At ISL Online we take security very seriously. We apply industry-standard security technologies to protect your data and comply with the strictest security standards. Banks, government bodies and global brands choose ISL Online for our high level of security.
RSA or ECDSA with Diffie-Hellman Key Exchange
ISL Online uses the following terminology when describing remote control session establishment:
• Server Connection – the initial TLS connection ISL Light establishes with an ISL Conference Proxy server (ICP)
• Standard Connection – an end-to-end encrypted connection (TLS) between two ISL Light endpoints, where packets are relayed by an ISL Conference Proxy (ICP) server. It consists of two logical components: the Control Channel and the Remote Desktop Data Stream.
• Control Channel – ISL Online's terminology for the component of the Standard Connection that keeps the connection between two endpoints active. The Remote Desktop Data Stream is only possible as long as the Control Channel is active.
• Remote Desktop Data Stream – ISL Online's terminology for the component of the Standard Connection that transfers encrypted data packets from one endpoint to another. The Remote Desktop Data Stream includes images of the remote desktop, files exchanged between the endpoints during the session, and audio/video communication between the Operator and the Client, among other data. It consumes the majority of the bandwidth. If possible, the Remote Desktop Data Stream is offloaded to a Direct Connection.
• Direct Connection – an end-to-end encrypted direct connection (TLS) between two ISL Light endpoints. In certain setups, it is relayed by a TURN server.
To establish a remote desktop session from your local computer to a remote computer, you start the ISL Light application, which is bundled with the RSA 2048-bit public key of the ISL Conference Proxy (ICP) server. The initial TLS connection (Server Connection) is established once the ISL Light application has verified, using that public key, that it is connecting to the genuine ISL Conference Proxy (ICP) server.
Once both endpoints (Operator and Client) have established a Server Connection, they use RSA keys to establish a Standard Connection between them. This is achieved by negotiating AES 256-bit symmetric encryption keys using the Diffie-Hellman cryptographic algorithm.
If available, a Direct Connection will be established between the two endpoints, allowing the contents of the session to be sent directly from one endpoint to the other without being relayed via the ISL Conference Proxy (ICP) server. The Direct Connection is created by using keys from the Elliptic Curve Digital Signature Algorithm (ECDSA P-256) to negotiate AES 256-bit symmetric encryption keys, employing the Diffie-Hellman cryptographic algorithm. While the initial Standard Connection remains active, it now serves solely as a Control Channel, managing the session connectivity without containing any information about the content of the Remote Desktop Data Stream.
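The Direct Connection negotiation described above, as an added illustration in Go (this is not ISL Online's code, and the message layout and key derivation are my assumptions, not its wire protocol): each side signs a fresh ECDH P-256 share with its long-term ECDSA P-256 identity key, the peer checks that signature against the identity key it has pinned before completing Diffie-Hellman, and both end up with the same 32-byte AES-256 key while the relay sees only signed public shares.

```go
package main
import (
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)
// Endpoint models one ISL Light side (Operator or Client) for this illustration: a long-term ECDSA P-256 identity key plus a fresh per-session ECDH P-256 key.
type Endpoint struct {
	ID        *ecdsa.PrivateKey
	ephemeral *ecdh.PrivateKey
}
// Offer is all the relay (ICP) ever sees: a public share and an ECDSA signature over it.
type Offer struct{ Share, Sig []byte }
func NewEndpoint() (*Endpoint, error) {
	id, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	return &Endpoint{ID: id, ephemeral: eph}, err
}
// Offer signs the ephemeral share so the peer can bind it to this identity.
func (e *Endpoint) Offer() (Offer, error) {
	share := e.ephemeral.PublicKey().Bytes()
	digest := sha256.Sum256(share)
	sig, err := ecdsa.SignASN1(rand.Reader, e.ID, digest[:])
	return Offer{Share: share, Sig: sig}, err
}
// Accept verifies the share against the peer's pinned identity key, then completes ECDH.
// Assumption: SHA-256 of the shared secret is the 32-byte AES-256 key (production code would use HKDF).
func (e *Endpoint) Accept(peerID *ecdsa.PublicKey, o Offer) ([]byte, error) {
	digest := sha256.Sum256(o.Share)
	if !ecdsa.VerifyASN1(peerID, digest[:], o.Sig) {
		return nil, errors.New("share not signed by the expected identity key")
	}
	peerShare, err := ecdh.P256().NewPublicKey(o.Share) // rejects malformed or off-curve points
	if err != nil {
		return nil, err
	}
	secret, err := e.ephemeral.ECDH(peerShare)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(secret)
	return key[:], nil
}
```

A share signed by any key other than the pinned identity key is refused, which is what stops a relay from substituting its own Diffie-Hellman share.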
AES 256-Bit End-to-End Encryption
Regardless of the connection type (Standard Connection or Direct Connection), the content of the Remote Desktop Data Stream between the local and remote computer is transferred through a secure tunnel, protected by symmetric AES 256-bit end-to-end encryption, to meet the highest security standards.
Security Diagram
Note: Following current security standards, we added support for SHA-2 certificates. Our code is now signed twice, with both a SHA-1 and a SHA-2 signature, to remain backwards compatible with older systems that support only SHA-1 while providing the best possible security to systems that support SHA-2.
Learn more about security policy: https://www.islonline.com/documents/security/security-statement-en.pdf.