This is the third in a series of messages describing new features in Isode R14.4, scheduled to ship in April 2009. You can see all of the messages on this blog relating to R14.4 by clicking on this link.
In R14.4 we're extend the available X.400 security capabilities, which will be of particular interest to Aviation (AMHS) customers, in achieving full compliance to the ATS Extended Service.
X.400 has a number of end-to-end security services. Message Origin Authentication and Content Integrity have been provided for some while. The significant new capability provided in R14.4 is Message Sequence Integrity.
Message Sequence Integrity
This ensures that messages are received in order, and allows detection of lost or duplicated messages (either accidental or malicious). This service is important for some applications, such as sending flight plans.
Earlier releases provide Message Origin Authentication and Content Integrity by use of a Message Origin Authentication Check (MOAC) per message envelope field. R14.4 adds support for Message Token, which is a per-recipient field. Message Token can be used to provide Message Sequence Integrity, and it also gives an alternate mechanism for providing Content Integrity and Message Origin Authentication. Message Token securely binds the Recipient OR Name to the message, and so also provides proof that the originator sent the message to the specific recipient.
R14.4 also includes an enhancement to the Message Origin Authentication service, by adding a check of the OR Address SubjectAltName in the X.509 Certificate against the OR Address of the originator, in addition to checking the Certificate Subject Name against the Directory Name component of the OR Name. This is a desirable check, as many environments place trust in the OR Address value and use it directly.
We're providing these security services as a part of our X.400 Client Library (P3 and P7), so that the services can be easily used by X.400 applications. The envelope fields are created and checked by the Isode APIs, making the security services very easy to add to applications.
We've has added Message Sequence Integrity checks to XUXA (Isode's demonstration/test X.400 client) using the X.400 Client Library, so that this service can be demonstrated, along with Content Integrity and Message Origin Authentication. XUXA (and the underlying API) allow use of both MOAC and Message Token. An early development screenshot can be found below:
XUXA Sequence Integrity