FESA Client-Server Communication Security Model

The FESA Client-Server Model uses FlexSystem's proprietary encryption and compression technology to produce a secure channel: a way of transferring data that is resistant to overhearing and tampering.

On top of this secure channel, we provide a way to support the Open Standard secure model and to ensure the confidentiality of data transferred on the network: connections can optionally be encrypted on the FESA application server. It also supports server certificates, so that client devices (Windows & Web) can verify the identity of the server computer.

This document introduces the architecture for applying secure connections on the FESA application server.

 

  • Secure Connections

    • When the option is enabled, data is transferred over a secure connection (secure channel). Before a secure connection is established, the client sends a request for key exchange; server and client then perform a key exchange using asymmetric encryption so that the session key is delivered between them in a secure way. The session key is then used for symmetric encryption, and the secure connection is established.

 

  • Key Exchange

    • To establish a secure connection, client and server perform a handshake to exchange a session key. The client uses the 1024-bit/2048-bit RSA algorithm to encrypt a newly generated pre-master-secret and sends it to the server; the server then uses this pre-master-secret to derive the session key. A session key is cryptographically secure random data and is valid for only one session; one is generated and exchanged for every session.

 

  • Connection Encryption

    • Once a session key is derived, the secure connection starts; data transferred between server and client is encrypted using the 256-bit Advanced Encryption Standard (AES) or the 192-bit Triple DES algorithm, depending on the configuration of the application server.

 

  • Specifying a Symmetric Algorithm

    • The default symmetric algorithm for encrypting connections is AES 256-bit; it can be overridden by specifying an algorithm setting. The available options are AES and 3DES.

 

  • Server Certificate

    • The application server can optionally install a server certificate (X.509 certificate) to prove its identity to client computers; the server certificate includes a public key for session key exchange.

 

  • Preparation and Applying Server Certificate

    • To apply a server certificate, you need to submit a Certificate Signing Request (CSR) to your Certification Authority (CA) (e.g. VeriSign, Thawte or even your own CA) to sign the certificate.
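
The key exchange and connection encryption described above, sketched in Go as an added example; it is not FlexSystem's code, whose channel is proprietary. RSA-OAEP padding, the HMAC-SHA256 key derivation, AES-GCM mode, the 48-byte secret length and all function names are assumptions, since this page names only RSA, a pre-master-secret and AES 256-bit.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// newServerKey makes a constructed 2048-bit RSA key pair standing in for the server's.
func newServerKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// clientHello wraps a fresh random pre-master secret under the server's public key.
func clientHello(pub *rsa.PublicKey) (pms, wrapped []byte, err error) {
	pms = make([]byte, 48)
	if _, err = rand.Read(pms); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, pms, nil) // OAEP is assumed
	return pms, wrapped, err
}

// serverAccept recovers the pre-master secret with the server's private key.
func serverAccept(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

// channel derives the 256-bit session key (assumed KDF: HMAC-SHA256) and keys AES-256-GCM.
func channel(pms []byte) (cipher.AEAD, error) {
	m := hmac.New(sha256.New, pms)
	m.Write([]byte("example session key")) // assumed label
	block, _ := aes.NewCipher(m.Sum(nil))  // 32-byte key selects AES-256; cannot fail
	return cipher.NewGCM(block)
}

func main() {
	priv, _ := newServerKey() // errors ignored in this walk-through only
	pms, wrapped, _ := clientHello(&priv.PublicKey)
	got, _ := serverAccept(priv, wrapped)
	c, _ := channel(pms) // client end
	s, _ := channel(got) // server end
	nonce := make([]byte, c.NonceSize()) // record counter 0; never repeat a nonce under one key
	record := c.Seal(nil, nonce, []byte("constructed payload"), nil)
	pt, err := s.Open(nil, nonce, record, nil)
	fmt.Printf("%q %v\n", pt, err)
}
```

The client in this sketch encrypts to whatever public key it is handed; the server certificate described above is what lets a client check that the key belongs to the server before sending the pre-master-secret.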

 

Summary

Pros & Cons on Different Security Settings