White Paper - Your Security Blanket - Web-4MTM
JDH Technologies L.L.C.
There are three areas of security within Web-4M that we address in this document, password security, link security and document library security.
Passwords are doubly encrypted (with a one time key) using the NIST standard Secure Hash Algorithm (SHA-1). This ensures protection against password sniffing as data are transferred between the client and the server in the login process.
Almost all Web-4M interactions between the clients and the server are messages sent via socket connections on the intranet or the Internet connecting the computers. (The one exception is the document library, discussed below). This includes the chat, whiteboard, slideshow tools, email, news, and calendar functions. These messages can be sent unencrypted over the network, meaning that if the network itself is insecure (as are most networks and certainly the Internet), the messages are vulnerable to being sniffed and read by machines on the same networks, or by any machine in the end-to-end path between the two machines.
Web-4M offers a "secure link" mode of operation to avoid this problem,. When the secure link option is turned on, the client randomly chooses a 128 bit secret key, using the timing of the login keystrokes as the source of randomness. This secret key is then communicated to the server using the El-Gamal public key encryption algorithm. The client and the server then set up links to use the Blowfish algorithm for all data passing between them. The Blowfish algorithm was developed by Bruce Schneier, author of "Applied Cryptography," and in studies so far, no known weaknesses have been found.
The Web-4M administrator controls whether encryption is always on, always off, or can be turned on and off by users. By forcing the encryption always on, users cannot intentionally or inadvertently turn off encryption and make insecure transfers.
Browseable Document LibraryTM; Security
In the document library, documents are accessed via an html request. The default configuration of Web-4M uses the existing web page server to access documents. This webserver is the same one that provides access to the Web-4M applet itself. Since anyone accessing the webserver can potentially access the data in the library, Web-4M hides the document library directory structures by appending a 32-bit number to the directory names at the top level of the document library.
For added security, a separate webserver is shipped with Web-4M. When the system administrator enables this webserver, documents can only be accessed by this "auxiliary webserver". This auxiliary webserver use an "authorization module" which is connected to Web-4M, so that only requests coming through Web-4M f will be answered.
Use of the auxiliary webserver should provide almost all the security needed for most applications. An optional SSL module for the auxiliary webserver is available to secure html data vulnerable to sniffing as it travels along the network. This brings the security of html transfers up to the level as used on the web for e-commerce and credit card applications, using the same industry standard protocols.
Table 1 gives the security features as a function of the link encryption.
Table 2 gives the security features as a function of the webserver used for accessing the Browseable Document Library.
All Rights Reserved.