UserLock Documentation

Security

Communication encryption

Between UserLock agents, UserLock administration consoles and the UserLock service:

For key exchange: Elliptic-curve Diffie–Hellman (ECDH) over the standard elliptic curves at 521, 384 or 256 bits.

For the UserLock service, the ECDH private key is generated when the service starts and exists only in memory for that execution; restarting the service produces a new one.

For the agent, a fresh ECDH private key is generated for every connection, so each connection uses its own ephemeral key.

The session key is then derived by hashing the ECDH shared secret with SHA-384 or SHA-256.

For symmetric encryption: AES in CBC mode. The AES key length follows the hash used for derivation: a 256-bit key with SHA-384, a 128-bit key with SHA-256.

On Windows, the CNG API (Cryptography API: Next Generation) is used. On macOS, OpenSSL is used, currently without the FIPS module.
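The handshake described above, as an added example written for this page (it is not UserLock's own code): a long-lived "service" ECDH key pair and a per-connection "agent" key pair agree on a shared secret through the CNG classes exposed by .NET, the secret is hashed with SHA-384, and the first 32 bytes of the digest become the AES-256-CBC key. The curve size (384-bit), the hash and the key length follow the page; taking the first 32 bytes of the SHA-384 output, prepending the IV to each ciphertext and the sample message are assumptions made for the example.

```powershell
# Added example, not UserLock code. Requires Windows PowerShell 5.1 / .NET Framework 4.6.2+.
# Assumptions: AES key = first 32 bytes of the SHA-384 output; IV is prepended to each message.

function New-EcdhParty {
    param([int]$KeySize = 384)
    # ECDiffieHellmanCng(384): ECDH on CNG's standard 384-bit curve.
    $ecdh = New-Object -TypeName System.Security.Cryptography.ECDiffieHellmanCng -ArgumentList $KeySize
    # KDF "Hash" makes DeriveKeyMaterial return Hash(shared secret), i.e. the SHA hash
    # of the previously calculated ECDH key, as the page describes.
    $ecdh.KeyDerivationFunction = [System.Security.Cryptography.ECDiffieHellmanKeyDerivationFunction]::Hash
    $ecdh.HashAlgorithm = [System.Security.Cryptography.CngAlgorithm]::Sha384
    return $ecdh
}

function Get-SessionKey {
    param(
        [System.Security.Cryptography.ECDiffieHellmanCng]$Local,
        [byte[]]$PeerPublicBlob,
        [int]$KeyBytes = 32          # 256-bit AES key when SHA-384 is the hash
    )
    $peer = [System.Security.Cryptography.ECDiffieHellmanCngPublicKey]::FromByteArray(
        $PeerPublicBlob, [System.Security.Cryptography.CngKeyBlobFormat]::EccPublicBlob)
    $material = $Local.DeriveKeyMaterial($peer)   # 48 bytes = SHA-384(shared secret)
    return ,[byte[]]($material[0..($KeyBytes - 1)])
}

function Protect-Message {
    param([byte[]]$Key, [byte[]]$Plaintext)
    $aes = New-Object -TypeName System.Security.Cryptography.AesCng
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key = $Key
    $aes.GenerateIV()                                # fresh random IV for every message
    $ct = $aes.CreateEncryptor().TransformFinalBlock($Plaintext, 0, $Plaintext.Length)
    $aes.Dispose()
    return ,[byte[]]($aes.IV + $ct)                  # IV travels in clear, ahead of the ciphertext
}

function Unprotect-Message {
    param([byte[]]$Key, [byte[]]$Blob)
    $aes = New-Object -TypeName System.Security.Cryptography.AesCng
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $iv = [byte[]]($Blob[0..15])
    $ct = [byte[]]($Blob[16..($Blob.Length - 1)])
    $plain = $aes.CreateDecryptor($Key, $iv).TransformFinalBlock($ct, 0, $ct.Length)
    $aes.Dispose()
    return ,$plain
}

# Service side: one key pair for the lifetime of the process.
$service = New-EcdhParty

# Agent side: a brand-new key pair for this connection only.
$agent = New-EcdhParty

# Only public key blobs cross the wire; private keys never leave their CNG objects.
$agentPub   = $agent.PublicKey.ToByteArray()
$servicePub = $service.PublicKey.ToByteArray()

$kAgent   = Get-SessionKey -Local $agent   -PeerPublicBlob $servicePub
$kService = Get-SessionKey -Local $service -PeerPublicBlob $agentPub

# Both sides must arrive at the same 256-bit key.
$same = ([BitConverter]::ToString($kAgent) -eq [BitConverter]::ToString($kService))
"Session keys match: $same"

# Constructed sample message; in UserLock this would be agent/service protocol traffic.
$msg  = [System.Text.Encoding]::UTF8.GetBytes('logon event from agent')
$blob = Protect-Message   -Key $kAgent   -Plaintext $msg
$back = Unprotect-Message -Key $kService -Blob $blob
"Decrypted by service: $([System.Text.Encoding]::UTF8.GetString($back))"

# Per-connection keys: the agent discards its private key once the connection ends.
$agent.Dispose()
```

Running the script a second time gives different session keys for the same plaintext, which is the practical effect of the per-process and per-connection private keys. Note that AES-CBC on its own provides confidentiality only; the page does not describe how message integrity is protected, so the example does not show that part either.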

Password storage

On the server, the UserLock service stores passwords encrypted with the Windows Data Protection API (DPAPI) under its service account. Only the UserLock service account (NETWORK_SERVICE) can decrypt them: DPAPI ties the encrypted blob to that account's master key, so another account on the same server cannot read it, and copying the blob to another server does not make it readable there.
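To see the DPAPI behaviour described above, here is an added example (not UserLock code) that protects a constructed secret in the CurrentUser scope and reads it back. Run it as the account that should own the secret; for the UserLock service that is NETWORK_SERVICE, here it is simply whoever runs the script. The optional entropy argument is left empty, which is an assumption about how the secret is protected, not a statement about UserLock.

```powershell
# Added example, not UserLock code. Requires Windows PowerShell 5.1 (System.Security assembly).
Add-Type -AssemblyName System.Security

function Protect-Secret {
    param([string]$Secret)
    $plain = [System.Text.Encoding]::UTF8.GetBytes($Secret)
    $scope = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
    # Second argument is optional entropy (an extra secret mixed into the key); none used here (assumption).
    $blob  = [System.Security.Cryptography.ProtectedData]::Protect($plain, $null, $scope)
    [Array]::Clear($plain, 0, $plain.Length)       # do not leave the plaintext lying around in memory
    return [Convert]::ToBase64String($blob)
}

function Unprotect-Secret {
    param([string]$Base64Blob)
    $scope = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
    $blob  = [Convert]::FromBase64String($Base64Blob)
    try {
        $plain = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $null, $scope)
        return [System.Text.Encoding]::UTF8.GetString($plain)
    }
    catch [System.Security.Cryptography.CryptographicException] {
        # This is what a different account, or the same account on another machine, sees.
        return "DECRYPTION FAILED for $env:USERNAME on $env:COMPUTERNAME: $($_.Exception.Message)"
    }
}

# Constructed sample secret; never hard-code a real password like this.
$stored = Protect-Secret -Secret 'Sample-Password-For-Demo-Only'
"Blob safe to persist (opaque to other accounts): $stored"
"Read back by $env:USERNAME on $env:COMPUTERNAME: $(Unprotect-Secret -Base64Blob $stored)"
```

To reproduce the failure case, save the printed blob and call Unprotect-Secret with it from a PowerShell session running as a different user, or on another machine: the catch block fires instead of the plaintext. To confirm which account a service actually runs under, check the StartName column of Get-CimInstance Win32_Service for the UserLock service entry.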