SSLX Features and Benefits


Secure Sockets Layer eXtended (SSLX)
Next Generation Internet Security
Overview Presentation
April 2011
SSLX Features and Benefits
SSLX is Next-Generation SSL
• Real-Time Security – real-time authentication of users and servers
• Superior Performance – up to 300 times faster
• Easy to Deploy – no certificates to distribute or manage
• Easy to Use – transparent to end-users, easy for administrators
• Scalable Trust – enables new business models and enhances existing ones
• Federated Trust – provides flexible, dynamic networking of users and services
• Transparency – uses existing SSL infrastructure without changes, and provides automatic switching to SSL if SSLX is not available
Improvements allow SSLX to be used all the time, creating a faster, safer Internet
How SSLX Works
Circle of Trust (diagram: Web Browser, Server, Directory Services, SSLX Public Administrator, Private Directory Service)
SSLX Infrastructure (diagram components)
• Web Browser: user updates browser with Add-on for Firefox
• Server: site admin upgrades server. Available module: Apache mod_sslx
• Directory Service: trusted third-party installs DS application and database. Available: Windows server
• SSLX Public Administrator: governing body awards and monitors Public Directory Services
• Private Directory Service: SSLX-VPN closed-community secure communication package/device. Available: Windows server
Enables a real-time, easily verifiable trust partnership
SSLX Summary
SSLX is Next-Generation SSL
• Superior features and benefits – open source, high quality code available for testing, pilot, demonstration and/or full production
• Implementation has no obstacles – easily fits into existing infrastructure without any disruption of current SSL capability
• Full documentation – method, process, architecture and code available for download, peer review, analysis, comment, correction and optimization
• Quality business model – multiple parties engaged to allow a real world community Trust Partnership
SSLX offers a successful transition to the next generation of internet security
Federated Trust of Users and Services
Enables users and services to establish a network of trust that is based on the requirements of the application rather than fitting the application to the security model.
Web applications often require dynamic collaboration among users and services. The federated trust model of SSLX allows services to be provided that can create dynamic communities of trust so that applications can provide transaction level security where all parties are properly authenticated in a continuous manner. Communities of trust can be ‘shared’ between individuals and their respective communities.
Community of Trust Enables Dynamic Collaboration
SSLX allows users to connect privately with other people, share data and documents online and add or delete user access in real-time. SSLX ensures that only authorized individuals can access the content as defined by the content owner. SSLX provides user-managed security for web applications using standard browser access.
How SSLX Works – Verified Setup
(Diagram: Web Browser – Optional, Easy, Instant, As often as desired; Verified Setup (VSU); Server; Directory Service – Required, Easy, Instant, As often as desired; 256-bit, shared, Session Master Key)
Web servers (or browsers) initially authenticate to a Directory Service by providing several publicly verifiable data elements using two distinct communication channels and two distinct data encryption mechanisms.
The result is mutually authenticated, real-time, third-party trust communication.
How SSLX Works – Real-time Handshake
(Diagram: Web Browser, Server, Directory Service; 1. SSLX Request, 2. Secure Replies)
Real-time Handshake
1. Initial SSLX communication begins with a browser request for a secure page.
2. The server securely replies with one half of the Session Master Key (SMK) to an agreed upon DS. The server also replies securely directly back to the browser with the second half of the SMK and the DS identifier.
3. The browser then sends a request for the other key half to the DS using the identifier.
4. The DS then securely replies and the browser now has a SMK to continue secure communications with the server. Handshakes can be done as often as required by the site or browser.
There are 5 SSLX handshake security levels – a composite is shown.
How SSLX Works – Secure Traffic
(Diagram: Web Browser, Server – Continuous Mutual Authentication and Data Encryption)
After a successful handshake, the browser and server now have a 256-bit Session Master Key (SMK) which is used in the core SSLX algorithm to provide authentication and data encryption.
Authentication: Every communication in each direction includes the use of the SMK to generate unique authentication output that can only be verified by the other end of the established connection using the same SMK.
Data Encryption: Every communication in each direction uses the SMK to generate a unique 128-bit (or higher) AES government standard encryption key to secure all content. The AES key can only be recreated by the other end of the established connection using the same SMK to properly decrypt each communication.
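The following is an added simulation of the four-step handshake and the per-message key use described on the preceding slides; it is not SSLX code from the presentation or its authors. The slides do not specify how the SMK is "halved" or how it generates per-message keys, so the two-party XOR split, the HMAC-SHA256 derivation, the single-use handshake identifier and the browser already knowing each DS by name are all assumptions of this example.

```python
import os, hmac, hashlib

SMK_BYTES = 32  # 256-bit Session Master Key, as the slides state

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class DirectoryService:
    """Agreed-upon DS: keeps the server-deposited key share until the browser collects it."""
    def __init__(self, name):
        self.name, self._shares = name, {}
    def deposit(self, handshake_id, share):
        self._shares[handshake_id] = share
    def fetch(self, handshake_id):
        return self._shares.pop(handshake_id)  # one collection per identifier (assumption)

class Server:
    def __init__(self, ds):
        self.ds, self.sessions = ds, {}
    def sslx_request(self, browser_id):
        """Step 2: split a fresh SMK, deposit one part at the DS, return the other part plus the DS identifier."""
        smk = os.urandom(SMK_BYTES)
        share_ds = os.urandom(SMK_BYTES)   # the slides' "half" is modelled as an XOR share (assumption)
        share_browser = xor(smk, share_ds)
        handshake_id = os.urandom(8).hex()  # constructed identifier format (assumption)
        self.ds.deposit(handshake_id, share_ds)
        self.sessions[browser_id] = smk
        return share_browser, self.ds.name, handshake_id

class Browser:
    def __init__(self, browser_id, directories):
        self.id, self.directories, self.smk = browser_id, directories, None  # directories: known DSes by name
    def handshake(self, server):
        share_browser, ds_name, hid = server.sslx_request(self.id)  # step 1: request a secure page
        share_ds = self.directories[ds_name].fetch(hid)             # step 3: ask the named DS for the other part
        self.smk = xor(share_browser, share_ds)                     # step 4: reconstruct the SMK
        return self.smk

def message_keys(smk, direction, seq):
    """Per-message material from the SMK. HMAC-SHA256 is an assumed KDF; the slides only say
    the SMK generates a unique AES key and unique authentication output for each message."""
    mat = hmac.new(smk, f"{direction}:{seq}".encode(), hashlib.sha256).digest()
    return mat[:16], mat[16:]  # (128-bit AES key, authentication key)

def demo():
    ds = DirectoryService("ds.example")
    server, browser = Server(ds), Browser("browser-1", {ds.name: ds})
    smk = browser.handshake(server)
    k1, k2 = message_keys(smk, "c2s", 1)[0], message_keys(smk, "c2s", 2)[0]
    return smk == server.sessions["browser-1"], k1 != k2, ds._shares == {}
```

With the XOR split neither the DS nor the browser-bound reply alone yields the SMK, which is the property a practitioner would want to confirm before trusting a third-party key-half holder.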
How SSLX Works – Public Verification
(Diagram: Web Browser, Server, Directory Service, SSLX Public Administrator; optional DS and/or WS verification; optional DS and/or browser verification)
At any time during a connection, either the server administrator or the web browser may check the public veracity of the Directory Service with the SSLX Public Administrator (SSLXPA). Each party can also check the public veracity of the other within the records of the DS. Public scrutiny happens in real-time, at any time.
How SSLX Works
(Diagram: Web Browser and Server – Real-Time Handshake, Continuous Mutual Authentication & Data Encryption; Directory Service – Verified Setup, Public Verification; SSLX Public Administrator – Verified Setup, Public Verification)
SSLX Public Administrator
• Respected, independent third-party oversees SSLX trust
• Provides governance of worldwide Public Directory Services (DS) similar to ICANN with DNS
• Leads worldwide representative Policy Board ensuring fair representation of diverse DS community members
• Determines and administers fee structure for community of DS
• Allocates licenses for DS to operate franchise
• Provides quality control and compliance standards for DS
• Authority for DS lookup, validating DS for users
• Additional revenue opportunity through advertising to lookup viewers
Directory Service
• Respected, independent third-party manages SSLX trust between server and browser
• Provides real-time key exchange under multiple SSLX security levels
• Offers public search and display of Verified Setups (VSUs) for web domains all the way down to the individual server IP address
• Offers private repository of browser performed VSUs in order to mutually authenticate a specific client browser
• Follows SSLXPA directed quality control, data integrity, information protection and public display requirements
• Determines and administers fee structure for premium trust services, including extended validation
• Revenue opportunities: server IP monitoring and alerts, anti-phishing, on-the-fly alerts, spoof watches, portfolio site management, advertising, etc.
• If granted a sublicense, provide Private DS licensing for SSLX-VPN secure private community communication
Private Directory Service
• Controlled third-party, generally managed by the site content owner(s), to provide SSLX trust between servers and member browsers.
• Provides real-time key exchange under multiple, but generally a specified, SSLX security level
• Offers private search and display of Verified Setups (VSUs) for member browsers including the specific authentication credentials dictated by this private community
• Offers private search and display of the VSU information for the controlled domain(s) and server(s) for the member browser
• Follows their own directed quality control, data integrity, information protection and display requirements.
• Determines and administers SSLX User ID codes and other member credential requirements.
• Unique configuration of security levels, extranet connectivity, login requirements, site content layering – all can be individually configured to meet the unique requirements of the closed community.
Contact Information
www.TheRPMLab.com