Security Measures

Last update: 28.03.2025

Zero-Knowledge

Fudo ShareAccess utilizes advanced cryptographic algorithms to deliver zero-knowledge security, ensuring that the platform operator has no insight into sensitive data transmitted through Fudo ShareAccess. All session data is encrypted end-to-end, between the user’s device and Fudo Enterprise, which is securely deployed within the organization’s network.


Fudo Enterprise establishes a secure connection to Fudo ShareAccess, safeguarded by the SSH protocol. When end-users access resources, encrypted protocols such as SSH or RDP over TLS are employed. For users accessing resources via a Webclient, HTTPS protocol ensures a secure connection between their browser and Fudo Enterprise.


Authentication data forwarded between Fudo Enterprise and the end-user, including one-time passwords, is encrypted using the user’s RSA public key with the RSA OAEP scheme. This encryption method renders the data inaccessible to attackers, further enhancing security.


Fudo ShareAccess securely stores user account information, such as email addresses, along with private keys, which are encrypted using AES-GCM with a 256-bit key. This key is derived from the user’s password through PBKDF2 with 600,000 iterations, ensuring robust protection. Additionally, Fudo ShareAccess maintains records of connected Fudo Enterprise instances, reinforcing seamless and secure operations.

Authentication

All REST requests sent to Fudo ShareAccess are signed with the user’s ECDSA private key. The private part of the key is securely stored and accessible only within the user’s browser. Request signatures are verified by Fudo ShareAccess, and if the request requires forwarding to Fudo Enterprise, it undergoes an additional verification process there.


Two-factor authentication (2FA) based on Time-based One-Time Passwords (TOTP) is also available for enhanced security.

Session Storage

All SSH and RDP sessions are securely stored on Fudo Enterprise, which is deployed within the organization’s network. Neither Fudo ShareAccess nor its operator has access to session data.

Web Application Firewall

All HTTP requests, both to the homepage and the API, are safeguarded by a Web Application Firewall (WAF) configured with the most popular and up-to-date security rules. If someone attempts to hack the system using common HTTP server attack methods, the WAF blocks such requests before they reach the application servers.

DDoS Protection

All our public addresses are protected by the AWS Shield service, providing basic defense against DDoS attacks.

Data Encryption

All data stores, including server hard drives and databases, are encrypted at the cloud level. Additionally, all communication between services is secured using TLS encryption.

Security Information and Event Management

All servers are continuously monitored by a SIEM service. This enables tracking of access methods, detection of operating system anomalies, verification of system file checksums, identification of vulnerabilities, and more.

Logs

All servers utilize remote logging services. Application logs are isolated from other logs and do not contain sensitive data. Logs are securely stored outside application servers and are accessible exclusively to the Fudo ShareAccess team through non-public access.

