
In a world where sensitive and confidential information is stored and transferred daily, you need to have confidence that your data is secure. Synergy/DE 9.3 has new encryption capabilities that will enhance your application’s data security. In this series of articles, we’ll start by discussing network encryption for both xfServer and xfServerPlus, then move on to data encryption.
Network encryption, as the name suggests, encrypts only data transferred across a network. That is, encryption and decryption occur only on the network; the actual encrypted data is never seen by the application. Network encryption is available with both xfServer and xfServerPlus. In this article, we’ll go over some of the network encryption basics that apply to both products, and then we’ll discuss how to use encryption with xfServer. In the next issue, we’ll go into detail on using encryption with an xfServerPlus application when connecting to an xfNetLink .NET or xfNetLink Synergy client.
With the new network encryption options, you can configure a server to either accept or demand encrypted transfers. We call these options SLAVE and MASTER modes.
Another network encryption option is the cipher suite to use. There are three cipher options to consider: LOW, MEDIUM, and HIGH. Typically, LOW uses a 56-bit cipher like DES, MEDIUM (which is the default) uses a 128-bit cipher like RC4 or IDEA, and HIGH uses a 256-bit cipher like AES. However, the actual cipher used is always determined by an agreement between the client and the server OpenSSL implementations. The higher the cipher level, the stronger the encryption, but the drawback is the slower processing time required to encrypt and decrypt the data. When selecting a cipher level, you will need to balance your security needs with the desired performance.
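Because the cipher that is actually used depends on what the two OpenSSL builds agree on, it is worth checking what LOW, MEDIUM and HIGH expand to on a given machine before relying on a level. The following Python script is an added example and is not code from the article or from Synergex; it uses the standard ssl module (a wrapper over the local OpenSSL) to expand those OpenSSL cipher-string keywords and to show which suites a client and a server at given levels could agree on. That rsynd passes the level name through to OpenSSL as a plain cipher string is an assumption of this example.

```python
"""Expand OpenSSL cipher levels (LOW/MEDIUM/HIGH) on the local OpenSSL build.

Added example, not Synergex code. Assumption: the level names map directly
to OpenSSL cipher-string keywords of the same name.
"""
import ssl

LEVELS = ("LOW", "MEDIUM", "HIGH")


def ciphers_for_level(level):
    """Return [(name, protocol, strength_bits), ...] OpenSSL enables for `level`.

    An empty list means this build has no TLS 1.2 cipher left in that level
    (current OpenSSL builds drop LOW entirely and ship MEDIUM with RC4
    disabled). That is the failure mode to watch for: a server configured
    for such a level cannot negotiate any cipher with a modern client.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(level)
    except ssl.SSLError:
        # OpenSSL rejects a cipher string that selects nothing.
        return []
    return [(c["name"], c["protocol"], c["strength_bits"]) for c in ctx.get_ciphers()]


def common_ciphers(client_level, server_level):
    """Suites both sides could agree on, in the server's preference order.

    Models the article's point that the negotiated cipher is whatever the
    client and server OpenSSL implementations have in common.
    """
    client_names = {name for name, _, _ in ciphers_for_level(client_level)}
    return [c for c in ciphers_for_level(server_level) if c[0] in client_names]


def weakest_bits(level):
    """Smallest key strength offered at `level`, or None if nothing is offered."""
    suites = ciphers_for_level(level)
    return min(bits for _, _, bits in suites) if suites else None


if __name__ == "__main__":
    for level in LEVELS:
        suites = ciphers_for_level(level)
        print(f"{level}: {len(suites)} suite(s), weakest key {weakest_bits(level)} bits")
        for name, proto, bits in suites[:5]:
            print(f"    {name:<32} {proto:<8} {bits} bits")
    agreed = common_ciphers("HIGH", "MEDIUM")
    print(f"HIGH client vs MEDIUM server: {len(agreed)} suite(s) in common")
```

Run it on both the client and the server host; if a level prints zero suites on either side, connections configured for that level will fail to negotiate rather than silently fall back.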
Much like using the HTTP document transport API, you’ll need to install OpenSSL on the server and any client needing encrypted access. (An exception to this is xfNetLink .NET clients, which use the SSL built into the .NET Framework; we’ll discuss this further in the next article in this series.) For details about where to get OpenSSL for your operating system, see Synergex KB article 100001979.
Finally, you’ll need an SSL certificate (PEM file) installed on the server. If you have a certificate from a public certificate authority (like VeriSign, Thawte, etc.) you can use it, or you can opt to use a self-signed local certificate that you create for yourself. Once OpenSSL is installed and your PEM file is in place, to start rsynd with encryption enabled you can use the Synergy Configuration Program (on Windows) or start rsynd from the command line with the desired encryption options.
Now let’s look a little closer at how you can use encryption in your xfServer application. Maybe you have an application where sensitive data (like credit card or social security numbers) needs to be transferred to a remote data server. Because of several government regulations (PCI, Sarbanes-Oxley, HIPAA, etc.), you are told to encrypt this data when it’s transferred over unsecured networks.
The easiest way to do this without making any changes to the application is to configure xfServer running on the data server to run in MASTER encryption mode. But you may decide that this would be overkill. After all, it may be the case that most of the data accessed from the data server is not sensitive, or that you have only a handful of clients who access data from outside your secure local network. In that case, you can opt for the SLAVE mode approach. Client applications that require secure transfers can then be configured to request that data transferred to and from a specific file be encrypted. All other connections will continue to transfer data unencrypted. To request encryption from the client application, specify “/encrypt” in the OPTIONS string on the OPEN statement:
OPEN(ch, mode, filename, OPTIONS:"/encrypt")
You may also decide that particular files on your data server contain sensitive data that should always be encrypted when accessed over a network. To enforce encrypted data transfers on a particular Synergy DBMS ISAM file, you can set the “network_encrypt” flag on the file. This can either be done when the file is created or later by using the isutl patch option:
isutl -p -qfile=network_encrypt filename
When opening a file with the network_encrypt flag set, any remote access via xfServer is automatically encrypted. If encryption is not enabled on the server, or if the client is not capable of encryption, access to the file is denied. Note that using the network_encrypt flag also restricts remote access via NFS and mapped drives when accessed from a Synergy/DE application.
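The three controls described above (the server's encryption mode, the client's /encrypt option, and the network_encrypt file flag) combine in ways that are easy to get wrong when planning a rollout. The following Python model is an added example, not Synergex code: it encodes the outcomes the article states as a single decision function so the combinations can be checked in one place. The outcome labels, the "off" mode name for a server started without encryption, and the handling of cases the article does not spell out (a MASTER server or an /encrypt request meeting a client without OpenSSL, an /encrypt request against a server with encryption off) are assumptions of this model and are marked as such in the code.

```python
"""Decision table for xfServer network encryption as described in the article.

Added example, not Synergex code. Assumptions are marked inline.
"""
from enum import Enum


class ServerMode(Enum):
    OFF = "off"        # rsynd started without encryption (assumed label)
    SLAVE = "SLAVE"    # accepts encryption when a client asks for it
    MASTER = "MASTER"  # demands encryption on every connection


ENCRYPTED, PLAINTEXT, DENIED = "encrypted", "plaintext", "denied"


def transfer_outcome(server_mode, client_requests, client_capable,
                     file_flag, via_xfserver=True):
    """Outcome of opening a file given the three controls the article names.

    server_mode     -- ServerMode of the rsynd on the data server
    client_requests -- client passed OPTIONS:"/encrypt" on the OPEN
    client_capable  -- client has OpenSSL installed and can encrypt
    file_flag       -- file carries the network_encrypt flag
    via_xfserver    -- False for NFS / mapped-drive access from a Synergy app
    """
    if not via_xfserver:
        # Article: the flag also restricts NFS and mapped-drive access;
        # modelled here as a denied open (assumption about "restricts").
        return DENIED if file_flag else PLAINTEXT

    if file_flag:
        # Article: flagged files are always encrypted over xfServer, and
        # access is denied if the server has encryption off or the client
        # cannot encrypt.
        if server_mode is ServerMode.OFF or not client_capable:
            return DENIED
        return ENCRYPTED

    if server_mode is ServerMode.MASTER:
        # Article: MASTER demands encryption. A client that cannot encrypt
        # is treated as refused (assumption; the article does not say).
        return ENCRYPTED if client_capable else DENIED

    if client_requests:
        # Article: in SLAVE mode a client's /encrypt request is honoured.
        # An unhonourable request (server off, or client lacking OpenSSL)
        # is modelled as denied (assumption).
        if server_mode is ServerMode.SLAVE and client_capable:
            return ENCRYPTED
        return DENIED

    # Article: all other connections continue unencrypted.
    return PLAINTEXT


def rollout_table(modes=ServerMode):
    """Every combination of the boolean controls for each server mode."""
    rows = []
    for mode in modes:
        for requests in (False, True):
            for capable in (False, True):
                for flag in (False, True):
                    rows.append((mode.value, requests, capable, flag,
                                 transfer_outcome(mode, requests, capable, flag)))
    return rows


if __name__ == "__main__":
    print(f"{'mode':<7}{'/encrypt':<10}{'capable':<9}{'flag':<6}outcome")
    for mode, requests, capable, flag, outcome in rollout_table():
        print(f"{mode:<7}{str(requests):<10}{str(capable):<9}{str(flag):<6}{outcome}")
```

Running the script prints the full table; the rows for MASTER mode show why the article calls it the easiest option (every capable client is encrypted with no application change), and the flagged-file rows show the denials to expect from clients that were never given OpenSSL.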
This information should help get you started thinking about how best to implement encryption in your xfServer application. These concepts are described in more detail in “Using Encryption” in the “Configuring xfServer” chapter of the Synergy/DE 9.3 Installation Configuration Guide, where you will also find more information on setting up OpenSSL. For details on supported versions of OpenSSL for all operating systems, see “OpenSSL Requirements” in the “Requirements and Considerations” chapter of the same manual.
In addition to encryption features, Synergy/DE 9.3 includes many other improvements to help you enhance your applications. See our Web site for details.