About Application Server-Client Communication Encryption
The Application Server uses a symmetric encryption system to communicate with the client.
There are several methods that generate symmetrical public-private key pairs. The most well-known method is based on the RSA algorithm. The security this algorithm provides relies on the difficulty of factoring large prime numbers. Device Control uses the RSA algorithm with a key size of 2048 bits, making it extremely difficult to compromise. The security of a strong cryptographic system depends on the secrecy of the key and key size.
The need for strong cryptographic security underscores the importance of generating your own key pair during installation and using a long seed value, before deploying Device Control clients in your environment. The private key should not be communicated to the clients and should reside on the Application Server computer or stored on an external medium for added security.
Digital Signatures and Certificate Authorities (CA)
For complete data security, digital signatures are combined with digital certificates that authenticate the identity of a sender.
Using a digital signature ensures, to a certain extent, the authenticity of the sender. Since only the public key of the sender can decrypt the digital signature, this only ensures that the sender has the private key corresponding to the public key used to decrypt the digital signature. To confirm the authenticity of the sender, a digital certificate is used. A digital certificate is an electronic document that certifies that a particular user owns a certain public key. A third party, called the certificate authority (CA), signs this document. You need to install the Microsoft CA service to create your own CA to use with Device Control encryption.
Digital Signatures
Device Control uses digital signatures to ensure the integrity of the private and public key pair. A digital signature is a stamp attached to a data transmission that can be used to determine whether an intervening malicious user tampered with the transmission.
The digital signature for a message is generated as follows:
- A message digest or hash is generated using a set of hashing algorithms. A message digest is:
- A summary of the data transmitted.
- Always smaller than the message.
- Detects even the slightest change in the data that produces a different hash.
- The private key of the sender is used to encrypt the message hash that is the digital signature.
- The digital signature is attached to the message which is then sent to the recipient.
The recipient then performs the following:
- Uses the public key of the sender to decrypt the digital signature and obtain the message hash generated by the sender.
- Uses the same message hash algorithm as the sender to generate a message hash for the received message.
- Compares the two message hashes. If the message hashes are not exactly the same, a third-party tampered with the message or there was a problem with the data transmission.
You can be assured that the digital signature was originated by the sender, not by a malicious user, because only the public key of the sender can decrypt the digital signature. If the decryption using the public key renders a faulty signature hash, either the signature, or the data, is not exactly what the sender originally transmitted.