000036199 - Disable SHA1 hashing in Audit logs in RSA Adaptive Authentication (OnPrem) 7.x

Document created by RSA Customer Support Employee on Apr 3, 2018
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000036199
Applies ToRSA Product Set: Adaptive Authentication (OnPrem)
RSA Product/Service Type: Adaptive Authentication (OnPrem)
RSA Version/Condition: 7.x
IssueCustomer asks:
  • How can they see the plain text for user names in Audit logs?
  • How to decrypt the hashed names?
ResolutionHow to see the plain text for user names in Audit logs:

Audit logs have the username hashed with SHA-1 algorithm which is a one way method.
You can remove the hashing for the Audit log user IDs here:
User-added image

Uncheck this field and the values should be now plain text from the time you save to the future entries.
The entries should look like this after the change:
2018-03-27 09:54:12,021 -0700 | [] | [0ff7-:065234cf161:53ece7c6-] | [test | dummy | 16 | | S4SxW/9u5XlhUklaIw5F49fpR9k= | RISK_ANALYSIS | fef7-:065234cf161:53ece7c6-_TRX | fef7-:065234cf161:53ece7c6-_TRX | SESSION_SIGNIN | [&FORENSIC_EVENT_TYPE=SESSION_SIGNIN&FORENSIC_SCORE=1000&POLICY_OUTCOME=ALLOW]]

How to decrypt the hashed names:

We don’t decrypt the names.  There is no way of decrypting SHA-1 since it is a one way encryption method.  What we do to find the information for the users, is to encrypt the plain value again and look for it in the logs.
For example, to look for the activity in the audit logs of a user with ID “test” we hash the value using an online tool like http://passwordsgenerator.net/sha1-hash-generator/:

User-added image

Then look in the logs for the hashed value: A94A8FE5CCB19BA61C4C0873D391E987982FBBD3 (hashed string for 'test').
All log entries using that hash are related to that user.