Basic Concept

SyncOS and the SyncOffice sandbox are supported by a certification and authorization infrastructure. The core tools for certificate management and authorization are SyncOffice Manager and SyncOffice Authenticator. With SyncOffice Authenticator, a customer can build his own authorization infrastructure.

Teleon License Pack

To use SyncOffice Manager, the customer needs to order a license pack from the Teleon client site. After the order is placed, a license key for the ordered license pack is sent to the customer's account on the client site. Different pack types support different numbers of end-user devices, from 3 devices to 200 devices.

After launching SyncOffice Manager, the customer logs in to the Teleon service using the assigned license key and the customer's client user name. The number of supported devices is constrained by the license pack type.

Customer and End-user

The term "customer" refers to a Teleon client entity. This may be a professional, a freelancer or an administrator of a corporation. "End-user" refers to the final user of SyncOS and the SyncOffice suite applications. The customer issues certificates to his end-users and provides a RAS server for his end-users' authorization.

Certificate

A Teleon service certificate is a file in INI format. Each entry of the certificate INI file is encrypted; the encryption algorithm typically used is AES. Each certificate used by SyncOffice must be placed in the same folder as the application. The certificate for a SyncOS USB drive is copied onto the USB drive by the administrator using SyncOffice Manager. The certificate for a SyncOffice-VA can be inserted into the .iso image file by the administrator using a tool such as WinISO.

Typically, each certificate works only on one specific device. A certificate assigned to computer-A cannot be used by computer-B's SyncOffice. Similarly, a SyncOS USB drive created for computer-A cannot be used on computer-B (it boots, but does not pass authorization).

In the rare situation where it is needed, the customer can assign multiple certificates to one device, one for each end-user. In such a case the end-users share a common computer, each using it in a different time slot.

Certificate Signing Request (CSR)

A certificate is linked to a specific device by means of a Certificate Signing Request (CSR). To obtain a certificate for a device, the end-user creates a CSR file for that device and sends it to his administrator by any means. The CSR file carries the device fingerprint that the certificate needs. To create a CSR, the end-user can run the standalone application CSRGen, or use the CSR creation function of the SyncOffice Login Extension.

For the customer to generate and issue a certificate, the first step is to import/open a CSR file. All subsequent certificate creation and configuration steps are based on the fingerprint data in this CSR.

Document Password Key

Documents under LibreOffice are mainly protected by a document password. SyncOffice adds a salt to the document password, often called the document password salt key. Once SyncOffice has passed the login audit and authorization, document open and save operations apply the salt key to the ordinary password.

The password key has two levels: company level and group level. The company level salt key isolates all of the company's documents from foreign users outside the company.

Each user group should be given a unique group level salt key. A user of group1 cannot open or edit a document authored by a group2 user, because their group salt keys differ. Cross-department users can be assigned to multiple groups: a user assigned to group1 and group3 can open and edit documents shared within group1 and within group3.
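The two-level salt key scheme above, as an added illustration that is not SyncOffice's own code: the company and group salt keys are combined with the ordinary password into a document key, and a user can only open a document whose group salt he was assigned. PBKDF2-HMAC-SHA256, the key check value and all salt values are assumptions constructed for the example; the real derivation is not documented on this page.

```python
import hashlib
import hmac

# Illustrative model of the company/group salt keys. The real SyncOffice
# derivation is not documented on this page; PBKDF2-HMAC-SHA256 and the key
# check value are assumptions chosen for the illustration.

# Constructed sample salt keys; in SyncOffice these come from the certificate.
COMPANY_SALT = b"example-company-salt-key"
GROUP_SALTS = {
    "group1": b"example-group1-salt-key",
    "group2": b"example-group2-salt-key",
    "group3": b"example-group3-salt-key",
}
KCV_TAG = b"document-key-check"


def document_key(password: str, company_salt: bytes, group_salt: bytes) -> bytes:
    """Combine the ordinary document password with the company- and group-level salt keys."""
    salt = company_salt + b"|" + group_salt
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def key_check_value(key: bytes) -> str:
    """A tag stored with the document so an opener can test whether his derived key matches."""
    return hmac.new(key, KCV_TAG, "sha256").hexdigest()


def protect_document(password: str, group: str) -> dict:
    """Author a document inside one group of the company realm."""
    key = document_key(password, COMPANY_SALT, GROUP_SALTS[group])
    return {"kcv": key_check_value(key)}


def can_open(doc: dict, password: str, company_salt: bytes, user_group_salts: dict) -> bool:
    """Try every group salt key the user was assigned; the company salt is fixed by his realm.
    A user in group1 and group3 therefore opens documents of either group, but not of group2."""
    for group_salt in user_group_salts.values():
        key = document_key(password, company_salt, group_salt)
        if hmac.compare_digest(key_check_value(key), doc["kcv"]):
            return True
    return False
```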

Asymmetric Style Key

Normally, document password keys are stored in a certificate file. The administrator can apply the Asymmetric Style Key feature to a certificate. Once this feature is activated on a certificate, the document password key is split into two parts: one part is still stored within the certificate, while the other part is uploaded to the RAS/RSS server and is fed back during authorization.

This feature improves certificate security, but adds the constraint that a RAS/RSS must be reachable for authorization.

Local Access Control and Passcode

When a user logs in from the SyncOffice Login Extension, an authorization process starts. In some cases no network connection is available to SyncOffice or to SyncOS/SyncOffice-VA, so RAS/RSS-backed remote authorization is not possible. In that case, authorization can normally only be done locally, by auditing against the data stored in the certificate file. This is obviously not perfect: the authorization is checked not against the real-time state of the user/device but against the state at certificate creation time, which may be obsolete. This motivates the concept of Local Access Control and the use of the AccessCode/Access Passcode.

The Local Access Control mechanism defines how authorization is done locally, alongside or in place of the remote RAS/RSS server. It is typically used when an Internet connection is not available.

If the customer administrator wants full control over SyncOffice/SyncOS authorization for a certificate, he can apply the Local Access Control attribute to that certificate. Once this attribute is activated, whether or not a RAS/RSS remote server is available, the authorization process creates a real-time random AccessCode and prompts the end-user to obtain its companion Access Passcode from his administrator. Given the end-user's real-time random AccessCode, the administrator uses SyncOffice Manager or Authenticator to produce the companion Access Passcode and then tells the end-user to enter it to finish the authorization process.
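The AccessCode/Access Passcode exchange above, modelled as an added example that is not SyncOffice's own code: the device side generates the random AccessCode, the administrator side derives the companion passcode, and the device side checks it once and within a time window. The HMAC derivation, the per-certificate `lac_secret` field, the code length and the lifetime are all assumptions; the page does not document how Manager/Authenticator computes the passcode.

```python
import hmac
import secrets
import time

# Illustrative model of the Local Access Control exchange. How SyncOffice
# Manager/Authenticator actually derives the Access Passcode is not documented
# on this page; this example assumes an HMAC over the AccessCode and the device
# fingerprint, keyed by a per-certificate secret ("lac_secret", a constructed
# name) that the administrator's tool holds and the encrypted certificate carries.

CODE_LIFETIME_S = 300  # the AccessCode is "real time": it expires and is single-use


def new_access_code(state: dict) -> str:
    """End-user side: create the random AccessCode that is read out to the administrator."""
    code = "".join(secrets.choice("0123456789") for _ in range(8))
    state["pending"] = {"code": code, "issued": time.time()}
    return code


def companion_passcode(admin_secret: bytes, fingerprint: str, code: str) -> str:
    """Administrator side (Manager/Authenticator): derive the Access Passcode for the
    AccessCode the end-user reported, bound to that device's fingerprint."""
    msg = f"{fingerprint}:{code}".encode("utf-8")
    digest = hmac.new(admin_secret, msg, "sha256").digest()
    return f"{int.from_bytes(digest[:8], 'big') % 10**8:08d}"


def verify_passcode(state: dict, cert: dict, entered: str, now: float = None) -> bool:
    """End-user side: finish authorization with the passcode relayed by the administrator."""
    pending = state.pop("pending", None)  # single use, whatever the outcome
    if pending is None:
        return False
    now = time.time() if now is None else now
    if now - pending["issued"] > CODE_LIFETIME_S:
        return False  # stale AccessCode: the user must request a fresh one
    expected = companion_passcode(cert["lac_secret"], cert["fingerprint"], pending["code"])
    return hmac.compare_digest(expected, entered)
```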

RAS and RSS

As a best practice, the customer should provide his own remote authorization server (RAS) to his end-users. This is best for security. Teleon provides a simple utility, SyncOffice Authenticator, for this purpose. The customer can run it on a Windows PC, or on a smartphone or tablet if he ordered the mobile edition. This simple RAS should be constantly online with a static IP address. Once the RAS is set up, all certificates under the same realm should be configured with its IP address and port.

The authorization request from an end-user device is sent in sequence: first to the RAS; if no RAS is available, the request is sent to the Teleon RSS server, provided the use-RSS attribute is activated in the certificate. The Teleon remote support service (RSS) is an auxiliary service and is not a guaranteed service. Teleon does not recommend that customers use RSS, but a customer can still select it as a fallback option in case his own RAS connection is not stable.
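The RAS-then-RSS order above together with the Asymmetric Style Key split described earlier, as one added example that is not SyncOffice's own code: the document key is split into a certificate share and a server share, and authorization only rebuilds the key when the RAS (or, with use-RSS set, the RSS) answers. The 2-of-2 XOR split, the callable server model and the certificate field names are assumptions.

```python
import os
from typing import Callable, Optional

# Illustrative model only: the real SyncOffice key split and RAS/RSS wire protocol
# are not documented on this page. A server is modelled as a callable that takes
# the device fingerprint and returns the server-side key share, or None when the
# server is unreachable. For a plain certificate the returned bytes only signal
# that the server answered. The 2-of-2 XOR split is an assumption.

ShareServer = Callable[[str], Optional[bytes]]


def split_key(document_key: bytes) -> tuple:
    """Split the document password key: one share stays in the certificate,
    the other is uploaded to the RAS/RSS and fed back during authorization."""
    server_share = os.urandom(len(document_key))
    cert_share = bytes(a ^ b for a, b in zip(document_key, server_share))
    return cert_share, server_share


def join_key(cert_share: bytes, server_share: bytes) -> bytes:
    """Recombine both shares; either share alone is independent of the key."""
    return bytes(a ^ b for a, b in zip(cert_share, server_share))


def authorize(cert: dict, ras: ShareServer, rss: ShareServer) -> dict:
    """Follow the order described on this page: the customer's RAS first, then the
    Teleon RSS only if the certificate's use-RSS attribute is set, else local audit."""
    fingerprint = cert["fingerprint"]
    share, source = ras(fingerprint), "RAS"
    if share is None and cert.get("use_rss"):
        share, source = rss(fingerprint), "RSS"
    if share is None:
        if cert.get("asymmetric_key"):
            # Half of the key lives on the server: without RAS/RSS the document
            # key cannot be rebuilt, which is the constraint the page mentions.
            return {"authorized": False, "source": None, "key": None}
        # Plain certificate: the whole key is local, so fall back to local audit.
        return {"authorized": True, "source": "local", "key": cert["key_share"]}
    if cert.get("asymmetric_key"):
        return {"authorized": True, "source": source, "key": join_key(cert["key_share"], share)}
    return {"authorized": True, "source": source, "key": cert["key_share"]}
```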

SyncOffice Runtime Settings

In the SyncOffice Login Extension, the third menu feature is Runtime Settings. Runtime Settings allow an end-user to apply his own document key instead of the one shared with his company group. This is useful when the end-user works both under a company realm and under his private realm; he can switch the runtime setting between the two realms.

In some cases, a customer may use SyncOffice in freeware mode without a certificate. For example, an individual/freelancer can freely download SyncOffice-VA and use it without Teleon service support and SyncOffice Manager. In that case, he can use the Runtime Settings function to define his own password salt key to protect a document, and apply the footprint feature to bind the document to a specific PC/device.