Encryption and the Assisted Sign-On component
The Assisted Sign-On component in Pega Robot Studio is based on the Windows Data Protection API (DPAPI). DPAPI encrypts data by using a private key derived from a user’s Windows identity. Once encrypted, data can only be decrypted by the same Windows user. For more information, refer to the following webpage:
The following sections detail some frequently asked questions about the Assisted Sign-On component:
Where are credentials stored?
Credentials are stored locally on the machine in an encrypted file located by default under the user’s application data roaming directory. The Assisted Sign-On component does not use a central server. The following paths are examples of this location:
- 8.0 and 8.0 SP1 – C:\Documents and Settings\John Doe\AppData\Roaming\OpenSpan\ASO.db
- 19.1 – C:\Users\John Doe\AppData\Roaming\Pegasystems\ASO.db
You can change the file location by modifying the FileLocation option in the AssistedSignOn section of the RuntimeConfig.xml file. You can change the location to other known .NET special folders, Environment variables, or a fully-qualified path.
How are credentials stored?
The Assisted Sign-On component persists the following strings:
- Application name
- User name
DPAPI initially generates a strong key called a MasterKey, which is protected by the user's password. DPAPI uses a standard cryptographic process called Password-Based Key Derivation, described in the Password Based Encryption Standard (PKCS) #5, to generate a key from the password. This password-derived key is then used with Triple-DES to encrypt the MasterKey, which is finally stored in the user's profile directory.
The MasterKey, however, is not used explicitly to protect the data. Instead, a symmetric session key is generated based on the MasterKey, some random data, and an additional hard-coded entropy string that Pega provides. This session key is used to protect the data. The session key is never stored. Instead, DPAPI stores the random data it used to generate the key in the opaque data blob. When the data blob is passed back in to DPAPI, the random data is used to re-create the key and unprotect the data.
For security reasons, MasterKeys expire, which means that after a period of time -- the hard-coded value being three months -- a new MasterKey is generated and protected in the same manner. This expiration prevents an attacker from compromising a single MasterKey and accessing all of a user's protected data.
Can anyone view or decrypt stored credentials?
No. Only the user whose Windows identity was used to encrypt the data can decrypt it. Moreover, the additional entropy string supplied by Pega helps prevent other applications from decrypting the credential data.
Are the credentials encrypted in memory?
Yes. Credentials are encrypted in memory by using a randomly generated entropy that is a valid only for the current Runtime session. Additionally, all credential values are stored with .NET SecureStrings to ensure that they cannot be inspected in memory. For more information, see Encryption settings for Pega Robotic Automation.
Where is the software installed?
The Assisted Sign-On component is installed with Pega Robot Studio and Pega Robot Runtime. Pega Robot Studio is installed on developer desktops. Pega Robot Runtime is installed on Runtime user desktops.
How are passwords managed?
The Assisted Sign-On Component is used by Pega Robot Studio developers when they create automations which are then deployed to the end user desktop and executed by Runtime. Pega Robot Studio's automations run independently on each end user desktop and are not connected to a central management server following deployment. Developers can choose to enforce password management functions within their automations, but there is no server that centrally manages password rules.
How often does the user have to input their credentials?
The Assisted Sign-On component can persist credentials indefinitely. Developers, however, can choose to enforce password management functions within their automations, including periodically prompting for the re-entry or clearing of stored passwords. For instance, a developer can create an automation that initially prompts users for credentials the first time they log on. For subsequent logons, the automation automatically logs in the user until it detects that a login failed. Once a login has failed, the automation prompts the user to re-enter his or her credentials.
Does the software log who accessed credentials or who accessed the tool?
You can enable local logging of the Runtime environment, which will provide general log details. Credential information might be marked as sensitive and, if so, will not appear in the logs.
Is this software commonly deployed by other clients?
Yes. Pega has deployed this capability to several other clients. Implementation of the Assisted Sign-On component varies from account to account depending on their project requirements, internal security policies, and the infrastructure already in place.