Presentation, 16th April 2015. What is it? Distributed Management Systems. Innovative Methodology from UK owned company with accompanying Protocol that allows Key Generation, Key Distribution and Key Change without the need for PKI. Complete system does not rely on any third party technology. One of the 4 inventions has US and EU Patents Published with no prior art quoted by Examiner.
What can it do? Identity Assurance: enables Mutual, Multi-factor Authentication with handheld Tokens or Contactless Smartcards that can be integrated with Gateways and Web Applications for secure remote access. Mutually Authenticated, Secure Communication in Internet of Things (IoT). Secure Messaging: can send short, secret messages over public data network to a specific person. Instant Disaster Recovery: integral dynamic backup to remote Server.
Why is it better? CASQUE SNR provides Mutual, Multifactor Authentication using Contactless, Active Tokens that work on any client: Workstations, Laptops, Tablets, Smartphones. Insider Attacks and Token Clones are denied success. Secure Communication in IoT preventing Man-in-the-Middle attacks. Complete System (Hardware and Software) can be placed in Escrow, allowing Customer the full capability to recreate the system if there is any interruption of support.
Who says it is good? CASQUE SNR (www.casque.co.uk) product has been certified at source code level by UK's CESG (part of GCHQ) (www.cesg.gov.uk) under the CAPS scheme and can be part of a secret solution. The product is NATO approved and DIPCOG preferred. CASQUE SNR is in daily use in UK's Ministry of Defence.
Mechanics: The protocol is Challenge/Response. Each challenge is unique (never repeated) with synchronising numbers so no replay attack is possible. Examples of Challenge Messages include secret message for display, generate OTP, instruct Token to change its Key. Token does not contain complete keys so is not a protected item; it can be sent by post. Standalone Program allows customer to populate Tokens using Customer's own seed material, so it is impossible to have a SecurID or Gemalto penetration attack compromise, as Manufacturer and System Integrator are not part of the risk.
Immunity: Key update can be set to occur automatically after each login or after one or more days or at the administrator's whim, so clones cannot succeed. The keys are generated with Customer imported seed and system dependent nonces, so a copy of the Authentication Server cannot reproduce the same generated keys.
Provable Security: [Figure: chart placing Passwords, Passive Tokens, Biometrics and CASQUE SNR Active Tokens against two axes, "Resistant to Insider Attack" and "Recovery from Compromise".]
Classic Token. Multiple Token Manifestations. Self Contained Token with internal, re-chargeable battery (no time expiry) containing EAL5+ secure chip. Challenge delivered with 3 flashing blocks, either processed by a Browser Helper or animated with WebGL. Works where mobiles are banned!
Smartcard Token: Javacard 3.0.1: EAL 5+, FIPS 140-2 Level 3. Giesecke & Devrient (G&D) Smart Café Card with NXP Semiconductor chip (DMS Ltd is an accredited developer of G&D). Challenge is processed in the Secure Element in Javacard.
Smartcard as Token: The Client (Smartphone or Tablet) needs to fully support NFC working and PC/SC commands. Note: despite claims, not all hardware has such full functionality. Most Android Smartphones (e.g. Samsung Galaxy) work; Blackberry 10 should work. Most Android Tablets (e.g. Nexus) work. Some Windows Tablets (e.g. Lumia) should work.
Tablets with no NFC: In this case, an NFC dongle is inserted. Windows Tablet Browser invokes the CASQUE SNR Player to deal with the received challenge. Response from Secure Element in CASQUE SNR Smartcard is stored in Clipboard for the User to paste into Login form.
Mobile as a surrogate Token: Phone with NFC. CASQUE SNR Challenge presented as a QR image, Mobile Phone's camera. CASQUE SNR Mobile App converts image to data and sends it by NFC to CASQUE SNR Smartcard. App suppresses all external network communications whilst in progress.
Mobile as a surrogate Token: kjj8vs7kh513. Response from Secure Element in Javacard is sent by NFC to CASQUE SNR App in Phone and is displayed on Phone's screen for User to enter into Workstation.
Application Examples: In 24 x 7 use by UK MOD. Client Workstation is made robust with access only to the Gateway address.
Application Examples: Lockheed Martin Managed Service, in operation 2014. Custom Application provided as Managed Service.
Application Examples: Use of Secret Message. Server sends encrypted file containing log of proposed transactions. User decrypts with CASQUE SNR Secret message key received via CASQUE SNR Token. User examines log and uses revealed confirmed message key to confirm and end session. If the Server does not receive confirmed message key, transactions are reversed/flushed and session ends. User can request completed transactions log file, again sent encrypted.
ACC Application Examples: Secure, Mutually Authenticated Comms for the Internet of Things (IoT). In the IoT, the typical topology is not just Server and web client but Server, local Hub and local Satellites. Examples of this tri-party communication include Server, Ground Station and local UAVs; and Server, Home Hub and local, intelligent sensor based controllers. There is little degradation expected between the Hub and the local Satellites, so efficient, encrypted UDP messages can be used.
ACC Application Examples: Available for 32 & 64 bit Windows and Linux. Handlers for Pitch Simulator. The Hand Shake assumes that the Server, via its accompanying Authentication Server, knows one of the symmetric keys stored in the Satellite. In this method each side encrypts its own generated Random using the nominated symmetric key. Note this guarantees that mutual authentication must have occurred. The combined Random, likewise encrypted, is used as the session key. This means a Man-in-the-Middle attack is not feasible. Once the Server to Hub secure connection is running, the Satellite and Hub can do their own Handshake.
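The Hand Shake described above, sketched as an added example (not CASQUE SNR code or its wire format): two parties exchange encrypted Randoms and derive a session key, and a party holding the wrong key ends up with a different one. Assumptions: the page names no cipher, so an HMAC-SHA256 keystream stands in for encryption and a keyed HMAC over the combined Randoms stands in for "likewise encrypted"; `Party`, `handshake`, `KEY` and `WRONG` are hypothetical names.

```python
import hashlib
import hmac
import secrets

# Stand-in cipher (assumption, the page names none): HMAC-SHA256 keystream
# XORed with the plaintext under a fresh 16-byte nonce per message.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))

class Party:
    """One end of the handshake: the nominated symmetric key plus its own Random."""
    def __init__(self, key: bytes):
        self.key = key
        self.random = secrets.token_bytes(16)   # fresh for every handshake

    def hello(self) -> bytes:
        # Each side encrypts its own generated Random under the nominated key.
        return encrypt(self.key, self.random)

    def session_key(self, peer_hello: bytes, is_server: bool) -> bytes:
        peer = decrypt(self.key, peer_hello)
        first, second = (self.random, peer) if is_server else (peer, self.random)
        # Combined Random under the key; a keyed HMAC stands in for "encrypted"
        # so both ends compute the same value (assumption).
        return hmac.new(self.key, b"session" + first + second, hashlib.sha256).digest()

def handshake(server_key: bytes, satellite_key: bytes):
    """Run both sides in-process; returns (server_session, satellite_session)."""
    server, satellite = Party(server_key), Party(satellite_key)
    to_satellite, to_server = server.hello(), satellite.hello()
    return (server.session_key(to_server, True),
            satellite.session_key(to_satellite, False))

KEY = bytes(range(32))   # constructed sample key shared by Server and Satellite
WRONG = bytes(32)        # constructed key held by a party that lacks the real one
```

In this sketch authentication is implicit: a peer with a different key derives a different session key, so the mismatch shows up on the first message protected by that key.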
Superior: [Figure: chart placing Passwords, Passive Tokens, Biometrics and CASQUE SNR Active Tokens against two axes, "Resistant to Insider Attack" and "Recovery from Compromise".] The CASQUE SNR Smartcard manifestation can displace the current Market Leader (RSA SecurID): cheaper, more secure (no Clones, no Insider Attacks, no MitM, no MitB), has wider applications (IoT), easier to install and upgrade (no time expiry on Tokens) and has just begun its patent cover (main patents for RSA have long expired).