Tech Note 0016
Security features of DEI software
DEI software uses a variety of methods to control access to your data within your systems and while it is in transit. This article provides an overview of the security features of DEI software, including the features of specific products.
Each MTP/IP datagram includes a 32-bit transaction identifier whose sole purpose is to identify incoming datagrams. This is in addition to separate session, sequencing, and flow control identifiers. By using a dedicated transaction identifier, MTP/IP makes it very difficult for an attacker to successfully inject data into an ongoing transaction. TCP/IP, by contrast, uses only a sequence number for validation, which makes it more vulnerable to injection attacks.
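The following is an added illustration of the receiver-side check described above, not DEI code and not the real MTP/IP wire format: the header layout, field order, CRC32 checksum and the `Receiver` class are all constructed assumptions. It shows why a datagram that matches the session and the next sequence number is still discarded when it lacks the live transaction identifier.

```python
import struct
import secrets
import zlib

# Constructed header layout for illustration only (not the MTP/IP wire format):
# session id (u32), transaction id (u32), sequence number (u32), payload length (u16),
# followed by the payload and a CRC32 (u32) over header + payload.
HEADER = struct.Struct("!IIIH")

def build_datagram(session_id, transaction_id, seq, payload):
    head = HEADER.pack(session_id, transaction_id, seq, len(payload))
    body = head + payload
    return body + struct.pack("!I", zlib.crc32(body))

class Receiver:
    """Accepts a datagram only when every independent identifier matches the live transaction."""
    def __init__(self, session_id, transaction_id):
        self.session_id = session_id
        self.transaction_id = transaction_id
        self.expected_seq = 0
        self.received = []

    def accept(self, datagram):
        if len(datagram) < HEADER.size + 4:
            return "reject: truncated"
        body, crc = datagram[:-4], struct.unpack("!I", datagram[-4:])[0]
        if zlib.crc32(body) != crc:
            return "reject: checksum"
        sid, tid, seq, length = HEADER.unpack_from(body)
        payload = body[HEADER.size:]
        if length != len(payload):
            return "reject: length"
        if sid != self.session_id:
            return "reject: session"
        if tid != self.transaction_id:   # dedicated identifier, checked independently of the sequence number
            return "reject: transaction"
        if seq != self.expected_seq:     # sequence-only validation, as in TCP, would stop here
            return "reject: sequence"
        self.expected_seq += 1
        self.received.append(payload)
        return "accept"

def demo():
    sid, tid = 7, secrets.randbits(32)   # transaction id drawn at random per transaction (assumption)
    rx = Receiver(sid, tid)
    r1 = rx.accept(build_datagram(sid, tid, 0, b"hello"))
    # Out-of-transaction datagram: right session and next sequence number, wrong transaction id.
    r2 = rx.accept(build_datagram(sid, (tid + 1) & 0xFFFFFFFF, 1, b"bogus"))
    r3 = rx.accept(build_datagram(sid, tid, 1, b"world"))
    return r1, r2, r3, b"".join(rx.received)
```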
The MTP/IP Core Software Development Kit supports packet level just-in-time encryption and decryption. This allows applications complete freedom to choose their encryption algorithms and keys while ensuring high performance and minimal integration effort.
MTP/IP guarantees that upon successful completion of a data transport transaction, the data it delivers at the destination will be byte-for-byte identical to the data it was given at the source. Data in transit is protected by multiple checksums, a patented transport state management system, and optional encryption with tamper protection. See Tech Note 0028 for more about data transport integrity.
The ExpeDat and SyncDat applications both offer the Advanced Encryption Standard (AES) algorithm with 128-bit keys. Content encryption may not be enabled by default, so be sure to apply the appropriate option if you require encryption.
In most WAN environments, encryption creates minimal CPU overhead. But if your network is very fast (e.g. multigigabit), then enabling encryption may reduce throughput depending on the number of CPU cores available. If you find that encryption is necessary but hurting performance, switch to a system with more CPU cores or consider using a packet-based hardware Virtual Private Network, such as IPsec. Note that MTP/IP cannot be used with SSL VPNs, as they do not support packet-level data transport.
The ExpeDat and SyncDat servers can authenticate transactions via usernames and passwords. In most installations these will be passed to the operating system login authentication service, allowing integration with NIS, Active Directory, LDAP, or any other services supported by the OS. The servers also support use of a private authentication database. Passwords stored in the private database can be hashed for on-disk security.
All operations, including encryption, authentication, and data transfer take place using the same MTP/IP communication path. There are no protocol hand-offs, grace periods, token passes, or other such vulnerabilities inherent in hybrid transport systems. It is recommended that users maintain this discipline by having ExpeDat Desktop prompt for passwords when implementing ExpeDat Web Integration, and by using encrypted password storage when implementing scripts as described below.
Encrypted Password Storage
The ExpeDat and SyncDat command line clients, movedat and syncdat, can store usernames and passwords in an encrypted database. This allows users to type a password once, and not have to re-enter it for several hours. This credential caching may be disabled for heightened authentication of interactive users. Credential storage may also be made permanent to allow scripts to run without exposing passwords on command lines.
The ExpeDat and SyncDat servers control file access primarily through the use of operating system access privileges. Users who authenticate with a system username and password will have the same file access permissions as they would if they logged in via a shell. Users who authenticate with the private database can be assigned to existing system user and group ids (for unix systems), and can be assigned additional access restrictions such as being restricted to one directory or being read-only.
Both ExpeDat and SyncDat will attempt to preserve basic file access attributes whenever the client and server operating systems support them. For unix-based systems, this includes the file mode, user id, and group id. For Windows, it consists of the Read-Only flag. Access control lists are not explicitly copied, but can be inherited from parent directories.
Data Expedition, Inc. does not provide data storage or handling services. All DEI software runs on customer provided infrastructure which DEI does not control and cannot access without explicit customer assistance. DEI's handling of information which customers choose to disclose, such as in the course of receiving technical support, is covered by the "Confidential Information" or similar section of the applicable Software License Agreement.
Tech Note History
Updated Encrypted Password Storage
Jun 22, 2017: Updated encryption performance advice
Jan 26, 2012: Tech Note 0028