Overview of an encrypted session in SOS

A collection of information about SourceOffSite, including solutions to common problems.

Moderator: SourceGear


Post by lbauer » Thu Mar 11, 2004 2:26 pm

SourceOffSite uses the Blowfish Encryption Algorithm
<http://www.counterpane.com/blowfish.html> for encryption.

The login process using encryption in SourceOffSite works as follows:

When the connecting client receives the challenge from the server (after
connecting to the secure port), it looks for a crypto key for that particular
server. If the key is found, it loads the key and creates a session key. The
username is sent to the server and the client uses the crypto key to encrypt
the user's VSS password, session key, and validation hash before sending
that information to the server.

When the server receives the username, it looks for a key for that user in
its keys database. If found, it then attempts to decrypt the remaining
packets (containing the password, session key, and validation hash). If
that all works correctly, then the server responds with an OK message in
cleartext, and then all remaining communication for that session will be
encrypted with the session key. Each session key is generated with a
cryptographically secure random number generator.
Also, if anything goes wrong at any step, the session is terminated.

Linda Bauer
SourceGear
Technical Support Manager
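
The login flow described in the post above, sketched as an added example (not SourceGear's code and not the SourceOffSite wire format). Assumptions: the packet layout, the validation hash being SHA-256 over challenge plus payload, the hypothetical `check_password` callback standing in for the VSS password check, and an HMAC-based stand-in cipher used in place of Blowfish so the sketch runs with the standard library only.

```python
import hashlib, hmac, secrets

def stand_in_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Placeholder for Blowfish (not in the stdlib): XOR with an HMAC-SHA256
    keystream. Symmetric, so the same call encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

def client_login(username, password, crypto_key, challenge):
    """Client side: returns (username, encrypted blob, session key)."""
    session_key = secrets.token_bytes(16)            # CSPRNG, as the post states
    body = session_key + password.encode()
    validation = hashlib.sha256(challenge + body).digest()  # assumed definition
    blob = stand_in_cipher(crypto_key, challenge, validation + body)
    return username, blob, session_key

def server_login(keys_db, check_password, username, blob, challenge):
    """Server side: returns the session key, or None when the session is terminated."""
    crypto_key = keys_db.get(username)
    if crypto_key is None or len(blob) < 48:
        return None                                  # no key for this user, or short packet
    plain = stand_in_cipher(crypto_key, challenge, blob)
    validation, body = plain[:32], plain[32:]
    expected = hashlib.sha256(challenge + body).digest()
    if not hmac.compare_digest(validation, expected):
        return None                                  # wrong crypto key or altered packet
    session_key, password = body[:16], body[16:]
    if not check_password(username, password):
        return None                                  # password rejected
    return session_key                               # server would now send the cleartext OK

if __name__ == "__main__":
    keys_db = {"alice": secrets.token_bytes(16)}     # constructed sample data
    check = lambda u, p: (u, p) == ("alice", b"vss-pass")
    challenge = secrets.token_bytes(16)
    user, blob, sk = client_login("alice", "vss-pass", keys_db["alice"], challenge)
    print("matching key:", server_login(keys_db, check, user, blob, challenge) == sk)
    _, bad, _ = client_login("alice", "vss-pass", secrets.token_bytes(16), challenge)
    print("wrong key:", server_login(keys_db, check, "alice", bad, challenge))
```

Every failure path returns `None`, mirroring the post's statement that the session is terminated if anything goes wrong at any step.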
