TESS - A Closer Look
TriStrata's comprehensive solution provides end-to-end information management and protection. With our single integrated system, the TriStrata Management System for Information Security provides for the following:
• Identification and authentication
• Authorization
• Access control
• Data integrity
• Confidentiality
• Electronic signature
• Auditing
• Key recovery under proper authority
TriStrata supports the most robust methods of cryptography for data encryption. The TriStrata infrastructure enables security at both the application and network layers, providing "out-of-the-box" desktop computer security, e-mail protection, security for sensitive data on laptop computers, even secure virtual private network (VPN) capabilities. Through our Software Developers Kit (TSSDK™) you can extend TriStrata's functionality to your own application, data or network services. The security infrastructure runs on any TCP/IP network including private intranets, public extranets and the global Internet, thereby protecting information from internal as well as external threats.
The Patented TriStrata Seal Process
The user authentication, authorization and encryption/decryption processes are all managed by the TESS security server.
Here is an example. When an individual chooses to encrypt a document via a TSData™, TSDisk™ or TSMail™ client tool, a request is sent transparently to the TESS server. At the beginning of each secure session or encryption request, the user must enter their Personal Pass Phrase (something known to them), which unlocks the unique TriStrata Access Signature that identifies and authenticates that particular client.
Behind the scenes, this security request from the client is sent to the TESS server over a Private Access Line (PAL). PAL traffic is encrypted with Triple DES under keys generated from the 256-kilobyte (2-megabit) secret Access Signature and an additional 112 bits of random data. The Access Signature is shared only between the client and TESS, so the two parties can authenticate each other. TESS then checks the request against the policies and permissions in its database to ensure that this specific user is authorized to make such a transaction.
If the user is authorized, TESS creates a unique permit that includes the encryption instructions, together with a seal that contains all the information necessary to decrypt the document. The seal is encrypted with Triple DES in Cipher Block Chaining (CBC) mode, and both permit and seal are encrypted for secure return to the user. The whole exchange amounts to roughly 500 bytes, and a TESS server executes about 2,000 such transactions per second.
On the receiving end, the client module recognizes the sealed ciphertext and sends the seal (not the document itself) to TESS. As necessary, the recipient authenticates himself or herself to the system, which breaks the seal and checks it against the recipient's policy and privileges to decrypt and validate the information. When authorized, TESS returns the permit and the electronic signature, which include the keys the recipient needs to decrypt the message and validate its integrity and authenticity.
The TESS database is further optimized so that authentication of each client is done entirely by number, rather than by name. By assigning every subscriber a globally unique Security Registration Number (SRN), TESS assures the highest possible performance while providing unprecedented levels of authorizations enforcement.
TriStrata's Modular Design
All elements of TriStrata's Management System for Information Security - the TESS security server, the TCM client modules or the TEM entity modules - are designed along a three-layer modular approach. This multi-layer architecture allows for efficient communications between all solutions and provides extensibility to the entire system.
The top layer is for secure access. A TESS server is built in part around a relational database, which lets TESS quickly identify authorized users (or, equally important, deny unauthorized parties) efficiently and under the desired corporate policy. A single TESS system can handle security "events" (transactions) at 2,000 or more per second. By deploying multiple TESS replicas, an enterprise or e-commerce customer can handle more than one million security transactions per minute.
The center layer consists of services that define the function of the software (such as initializing the system, the ability to enroll end users, the policies that secure specific documents and email messages, etc.). Services are fully modular and independent as each exists as a dynamically linked library and contains all the security functionality for the particular application it supports. New applications and capabilities are easily added as desired, with no impact upon other services or system functionality.
The bottom layer handles the secure communications across the network through a highly efficient protocol that provides for mutual identification, authentication, authorization and key management, in addition to maintaining confidentiality, data integrity, access control, audit and information recoverability - all in a 500-byte round-trip transaction!
The TESS Benefits
At all times TESS remains stateless, which contributes to its very high performance and fault tolerance: the seal that travels with each document carries what TESS needs to process it, so no session state is required and any mirrored counterpart can instantly replace a disabled TESS. At no time does a TESS have knowledge of client data, which is critical to the assurance of privacy and accountability when managing a large number of customers in an extended organization.
Permitting and distributing data encryption tools to authorized users is one thing; removing or modifying user access is often the harder problem. In the TriStrata security hierarchy, the most trusted corporate system agents, under specific policies and permissions, can revoke or modify any end user's client enrollment at any time, with immediate effect. Once a user has been deleted from the system, he or she can no longer access secured information or perform any other security operation. Revocation takes effect instantly and globally, in contrast to conventional public/private-key schemes, where the revoked user still holds the private key and can go on decrypting any ciphertext already in hand. Because every decryption requires TESS to break the seal, even documents encrypted before the revocation become inaccessible to the revoked individual (what revocation cannot recall is plaintext the user decrypted and stored while still enrolled).
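To make the seal/permit exchange described above and the revocation behaviour concrete, here is an added Python model of the flow. It is illustrative code written for this page, not TriStrata's implementation: the Access Signature is shortened to 32 bytes, an HMAC-SHA256 keystream with a MAC stands in for Triple DES in CBC mode, the per-request PAL key derived from the signature plus 112 random bits is my own reading of the description, and the SRNs 1001 and 1002, the document id and the memo text are constructed sample data. What it shows is the property the page sells: document keys are issued only inside a TESS permit, the seal can be broken only by TESS, so revoking an SRN refuses every later unseal request, for previously encrypted documents too, and an altered seal is rejected by its integrity check before any key is released.

```python
"""Added toy model of a TESS-style seal/permit exchange; not TriStrata's code."""
import hashlib
import hmac
import os

def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 counter-mode keystream: a stand-in for the page's Triple DES in CBC mode
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def encrypt(key: bytes, plaintext: bytes) -> bytes:  # encrypt-then-MAC: nonce || ct || tag
    nonce = os.urandom(16)
    ct = _keystream_xor(_subkey(key, b"enc"), nonce, plaintext)
    return nonce + ct + hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: seal or ciphertext was altered")
    return _keystream_xor(_subkey(key, b"enc"), nonce, ct)

class TESS:  # central security server: access signatures, policy, audit trail and the seal key
    def __init__(self):
        self.seal_key = os.urandom(32)  # never leaves the server: only TESS can break a seal
        self.access_sig = {}            # SRN -> shared secret (page: 256 KB; shortened to 32 bytes)
        self.policy = {}                # SRN -> permitted operations
        self.audit = []
    def enroll(self, srn: int, ops) -> bytes:
        self.access_sig[srn], self.policy[srn] = os.urandom(32), set(ops)
        return self.access_sig[srn]     # provisioned to the client out of band
    def revoke(self, srn: int) -> None:
        self.access_sig.pop(srn, None)  # immediate and global: every later PAL request is refused
        self.policy.pop(srn, None)
    def _pal_authenticate(self, srn, nonce, body, mac) -> bytes:
        sig = self.access_sig.get(srn)
        if sig is None or not hmac.compare_digest(mac, hmac.new(sig, nonce + body, hashlib.sha256).digest()):
            self.audit.append(("denied", srn))
            raise PermissionError(f"SRN {srn}: unknown, revoked, or bad authenticator")
        return _subkey(sig, b"PAL" + nonce)  # this request's PAL key: signature + 112 random bits
    def _authorize(self, srn, op):
        if op not in self.policy.get(srn, ()):
            self.audit.append(("unauthorized", srn, op))
            raise PermissionError(f"SRN {srn}: policy forbids {op}")
    def permit_encrypt(self, srn, doc_id, nonce, mac):
        pal_key = self._pal_authenticate(srn, nonce, b"encrypt|" + doc_id, mac)
        self._authorize(srn, "encrypt")
        doc_key = os.urandom(32)
        seal = encrypt(self.seal_key, srn.to_bytes(4, "big") + doc_key + doc_id)
        self.audit.append(("sealed", srn, doc_id))
        return encrypt(pal_key, doc_key), seal  # permit for the requester; seal travels with the document
    def permit_decrypt(self, srn, seal, nonce, mac):
        pal_key = self._pal_authenticate(srn, nonce, b"decrypt|" + seal, mac)
        self._authorize(srn, "decrypt")
        inner = decrypt(self.seal_key, seal)  # raises ValueError if the seal was altered
        originator, doc_key, doc_id = int.from_bytes(inner[:4], "big"), inner[4:36], inner[36:]
        self.audit.append(("unsealed", srn, doc_id, originator))
        return encrypt(pal_key, doc_key)

class Client:
    def __init__(self, tess, srn, access_sig):
        self.tess, self.srn, self.sig = tess, srn, access_sig
    def _pal(self, body):
        nonce = os.urandom(14)  # the 112 random bits contributed per request
        return nonce, hmac.new(self.sig, nonce + body, hashlib.sha256).digest(), _subkey(self.sig, b"PAL" + nonce)
    def encrypt_document(self, doc_id: bytes, plaintext: bytes) -> dict:
        nonce, mac, pal_key = self._pal(b"encrypt|" + doc_id)
        permit, seal = self.tess.permit_encrypt(self.srn, doc_id, nonce, mac)
        doc_key = decrypt(pal_key, permit)  # only a server holding our signature could have produced it
        return {"seal": seal, "body": encrypt(doc_key, plaintext)}
    def decrypt_document(self, doc: dict) -> bytes:
        nonce, mac, pal_key = self._pal(b"decrypt|" + doc["seal"])
        permit = self.tess.permit_decrypt(self.srn, doc["seal"], nonce, mac)
        return decrypt(decrypt(pal_key, permit), doc["body"])

def run_scenario() -> dict:
    # constructed scenario: Alice seals a memo, Bob reads it, a tampered seal is refused, Bob is revoked
    tess = TESS()
    alice = Client(tess, 1001, tess.enroll(1001, {"encrypt", "decrypt"}))
    bob = Client(tess, 1002, tess.enroll(1002, {"encrypt", "decrypt"}))
    doc = alice.encrypt_document(b"memo-0001", b"constructed sample memo text")
    result = {"bob_reads": bob.decrypt_document(doc)}
    tampered = {"seal": bytes([doc["seal"][0] ^ 1]) + doc["seal"][1:], "body": doc["body"]}
    try:
        bob.decrypt_document(tampered)
    except ValueError as err:
        result["tampered"] = str(err)
    tess.revoke(1002)
    try:
        bob.decrypt_document(doc)  # the very same ciphertext, now refused
    except PermissionError as err:
        result["after_revoke"] = str(err)
    result["audit"] = [entry[0] for entry in tess.audit]
    return result
```

Two points of the design stand out when it is written down. The server keeps no per-document state, as the page says of TESS: everything it needs at decryption time (originator, key, document id) is inside the seal, which it alone can open, so a replica with the same seal key and database can answer the request. And the client never holds a long-term document key, only the per-transaction key released in a permit, which is what makes revocation retroactive for sealed material. The model deliberately leaves out what the page does not describe, such as replay protection on PAL requests and how the Access Signature is provisioned, so do not read those parts as a statement about the product.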
The TriStrata security system has been approved for worldwide export by the U.S. government, and is designed to protect the information assets of enterprises and e-commerce customers around the world.
Technical Specifications
Features and their benefits:
Secure Laptop (TSDisk™)
• Provides mobile users with the ability to manage their information in a secure environment.
• Provides 448-bit encryption for long-term storage of information.
• Easily installed on a computer from a floppy disk.
• Remote users can encrypt and decrypt files, then send them once they are reconnected to TESS.
Secure Desktop (TSData™)
• Built-in extension for encryption/decryption and electronic signature support under Windows.
Secure Mail (TSMail™)
• Extensions to Microsoft Exchange, Microsoft Outlook 97/98/2000 and Lotus Notes for encrypting, decrypting and signing e-mail.
Mini TESS and TSSDK™
• A software developer's toolkit for integrating TriStrata security services into client applications.
TSSDK™ Libraries
• TSS encryption/decryption routines
• TSM management routines
• TSR regulatory support routines
• TSD directory routines
• TSE error functions
Dynamic Membership Groups (DMGs)
• Information can be made available to others individually or through membership in pre-defined groups spanning multiple organizations.
Open Crypto Support
• Works with multiple encryption algorithms, including Blowfish, CAST5, DES, Triple DES and RC4, each at its highest supported key length.
TriStrata Secure VPN (TSVPN™)
• Offers secure Virtual Private Networks (VPNs) to protect corporate intranets and extranets as well as communications from remote users.
• Provides a secure channel at the Winsock layer for all TCP/IP and UDP/IP applications.
• Requires no modifications to application software.
• Runs on Windows 95/98/2000 and Windows NT workstations.
• Supports port multiplexing and redirection to ease the challenge of traversing firewalls with encrypted content.
• Uses encryption and access control services to provide message confidentiality and integrity, server access control, auditing, identification, and authorization of clients and servers at the Winsock level.