360 likes | 513 Vues
Secure File Interchange (SFI). A Managed Security Solution. For use in your enterprise A service offering to your clients and customers. Whitenoise Laboratories Inc. November 24, 2006. Canadian Security Market. $1B in 2004 $1.5 B 2007
E N D
Secure File Interchange (SFI) A Managed SecuritySolution For use in your enterprise A service offering to your clients and customers Whitenoise Laboratories Inc. November 24, 2006
Canadian Security Market • $1B in 2004 • $1.5 B 2007 • Yankee Group, Gartner, IDC, Data Monitor, Merrill Lynch and Goldman Sachs • Key market drivers include: • Technology evolution: IP networking, VoIP, WLAN • Extension of the network perimeter to include partners and mobile workers • Regulatory compliance (PIPEDA), (HIPAA), (Gramm Leach Bliley), (Sarbanes Oxley), (Ontario Bill 198, BC Bill 38) • Identity Management and Access Control : Emerging requirement
The Problem • “1 out of 10 Laptop computers purchased will be stolen within 12 months, 90% will never be recovered.” 2005 CSI/FBI report • “200,000 HP staff exposed as laptop loss party continues.” The Register 22 March 2006 • “Ameriprise: Laptop Stolen With Data on 158,000 Clients”Associated Press Wednesday, January 25, 2006 • “ Unauthorized access showed a dramatic cost increase and replaced denial of service as the second most significant contributor to computer crime losses during the past year at $31,233/ incident.” 2005 CSI/FBI report
Definitions Encryption Prevents any non-authorized party from reading or changing data. The strength is measured by the algorithm, the number of possible keys and the key size. Identity Management “Identity Management (IDM) is comprised of electronic records that represent people, machines, devices, applications, and services.” Jamie Lewis CEO Burton Group 77 % of respondent C-level execs & IT managers of large US enterprises view IDM as the primary means of protecting against network intrusions resulting from identity theft and as key to compliance efforts in safeguarding sensitive information. - Unisys survey.
The Whitenoise Proposition • An End-to-End Solution: • Protects data in storage on: • Desktop, Laptop Computers • External hard drives or other storage media • Secures data in transit on: • IP Networks, the Internet, Wireless, Satellite • Our differentiator: • Provide Systems that are: • Simpler to use • Less Training Expense/ Resistance • Less expensive • Easier to implement & maintain • More secure Regulatory Compliance Corporate/Personal Data Security Extends the Network Perimeter: Partners / Mobile Employees Increase security of standards compliant technology with Whitenoise IP
SFI Secure File Interchange for Business System is managed by IT personnel Executive Sensitive information downloaded as required not stored on PC Co. Location B Accounting Inter/Intranet Wireless The Company Sales SFI Server Application NT 2003 Marketing Traveling Employee Provides a strong corporate Identity Management & Secure Document Exchange system over any digital media Internet, Wireless, Satellite HR Supplier
Secure File Interchange (SFI) • Shrink-wrapped Computer based application + keys • Windows NT 2003, .NET, C#, C++ • Secure exchange of documents over insecure networks (Internet, Satellite, Wireless) • Global reach • Economical • Documents of all types including multi-media • Address weaknesses of other topologies • SFI is more economical • SFI minimizes complex multiple servers • SFI does not require trusted 3rd parties • Easy end user adoption and use • Security – prevention and detection [rapid revocation] • Self contained • No special skills • Little training
USB Based Identity Key • Two factor authentication to gain access to secured network • Something you have in your possession – The key • Something that you know – A strong password • The key impractical to duplicate • Billions of bytes in length – Digital Fingerprint • Incorporates Serial Number & Mfg Information • Whitenoise US Patent pending DIVA™ guards against spoofing • You then remove the key & take it with you Key structure tested by cryptographic experts at the Univ of California – Berkeley and the Univ of Victoria
Service Comparison PKI SFI Simple AES Encryption No 3rd Party Rapid Key Revocation ‘Spoofed’ Keys Protection (DIVA)™ US Pat Pend Simple Management One Time AES Session Keys Affordable Non-Repudiation
Applications • SFI is implementer centric • No trusted 3rd parties • Membership assigned by Enterprise • Strong Identity Management • Current Version • High Speed encryption • Very fast at end user • Supports multiple documents of varying types • Simultaneous operation • Perfect for large file transfers • Printers, Movies, Banks, etc. • SFI(2) • Standards Compliant (AES SHA 256) • Government and large organizations • FIPS Compliant Both have maintenance and management subsystems.
AES Key Generation & Document Transmission Sender’s Desktop SFI Key Server WN IDM Key (240,000 bits) User AES key (128 bits) 128/256 AES Session Key Header WN RNG Encrypt Document Encrypt Session key w/user AES key SHA 256 Ensures document is not altered between sender and receiver. Wrap/Encrypt in WN IDM key Place in Document Header
Transmission of Secure Document Re-Encrypt Session key in Rcvr’s Unique AES key SFI Key Server Server contains all user key pairs Wrap in receiver’s WN IDM key Header Place in Header & Send Receiver’s Desktop Unwrap WN IDM key Header WN IDM Key User AES key Decrypt Session key w/ sender AES Key Receiver advised through e-mail that file is waiting File may be sent via SFI or Encrypted E-mail AES Session key
Low Server Overhead =Large Scalable AES Networks • Client: Session key generation, encryption & IDM Wrap • WN RNG • Client: File Encryption using Session Key • using either AES or WN • Server: Decrypt session key + IDM recovers Session Key • < 160µ secs per transaction • Approx. 20 Million / Hr (Theoretical) • The Documents are never decrypted • Employ one-time AES Session Keys
The Identity Management Key Offset • The dynamic authentication calls happens between two end-points [i.e. server and device, card, flash memory, router etc.] periodically during each communication • The critical characteristic is that each-end point can create the identical key stream from its distributed key structure and offset/vector that points to a specific index in the key stream [These have either never been transmitted or never been transmitted in an un-encrypted state.] • The key stream is like radio active decay: it is both random and deterministic • Radio activity is the most random natural event and yet the half-life is deterministic – The IDM key stream can be identically recreated and yet any segment of this stream is more random than even radio active decay [there were no statistical failures against the NIST test suite]. • This dynamic authentication call is requesting and comparing random segments of the stream that have never to that point been created or transmitted. [The segments are never used twice.]
etc.-01100011001101001101010100101010000101011010101010-etc. +’n’ Dynamic Identity Verification Authentication (DIVA™) & DIVA remembers end point of session Last Session Ended Here (‘X’) Password DIVA (Key) is instructed to begin her song at X + n
Dynamic Identity Verification & Authorization (DIVA™) • Unique keys assigned to individuals or network points • Provide very strong identifier • Possession of the key + strong password structure to activate it establishes user identity [An additional element of authentication is the unique device identifier.] • DIVA™ uses these attributes to: • initially ensure that the individual accessing the network is who they say they are (references last point in key reached during last session) • alert registered user that account is being accessed • verify their identity throughout the session • ensure that a duplicate key (intruder) is not in existence • defend the network if intruder detected (deny access to both) • Rapid threat vector detection and immediate revocation • Continuous identity verification throughout a session (not just the beginning) • DIVA Identity Management keys can be used in either distributed or public key topologies
How does DIVA™ protect? Super-length IDM Key = Lyrics of a user-specific song Only SFI Server & User key know lyrics of each user’s unique song SFI Access = Sing next ‘n’ lyrics of song from unique start point given by server for each session (last point + ‘x’- encrypted) Additional operations = Sing next ‘n’ lyrics of song from last point 2nd DIVA™ (Intruder) appears Operations of 2 DIVA = Loss of Sync for one, denial of access to both Reported Loss or theft of key = instant denial of access
Simple Maintenance & Administration Administrator Screen Adding New Users
Maintenance & Administration Logs – (Non-Repudiation)
Additional User Security • User advised over E-Mail/pager that account is being accessed • Advised via e-mail that message waiting • Click on provided link takes user to SFI server • User sees last 15 logins and IP addresses on login • Reported lost or stolen key killed instantly • No 3rd party notification required
Networked Systems (Phase 2) • Secure network systems servers are capable of networking (Phase 2) • Set up shared directories based on pre-selected (allowed) e-mail addresses • Signaling path set up between servers with unique Whitenoise server keys • Message encrypted in one-time AES session key • Sent to server on which target receiver is resident encrypted in servers IDM key • Receiving server packages session key in receiver’s IDM and AES keys • Sends to receiver where it is decrypted • No key information is electronically transmitted • Message is never decrypted (readable) at any point between sender and receiver [trans-encryption occurs in real time in a streaming fashion in memory only] Vancouver Toronto Regina
Secure File Interchange (SFI) Review • Add Managed Information Transfer and Storage to service offerings • Storage Space managed and chargeable • Per document/transaction charges • Additional revenues through securing data storage and transfer • Total solution from desktop/laptop to secured delivery over insecure networks • Internet, Wireless, Satellite • One time session keys , DIVA™ - prevention, authorization, detection and revocation • Manage service for SME’s • Far Less expensive • No skills requirement • Little to no training • Target Legal, Medical, Financial sectors • Regulatory Compliance • Uses industry/government standard Encryption (AES, SHA) + DIVA™ • Provides Transaction Logs Cavalier Telephone to Add Comprehensive On-Demand Security Services to Business IP Offering MILFORD, Conn.--(BUSINESS WIRE)--Aug. 17, 2006-- Mid-Atlantic CLEC to Provide SMB Customers Complete and Cost Effective, On-Demand Security Services - No Assembly Required
Secure File Interchange (SFI) A Managed SecuritySolution Whitenoise Laboratories Inc. September 19, 2006
IP Security Tunnel A Managed SecuritySolution Whitenoise Laboratories Inc. September 19, 2006
Whitenoise IP Security Tunnel Shrink wrapped computer application + keys Encrypted point-to-point and multi-point tunnels Immediate integration with IP traffic at data link layer E-mail File transfer VoIP Video conferencing Encrypted Link Keys issued from key vault No appreciable delay( Latency) for real-time applications Key Vault Location A Location B Location C
Benefits of the IP Security Tunnel • Reduce complexity of Inter-location security • Reduce computational overhead & hardware cost • Inexpensive appliances • Eliminate hardware encryption accelerators • Maximize throughput & minimize delays • One solution for all IP including VoIP & Video Conferencing • Better solution at 25% - 50% of the cost
PC File Security A Managed SecuritySolution Whitenoise Laboratories Inc. September 6, 2006
PC Level Data Protection Products • PC File Encryption • Hard Drive Encryption • Mail Bag Encryption • Distribution • 3rd party distributor/manufacturer • 3rd party to major accounts • Direct sales through website
Whitenoise PC File Encryption • Simple point & click application on USB memory device + unique key • encrypts all types of data on computer Hard Drive • No size limit • You then remove the key & take it with you • Portable (Multiple computers) • Securely send data between home & office • The key can’t be duplicated • Lost key replaceable • Encrypted Corporate or Personal data on lost or stolen computer is unreadable
Whitenoise Encrypted Mailbag • Create a “Mailbag” • May hold one or many documents of different types • Multimedia (Video, Music, Voice) • Spreadsheets • Text Documents • Graphics (Drawings, Photographs) • Etc • Key is generated from 2 passwords • Significant security vs. single password Password Internet
PC & Removable Hard Drive Encryption Protects Computer and Removable Hard Drives Utilizes distributed Encryption Key and Pass phrases Encrypted “Z” drive cannot be read if removable drive or computer is lost or stolen “Z” drive is sizeable Drag and Drop folders and sub-folders to your encrypted drive Extremely fast Plays multimedia content while encrypted Sensitive Incident video (Security First Responders) Recorded Video Testimony (Law Enforcement) New pocket size Mini 50 - 100GB
Shikatronics A Whitenoise retail product distributor About Shikatronics Montréal, QC, Wednesday, June 21, 2006 - Shikatronics, a leader in memory manufacturing and distribution in Canada, announced today a distribution agreement with SmartDisk, a global provider in the area of portable, network and multimedia storage products and technologies that enable people to enjoy, share and preserve digital content and information. • Shikatronics deals with many of the Major Retailers, Corporate Accounts, Financial Institutions and Buying Groups in Canada, such as:
Whitenoise Laboratories Inc. • IP • Whitenoise Encryption & Identity Algorithm • US/International Patents • IPEA advisory all 23 claims allowed (May 2005) PCT/CA2005/000163 • USPA 10/299,847 examination all claims allowed (Nov 2006) • Business Model • Licensing of Technology to manufacturers • Sales of Whitenoise Labs developed encryption products (through distributors) • Fully compliant Cdn Federal Gov’t regulations • Vancouver Based
Whitenoise Algorithm Positioning EncryptionStrength Strength Strong ( CPU/Processor Intensive) Whitenoise (CPU/Processor Very Efficient) Speed Triple DES AES Blowfish RC4 DES SEAL Weak Slow Fast
Whitenoise Algorithm Attributes Extremely Secure – Encryption Key stream length exceeds the size of multimedia content to be sent or stored - (Keys built from small amount of stored data) IDM - Positive identification of receiving device Unique communication channel (encrypted) between content server and terminal - Secure Key delivery Multimedia may be streamed and/or stored for later play Key associated with terminal Cannot be played on another device Supports real time voice, video, music, text and games (yes games) Plays encrypted streams without latency Content encrypted once and placed on server Title key sent uniquely encrypted in terminal key to user Low overhead
Whitenoise Algorithm Attributes Extremely Secure - Keystream length exceeds the size of Data to be sent or stored (Keys built from small amount of stored data) - Keystream Data never transmitted Fast – 5 Clock Cycles per Byte (S/W) >2 Bytes / CC (H/W) – Done in FPGA Error Tolerant - Only damaged bits affected no reliance on preceding or following data Efficient - Low Processor Requirements – Lower cost devices Data Type Independent - Multimedia Support – Voice Data Video – Real Time streaming, Video Surveillance Manages Linear Offsets - Strong Identity & Digital Rights Management Applications - Receiver & Sender synchronized Keystream Scaleable - Small Footprint < 300k – Will run on 8 bit cpu