This article covers the basics of Vedivi secure connection establishement.

It is mainly aimed at providing an understanding of the security mechanism used by Vedivi to exchange data to its remote sibling.

Overview

Vedivi uses Secure Socket Layer (SSL) to create secure and reliable connections between two sides. It automatically manages potential disconnections of the underlying SSL socket (timeout, proxy settings), by creating a new underlying socket.Only if it cannot reach the remote side will it then close the Vedivi Connection.

Vedivi's use of SSL offers many benefits:

• Proxy/Firewall: Can be tunneled through a Proxy/Firewall.
• Security:SSL encryption is used, providing the same level of security as secured websites.
• Authentication:An SSL dual authentication can be used (1 private key on each side), to ensure both sides are connected to the right computer.
• Integrity: Only outbound TCP connections are made, so the integrity of the network security is maintained.

Relay Servers

Vedivi does automatically take care of relaying data when necessary.

Vedivi Relay Server will be used when two Vedivis cannot establish a direct connection between each other.

So if you have one computer behind a Firewall (i.e. your office) and the other directly connected to the internet (i.e. home), Vedivi will attempt to establish a Bridge between them using a direct connection.

If on the other hand none of your computers are directly on the Internet, or the Vedivis cannot establish a direct route, a Vedivi Relay Server will be used to allow the connection.

Note: Only encrypted data is relayed, so a relayed connection is as secure as a direct connection (see "How it works" below).

Basic SSL Concept

SSL uses asymetrical key for authentication and self generated symetrical keys for data encryption.

Asymetrical key (also called Public/Private keys) means two keys are necessary to code/decode data:

• Public Key: Used to encode the message, but cannot decode it. It can be distributed widely.
• Private Key: Used to decode the message. It must be kept on the server only.

So basically, although everybody having the Public Key can encode a message, only the owner of the Private Key can decode it. This makes it the perfect mechanism for authentication as you know that the only person who can respond to you message must have the Private Key.

Authentication is essential, because it ensures you are connecting to the right computer and tells the remote computer who you are.

When for instance you connect to a WebSite to buy a product online, you want to be sure that you are connected to the right WebSite and not a hacked replica only interested in steeling you card details.

To achieve this, the WebSite will have a Private Key certified by a Certification Authority, you will start a conversation encoded with the corresponding Public Key, and if it responds, you know it is the right WebSite

This authentication however is not enough for a tool like Vedivi, because for our WebSite example, the WebSite does not care about who is connecting to it, only the customer needs to make sure it is the right WebSite.

In Vedivi however, the two sides have to make sure they talk to the right remote computer. That is why Vedivi allows dual authentication, which is basically the same concept but applied in both directions.

This means both Vedivi sides will have to generate a Private Key and communicate the corresponding Public Key to the remote Vedivi.

Note: To avoid potential wrongdoing, we do not provide ways to extract the Private Key.

How it works

Vedivi connectivity is done in several steps:

1. Sign-On 1:Vedivi establishes a secure SSL connection with aVedivi Server and authenticates itself with the credentials provided by the user.
2. Sign-On 2: The second Vedivi establishes a secure SSL connection with Vedivi Server and authenticates itself with the credentials provided by the user.
3. Secure Tunnel establishement: The two Vedivi now establish an SSL tunnel between themselves, so that only these Vedivis can decipher each other messages.
4. Data Encryption & exchange: Vedivi can now exchange data securely, as only the remote Vedivi has the private key to decipher the encoded data.

Note: The relay server is only routing encrypted data at this point, and cannot decipher anything as it does not possesses the private key required.