Problem statement
We have the following security questions:
- What type and length of key is used for secret encryption, i.e. 32-bit AES key, 3DES key, etc.?
- What mode of encryption is used, i.e. GCM, CBC, etc.?
- Where is this key stored, i.e. in Azure Key Vault, etc.?
- Is there any master key used for encrypting individual keys? If so, what are the specifications for the master key, and where is it stored?
Solution
- Auth0 encrypts data at rest using AES-256. Data in transit is encrypted using TLS with versions 1.2+ allowed.
- Volume-level data encryption is done using AES-256-GCM through AWS EBS encryption. Field-level data encryption is done using AES-256-CBC with a symmetric key and HMAC-SHA-256.
- Tenant keys are 2048-bit RSA key pairs, unique per tenant. Tenant signing keys and secrets are stored encrypted in separate databases. Tenant signing keys are 2048-bit RSA asymmetric signing key pairs that are stored securely using AES 256-bit encryption.
- Customer-sensitive data encryption keys and Auth0's Secure Identity Platform service configuration and secrets leverage the AWS Parameter Store for storage, where each SecureString value is encrypted using AES 256-bit symmetric encryption with customer master keys stored in AWS KMS.
- An asymmetric customer key, or the private portion of an asymmetric customer key, cannot be exported from the KMS.
- For password hashing, Auth0 uses the bcrypt password hashing algorithm with a 128-bit salt and 10 rounds.
- Rules secrets are also encrypted with AES-256-CBC and HMAC-SHA-256. Actions secrets, however, use AES-256-GCM. Secrets related to MFA are also stored with AES-256-GCM.
Note: the field-level data encryption algorithm is expected to change in the future (no date defined yet) from AES-256-CBC + HMAC-SHA-256 to AES-256-GCM.