APPX Router - Session Encryption
Encryption Overview
The APPX Router provides link-level encryption and authentication between PC clients and the Router. Encryption is a separately licensed feature of Across the Boards and pcMAINFRAME, available only in the United States.
Currently available encryption modules support the industry-standard Blowfish encryption algorithm with either 40-bit or 128-bit keys. Note that a 40-bit key satisfies export rules but is within reach of a brute-force search; use 128-bit keys wherever they are permitted. Session keys are negotiated with a key negotiation protocol based on the Diffie-Hellman algorithm. The negotiation factors in shared secrets, user IDs and passwords, and so provides session authentication as well as key agreement. Because the cryptography is performed on the Router rather than on the host, encryption and authentication add no workload to the mainframe.
Configuration and Operation
Encryption is provided by enhancements to the APPX/TCP device drivers and by loadable encryption modules. Each module supports one or more modes of operation, and each side of the link (e.g. the PC client and the APPX Router) is configured with a list of "encryption modes" acceptable to that side. At session startup the two sides negotiate a mode that appears on both lists. If both sides are configured to allow it, they may also agree on a non-encrypted mode; a side that must never fall back to cleartext therefore simply omits the non-encrypted mode from its list.
The session key is constructed from the Diffie-Hellman shared value, a shared secret and the user's password. The shared secret and password are never transmitted; they enter only into key generation and authentication. Key generation and authentication also use SHA-1 ("Secure Hash Algorithm 1"), and the Diffie-Hellman exchange uses a 1024-bit modulus. Both of these were standard choices when this was written but fall below current minimum recommendations (SHA-1 is deprecated for new designs and 2048-bit Diffie-Hellman is the usual floor today).
A list of users and associated security information must be defined. The APPX Router can be configured to hold this information locally or to access an external database of security data. pcMAINFRAME uses the external database option: it supplements the existing PCID security structure with additional security profile information that supplies authentication data to the APPX Router.
The administrator can configure exactly what the encryption requirements are for various classes of users. For example, users reaching a host application from outside the company might be required to use encryption, while encryption might be optional for internal users. Based on the source address of the connection, the authenticated user ID and the associated security profile, the APPX Router can also enforce additional restrictions on which transactions the user may access.
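The following is an added example, not APPX's own code, that walks through one simulated session setup in the style described in the three preceding sections: the router derives its list of acceptable modes from the connection's source address, the two sides negotiate a mode, they perform a 1024-bit Diffie-Hellman exchange, each derives key material with SHA-1 over the Diffie-Hellman result, the shared secret, the user ID and the password (none of which are sent), and each proves to the other that it derived the same material. The mode names, message layout, hash labels, network ranges and the user database are all assumptions made for the example.

```python
"""Added example (not APPX's code): mode negotiation, 1024-bit Diffie-Hellman,
SHA-1 key derivation mixing in a shared secret and password, mutual
authentication tags, and a per-source-address encryption policy. Mode names,
message layout, labels and network ranges are assumptions."""
import hashlib
import hmac
import ipaddress
import secrets

# 1024-bit MODP group from RFC 2409 (Oakley group 2); generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
P_BYTES = (P.bit_length() + 7) // 8  # 128

# Assumed mode names and the key length each implies.
MODE_KEY_BITS = {"blowfish-128": 128, "blowfish-40": 40, "none": 0}

# Assumed address space of the company network.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]


def router_modes_for(source_ip):
    """Modes the router accepts for a connection from source_ip, most preferred
    first. Cleartext is offered only to internal addresses, so an Internet
    client can never negotiate its way down to 'none'."""
    addr = ipaddress.ip_address(source_ip)
    if any(addr in net for net in INTERNAL_NETS):
        return ["blowfish-128", "blowfish-40", "none"]
    return ["blowfish-128"]


def negotiate_mode(router_modes, client_modes):
    """First mode in the router's preference list that the client also lists,
    or None if the two sides have nothing in common."""
    for mode in router_modes:
        if mode in client_modes:
            return mode
    return None


def key_material(dh_shared, shared_secret, user_id, password):
    """20 bytes of SHA-1 output binding the DH result to the shared secret, the
    user ID and the password. Only the DH public values cross the wire."""
    z = dh_shared.to_bytes(P_BYTES, "big")
    return hashlib.sha1(b"|".join([b"APPX-KEY", z, shared_secret,
                                   user_id.encode(), password])).digest()


def run_session(source_ip, client_modes, user_id, client_password,
                router_user_db, shared_secret):
    """Both ends of one session setup. router_user_db maps user ID -> password,
    standing in for the local or external security database.
    Returns (mode, client_key, router_key, authenticated)."""
    mode = negotiate_mode(router_modes_for(source_ip), client_modes)
    if mode is None or user_id not in router_user_db:
        return mode, None, None, False
    # Diffie-Hellman: each side keeps its exponent and sends only g^x mod p.
    a = secrets.randbelow(P - 3) + 2
    b = secrets.randbelow(P - 3) + 2
    pub_a, pub_b = pow(G, a, P), pow(G, b, P)
    transcript = b"|".join([mode.encode(), user_id.encode(),
                            pub_a.to_bytes(P_BYTES, "big"),
                            pub_b.to_bytes(P_BYTES, "big")])
    client_km = key_material(pow(pub_b, a, P), shared_secret, user_id,
                             client_password)
    router_km = key_material(pow(pub_a, b, P), shared_secret, user_id,
                             router_user_db[user_id])
    # Each side proves it derived the same material with an HMAC over the
    # transcript; the peer recomputes it and compares in constant time.
    client_tag = hmac.new(client_km, b"client|" + transcript, "sha1").digest()
    router_tag = hmac.new(router_km, b"router|" + transcript, "sha1").digest()
    router_accepts = hmac.compare_digest(
        client_tag, hmac.new(router_km, b"client|" + transcript, "sha1").digest())
    client_accepts = hmac.compare_digest(
        router_tag, hmac.new(client_km, b"router|" + transcript, "sha1").digest())
    key_len = MODE_KEY_BITS[mode] // 8  # 16, 5 or 0 bytes handed to the cipher
    return (mode, client_km[:key_len], router_km[:key_len],
            router_accepts and client_accepts)


if __name__ == "__main__":
    db = {"alice": b"correct horse battery"}  # constructed sample user database
    print(run_session("203.0.113.7", ["none", "blowfish-128"], "alice",
                      b"correct horse battery", db, b"site-shared-secret"))
```

Two things to notice when running it. A client from an external address that lists "none" first still ends up with blowfish-128, because the router's list controls what can be agreed; downgrade protection lives in the configured lists, not in the cipher. And a wrong password or an unknown user ID produces differing key material on the two sides, so the authentication tags fail without the password ever having been sent.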
Advantages
By providing easy-to-use, transparent encryption and authentication for your APPX application, the APPX Router lets customers and end users reach your application over the Internet with the client-to-Router link encrypted and authenticated. By eliminating the need for expensive dedicated access and complex VPNs, your application is easier and cheaper to deploy, allowing you to reach a larger customer base with fewer support headaches.