REBOL Security Features
Robust security is mandatory for modern collaborative environments and applications.
Return to: IOS Home Page
Companies, organizations, and individuals require complete confidence that data, information, and applications remain private, regardless of the type of system or network used. REBOL supports a robust security model:
- Security is the Default
Unlike the web, email, and instant messaging, all IOS communications and data transfers are always encrypted. Not only are messages and files encrypted, but so are all upward and downward system requests, status replies, and meta data. Although IOS is a closed network, no VPN (virtual private network) or other complex software is necessary, and IOS maintains full security over any type of network connection, including wireless networks.
- High Strength Encryption
IOS supports two proven and well-tested methods of encryption. Either the U.S. Advanced Encryption Standard (AES) or Blowfish standard can be used. Both 128 bit (domestic) and 56 bit (international) strengths are supported with full cypher block chaining (CBC) to prevent "known plain text" attacks. Dynamic negotiation of encryption strength is supported for international organizations.
- Unique Session Keys
Each time an IOS client creates a new connection to an IOS server, a unique encryption key is generated to be used for all of its client-server communications. This is an RSA session key exchange.
IOS clients will connect only to servers that supply valid certificates. You cannot use a client to connect to servers other than those for which it was intended. Every server uses a different RSA certificate, eliminating the possibility of "man in the middle" attacks or server spoofing.
All IOS servers are protected from unauthorized access. Only IOS clients that possess the correct server key and provide a valid password can access an IOS server. Even if a user knows a password, if his client does not have the correct internal access key, no server access is possible. As a further security measure, all passwords are encoded by the server using SHA1 hashed values with salt randomization.
- File and Directory Sandboxes
All local file accesses are restricted to local directories, "sandboxes", that have been specified in advance. Any attempt to access files outside of the specified sandbox areas will pause the program and inform the user of the situation. The user is given the choice of terminating the program immediately.
- Port and Address Masking
Network connections can be restricted to specific IP addresses, sets of addresses, or address masks. In addition, port numbers for both outgoing and incoming connections can be supplied. Any attempt to create connections outside of the allowed parameters will pause the program, inform the user of the situation, and allow termination.
- File Integrity Checksum
By default, all IOS files are protected from tampering by the use of an SHA1 checksum. The transfer of the checksum itself is encrypted, and the checksum can also be used to detect local changes in files.
- File Storage Encryption
In addition to the above techniques that apply to the access and transfer of information over the network, IOS optionally supports two other types of file encryption: Local file encryption can be used to protect files as they are stored on client and server devices. Even if a system is lost, stolen, or otherwise compromised, the file is protected. Server file encryption allows the secure storage of private information on publicly accessible servers, such as a normal web server.
- Fileset Permissions
Private files are supported. The visibility and access to files can be public or can be restricted on a per user or per group basis. This allows private files to be shared between selected users or as private file storage for a single user. Users who do not have access to a file group do not even know what files are part of that group.
- User Capabilities
Per-user permission flags can be specified to control file operations, system attribute modification, user creation and deletion, user permissions, password changing, event logging, and more.