DS-Client Encryption Keys


Creation Date: October 7, 1997

Revision Date: September 22, 2009

Product: DS‑Client

Summary

To secure customer information that is transferred to the DS‑System, the DS‑Client encrypts every file it sends to the DS‑System with encryption keys provided by the customer. The files are stored and remain encrypted on DS‑System storage at all times. The decryption process occurs during the restore operation on the DS‑Client itself. This ensures that any information transferred and stored outside the customer location is always encrypted. Currently, the DS‑Client uses either the DES encryption algorithm (56‑bit encryption key) or the AES encryption algorithm (128-bit, 192-bit, or 256-bit).

Configuration and Location of Encryption Keys

The DS-Client encryption keys are configured during DS-Client installation. Encryption keys are stored in the DS-Client database in an encrypted format, so even an administrator with full access to the DS-Client computer cannot find out the values of the encryption keys. For Grid DS-Clients, all DS-Clients in the same Grid must be configured with the same Private and Account Encryption Keys (both Types and Values).

DS‑Client Encryption Key Types and Usage

The DS‑Client can be configured with two encryption keys: a private key and an account key.

Private Key (Mandatory)

This is the default encryption key that is always used by the DS‑Client except in the cases outlined below.

Account Key (Optional)

If the customer account has more than one DS‑Client installation, each DS‑Client for this customer account must be configured with the same account key.

A DS‑Client that is configured with the wrong (or no) account key will not be granted connection to DS‑System.

The account key is used to encrypt customer files if the DS‑Client discovers (during the backup process) that a backup file was already backed up to the DS‑System by another DS‑Client within the same customer account. In this case, the file will be located in the account library area and encrypted with the account key.

Encryption Key Verification

To ensure that the DS‑Client uses the same encryption keys as were initially configured (for example, after a DS‑Client reinstallation or tampering by hackers), the DS‑System is able to verify the DS‑Client key integrity on every connection. This is accomplished by comparing the encryption cookies (codes generated with the encryption key, but not the key itself) that the DS‑Client sends on every connection request with the cookies that the DS‑System received during DS‑Client registration.

Intentional or unintentional changes to the encryption keys will make data stored on the DS‑System unusable. This verification process ensures integrity of both private and account keys (account key verification ensures that all DS‑Clients for the same customer account are configured with the same account key).
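The following is an added example, not code from the product or its vendor, showing how a cookie-based key check of this kind can work. The HMAC-SHA-256 derivation, the `Registry` class and all identifiers are assumptions made for illustration; the page does not document how the DS-Client actually generates its cookies.

```python
import hashlib
import hmac
import secrets

def key_cookie(key: bytes, label: bytes) -> bytes:
    # Assumed derivation: keyed one-way function, so the cookie identifies
    # the configured key without revealing the key itself.
    return hmac.new(key, b"cookie-v1|" + label, hashlib.sha256).digest()

class Registry:
    """Hypothetical DS-System side: stores cookies only, never keys."""
    def __init__(self):
        self.private = {}      # client_id -> private-key cookie
        self.account = {}      # account_id -> account-key cookie
        self.account_of = {}   # client_id -> account_id

    def register(self, account_id, client_id, priv_cookie, acct_cookie):
        # The first client of an account fixes the account cookie;
        # every later client of that account must present the same one.
        known = self.account.setdefault(account_id, acct_cookie)
        if not hmac.compare_digest(known, acct_cookie):
            return False
        self.private[client_id] = priv_cookie
        self.account_of[client_id] = account_id
        return True

    def verify_connection(self, client_id, priv_cookie, acct_cookie):
        if client_id not in self.private:
            return False
        acct = self.account[self.account_of[client_id]]
        # Constant-time comparison; both cookies must match registration.
        ok_priv = hmac.compare_digest(self.private[client_id], priv_cookie)
        ok_acct = hmac.compare_digest(acct, acct_cookie)
        return ok_priv and ok_acct

def demo():
    # Constructed keys and identifiers, generated fresh on each run.
    reg = Registry()
    acct_key, priv_a, priv_b = (secrets.token_bytes(32) for _ in range(3))
    def cookies(priv, acct):
        return key_cookie(priv, b"private"), key_cookie(acct, b"account")
    return {
        "register_a": reg.register("acct-1", "client-a", *cookies(priv_a, acct_key)),
        "connect_a": reg.verify_connection("client-a", *cookies(priv_a, acct_key)),
        # Reinstalled with a different private key: connection refused.
        "reinstalled_a": reg.verify_connection("client-a", *cookies(secrets.token_bytes(32), acct_key)),
        # Second client of the account with the wrong account key: refused.
        "register_b_wrong": reg.register("acct-1", "client-b", *cookies(priv_b, secrets.token_bytes(32))),
        "register_b_ok": reg.register("acct-1", "client-b", *cookies(priv_b, acct_key)),
    }
```
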

Retrieving the DS-Client Encryption Keys

The DS-Client has the capability to forward its encryption keys to the DS-System for safekeeping. This option must be enabled by your service provider.

AES Disclaimer

The DS-Client integrates Dr. Brian Gladman’s implementation of the AES (Rijndael) algorithm designed by Joan Daemen and Vincent Rijmen.

This implementation is referenced in the information on the AES development efforts on the Computer Security Resource Center website maintained by NIST (National Institute of Standards and Technology - USA). For more information please visit the following URLs:

http://csrc.nist.gov/CryptoToolkit/aes/rijndael

http://fp.gladman.plus.com/cryptography_technology

Here is the copyright notice for Dr. Brian Gladman’s implementation:

-----------------------------------------------------------------

Copyright (c) 2001 Dr Brian Gladman <brg@gladman.uk.net>, Worcester, UK

TERMS

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

This software is provided 'as is' with no guarantees of correctness or fitness for purpose.

-----------------------------------------------------------------

