An Ounce of Encryption Is Worth a Pound of Cure — Part 2

Spotlight on Synergy/DE 9.3: Network Encryption with xfServerPlus

By John Brunett, Senior Software Engineer, & Mark Cooper, Lead Systems Programmer

This is the second article in a three-part series about the new encryption capabilities in Synergy/DE 9.3. See the first article, Network Encryption with xfServer, for an overview of network encryption.

With Synergy/DE 9.3, you can use encryption with xfServerPlus methods when connecting from xfNetLink .NET and xfNetLink Synergy. As with xfServer, encryption with xfServerPlus can be either master or slave encryption. With master encryption, every method call is encrypted. With slave encryption, you choose which method calls are encrypted. Note that encryption causes a slight performance hit, because all of the data passed must be encrypted and decrypted on both the xfServerPlus side and the xfNetLink side. With this in mind, you may find it beneficial to use slave encryption and encrypt only the methods that pass sensitive data, such as personal customer data or credit card information.

As we discussed last time, you’ll need to install OpenSSL on the xfServerPlus server and, if you’re using xfNetLink Synergy, on all the client machines. For the xfNetLink .NET client, however, the encryption library comes from the .NET Framework and the Windows operating system. There’s nothing extra to install, but if you’re on Windows Vista/2008 or higher, you’ll need to select which cipher suite to use. To do this, just run the Local Group Policy Editor (gpedit.msc), where you can choose from the cipher suites available and arrange them in the order you want.

If you choose to use slave encryption, you’ll need to specify which methods you’d like to encrypt. This is done by selecting the “Enable encryption” checkbox in the Method Definition Utility (or using the encrypt=true property in the xfMethod attribute). You need to set this for each method that you want to be encrypted. For xfNetLink Synergy, you’ll also need to indicate that encryption is required when making the RXSUBR or RX_SETRMTFNC call, by appending “/encrypt” to the end of the method ID. For xfNetLink .NET, when the C# classes are generated, each method that is marked as encrypted will be generated with a custom attribute that tells the .NET client that this method is to be sent encrypted. When using master encryption, there is no need to mark methods for encryption in the MDU, as all methods are sent using encryption.

When the client connects with xfServerPlus, the client and server check to see if encryption is being used and, if so, whether it is master or slave. The client then sends xfServerPlus a list of ciphers that it supports. The server goes through the list, in order, and chooses the first match that it also supports. Usually, the client orders the list with the most secure ciphers first, so that the most secure cipher supported by both the client and server is selected.

When using encryption, you’ll want to make a connection, perform all of your method calls, and then disconnect. If you connect, call a single method, and disconnect, repeating this process for each call, you’ll end up doing the cipher negotiation for each method call, which can degrade performance. With xfNetLink .NET, you may want to use pooling for the best performance, as the connections (and consequently the cipher negotiation) are made when the pool is first populated rather than with each method call. Remember to set the “return to pool” option to true to allow the connection to be returned to the pool when you are through using it. By using pooling in combination with slave encryption, so that only the essential data is encrypted, you can achieve both security and a high level of performance for your application.
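The following Python model, added here as an illustration and not code from Synergex or from this article, walks through the two behaviours just described: the server picking the first cipher in the client's ordered list that it also supports, and a connection pool negotiating once per pooled connection instead of once per method call. The cipher names are constructed placeholders, and the `Negotiator`/`ConnectionPool` classes are assumptions for the model, not xfNetLink APIs. It also goes one step beyond the text by showing why the server-side set of supported ciphers, not the client's ordering, is what guarantees that a weak cipher is never selected.

```python
"""Model of first-match cipher selection and of connection pooling.
Added example; not Synergex code.  Cipher names are constructed."""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed placeholder cipher names (strongest first, as a client
# would normally order them).
CLIENT_OFFERED = ["aes256-gcm", "aes128-cbc", "legacy-rc4"]


def choose_cipher(client_offered: Iterable[str],
                  server_supported: Iterable[str]) -> Optional[str]:
    """Server walks the client's list in the client's order and takes the
    first entry it also supports.  Returns None when nothing overlaps."""
    supported = set(server_supported)
    for cipher in client_offered:
        if cipher in supported:
            return cipher
    return None


@dataclass
class Connection:
    cipher: str
    in_use: bool = False


class Negotiator:
    """Stands in for a client/server pair; counts cipher negotiations."""

    def __init__(self, client_offered: Iterable[str],
                 server_supported: Iterable[str]) -> None:
        self.client_offered = list(client_offered)
        self.server_supported = list(server_supported)
        self.handshakes = 0

    def connect(self) -> Connection:
        cipher = choose_cipher(self.client_offered, self.server_supported)
        if cipher is None:
            raise ConnectionError("no cipher common to client and server")
        self.handshakes += 1  # one negotiation per new connection
        return Connection(cipher)


class ConnectionPool:
    """Negotiates once per connection when the pool is populated; a method
    call borrows a connection and must hand it back ("return to pool")."""

    def __init__(self, negotiator: Negotiator, size: int) -> None:
        self.negotiator = negotiator
        self.idle: List[Connection] = [negotiator.connect() for _ in range(size)]

    def acquire(self) -> Connection:
        if not self.idle:
            # Pool exhausted: a fresh connection costs another negotiation.
            return self.negotiator.connect()
        conn = self.idle.pop()
        conn.in_use = True
        return conn

    def release(self, conn: Connection) -> None:
        conn.in_use = False
        self.idle.append(conn)


def handshakes_without_pool(negotiator: Negotiator, n_calls: int) -> int:
    """Connect, call one method, disconnect, repeated for every call."""
    for _ in range(n_calls):
        negotiator.connect()
    return negotiator.handshakes


def handshakes_with_pool(negotiator: Negotiator, n_calls: int,
                         pool_size: int) -> int:
    """All calls share a pool; the connection is returned after each call."""
    pool = ConnectionPool(negotiator, pool_size)
    for _ in range(n_calls):
        conn = pool.acquire()
        pool.release(conn)
    return negotiator.handshakes


if __name__ == "__main__":
    server = ["legacy-rc4", "aes128-cbc"]
    print("chosen:", choose_cipher(CLIENT_OFFERED, server))
    print("no pool:", handshakes_without_pool(Negotiator(CLIENT_OFFERED, server), 10))
    print("pool of 3:", handshakes_with_pool(Negotiator(CLIENT_OFFERED, server), 10, 3))
```

Two things stand out when you run it. First, because selection is first-match in the client's order, a client that lists a weak cipher first gets that cipher if the server supports it; the defence is to leave weak ciphers out of the server's supported set, after which the choice is strong whatever the client's order. Second, ten single-call connect/disconnect cycles cost ten negotiations, while the same ten calls through a pool of three cost only the three negotiations made when the pool was populated, provided each connection is returned to the pool.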

For more information about implementing encryption in your xfServerPlus–xfNetLink application, see “Using Encryption” in the “Configuring and Running xfServerPlus” chapter of the Developing Distributed Synergy Applications manual. For details on supported versions of OpenSSL for all operating systems, see “OpenSSL Requirements” in the “Requirements and Considerations” chapter of the Installation Configuration Guide.

In addition to encryption, Synergy/DE 9.3 includes many other features to help you enhance your application. See our Web site for details.