Security

Communication encryption

Between UserLock agents and the UserLock service :

For key exchange: standard elliptic curves are used: Elliptic-curve Diffie–Hellman (ECDH) 521-bit, 384-bit, 256-bit.

For the UserLock service, private keys exist only during the current execution.

For the agent, new private keys are created for each connection.

The actual key is derived using the SHA hash on the previously calculated key (SHA-384 or SHA-256).

For symmetric encryption: AES in CBC mode, with a key length depending on the SHA hash used: 256 bits with SHA-384, 128 bits with SHA-256.

On Windows, the CNG API is used. On macOS, OpenSSL is used, but currently without FIPS module.

Between the macOS UserLock agent and the UserLock service:

The Microsoft AES Cryptographic Provider is used.

For key exchange: "RSA public key exchange" algorithm, with a key length of 1024 bits.

For symmetric encryption: "AES block encryption" algorithm, with a key length of 128 bits.

Password storage

On the server, the UserLock service stores passwords with DPAPI. Only the UserLock service account (NETWORK_SERVICE) can decrypt passwords.

• Advanced
  • Protected Accounts membership
  • Database Reference
  • Logons denied by Active Directory
  • How to apply requirements on UserLock Server and protected machines
  • Security
  • Advanced prerequisites