DS-Client to DS‑System Authentication
Creation Date: April 30, 1997
Revision Date: September 26, 2002
Product: DS‑Client
Summary
To prevent unauthorized access to the DS‑System, several protection layers are implemented on the DS‑System computer to ensure that only authorized computers can gain access to DS‑System storage. These protection layers fall into the following categories.
Network access layer
1. Outside connections can only be initiated on a separate network interface with the TCP/IP protocol.
2. The only TCP and UDP ports enabled are those used by the DS‑System and DS‑Client services.
3. The incoming DS‑Client connection's IP address (or range) is validated against the DS‑Client profile (optional).
4. User ID and password validation is performed for dialup connections (T1/ISDN access).
5. CLID (caller ID) validation is performed for T1/ISDN access (optional).
Configuration layer
The DS‑Client must pass valid Customer Account and DS‑Client numbers to the DS‑System.
Registration layer
1. The DS‑Client performs an automated, one‑time registration with the DS‑System (if "requires registration" is selected).
The registration is performed automatically on the first DS‑Client connection to the DS‑System.
If re‑registration is required, a registration request must be explicitly enabled by the DS‑System operator at the request of the DS‑Client user.
2. The Registration process passes information constructed from the DS‑Client computer's hardware and system on every connection request.
Once a DS‑Client is registered, the DS‑System can optionally validate DS‑Client registration information for every subsequent connection attempt. Registration validation provides a high level of confidence that the DS‑Client computer attempting to connect is the same computer that performed the registration.
3. The DS‑Client registration validation will fail if you:
reinstall the operating system of the DS‑Client computer
install the DS‑Client on a different computer
boot a different operating system on the DS‑Client computer (e.g. on a dual‑boot machine)
change hardware components such as the system hard drive or network card
Encryption authentication layer
Encryption Key Cookies: The Registration process also saves encryption key cookies (meaningless data encrypted with DS‑Client keys and passed on every connection request), which the DS‑System validates on each connection attempt. This prevents a DS‑Client from connecting to the DS‑System with changed or corrupted encryption keys.
Additional conditions for connection request failure
1. Customer Account or DS‑Client does not have 'active' status.
2. DS‑System shutdown is in progress.
3. DS‑System activities are disabled.
4. DS‑Client Service period violation (service period expired).
5. Account Key required and not configured for customers with multiple DS‑Clients.
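
The following sketch is an added illustration, not the product's code: it shows how the layers above can be chained so that a connection request is rejected by the first layer that fails. The Profile fields, the hardware attribute names, the order of the checks and the use of an HMAC as a stand-in for the encrypted key cookie are all assumptions.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from datetime import date
from typing import Optional

def fingerprint(hw: dict) -> str:
    # Hash machine attributes in a stable order (field names are hypothetical).
    blob = "\n".join(f"{k}={hw[k]}" for k in sorted(hw)).encode()
    return hashlib.sha256(blob).hexdigest()

def key_cookie(key: bytes) -> str:
    # Stand-in for "meaningless data encrypted with DS-Client keys": an HMAC
    # over a fixed label, so the value changes whenever the key changes.
    return hmac.new(key, b"key-cookie", hashlib.sha256).hexdigest()

@dataclass
class Profile:  # hypothetical server-side record for one client
    account: str
    client: str
    active: bool
    service_end: date
    allowed_net: Optional[str] = None  # optional IP range check
    registration_open: bool = True     # operator-enabled (re)registration
    fingerprint: Optional[str] = None
    cookie: Optional[str] = None

def connect(p, account, client, src_ip, hw, key, today):
    """Return 'ok' or the first layer that rejects the request."""
    if p.allowed_net and (ipaddress.ip_address(src_ip)
                          not in ipaddress.ip_network(p.allowed_net)):
        return "network: address outside profile range"
    if (account, client) != (p.account, p.client):
        return "configuration: invalid account or client number"
    if not p.active:
        return "status: not active"
    if today > p.service_end:
        return "status: service period expired"
    fp, ck = fingerprint(hw), key_cookie(key)
    if p.registration_open:  # one-time: closes itself after use
        p.fingerprint, p.cookie, p.registration_open = fp, ck, False
        return "ok: registered"
    if not hmac.compare_digest(fp, p.fingerprint or ""):
        return "registration: machine does not match"
    if not hmac.compare_digest(ck, p.cookie or ""):
        return "encryption: key cookie mismatch"
    return "ok"
```

Setting registration_open back to True models the operator explicitly enabling re-registration after a hardware change or reinstall.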