Secure File Interchange (SFI)
A Managed Security Solution
For use in your enterprise
A service offering to your clients and customers
Whitenoise Laboratories Inc.
November 24, 2006
Canadian Security Market
• $1B in 2004
• $1.5B in 2007
– Yankee Group, Gartner, IDC, Data Monitor, Merrill Lynch and Goldman Sachs
• Key market drivers include:
- Technology evolution: IP networking, VoIP, WLAN
- Extension of the network perimeter to include partners and mobile workers
- Regulatory compliance (PIPEDA), (HIPAA), (Gramm Leach Bliley), (Sarbanes Oxley), (Ontario Bill 198, BC Bill 38)
- Identity Management and Access Control: Emerging requirement
The Problem
• “1 out of 10 Laptop computers purchased will be stolen within 12 months, 90% will never be recovered.” 2005 CSI/FBI report
• “200,000 HP staff exposed as laptop loss party continues.” The Register 22 March 2006
• “Ameriprise: Laptop Stolen With Data on 158,000 Clients” Associated Press Wednesday, January 25, 2006
• “Unauthorized access showed a dramatic cost increase and replaced denial of service as the second most significant contributor to computer crime losses during the past year at $31,233/ incident.” 2005 CSI/FBI report
Definitions
Encryption
Prevents any non-authorized party from reading or changing data.
The strength is measured by the algorithm, the number of possible keys
and the key size.
Identity Management
“Identity Management (IDM) is comprised of electronic records that
represent people, machines, devices, applications, and services.”
Jamie Lewis CEO Burton Group
77 % of respondent C-level execs & IT managers of large US enterprises
view IDM as the primary means of protecting against network intrusions
resulting from identity theft and as key to compliance efforts in safeguarding
sensitive information. - Unisys survey.
The Whitenoise Proposition
• An End-to-End Solution:
– Protects data in storage on:
• Desktop, Laptop Computers
• External hard drives or other storage media
– Secures data in transit on:
• IP Networks, the Internet, Wireless, Satellite
• Our differentiator:
– Provide Systems that are:
• Simpler to use
– Less Training Expense/ Resistance
• Less expensive
• Easier to implement & maintain
• More secure
[Slide callouts: Regulatory Compliance; Corporate/Personal Data Security; Extends the Network Perimeter: Partners / Mobile Employees; Increase security of standards compliant technology with Whitenoise IP]
SFI Secure File Interchange for Business
[Diagram: SFI Server Application (NT 2003) linking The Company (Executive, Accounting, Sales, Marketing, HR), Co. Location B, Traveling Employee and Supplier over Inter/Intranet and Wireless]
• System is managed by IT personnel
• Sensitive information downloaded as required, not stored on PC
• Provides a strong corporate Identity Management & Secure Document Exchange system over any digital media: Internet, Wireless, Satellite
Secure File Interchange (SFI)
• Shrink-wrapped Computer based application + keys
– Windows NT 2003, .NET, C#, C++
• Secure exchange of documents over insecure networks (Internet, Satellite, Wireless)
– Global reach
– Economical
– Documents of all types including multi-media
• Address weaknesses of other topologies
– SFI is more economical
– SFI minimizes complex multiple servers
– SFI does not require trusted 3rd parties
– Easy end user adoption and use
– Security – prevention and detection [rapid revocation]
• Self contained
– No special skills
– Little training
USB Based Identity Key
Two factor authentication to gain access to secured network
Something you have in your possession – The key
Something that you know – A strong password
The key impractical to duplicate
Billions of bytes in length – Digital Fingerprint
Incorporates Serial Number & Mfg Information
Whitenoise US Patent pending DIVA™ guards against spoofing
You then remove the key & take it with you
Key structure tested by cryptographic experts at the Univ of California – Berkeley and
the Univ of Victoria
Service Comparison
[Table comparing PKI and SFI on: Simple; AES Encryption; No 3rd Party; Rapid Key Revocation; ‘Spoofed’ Keys Protection; Simple Management; One Time AES Session Keys; Affordable; Non-Repudiation; (DIVA)™ US Pat Pend]
Applications
• SFI is implementer centric
– No trusted 3rd parties
– Membership assigned by Enterprise
– Strong Identity Management
• Current Version
– High Speed encryption
– Very fast at end user
• Supports multiple documents of varying types
• Simultaneous operation
– Perfect for large file transfers
• Printers, Movies, Banks, etc.
• SFI(2)
– Standards Compliant (AES SHA 256)
– Government and large organizations
– FIPS Compliant
Both have maintenance and management subsystems.
AES Key Generation & Document Transmission
[Flow diagram: Sender’s Desktop, SFI Key Server, Receiver’s Desktop]
Sender’s Desktop
– Keys held: WN IDM Key (240,000 bits), User AES key (128 bits)
– WN RNG: 128/256 AES Session Key
– Encrypt Document
– Encrypt Session key w/user AES key
– Wrap/Encrypt in WN IDM key
– Place in Document Header
– SHA 256 Ensures document is not altered between sender and receiver.
– Transmission of Secure Document
SFI Key Server
– Server contains all user key pairs
– Re-Encrypt Session key in Rcvr’s Unique AES key
– Wrap in receiver’s WN IDM key
– Place in Header & Send
Receiver’s Desktop
– Keys held: WN IDM Key, User AES key
– Unwrap WN IDM key
– Decrypt Session key w/ sender AES Key
– AES Session key
Receiver advised through e-mail that file is waiting
File may be sent via SFI or Encrypted E-mail
Low Server Overhead = Large Scalable AES Networks
• Client: Session key generation, encryption & IDM Wrap
– WN RNG
• Client: File Encryption using Session Key
– using either AES or WN
• Server: Decrypt session key + IDM recovers Session Key
– < 160µ secs per transaction
– Approx. 20 Million / Hr (Theoretical)
• The Documents are never decrypted
– Employ one-time AES Session Keys
The Identity Management Key Offset
• The dynamic authentication calls happen between two end-points [i.e. server and device, card, flash memory, router etc.] periodically during each communication
• The critical characteristic is that each end-point can create the identical key stream from its distributed key structure and offset/vector that points to a specific index in the key stream [These have either never been transmitted or never been transmitted in an un-encrypted state.]
– The key stream is like radioactive decay: it is both random and deterministic
– Radioactivity is the most random natural event and yet the half-life is deterministic – The IDM key stream can be identically recreated and yet any segment of this stream is more random than even radioactive decay [there were no statistical failures against the NIST test suite].
• This dynamic authentication call is requesting and comparing random segments of the stream that have never to that point been created or transmitted. [The segments are never used twice.]
Dynamic Identity Verification Authentication (DIVA™) &
Last Session Ended Here (‘X’)
DIVA remembers end point of
session
etc.-01100011001101001101010100101010000101011010101010-etc.
+’n’
Password
DIVA (Key) is instructed to begin her song at X + n
Dynamic Identity Verification & Authorization (DIVA™)
Rapid threat vector detection and immediate revocation
• Continuous identity verification throughout a session (not just the beginning)
• DIVA Identity Management keys can be used in either distributed or public key topologies
• Unique keys assigned to individuals or network points
• Provide very strong identifier
• Possession of the key + strong password structure to activate it establishes user identity [An additional element of authentication is the unique device identifier.]
• DIVA™ uses these attributes to:
– initially ensure that the individual accessing the network is who they say they are (references last point in key reached during last session)
– alert registered user that account is being accessed
– verify their identity throughout the session
– ensure that a duplicate key (intruder) is not in existence
– defend the network if intruder detected (deny access to both)
How does DIVA™ protect?
Super-length IDM Key = Lyrics of a user-specific song
Only SFI Server & User key know lyrics of each user’s unique song
Access = Sing next ‘n’ lyrics of song from unique start point
given by server for each session (last point + ‘x’- encrypted)
Additional operations = Sing next ‘n’ lyrics of song from last
point
2nd DIVA™ (Intruder) appears
Operations of 2 DIVA = Loss of Sync for one, denial
of access to both
Reported Loss or theft of key = instant denial of access
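A minimal model of the offset-synchronised check described in the DIVA slides above, added here as an illustration and not Whitenoise code: HMAC-SHA256 in counter mode stands in for the proprietary key stream, and the names `segment`, `Token`, `Server`, `SEG_LEN` and the key value are assumptions. It leaves out the server-chosen jump (‘x’) and the encryption of the exchange, and shows only why a second copy of a key causes loss of sync and denial of access to both.

```python
import hashlib
import hmac

BLOCK = 32    # bytes per HMAC-SHA256 output
SEG_LEN = 16  # the 'n' bytes requested per authentication call (assumed value)

def segment(key: bytes, offset: int, n: int) -> bytes:
    """Bytes [offset, offset+n) of a stand-in keystream (HMAC-SHA256 counter mode)."""
    out = bytearray()
    for counter in range(offset // BLOCK, (offset + n - 1) // BLOCK + 1):
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(out[offset % BLOCK:offset % BLOCK + n])

class Token:  # a key copy plus the offset where its last exchange ended
    def __init__(self, key: bytes, offset: int = 0):
        self.key, self.offset = key, offset

    def respond(self) -> bytes:
        reply = segment(self.key, self.offset, SEG_LEN)
        self.offset += SEG_LEN  # a segment is never produced twice
        return reply

class Server:
    def __init__(self):
        self.users = {}  # user -> key, expected offset, revoked flag

    def enroll(self, user: str, key: bytes) -> Token:
        self.users[user] = {"key": key, "offset": 0, "revoked": False}
        return Token(key)

    def verify(self, user: str, reply: bytes) -> bool:
        rec = self.users[user]
        if rec["revoked"]:
            return False
        expected = segment(rec["key"], rec["offset"], SEG_LEN)
        if hmac.compare_digest(expected, reply):
            rec["offset"] += SEG_LEN
            return True
        rec["revoked"] = True  # loss of sync: deny every copy of this key
        return False

def clone_scenario() -> list:
    server = Server()
    owner = server.enroll("alice", b"constructed-demo-key")
    first = server.verify("alice", owner.respond())   # normal login
    clone = Token(owner.key, owner.offset)            # key and offset copied
    return [first,
            server.verify("alice", clone.respond()),  # clone in sync: accepted
            server.verify("alice", owner.respond()),  # owner out of sync: revoke
            server.verify("alice", clone.respond())]  # denied for both copies
```

In this model any mismatched reply locks the account, so a deployment of the pattern needs rate limiting or an authenticated channel in front of `verify` to keep lock-out from becoming a denial-of-service lever.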
SFI
Simple Maintenance & Administration
Administrator Screen
Adding New Users
Maintenance & Administration
Logs – (Non-Repudiation)
Additional User Security
• User advised over E-Mail/pager that account is being accessed
• Advised via e-mail that message waiting
• Click on provided link takes user to SFI server
• User sees last 15 logins and IP addresses on login
• Reported lost or stolen key killed instantly
• No 3rd party notification required
Networked Systems (Phase 2)
• Secure network systems servers are capable of networking (Phase 2)
• Set up shared directories based on pre-selected (allowed) e-mail addresses
• Signaling path set up between servers with unique Whitenoise server keys
• Message encrypted in one-time AES session key
• Sent to server on which target receiver is resident encrypted in server’s IDM key
• Receiving server packages session key in receiver’s IDM and AES keys
• Sends to receiver where it is decrypted
• No key information is electronically transmitted
• Message is never decrypted (readable) at any point between sender and receiver [trans-encryption occurs in real time in a streaming fashion in memory only]
[Diagram: networked servers in Vancouver, Toronto and Regina]
Secure File Interchange (SFI) Review
• Add Managed Information Transfer and Storage to service offerings
– Storage Space managed and chargeable
– Per document/transaction charges
• Additional revenues through securing data storage and transfer
• Total solution from desktop/laptop to secured delivery over insecure networks
– Internet, Wireless, Satellite
• One time session keys, DIVA™ - prevention, authorization, detection and revocation
• Manage service for SME’s
– Far Less expensive
– No skills requirement
– Little to no training
• Target Legal, Medical, Financial sectors
– Regulatory Compliance
• Uses industry/government standard Encryption (AES, SHA) + DIVA™
• Provides Transaction Logs
Cavalier Telephone to Add Comprehensive On-Demand Security Services to Business IP Offering
MILFORD, Conn.--(BUSINESS WIRE)--Aug. 17, 2006-- Mid-Atlantic CLEC to Provide SMB Customers Complete
and Cost Effective, On-Demand Security Services - No Assembly Required
Secure File Interchange (SFI)
A Managed Security Solution
Whitenoise Laboratories Inc.
September 19, 2006
IP Security Tunnel
A Managed Security Solution
Whitenoise Laboratories Inc.
September 19, 2006
Whitenoise IP Security Tunnel
• Shrink wrapped computer application + keys
• Encrypted point-to-point and multi-point tunnels
• Immediate integration with IP traffic at data link layer
– E-mail
– File transfer
– VoIP
– Video conferencing
• Encrypted Link Keys issued from key vault
• No appreciable delay (Latency) for real-time applications
[Diagram: Key Vault connected to Location A, Location B and Location C]
Benefits of the IP Security Tunnel
• Reduce complexity of Inter-location security
• Reduce computational overhead & hardware cost
– Inexpensive appliances
– Eliminate hardware encryption accelerators
• Maximize throughput & minimize delays
• One solution for all IP including VoIP & Video Conferencing
• Better solution at 25% - 50% of the cost
PC File Security
A Managed Security Solution
Whitenoise Laboratories Inc.
September 6, 2006
PC Level Data Protection Products
• PC File Encryption
• Hard Drive Encryption
• Mail Bag Encryption
• Distribution
– 3rd party distributor/manufacturer
– 3rd party to major accounts
– Direct sales through website
Whitenoise PC File Encryption
Simple point & click application on USB memory device + unique key
encrypts all types of data on computer Hard Drive
No size limit
You then remove the key & take it with you
Portable (Multiple computers)
Securely send data between home & office
The key can’t be duplicated
Lost key replaceable
Encrypted Corporate or Personal data on lost
or stolen computer is unreadable
Whitenoise Encrypted Mailbag
• Create a “Mailbag”
– May hold one or many documents of different types
• Multimedia (Video, Music, Voice)
• Spreadsheets
• Text Documents
• Graphics (Drawings, Photographs)
• Etc
• Key is generated from 2 passwords
– Significant security vs. single password
[Diagram labels: Password, Internet]
PC & Removable Hard Drive Encryption
• Protects Computer and Removable Hard Drives
– Utilizes distributed Encryption Key and Pass phrases
– Encrypted “Z” drive cannot be read if removable drive or computer is lost or stolen
– “Z” drive is sizeable
– Drag and Drop folders and sub-folders to your encrypted drive
– Extremely fast
• Plays multimedia content while encrypted
• Sensitive Incident video (Security First Responders)
• Recorded Video Testimony (Law Enforcement)
[Image caption: New pocket size Mini, 50 - 100GB]
A Whitenoise retail product distributor
Shikatronics
About Shikatronics
Montréal, QC, Wednesday, June 21, 2006 - Shikatronics, a leader in memory manufacturing and
distribution in Canada, announced today a distribution agreement with SmartDisk, a global provider in
the area of portable, network and multimedia storage products and technologies that enable people to
enjoy, share and preserve digital content and information.
• Shikatronics deals with many of the Major Retailers, Corporate Accounts, Financial Institutions and Buying Groups in Canada, such as:
Whitenoise Laboratories Inc.
• IP
– Whitenoise Encryption & Identity Algorithm
• US/International Patents
– IPEA advisory all 23 claims allowed (May 2005) PCT/CA2005/000163
– USPA 10/299,847 examination all claims allowed (Nov 2006)
• Business Model
– Licensing of Technology to manufacturers
– Sales of Whitenoise Labs developed encryption products (through distributors)
• Fully compliant Cdn Federal Gov’t regulations
• Vancouver Based
Whitenoise Algorithm Positioning
[Chart: Encryption Strength (Weak to Strong) plotted against Speed (Slow, CPU/Processor Intensive, to Fast, CPU/Processor Very Efficient). Algorithms shown: Triple DES, AES, Blowfish, DES, RC4, SEAL, Whitenoise]
Whitenoise Algorithm Attributes
Extremely Secure – Encryption Key stream length exceeds the size of
multimedia content to be sent or stored - (Keys built from small amount of
stored data)
IDM - Positive identification of receiving device
Unique communication channel (encrypted) between content server and
terminal - Secure Key delivery
Multimedia may be streamed and/or stored for later play
Key associated with terminal
Cannot be played on another device
Supports real time voice, video, music, text and games (yes games)
Plays encrypted streams without latency
Content encrypted once and placed on server
Title key sent uniquely encrypted in terminal key to user
Low overhead
Whitenoise Algorithm Attributes
Extremely Secure - Keystream length exceeds the size of Data to be
sent or stored (Keys built from small amount of stored data)
- Keystream Data never transmitted
Fast – 5 Clock Cycles per Byte (S/W) >2 Bytes / CC (H/W) – Done in FPGA
Error Tolerant - Only damaged bits affected no reliance on preceding
or following data
Efficient - Low Processor Requirements – Lower cost devices
Data Type Independent - Multimedia Support – Voice Data Video – Real Time
streaming, Video Surveillance
Manages Linear Offsets - Strong Identity & Digital Rights Management
Applications
- Receiver & Sender synchronized Keystream
Scalable - Small Footprint < 300k – Will run on 8 bit cpu