Technical Specifications - All Products

Product Development Software

ASISCaseManager®, ASISCaseManager® Professional, ASISCaseManager® Enterprise, ASISCorporateSecurity®, ASISCorporateSecurity® Profesional and ASISCorporateSecurity® Enterprise have been developed using Microsoft Visual Basic.NET. 

Please Note: ASIS reserves the right to change all standard technical specifications without notification.

System Requirements

Client

Server (LAN Configuration)

Server (WAN Configuration)

Database Option Supported

Standard

ASISCaseManager® and ASISCorporateSecurity® have been developed using Microsoft Visual Basic.NET and are designed to use the Microsoft® SQL Server 2005 Express as the entry level database. This database configuration is suitable for either Notebook computers or PC's networked across a Local Area Network (LAN).

Products with Optional Database Configuration

ASISCaseManager® Professional and ASISCorporateSecurity® Professional have been designed to use Microsoft® SQL Server 2005 database utilizing a 'Two Tier' architecture.

ASISCaseManager® Enterprise, and ASISCorporateSecurity® Enterprise have been designed to use Microsoft® SQL Server 2005 database utilizing a 'N Tier' architecture.

The 'Enterprise' versions of ASISCaseManager® and ASISCorporateSecurity® are suitable to be deployed across a Wide Area Network (WAN).

SECURITY (All versions)

Password Encryption/Hashing

ASISCaseManager® and ASISCorporateSecurity® use SHA-1 with a 512 bit key to hash user passwords.

(Surpasses the Australian Communications - Electronic Security Instruction (ACSI - 33 - March 2005 release). Further information can be found at:Defence Signals Directorate)

Overview of Password Hashing

During the first login (or following a password change), a salt value is calculated (see below) and is added to the password. The result is then hashed using, for instance, SHA-1 (512 bits). The username is stored along with the hash value of the user's password and the salt value. On subsequent logins, the stored user salt is added to the password entered by the user and the result is hashed using the same algorithm. The resulting hash value is compared with the stored hash value of the username. If the hash is the same, the probability is very, very high that the password entered is the right one.

What is a salt?

A salt is a value added to a password during login authentification, before it is hashed. The value can be anything. A random value, the user id, a sequential number, ... The value is added to the password using, generally, a simple concatenation; but it could be something else (a XOR, for instance). The salt is stored, in the clear along with the username and the hash value. Its purpose is to prevent mass dictionnary attacks. A mass dictionnary attack is when an attacker has precomputed a table of frequently used password and their hash value. The attacker uses this table to lookup in the password database and try to find a match. It is computationally infeasible to precompute a table of all possible variations of frequently used password when salt is used.

Example of 'N-tier' (distributed threE-tier) architecture

Presentation Layer MS Visual Basic forms are used for data presentation Workflow Layer Cache infrequently changing data as XML/HTML Transform data from ADO 2.1 disconnected recordsets to XML Store user context data as XML in location-independent manner (cookie, session state, or back end) Business Logic Layer Revised interfaces optimized for scalability Microsoft English Query transforms English to SQL Data Access SQL Server ODBC driver ADO 2.1 MTS manages ADO/ODBC connection(s) Database SQL Server 2005 Modified schema for increased scalability and performance