Standards and Algorithms
Spotfire provides the following standards and algorithms for encryption.
Purpose | Encryption/Hashing algorithm | Comment |
---|---|---|
Backend HTTP over TLS (HTTPS) | Default (with modern protocols and cipher suites enabled): TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384. The following cipher suites are supported for backwards compatibility only: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_AES_CBC_128_SHA256, TLS_AES_CBC_256_SHA256 | The TLS protocol for Spotfire Server 11.4 and forward is TLSv1.3 when communicating with the node manager or the Java-based services, and TLSv1.2 when communicating with .NET-based services. (Previous versions of the node manager can use TLSv1.2, TLSv1.1 or TLSv1 before being upgraded.) If all (modern) protocols and cipher suites are enabled on the computer running the Spotfire Web Player service, then the cipher suite chosen for all communication is TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256. Note: Support for the TLS_DHE_RSA_WITH_AES_* and TLS_AES_CBC_* cipher suites is kept only for backwards compatibility and will be removed in a later version. |
Backend certificates | Asymmetric keys: automatically generated 2048-bit RSA keys (configurable for certificates representing TSS instances, but not configurable for other components). Signature algorithm: SHA256withRSA (configurable). | Keystore: PKCS12. |
Data transfers | SHA-512, but also supports SHA-256, SHA-1 and MD5 | For error-detection checksums in the Digest/Content-MD5 HTTP headers, as defined by RFC 3230 and RFC 1864. |
Encryption of service passwords | AES-128 | |
HTTP over TLS (HTTPS) | The TLS protocol version, the encryption algorithm and the key strength are configurable using standard Java procedures. | See JDK Providers Documentation. |
Hashing of user passwords | PBKDF2 | SHA-512, SHA-256 or SHA-1 can be used for password hashes created by older versions of Spotfire Server. |
Information Link cache | SHA-256 | For calculation of cache keys used for comparison. |
JDBC over TLS | The TLS protocol version, the encryption algorithm and the key strength are configurable using standard Java procedures. | See JDK Providers Documentation. |
JDBC using vendor-specific cryptography | The Oracle Database JDBC driver supports the following algorithms: Legacy: RC4-40, RC4-56, RC4-128, RC4-256, DES-40-CBC, DES-56-CBC, 3DES-112 and 3DES-168. Recommended: AES-128, AES-192 and AES-256. | See JDK Providers Documentation. |
JMX over TLS | The TLS protocol version, the encryption algorithm and the key strength are configurable using standard Java procedures. | See JDK Providers Documentation. |
Kerberos/GSSAPI | Legacy: DES-CRC, DES-MD5, RC4-HMAC and AES-128-CTS-HMAC-SHA1-96. Recommended: AES-256-CTS-HMAC-SHA1-96. | Uses the built-in Java support for the Kerberos and GSS-API protocols. See JDK Providers Documentation. |
LDAP over TLS (LDAPS) | The TLS protocol version, the encryption algorithm and the key strength are configurable using standard Java procedures. | See JDK Providers Documentation. |
NTLM v2 | According to the protocol specification. | |
OAuth2 | RSA-OAEP-256 | For encryption of access and refresh tokens according to the JWE standard (RFC 7516). |
OAuth2 | A128GCM | For encryption of access and refresh tokens according to the JWE standard (RFC 7516). |
OAuth2 | SHA-256 | For client verification according to the PKCE standard (RFC 7636). |
Script trust hashes | SHA-1 and SHA-512 | JavaScript, custom queries, TERR scripts, Python scripts, IronPython scripts, and other data functions are trusted based on hash value. |
Server configurations | SHA-1 | For error-detection checksums. |
Software distributions files ("deployments") | SHA-1 | For error-detection checksums. |
Temporary data files | AES-128, AES-192 and AES-256 | |
Visualization mods | SHA-512 and ASiC-E Containers (Associated Signature Containers) | Visualization mods can be trusted based on hash value or signer certificates. |
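The "Data transfers" row above says checksums travel in the Digest (RFC 3230) and Content-MD5 (RFC 1864) headers, with SHA-512 as the default and SHA-256, SHA-1 and MD5 supported. The following is an added example, not Spotfire's own code, of building and verifying such headers; the algorithm token names (SHA-512, SHA-256, SHA, MD5) are assumed from RFC 3230 and RFC 5843, and the sample body is constructed.

```python
import base64
import hashlib
import hmac

# RFC 3230 instance-digest tokens (SHA-256/SHA-512 registered by RFC 5843),
# mapped to hashlib constructors. Token names are assumed from the RFCs.
DIGEST_ALGORITHMS = {
    "sha-512": hashlib.sha512,
    "sha-256": hashlib.sha256,
    "sha": hashlib.sha1,
    "md5": hashlib.md5,
}


def make_digest_header(body: bytes, algorithms=("SHA-512",)) -> str:
    """Build an RFC 3230 Digest header value; SHA-512 is the default."""
    parts = []
    for name in algorithms:
        digest = DIGEST_ALGORITHMS[name.lower()](body).digest()
        parts.append(f"{name}={base64.b64encode(digest).decode('ascii')}")
    return ",".join(parts)


def make_content_md5(body: bytes) -> str:
    """Build an RFC 1864 Content-MD5 header value (base64 of the MD5 digest)."""
    return base64.b64encode(hashlib.md5(body).digest()).decode("ascii")


def verify_digest_header(body: bytes, header: str) -> dict:
    """Check every instance-digest in a Digest header against the body.

    Returns {algorithm: True/False}. Unknown tokens and undecodable values
    are reported as False, so a header made only of unsupported tokens
    cannot pass, and comparison is constant-time to avoid timing leaks.
    """
    results = {}
    for item in header.split(","):
        name, sep, value = item.strip().partition("=")
        ctor = DIGEST_ALGORITHMS.get(name.lower()) if sep else None
        if ctor is None:
            results[name] = False
            continue
        try:
            received = base64.b64decode(value, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            results[name] = False
            continue
        results[name] = hmac.compare_digest(ctor(body).digest(), received)
    return results
```

A receiver should treat any False entry as a failed transfer; since these are error-detection checksums rather than signatures, they detect corruption but not deliberate tampering by a party who can also rewrite the header.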
- Spotfire Analyst, Spotfire Web Player, and Spotfire Automation Services
The applications in the Spotfire environment use the following encryption standards and algorithms.