Function Detail (Realization of Secure Data Transfer)

For secure use, HCP tools provides functions that ensure the confidentiality and integrity of transferred data and that authenticate the peers of a communication so that the correct ones are identified.

  • PKI (Public Key Infrastructure) technologies are used to authenticate the peers of a communication.
  • AES (Advanced Encryption Standard), an international standard, protects transferred data so that confidential information is not disclosed.
  • Privilege separation and the access control list function provide appropriate access control.
  • Payload validation detects data errors over networks.
  • Transfer resuming keeps transfers efficient even when a transfer is aborted unexpectedly.

Authentication

HCP tools supports the following standard authentication functions.

  • PAM (Pluggable Authentication Modules) authentication
  • Public key authentication
  • Windows Logon Authentication

It provides the following configuration items for its authentication functions.

| Type | Configuration Item | Description |
| --- | --- | --- |
| PAM (Pluggable Authentication Module) (Linux) | PAMAuthentication | PAM configuration |
| RSA (Rivest-Shamir-Adleman cryptosystem) | PubkeyAuthentication | RSA configuration |
| LPA (Local Password Authentication) | LocalPasswordAuthentication | LPA configuration |
| WLU (Windows Logon User) | WinLogonUserAuthentication | WLU configuration |

PAM authentication in HCP tools also supports LDAP (Lightweight Directory Access Protocol) authentication if the deployment environment can provide it for logind, sshd or other services. In that case, HCP tools performs the LDAP authentication using the configuration file /etc/pam.d/hcpd.

On Windows servers, HCP tools can provide the Windows Logon function to clients, including domain authentication by Active Directory (just insert a domain name before the user name).

Related Options

| Command | Short Name | Option Name | Description |
| --- | --- | --- | --- |
| hcp/hsync/hrm/hcp-ls/hmkdir/hpwd/hmv/hln/hchmod/hchown | | wss-no-check-certificate | Ignoring server certificate validation on WebSocket SSL/TLS |
| | | user | Specify username in advance |
| | | password | Specify password in advance |

Related Configurations

| Category | Configuration Name | Description |
| --- | --- | --- |
| Server Configuration | LocalPasswordAuthentication | LPA (Local Password Authentication) authentication |
| | PAMAuthentication | PAM (Pluggable Authentication Module) authentication |
| | PubkeyAuthentication | RSA (Rivest-Shamir-Adleman cryptosystem) authentication |
| | WinLogonUserAuthentication | Windows authentication |
| | PerformSystemAuthenticationRegardlessUsers | Control applying system authentication (PAM auth, Windows logon) |
| | AuthorizedKeysSearchDir | Specify directory for searching public keys (RSA auth) |
| | AuthorizedKeysFile | Specify file for finding a public key (RSA auth) |
| | AuthorizedKeysCommand | Specify command for finding a public key (RSA auth) |
| | AuthorizedKeysCommandUser | Specify user to run the command (RSA auth) |
| | CACertificateFile | Specify file of CA (Certificate Authorities) certificates |
| | CACertificatePath | Specify directory including CA (Certificate Authorities) certificates (Reserved) |
| | CARevocationFile | Specify file of CRL (Certificate Revocation List) |
| | CARevocationPath | Specify directory including CRLs (Reserved) |
| | OCSPRevocationEnabled | Control performing OCSP (Online Certificate Status Protocol) on client authentication |
| | LocalUserFile | Specify file configuring users hcpd recognizes |
| | LocalPasswordFile | Specify file holding credentials of LPA (Local Password Authentication) |
| | AllowUsers | Specify user name pattern to allow login |
| | AllowGroups | Specify group name pattern to allow login |
| | DenyUsers | Specify user name pattern to deny login |
| | DenyGroups | Specify group name pattern to deny login |
| Client Configuration | LocalPasswordAuthentication | LPA (Local Password Authentication) authentication |
| | PAMAuthentication | PAM (Pluggable Authentication Module) authentication |
| | PubkeyAuthentication | RSA (Rivest-Shamir-Adleman cryptosystem) authentication |
| | WinLogonUserAuthentication | Windows authentication |
| | PrivateKeySearchDir | Specify directory for searching private keys (RSA auth) |
| | PrivateKeyFile | Specify file for finding a private key (RSA auth) |
| | PubkeyAuthenticationPrior | Configure priority of RSA authentication |

Utilization of PKI (Public Key Infrastructure)

HCP tools uses PKI functions to communicate securely with the correct peers.

The tools support the following algorithms and file formats of private keys, public keys and certificates for secure communication.

The algorithms for the keys are:

  • RSA

The file formats for the keys and certificates are:

  • PKCS1
  • PKCS8
  • X.509 Certificate
  • OpenSSH ver.x
  • PuTTY ver.2 and ver.3

Encryption

It is important to encrypt transferred data when you transfer files over networks.

Encryption encodes data into another form that no third party can read. It reduces the risk that data is disclosed through wiretapping.

HCP tools provides communication security like SSH/TLS. Normally you do not have to configure anything for this security. However, you can change the configuration on servers and clients to change the encryption algorithm used between them.

  • Communication Message Encryption

    This function encrypts the messages transferred between a client and a server.

    In HCP tools, you can configure the encryption algorithms used to encrypt transferred messages and the digest algorithms used to validate those messages and file payloads. Negotiation between the configurations of the client and the server determines the set of algorithms used in the actual communication.

Related Configuration

| Category | Configuration Name | Description |
| --- | --- | --- |
| Server Configuration | AcceptableCryptMethod | Encryption method for message communication |
| | AcceptableDigestMethod | Digest method for validation of message and file data |
| | RequireDataIntegrityChecking | Setting requirement of MAC (Message Authentication Code) |
| Client Common Configuration | AcceptableCryptMethod | Encryption method for message communication |
| | AcceptableDigestMethod | Digest method for validation of message and file data |
| | DisableDataIntegrityChecking | Disable MAC or not |
| | AcceptDataIntegrityCheckingOnRejection | Acceptance of rejection for disabling MAC |

  • Communication Security Negotiation

    This function negotiates the security of the communication method between a client and a server.

    HCP tools provides secure communication between clients and servers based on PKI technology, using a security function based on server certificates.

    By default, the private key for each server certificate is loaded from the following path.

    /etc/hcp/key/server.key (Linux.x86)

    C:/ProgramData/Clealink/HCP Tools/key/server.key (Windows)

    When a public key file exists whose name is the private key's file name with ".pub" appended, the server uses the two keys as a pair for secure communication. When the public key does not exist, the server uses the server certificate specified by the ServerCertificateFile configuration.

    In HCP tools, clients validate the server certificate's Common Name, its NotBefore/NotAfter fields, the certificate chain to the root CA (Certificate Authority) and the CRL (Certificate Revocation List).

Related Configuration

| Category | Configuration Name | Description |
| --- | --- | --- |
| Server Configuration | UseServerCertificateSecurity | Enable server certificate security or not |
| | RequireServerCertificateSecurity | Set requirement of the security to clients |
| | ServerKeyFile | Server key path for the server certificate security |
| | ServerCertificateFile | Server certificate path for the server certificate security |
| | ServerCertificateChainFile | Path of intermediate certificates for the server certificate (one or more) |
| Client Common Configuration | RequireServerCertificateSecurity | Set requirement of the server certificate security to servers |
| | RejectFallbackServerCertificateSecurity | Disable fallback into communication without the security or not |
| | IgnoreCertificateCNInvalid | Ignore the common name of the server certificate in its validation |
| | IgnoreCertificateDateInvalid | Ignore fields of NotBefore and NotAfter of the certificate in its validation |
| | IgnoreUnknownCA | Ignore validation of CA certificate and intermediates of the certificate |
| | IgnoreRevocation | Ignore validation of CRL for the certificate |
| | WSSIgnoreCertificateCNInvalid | Same as IgnoreCertificateCNInvalid on Web Socket SSL/TLS |
| | WSSIgnoreCertificateDateInvalid | Same as IgnoreCertificateDateInvalid on Web Socket SSL/TLS |
| | WSSIgnoreUnknownCA | Same as IgnoreUnknownCA on Web Socket SSL/TLS |
| | WSSIgnoreRevocation | Same as IgnoreRevocation on Web Socket SSL/TLS (Reserved) |
| | CACertificateFile | File path where CA certificates and intermediates are saved |
| | CACertificatePath | Directory path where files including CA certificates and intermediates are saved (Reserved) |
| | CARevocationFile | File path where CRL are saved |
| | CARevocationPath | Directory path where files including CRL are saved (Reserved) |
| | WSSCACertificateFile | Same as CACertificateFile on Web Socket SSL/TLS |
| | OCSPRevocationEnabled | Enable OCSP (Online Certificate Status Protocol) or not |
| | StrictHostKeyChecking | Server host key's acceptance policy configuration |
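
The following audit sketch is an added example, not part of HCP tools or its documentation. It maps each Ignore* client setting listed above to the server certificate check it switches off and reports only options that are set explicitly. The "Name value" line syntax, the yes/no values and the sample text are assumptions, since this page does not show the configuration file format or the defaults.

```python
# Added example: setting names come from the tables above; the file syntax is assumed.
SKIPS = {  # client setting -> validation step it switches off when set to "yes"
    "IgnoreCertificateCNInvalid": "Common Name",
    "IgnoreCertificateDateInvalid": "NotBefore/NotAfter",
    "IgnoreUnknownCA": "chain to the root CA",
    "IgnoreRevocation": "CRL",
}
MUST_STAY_ON = ("RequireServerCertificateSecurity",
                "RejectFallbackServerCertificateSecurity")

def parse(text):
    """Return {name: value}; '#' starts a comment, the last occurrence wins."""
    settings = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) == 2:
            settings[parts[0]] = parts[1].strip().lower()
    return settings

def audit(text):
    """List explicitly set client options that weaken server verification."""
    cfg, findings = parse(text), []
    for name, step in SKIPS.items():
        for key in (name, "WSS" + name):  # WSS* = same check on Web Socket SSL/TLS
            if cfg.get(key) == "yes":
                findings.append(f"{key}: {step} check is skipped")
    for key in MUST_STAY_ON:
        if cfg.get(key) == "no":
            findings.append(f"{key}: sessions without server certificate security are possible")
    if cfg.get("DisableDataIntegrityChecking") == "yes":
        findings.append("DisableDataIntegrityChecking: MAC validation is turned off")
    return findings

SAMPLE = """\
# constructed sample, not a shipped HCP tools file
RequireServerCertificateSecurity yes
RejectFallbackServerCertificateSecurity no
IgnoreCertificateCNInvalid no
IgnoreUnknownCA yes        # left over from a lab setup
WSSIgnoreCertificateDateInvalid YES
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no weakening options set")
```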

Access Control

HCP tools provides the following functions to give appropriate access rights to authenticated users.

  • Privilege Separation
  • ACL (Access Control List)
  • Admission Control
  • Document Points

Related Configuration

| Category | Configuration Name | Description |
| --- | --- | --- |
| Server Configuration | UserDirectoryFallbackAvailable | Fallback control from user home (for backward compatibility) |
| | RejectOnUserHomeDirectoryNotFound | Access rejection when a directory of user home is not found |

  • Privilege Separation

    This function separates the access rights of users from the root privilege so that each user operates safely, subject to that user's own rights.

    HCP tools configures privilege separation on a server for its client sessions. With privilege separation in effect, the processing of each client session runs in a process separate from the server process that waits for clients, which normally holds the root privilege. In the separated client process, access rights based on the UID/GID and supplemental groups determined from the authentication result are applied to all processing. To change this configuration per user, modify /etc/hcp/users. Up to 1000 supplemental groups can be applied. When the groups exceed that limit, they are ignored (only the UID and GID are applied).

    If you disable privilege separation, client sessions run with the access rights of the running Linux daemon or Windows service. On a Windows service, privilege separation is not applied when authentication is performed by a method other than Windows logon, e.g. LPA authentication and RSA authentication.

Related Configuration

| Category | Configuration Name | Description |
| --- | --- | --- |
| Server Configuration | UsePrivilegeSeparation | Set privilege separation |
| | PrivilegeSeparationMinimumUID | Minimum UID applicable for privilege separated sessions |
| | PrivilegeSeparationMinimumGID | Minimum GID applicable for privilege separated sessions |
| | PrivilegeSeparationUser | Default user on privilege separation (applied when any user is not determined) |
| | PrivilegeSeparationUmask | Umask on privilege separation for authenticated users |
| | PrivilegeSeparationUmaskAnonymous | Umask on privilege separation for anonymous |
| | ApplyUserPermission | Apply user's access rights to file permissions on destination (not on privilege separation) |
| | NoSupplementalGroupInPrivilegeSeparation | Disable supplemental groups |
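
The privilege separation model described above, as an added Python sketch for Linux that is not HCP tools code: a root listener forks one process per session, and the child drops to the authenticated UID/GID before doing any work. The function names and sample IDs are hypothetical, and refusing IDs below the configured minimums is an assumption; the 1000-group limit and the fallback to UID/GID only are taken from the text.

```python
import os

MAX_SUPPLEMENTAL_GROUPS = 1000  # limit stated in the text above

def session_identity(uid, gid, groups, min_uid, min_gid):
    """Choose the (uid, gid, groups) a session may run as."""
    if uid < min_uid or gid < min_gid:
        # Assumption: IDs below the configured minimums are refused outright.
        raise PermissionError(f"uid={uid}/gid={gid} below configured minimum")
    if len(groups) > MAX_SUPPLEMENTAL_GROUPS:
        groups = []  # over the limit: only UID and GID are applied
    return uid, gid, sorted(set(groups))

def drop_privileges(uid, gid, groups):
    """Switch the calling root process to the session identity for good."""
    os.setgroups(groups)  # first: needs root, and clears root's own groups
    os.setgid(gid)        # before setuid, which removes the right to change GID
    os.setuid(uid)        # sets real, effective and saved UID when called as root
    try:
        os.setuid(0)      # must now fail, otherwise the drop is reversible
    except PermissionError:
        return
    raise RuntimeError("root privilege could still be regained")

def run_session(identity, handler):
    """Run handler() in a child process under identity; return its exit code."""
    pid = os.fork()
    if pid == 0:  # child: the listener (parent) keeps its privilege
        code = 1
        try:
            drop_privileges(*identity)
            handler()
            code = 0
        except Exception:
            pass
        finally:
            os._exit(code)
    _, status = os.waitpid(pid, 0)
    return os.WEXITSTATUS(status)

if __name__ == "__main__" and os.geteuid() == 0:
    # Constructed values: UID/GID 1000 with two supplemental groups.
    who = session_identity(1000, 1000, [1000, 27], min_uid=500, min_gid=500)
    show = lambda: print(os.getuid(), os.getgroups(), flush=True)
    print("child exit code:", run_session(who, show))
```

Run without root, the child fails at setgroups and exits with code 1, so the session never runs with the listener's identity.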
  • ACL (Access Control List)

    This function controls access from clients based on network features, subject to access control lists.

    In HCP tools, the function also lets you specify the HpFP congestion control for the accept rules.

Related Configuration

| Category | Configuration Name | Description |
| --- | --- | --- |
| Server Configuration | AccessList | Define ACL (Access Control List) |
| | Allow | Define Allow rules on ACL |
| | Deny | Define Deny rules on ACL |

  • Admission Control

    This function limits the number of connections working at the same time in order to control and save the server resources used for communication, e.g. bandwidth, memory and CPU.

Related Configuration

| Category | Configuration Name | Description |
| --- | --- | --- |
| Server Configuration | MaxTotalConnection | Limit of connections (total) |
| | MaxTcpConnection | Limit of TCP connections |
| | MaxUdpConnection | Limit of UDP (HpFP) connections |
| | MaxWsConnection | Limit of Web Socket connections |
| | MaxConnectionPerUser | Limit of connections each user |
| | MaxConnectionPerSec | Limit of connections to accept each second |

  • Document Points

    This function configures the areas of the server file system that clients are allowed to access. It is defined by HCP tools and is configured on its servers. It controls reading, writing, overwriting and deleting of files and directories, allowing or denying those operations.

Related Configuration

| Category | Configuration Name | Description |
| --- | --- | --- |
| Server Configuration | DocPoint | Define a document point |
| | DocPath | Specify a path on file system on the document point |
| | PermitAccessRead | Set reading access configuration |
| | PermitAccessWrite | Set writing access configuration |
| | PermitAccessOverwrite | Set overwriting access configuration |
| | PermitAccessDelete | Set deleting access configuration |
| | PermitAccessRandomRead | Set reading in random access configuration (Reserved) |
| | PermitAccessRandomWrite | Set writing in random access configuration (Reserved) |

Data Integrity Validation

This function detects unexpected problems over networks during file transfer. It performs message validation by MAC (Message Authentication Code) and detects data errors over networks or unexpected changes to the data in transit.

Normally, use it enabled (with message validation performed).

Related Configuration

| Category | Configuration Name | Description |
| --- | --- | --- |
| Server Configuration | RequireDataIntegrityChecking | Set requirement of data integrity checking by MAC |
| Client Common Configuration | DisableDataIntegrityChecking | Disable the data integrity checking |
| | AcceptDataIntegrityCheckingOnRejection | Set acceptance of rejection to disabling it |

Transfer Resuming

This function keeps work efficient when a file transfer is aborted unexpectedly due to network problems. If a transfer is aborted for some reason, you can restart it from the position where the previous transfer stopped.

The hcp command of HCP tools provides the --resume option (-r for short) to restart through a user operation, and the --auto-resume option to restart automatically.

With the --resume option, specify the file in which the hcp command recorded its run results (normally saved as .hcp.out) to restart the transfer.

With --auto-resume, the command restarts the transfer when it was aborted due to a network error. When you abort the transfer by a user operation such as Ctrl+C, it is not restarted and simply stops. When you use a private key for authentication, it is recommended to use private keys without encryption. A passphrase required to decrypt the key is cached in the memory of the process performing the transfer, to avoid interactive operations for re-authentication after new connections are created.

You can also change the number of trials and the interval between trials for the --auto-resume option in the client configuration.

Related Option

| Command | Short Name | Option Name | Description |
| --- | --- | --- | --- |
| hcp | r | resume | Resume the previous transfer |
| | | auto-resume | Run resuming automatically (when aborted due to network problems) |

Related Configuration

| Category | Configuration Name | Description |
| --- | --- | --- |
| Client Configuration (hcp) | AutoResumeTrials | Number of auto resuming trials |
| | AutoResumeTrialInterval | Interval time between trials (in seconds) |