Secure File Interchange (SFI) A Managed Security Solution Whitenoise Laboratories Inc. November 24, 2006 For use in your enterprise A service offering to your clients and customers

Page 1

Secure File Interchange (SFI)

A Managed Security Solution

Whitenoise Laboratories Inc. November 24, 2006

For use in your enterprise

A service offering to your clients and customers

Page 2

Canadian Security Market

• $1B in 2004
• $1.5 B 2007
  – Yankee Group, Gartner, IDC, Data Monitor, Merrill Lynch and Goldman Sachs
• Key market drivers include:
  - Technology evolution: IP networking, VoIP, WLAN
  - Extension of the network perimeter to include partners and mobile workers
  - Regulatory compliance (PIPEDA), (HIPAA), (Gramm Leach Bliley), (Sarbanes Oxley), (Ontario Bill 198, BC Bill 38)
  - Identity Management and Access Control: Emerging requirement

Page 3

• “1 out of 10 Laptop computers purchased will be stolen within 12 months, 90% will never be recovered.” 2005 CSI/FBI report

• “200,000 HP staff exposed as laptop loss party continues.” The Register 22 March 2006

• “Ameriprise: Laptop Stolen With Data on 158,000 Clients” Associated Press Wednesday, January 25, 2006

• “Unauthorized access showed a dramatic cost increase and replaced denial of service as the second most significant contributor to computer crime losses during the past year at $31,233/ incident.” 2005 CSI/FBI report

The Problem

Page 4

Encryption

Prevents any non-authorized party from reading or changing data.

The strength is measured by the algorithm, the number of possible keys and the key size.

Identity Management

“Identity Management (IDM) is comprised of electronic records that represent people, machines, devices, applications, and services.” Jamie Lewis CEO Burton Group

77 % of respondent C-level execs & IT managers of large US enterprises view IDM as the primary means of protecting against network intrusions resulting from identity theft and as key to compliance efforts in safeguarding sensitive information. - Unisys survey.

Definitions

Page 5

The Whitenoise Proposition

• An End-to-End Solution:
  – Protects data in storage on:
    • Desktop, Laptop Computers
    • External hard drives or other storage media
  – Secures data in transit on:
    • IP Networks, the Internet, Wireless, Satellite
• Our differentiator:
  – Provide Systems that are:
    • Simpler to use
      – Less Training Expense/ Resistance
    • Less expensive
    • Easier to implement & maintain
    • More secure

Regulatory Compliance Corporate/Personal Data Security

Extends the Network Perimeter: Partners / Mobile Employees

Increase security of standards compliant technology with Whitenoise IP

Page 6

Traveling Employee

Supplier

Inter/Intranet

Wireless

SFI Server Application

NT 2003

The Company

Executive

Accounting

Marketing

HR

Provides a strong corporate Identity Management & Secure Document Exchange system over any digital media

Internet, Wireless, Satellite

Co. Location B

Sales

System is managed by IT personnel

SFI Secure File Interchange for Business

Sensitive information downloaded as required not stored on PC

Page 7

Secure File Interchange (SFI)

• Shrink-wrapped Computer based application + keys
  – Windows NT 2003, .NET, C#, C++
• Secure exchange of documents over insecure networks (Internet, Satellite, Wireless)
  – Global reach
  – Economical
  – Documents of all types including multi-media
• Address weaknesses of other topologies
  – SFI is more economical
  – SFI minimizes complex multiple servers
  – SFI does not require trusted 3rd parties
  – Easy end user adoption and use
  – Security – prevention and detection [rapid revocation]
• Self contained
  – No special skills
  – Little training

Page 8

Two factor authentication to gain access to secured network

Something you have in your possession – The key

Something that you know – A strong password

The key impractical to duplicate

Billions of bytes in length – Digital Fingerprint

Incorporates Serial Number & Mfg Information

Whitenoise US Patent pending DIVA™ guards against spoofing

You then remove the key & take it with you

Key structure tested by cryptographic experts at the Univ of California – Berkeley and the Univ of Victoria

USB Based Identity Key

Page 9

PKI SFI

Simple

AES Encryption

No 3rd Party

Rapid Key Revocation

‘Spoofed’ Keys Protection (DIVA)™ US Pat Pend

Simple Management

One Time AES Session Keys

Affordable

Non-Repudiation

Service Comparison

Page 10

Applications

• SFI is implementer centric
– No trusted 3rd parties
– Membership assigned by Enterprise
– Strong Identity Management
• Current Version
– High Speed encryption
– Very fast at end user
• Supports multiple documents of varying types
• Simultaneous operation
– Perfect for large file transfers
• Printers, Movies, Banks, etc.
• SFI(2)
– Standards Compliant (AES SHA 256)
– Government and large organizations
– FIPS Compliant

Both have maintenance and management subsystems.

Page 11

AES Key Generation & Document Transmission

WN IDM Key (240,000 bits)

User AES key (128 bits)

WN RNG 128/256 AES Session Key

Encrypt Session key w/user AES key

Wrap/Encrypt in WN IDM key

Header

Place in Document Header

SFI Key Server

Encrypt Document

Sender’s Desktop

SHA 256 Ensures document is not altered between sender and receiver.

Page 12

Transmission of Secure Document

Server contains all user key pairs

Header

Header

WN IDM Key

User AES key

Unwrap WN IDM key

Decrypt Session key w/ sender AES Key

AES Session key

Wrap in receiver’s WN IDM key

Re-Encrypt Session key in Rcvr’s Unique AES key

Place in Header & Send

Receiver’s Desktop

SFI Key Server

Receiver advised through e-mail that file is waiting

File may be sent via SFI or Encrypted E-mail

Page 13

Low Server Overhead = Large Scalable AES Networks

• Client: Session key generation, encryption & IDM Wrap – WN RNG

• Client: File Encryption using Session Key – using either AES or WN

• Server: Decrypt session key + IDM recovers Session Key
  – < 160 µsecs per transaction
  – Approx. 20 Million / Hr (Theoretical)

• The Documents are never decrypted
  – Employ one-time AES Session Keys

Page 14

The Identity Management Key Offset

• The dynamic authentication call happens between two end-points [i.e. server and device, card, flash memory, router etc.] periodically during each communication

• The critical characteristic is that each end-point can create the identical key stream from its distributed key structure and an offset/vector that points to a specific index in the key stream [These have either never been transmitted or never been transmitted in an un-encrypted state.]

  – The key stream is like radioactive decay: it is both random and deterministic
  – Radioactivity is the most random natural event and yet the half-life is deterministic
  – The IDM key stream can be identically recreated and yet any segment of this stream is more random than even radioactive decay [there were no statistical failures against the NIST test suite].

• This dynamic authentication call requests and compares random segments of the stream that have never to that point been created or transmitted. [The segments are never used twice.]

Page 15

Dynamic Identity Verification Authentication (DIVA™) &

etc.-01100011001101001101010100101010000101011010101010-etc.

Last Session Ended Here (‘X’)

+’n’

DIVA (Key) is instructed to begin her song at X + n

DIVA remembers end point of session

Password

Page 16

Dynamic Identity Verification & Authorization (DIVA™)

• Unique keys assigned to individuals or network points

• Provide very strong identifier

• Possession of the key + strong password structure to activate it establishes user identity [An additional element of authentication is the unique device identifier.]

• DIVA™ uses these attributes to:

– initially ensure that the individual accessing the network is who they say they are (references last point in key reached during last session)

– alert registered user that account is being accessed

– verify their identity throughout the session

– ensure that a duplicate key (intruder) is not in existence

– defend the network if intruder detected (deny access to both)

Rapid threat vector detection and immediate revocation

• Continuous identity verification throughout a session (not just the beginning)

• DIVA Identity Management keys can be used in either distributed or public key topologies

Page 17

How does DIVA™ protect?

Super-length IDM Key = Lyrics of a user-specific song

Only SFI Server & User key know lyrics of each user’s unique song

Access = Sing next ‘n’ lyrics of song from unique start point given by server for each session (last point + ‘x’- encrypted)

Additional operations = Sing next ‘n’ lyrics of song from last point

2nd DIVA™ (Intruder) appears

Reported Loss or theft of key = instant denial of access

Operations of 2 DIVA = Loss of Sync for one, denial of access to both

SFI
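The offset synchronization described on the DIVA slides above, as an added sketch that is not Whitenoise code: the Whitenoise key stream is proprietary, so an HMAC-SHA256 counter stream stands in for it, and the class names, segment length and offset jumps are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

BLOCK = 32  # bytes per HMAC-SHA256 output block


def keystream(key: bytes, offset: int, length: int) -> bytes:
    """Bytes [offset, offset+length) of a stand-in keystream (not Whitenoise)."""
    block, skip = divmod(offset, BLOCK)
    out = bytearray()
    while len(out) < skip + length:
        out += hmac.new(key, block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[skip:skip + length])


class Token:
    """The user's key device: shared key plus the offset it last reached."""

    def __init__(self, key: bytes, offset: int = 0):
        self.key, self.offset = key, offset

    def login(self, start: int, n: int) -> bytes:
        self.offset = start          # start point supplied by the server
        return self.respond(n)

    def respond(self, n: int) -> bytes:
        segment = keystream(self.key, self.offset, n)
        self.offset += n             # a segment is never used twice
        return segment


class Server:
    def __init__(self):
        self.users = {}

    def enroll(self, user: str) -> bytes:
        key = secrets.token_bytes(32)
        self.users[user] = {"key": key, "offset": 0, "revoked": False}
        return key

    def begin_session(self, user: str, jump: int):
        """Return the start point (last point + jump), or None if revoked."""
        rec = self.users[user]
        if rec["revoked"]:
            return None
        rec["offset"] += jump
        return rec["offset"]         # the slides send this value encrypted

    def verify(self, user: str, segment: bytes) -> bool:
        rec = self.users[user]
        if rec["revoked"]:
            return False
        expected = keystream(rec["key"], rec["offset"], len(segment))
        if not hmac.compare_digest(expected, segment):
            rec["revoked"] = True    # loss of sync: deny access to both keys
            return False
        rec["offset"] += len(segment)
        return True


def demo() -> dict:
    n = 16                           # assumed segment length in bytes
    server = Server()
    key = server.enroll("alice")
    original = Token(key)
    result = {}
    result["login"] = server.verify("alice", original.login(server.begin_session("alice", 7), n))
    result["mid_session"] = server.verify("alice", original.respond(n))
    duplicate = Token(key)           # a second copy of the same key appears
    result["duplicate_login"] = server.verify("alice", duplicate.login(server.begin_session("alice", 5), n))
    result["original_next_op"] = server.verify("alice", original.respond(n))
    result["duplicate_next_op"] = server.verify("alice", duplicate.respond(n))
    result["new_session"] = server.begin_session("alice", 3)
    return result


if __name__ == "__main__":
    print(demo())
```

In this model the duplicate is only detected when the original key next operates from its own stale offset, and the revocation that follows locks out the legitimate holder as well, which is the "denial of access to both" behaviour the slide describes.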

Page 18

Simple Maintenance & Administration

Administrator Screen

Adding New Users

Page 19

Maintenance & Administration

Logs – (Non-Repudiation)

Page 20

Additional User Security

• User advised over E-Mail/pager that account is being accessed

• Advised via e-mail that message waiting

• Click on provided link takes user to SFI server

• User sees last 15 logins and IP addresses on login

• Reported lost or stolen key killed instantly

• No 3rd party notification required

Page 21

Networked Systems (Phase 2)

• Secure network systems servers are capable of networking (Phase 2)
• Set up shared directories based on pre-selected (allowed) e-mail addresses
• Signaling path set up between servers with unique Whitenoise server keys
• Message encrypted in one-time AES session key
• Sent to server on which target receiver is resident, encrypted in server's IDM key
• Receiving server packages session key in receiver’s IDM and AES keys
• Sends to receiver where it is decrypted
• No key information is electronically transmitted
• Message is never decrypted (readable) at any point between sender and receiver [trans-encryption occurs in real time in a streaming fashion in memory only]

Vancouver

Regina

Toronto

Page 22

Secure File Interchange (SFI) Review

• Add Managed Information Transfer and Storage to service offerings
  – Storage Space managed and chargeable
  – Per document/transaction charges
• Additional revenues through securing data storage and transfer
• Total solution from desktop/laptop to secured delivery over insecure networks
  – Internet, Wireless, Satellite
• One time session keys, DIVA™ - prevention, authorization, detection and revocation
• Manage service for SME’s
  – Far Less expensive
  – No skills requirement
  – Little to no training
• Target Legal, Medical, Financial sectors
  – Regulatory Compliance
• Uses industry/government standard Encryption (AES, SHA) + DIVA™
• Provides Transaction Logs

Cavalier Telephone to Add Comprehensive On-Demand Security Services to Business IP Offering

MILFORD, Conn.--(BUSINESS WIRE)--Aug. 17, 2006--  Mid-Atlantic CLEC to Provide SMB Customers Complete and Cost Effective, On-Demand Security Services - No Assembly Required

Page 23

Secure File Interchange (SFI)

A Managed Security Solution

Whitenoise Laboratories Inc. September 19, 2006

Page 24

IP Security Tunnel

A Managed Security Solution

Whitenoise Laboratories Inc. September 19, 2006

Page 25

Whitenoise IP Security Tunnel

• Shrink wrapped computer application + keys

• Encrypted point-to-point and multi-point tunnels

• Immediate integration with IP traffic at data link layer

– E-mail

– File transfer

– VoIP

– Video conferencing

• Encrypted Link Keys issued from key vault

• No appreciable delay (latency) for real-time applications

Key Vault

Location A

Location B

Location C

Page 26

Benefits of the IP Security Tunnel

• Reduce complexity of Inter-location security
• Reduce computational overhead & hardware cost
  – Inexpensive appliances
  – Eliminate hardware encryption accelerators
• Maximize throughput & minimize delays
• One solution for all IP including VoIP & Video Conferencing
• Better solution at 25% - 50% of the cost

Page 27

PC File Security

A Managed Security Solution

Whitenoise Laboratories Inc. September 6, 2006

Page 28

PC Level Data Protection Products

• PC File Encryption

• Hard Drive Encryption

• Mail Bag Encryption

• Distribution

– 3rd party distributor/manufacturer

– 3rd party to major accounts

– Direct sales through website

Page 29

Simple point & click application on USB memory device + unique key encrypts all types of data on computer Hard Drive

No size limit

You then remove the key & take it with you

Portable (Multiple computers)

Securely send data between home & office

The key can’t be duplicated

Lost key replaceable

Encrypted Corporate or Personal data on lost or stolen computer is unreadable

Whitenoise PC File Encryption

Page 30

Whitenoise Encrypted Mailbag

• Create a “Mailbag”

– May hold one or many documents of different types

• Multimedia (Video, Music, Voice)

• Spreadsheets

• Text Documents

• Graphics (Drawings, Photographs)

• Etc

• Key is generated from 2 passwords

– Significant security vs. single password

Password

Internet

Page 31

PC & Removable Hard Drive Encryption

• Protects Computer and Removable Hard Drives
  – Utilizes distributed Encryption Key and Pass phrases
  – Encrypted “Z” drive cannot be read if removable drive or computer is lost or stolen
  – “Z” drive is sizeable
  – Drag and Drop folders and sub-folders to your encrypted drive
  – Extremely fast
• Plays multimedia content while encrypted
• Sensitive Incident video (Security First Responders)
• Recorded Video Testimony (Law Enforcement)

New pocket size Mini

50 - 100GB

Page 32

About Shikatronics

• Shikatronics deals with many of the Major Retailers, Corporate Accounts, Financial Institutions and Buying Groups in Canada, such as:

Montréal, QC, Wednesday, June 21, 2006 - Shikatronics, a leader in memory manufacturing and distribution in Canada, announced today a distribution agreement with SmartDisk, a global provider in the area of portable, network and multimedia storage products and technologies that enable people to enjoy, share and preserve digital content and information.

Shikatronics A Whitenoise retail product distributor

Page 33

Whitenoise Laboratories Inc.

• IP
  – Whitenoise Encryption & Identity Algorithm
• US/International Patents
  – IPEA advisory all 23 claims allowed (May 2005) PCT/CA2005/000163
  – USPA 10/299,847 examination all claims allowed (Nov 2006)
• Business Model
  – Licensing of Technology to manufacturers
  – Sales of Whitenoise Labs developed encryption products (through distributors)
• Fully compliant Cdn Federal Gov’t regulations
• Vancouver Based

Page 34

Whitenoise Algorithm Positioning

[Chart: Encryption Strength (Weak to Strong) against Speed (Slow to Fast), annotated "CPU/Processor Intensive" and "CPU/Processor Very Efficient". Algorithms plotted: DES, Triple DES, AES, RC4, Blowfish, SEAL, Whitenoise.]

Page 35

Extremely Secure – Encryption Key stream length exceeds the size of multimedia content to be sent or stored - (Keys built from small amount of stored data)

IDM - Positive identification of receiving device

Unique communication channel (encrypted) between content server and terminal - Secure Key delivery

Multimedia may be streamed and/or stored for later play

Key associated with terminal

Cannot be played on another device

Supports real time voice, video, music, text and games (yes games)

Plays encrypted streams without latency

Content encrypted once and placed on server

Title key sent uniquely encrypted in terminal key to user

Low overhead

Whitenoise Algorithm Attributes

Page 36

Extremely Secure - Keystream length exceeds the size of Data to be sent or stored (Keys built from small amount of stored data)

- Keystream Data never transmitted

Fast – 5 Clock Cycles per Byte (S/W) >2 Bytes / CC (H/W) – Done in FPGA

Error Tolerant - Only damaged bits affected no reliance on preceding or following data

Efficient - Low Processor Requirements – Lower cost devices

Data Type Independent - Multimedia Support – Voice Data Video – Real Time streaming, Video Surveillance

Manages Linear Offsets - Strong Identity & Digital Rights Management Applications

- Receiver & Sender synchronized Keystream

Scaleable - Small Footprint < 300k – Will run on 8 bit cpu

Whitenoise Algorithm Attributes