Using BroadSAFE TM Technology 07/18/05



Similar documents
BroadSAFE Enhanced IP Phone Networks

Complying with PCI Data Security

Using etoken for SSL Web Authentication. SSL V3.0 Overview

Alliance Key Manager Solution Brief

McAfee Firewall Enterprise 8.2.1

CRYPTOGRAPHY AS A SERVICE

Applying Cryptography as a Service to Mobile Applications

McAfee Firewall Enterprise 8.3.1

How To Understand And Understand The Security Of A Key Infrastructure

TLS and SRTP for Skype Connect. Technical Datasheet

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

Accellion Secure File Transfer Cryptographic Module Security Policy Document Version 1.0. Accellion, Inc.

Secure Network Communications FIPS Non Proprietary Security Policy

An Introduction to Cryptography as Applied to the Smart Grid

OFFICE OF THE CONTROLLER OF CERTIFICATION AUTHORITIES TECHNICAL REQUIREMENTS FOR AUDIT OF CERTIFICATION AUTHORITIES

ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD CCNA SECURITY. VERSION 1.0

3.2: Transport Layer: SSL/TLS Secure Socket Layer (SSL) Transport Layer Security (TLS) Protocol

Overview. SSL Cryptography Overview CHAPTER 1

Secure Remote Monitoring of the Critical System Infrastructure. An Application Note from the Experts in Business-Critical Continuity

Secure Socket Layer/ Transport Layer Security (SSL/TLS)

Chapter 7 Transport-Level Security

Commercially Proven Trusted Computing Solutions RSA 2010

Certificate Authorities and Public Keys. How they work and 10+ ways to hack them.

Cornerstones of Security

DRAFT Standard Statement Encryption

Table of Contents. Introduction. Audience. At Course Completion

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Release Notes. NCP Secure Entry Mac Client. 1. New Features and Enhancements. 2. Improvements / Problems Resolved. 3. Known Issues

PKI Uncovered. Cisco Press. Andre Karamanian Srinivas Tenneti Francois Dessart. 800 East 96th Street. Indianapolis, IN 46240

Asheville-Buncombe Technical Community College Department of Networking Technology. Course Outline

IoT Security Platform

Security Protocols HTTPS/ DNSSEC TLS. Internet (IPSEC) Network (802.1x) Application (HTTP,DNS) Transport (TCP/UDP) Transport (TCP/UDP) Internet (IP)

SP A Framework for Designing Cryptographic Key Management Systems. 5/25/2012 Lunch and Learn Scott Shorter

FIPS Non- Proprietary Security Policy. McAfee SIEM Cryptographic Module, Version 1.0

PrivateServer HSM Integration with Microsoft IIS

Ciphire Mail. Abstract

Secured Communications using Linphone & Flexisip

OBM (Out of Band Management) Overview

Secure Sockets Layer (SSL ) / Transport Layer Security (TLS) Network Security Products S31213

Building Robust Security Solutions Using Layering And Independence

Payment Transactions Security & Enforcement

Cryptographic and Security Testing Laboratory. Deputy Laboratory Director, CST Laboratory Manager

Key Management Interoperability Protocol (KMIP)

Real-Time Communication Security: SSL/TLS. Guevara Noubir CSU610

Certification Report

SSL/TLS: The Ugly Truth

Final exam review, Fall 2005 FSU (CIS-5357) Network Security

Release Notes. NCP Secure Client Juniper Edition. 1. New Features and Enhancements. 2. Problems Resolved

Web Security Considerations

Authenticity of Public Keys

Secure Socket Layer. Introduction Overview of SSL What SSL is Useful For

ipad in Business Security

SBClient SSL. Ehab AbuShmais

Certicom Security for Government Suppliers developing client-side products to meet the US Government FIPS security requirement

Security Policy Revision Date: 23 April 2009

Release Notes. NCP Secure Entry Mac Client. Major Release 2.01 Build 47 May New Features and Enhancements. Tip of the Day

Security Technical. Overview. BlackBerry Enterprise Service 10. BlackBerry Device Service Solution Version: 10.2

Data Protection: From PKI to Virtualization & Cloud

Bit Chat: A Peer-to-Peer Instant Messenger

Key Management Best Practices

As enterprises conduct more and more

apple WWDR Certification Practice Statement Version 1.8 June 11, 2012 Apple Inc.

Hardware Security Modules for Protecting Embedded Systems

nwstor Storage Security Solution 1. Executive Summary 2. Need for Data Security 3. Solution: nwstor isav Storage Security Appliances 4.

Apple Inc. Certification Authority Certification Practice Statement Worldwide Developer Relations Version 1.14 Effective Date: September 9, 2015

Transport Level Security

Implementing Cisco IOS Network Security v2.0 (IINS)

How To Encrypt Data With Encryption

Network Security Part II: Standards

Securing VMware View Communication Channels with SSL Certificates TECHNICAL WHITE PAPER

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

An Overview of Communication Manager Transport and Storage Encryption Algorithms

Securing Distribution Automation

EmulexSecure 8Gb/s HBA Architecture Frequently Asked Questions

RELEASE NOTES. Table of Contents. Scope of the Document. [Latest Official] ADYTON Release corrections. ADYTON Release 2.12.

Cryptography and Key Management Basics

Safeguarding Data Using Encryption. Matthew Scholl & Andrew Regenscheid Computer Security Division, ITL, NIST

Chapter 17. Transport-Level Security

Lecture VII : Public Key Infrastructure (PKI)

CRYPTOGRAPHY IN NETWORK SECURITY

Acano solution. Security Considerations. August E

Introduction. An Overview of the DX Industrial Router Product Line. IP router and firewall. Integrated WAN, Serial and LAN interfaces

SecureDoc Disk Encryption Cryptographic Engine

WICKSoft Mobile Documents for the BlackBerry Security white paper mobile document access for the Enterprise

Meeting Technology Risk Management (TRM) Guidelines from the Monetary Authority of Singapore (MAS)

FIPS Level 1 Security Policy for Cisco Secure ACS FIPS Module

VoIP Security. Seminar: Cryptography and Security Michael Muncan

SMPTE Standards Transition Issues for NIST/FIPS Requirements v1.1

Alliance Key Manager A Solution Brief for Technical Implementers

TABLE OF CONTENTS NETWORK SECURITY 2...1

HTTPS: Transport-Layer Security (TLS), aka Secure Sockets Layer (SSL)

Netzwerksicherheit Übung 6 SSL/TLS, OpenSSL

Savitribai Phule Pune University

White Paper. The risks of authenticating with digital certificates exposed

Forward Secrecy: How to Secure SSL from Attacks by Government Agencies

Announcement. Final exam: Wed, June 9, 9:30-11:18 Scope: materials after RSA (but you need to know RSA) Open books, open notes. Calculators allowed.

Transcription:

Using BroadSAFE TM Technology 07/18/05

Layers of a Security System Security System Data Encryption Key Negotiation Authentication Identity Root Key Once root is compromised, all subsequent layers of security are compromised All security systems start with root level key (Cryptographic Identity)

Deployment of Technology Stateless Key Management Client (μhsm) Standalone for strong device authentication Network connected devices Key Management flexibility with low system cost impact Client / Server Key Management Model Trusted Platform Module (TPM) Standalone key management capability (peer to peer) Standards based solution Larger silicon footprint

BroadSAFE Security BroadSAFE Hardware Security Technology Tamper resistant hardware for key storage Standard CMOS processing provides integration capability Private key generation internal to device (internal True Random Number Generator) Deployed Now Existing switching products Existing networking VoIP Devices Interoperates with TPM architecture (v1.1b and v1.2) BroadSAFE Flexibility Interoperable with security standards (IPsec, SSL, TLS, SRTP, SIP, 802.1x, etc.) Open / Standards Based Key Management Interface Capability to provide custom based solutions

Unique DSA Key Pair DSA Key Generation Simple key generation based on internal generated random number 160 bit key is random number processed per FIPS186-2 Unique per device Key generation time in usec versus several minutes for RSA of equivalent strength Modulus and Generator values can be well known (stored in ROM versus NVM) NVM requirements ONLY 160 bits for DSA Key DSA Key Pair Creation Done during device manufacture No programming required at OEM or end user Certificate can be issued to travel with device Public value can be stored outside the security boundary Private key is only used to sign data within hardware security boundary Private key is never exposed

Manufacturing Flow DSA Private key (K DI-PRIV ) generated in protected security hardware (never exposed, unknown to manufacture) Blank Packaged Device Programming Programmed Device D CFG D AUTH = HMAC-SHA1(K CR-PUB ) K DI-PRIV, K AES, K HMAC, D CFG, D AUTH Protected Environment DSA Public Key (K DI-PUB ) signed by manufacturer to generate certificate Device K Registration DI-PUB K W-PRIV Registered Device K DI-PRIV, K AES, K HMAC, D CFG, D AUTH Warranty Server (WS) {K DI-PUB }K W-PRIV Certificate Database

Simple Strong Authentication Device μhsm Request Certificate Authenticator μhsm Public Key (K DI-PUB ) System NVM Submit Device Certificate Signed by Manufacturer Private key (K W-PRIV ) Authenticator verifies signature using the manufacturer public key (K W-PUB ). Establishes that the public key of this module K DI-PUB is certified by the manufacturer. μhsm signs challenge using private identity key (K DI-PRIV ) Send random challenge Send signed challenge Authenticator generates a challenge (unique random 160 bit number). Authenticator verifies signed challenge using certified public key (K DI-PUB ). Communication Path (non-secure) Establishes that this particular device holds the private key K DI-PRIV that corresponds to the certified public key K DI-PUB. Authenticating the manufacturer of the module. NOTE: Every device contains a unique K DI-PRIV and corresponding K DI-PUB

BroadSAFE TM Key Protection Keys must be protected in Hardware Key material is the target of attack Aggregation of key material increases the value / risk of attack Key management aggregates key material Key generation Key backup Key policy Key value goes up over time Software almost impossible to make secure across all platforms (Microsoft, Linux, IOS, etc.) Hardware key protection for about the same cost as software BroadSAFE Automated Hardware Key Management System Integration of strong hardware key protection into client devices Embedded Hardware Technology

Key Management Cryptography necessitates key management Handling of cryptographic keys in your system Have you locked the door and left the key under the mat? Key Handling Generation of keys Set capabilities and security limits of keys (policy) Implement key backup and recovery Prepare keys for storage Key revocation and destruction Multiple layers of security Authorized Key Usage Smart-card K of N access control Key linked to particular user / application / etc. Secure Audit Logs Tracking key usage to provide audit trail Liability protection Certified Security FIPS140-2 Level 3 Security Keys are never exposed outside of hardware in clear-text

Key Delivery Strong device authentication Established as part of generating a session with authenticator Key Delivery Ephemeral DH session can be used to deliver device keys Secure tunnel for key delivery to μhsm Security Protocol Agnostic Any security protocol that uses Public Key Technology Protection of device, system, user identity Private keys of certificates encrypted so only unique μhsm can use them

Security Applications μhsm Data In Asymmetric Public Key Algorithms (DSA, RSA, DH) Key Exchange Protocols (IKE, SSL/TLS Handshake) Key Exchange Private Key(s) Data Out Communication Peer Key Management Interface (strong authentication) Clear Data Session Key Symmetric Algorithm (3DES, AES, HMAC-SHA1) Encrypted Data

BroadSAFE System Strong Cryptographic Authentication who you are versus who you say you are Unique embedded private key identity for each device Hardware Protection of Certificates and Keys Identity is never compromised Key material never leaves the tamper resistant hardware in clear text FIPS140-2 Level 2 and Level 3 Solutions Available Basis for any standard cryptographic security system (IPsec, SSL, TLS, etc.) Secure Management Encrypted and authenticated Management traffic Automated policy and key updates Upgrade functions cryptographically in hardware after the device has been deployed

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information