End-to-end encryption (E2EE) of user passwords ensures uninterrupted protection from the web browser all the way to Airlock IAM (or even a hardware module, see below). Passwords entered by the user into Airlock IAM's login application are encrypted in the browser using JavaScript and only decrypted at the endpoint where the password is verified.
Although the feature is designed for web browsers, it can also be used with any other type of HTTP client, as long as that client can perform the required cryptographic computations.
This approach guarantees a higher level of security than traditional client-server communication, where data is typically encrypted only on the transport layer and is kept in plaintext in the server's memory.
End-to-end encryption of passwords is independent of SSL/TLS.
JavaScript support in the web browser is required for this feature.
HSM based E2EE of passwords
To use E2EE of passwords with an HSM, configure an HSM Keystore instead of a Java Keystore in Airlock IAM and follow the instructions in 10.2.1.6. HSM/PKCS #11 support for passwords.
Further information and links
- Configuration in the Loginapp REST API: In the Password Authentication Step, use the Default End-To-End Encryption Password Repository.
- Configuration in the JSP-Loginapp: 17.4.1.1.3. Password end-to-end encryption configuration
Note that there is no web UI for password end-to-end encryption, i.e., it is not supported by the Loginapp REST UI.
See also 17.5.5.1. Password-related features (JSP-Loginapp migration).