castle presentation 08-12-04

Protect the castle from the insideProtect the castle from the insideCreated by William Tabor and Howard HellmanCreated by William Tabor and Howard Hellman

CASTLE TECHNOLOGYCASTLE TECHNOLOGY

• Walls (Firewalls)Walls (Firewalls)

• Draw Bridge (Tunnels)Draw Bridge (Tunnels)

• Moats (DMZs)Moats (DMZs)

HISTORYHISTORY

HISTORYHISTORY

The battle for TroyThe battle for Troy

proved thatproved that

this this does notdoes not work work

HISTORYHISTORY

80% of all theft80% of all theft

occurs from theoccurs from the

insideinside

INTERNALINTERNAL COMMUNICATIONCOMMUNICATION

Is data clear text?Is data clear text?

INTERNAL COMMUNICATIONINTERNAL COMMUNICATION

PROBLEMS WITH CLEAR TEXT COMMUNICATIONPROBLEMS WITH CLEAR TEXT COMMUNICATION

• Instant messagingInstant messaging

• EmailEmail

• Accounting informationAccounting information

INTERNAL COMM – INSTANT MESSAGINGINTERNAL COMM – INSTANT MESSAGING

EXAMPLE #1EXAMPLE #1

The CEO and personnel director of a medium-sized company were messaging each The CEO and personnel director of a medium-sized company were messaging each other about potential layoffs.other about potential layoffs.

This information exchange was detected by individuals within the IT department, This information exchange was detected by individuals within the IT department, and news of the discussion spread through the enterprise unchecked, well before and news of the discussion spread through the enterprise unchecked, well before any decisions could be made.any decisions could be made.

INTERNAL COMM – INSTANT MESSAGINGINTERNAL COMM – INSTANT MESSAGING


Two writers for a well-known daytime drama were messaging each other regarding a Two writers for a well-known daytime drama were messaging each other regarding a significant plot change.significant plot change.

A tabloid reporter intercepted their conversation and printed his scoop.A tabloid reporter intercepted their conversation and printed his scoop.

The show subsequently dropped 15 ratings points. Each point translates into The show subsequently dropped 15 ratings points. Each point translates into advertising revenue of between $10 and $15 million. advertising revenue of between $10 and $15 million.

INTERNAL COMM – EMAILINTERNAL COMM – EMAIL


A car manufacturer spent $240 million on researching and developing an innovative, A car manufacturer spent $240 million on researching and developing an innovative, advanced engine design.advanced engine design.

The company emailed the design to production plant, but the email was intercepted The company emailed the design to production plant, but the email was intercepted by a competing manufacturer. by a competing manufacturer.

The competitor promptly put the new engine design into production, beating the The competitor promptly put the new engine design into production, beating the developer to market – without having to pay a single euro into R&D!developer to market – without having to pay a single euro into R&D!

PROVIDER OF SECURE SYSTEM SOLUTIONSPROVIDER OF SECURE SYSTEM SOLUTIONS

• Virtual Security ApplianceVirtual Security Appliance

• FirewallFirewall

• SSL VPN TunnelSSL VPN Tunnel

• Public Key Infrastructure (PKI) ServicesPublic Key Infrastructure (PKI) Services

• Biometric Secure IdentificationBiometric Secure Identification

• Consulting ServicesConsulting Services

VST SOLUTIONSVST SOLUTIONS

Virtual Security Appliance - FirewallVirtual Security Appliance - Firewall


Virtual Security Appliance - FirewallVirtual Security Appliance - Firewall

• Built on a lightweight version of SELinuxBuilt on a lightweight version of SELinux• Turn any server into a hardened platform .Turn any server into a hardened platform .• Application server becomes undetectable on the network.Application server becomes undetectable on the network.


Virtual Security Appliance – SSL VPNVirtual Security Appliance – SSL VPN


Virtual Security Appliance – SSL VPNVirtual Security Appliance – SSL VPN

• Works with and in Conjunction with Linux FirewallWorks with and in Conjunction with Linux Firewall• Provides non clear text access to the ApplicationProvides non clear text access to the Application• Encryption greater then 2048bitEncryption greater then 2048bit• Can exist in a P5 PartitionCan exist in a P5 Partition

PKIPKI

Public/Private Key InfrastructurePublic/Private Key Infrastructure

idTRUST – PKI INFRASTRUCTUREidTRUST – PKI INFRASTRUCTURE

WHY IS A PKI INFRASTRUCTURE NECESSARY?WHY IS A PKI INFRASTRUCTURE NECESSARY?• Optional key generationOptional key generation

• Validate initial identitiesValidate initial identities

• Issuance, renewal and termination of certificatesIssuance, renewal and termination of certificates

• Certificate validationCertificate validation

• Distribution of certificatesDistribution of certificates

• Secure archival and key recoverySecure archival and key recovery

• Generation of signatures and timestampsGeneration of signatures and timestamps

• Establish and manage trust relationshipsEstablish and manage trust relationships

WHAT HAS BLOCKED PKI FROM GLOBAL USE?WHAT HAS BLOCKED PKI FROM GLOBAL USE?

• CostCost

• PKI Integration with vertical application basePKI Integration with vertical application base

• CA portability and interoperabilityCA portability and interoperability

idTRUST – PKI INFRASTRUCTUREidTRUST – PKI INFRASTRUCTURE

PUBLIC/PRIVATE KEY GENERATIONPUBLIC/PRIVATE KEY GENERATION

LOCAL APPLICATIONLOCAL APPLICATION

• ERP, CRM, SCM….ERP, CRM, SCM….

BROWSERBROWSER

• WebSphere PortalWebSphere Portal

• Linux (PHP)Linux (PHP)

REMOTE SERVER COMMUNICATIONSREMOTE SERVER COMMUNICATIONS

Generate aPublic/Private

Key Pair

WHY USE CRYPTOGRAPHY?WHY USE CRYPTOGRAPHY?

Cryptography can be applied to the following information categories:Cryptography can be applied to the following information categories:

• Information at restInformation at rest

• Information in transitInformation in transit

Cryptography is used to enable information:Cryptography is used to enable information:

• Privacy – information cannot be readPrivacy – information cannot be read

• Integrity – information cannot be modifiedIntegrity – information cannot be modified

• Authentication – information proof of ownershipAuthentication – information proof of ownership

• Non-repudiation – cannot deny involvement in transactionNon-repudiation – cannot deny involvement in transaction

ASYMETTRIC KEY CRYPTOGRAPHYASYMETTRIC KEY CRYPTOGRAPHY

Different keys (secrets) are used for both the encryption and decryption processes:

Public KeyCipher Ciphertext

information

CleartextPublic Key

CipherJ9%B8^cBt

Ciphertext

Asymmetric key“public key”

Asymmetric key“private key”

Decryption ProcessEncryption Process

Asymmetric key cryptography is characterized by the use of two independent but mathematically related keys

J9%B8^cBt

DIGITAL RIGHTSDIGITAL RIGHTS

WHAT IS DIGITAL RIGHTS?WHAT IS DIGITAL RIGHTS?

Gives us the ability to . . . Gives us the ability to . . .

• Assign ownership to documents or dataAssign ownership to documents or data

• Ensure that data has not been altered during transferEnsure that data has not been altered during transfer

• Provide authenticationProvide authentication

CURRENT METHODCURRENT METHOD

• Username and passwordUsername and password

• Card and PINCard and PIN

• RSA TokenRSA Token

• BiometricsBiometrics

USER IDENTIFICATIONUSER IDENTIFICATION

TOMORROW’S SECURITY TODAYTOMORROW’S SECURITY TODAY

• Secure user authenticationSecure user authentication

• PKIPKI

• Virtualized SecurityVirtualized Security

• SSL VPN TunnelsSSL VPN Tunnels

NEXT GENERATION SECURITYNEXT GENERATION SECURITY

USER IDENTIFICATIONUSER IDENTIFICATION

• Crypto-processor cardCrypto-processor card

• Biometrics on cardBiometrics on card

• ACLU friendlyACLU friendly

DATAQUEST TECHNOLOGIES’ SOLUTIONSDATAQUEST TECHNOLOGIES’ SOLUTIONS

SECURE IDENTITY TRUST CARDSECURE IDENTITY TRUST CARD

BIOMETRIC CARD FEATURES & CHARACTERISTICSBIOMETRIC CARD FEATURES & CHARACTERISTICS

• Similar to credit card-sized “Smart Card,” but also contains on-card crypto processorSimilar to credit card-sized “Smart Card,” but also contains on-card crypto processor

• Maintains protected storage for public/private keys, digital certificates and digital Maintains protected storage for public/private keys, digital certificates and digital

signatures to be used during authentication processsignatures to be used during authentication process

• Executes cryptographic operations (verifies fingerprint) Executes cryptographic operations (verifies fingerprint)

• Works in conjunction with card operating system (COS)Works in conjunction with card operating system (COS)

BIOMETRIC SECURE IDENTITY CARDBIOMETRIC SECURE IDENTITY CARD

HOW THE IDENTITY TRUST CARD WORKSHOW THE IDENTITY TRUST CARD WORKS

• User enrolls in the Biometric process Card maintains encrypted hash copy of User enrolls in the Biometric process Card maintains encrypted hash copy of

user’s fingerprint in EEPROMuser’s fingerprint in EEPROM

• When user wishes to authenticate him/herself, he/she simply places the correct When user wishes to authenticate him/herself, he/she simply places the correct

finger on the e-field sensorfinger on the e-field sensor

• The fingerprint is scanned, hashed and encryptedThe fingerprint is scanned, hashed and encrypted

• The crypto processor compares the fingerprint sample to the stored valueThe crypto processor compares the fingerprint sample to the stored value

• Card typically returns success or failure status to systemCard typically returns success or failure status to system

CRYPTO-PROCESSING CHIP LAYOUTCRYPTO-PROCESSING CHIP LAYOUT

VCC

Reset

Clock

GND

I/O

32-bit

Microprocessor

(Microcontroller)

RAM 2K Bytes

ROM 32K+ Bytes

EEPROM 64K+ Bytes

Crypto

Accelerator

(Processor)

ISO 7816 Family of

Smart/Crypto Card

Standards, i.e., power,

Clock & I/O Bus

BIOMETRIC SECURE IDENTITY TRUST CARDBIOMETRIC SECURE IDENTITY TRUST CARD

CARD CUSTOMIZATION CAPABILITIESCARD CUSTOMIZATION CAPABILITIES

• Multiple processors (4,6,8, etc.)Multiple processors (4,6,8, etc.)

• Mix and match 8, 16 and 32 bit processors for focused tasksMix and match 8, 16 and 32 bit processors for focused tasks

• Memory (inter-processor and processor specific)Memory (inter-processor and processor specific)

• Multiple custom data structure (application and processor)Multiple custom data structure (application and processor)

• Potentially contact-based and contact-less cardsPotentially contact-based and contact-less cards

BIOMETRIC READERSBIOMETRIC READERS

● Optical Sensor

● Capacitive Sensor

● E-Field Sensor

USER IDENTIFICATION SUMMARYUSER IDENTIFICATION SUMMARY

• Crypto-processor cardCrypto-processor card

• Biometrics on cardBiometrics on card

• PKI data on cardPKI data on card



Certificate Authority SoftwareCertificate Authority Software

INDUSTRY-SPECIFIC APPLICATIONSINDUSTRY-SPECIFIC APPLICATIONS

MasterTrustCenters

Organizations

Departments,Groups,RegionalCenters

DataQuestMaster Trust

Center (Security Level 1, 2, 3)

Smallbusiness

Level 1, 2Finance

Level 1Level 1, 3

Level 1, 2, 3

Level 1 Level 1, 2

Healthcare

Medical recordsdatabase

Level 3

Level 1, 2, 3

Level 1

Third Party Master Trust

Center Certificateinteroperability

(depends on level of trust)

Trust CenterTrust Center

Trust Center

Smallbusiness

Smallbusiness

Geographic(Regional)

Trust Center

Trust Center Trust Center

Trust Center Trust Center

Trust Center


Works in P5 SystemWorks in P5 System

P5

Firewall SSL VPN

Certificate Authority

Applications

PROFESSIONAL SERVICESPROFESSIONAL SERVICES

• Biometric smart card, trust center and PKI integrationBiometric smart card, trust center and PKI integration

• Secure application design, development and implementationSecure application design, development and implementation

• Enterprise security servicesEnterprise security services

• Custom software and consulting servicesCustom software and consulting services

• Project managementProject management

• Training and educationTraining and education

• Security Inventory Security Inventory

• Security Policies and Procedures Guide DevelopmentSecurity Policies and Procedures Guide Development

• IT Governance Audit/AssessmentIT Governance Audit/Assessment

• Penetration TestingPenetration Testing

• Disaster Recovery Planning and ImplementationDisaster Recovery Planning and Implementation

SECURITY SERVICESSECURITY SERVICES


Questions?Questions?

castle presentation 08-12-04

Documents