CORI v4 Security
Using a 128-bit RSA public/private key pair that has been hard coded into the different applications, the synchronization client (on the Cori v4 application server at the practice site) sends a login ID and PIN. After the ID and PIN have been authenticated by the synchronization server (at CORI), encryption is switched to a different 128-bit RSA public/private key pair. This key pair is unique to one individual practice site, and both halves of the pair are kept private for added security.
Using these unique, site-specific RSA keys, an RC4 encryption layer is established on the TCP/IP stream between synchronization server and the synchronization client. All further communication during this session is encrypted with RC4 symmetric key encryption during transmission, and this symmetric key is discarded after a single session. Research data, classified as a Limited Data Set, is sent to CORI from the database located on your CORI v4 database server, which is often the same machine as the CORI v4 application server. Application updates, in the form of .dll and .exe files, are downloaded to the application server, as are SQL statements updating the database.