SOClass™ SECURITY
The security issue has been pushed out of obscurity
and into the spotlight during the last few years.
Due to well-publicized pirate threats and attacks,
almost everyone, from programmers to decision or policy
makers, understands - or at least pretends to understand
- why good security is particularly important in
Internet-deployed applications. Unfortunately, though interest
in security has grown, a weak understanding persists
among programmers and system administrators of how to
achieve strong security. It is necessary to gain
familiarity with a growing body of literature, research,
technology, and terminology before grasping the main
concepts, and it is even more difficult to apply these
complex technologies in practice. Achieving proficiency in
all security aspects bears an enormous cost. Not with
the SOClass platform.
SOClass
programmers have it easier than ever, with integrated,
ready-to-use tools to build secure solutions. For example,
object ownership and electronic signature functionality
are available in the integrated Government Class Framework
(GCF). It is enough to declare an operation sign-able,
and end-users can e-sign their work with a click of
the mouse whilst the system will automatically display
which document versions were signed, when and by whom.
The foundation of strong computer security,
including e-signature, is a type of cryptography known
as public-key cryptography or asymmetric cryptography.
Public-key cryptography differs from traditional symmetric,
or shared-key cryptography, in its use of two related,
but slightly different, keys. The owner of the key-pair
must keep the private key secret whilst the other key,
known as the public key, may be distributed far and
wide. The keys in the key pair are complementary. Only
the private key can decrypt information encrypted with
the public key, and vice versa. Only the public key
verifies information signed with the private key, and
vice versa.
There are several popular public-key
algorithms. The most popular is known as RSA - because
Rivest, Shamir, and Adleman invented it. SOClass includes
a proprietary implementation of RSA with 1024-bit strength.
For advanced users, it is however possible to plug in
specific encryption libraries from third parties, or
to develop proprietary algorithms.
Another crucial aspect of computer security
in a distributed environment deals with the confidentiality
and authenticity of data exchanged through the network,
sometimes via public telecom lines. Hackers can easily
interrupt these communications if they are not properly
enciphered. The standard SOClass package relies on the
popular Secure Sockets Layer (SSL) protocol to ensure
privacy. The SSL protocol uses a combination of public-key
and symmetric-key encryption. For those customers desirous
of implementing proprietary encryption modules, SOClass
provides the necessary openness.
SOClass respects the four major
aspects of system security:
System resources access. GCF security mechanisms restrict
document access as well as scope of users’ operations,
and guarantee that document operations remain within
a pre-defined operation domain. SOClass complies with
secure domains, permissions and security policies.
Authentication. The Application Provider and users are
properly authenticated through the use of X500 certificates.
Smart cards are supported.
Privacy. This encompasses client-server communication
and various mechanisms ensuring information privacy
at different stages. For example, the user’s password
or pass-phrase is stored nowhere and is thus secure. What is
stored in the administration database is the result
of a hash of the password.
Integrity. SOClass preserves data integrity during distributed
processing and database transactions.
Because the Internet allows
information to pass through intermediate computers,
pirates can easily interfere with communications between
client and server computers. SOClass features built-in
mechanisms that prevent security breaches in Internet
transactions, and in particular:
Eavesdropping. Information remains intact, but its privacy
is compromised. For example, someone could get your
credit card number, record a sensitive conversation,
or intercept classified information.
Tampering. Information in transit is changed or replaced
and then sent on to the recipient. For example, someone
could alter an order for goods or change a person's
resume.
Impersonation. Information passes to a person who poses
as the intended recipient. Impersonation can take two
forms:
Spoofing. A person can pretend to be someone else. For example,
a person can pretend to have the email address john.doe@soclass.com,
or a computer can identify itself as a site called www.soclass.com
when it is not. This type of impersonation is known
as spoofing.
Misrepresentation. A person or organization
can misrepresent itself. For example, suppose that the
site www.pirate.com pretends to be a furniture store
when it is really just a site that takes credit-card
payments but never sends any goods.