IRM - EMC Community Network

More documents

Recommendations

Info

is used to decrypt it. For further information on cryptography, a good reference is the book Applied Cryptography 1by Bruce Schneier.FIPSThe IRM Server, starting with Version 4.6, is compliant with Federal Information Processing Standards 140-2(hereafter referred to as FIPS). As part of being compliant, the IRM Server uses the FIPS certified cryptographiclibrary, RSA BSAFE® Crypto-C Micro Edition via the RSA BSAFE Micro Edition Suite (MES).With Version 4.6 – 4.7, new instances created using the IRM Server operate in FIPS mode (also true for newinstances on an upgraded IRM Server). As of Version 5.0, the administrator has a choice of whether tocreate/upgrade the instance to FIPS mode. For backwards compatibility, any IRM Server instance upgraded to V4.6does not operate in FIPS mode. As stated, an IRM Server instance in FIPS mode uses only the RSA Micro EditionSuite cryptographic library. In non-FIPS mode, the IRM Server instance uses an earlier version of the RSA BSAFEcryptographic library.Besides the cryptographic library used, here are the main differences in the operation of an IRM Server instance inFIPS mode as opposed to an instance in non-FIPS mode:•A non-FIPS IRM Server instance allows the user to select Secure Socket Layer (SSL) to connect to theLDAP directory server. A FIPS IRM Server instance requires TLS to communicate with the LDAP directory server.•A FIPS IRM Server instance communicates to the IRM clients using TLS V1.0. An IRM Server in non-FIPS mode uses SSL V3.0. During an initial connection, the IRM client may try one protocol then the other toconnect to the IRM Server. The IRM client may already know which protocol to use if the client has previouslyconnected to the IRM Server or is connecting to an IRM Server as part of the process of opening protected content.•IRM clients can open content protected by IRM Server instances in FIPS mode, as well as contentprotected by IRM Servers in non-FIPS mode. However, the IRM client is not allowed to open protected contentfrom a FIPS mode IRM server while protected content from a non-FIPS IRM Server is opened, and vice versa.An IRM Server in FIPS mode and the IRM clients that support FIPS can be part of a FIPS compliant environment.Setting up a FIPS compliant environment is beyond the scope of this document, but you can find information aboutFIPS and the RSA MES product at the RSA and Federal government websites:•http://www.rsa.com•http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2007.htm#828•http://csrc.nist.gov/groups/STM/cavp/1 ISBN 0-471-11709-9Overview of Technical Architecture Page 8
Separation of Keys and ContentMany systems that strive to extend control over information after it has been distributed have adopted an approachin which encrypted key vouchers are granted to users once they have authenticated or performed an operation suchas paying for the content. These systems encrypt the policy options and keys in a voucher that is stored on therecipient‘s system. The viewing client implements a secret algorithm to decrypt the voucher, pull out the keys, andthen decrypt the content and enforce the policy. One drawback to these systems is that a nefarious user can executeoff-line attacks to discover the secret algorithm. Once such a user has discovered this algorithm, he can generate anddistribute his own application that will crack all content protected with this scheme. There have been severalexamples of this happening. The other drawback to this approach is that once the voucher is provided to therecipient, there is no reliable way to modify or revoke his or her access. The recipient can always make a copy of thestate of the system and reproduce that state at a future time when they want to access the information.The IRM system takes a different approach. Keeping key and policy information on the IRM Server prevents offlineattacks. Furthermore, you do not need to rely on a secret algorithm for securing a voucher. Also in the IRMscheme, all time-based decisions are made based on the IRM Server‘s clock (as opposed to the local client clock),which is not subject to manipulation by a malicious user.Persistent Security & ControlUsers may e-mail, rename, and even make copies of a protected document. The information in each rendition is stillprotected. Should the information owner decide to change use permissions on protected content, all copies of theprotected content are affected. For example, the information owner can take away viewing permissions on adocument after it has been e-mailed to multiple users and stored on their PCs.Let‘s look at an example. You send out a sales document to a number of people, then later discover a critical error.In the meantime, that document has been edited, renamed and sent to even more people. As the information owner,you can revoke access permissions, at which point none of the recipients will be able to open any copy. You couldthen distribute an updated copy.Here‘s another example. You protect sensitive legal information in a document and send it to business partners andselect internal employees. At one point, you are no longer business partners with one particular company. You canrevoke access for the users in that particular company alone. All other users still have access.Time HandlingAll time-based decisions are made based on the IRM Server‘s clock as opposed to the local client clock. Theexception to this is when offline access permission is granted. This is where a user is granted the permission to viewprotected content while unable to connect to the IRM Server. Since offline access is granted for a limited amount oftime (e.g., 3 days), the client machine‘s clock is used to determine when the document was opened offline.However, should malicious users change the clock‘s time on their computer once they start working offline to gainadditional time, they invalidate all offline access permissions.Should an information owner wish to view the activity log, all times are based on the server clock but displayed inthe client‘s time zone.System ComponentsLet‘s take a closer look at the components within the IRM architecture.IRM ServerThe IRM Server is a service that accepts connections from various clients, authenticates users, and managesauthorization to, and dissemination of, encryption keys and policies for protected content. The system ensures thatOverview of Technical Architecture Page 9
Page 1 and 2: EMC CORPORATIONEMC Documentum Infor
Page 3 and 4: Abstract:EMC Documentum solutions f
Page 5 and 6: Users and Groups ..................
Page 7: Once the content is registered (enc
Page 11 and 12: When protected content is opened in
Page 13 and 14: configured to leverage existing aut
Page 15 and 16: One of the goals of the IRM system
Page 17 and 18: John Smith can only view the docume
Page 19 and 20: writing a custom program to grab th
Page 21 and 22: IRM can be configured in an active-

IRM - EMC Community Network

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?