Tech Note 0016
Security features of DEI software
DEI software uses a variety of methods to control access to your data within your systems and while it is in transit. This article provides an overview of the security features of DEI software, including the features of specific products.
Each MTP/IP datagram includes a 32-bit transaction identifier whose sole purpose is to identify incoming datagrams. This is in addition to separate session, sequencing, and flow control identifiers. By using a dedicated transaction identifier, MTP/IP makes it very difficult for an attacker to successfully inject data into an ongoing transaction. TCP/IP, by contrast, uses only a sequence number for validation, which makes it more vulnerable to injection attacks.
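The following is an added illustrative model, not MTP/IP's actual wire format or code from Data Expedition, Inc.: a receiver that accepts a datagram only when its session id, a randomly chosen dedicated 32-bit transaction id, and its sequence number all check out, alongside a function that counts the combinations a blind injector would have to cover with and without such an identifier. The header layout, window size, and field names are assumptions.

```python
import os
import struct
from dataclasses import dataclass, field

# Hypothetical header: session id (32-bit), transaction id (32-bit), sequence (16-bit).
# This is a teaching model; the real MTP/IP datagram layout is not shown on this page.
HEADER = struct.Struct("!IIH")


def new_txn_id() -> int:
    """Dedicated transaction id, unguessable because it is random per transaction."""
    return struct.unpack("!I", os.urandom(4))[0]


def make_datagram(session_id: int, txn_id: int, seq: int, payload: bytes) -> bytes:
    return HEADER.pack(session_id, txn_id, seq) + payload


@dataclass
class Receiver:
    session_id: int
    txn_id: int                 # value agreed when the transaction started
    next_seq: int = 0
    window: int = 64            # assumed reordering window for the sequence number
    accepted: list = field(default_factory=list)
    rejected: int = 0

    def receive(self, datagram: bytes) -> bool:
        """Accept only if session, transaction id and sequence window all match."""
        if len(datagram) < HEADER.size:
            self.rejected += 1
            return False
        session, txn, seq = HEADER.unpack_from(datagram)
        in_window = self.next_seq <= seq < self.next_seq + self.window
        if session != self.session_id or txn != self.txn_id or not in_window:
            self.rejected += 1          # a forged datagram is dropped silently
            return False
        self.accepted.append((seq, datagram[HEADER.size:]))
        if seq == self.next_seq:
            self.next_seq += 1
        return True


def blind_guess_space(window: int, txn_bits: int = 0) -> int:
    """Combinations a blind injector must try to land one datagram.

    txn_bits=0 models a sequence-number-only check (the TCP case in the text);
    txn_bits=32 models the added dedicated transaction identifier.
    """
    return (1 << txn_bits) * window
```

With a 64-datagram window the sequence-only check leaves 64 candidates, while the added 32-bit identifier multiplies that by 2^32.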
The MTP/IP Core Software Development Kit supports packet level just-in-time encryption and decryption. This allows applications complete freedom to choose their encryption algorithms and keys while ensuring high performance and minimal integration effort.
MTP/IP guarantees that upon successful completion of a data transport transaction, the data it delivers at the destination will be byte-for-byte identical to the data it was given at the source. Data in transit is protected by multiple checksums, a patented transport state management system, and optional encryption with tamper protection. See Tech Note 0028 for more about data transport integrity.
The ExpeDat and SyncDat applications both offer the Advanced Encryption Standard (AES) algorithm with 128-bit keys. Content encryption may not be enabled by default, so be sure to apply the appropriate option if you desire encryption.
In most WAN environments, encryption creates minimal CPU overhead. But if your network is very fast (e.g. multigigabit), then enabling encryption may reduce throughput depending on the number of CPU cores available. If you find that encryption is necessary but hurting performance, switch to a system with more CPU cores or consider using a packet-based hardware Virtual Private Network, such as IPsec. Note that MTP/IP cannot be used with SSL VPNs, as they do not support packet-level data transport.
The ExpeDat and SyncDat servers can authenticate transactions via usernames and passwords. These credentials may be verified by the server operating system's native authentication mechanism (SysAuth), a private password file (AuthFile), your own custom authentication handler (AuthHandler), or any combination of the three.
SysAuth is the default and allows connectivity to existing PAM, Active Directory, LDAP, and other databases.
All operations, including encryption, authentication, and data transfer, take place over the same MTP/IP communication path on a single UDP port. There are no protocol hand-offs, grace periods, token passes, or other such vulnerabilities that are inherent in hybrid transport systems.
Encrypted Password Storage
The ExpeDat and SyncDat command line clients, movedat and syncdat, can store usernames and passwords in an encrypted database. This allows users to type a password once, and not have to re-enter it for several hours. This credential caching may be disabled for heightened authentication of interactive users. Credential storage may also be made permanent to allow scripts to run without exposing passwords on command lines. The DropDat client embeds an encrypted password within each droplet.
The ExpeDat and SyncDat servers control file access primarily through the use of operating system access privileges. Users who authenticate with a system username and password will have the same file access permissions as they would if they logged in via a shell. Users who authenticate with the private database or an authentication handler can be assigned to existing system user and group ids (for Unix systems), and can be assigned additional restrictions such as being limited to one directory or being read-only.
Both ExpeDat and SyncDat will attempt to preserve basic file access attributes whenever the client and server operating systems support them. For Unix-based systems, this includes the file mode, user id, and group id. For Windows, it consists of the Read-Only flag. Access control lists are not explicitly copied, but can be inherited from parent directories.
Data Expedition, Inc. does not provide data storage or handling services. All DEI software runs on customer provided infrastructure which DEI does not control and cannot access without explicit customer assistance. DEI's handling of information which customers choose to disclose, such as in the course of receiving technical support, is covered by the "Confidential Information" or similar section of the applicable Software License Agreement.
Tech Note History
Nov 10, 2022: Added Authentication Handler option; updated Encrypted Password Storage
Jun 22, 2017: Updated encryption performance advice
Jan 26, 2012: Tech Note 0028