Skip to end of metadata
Go to start of metadata

Symptom:

How is the communication between the Men & Mice Suite modules secured from attacks?

Solution

All communication that takes place between Men & Mice Modules over TCP/IP network (IPv4 or IPv6) is encrypted using AES (Rijndael) 128 bit encryption. (see http://csrc.nist.gov/archive/aes/ and http://en.wikipedia.org/wiki/Advanced_Encryption_Standard ).

To pass an initial shared secret (session pass-phrase) for AES, we use a 1024 bit RSA encryption. Different private and public RSA keys are randomly generated each time the server is started and are only stored in memory.

The login sequence is as follows:

  1. Client sends a ‘hello’ message to the server.
  2. The server responds by sending its public RSA 1024 bit key.
  3. The client generates a shared secret (randomly generated key), encrypts it using the server’s public key, and sends the encrypted shared secret to the server.
  4. The server decrypts the shared secret using its private key.
  5. A 128 bit AES encrypted session is started using the shared secret.

The same method is used for communication between Men & Mice Central and the DNS and the DHCP server controllers.

When Men & Mice Central is installed, it generates a random ‘fingerprint’ that is stored on the machine that runs Men & Mice Central.

When an initial connection is performed to a DNS/DHCP controller, Central sends the fingerprint to the controller in question where it is stored. This effectively ‘pairs’ Central with each DNS/DHCP controller.

Every time Central connects to a DNS or a DHCP controller it sends its fingerprint as a part of the connection request. The DNS/DHCP controller matches the fingerprint to its own copy and if the fingerprints don’t match, the connection request is refused. This is to avoid ‘hijacking’ of the DNS or DHCP controllers by an unauthorized copy of Men & Mice Central.