How is the Data Transferred from and to the Edge Services Secured?

The Edge Services auto-update themselves, expose nothing on your network, and use multiple layers of encryption to secure connectivity with Delve's cloud.

The Edge Services are configured to update automatically

The Edge Services (ES) require Internet access on ports 80/443, as described in the minimal networking requirements, because the ES are configured to auto-update themselves through this Internet channel.
The ES are built on a hardened, up-to-date Ubuntu distribution and therefore manage updates securely over the official PGP-signed channels, like any Linux distribution does.
Delve is also in a position to push updates directly to its ES should it be required.

The Edge Services do not expose anything on the local network

The ES are specially configured so that they do not expose any service or port (not even SSH) to your local network. As such, the only interface through which we can communicate information to you is the regular TTY console of the virtual machine that hosts the ES.

The connectivity with the Edge Service is protected by multiple layers of modern encryption

Every ES is uniquely identified with dedicated cryptographic keys, so that we can repudiate its keys should your network become compromised and you require a brand new ES.

Additionally, the entirety of the traffic is encrypted and authenticated using modern cryptography:

  • The control channel over which temporary session keys are exchanged is secured by TLS 1.2 using modern authenticated cryptography: TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384.
  • There is an additional layer of HMAC-SHA512 authentication on top of the TLS control channel (further mitigating DoS and TLS stack attacks): no packet will be accepted on the open ports on either side unless it is HMAC’d with the right respective pre-shared key (cryptographic firewalling). The keys are unique per Edge Service and set at generation time.
  • The data channel packets are encrypted with temporary session AES-256-CBC keys and are also authenticated with HMAC using the SHA512 message digest algorithm. The data channel encryption protocol uses encrypt-then-MAC (i.e. first encrypt a packet, then HMAC the resulting ciphertext), which prevents padding oracle attacks. The keys are unique per Edge Service and set at generation time, and can be repudiated.
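
The encrypt-then-MAC ordering described for the data channel, as an added Go example (not Delve's code): the receiver checks HMAC-SHA512 over the IV and ciphertext before it runs AES-256-CBC decryption, so a modified packet is dropped before any padding is examined. The packet layout (tag, IV, ciphertext), the PKCS#7 padding, the names Seal, Open and tag, and the all-zero demo keys are assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha512"
	"fmt"
)

func tag(macKey, body []byte) []byte {
	m := hmac.New(sha512.New, macKey)
	m.Write(body)
	return m.Sum(nil)
}

// Seal encrypts with AES-CBC, then MACs IV||ciphertext. Assumed layout: tag(64)||IV(16)||ct.
func Seal(blk cipher.Block, macKey, plaintext []byte) ([]byte, error) {
	n := aes.BlockSize - len(plaintext)%aes.BlockSize // PKCS#7 pad length, 1..16
	body := make([]byte, aes.BlockSize, aes.BlockSize+len(plaintext)+n)
	if _, err := rand.Read(body); err != nil { // fresh random IV per packet
		return nil, err
	}
	body = append(append(body, plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	cipher.NewCBCEncrypter(blk, body[:aes.BlockSize]).CryptBlocks(body[aes.BlockSize:], body[aes.BlockSize:])
	return append(tag(macKey, body), body...), nil
}

// Open checks the HMAC first; a rejected packet never reaches CBC decryption or padding removal.
func Open(blk cipher.Block, macKey, pkt []byte) ([]byte, bool) {
	if n := len(pkt) - sha512.Size; n < 2*aes.BlockSize || n%aes.BlockSize != 0 {
		return nil, false
	}
	body := pkt[sha512.Size:]
	if !hmac.Equal(pkt[:sha512.Size], tag(macKey, body)) { // constant-time comparison
		return nil, false
	}
	pt := make([]byte, len(body)-aes.BlockSize)
	cipher.NewCBCDecrypter(blk, body[:aes.BlockSize]).CryptBlocks(pt, body[aes.BlockSize:])
	return pt[:len(pt)-int(pt[len(pt)-1])], true // pad byte is read only from authenticated data
}

func main() {
	blk, _ := aes.NewCipher(make([]byte, 32)) // constructed all-zero AES-256 demo key
	pkt, _ := Seal(blk, make([]byte, 64), []byte("constructed sample"))
	pkt[len(pkt)-1] ^= 1 // one ciphertext bit flipped in transit
	fmt.Println(Open(blk, make([]byte, 64), pkt))
}
```

Because every rejection takes the same path before decryption, the receiver gives no signal that distinguishes bad padding from any other modification.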