Version: Cloud

Additional security aspects

Some of the security aspects of Omada Identity are relevant to several of the solution's components. Elements such as the shared secret or the password encryption key are not tied to ES or OPS alone but span the entire Omada Identity solution. This page provides an overview of these aspects and is relevant for all components of Omada Identity.

Security aspects relevant to Omada Identity Cloud and on-premises

This section covers security aspects that are relevant for both on-prem and cloud deployments of Omada Identity.

Encryption

Omada Identity uses a PBES2-based encryption method as defined by the JSON Web Encryption (JWE) standard to protect sensitive data. This approach follows industry best practices by combining a strong key derivation function with authenticated encryption.

The encryption mechanism applies the following components:

  • PBKDF2 with SHA-512 (Password-Based Key Derivation Function 2) as the key derivation function.

    PBKDF2 strengthens passwords by repeatedly hashing them. This makes it much harder for attackers to guess or brute-force the original password, because every attempt is slowed down by thousands of hash iterations.

  • AES-256-GCM (A256GCM) as the encryption mode.

    AES-256-GCM is a modern authenticated encryption standard that both protects the confidentiality of data and verifies that it has not been tampered with. It uses a 256-bit key for strong security and includes built-in integrity checks, so if the encrypted data is changed in any way, the decryption process will detect it.

  • A random salt generated for every encryption operation.

    Even if the same password is used multiple times, the derived encryption key will always be different.

  • A random initialization vector (IV) generated for every encryption operation.

    Even if the same plaintext is encrypted multiple times with the same key, the ciphertext will always differ.

  • A configurable iteration count to balance performance and security requirements.

    The PBKDF2 iteration count master setting allows system administrators to specify the number of iterations for the PBKDF2 key derivation function. The default value is 210,000, which aligns with modern security recommendations for PBKDF2 with SHA-512. For more technical details, look up this setting in Master settings – Security.

    Performance Considerations

    While higher values for the PBKDF2 iteration count improve security by making brute-force attacks more computationally expensive, they can also impact system performance. To strike the right balance between performance and security, evaluate your security needs and system capabilities when configuring this setting.