HC-6360 PC Security System
By Crypto AG
Total Information Security
Crypto AG / HC6360-e.ppt / 9927 / 1

PC Security System By Crypto AG
- File Encryption
- Message Encryption
- Disk Encryption
- Virtual Memory Encryption

Desktop and Notebook PCs
- Windows NT 4.0
- Windows 2000
- Accessory: PC Card Adapter for desktop PCs

Security Risks and Counter Measures
(Diagram labels. Risks: Network, Stored Data, Transmitted Data. Counter measures: Internet Security, Message Security, Local Security)

Open Systems and Security
(Diagram labels: Open Area, Protected Area, Secure Area)
- Open System: Customer can install own software
- Open Systems cannot be fully protected. Protection can only be achieved for certain areas
- Full Security for Workstations can only be guaranteed when using closed systems like the HC-6830 Secure Field Communication Terminal

Main Components
- Local Security
  - Access
  - File Encryption (local, Server, File Transfer)
  - Disk Encryption
  - Virtual Memory Encryption
- Message Security
  - Message Encryption (E-Mail)
  - Integration into E-Mail Systems
- Internet Security
  - Disk Lock

Local Security
- Encryption of files stored locally or on server
- Automatic decryption upon selection of encrypted file (double-click)
- Wipe Function (secure delete)
- Transparent Disk Encryption for extended hard disk partitions and floppy disks
- Access Protection to encrypted drives and encryption / decryption services
- Swap File Clean-up
- Temp File Redirection

Message & File Encryption
- Manual operation
  - Type and include files into CryptoPad application
  - Select in Explorer context menu
  - Drag & Drop files onto CryptoPad application
  - Works with single or multiple files
- Decryption
  - Automatically on double-click
  - Manually in Explorer context menu
- Includes Compression and Integrity Check

Message & File Encryption: Crypto Context Menu
- Starts CryptoPad and sends file(s) via E-Mail application
- Starts CryptoPad and saves file(s) encrypted to specified directory
- Decrypts selected file and saves file(s) to specified directory
- Starts CryptoPad and saves file(s) encrypted in current directory
- Decrypts selected file and saves file(s) in current directory
- Deletes selected file(s)

File Encryption
(Diagram labels: Master Communication Key (MCK), File(s), Include, Crypto File, Note, File(s), Save encrypted, Disk, File Server)
- Notes: May be added to the file(s) to be encrypted

Example: File Encryption
(Screenshot labels: CryptoPad, Explorer, Explorer)
- Work Flow: Select, (Add Note), Encrypt

Message Encryption
- Send messages and files encrypted by E-Mail
- Automatic decryption upon selection of encrypted message (double-click)
- Works with all MAPI supporting E-Mail applications

Message Encryption
(Diagram labels: E-Mail Address, Master Communication Key (MCK), File(s), Include, Crypto File, Note, File(s), Send Encrypted, Message Body (Plain), Attachments, Crypto File, Other Attachments (Plain), Send)

Message Encryption: Send Encrypted Message by E-Mail
(Screenshot labels: Windows Desktop, CryptoPad, Example: Microsoft Outlook Express)
- Work Flow: Start, Write, Encrypt, Address, Send

Message Encryption: Send Encrypted File by E-Mail
(Screenshot labels: CryptoPad, Example: Microsoft Outlook Express, Explorer)
- Work Flow: Select, (Add Note), Encrypt, Address, Send

Disk Encryption
- Fully transparent - no user interaction required
- Supports
  - Non-boot hard disk partitions
  - Floppy disks
- Operational after Windows start-up
- Login required for access to encrypted disks
- Lockable with Internet Security
- Automatic initial disk encryption after installation

Disk Encryption
(Diagram labels: Hard Disk, Crypto PC Card, C:\ (Boot Partition), D:\, RAM, A:\ Floppy Disk, Transparent Disk Encryption)

Virtual Memory Encryption
(Diagram labels: Crypto PC Card, Hard Disk, Random Key, RAM, Virtual Memory Partition, Virtual Memory Encryption)

PC Configuration with Encrypted Disk Partitions
- Boot Partition C:\ (Unprotected): Windows, Web Browser, Mail Client
  - Swap File deleted on shut-down
  - Temp Files redirected to protected drive when accessible
- D:\ Applications, E:\ : Data (Protected)
  - Access Protection
  - Disk Encryption
- Integrity Check for Crypto components on boot partition

Data Security on Network PCs
- Never access an unprotected network (e.g. Internet or LAN) from a workstation with confidential data!
- Data can be accessed directly from the network when connected!
- Use separated Workstations for network access!
- This is not always possible, e.g. when travelling with a notebook
- Internet Security will provide some level of protection to minimise the risk
  - Protects against Direct Access from the network to confidential data
  - Does not protect against specific Trojan Horses

Internet Security
- Separation of Internet infrastructure and other applications and data on different disk partitions
- Boot Partition:
  - Windows operating system
  - Web Browser
  - Communication application (e.g. E-Mail)
- Partitions with data and other applications must be encrypted
- Encrypted disk partitions will be locked when accessing the internet
- Messages protected before accessing the Internet may be located on the Internet (boot-) partition and eventually be sent via Internet Mail

Internet Security
(Diagram labels: Personal Computer, Password, C:\, C:\ Windows, Browser, Mail, Secure Messgs, D:\, Transparent Disk Encryption, RAM, Modem, Internet, Data, Applications, Local / Internet)

Internet Security Disk Lock

Control Application
- Crypto PC Card status display in the Windows task bar
- Login / Logout
- Hardware test
- PC Security configuration settings
- Key Management

Control Application

Security and Administration

The Security Services
- Security Services
  - Confidentiality service for communication data in storage
  - Data integrity service
  - Access control service

Security Elements
- A security chain is as strong as its weakest link!
- Detachment from manufacturer:
  - Customer managed algorithm
  - Access to encryption and decryption services
- Highly sophisticated hardware-based algorithm
- Flexible security management
- Hardware-based access control mechanisms
- Easy and reliable operation

Detachment Philosophy
- Security elements fully under customer control:
  - The Communication Keys
  - The Storage Key
  - The Access Passwords
  - A vital part of the Algorithm HCA-420
(Diagram label: HCA-420)

Algorithm
- Highly Sophisticated Algorithms
  - HCA-420 for Encryption / Decryption embedded in Crypto AG's Security Chip HCC-420
  - Hardware based True Random Generator embedded in Security Chip HCC-420
- Cryptological Parameters
  - (Master) Communication Key: Variety over 10^37
- Algorithm Customisation
  - Customisation by CMP: Variety over 10^38
- Customer Definitions
  - Total Variety of Customer Definition over 10^75

Message & File Encryption Mechanisms: Sender
(Diagram labels: Customer defined, MCK Domain, CK one-time, HC-420, HCA-420, HCA-420, Security Chip HCC-420)

Message & File Encryption Mechanisms: Receiver
(Diagram labels: Customer defined, MCK Domain, CK one-time, HC-420, HCA-420, Security Chip HCC-420, HCA-420)

Key Life Cycles
- Communication Key CK is randomly generated to encrypt only one Message
- Master Communication Key MCK is generated by Customer's Security Administrator and used until the next Key Change
- Validity duration for MCK is defined at generation time
(Timeline diagram labels: CK1, CK2, CK3, CK4; MCK-1, MCK-2; time axis t)

Security Module (PC Card)
- Tamper Proof Security Chip HCC-420 with
  - Cipher Algorithm HCA-420
  - True Random Generation of Keys
- Plain Keys, PINs and other classified Data never leave the Security Chip
- Algorithm is fully protected against copying, readout, modifications
(Figure label: Crypto AG's Security Chip HCC-420)

Security Management: Communication Topology
(Diagram labels: MCK Domain A, MCK Domain B, MCK Domain C, MCK Domain D)

Security Management
(Diagram labels: MCK, CMP)
- Detachment of first Security Module (PC Card) according to customer's centralized rules (CMP)
- Manual input of MCK into first Security Module
- Distribution of securely copied Security Modules to the other communication partners

Installation Steps
- Define initial values
  - Customer Managed Parameter (CMP)
  - Disk Key (SK_Disk)
- Automatic initial disk encryption
- Define Master Communication Keys (MCK)
- Copy cards
  - Installer cards
  - Administrator cards
  - User cards

CMP Definition

SK_Disk Definition

Master Communication Key Definition

Security Administration and Access Hierarchy
- Installer Card: Available Functions, Adm PW, Op PW
- Administrator Card: Available Functions, Adm PW, Op PW
- User Card: Available Functions, Adm PW, Op PW
- Correct entry of Administrator Password deblocks card blocked by operator
(Legend: Adm PW = Administrator Password, Op PW = Operator Password)

Security Administration Hierarchy
Functions / Installer PC Card / Administrator PC Card / User PC Card
- Access
  - Blocking of own Card: x x x
  - Deblocking on 2nd Card: x x
  - PIN Reset + Deblocking on 2nd Card: x x
- Management
  - Definition of Communication Keys (MCK): x x
  - Initial Settings (CMP, SK): x
- Copy
  - Installer Cards with PIN: x
  - Installer Cards without PIN: x
  - Administrator Cards with PIN: x x
  - Administrator Cards without PIN: x x
  - User Cards with PIN: x x
  - User Cards without PIN: x x
- Factory Reset: x

Passwords
- Operator Password
  - Four to eight alphanumeric characters
  - Password error counter: card is blocked after three consecutive wrong entries of the password
- Administrator Password
  - With or without password error counter
    - Four to eight alphanumeric characters with error counter
    - 32 hexadecimal characters without error counter
  - Correct entry deblocks card by resetting the operator's password error counter

Related Products
- HC-7830 VPN Encryption
  - Secure Virtual Private Network (VPN)
  - Ciphering at IP level
- HC-6378 PC Security and VPN Encryption
  - PC Security and Secure Virtual Private Network combined in one installation on a single Crypto PC Card
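
The password rules on the Passwords slide, modelled as an added example (not Crypto AG code): it checks the two password formats, simulates the operator error counter with administrator deblocking, and computes the guess space of each format. The names CardModel, admin_mode and guess_space_bits are hypothetical, and the model assumes a correct operator entry clears the counter, which is what "consecutive" implies; the effect of a wrong administrator entry is not stated on the slide and is not modelled.

```python
import hmac
import math
import re

OP_FORMAT = re.compile(r"[A-Za-z0-9]{4,8}")        # four to eight alphanumeric characters
ADM_LONG_FORMAT = re.compile(r"[0-9A-Fa-f]{32}")   # 32 hexadecimal characters
MAX_WRONG = 3                                      # card blocks after three consecutive wrong entries

def admin_mode(password):
    """Classify an administrator password by the two formats on the slide."""
    if ADM_LONG_FORMAT.fullmatch(password):
        return "without error counter"
    if OP_FORMAT.fullmatch(password):
        return "with error counter"
    raise ValueError("not a valid administrator password format")

def _same(a, b):
    return hmac.compare_digest(a.encode(), b.encode())   # constant-time comparison

class CardModel:
    """Hypothetical model of the operator login state; not the card's real logic."""
    def __init__(self, operator_pw, admin_pw):
        if not OP_FORMAT.fullmatch(operator_pw):
            raise ValueError("operator password must be 4-8 alphanumeric characters")
        self.admin_mode = admin_mode(admin_pw)
        self._op, self._adm = operator_pw, admin_pw
        self.wrong = 0                      # operator password error counter

    @property
    def blocked(self):
        return self.wrong >= MAX_WRONG

    def operator_login(self, attempt):
        if self.blocked:
            return False                    # refused even with the right password
        if _same(attempt, self._op):
            self.wrong = 0                  # assumption: success clears the counter
            return True
        self.wrong += 1
        return False

    def admin_deblock(self, attempt):
        """Correct administrator password resets the operator error counter."""
        if _same(attempt, self._adm):
            self.wrong = 0
            return True
        return False

def guess_space_bits(alphabet_size, min_len, max_len):
    """log2 of the number of candidate passwords for a length range."""
    return math.log2(sum(alphabet_size ** n for n in range(min_len, max_len + 1)))
```

With a 62-symbol alphabet (an assumption, since the slide does not say whether case matters) the four-to-eight character space is under 48 bits, so that form depends on the error counter; the 32-hexadecimal form is 128 bits, which is why it can be offered without one.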