I checked the B.O. website and found on their forum that BO uses DES5. I searched the web, but could not find anything on it. Does anyone know what it means? I found out DES3 is 168 byte encryption, does that mean DES5 is 260 byte encryption? Thanks in advance.
skundu (BOB member since 2004-06-28)
The encryption is proprietary. You will not be able to find out what you want. There is an SDK around the admin module in V6 that may help.
Steve Krandel 
(BOB member since 2002-06-25)
If you are trying to decrypt the data you are in for a real challenge. 
If you are just trying to convince someone that their passwords are safe, then that’s another matter. Note that not all data is encrypted in the repository, so things like document names, user names, and so on are in plain text.
The documents are compressed as they are stored, so there is some minor “encryption-like” activity that takes place there.
What, specifically, are you trying to accomplish?
Dave Rathbun (BOB member since 2002-06-06)
Trying to convince someone that the application is secure. Specifically user names/passwords to the actual application and more so the user name password to the reporting database. Thanks.
skundu (BOB member since 2004-06-28)
Why not speak to BusinessObjects? If you explain what your objective is I would hope they would provide you with some basic information.
Nick Daniels 
(BOB member since 2002-08-15)
User names (reporting users that is) are stored as clear text. Passwords are encrypted.
Connection data is encrypted as well, probably using the same algorithm. It can be compromised as any system can be by human factors (writing passwords down, leaving terminals unlocked, telling someone the password, picking passwords that are easily guessed, and so on). As long as you have proper physical security in place (no access to the server) you can probably convince them that the data is safe.
If this is a make-or-break point to make a sale, I’m sure that someone at BusinessObjects would be more than happy to talk you through the general details. As Steve said, the actual algorithm and keys used are not published.
Dave Rathbun 
(BOB member since 2002-06-06)
We actually license Business Objects as a 3rd party vendor, so they do not handle any of our questions/concerns (at least not mine).
skundu (BOB member since 2004-06-28)
The Bomain.key is encrypted using the 16 rounds DES standard. The algorithm can use between 1 and 16 rounds.
Here is more than you will ever want to know about DES encryption.
http://cseserv.engr.scu.edu/StudentWebPages/iplut/HistoryofCryptographyModern.htm
stretch_21 (BOB member since 2002-08-15)
By the way… in the future you may want to consider following up your topic in the same discussion instead of opening a new line of questioning regarding related information. That will keep the information in a single thread and make it easier for others with the same questions.
I believe this was the original thread…
digpen (BOB member since 2002-08-15)