End-to-End encryption (passwords)
10.2.1.5. End-to-End Encryption of passwords

End-to-end encryption (E2EE) of user passwords ensures uninterrupted protection from the web browser all the way to Airlock IAM (or even a hardware module, see below). Passwords entered by the user into Airlock IAM's login application are encrypted in the browser using JavaScript and only decrypted at the endpoint where the password is verified.

Although the feature is designed for web browsers, it can also be used with any other type of HTTP client, as long as that client is able to perform the required cryptographic computations.

This approach provides a higher level of security than traditional client-server communication, where data is typically encrypted only on the transport layer and is held in plaintext in the server's memory once the transport encryption has been stripped off.

Overview

End-to-end encryption of passwords is independent of SSL/TLS.

JavaScript support in the web-browser is required for this feature.

HSM based E2EE of passwords

Airlock IAM can use an HSM together with E2EE of passwords: configure an HSM Keystore instead of a Java Keystore and follow the instructions in 10.2.1.6. HSM/PKCS #11 support for passwords.

Further information and links