Authentication with Control Room

When a Bot Creator or Bot Runner tries to connect to Control Room, the credentials are encrypted using AES (256-bit key) and RSA (2048-bit key) and then transmitted on top of the existing layer of Transport Layer Security (TLS).
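The page names the two algorithms but not how they are combined, so the following is an added illustration, not Control Room's code: the common hybrid construction in which a fresh AES-256-GCM key seals the credential bytes and RSA-2048 (OAEP padding) wraps that key for the server. The GCM mode, OAEP padding, SHA-256 as the OAEP hash, the in-memory `Envelope` layout and the sample credential string are all assumptions. The security-relevant point is that the envelope is opaque to every hop that only sees the TLS-decrypted bytes, such as the segment behind a TLS-terminating load balancer.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is the message-level wrapper carried inside the TLS stream.
// Layout is an assumption for this example; the page does not specify it.
type Envelope struct {
	WrappedKey []byte // RSA-2048-OAEP(serverPub, aesKey)
	Nonce      []byte // 12-byte AES-GCM nonce, unique per message
	Ciphertext []byte // AES-256-GCM(aesKey, nonce, credential) with tag appended
}

// SealCredential is the client side: generate a one-time 256-bit AES key,
// encrypt the credential with it, then wrap the key for the server's RSA key.
func SealCredential(pub *rsa.PublicKey, credential []byte) (*Envelope, error) {
	aesKey := make([]byte, 32) // 256-bit key, never reused across messages
	if _, err := rand.Read(aesKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, credential, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, aesKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// OpenCredential is the server side: unwrap the AES key with the RSA private
// key, then authenticate and decrypt the credential. Any tampering with the
// wrapped key or the ciphertext fails here, before the credential is used.
func OpenCredential(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	aesKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("key unwrap failed")
	}
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("credential authentication failed")
	}
	return plain, nil
}

func main() {
	// Constructed demo: the server key pair would normally be provisioned once.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	env, err := SealCredential(&priv.PublicKey, []byte("bot-runner-1:constructed-secret"))
	if err != nil {
		panic(err)
	}
	got, err := OpenCredential(priv, env)
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrapped key %d bytes, ciphertext %d bytes, recovered %q\n",
		len(env.WrappedKey), len(env.Ciphertext), got)
}
```

Two design choices worth noting: the AES key is generated per message, so a recovered key exposes one credential rather than a session, and GCM's authentication tag means a modified envelope is rejected rather than decrypted to garbage and passed on to the password check.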

This extra layer of message-level encryption provides protection against network stack issues (such as Heartbleed, where OpenSSL leaked sensitive data from memory) and also protects the last hop of the connection when TLS is terminated at the load balancer. These credentials are decrypted by Control Room and authenticated either against the hashed user passwords (PBKDF2 with HMAC-SHA512) or against a directory via Lightweight Directory Access Protocol (LDAP).
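As an added example of the local-password path (not Control Room's own code), here is PBKDF2 with HMAC-SHA512 as the pseudo-random function, implemented from RFC 8018 so it runs on any Go version, together with a verifier that compares in constant time. The page gives no iteration count, salt length or derived-key length; the 210,000 iterations, 16-byte salt and 64-byte output below are assumptions (the iteration figure is OWASP's current recommendation for this PRF), as is the `StoredPassword` record layout.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha512"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// Parameters are assumptions for this example; the page does not state them.
const (
	pbkdf2Iterations = 210000 // OWASP figure for PBKDF2-HMAC-SHA512
	saltLen          = 16
	keyLen           = 64 // one full SHA-512 block of output
)

// StoredPassword is what the user store keeps: never the password itself.
type StoredPassword struct {
	Iterations int
	Salt       []byte
	Hash       []byte
}

// pbkdf2HMACSHA512 implements RFC 8018 section 5.2 with HMAC-SHA512 as PRF:
// T_i = U_1 xor U_2 xor ... xor U_c, U_1 = PRF(P, S || INT(i)), U_j = PRF(P, U_{j-1}).
func pbkdf2HMACSHA512(password, salt []byte, iter, dkLen int) []byte {
	prf := hmac.New(sha512.New, password)
	hLen := prf.Size()
	numBlocks := (dkLen + hLen - 1) / hLen
	out := make([]byte, 0, numBlocks*hLen)
	var idx [4]byte
	for i := 1; i <= numBlocks; i++ {
		binary.BigEndian.PutUint32(idx[:], uint32(i)) // INT(i), big-endian
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx[:])
		u := prf.Sum(nil) // U_1
		t := make([]byte, hLen)
		copy(t, u)
		for j := 1; j < iter; j++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil) // U_j
			for k := range t {
				t[k] ^= u[k]
			}
		}
		out = append(out, t...)
	}
	return out[:dkLen]
}

// HashPassword derives a fresh salted hash for storage at enrolment time.
func HashPassword(password string) (StoredPassword, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return StoredPassword{}, err
	}
	hash := pbkdf2HMACSHA512([]byte(password), salt, pbkdf2Iterations, keyLen)
	return StoredPassword{Iterations: pbkdf2Iterations, Salt: salt, Hash: hash}, nil
}

// VerifyPassword re-derives with the stored salt and iteration count and
// compares in constant time so the check leaks no timing information.
func VerifyPassword(stored StoredPassword, candidate string) bool {
	derived := pbkdf2HMACSHA512([]byte(candidate), stored.Salt, stored.Iterations, len(stored.Hash))
	return subtle.ConstantTimeCompare(derived, stored.Hash) == 1
}

func main() {
	// Constructed demo password; a real one arrives inside the decrypted envelope.
	stored, err := HashPassword("constructed-example-passphrase")
	if err != nil {
		panic(err)
	}
	fmt.Printf("salt=%x hash=%x...\n", stored.Salt, stored.Hash[:8])
	fmt.Println("correct:", VerifyPassword(stored, "constructed-example-passphrase"))
	fmt.Println("wrong:  ", VerifyPassword(stored, "Constructed-example-passphrase"))
}
```

Because the salt and iteration count are stored alongside the hash, the count can be raised for new enrolments without invalidating existing records, and each record is verified with the parameters it was created with.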