Certificates

A certificate is a digital file issued by a trusted Certificate Authority (CA) that verifies a server or website endpoint is secured with an encrypted connection.

Certificate Types

• Domain-Validated (DV): Verified against a domain registry to confirm site ownership, but does not provide any organizational identifying information. The CA typically validates DV certificates via email, DNS, or HTTP methods. DV certificates are easy to obtain and offer the lowest level of security, as minimal information is required.
• Organization-Validated (OV): Verified against a domain registry to confirm site ownership, along with the organization's location, including country, state, and city. The CA typically validates OV certificates through email, DNS, or HTTP methods. OV certificates take longer to obtain and are more secure than DV certificates, as they require additional organizational information.
• Extended Validation (EV): Verified against a domain registry to confirm site ownership, along with the organization's location, including country, state, and city. In addition, the CA issues EV certificates only after verifying legal registration and confirming the company’s location and the consistency of those records. Validation typically involves email, DNS, or HTTP methods. EV certificates take the longest to obtain and provide the highest level of security.

Simphony architecture supports both server-side and client-side authentication. Server authentication is achieved by configuring the HTTPS connection with a Transport Layer Security (TLS) 1.2-compliant certificate issued by a CA. Client-side authentication is required for Simphony operations and cannot be disabled.

Simphony Workstation Authentication

1. Credentials are transmitted to the application server over an encrypted TLS channel.
2. After the application server validates the credentials, it issues an authentication token, which is returned to the client through an encrypted channel.
3. The client stores the token in an encrypted format within its protected storage.
4. All subsequent messages from the client to the server include a security header encrypted with the public key contained in the authentication token.
5. The server stores a private key for each authenticated client in the database, enabling it to verify the authenticity of incoming requests.

What is Transport Layer Security (TLS)?

TLS is a cryptographic protocol that provides end-to-end communication security over networks and is widely used for internet communications and online transactions. As an Internet Engineering Task Force (IETF) standard, TLS is designed to prevent eavesdropping, tampering, and message forgery. Common applications that use TLS include web browsers, instant messaging, email, and voice over IP (VOIP).

Many businesses use TLS to secure all communications between their web servers and browsers, regardless of whether sensitive data is being transmitted.

TLS’s predecessor, Secure Sockets Layer (SSL), was developed by Netscape in 1995. SSL versions 1.0 and 2.0 contained many security flaws, leading to a complete redesign of the protocol. In 1996, Netscape released SSL version 3.0, which became the basis for TLS 1.0. In 1999, the PCI Council recommended the eventual deprecation of SSL, as TLS 1.0 represented a significant upgrade over SSL 3.0.

TLS vs. SSL

TLS is more efficient and secure than SSL due to stronger message authentication, improved key material generation, and advanced encryption algorithms. For example, TLS supports pre-shared keys, secure remote passwords, elliptic curve keys, and Kerberos, which SSL does not. While TLS and SSL are not directly interoperable, TLS provides backward compatibility for older devices that still use SSL.

The TLS protocol specification defines two layers: the TLS Record Protocol, which provides connection security, and the TLS Handshake Protocol, which allows the client and server to authenticate each other and negotiate security keys before transmitting any data.

The TLS handshake is a multi-step process. In a basic TLS handshake, the client and server exchange "hello" messages, keys, cipher information, and a final "finish" message. This multi-step structure makes TLS flexible for use in various applications, as the format and sequence of exchanges can be adjusted as needed.