Overview

FlexSystem Enterprise Software Architecture (FESA) Diagram

Communication Security

 

FESA Client-Server Communication Security Model

The FESA Client-Server Model uses FlexSystem's proprietary encryption and compression technology to produce a Secure Channel, a way of transferring data that is resistant to eavesdropping and tampering.

On top of this secure channel, FESA can support the Open Standard secure model to ensure the confidentiality of data transferred over the network: connections can optionally be encrypted on the FESA application server. It also supports server certificates, so that client devices (Windows & Web) can verify the identity of the server computer.

This document introduces the architecture for applying secure connections on the FESA application server.

 

Secure Connections

When the option is enabled, data is transferred over a secure connection (secure channel). Before a secure connection is established, the client sends a request for key exchange; the server and client then perform a key exchange using asymmetric encryption so that the session key is shared between them in a secure way. The session key is then used for symmetric encryption, and the secure connection is established.

 

Key Exchange

To establish a secure connection, the client and server perform a handshake to exchange a session key. The client uses the 1024-bit/2048-bit RSA algorithm to encrypt a newly generated pre-master-secret and sends it to the server; the server then uses this pre-master-secret to derive the session key. A session key is a cryptographically secure random value and is valid for only one session; a new one is generated and exchanged for every session.

 

Connection Encryption

Once a session key is derived, the secure connection starts; data transferred between server and client is encrypted using the 256-bit Advanced Encryption Standard (AES) or the 192-bit Triple DES algorithm, depending on the configuration of the application server.
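The key exchange and connection encryption described above, sketched as an added Node.js example that is not FlexSystem's code. The page does not name the RSA padding, the derivation function, the AES mode or any salt, so RSA-OAEP, HKDF-SHA256, AES-256-GCM and a per-session salt are assumptions, and all function names are hypothetical.

```javascript
// Added illustration of RSA key transport followed by AES-256 session encryption.
// Assumed, not stated on the page: RSA-OAEP padding, HKDF-SHA256 derivation,
// AES-256-GCM mode, and a per-session salt sent in the clear.
const crypto = require('crypto');
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Client: encrypt a freshly generated pre-master secret to the server's public key.
function clientKeyExchange(serverPublicKey) {
  const preMaster = crypto.randomBytes(48);
  const wrapped = crypto.publicEncrypt({ key: serverPublicKey, ...OAEP }, preMaster);
  return { preMaster, wrapped };
}

// Server: recover the pre-master secret with the matching private key.
function serverKeyExchange(serverPrivateKey, wrapped) {
  return crypto.privateDecrypt({ key: serverPrivateKey, ...OAEP }, wrapped);
}

// Both sides: derive the 256-bit session key from the pre-master secret.
function deriveSessionKey(preMaster, salt) {
  return Buffer.from(crypto.hkdfSync('sha256', preMaster, salt, 'session key', 32));
}

function encrypt(sessionKey, plaintext) {
  const iv = crypto.randomBytes(12); // must be unique per message under one key
  const cipher = crypto.createCipheriv('aes-256-gcm', sessionKey, iv);
  const data = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { iv, data, tag: cipher.getAuthTag() };
}
function decrypt(sessionKey, { iv, data, tag }) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', sessionKey, iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(data), decipher.final()]); // throws if altered
}

// One session end to end, then the same message with one bit flipped in transit.
function runSession() {
  const server = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const salt = crypto.randomBytes(16);
  const { preMaster, wrapped } = clientKeyExchange(server.publicKey);
  const clientKey = deriveSessionKey(preMaster, salt);
  const serverKey = deriveSessionKey(serverKeyExchange(server.privateKey, wrapped), salt);
  const msg = encrypt(clientKey, Buffer.from('constructed sample payload'));
  const received = decrypt(serverKey, msg).toString();
  msg.data[0] ^= 1;
  let tamperDetected = false;
  try { decrypt(serverKey, msg); } catch { tamperDetected = true; }
  return { keysMatch: clientKey.equals(serverKey), received, tamperDetected };
}
```

In `runSession()` the server's public key is handed to the client directly; in the certificate mode the page describes, that key would come from the server's X.509 certificate.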

 

Specifying a Symmetric Algorithm

The default symmetric algorithm for encrypting connections is AES 256-bit; it can be overridden by specifying an algorithm setting. The available options are AES and 3DES.

 

Server Certificate

The application server can optionally install a server certificate (X.509 certificate) to prove its identity to client computers; the server certificate also includes a public key for the session key exchange.

 

Preparation and Applying Server Certificate

To apply a server certificate, you need to submit a Certificate Signing Request (CSR) to your Certification Authority (CA) (e.g. VeriSign, Thawte or even your own CA) to have the certificate signed.

 

Summary

Pros & Cons on Different Security Settings

Security Settings: Proprietary Secure Channel
Pros:
- Fast
- Lightweight
Cons:
- Proprietary Encryption Model
- Non-open Standard

Security Settings: Secure Channel without Digital Certificate
Pros:
- High Secure
- Open Standard Model
- AES 256-bit or 3-DES 192-bit available
Cons:
- Slower than Proprietary Secure Model
- More Network Traffic than Proprietary Secure Model

Security Settings: Secure Channel with Digital Certificate
Pros:
- Highest Secure
- Open Standard Model with Cert
- AES 256-bit or 3-DES 192-bit available
Cons:
- Certificate Signing Request (CSR) to Certification Authority (CA) required