Per-packet security services

In some environments, distributed applications have to deal with the fact that the network is not physically secure. For example, unauthorized parties can listen to a dialog by attaching analyzers to a physical line or capturing wireless transmissions.

In these environments, applications use protection and authentication of transmitted data to assure a secure dialog.

The following properties control the use of the various per-packet services:

Table 2-36: Data authentication properties

Property                 Description

CS_SEC_CONFIDENTIALITY   Enables the data confidentiality service.
                         Data confidentiality encrypts all transmitted data and
                         assures that unauthorized parties cannot understand
                         in-transit data.

CS_SEC_INTEGRITY         Enables the data integrity service.
                         Data integrity assures that attempts to tamper with
                         in-transit data are detected.

CS_SEC_DATAORIGIN        Enables data origin stamping.
                         Data origin stamping assures that received data was
                         really sent by the client or the server.

CS_SEC_DETECTREPLAY      Enables the replay detection service.
                         Replay detection assures that attempts by unauthorized
                         parties to replay captured transmissions are detected.

CS_SEC_DETECTSEQ         Enables the sequence verification service.
                         Sequence verification detects transmissions that arrive
                         in a different order than they were sent.

CS_SEC_CHANBIND          Enables the channel binding service.
                         Channel binding stamps each transmission with an
                         encrypted description of the client's and server's
                         addresses, so that data redirected over a different
                         connection is detected.

Note: Applications that use the services described in this section incur a per-packet overhead on all communication between the client and the server. Enable data authentication services only when application security is more important than application performance.

All per-packet services perform one or both of the following operations for each TDS packet sent over a connection: encrypting the packet contents, and attaching a digital signature to the packet.

If an application selects multiple per-packet services, each operation is performed only once per packet. For example, if the application selects the data confidentiality, sequence verification, data integrity, and channel binding services, then each packet is encrypted and accompanied by a digital signature that encodes the packet contents, packet sequence information, and a network channel identifier.
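The following example is added here to illustrate the per-packet model described above; it is not Client-Library code and does not use the Sybase API or the security mechanism that implements these services. A toy sender and receiver apply the two operations (encrypt the contents, attach a signature) and the receiver runs the checks that each selected service implies. The service names, the shared key, the channel identifier (a constructed client/server address pair), the HMAC-SHA256 signature and the HMAC-derived XOR keystream are all assumptions made for the illustration; the keystream in particular is a stand-in, not a cipher to reuse.

```python
"""Toy model of per-packet security services (added illustration, not Client-Library code).

Each packet is: 8-byte sequence number | body | 32-byte signature.
The signature covers the body, the sequence number and, when channel binding is
selected, a channel identifier, which is how one signature serves the integrity,
data origin, replay, sequence and channel binding checks at once.
"""
import hashlib
import hmac
import struct

SEQ_LEN = 8
MAC_LEN = 32


def _keystream_xor(key, seq_bytes, data):
    """Toy confidentiality: XOR with an HMAC-SHA256 keystream derived per packet.
    This stands in for the real mechanism's cipher and is not for production use."""
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += hmac.new(key, b"enc" + seq_bytes + struct.pack(">I", block), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def _signature(key, seq_bytes, channel, body, services):
    """Signature over contents and sequence information; the channel identifier
    (assumed here to be the client/server address pair) is included only when
    channel binding is selected."""
    chan = channel if "chanbind" in services else b""
    return hmac.new(key, b"sig" + seq_bytes + chan + body, hashlib.sha256).digest()


class Sender:
    def __init__(self, key, channel, services):
        self.key, self.channel, self.services = key, channel, set(services)
        self.seq = 0

    def protect(self, payload):
        seq_bytes = struct.pack(">Q", self.seq)
        self.seq += 1
        body = _keystream_xor(self.key, seq_bytes, payload) if "confidentiality" in self.services else payload
        return seq_bytes + body + _signature(self.key, seq_bytes, self.channel, body, self.services)


class Receiver:
    def __init__(self, key, channel, services):
        self.key, self.channel, self.services = key, channel, set(services)
        self.seen = set()       # sequence numbers already accepted (replay detection)
        self.expected = 0       # next sequence number in order (sequence verification)

    def unprotect(self, packet):
        if len(packet) < SEQ_LEN + MAC_LEN:
            raise ValueError("truncated packet")
        seq_bytes, body, mac = packet[:SEQ_LEN], packet[SEQ_LEN:-MAC_LEN], packet[-MAC_LEN:]
        # Integrity, data origin and channel binding all fail as a signature mismatch.
        if not hmac.compare_digest(mac, _signature(self.key, seq_bytes, self.channel, body, self.services)):
            raise ValueError("signature mismatch")
        seq = struct.unpack(">Q", seq_bytes)[0]
        if "detectreplay" in self.services and seq in self.seen:
            raise ValueError("replay detected")
        if "detectseq" in self.services and seq != self.expected:
            raise ValueError("out of sequence")
        self.seen.add(seq)
        self.expected = max(self.expected, seq + 1)
        return _keystream_xor(self.key, seq_bytes, body) if "confidentiality" in self.services else body


def _outcome(fn):
    try:
        fn()
        return "ok"
    except ValueError as e:
        return str(e)


def run_scenarios():
    """Exercise each service against a constructed session; returns a dict of outcomes."""
    key = b"session key established at login (constructed)"
    channel = b"10.0.0.5:49152->10.0.0.9:5000"         # constructed client/server pair
    other_channel = b"10.0.0.5:49152->10.0.0.77:5000"  # constructed: a different server
    all_services = {"confidentiality", "integrity", "dataorigin", "detectreplay", "detectseq", "chanbind"}
    results = {}

    sender, receiver = Sender(key, channel, all_services), Receiver(key, channel, all_services)
    p0, p1, p2 = (sender.protect(b"select %d" % i) for i in range(3))
    tampered = bytearray(p1)
    tampered[SEQ_LEN] ^= 0x01                         # flip one bit of the body
    results["ciphertext_hides_payload"] = b"select 0" not in p0
    results["decrypted"] = receiver.unprotect(p0)
    results["replayed_p0"] = _outcome(lambda: receiver.unprotect(p0))
    results["tampered_p1"] = _outcome(lambda: receiver.unprotect(bytes(tampered)))
    results["p2_before_p1"] = _outcome(lambda: receiver.unprotect(p2))
    results["p1_then_p2"] = (_outcome(lambda: receiver.unprotect(p1)), _outcome(lambda: receiver.unprotect(p2)))
    # Channel binding: the same packet relayed to a different server fails its signature.
    results["relayed_to_other_server"] = _outcome(
        lambda: Receiver(key, other_channel, all_services).unprotect(sender.protect(b"select 3")))
    # Without channel binding the relay goes unnoticed (same key, different channel).
    no_bind = all_services - {"chanbind"}
    results["relayed_without_chanbind"] = _outcome(
        lambda: Receiver(key, other_channel, no_bind).unprotect(Sender(key, channel, no_bind).protect(b"x")))
    # Without sequence verification, reordering is accepted but replay is still caught.
    loose = all_services - {"detectseq"}
    s3, r3 = Sender(key, channel, loose), Receiver(key, channel, loose)
    a, b = s3.protect(b"a"), s3.protect(b"b")
    results["reordered_without_detectseq"] = tuple(_outcome(lambda p=p: r3.unprotect(p)) for p in (b, a, a))
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The scenarios show the distinction the table draws: replay detection alone catches a repeated packet but tolerates reordering, sequence verification rejects the reordered packet, and channel binding is what turns "valid packet, wrong connection" into a detectable failure.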

See the Open Client Client-Library/C Reference Manual for more information about these security services, and about use of security services in client applications.