Slackbot.ini Encryption

MI Slackbot must be open to the web in order to process requests submitted by Users.

1. Security Provisions

Sensitive Data fetched by the MI Slackbot is protected against:

  1. Unauthorized User access
  2. Malicious third-party breaches (mitigated through encryption as described in this article)

2. Implementation of Encryption Strategy

ENCRYPTION METHOD

  • In order to protect data accessed by the MI Slackbot, its configuration file (Slackbot.ini) is encrypted with AES-128 encryption algorithm.
  • Slackbot.ini is encrypted partially using pyca/cryptography  which implements Fernet encryption. A message encrypted this way cannot be manipulated or read without the key.
  • To generate the key, we employ PBKDF2 (Password Based Key Derivation Function 2).

ENCRYPTED VALUES

  • "Secret Key" is used to encrypt access credentials (app_id and app_key) allowing the MI Slackbot to connect to databases where data is stored.

3. The process of encrypting Slackbot.ini

PREREQUISITES

  •  MI Slackbot configuration file is encrypted after the MI Slackbot has been installed and launched on a server
  •  The configuration file with default values is created automatically at /opt/mi/iv/engine/config/slackbot.ini

STEP 1. The first time the MI Slackbot is launched, the Installer will look for the  bot_instance variable

  1. If there is no such variable, app_id and app_key credentials will be identified as unencrypted
  2. bot_instance variable will be created with an assigned hash value (GUID)

STEP 2. app_id and app_key fields will be encrypted with "Secret Key" consisting of:

  1. bot_instance hash value (generated every time the Slack App is installed)
  2. commit hash value (stored inside the Slack App docker container)

bot_instance hash value is unique for each MI Slackbot installation as well as for each instance.

commit hash value is different for each Release Version of the MI Slackbot.

When !config command is used to change the app_id (MI External Application ID) and app_key (MI External Application Key), slackbot.ini file is updated and these access credentials are encrypted automatically.

4. How the Secret Key is generated

The hash function generating "Secret Key" uses the following Input Parameters :

  1. Algorithm: an instance of HashAlgorithm
  2. Length (int): desired length of the derived key in bytes
    • Maximum is (232 - 1) * algorithm.digest_size
  3. Salt (bytes): a salt
    • Secure values are 128-bits (16 bytes) or longer
  4. Iterations (int): the number of iterations to perform the hash function
    • This parameter can be used to control the length of time an operation takes

Parameter Values transferred into the function are as follows:

  1. algo = SHA256
  2. length = 32
  3. salt = commit hash (from the docker container)
  4. iterations = 100000

PBKDF2 applies a hash function ("SHA256") , to the input password (GUID) with a salt value and repeats the process many times (in our case 100000) to produce a derived key.

The "Secret Key" is then used to encrypt the app id and app key access credentials in Slackbot.ini as described in Section 3 of this Article.

0 Comments

Add your comment

E-Mail me when someone replies to this comment