Security Questions

Problem statement

We have the following security questions:

  • What type and length of key is used for secret encryption, e.g. a 32-bit AES key, a 3DES key, etc.?
  • What mode of encryption is used, e.g. GCM, CBC, etc.?
  • Where is this key stored, e.g. in Azure Key Vault?
  • Is there any master key used for encrypting individual keys? If so, what are the specifications for the master key, and where is it stored?

Solution

  • Auth0 encrypts data at rest using AES-256. Data in transit is encrypted using TLS with versions 1.2+ allowed.
  • Volume-level data encryption is done using AES-256-GCM through AWS EBS encryption. Field-level data encryption is done using AES-256-CBC with a symmetric key and HMAC-SHA-256.
  • Tenant keys are a 2048-bit RSA key pair which is unique per tenant. Tenant signing keys and secrets are stored encrypted in separate databases. Tenant signing keys are 2048-bit RSA asymmetric signing key pairs that are stored securely using AES 256-bit encryption.
  • Customer-sensitive data encryption keys and the service configuration and secrets of Auth0’s Secure Identity Platform use the AWS Parameter Store for storage, where each SecureString value is encrypted using AES 256-bit symmetric encryption with customer master keys stored in AWS KMS.
  • An asymmetric customer key, or the private portion of one, cannot be exported from KMS.
  • For password hashing, Auth0 uses a bcrypt password hashing algorithm with a 128-bit salt and 10 rounds.
  • Rules secrets are also encrypted with AES-256-CBC and HMAC-SHA-256. Actions secrets, however, use AES-256-GCM. Secrets related to MFA are also stored with AES-256-GCM.

Note: the field-level data encryption algorithm is expected to change in the future (no date defined yet) from AES-256-CBC + HMAC-SHA-256 to AES-256-GCM.
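The field-level construction the answer describes (AES-256-CBC under one key, HMAC-SHA-256 under a second) in Go's standard library, as an added illustration that is not Auth0's code: it shows why the tag must be checked before any decryption so a modified field fails closed, which is the property the planned move to AES-256-GCM gets from a single AEAD primitive. The blob layout, encrypt-then-MAC order and fixed 32-byte key lengths are assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)
// Blob layout is an assumption, not Auth0's format: IV || CBC ciphertext || HMAC-SHA-256 tag.
// encKey and macKey are distinct 32-byte keys; a wrong key length is a deployment bug, hence panic.
func mustBlock(key []byte) cipher.Block {
	b, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		panic(err)
	}
	return b
}
func tag(macKey, data []byte) []byte {
	mac := hmac.New(sha256.New, macKey)
	mac.Write(data)
	return mac.Sum(nil)
}
// EncryptCBCHMAC is encrypt-then-MAC: the tag covers the IV and the whole ciphertext.
func EncryptCBCHMAC(encKey, macKey, pt []byte) ([]byte, error) {
	pad := aes.BlockSize - len(pt)%aes.BlockSize // PKCS#7: always 1..16 bytes
	padded := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	blob := make([]byte, aes.BlockSize+len(padded))
	if _, err := rand.Read(blob[:aes.BlockSize]); err != nil { // fresh random IV per field
		return nil, err
	}
	cipher.NewCBCEncrypter(mustBlock(encKey), blob[:aes.BlockSize]).CryptBlocks(blob[aes.BlockSize:], padded)
	return append(blob, tag(macKey, blob)...), nil
}
// DecryptCBCHMAC verifies the tag in constant time before decrypting or unpadding, so a modified field fails closed and exposes no padding oracle.
func DecryptCBCHMAC(encKey, macKey, blob []byte) ([]byte, error) {
	n := len(blob) - sha256.Size
	if n < 2*aes.BlockSize || n%aes.BlockSize != 0 || !hmac.Equal(tag(macKey, blob[:n]), blob[n:]) {
		return nil, errors.New("authentication failed")
	}
	pt := make([]byte, n-aes.BlockSize)
	cipher.NewCBCDecrypter(mustBlock(encKey), blob[:aes.BlockSize]).CryptBlocks(pt, blob[aes.BlockSize:n])
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize {
		return nil, errors.New("bad padding")
	}
	return pt[:len(pt)-pad], nil
}
```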