MI Slackbot must be open to the web in order to process requests submitted by Users.
1. Security Provisions
Sensitive Data fetched by the MI Slackbot is protected against:
- Unauthorized User access
- For details, refer to MI Slack App Security
- Malicious third-party breaches (mitigated through encryption as described in this article)
2. Implementation of Encryption Strategy
- In order to protect data accessed by the MI Slackbot, its configuration file (Slackbot.ini) is encrypted with AES-128 encryption algorithm.
- Slackbot.ini is encrypted partially using pyca/cryptography which implements Fernet encryption. A message encrypted this way cannot be manipulated or read without the key.
- To generate the key, we employ PBKDF2 (Password Based Key Derivation Function 2).
- "Secret Key" is used to encrypt access credentials (app_id and app_key) allowing the MI Slackbot to connect to databases where data is stored.
3. The process of encrypting Slackbot.ini
- MI Slackbot configuration file is encrypted after the MI Slackbot has been installed and launched on a server
- The configuration file with default values is created automatically at
STEP 1. The first time the MI Slackbot is launched, the Installer will look for the bot_instance variable
- If there is no such variable, app_id and app_key credentials will be identified as unencrypted
- bot_instance variable will be created with an assigned hash value (GUID)
STEP 2. app_id and app_key fields will be encrypted with "Secret Key" consisting of:
- bot_instance hash value (generated every time the Slack App is installed)
- commit hash value (stored inside the Slack App docker container)
bot_instance hash value is unique for each MI Slackbot installation as well as for each instance.
commit hash value is different for each Release Version of the MI Slackbot.
When !config command is used to change the app_id (MI External Application ID) and app_key (MI External Application Key), slackbot.ini file is updated and these access credentials are encrypted automatically.
- To learn more about using !config and other commands for the MI Slack App, refer to Managing Slack App settings
4. How the Secret Key is generated
The hash function generating "Secret Key" uses the following Input Parameters :
- Algorithm: an instance of HashAlgorithm
Length (int): desired length of the derived key in bytes
- Maximum is (232 - 1) * algorithm.digest_size
Salt (bytes): a salt
- Secure values are 128-bits (16 bytes) or longer
Iterations (int): the number of iterations to perform the hash function
- This parameter can be used to control the length of time an operation takes
Parameter Values transferred into the function are as follows:
- algo = SHA256
- length = 32
- salt = commit hash (from the docker container)
- iterations = 100000
PBKDF2 applies a hash function ("SHA256") , to the input password (GUID) with a salt value and repeats the process many times (in our case 100000) to produce a derived key.
The "Secret Key" is then used to encrypt the app id and app key access credentials in Slackbot.ini as described in Section 3 of this Article.