CASQUE SNR Presentation 16 th April 2015

Transcription

1 Presentation 16 th April 2015 What is it Distributed Management Systems Innovative Methodology from UK owned company with accompanying Protocol that allows Key Generation, Key Distribution and Key Change without the need for PKI Complete system does not rely any third party technology One of the 4 inventions has US and EU Patents Published with no prior art quoted by Examiner

2 What can it do Identity Assurance: enables Mutual, Multi-factor Authentication with handheld Tokens or Contactless Smartcards that can be integrated with Gateways and Web Applications for secure remote access Mutually Authenticated, Secure Communication in Internet of Things (IoT). Secure Messaging: can send short, secret messages over public data network to a specific person Instant Disaster Recovery: integral dynamic backup to remote Server

3 Why is it better CASQUE SNR provides Mutual, Multifactor Authentication using Contactless, Active Tokens that work on any client- Workstations, Laptops, Tablets, Smartphones Insider Attacks and Token Clones are denied success Secure Communication in IoT preventing Man-in-the-Middle attacks Complete System (Hardware and Software) can be placed in Escrow allowing Customer the full capability to recreate the system if any interruption of support

4 Who says it is good CASQUE SNR ( product has been certified at source code level by UK s CESG (part of GCHQ) ( under the CAPS scheme and can be part of a secret solution The product is NATO approved and DIPCOG preferred CASQUE SNR is in daily use in UK's Ministry of Defence

5 Mechanics The protocol is Challenge/Response Each challenge is unique (never repeated) with synchronising numbers so no replay attack is possible Examples of Challenge Messages include secret message for display, generate OPT, instruct Token to change its Key Token does not contain complete keys so not a protected item- can be sent by post Standalone Program allows customer to populate Tokens using Customer s own seed material so impossible to have a SecurID or Gemalto penetration attack compromise as Manufacturer and System Integrator not part of the risk

6 Immunity Key update can be set to occur automatically after each login or after one or more days or at the administrator s whim so clones cannot succeed The keys are generated with Customer imported seed and system dependent nonces so a copy of the Authentication Server cannot reproduce the same generated keys

7 Provable Security Passive Tokens Biometrics CASQUE SNR Active Tokens Resistant to Insider Attack Recovery from Compromise Passwords

8 Classic Token Multiple Token Manifestations Self Contained Token with internal, re-chargeable battery (no time expiry) containing EAL5+ secure chip Challenge delivered with 3 flashing blocks either processed by a Browser Helper or animated with WebGL Works where mobiles are banned!

9 Smartcard Token Javacard 3.0.1: EAL 5+, FIPS Level 3 Giesecke & Devrient (G&D) Smart Café Card with NXP Semiconductor chip (DMS Ltd is an accredited developer of G&D) Challenge is processed in the Secure Element in Javacard

10 Smartcard as Token The Client (Smartphone or Tablet) needs to fully support NFC working and PC/SC commands Note: despite claims not all hardware have such full functionality Most Android Smartphones (e.g. Samsung Galaxy) work, Blackberry 10 should work Most Android Tablets (e.g. Nexus) work Some Windows Tablets (e.g. Lumia) should work

11 Tablets with no NFC In this case, a NFC dongle is inserted Windows Tablet Browser invokes the CASQUE SNR Player to deal with the received challenge Response from Secure Element in CASQUE SNR Smartcard is stored in Clipboard for the User to paste into Login form

12 Mobile as a surrogate Token Phone with NFC CASQUE SNR Challenge presented as a QR image, Mobile Phone s camera CASQUE SNR Mobile App converts image to data and sends NFC to CASQUE SNR Smartcard App suppresses all external network communications whilst in progress

13 Mobile as a surrogate Token kjj8vs7kh513 Response from Secure Element in Javacard sent NFC to CASQUE SNR App in Phone and is displayed on Phone s screen for User to enter into Workstation

14 Application Examples In 24 x 7 use by UK MOD Client Workstation is made robust with access only to the Gateway address

15 Lockheed Martin Managed Service Application Examples in operation 2014 Custom Application provided as Managed Service

16 Application Examples Use of Secret Message Server sends encrypted file containing log of proposed transactions User decrypts with CASQUE SNR Secret message key received via CASQUE SNR Token User examines log and uses revealed confirmed message key to confirm and end session If the Server does not receive confirmed message, key transactions are reversed/flushed and session ends User can requested completed transactions log file again sent encrypted

17 ACC Application Examples Secure, Mutually Authenticated Comms for the Internet of Things (IoT) In the IoT, the typical topology is not just Server and web client but Server, local Hub and local Satellites. Examples of this tri-party communication include Server, Ground Station and local UAVs and Server, Home Hub and local, intelligent sensor based controllers. There is little degradation expected between the Hub and the local Satellites so efficient, encrypted UDP messages can be used

18 ACC Application Examples Available for 32 & 64 bit Windows and Linux Handlers for Pitch Simulator The Hand Shake assumes that the Server via its accompanying Authentication Server knows one of the symmetric keys stored in the Satellite. In this method each side encrypts its own generated Random using the nominated symmetric key. Note this guarantees that mutual authentication must have occurred. The combined Random, likewise encrypted, is used as the session key. This means a Man-in-the-Middle attack is not feasible. Once the Server to Hub secure connection is running, the Satellite and Hub can do their own Handshake

19 Superior Passive Tokens Biometrics CASQUE SNR Active Tokens Resistant to Insider Attack Recovery from Compromise Passwords The CASQUE SNR Smartcard manifestation can displace the current Market Leader (RSA SecurID) : Cheaper, more secure (no Clones, no Insider Attacks, no MitM, no MitB), has wider applications (IoT), easier to install and upgrade (no time expiry on Tokens) and has just began its patent cover (main patents for RSA have long expired).