FESA Client-Server Communication Security Model
The FESA Client-Server Model uses FlexSystem's proprietary encryption and compression technology to produce a Secure Channel. This secure channel is a way of transferring data that is resistant to eavesdropping and tampering.

On top of this secure channel, we provide a way to support the Open Standard secure model and to ensure the confidentiality of data transferred on the network: connections can optionally be encrypted on the FESA application server. It also supports server certificates, so that client devices (Windows and Web) can verify the identity of the server computer.

This document introduces the architecture for applying secure connections on the FESA application server.

  • Secure Connections
    When the option is enabled, data are transferred over a secure connection (secure channel). Before the secure connection is enabled, the client sends a key exchange request; the server and client then perform a key exchange using asymmetric encryption so that the session key is delivered to each side securely. The session key is then used for symmetric encryption, and the secure connection is established.

  • Key Exchange
    To establish a secure connection, the client and server perform a handshake to exchange a session key. The client uses the 1024-bit or 2048-bit RSA algorithm to encrypt a newly generated pre-master secret and sends it to the server; the server then uses this pre-master secret to derive the session key. The session key is a cryptographically secure random value and is valid for one session only; a new key is generated and exchanged for every session.

  • Connection Encryption
    Once a session key is derived, the secure connection starts; data transferred between server and client are encrypted using 256-bit Advanced Encryption Standard (AES) or 192-bit Triple DES, depending on the configuration of the application server.
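    The handshake and record encryption described in the Secure Connections, Key Exchange and Connection Encryption items above, as an added Go example; this is not FlexSystem's code and not part of the original page. The page does not state the RSA padding, the key derivation function or the AES mode, so the example assumes RSA-OAEP with SHA-256 for wrapping the pre-master secret, HMAC-SHA256 for deriving the 256-bit session key, and AES-256-GCM for the records (GCM also gives the tamper resistance the page describes). The 48-byte pre-master secret size and the label string are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"io"
)

// Constructed parameters: the page does not state the pre-master secret size
// or a key-derivation label, so these are assumptions for the example.
const preMasterLen = 48
const kdfLabel = "FESA example session key"

// newServerKey generates the server's RSA key pair (2048-bit, the larger of
// the two sizes the page mentions).
func newServerKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// clientKeyExchange is the client side of the handshake: draw a fresh random
// pre-master secret and encrypt it to the server's public key with RSA-OAEP.
func clientKeyExchange(serverPub *rsa.PublicKey) (pms, wrapped []byte, err error) {
	pms = make([]byte, preMasterLen)
	if _, err = io.ReadFull(rand.Reader, pms); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, pms, []byte(kdfLabel))
	if err != nil {
		return nil, nil, err
	}
	return pms, wrapped, nil
}

// serverKeyExchange is the server side: unwrap the pre-master secret with the
// server's private key.
func serverKeyExchange(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, []byte(kdfLabel))
}

// deriveSessionKey turns the pre-master secret into a 256-bit AES key.
// HMAC-SHA256 keyed with the secret is an assumption; the page names no KDF.
func deriveSessionKey(pms []byte) []byte {
	mac := hmac.New(sha256.New, pms)
	mac.Write([]byte(kdfLabel))
	return mac.Sum(nil) // 32 bytes = AES-256 key
}

// newGCM builds the AES-256-GCM AEAD for a derived session key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptRecord protects one message; the random nonce is prepended so the
// receiver can open it, and the GCM tag detects any modification in transit.
func encryptRecord(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// decryptRecord reverses encryptRecord and returns an error on any tampered
// or truncated record.
func decryptRecord(key, record []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(record) < gcm.NonceSize() {
		return nil, errors.New("record too short")
	}
	return gcm.Open(nil, record[:gcm.NonceSize()], record[gcm.NonceSize():], nil)
}

// establishSession runs one full handshake and returns the session key as
// derived independently by the client and by the server.
func establishSession(priv *rsa.PrivateKey) (clientKey, serverKey []byte, err error) {
	pms, wrapped, err := clientKeyExchange(&priv.PublicKey)
	if err != nil {
		return nil, nil, err
	}
	serverPMS, err := serverKeyExchange(priv, wrapped)
	if err != nil {
		return nil, nil, err
	}
	return deriveSessionKey(pms), deriveSessionKey(serverPMS), nil
}
```

    Two properties of this design matter when you deploy it. Because the session key depends only on a secret wrapped to the server's RSA key, anyone who later obtains the server's private key can decrypt recorded sessions, so the server key store deserves the same protection as the data itself. Of the two key sizes the page lists, 1024-bit RSA is below current guidance; prefer 2048-bit where the server allows it.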

  • Specifying a Symmetric Algorithm
    The default symmetric algorithm for encrypting the connection is 256-bit AES; it can be overridden by specifying an algorithm setting. The available options are AES and 3DES.

  • Server Certificate
    The application server can optionally install a server certificate (X.509 certificate) to prove its identity to client computers; the server certificate also carries the public key used for the session key exchange.

  • Preparing and Applying a Server Certificate
    To apply a server certificate, you need to submit a Certificate Signing Request (CSR) to your Certification Authority (CA) (e.g. VeriSign, Thawte, or your own CA) to have the certificate signed.
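    The certificate steps from the Server Certificate and Preparing and Applying a Server Certificate items above, as an added Go example; this is not FlexSystem's code and not part of the original page. It walks the three roles the page implies: the server operator generates a key and a CSR, the CA (here your own CA, built in the example) checks the CSR's self-signature and issues a server certificate, and the client verifies that the certificate chains to a trusted CA and names the host before taking its public key for the session key exchange. The host name, organisation and CA name are constructed; a production CA issues unique serial numbers rather than the fixed ones used here.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// serverHost is a constructed name for the FESA application server.
const serverHost = "fesa-app.example.internal"

// newCA creates a self-signed CA certificate (the "your own CA" case).
func newCA() (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1), // constructed; real CAs use unique serials
		Subject:               pkix.Name{CommonName: "Example Internal CA (constructed)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// createCSR is the server operator's step: a PEM CSR for the server key that
// names the host clients will connect to.
func createCSR(serverKey *rsa.PrivateKey) ([]byte, error) {
	tmpl := &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: serverHost, Organization: []string{"Example Org (constructed)"}},
		DNSNames: []string{serverHost},
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, serverKey)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

// caSignCSR is the CA's step: confirm the CSR is signed by the key it carries
// (proof of possession), then issue a one-year server certificate from it.
func caSignCSR(csrPEM []byte, caCert *x509.Certificate, caKey *rsa.PrivateKey) ([]byte, error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, errors.New("input is not a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), // constructed; real CAs use unique serials
		Subject:      csr.Subject,
		DNSNames:     csr.DNSNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// clientVerifyServer is the client device's step: release the server's public
// key for the session key exchange only if the certificate chains to the
// trusted CA, is valid for server authentication, and names the host.
func clientVerifyServer(certPEM []byte, trustedCA *x509.Certificate, host string) (*rsa.PublicKey, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("input is not a PEM certificate")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	opts := x509.VerifyOptions{Roots: roots, DNSName: host, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return nil, err
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("server certificate does not carry an RSA public key")
	}
	return pub, nil
}
```

    The host-name check in clientVerifyServer is what turns a valid certificate into proof that you are talking to this server rather than any other certificate the same CA has issued; a client that skips it gets no identity assurance from the certificate at all.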


    Summary

    Pros & Cons on Different Security Settings

    Security Settings                          | Pros                                                                                             | Cons
    -------------------------------------------|--------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------
    Proprietary Secure Channel                 | Fast; lightweight                                                                                | Proprietary encryption model; non-open standard
    Secure Channel without Digital Certificate | Highly secure; open standard model; AES 256-bit or 3DES 192-bit available                        | Slower than the proprietary secure model; more network traffic than the proprietary secure model
    Secure Channel with Digital Certificate    | Highest security; open standard model with certificate; AES 256-bit or 3DES 192-bit available    | Certificate Signing Request (CSR) to a Certification Authority (CA) required


    Copyright © 2018 FlexSystem Limited. All Rights Reserved. All other trademarks are the property of their respective owners.