Authentication
Authentication ensures that a device is “who” it claims to be each time it communicates with the Web/Http Server.
On the server side, device authentication is automatically enabled upon installation of the NotifyLink Enterprise Server. The server generates an 8 character authentication password for each user when they are added to the NLES server. When the user registers a device he/she is prompted for that authentication password. The password is stored on both the server and the device. At registration and each time the device initiates a query for email and PIM, the password serves as a seed from which an AES encryption key is generated. Authentication elements communicated between device and Web/Http server are, therefore, encrypted using the AES algorithms.
The authentication password can be changed at any time through the Administrative or Client portion of the NotifyLink web interfaces. A new random password can be generated by the server or can be typed in manually. If the authentication password is changed, the device will not be able to send/receive email until the password is updated on the device. Until the passwords match, the user will be prompted for the new password each time the device tries to connect to the server.
Should a user change devices or need to reregister an existing device, an administrator or the client must manually release new registration messages by implementing the Synchronize Device option from the administrative or client web. This insures that unauthorized users do not register a device against an NLES user account that does not belong to them.
Detail of the Authentication Steps Between Device and Server
Device
The device uses the authentication password (seed) to generate an AES encryption key used to encrypt authentication elements sent to the server.
The device encrypts the elements to be sent to the server and also sends an encryption SHA-1 hash of the unencrypted characters.
The device does not store the authentication encryption key on the device, only the authentication password is stored (the key is generated each time it is needed).
Server
When the Web/Http server receives an authentication request from the device it decrypts the request and the SHA-1 hash portion of the request, using an AES encryption key generated from the authentication password stored on the server.
The server verifies that the request decrypted successfully and that the decrypted SHA-1 sent in the request matches the SHA-1 hash of the decrypted request.
If decryption is successful and the SHA-1 matches, then the request is processed by the server and a response is sent to the client.
If decryption is unsuccessful or the SHA-1 hash does not match, then the server responds with a message indicating that authentication failed, and the user is prompted for their authentication password.
ActiveSync Device Authentication
Users who register ActiveSync (AS) devices against an NLES user account also use an authentication password. It is entered on the device at registration and must match the authentication password associated with the NLES user account on the server.
Since there is no device application installed on ActiveSync devices, the registration process is somewhat different. In addition to requiring the authentication password at registration, the server captures and stores the unique device ID. This prevents unauthorized users from registering a device against an NLES user account that does not belong to them. Should a user change devices or need to reregister an existing device, an administrator or the client must manually implement the Clear Registration option from the administrative or client web. This clears the unique identifier stored for the device and allows the device to reconnect and send updated information to the server.
Further Measures for Securing the Web/Http Server
To further secure the Web/Http server, you can lock down the virtual directories except for those pages accessed by the mobile devices. For a list of the php pages needing to be left open, contact the Notify Technical Support at support@notifycorp.com