Advanced Encryption Standard

Device Control uses the Advanced Encryption Standard (AES) 256-bit encryption standard, which provides a powerful, unbreakable encryption method to ensure data is always protected.

AES is based on a design principle known as a substitution-permutation network and has a fixed block size of 128 bits and a key size of 128, 192, or 256 bits. The AES cipher is specified as a number of repetitions of transformation rounds that convert the input plaintext into the final output ciphertext.

Since one byte equals 8 bits, the fixed block size of 128 bits is 128 ÷ 8 = 16 bytes. AES operates on a 4×4 array of bytes, termed the state. Each round generates a new state from the previous state, and the final state after all rounds contains the ciphertext.

Each round consists of several processing steps, including one that depends on the encryption key. A corresponding set of inverse rounds transforms the ciphertext back into the original plaintext using the same encryption key. Ivanti works with a 256-bit block; in this case the algorithm uses 8×6 matrices as states and subkeys. The 256-bit algorithm executes 14 rounds.
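The following Go program is an added example (not Ivanti's code) that exercises the properties described above with the standard library's AES: the state is always one 16-byte block regardless of key length, a 32-byte key selects the 14-round AES-256 variant, the same key runs the inverse rounds for decryption, and keys that are not exactly 128, 192 or 256 bits are refused. It checks the result against the AES-256 known-answer vector from FIPS-197 Appendix C.3, and it also shows the caveat that two identical plaintext blocks under one key give identical ciphertext blocks, which is why stored data must be encrypted under a mode of operation rather than block by block. The 16-byte sample block is constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"fmt"
)

// Known-answer test taken from FIPS-197 Appendix C.3 (AES-256, one block).
const (
	fipsKeyHex   = "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"
	fipsPlainHex = "00112233445566778899aabbccddeeff"
	fipsCtHex    = "8ea2b7ca516745bfeafc49904b496089"
)

// newAES256 enforces the 256-bit key length before handing the key to the
// standard library, which itself only accepts 16, 24 or 32 bytes.
func newAES256(key []byte) (cipher.Block, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("AES-256 needs a 32-byte key, got %d bytes", len(key))
	}
	return aes.NewCipher(key)
}

// EncryptBlock runs the 14-round AES-256 transformation on exactly one block.
// aes.BlockSize is 16: the 4x4 byte state is always 128 bits, whatever the key length.
func EncryptBlock(key, block []byte) ([]byte, error) {
	if len(block) != aes.BlockSize {
		return nil, fmt.Errorf("block must be %d bytes, got %d", aes.BlockSize, len(block))
	}
	c, err := newAES256(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize)
	c.Encrypt(out, block)
	return out, nil
}

// DecryptBlock applies the inverse rounds with the same key: AES is symmetric,
// so one secret serves both directions.
func DecryptBlock(key, block []byte) ([]byte, error) {
	if len(block) != aes.BlockSize {
		return nil, fmt.Errorf("block must be %d bytes, got %d", aes.BlockSize, len(block))
	}
	c, err := newAES256(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize)
	c.Decrypt(out, block)
	return out, nil
}

// CheckFIPSVector reports whether the published AES-256 ciphertext is reproduced
// and whether decrypting with the same key recovers the plaintext.
func CheckFIPSVector() bool {
	key, _ := hex.DecodeString(fipsKeyHex)
	pt, _ := hex.DecodeString(fipsPlainHex)
	want, _ := hex.DecodeString(fipsCtHex)
	ct, err := EncryptBlock(key, pt)
	if err != nil || !bytes.Equal(ct, want) {
		return false
	}
	back, err := DecryptBlock(key, ct)
	return err == nil && bytes.Equal(back, pt)
}

// RejectsShortKey reports whether a 20-byte key is refused. AES keys are exactly
// 128, 192 or 256 bits; a "256-bit" deployment must not silently accept less.
func RejectsShortKey() bool {
	_, err := EncryptBlock(make([]byte, 20), make([]byte, aes.BlockSize))
	return err != nil
}

// RepeatedBlocksCollide shows the caveat of the raw block transformation: equal
// plaintext blocks under one key give equal ciphertext blocks. Real data is
// therefore encrypted under a mode such as GCM or CBC with a fresh IV, never by
// running the block cipher on each 16-byte chunk independently.
func RepeatedBlocksCollide() bool {
	key, _ := hex.DecodeString(fipsKeyHex)
	block := []byte("same 16 bytes!!!") // constructed sample, exactly 16 bytes
	a, _ := EncryptBlock(key, block)
	b, _ := EncryptBlock(key, block)
	return bytes.Equal(a, b)
}

func main() {
	fmt.Println("FIPS-197 C.3 vector reproduced:", CheckFIPSVector())
	fmt.Println("20-byte key rejected:", RejectsShortKey())
	fmt.Println("identical blocks collide under raw AES:", RepeatedBlocksCollide())
}
```

Run it with `go run` and all three lines print `true`. The last check is the practical takeaway: the block cipher by itself is deterministic, so a product that protects records with AES must also choose a mode and manage IVs or nonces correctly.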

AES itself is a symmetric algorithm: the same key is used for encryption and decryption. To ensure that this symmetric AES key is not visible when stored in the database and cannot be read by anyone who has access to the database, Device Control uses public-private key pair-based encryption to encode the symmetric encryption key.

The Application Server and kernel clients contain a default embedded encryption key pair that is intended only for software evaluation. Before deploying the client in your environment, create your own key pair using the Key Pair Generator tool. If a higher level of protection is required, Ivanti strongly recommends storing the private key external to the Application Server. Only the public key should be available to the clients; the private key should be available only to the Application Server, whether it is stored internally or externally.
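The hybrid scheme described in the two paragraphs above, as an added Go example that is not Ivanti's code: the client, which holds only the public key, generates a fresh 256-bit AES key, encrypts the record with it, and wraps that key under the public key; the Application Server, the only party holding the private key, unwraps the key and decrypts. The page does not name the asymmetric algorithm or the AES mode, so RSA-OAEP and AES-GCM are assumptions here, as is the OAEP label `dc-key-wrap` and the sample payload, which is constructed. The check also confirms that a different private key cannot unwrap the stored key and that a modified record is rejected.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// oaepLabel binds the wrapped key to its purpose (assumed value, not from the page).
var oaepLabel = []byte("dc-key-wrap")

// WrappedRecord is what would sit in the database: the AES-GCM ciphertext and
// the AES key encrypted under the server's public key. Neither field alone
// reveals the plaintext, and the key cannot be opened without the private key.
type WrappedRecord struct {
	Nonce      []byte
	Ciphertext []byte
	WrappedKey []byte
}

// ClientEncrypt runs on a client. It takes only the public key, so the type
// system already prevents the private key from being handed to this side.
func ClientEncrypt(pub *rsa.PublicKey, payload []byte) (*WrappedRecord, error) {
	key := make([]byte, 32) // fresh 256-bit symmetric key per record
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, payload, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, oaepLabel)
	if err != nil {
		return nil, err
	}
	return &WrappedRecord{Nonce: nonce, Ciphertext: ct, WrappedKey: wrapped}, nil
}

// ServerDecrypt runs on the Application Server, the only holder of the private key.
// The symmetric key exists in the clear only here, and only while in memory.
func ServerDecrypt(priv *rsa.PrivateKey, rec *WrappedRecord) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, rec.WrappedKey, oaepLabel)
	if err != nil {
		return nil, fmt.Errorf("unwrap failed: %w", err)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, rec.Nonce, rec.Ciphertext, nil) // fails on any tampering
}

// RoundTrip generates a server key pair, encrypts a constructed record as the
// client would, and checks that the server recovers it, that a second key pair
// cannot unwrap the stored key, and that a modified record is rejected.
func RoundTrip() error {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return err
	}
	payload := []byte("constructed sample: device policy record") // constructed data
	rec, err := ClientEncrypt(&priv.PublicKey, payload)
	if err != nil {
		return err
	}
	got, err := ServerDecrypt(priv, rec)
	if err != nil || !bytes.Equal(got, payload) {
		return errors.New("server could not recover the record")
	}
	other, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return err
	}
	if _, err := ServerDecrypt(other, rec); err == nil {
		return errors.New("a foreign private key unwrapped the AES key")
	}
	tampered := *rec
	tampered.Ciphertext = append([]byte(nil), rec.Ciphertext...)
	tampered.Ciphertext[0] ^= 0x01
	if _, err := ServerDecrypt(priv, &tampered); err == nil {
		return errors.New("tampered record was accepted")
	}
	return nil
}

func main() {
	fmt.Println("hybrid round trip:", RoundTrip())
}
```

Running it prints `hybrid round trip: <nil>`. Note what the design does not cover: anyone who obtains the private key can unwrap every stored key, which is exactly why the text recommends keeping that key off the Application Server when a higher level of protection is required.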

[Figure: encryption schematic]