encryption using the platform cipher with the CMK sourced from Azure Key Vault.
From Pega documentation and other conversations, we gather that Pega generates a CDK (saved in a Pega table) which will be used to encrypt/decrypt the application data, and this CDK is itself encrypted/decrypted using the CMK.
And that the CDK will use AES-256 to encrypt/decrypt the application data.
The question we have been asked by our security architects is: what is the algorithm and the key length used by Pega to generate the CDK?
***Edited by Moderator Marije to add Capability tags***
Updated: 14 Apr 2022 7:37 EDT
Pegasystems Inc.
GB
@LEELABIRAMS6337 can you confirm that you checked the Encryption Key Management documentation?
I can see that Lloyds posted a similar forum question here.
At the time the response was this:
"Pega generates internal CDK by using Java's SecureRandom algorithm.
CDK encrypted by using a configured master key and stored in the database. We never store plaintext CDKs in Database."
Can you clarify what details you need regarding the key length so that I can verify with the subject matter expert?
LEELABIRAM SRIRAMULU
Lloyds Banking Group PLC
GB
@MarijeSchillern Thank you as usual for your prompt response.
I did go through all the available documentation that I could get my hands on for encryption, including the post that you have referred to, but it doesn't appear to provide the "full" details we need.
Per our security standards, the CDK should be generated with a minimum of 128-bit entropy using an approved generation method, and while the Java SecureRandom algorithm is an approved generation method for us, we would like to know the entropy used to generate the CDK.
Lloyds Banking Group PLC
GB
@MarijeSchillern Did the above provide the context of the question we are after and if we could have any details around that please?
Pegasystems Inc.
GB
@LEELABIRAMS6337 I did not hear back from the team I forwarded your enquiry to.
I will chase them again.
Updated: 9 May 2022 5:15 EDT
Pegasystems Inc.
IN
@MarijeSchillern @LEELABIRAMS6337 We use SecureRandom implementation with SHA1PRNG algorithm (https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#SecureRandom).
From the documentation:
"The name of the pseudo-random number generation (PRNG) algorithm supplied by the SUN provider. This algorithm uses SHA-1 as the foundation of the PRNG. It computes the SHA-1 hash over a true-random seed value concatenated with a 64-bit counter which is incremented by 1 for each operation. From the 160-bit SHA-1 output, only 64 bits are used."
LEELABIRAM SRIRAMULU
Lloyds Banking Group PLC
GB
@sivar1 We are happy with the SHA1PRNG algorithm as that meets our standard. However, we still need confirmation on the length of the key being output. Are you saying that the length will be 64 bits based on the documentation snippet you pasted above? If that is the case, how can we change that to use a 128-bit length, as that is the minimum per our security standard?
Pegasystems Inc.
IN
@LEELABIRAMS6337, we use SHA1PRNG default behavior. I think it is not possible to tune output bits.
Lloyds Banking Group PLC
GB
@sivar1 Thank you, and sorry to come back to this again.
We are being asked to provide a definitive response regarding the output key length, so would you be able to please confirm if it's 160 or 64 bits?
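
An added example (not from any poster in this thread and not Pega's code) showing that with `SecureRandom` the key length is the number of bytes the caller requests, which is separate from the generator's internal block size. It assumes a 256-bit key to match the AES-256 figure in the question; the class and method names are hypothetical, and a locally generated key stands in for the Key Vault CMK.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

public class CdkLengthDemo {

    // Draw keyBits of output from SHA1PRNG and tag the bytes as an AES key.
    // The caller chooses the length; the generator iterates until the
    // requested buffer is full.
    static SecretKey generateDataKey(int keyBits) throws Exception {
        SecureRandom prng = SecureRandom.getInstance("SHA1PRNG");
        byte[] raw = new byte[keyBits / 8];
        prng.nextBytes(raw); // self-seeds on first use when no seed was supplied
        return new SecretKeySpec(raw, "AES");
    }

    public static void main(String[] args) throws Exception {
        // Data key (the CDK role in the thread); 256 bits is an assumption.
        SecretKey cdk = generateDataKey(256);

        // Assumption: local stand-in for the master key (the CMK role).
        // In the setup described above the CMK lives in Azure Key Vault.
        SecretKey cmk = generateDataKey(256);

        // Wrap the data key under the master key so only the wrapped
        // form would ever be persisted.
        Cipher wrap = Cipher.getInstance("AESWrap");
        wrap.init(Cipher.WRAP_MODE, cmk);
        byte[] wrapped = wrap.wrap(cdk);

        // Unwrap and confirm the round trip with a constant-time compare.
        Cipher unwrap = Cipher.getInstance("AESWrap");
        unwrap.init(Cipher.UNWRAP_MODE, cmk);
        SecretKey recovered =
            (SecretKey) unwrap.unwrap(wrapped, "AES", Cipher.SECRET_KEY);
        boolean same = MessageDigest.isEqual(
            cdk.getEncoded(), recovered.getEncoded());

        System.out.println("CDK length (bits): " + cdk.getEncoded().length * 8);
        System.out.println("Wrapped CDK length (bytes): " + wrapped.length);
        System.out.println("Unwrapped key matches original: " + same);
    }
}
```

The printed key length only reflects the size of the buffer requested; the entropy behind it depends on how the generator was seeded, which this code leaves to the JVM default.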