NCache Security and Encryption

NCache provides powerful security and encryption features that help ensure that your cache is protected from unauthorized access and that your sensitive application data is secured both in the cache store and during transmission over the network between your application and the cache servers. You can do all of this without any code changes.

NCache Security and Encryption via SSL/TLS

NCache provides "no-code-change", powerful security features to protect your data and network transmissions from unauthorized access.

The optional Transport Layer Security/Secure Sockets Layer (TLS/SSL) encryption secures data exchange between the NCache cache server and the authorized NCache cache client(s). Users can use any issued or self-signed SSL certificate for connections with the client(s), or can enable component-to-component connections in NCache. This guarantees encrypted data transmission.

NCache 4.8 supports secure (encrypted and authenticated) client-server communications using the TLS 1.2 security protocol. This is the same protocol used for HTTPS web communications.

To create a TLS (or SSL for earlier versions of NCache) certificate, the following prerequisites must be considered:

  • The certificate must have a private key.
  • All NCache services must be running.
  • The private key must be exportable to all nodes including the client machines.

To configure encrypted communications using TLS 1.2:

  1. All the Server and Client Nodes running NCache must have a common certificate installed. The common certificate used for secure communication is in the "Local Computer" or "Current User" store. The certificate is installed in the local computer’s store called "trusted root certificate authorities (CAs)", and the certificate is associated with a private key. The private key is called the "TLS key".
  2. All the Server Nodes running NCache and the Client Nodes using NCache should have the "TLS key" under the NCache registry key.

    To access the NCache registry key, from NCache Manager, go to HKLM > Software > Alachisoft NCache > TLS and enable TLS 1.2 with values as follows:

    • "Enabled" (Reg_Dword/int32) = Turning the feature (1) On or (0) Off.
    • "RequireClientCertificate" (Reg_Dword/int32) = Requiring the certificate at the client end, (1) Yes or (0) No. Note: The "RequireClientCertificate" should always be '1'.
    • "CertificateName" (Reg_Sz/String) = The common name on the certificate.
    • "Thumbprint" (Reg_Sz/String) = The thumbprint (Identifier) of the certificate, requires an exact case-match.

  3. Changes in the registry will take effect after the NCache services have been restarted from the task manager.

NOTE: Activating encrypted communications has a slight impact on performance.
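One way to audit a node against the registry values and certificate prerequisites above, as an added PowerShell example that is not part of NCache or the original page. The registry path is an assumed reading of the location given in step 2, and the function name Test-NCacheTlsNode is hypothetical.

```powershell
# Added example (not NCache code): audit one node's TLS settings.
# ASSUMPTION: the default path is one reading of "HKLM > Software > Alachisoft NCache > TLS".
function Test-NCacheTlsNode {   # hypothetical helper name
    param([string]$TlsKeyPath = 'HKLM:\SOFTWARE\Alachisoft\NCache\TLS')

    if (-not (Test-Path -Path $TlsKeyPath)) {
        return @("Registry key not found: $TlsKeyPath")
    }
    $tls = Get-ItemProperty -Path $TlsKeyPath
    $findings = @()

    if ($tls.Enabled -ne 1) {
        $findings += '"Enabled" is not 1: TLS is off on this node'
    }
    if ($tls.RequireClientCertificate -ne 1) {
        $findings += '"RequireClientCertificate" is not 1: the page says it should always be 1'
    }

    # A SHA-1 thumbprint is 40 hex digits; pasted values often carry spaces
    # or an invisible leading character that breaks the match.
    $thumb = [string]$tls.Thumbprint
    if ($thumb -notmatch '^[0-9A-Fa-f]{40}$') {
        $findings += '"Thumbprint" is not exactly 40 hex characters'
    }

    # The page places the certificate in Trusted Root CAs (Local Computer or Current User).
    $stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
    $cert = Get-ChildItem -Path $stores -ErrorAction SilentlyContinue |
        Where-Object { $_.Thumbprint -ieq $thumb } |
        Select-Object -First 1
    if (-not $cert) {
        $findings += 'No certificate with this thumbprint in the Trusted Root store'
        return $findings
    }
    if (-not $cert.HasPrivateKey) {
        $findings += 'Certificate has no private key on this node'
    }
    # ASSUMPTION: the "exact case-match" is against the form the certificate store reports.
    if ($cert.Thumbprint -cne $thumb) {
        $findings += '"Thumbprint" differs in letter case from the store value'
    }
    $nameType = [Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    if ($cert.GetNameInfo($nameType, $false) -ne $tls.CertificateName) {
        $findings += '"CertificateName" does not match the certificate common name'
    }
    return $findings
}

$result = Test-NCacheTlsNode
if ($result) { $result | ForEach-Object { "FAIL: $_" } } else { 'OK: TLS settings are consistent' }
```

Run it on every server and client node; any node that reports a different result from the others is the one to fix before restarting the NCache services.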

Cache Security: Authentication

NCache security ensures that only authorized connections to the cache are accepted either for cache usage or for administration. All other connections are rejected.

When NCache security is enabled, all connections to the cache cluster must first be authenticated against Active Directory at the cache server.

You must provide credentials at the time of establishing a connection to the cache. And, if your credentials are not authenticated, the connection request is denied. You can specify user credentials in the following places:

  1. NCache client configuration files
  2. When calling NCache.InitializeCache(…) API from your application
  3. In NCache Manager for administering the cache

NCache keeps your password encrypted in the NCache configuration files and in NCache Manager wherever you specify it.

Cache Security: Authorization

After NCache authenticates a connection to the cache successfully, it checks the NCache security configuration files at the cache server in order to authorize this connection. Each connection to the cache can be categorized as one of the following:

  1. User: can access the cache for read/write but cannot administer it. A "user" is defined at cache level.
  2. Admin: can access the cache for read/write and can also administer it. An "admin" is defined at cache server level.

You can specify authorization information through NCache management tools at the time of enabling security. You can then add additional "users" or "admins" to the security authorization as needed.


Figure 1: NCache Data Encryption Feature


Data Encryption

If your application deals with confidential and sensitive data that you want to secure and you're using an in-memory distributed cache, you need to ensure that your distributed cache protects this sensitive data from unwanted access through encryption.

NCache provides a rich set of encryption algorithms that are nearly impossible to break. This ensures that your sensitive data is well protected. NCache provides the following encryption algorithms that you can choose from:

  1. 3DES: very strong 168-bit encryption
  2. AES-128: very strong 128-bit encryption
  3. AES-192: very strong 192-bit encryption
  4. AES-256: very strong 256-bit encryption

NCache data encryption and decryption occur inside the NCache client application process. This means that all data travelling over the network between your application and the cache cluster is already encrypted. Similarly, only encrypted data is stored in the cache store.

You can enable encryption through NCache management tools without any programming effort on your part. Once encryption is enabled, the NCache client automatically starts encrypting your objects before sending them to the cache cluster. And, it automatically decrypts objects fetched from the cache before delivering them to your application.

You provide an encryption key for NCache to use, which is kept in encrypted form inside the NCache security configuration files at each cache server. The encryption key is automatically sent to clients to be used in memory upon a successful connection.
