Communication Security

COMMUNICATION SECURITY

FESA Client-Server Communication Security Model

FESA Client-Server Model uses FlexSystem’s proprietary encryption and compression technology to produce a Secure Channel. This secure channel is a way of transferring data that is resistant to overhearing and tampering.

 

On top of this secure channel, we provide a way to support the Open Standard secure model and to ensure the confidentially of data transferred on the network; connections can be optionally encrypted on FESA application server. Besides, it also supports server certificates, so that client devices (Windows & Web) can verify the identity of the server computer.

comsecu_01

Secure Connections

When the option is enabled, data are transferred in a secure connection (secure channel). Before a secure connection is enabled, client sends a request for key exchange; server and client then perform a key exchange using asymmetric encryption so that the session key is delivered to each other in a secure way. The session key will then be used for the symmetric encryption; a secure connection is established.

 

Key Exchange

To establish a secure connection, client and server perform a handshaking process to exchange a session key. Client uses 1024-bit/2048-bit RSA algorithm to encrypt a new generated pre-master-secret, and sends it to the server; then server uses this pre-master-secret to derive the session key. A session key is cryptographically secure random, and is only valid for one session; it will be generated and exchanged for every session.

 

Connection Encryption

Once a session key is derived, a secure connection will be started; data transferred between server and client will be encrypted using 256-bit Advanced Encryption Standard (AES) or 192-bit Triple DES algorithm depends on the configuration of the application server.

 

Specifying a Symmetric Algorithm

The default symmetric algorithm for encrypting connection is AES 256-bit; it can be overridden by specifying an algorithm settings, the available options are AES and 3DES.

 

Server Certificate

Application server can optionally install a server certificate (X.509 certificate) to prove its identity to client computers; and a server certificate includes a public key for session key exchange.

 

Preparation and Applying Server Certificate

To apply a server certificate, you need to submit a Certificate Signing Request (CSR) to your Certification Authority (CA) (e.g. VeriSign, Thawte or even your own CA) to sign the certificate.

Summary

Pros & Cons on Different Security Settings

 Security Settings  Pros  Cons
Proprietary Secure Channel
  • Fast
  • Lightweight
  • Proprietary Encryption Model
  • Non-open Standard
Secure Channel without Digital Certificate
  • High Secure
  • Open Standard Model
  • AES 256-bit or 3-DES 192-bit available
  • Slower than Proprietary Secure Model
  • More Network Traffic than Proprietary Secure Model
Secure Channel with Digital Certificate
  • Highest Secure
  • Open Standard Model with Cert
  • AES 256-bit or 3-DES 192-bit available
  • Certificate Signing Request (CSR) to Certification Authority (CA) required