Multi-Platform Conferencing & Groupware by JDH.

White Paper - Your Security Blanket - Web-4MTM

JDH Technologies L.L.C.

There are three areas of security within Web-4M that we address in this document, password security, link security and document library security.

Password Security

Passwords are doubly encrypted (with a one time key) using the NIST standard Secure Hash Algorithm (SHA-1). This ensures protection against password sniffing as data are transferred between the client and the server in the login process.

Link Security

Almost all Web-4M interactions between the clients and the server are messages sent via socket connections on the intranet or the Internet connecting the computers. (The one exception is the document library, discussed below). This includes the chat, whiteboard, slideshow tools, email, news, and calendar functions. These messages can be sent unencrypted over the network, meaning that if the network itself is insecure (as are most networks and certainly the Internet), the messages are vulnerable to being sniffed and read by machines on the same networks, or by any machine in the end-to-end path between the two machines.

Web-4M offers a "secure link" mode of operation to avoid this problem,. When the secure link option is turned on, the client randomly chooses a 128 bit secret key, using the timing of the login keystrokes as the source of randomness. This secret key is then communicated to the server using the El-Gamal public key encryption algorithm. The client and the server then set up links to use the Blowfish algorithm for all data passing between them. The Blowfish algorithm was developed by Bruce Schneier, author of "Applied Cryptography," and in studies so far, no known weaknesses have been found.

The Web-4M administrator controls whether encryption is always on, always off, or can be turned on and off by users. By forcing the encryption always on, users cannot intentionally or inadvertently turn off encryption and make insecure transfers.

Browseable Document LibraryTM; Security

In the document library, documents are accessed via an html request. The default configuration of Web-4M uses the existing web page server to access documents. This webserver is the same one that provides access to the Web-4M applet itself. Since anyone accessing the webserver can potentially access the data in the library, Web-4M hides the document library directory structures by appending a 32-bit number to the directory names at the top level of the document library.

For added security, a separate webserver is shipped with Web-4M. When the system administrator enables this webserver, documents can only be accessed by this "auxiliary webserver". This auxiliary webserver use an "authorization module" which is connected to Web-4M, so that only requests coming through Web-4M f will be answered.

Use of the auxiliary webserver should provide almost all the security needed for most applications. An optional SSL module for the auxiliary webserver is available to secure html data vulnerable to sniffing as it travels along the network. This brings the security of html transfers up to the level as used on the web for e-commerce and credit card applications, using the same industry standard protocols.

Encryption Level Features
No Link Encryption Links are not secure; data may be sniffed as it travels between the clients and the server.
User Controlled Encryption Links can be secured, avoiding the problem of sniffing, but users may turn encryption off and make insecure transfers
Admin Controlled Encryption Administrators may force encryption to be turned on and stay on. No possibility of accidental security lapses.

Table 1 gives the security features as a function of the link encryption.

Webserver Used for the Browseable Document Library Features
Existing webserver Browseable document library is hidden and reasonably secure, but can potentially be accessed by unauthorized users
Web-4M auxiliary webserver Browseable document library is secure and may only be accessed by users in the Web-4M system. Data may still be vulnerable as it travels down the network to the client.
Web-4M auxiliary webserver with SSL option Browseable document library is secure and may only be accessed by users in the Web-4M system. Data is encrypted using standard Web-based E-commerce and credit card security mechanisms.

Table 2 gives the security features as a function of the webserver used for accessing the Browseable Document Library.


©Copyright 2001
JDH Technologies
All Rights Reserved.
Legal Notice.
Web-4M - Multi-Platform Conferencing & Groupware by JDH.