-
Notifications
You must be signed in to change notification settings - Fork 14
Security Architecture
IBM Data Shift implements enterprise-grade security measures to protect data during device migrations. This page provides an overview of the security features for administrators and security teams conducting security reviews or compliance assessments.
All network communications between devices are encrypted and authenticated, ensuring that sensitive data remains protected throughout the migration process.
IBM Data Shift enforces TLS 1.2 or higher for all network communications between devices.
Key Points:
- Minimum TLS version: 1.2
- Cipher suite: TLS_PSK_WITH_AES_256_GCM_SHA384
- Encryption: AES-256-GCM (Advanced Encryption Standard with 256-bit keys)
- Authentication: SHA-384 for HMAC
- All data in transit is encrypted end-to-end
Benefits:
- Confidentiality: All transferred data is encrypted with AES-256
- Integrity: Galois/Counter Mode (GCM) provides authenticated encryption
- Modern Security: Resistant to padding oracle attacks and other common vulnerabilities
IBM Data Shift uses Pre-Shared Key (PSK) authentication to ensure that only authorized devices can establish connections. This eliminates the need for certificate management while providing strong mutual authentication.
How It Works:
- Passcode Generation: A unique passcode is generated on the source device
- Out-of-Band Verification: The user manually enters this passcode on the destination device
- Key Derivation: The passcode is used to derive a cryptographic key using HMAC-SHA384
- Mutual Authentication: Both devices must possess the same passcode to establish a connection
Security Properties:
- No Network Transmission: The passcode itself is never transmitted over the network
- Mutual Authentication: Both devices authenticate each other
- Forward Secrecy: Each session uses ephemeral keys derived from the PSK
- Replay Protection: TLS nonces prevent replay attacks
- Man-in-the-Middle Protection: Without the correct passcode, attackers cannot decrypt or inject traffic
Build-Unique Identity: Each build of IBM Data Shift includes a unique PSK identity generated at compile time. This ensures that different builds cannot intercommunicate, even if they share the same passcode, providing additional security for controlled deployments.
IBM Data Shift uses Bonjour (mDNS) for local network device discovery with the following security considerations:
Discovery Features:
- Service Type:
_migrator._tcp(or custom identifier) - Local network only - discovery is limited to the local network segment
- Peer-to-peer mode enabled for direct device-to-device communication
- No proxy usage to prevent proxy-based attacks
Network Isolation:
- Connections are limited to the local network
- Direct peer-to-peer connections without requiring infrastructure
- Passcode-protected listener - server only accepts connections with valid passcodes
- No internet or external servers required
IBM Data Shift implements a custom application-layer protocol on top of TLS to provide additional security:
Protocol Features:
- Message type identification and validation
- Payload length validation to prevent buffer overflow attacks
- Metadata transmission for file attributes
- Structured data transfer with type safety
Security Benefits:
- Length Validation: Prevents buffer overflow attacks
- Type Safety: Ensures only valid message types are processed
- Structured Parsing: Reduces attack surface by enforcing message format
- Metadata Separation: Allows secure transmission of file attributes
IBM Data Shift configures TCP with security-focused settings:
- Keepalive Enabled: Detects connection failures and prevents stale connections
- Fast Detection: 1-second intervals for quick identification of connection issues
- No Delay: Reduces latency and prevents timing-based attacks
The application continuously monitors connection states and handles failures gracefully:
- Real-time connection state monitoring
- Automatic TLS negotiation verification
- Timeout protection (120 seconds for operations)
- Retry logic with exponential backoff to prevent resource exhaustion
- Trusted Networks: Perform migrations on trusted, private networks
- Physical Proximity: Keep devices in close physical proximity during migration
- Verify Devices: Confirm device hostnames before proceeding with connection
- Monitor Progress: Watch for unexpected connection failures or errors
- Secure Passcode: Use the passcode displayed on the new device and don't share it
- Network Configuration: Ensure Bonjour/mDNS traffic is allowed on local networks
- PPPC Deployment: Deploy Privacy Preferences Policy Control profiles for necessary permissions
- Logging: Enable detailed logging for security audits when needed
- Update Policy: Keep IBM Data Shift updated to receive security patches
- Configuration Profiles: Use MDM to deploy secure configuration settings
- Network Segmentation: Consider network segmentation for sensitive migrations
- Code Review: All network-related code undergoes security review
- Dependency Management: Regular updates of cryptographic libraries
- Static Analysis: SwiftLint and security scanning tools are used
- Penetration Testing: Regular security assessments of the protocol
- Incident Response: Documented procedures for security vulnerabilities
| Threat | Mitigation |
|---|---|
| Eavesdropping | TLS 1.2+ with AES-256-GCM encryption |
| Man-in-the-Middle | PSK authentication with HMAC-SHA384 |
| Replay Attacks | TLS nonces and session keys |
| Unauthorized Access | Passcode-protected connections |
| Network Scanning | Bonjour service requires passcode to connect |
| Data Tampering | Authenticated encryption (GCM mode) |
| Connection Hijacking | TCP keepalive and state monitoring |
| Denial of Service | Timeout mechanisms and retry limits |
| Buffer Overflow | Length validation in protocol headers |
| Protocol Confusion | Strict message type validation |
IBM Data Shift's security implementation aligns with:
- NIST SP 800-52 Rev. 2: Guidelines for TLS implementations
- NIST SP 800-107 Rev. 1: Recommendation for applications using approved hash algorithms
- RFC 8446: The Transport Layer Security (TLS) Protocol Version 1.3
- RFC 4279: Pre-Shared Key Ciphersuites for TLS
- Apple Platform Security: Follows Apple's security best practices for macOS applications
IBM Data Shift is designed with privacy in mind:
- No Cloud Services: All data transfer occurs directly between devices
- No External Servers: No data is sent to external servers or cloud services
- Local Processing: All file analysis and processing happens locally
- No Telemetry: The app does not collect or transmit usage data
- User Control: Users have full control over what data is migrated
For proper operation, IBM Data Shift requires the following macOS permissions:
-
Full Disk Access (
SystemPolicyAllFiles) -
Desktop Folder Access (
SystemPolicyDesktopFolder) -
Documents Folder Access (
SystemPolicyDocumentsFolder) -
Downloads Folder Access (
SystemPolicyDownloadsFolder) - Local Network Access (for device discovery)
These permissions should be granted via a Privacy Preferences Policy Control (PPPC) configuration profile. See the PPPC Configuration Guide for details.
All security-relevant events are logged through the app's logging system:
- Connection establishment and termination
- TLS negotiation details (version and cipher suite)
- Authentication attempts
- Protocol errors and violations
- File transfer operations
- Timeout and retry events
Logs can be accessed via Console.app for security audits and troubleshooting.
If you discover a security vulnerability in IBM Data Shift, please report it responsibly:
- Do not disclose the vulnerability publicly
- Contact the project maintainers (see MAINTAINERS.md)
- Provide detailed information about the vulnerability
- Allow reasonable time for a fix to be developed and deployed
For detailed technical security documentation, including code references and implementation details, see:
- SECURITY.md - Comprehensive technical security documentation
- Architecture Diagram - System architecture overview
IBM Data Shift implements multiple layers of security to protect data during device migrations:
- Confidentiality: All data is encrypted in transit with AES-256-GCM
- Integrity: Data cannot be tampered with undetected
- Authentication: Only authorized devices can connect
- Availability: Robust error handling and retry mechanisms
The combination of TLS 1.2+, PSK authentication, custom protocol framing, and robust connection management provides enterprise-grade security suitable for sensitive data migrations.
Last Updated: 2026-02-20
Document Version: 1.0
Based on IBM Data Shift v1.4.0