The Tectia client/server solution implements the Secure Shell (version 2) protocol as defined by the IETF Proposed Standard RFC specifications. SSH Communications Security is the original developer of Secure Shell and has been an active driver of the Secure Shell standardization in the IETF.

The Tectia client/server solution offers state-of-the-art encryption with broad support for multiple Post Quantum Cryptography (PQC) algorithms to choose from in Tectia Quantum Safe Edition including CRYSTALS-Kyber, FrodoKEM, SABER and Streamlined NTRU Prime that are used in a Hybrid Key Exchange together with a classical ECDH algorithm. Supported symmetric ciphers in Tectia Client and Server include 3DES, AES (CTR, CBC and GCM), Arcfour, Blowfish, SEED, and Twofish. Supported message authentication and public-key algorithms include MD5, SHA-1, SHA-2, Diffie-Hellman, DSA, RSA, ECDSA and Ed25519.

The Tectia client/server solution incorporates a FIPS 140-2 certified cryptographic module to help ensure acceptance in government audits. The FIPS 140-2 Cryptographic Library has been validated for Windows, Solaris, and major Unix platforms. The mode of the cryptographic library can be changed easily in the Tectia Connections Configuration GUI or by editing the configuration file.

Figure 3.1. Activating FIPS mode on Tectia Server

For a list of platforms on which the FIPS library has been validated or tested, see Supported Protocols and Standards.

The Tectia products include versatile command-line tools that can be used for remote login, remote command execution, and file transfer operations. These tools allow easy scripting of automated jobs such as secure file transfers or starting and stopping of services in remote locations.

One of the key features of Secure Shell, in addition to secure terminal access and secure file transfers, is its ability to tunnel TCP-based application connections. The Tectia products support static application tunneling where application client connections are routed through the local TCP port, and then securely tunneled to a remote Secure Shell server. If the tunneled application supports SOCKS (4 or 5), Connection Broker can be configured to act as a SOCKS server for the tunneled applications, creating forwards as requested by the SOCKS transaction.

Before an application can be tunneled, a Secure Shell connection needs to be established. When using the automatic tunneling feature, the Tectia client-side component listens to a specific port and establishes the encrypted connection automatically when the specific application is connecting to the local host port.

The Tectia products themselves support SOCKS (4 and 5) and HTTP proxy for accessing Secure Shell servers located behind firewalls.

Multi-channel support allows users to have multiple terminal sessions, file transfers, and application tunnels that are multiplexed to a single Secure Shell connection without the need to authenticate every session separately.

Administrators can configure the renewal period for session encryption keys according to the security requirements.