Communication Security

FlexClient-Server Model uses FlexSystem's proprietary encryption and compression technology to produce a Secure Channel. This secure channel is a way of transferring data that is resistant to overhearing and tampering.

 

On top of this secure channel, we provide a way to support the Open Standard secure model and to ensure the confidentially of data transferred on the network; connections can be optionally encrypted on FESA application server. Besides, it also supports server certificates, so that client devices (Windows & Web) can verify the identity of the server computer.

 

This document introduces the architecture on applying secure connection on FESA application server.

 

FESA Client-Server Communication Security Model

 

Secure Connections

When the option is enabled, data are transferred in a secure connection (secure channel). Before a secure connection is enabled, client sends a request for key exchange; server and client then perform a key exchange using asymmetric encryption so that the session key is delivered to each other in a secure way. The session key will then be used for the symmetric encryption; a secure connection is established.

 

Key Exchange

To establish a secure connection, client and server perform a handshaking process to exchange a session key. Client uses 1024-bit/2048-bit RSA algorithm to encrypt a new generated pre-master-secret, and sends it to the server; then server uses this pre-master-secret to derive the session key. A session key is cryptographically secure random, and is only valid for one session; it will be generated and exchange for every session. 

 

Connection Encryption

Once a session key is derived, a secure connection will be started; data transferred between server and client will be encrypted using 256-bit Advanced Encryption Standard (AES) or 192-bit Triple DES algorithm depends on the configuration of the application server.

 

Specifying a Symmetric Algorithm

The default symmetric algorithm for encrypting connection is AES 256-bit; it can be overridden by specifying an algorithm settings, the available options are AES and 3DES.

 

Server Certificate

Application server can optionally install a server certificate (X.509 certificate) to prove its identity to client computers; and a server certificate includes a public key for session key exchange.

 

Preparation and Applying Server Certificate

To apply a server certificate, you need to submit a Certificate Signing Request (CSR) to your Certification Authority (CA) (e.g. VeriSign, Thawte or even your own CA) to sign the certificate.

 


 

Summary

 

 Pros & Cons on Different Security Settings 

 

 

Security Settings

Pros

Cons

Proprietary Secure Channel

ü Fast

ü Lightweight

ü Proprietary Encryption Model

× Non-open Standard

Secure Channel without Digital Certificate

ü High Secure

ü Open Standard Model

ü AES 256-bit or 3-DES 192-bit available

× Slower than Proprietary Secure Model

× More Network Traffic than Proprietary Secure Model

Secure Channel with Digital Certificate

ü Highest Secure

ü Open Standard Model with Cert

ü AES 256-bit or 3-DES 192-bit available

× Certificate Signing Request (CSR) to Certification            Authority (CA) required

Back