FileAssurity Introduction
Security Technology used in FileAssurity
ArticSoft products have been designed to provide you with easy to use facilities for protecting your information. Underpinning these products are technical mechanisms: encryption and digital signature techniques; that actually deliver the security. These mechanisms are sometimes referred to as part of a Public Key Infrastructure (PKI) or digital signature technology.
Signing and signature forming mechanisms
The encryption algorithm used to form a digital signature by the ArticSoft products is RSA (after Rivest, Shamir and Adelman, its inventors). If a user requests that a key pair is generated automatically by an ArticSoft product, the default key length for the algorithm is set to 2048 bits. Where a user already has an RSA key pair generated and instructs an ArticSoft product to use that key pair, the public and private key size is defined by the certificate wrapping the public key and will be used. No specific advice is offered on the selection of key lengths, although it is generally considered that a longer key length will provide encrypted results that make it harder for an attacker to forge a signature or obtain secret information. Generally it is thought that a key length of 512 bits should be avoided.
A digital signature is formed by encrypting a message digest or hash of the content to be signed. The technique used by ArticSoft is SHA-1 (Secure Hash Algorithm) in conformance to the specification published by NIST (National Institute of Science and Technology, USA). The hash length used in current implementations is 160 bits, but ArticSoft are monitoring the standards being proposed by NIST for implementations of this algorithm with hash lengths of 256, 384 and 512 bits.
Digital signatures protecting files are transparent to the recipient although they may be inspected by using the ArticSoft Key Manager if required.
Signature verification mechanisms
ArticSoft products will verify any signatures generated by an ArticSoft product consistent with the key information provided in the certificate containing the signerÆs public key. Imported keys and certificates must be in the format specified in the standard PKCS#12 or .p7b, and the certificate must conform to the standard X.509 version 2 or version 3. Where X.509 certificate paths are provided, the certificate will be verified back through a certificate chain, if provided, to the root certificate held in the Trusted Authorities list on the computer system doing the verification.
The list of Trusted Authorities provided by ArticSoft at the time the first ArticSoft product is loaded by the user consists of the known valid certificates from the lists published with either the Netscape or Microsoft browser, together with a limited number of sources that are generally understood to be Authorities that have been publicly listed on Internet reference sites. ArticSoft does not make any warranty for the accuracy or correctness of this information and the user is responsible for satisfying themselves about the validity of such information. ArticSoft will update the list of Authorities from time to time and make available such lists from its website, on a best efforts basis.
Users are free to add or delete Trusted Authorities at any time, but ArticSoft does not take any responsibility for information deleted in error or provide mechanisms for un-deleting list entries. ArticSoft recommend that users maintain regular backups of their keystore (which includes the Authority list) in case an Authority is deleted in error.
When a user adds an Authority to the list, the relevant ArticSoft product will carry out a mathematical check on the certificate signature and will not add the new Authority if this fails. If a certificate chain is present that points back to an Authority already in the Authority list, a mathematical check will be carried out on the chain back to the listed Authority. Again, if the mathematical test fails the new Authority will not be added. No other checks will be carried out. When a user adds a new Authority they must satisfy themselves as to the authenticity of the new Authority.
Encryption or confidentiality and privacy methods
ArticSoft products follow the convention of using a symmetric encryption algorithm to make information private, and transferring the key of the encryption algorithm to the recipient using an asymmetric (public key) algorithm.
The key used in the symmetric algorithm is generated each time it is required. Generation of random bit strings (random numbers) is carried out in conformance to FIPS (Federal Information Processing Systems, USA) 197 recommendations.
The symmetric algorithm implemented by all ArticSoft products is AES (Advanced Encryption Standard, previously called Rijndael) using a 256 bit key length.