What encryption methods are used in MicroStrategy 9.x?
MicroStrategy 9.x employs two main encryption algorithms. These are the Tiny Encryption Algorithm (TEA) and the RACE Integrity Primitives Evaluation MD-160 (RIPEMD-160) fast cryptographic hash function method.
Tiny Encryption Algorithm
The Tiny Encryption Algorithm (TEA) is a cryptographic algorithm that uses operations from orthogonal algebraic groups. It encrypts in a 64-bit block cipher with a 128-bit key length. TEA is very secure; to date, there have been no known successful cryptanalyses of TEA. More information can be found about this algorithm at the Needham and Wheeler’s original paper at Cambridge University Computer Lab.
RIPEMD-160 is a 160-bit cryptographic fast hash function tuned for 32-bit processors. In general, a hash function is a transformation that takes an input m and returns a fixed-size string, which is called the hash value h (that is, h = H(m)). Its primitive operations are: left-rotation (or “left-spin”) of words, bitwise Boolean operations (AND, NOT, OR, ex-clusive-OR) and, two’s complement modulo 232 addition of words. RIPEMD-160 was proposed when 128-bit hash functions no longer offered enough security under brute force collision search attacks. More information can be found about RIPEMD-160 at RSA Security’s CryptoBytes Technical Newsletter Volume 3, No. 2 – Autumn 1997.
Where are the encryption methods used in MicroStrategy 9.x?
Browser (4-tier mode client) to MicroStrategy Web/Web Server:
When a user first logs in to a MicroStrategy project in MicroStrategy Web, the browser transmits the user password in clear text by default under standard authentication. If NT Authentication is used, standard NT validation takes place via NT security. If the user requires stronger security Secure Socket Layer may be used to encrypt this communication. Once the session has been established, there is no need to pass the password between the browser and MicroStrategy Web Server.
Client (3-tier mode client) machines to MicroStrategy Intelligence Server:
When the user logs into a MicroStrategy project using a 3-tier mode client such as MicroStrategy Agent, MicroStrategy Architect, and/or MicroStrategy Administrator – Object Manager, the user password is encrypted using RIPEMD-160 before transmission to MicroStrategy Intelligence Server.
MicroStrategy Web/Web Server to MicroStrategy Intelligence Server:
From MicroStrategy Web/Web Server to MicroStrategy intelligence Server, the user password is encrypted using TEA.
MicroStrategy Intelligence Server Server Definition:
As the MicroStrategy Intelligence Server is a Microsoft Windows NT service, it will need to connect to the Metadata database automatically. The metadata password is stored in the local machine’s registry and is encrypted via TEA.
Client machines Project Source Defintion:
When client machines (e.g., MicroStrategy Desktop, MicroStrategy Administrator – Object Manager etc.) connect using Direct connections to MicroStrategy project (i.e., not through MicroStrategy Intelligence Server), the metadata password is stored in the local machine’s registry. This is encrypted via TEA.
MicroStrategy project DBLogin:
In order to connect to the Warehouse database on behalf on the MicroStrategy f user, the warehouse database password is stored in the DBLogin object in the MicroStrategy metadata. This password is stored encrypted via TEA. Starting MicroStrategy 7.2, using Warehouse Pass-Through security will by-pass the use of DBLogin. When this method of user login is used, the warehouse password is encrypted using TEA before transmission to the MicroStrategy Intelligence Server. This is then decrypted at the MicroStrategy Intelligence Server for the required Open Database Connectivity (ODBC) connections.
MicroStrategy Passwords in the Metadata:
The metadata password is encrypted using RIPEMD160 and is stored in the metadata in encrypted form. The password is never decrypted. Rather, when a user tries to log on, the password is encrypted with the same and compared to the stored value. If the results match what is stored in the metadata, the user is granted access to the project source.