Project: Exoskeletons for security standards

Software to wrap around and protect deployments of at-risk (X.509-based public key) security standards. This project is an extension of the global-scale IdM-CKM project.

Context

Today's Internet (defacto) security standards are at risk

On entering office, President Obama directed a 60-day, comprehensive, “clean-slate” review to assess U.S. policies and structures for cyber security.  The review published in May 2009 concluded that:  

“Cyberspace touches practically everything and everyone.  It provides a platform for innovation and prosperity and the means to improve general welfare around the globe.  But with the broad reach of a loose and lightly regulated digital infrastructure, great risks threaten nations, private enterprises, and individual rights. … The architecture of the Nation’s digital infrastructure, based largely upon the Internet, is not secure or resilient.”

Today's Internet relies almost entirely on the X.509 security standards that emerged in the late 1980s.  Many serious security and implementation problems have plagued these standards.  In October 2010 Andrew McLaughlin, the White House Deputy CTO for Internet Policy, publicly asserted that the U.S. government is helpless against fake security certificates, a problem that arises from the trust model employed in the current (public key) security systems.  Unfortunately, in the civilian X.509 trust model, there are 40+ certificate authorities located in different countries that have the power to make security assertions about EVERY website on the Internet.  Some of those authorities perform absolutely no verification (zero verification) that they are issuing correct certificates to authorised parties. 

Problems in the X.509 security standards, such as fake security certificates, undermine the utility of all security protocols and products that rely on them.  This includes: secure e-mail, secure webpages used for online e-commerce (HTTPS: SSL, TLS), virtual private networks (IPsec, SSL VPN), and so on.

ICT Gozo Malta member Synaptic Laboratories Limited has proposed a comprehensive global-scale identity-management and cryptographic key management (IdM-CKM) solution to this problem.  The purpose of the Exoskeleton project described on this page is to develop an efficient method of protecting today's Internet security systems that rely on the X.509 standards, without modifying them.  

What is an Exoskeleton?

In nature, an exoskeleton is an external skeleton that supports and protects an animal's body.

In computer networks, a tunneling protocol encapsulates the payload protocol within a different delivery protocol.  A simple example of tunneling is Voice over Internet Protocol (VoIP), which carries telephone calls over the Internet. 

In computer networks, a secure tunnel is a type of tunneling protocol that uses cryptography in the delivery protocol to protect the payload protocol.  A secure tunnel can be thought of as a type of exoskeleton that supports and protects the payload protocol by wrapping around it without modifying it.  A simple example is the ubiquitous "Secure Sockets Layer (SSL) / Transport Layer Security (TLS)" protocol, which wraps around unencrypted network connections and transports the payload over the Internet in a secure way.

The purpose of the ICT Gozo Malta Exoskeleton initiative is to create a new family of secure tunnels that wrap around and protect existing security standards without modifying them.  The Exoskeleton approach means there are no changes to the original standards, and existing interoperability between implementations is maintained.


Proposal

Our vision to protect existing cyber security standards

The creation of a universally trustworthy and dependable cybersecurity infrastructure that wraps around and protects the deployment of today's at-risk Internet security standards.  This infrastructure is specifically designed to operate in multijurisdictional and multistakeholder environments.  This platform should ensure that the intended security properties of existing Internet security standards (with regard to confidentiality, integrity and availability) are met or exceeded.  Where possible, the cyber security infrastructure should improve the function of existing public key systems, while not relying exclusively on them for security.  

Achieving this vision

We have taken a clean-slate approach to solving the core problems found in Identity Management, Cryptographic Key Management and Secure Computation (TruSIP 4clouds).  The objective of the Exoskeleton initiative is to create a suite of software technologies that can protect today's Internet security standards, as currently used in production, without requiring the modification of deployed software or hardware.

Our proposal is to create protocol-aware secure tunnels that wrap around and protect the output of existing security standards.  We call these protocol-aware secure tunnels Exoskeletons to differentiate them from other security protocols in use today. 

The Exoskeleton technologies will employ our global-scale Identity Management and Cryptographic Key Management platform, which in turn employs our TruSIP 4clouds model.  The Janelda future network project will support the use of Exoskeletons in the client access nodes; in this way, Current Internet and Future Internet users can achieve secure communications effortlessly. 

Our unique-value-propositions

The purpose of the Exoskeleton is to enable the rapid protection of today's at-risk security standards without modification.  To do this we seek to create Exoskeletons that employ our global-scale Identity Management and Cryptographic Key Management platform to create secure tunnels that wrap around and protect the output of today's Internet security systems. 

We are not aware of any alternative proposals designed to address the trust problems in the X.509 PKI standards that today's security systems rely on.  We are not aware of any initiatives to provide instant post-quantum secure protection for today's at-risk public key based security systems.  The techniques used in our Exoskeleton approach mean there are no changes to existing security standards, and existing interoperability between applications is maintained.

Elements in the design

On the server side we employ our global-scale Identity Management and Cryptographic Key Management platform, which in turn employs our TruSIP 4clouds model.

Each person enrolled in the system is assigned one (or more) smart cards.  Those smart cards are enrolled with 3 or more IdM-CKM service providers before being issued to card holders.  The smart card is used within the IdM-CKM ecosystem.  (In the future we will explore integrating the IdM-CKM system with OpenID to enable single sign-on with sites running at-risk public key standards.) 

On the client desktop, it is preferred that a suite of software drivers is downloaded and installed.  This approach is consistent with SSL/TLS, VPN and other solutions, which require software to be installed at the point where security is enabled.  

At the client local area network level, it is possible to enhance network security modules (such as firewalls, network address translation devices, intrusion detection and prevention devices, and so on) to transparently enable Exoskeletons.  In this way it is possible to secure the wide-area-network traffic of an entire office without modifying any of the desktops.  This lowers the barrier to deployment while mitigating many known security risks. 

At the client back-office, it is possible to run Exoskeletons as proxies.  This is similar to the technique used by some SSL accelerators, which offload all SSL traffic to a module sitting in front of the web server, file server and so on. 
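The secure-tunnel idea above (a delivery layer that wraps an unmodified payload protocol) and the proxy deployment model can be illustrated with a small record-framing layer. The following is an added example written for this page; it is not Synaptic Laboratories' Exoskeleton code and it does not reflect their protocol design. It assumes a pre-shared symmetric secret already distributed out of band (in the design described here, that role would fall to the IdM-CKM platform; the `derive_key` helper and the `EXO1` record format are constructed for the example). Each record carries an opaque payload (here a constructed byte string standing in for a TLS record) under an HMAC-SHA256 tag and a sequence number, so a proxy on the receiving side can reject forged, tampered or replayed records without parsing, let alone altering, the inner protocol. Because the tag depends only on a symmetric key, nothing in this layer relies on an X.509 certificate. The example provides integrity, origin authentication and replay protection only; a real tunnel would additionally encrypt the payload with an AEAD cipher, which is left out because Python's standard library does not ship one.

```python
"""Added example: an authenticated framing layer around an opaque payload.

Not Synaptic Laboratories' code. Assumes a pre-shared symmetric secret;
the EXO1 record format and derive_key() are constructed for illustration.
"""
import hashlib
import hmac
import struct

MAGIC = b"EXO1"                  # constructed format identifier, not a real standard
HEADER = struct.Struct("!4sQI")  # magic, 64-bit sequence number, payload length
TAG_LEN = 32                     # HMAC-SHA256 output length


class ExoError(Exception):
    """Raised when a record fails parsing, authentication or replay checks."""


def derive_key(shared_secret: bytes, direction: bytes) -> bytes:
    """Derive a per-direction MAC key from the pre-shared secret (HMAC used as a KDF)."""
    return hmac.new(shared_secret, b"exo-mac:" + direction, hashlib.sha256).digest()


class Sender:
    """Wraps payload records; the payload bytes are carried through unmodified."""

    def __init__(self, shared_secret: bytes, direction: bytes = b"c2s"):
        self.key = derive_key(shared_secret, direction)
        self.seq = 0

    def wrap(self, payload: bytes) -> bytes:
        header = HEADER.pack(MAGIC, self.seq, len(payload))
        tag = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        self.seq += 1
        return header + payload + tag


class Receiver:
    """Unwraps records, rejecting anything not produced by the peer in order."""

    def __init__(self, shared_secret: bytes, direction: bytes = b"c2s"):
        self.key = derive_key(shared_secret, direction)
        self.expected_seq = 0

    def unwrap(self, record: bytes) -> bytes:
        # Structural checks first, so a malformed length cannot cause a bad slice.
        if len(record) < HEADER.size + TAG_LEN:
            raise ExoError("record too short")
        magic, seq, length = HEADER.unpack_from(record)
        if magic != MAGIC:
            raise ExoError("bad magic")
        body_end = HEADER.size + length
        if body_end + TAG_LEN != len(record):
            raise ExoError("length mismatch")
        # Authenticate header and payload together before trusting either.
        tag = record[body_end:]
        expected = hmac.new(self.key, record[:body_end], hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ExoError("authentication failed")
        # Strict in-order sequence numbers reject replayed or reordered records.
        if seq != self.expected_seq:
            raise ExoError(f"replay or reorder: got seq {seq}, expected {self.expected_seq}")
        self.expected_seq += 1
        return record[HEADER.size:body_end]


def demo() -> dict:
    """Exercise the happy path plus tampering and replay; returns check results."""
    secret = b"constructed pre-shared secret"   # constructed; would come from the key platform
    sender, receiver = Sender(secret), Receiver(secret)
    inner = b"\x16\x03\x03\x00\x05hello"          # constructed stand-in for an opaque TLS record

    rec = sender.wrap(inner)
    payload_intact = receiver.unwrap(rec) == inner
    carried_verbatim = rec[HEADER.size:HEADER.size + len(inner)] == inner

    tampered = bytearray(rec)
    tampered[HEADER.size] ^= 0x01                  # flip one bit inside the payload
    try:
        receiver.unwrap(bytes(tampered))
        tamper_rejected = False
    except ExoError:
        tamper_rejected = True

    try:
        receiver.unwrap(rec)                       # same valid record presented again
        replay_rejected = False
    except ExoError:
        replay_rejected = True

    second_ok = receiver.unwrap(sender.wrap(b"next record")) == b"next record"
    return {"payload_intact": payload_intact, "carried_verbatim": carried_verbatim,
            "tamper_rejected": tamper_rejected, "replay_rejected": replay_rejected,
            "second_ok": second_ok}


if __name__ == "__main__":
    print(demo())
```

In a proxy deployment of the kind described above, `Sender.wrap` would sit in front of the client's existing socket and `Receiver.unwrap` in front of the server's, with the inner bytes handed to the unmodified application on each side. Separate keys per direction (`c2s` and `s2c`) prevent a record from one direction being reflected into the other.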

    Exoskeleton: Secure Socket Layer

    Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols commonly found in eCommerce, eGovernment and many other Internet enabled applications.  SSL and TLS are designed to provide communications security for normal Internet network sessions (point-to-point communications across a large network).  SSL/TLS software is typically called by applications that wish to encrypt data before it is transmitted onto the unsecured network. 

    Unfortunately, SSL/TLS uses at-risk X.509 public key cryptography to provide identity management and key exchange operations.  There are products on the market today to attack SSL/TLS (see this paper for detailed information and full disclosure on the SSL attacks).  The Exoskeleton approach means there are no changes to the SSL/TLS standards, and existing SSL/TLS interoperability is maintained.

    The Synaptic Labs SSL/TLS Exoskeleton security enhancement will act as a wrapper or filter in front of the existing SSL/TLS protocols and protect various at-risk aspects of the protocol from attacks.  Furthermore, in response to U.S. Federal calls, our proposal is post quantum secure. 

    Exoskeleton: Virtual Private Network (IPsec)

    A virtual private network (VPN) is a computer network in which some of the links between VPN nodes are carried by a public network such as the Internet.  This might be used to extend the reach of a private local-area network (LAN) in one building to users working in another building.  It might also be used to allow telecommuting workers to access their LAN from out in the field.  VPNs are quite flexible, and distributed organisations of any size can deploy them in a variety of ways to satisfy their secure data communications requirements.  For example, banks use secure VPNs to secure inter-bank traffic and ATMs.  Today most VPNs use cryptographic algorithms and protocols to protect against the inherent insecurity of the public networks.  Secure VPNs ensure that network traffic transmitted over the public network is encrypted and protected from malicious modification.  Secure VPNs further ensure that only authorised users can access the network.

    IPsec is a common secure virtual private network technology.  It is a mandatory requirement in all computers that implement the modern Internet Protocol version 6 standard.  Unfortunately, IPsec uses at risk X.509 public key cryptography to provide identity management and key exchange operations. 

    The Synaptic Labs IPsec Exoskeleton security enhancement will act as a wrapper or filter in front of the existing IPsec protocol and protect various at-risk aspects of the protocol from attacks.  Furthermore, in response to U.S. Federal calls, our proposal is post quantum secure.  The Exoskeleton approach means there are no changes to the IPsec standards, and existing IPsec interoperability is maintained.

    Many IPsec servers employ a "Remote Authentication Dial In User Service" (RADIUS) server.  The Synaptic Labs RADIUS Exoskeleton will enhance and protect that protocol. 

    Exoskeleton: Virtual Private Network (SSL VPN)

    (The general description of virtual private networks given under the IPsec Exoskeleton above applies here as well.)

    SSL VPN is a common secure virtual private network technology that uses the Secure Sockets Layer protocol to perform security operations.  Unfortunately, SSL/TLS uses at-risk X.509 public key cryptography to provide identity management and key exchange operations.  This means that SSL VPN products are also at risk.  

    The Synaptic Labs SSL VPN Exoskeleton security enhancement will act as a wrapper or filter in front of the existing SSL VPN protocol and protect various at-risk aspects of the protocol from attacks.  Furthermore, in response to U.S. Federal calls, our proposal is post quantum secure.  The Exoskeleton approach means there are no changes to the SSL VPN standards, and existing SSL VPN interoperability is maintained.

    Exoskeleton: Secure E-mail 

    There are three common protocols for secure e-mail.  

    The Internet standard for secure email is called S/MIME (Secure/Multipurpose Internet Mail Extensions).  Unfortunately, S/MIME uses at-risk X.509 public key cryptography to provide identity management and key exchange operations.

    A common de facto standard for secure email is called Pretty Good Privacy (PGP).  PGP can use the at-risk X.509 federated certificate-authority trust model, or it can use a web-of-trust model, which does not scale very well with large numbers of users.  Furthermore, according to Ed Gerck in his overview of certificate systems: "A public key infrastructure is only as valuable as the standards and practices that control the issuance of certificates, and including PGP or a personally instituted web of trust could significantly degrade the trustability of that enterprise's or domain's implementation of public key infrastructure."

    A relatively new secure-email approach employs Identity Based Encryption (IBE).  In this model each organisation runs its own certificate authority and is responsible for managing the identities.  Secure email between users can be achieved by mathematically transforming the public key of that certificate authority with the target e-mail address.  In the most common commercial systems, the enterprise server can read and falsify messages between any users in its realm of control (see non-repudiation).  Compromise of one IBE server results in complete and total security failure for all previously protected communications managed over the lifetime of that server.  IBE systems rely on public key cryptographic primitives that are known to be at risk. 

    ICT Gozo Malta member Synaptic Laboratories' global-scale IdM-CKM proposal is designed to address the trust limitations found in the above three proposals, while exploiting innovative techniques that mimic some of their more desirable properties.  For example, our IdM-CKM proposal allows for management of key material by public identifiers, such as by e-mail address or website domain name.  Advantageously, in our approach the servers cannot decrypt messages, non-repudiation is maintained, and there is no single point of trust failure for all messages (or key exchanges).  Our IdM-CKM proposal also allows for multiple-attested identity assertions similar to the web of trust, but done in a way that is structured (all assertions managed in the cloud) and scales with the number of users. 

    The Synaptic Labs Secure Email Exoskeleton security enhancement will act as a wrapper or filter in front of existing unprotected (MIME) and S/MIME e-mails.  Our approach will benefit from key management by e-mail address in a robust, inter-enterprise, globally scalable manner.  When wrapping around S/MIME, the Exoskeleton will protect various at-risk aspects of the S/MIME protocol from attacks.  Furthermore, in response to U.S. Federal calls, our proposal is post quantum secure.  The Exoskeleton approach means there are no changes to the MIME or S/MIME standards, and existing mail interoperability is maintained.

    Exoskeleton: Secure Shell (SSH)

    Secure Shell is a suite of low-level security tools used extensively by many millions of computer administrators and software developers.  

    SSH runs on desktops and servers and enables computers to be remotely administrated.  SSH also supports creation of secure Internet (TCP/IP) tunnels between computers.  A secure tunnel offers a quick and low cost method of securing network traffic between a client and server without modifying the source code of the client or server.  

    SSH does not normally use X.509 public key cryptography to provide identity management and key exchange operations. However, SSH is not post quantum secure and so is known to be at risk of anticipated attacks in the future. 

    The Synaptic Labs SSH Exoskeleton security enhancement will act as a wrapper or filter in front of the existing SSH protocols and protect various at-risk aspects of the protocol from attacks.  Furthermore, in response to U.S. Federal calls, our proposal is post quantum secure.  The Exoskeleton approach means there are no changes to the SSH standards, and existing SSH interoperability is maintained.  In addition, the SSH Exoskeleton can benefit from advanced identity management functionality provided by our global-scale IdM-CKM proposal. 

    Exoskeleton: UDP/IP

    The User Datagram Protocol over Internet Protocol (UDP/IP) is one of the 2 core protocols for transporting information over the Internet (the other is TCP/IP).  UDP/IP is the simpler protocol and is responsible for sending short messages in an unreliable way.  Sometimes described as "send and pray", the packet of data is sent and there is no guarantee it will get to its destination.  UDP/IP is frequently used for streaming audio and video data to users.  

    The UDP/IP protocol does not employ any confidentiality or authentication mechanisms.  On the Internet, users may choose to employ a virtual private network (VPN) or use the Secure Sockets Layer (SSL) protocol to protect sensitive UDP/IP traffic.  Unfortunately, these protocols rely on at-risk X.509 public key cryptography to provide identity management and key exchange operations.  

    The Synaptic Labs UDP/IP Exoskeleton can be used to protect unsecured UDP/IP traffic without the use of VPN or SSL/TLS.  In response to U.S. Federal calls, our proposal is post quantum secure.

    Exoskeleton: TCP/IP

    The Transmission Control Protocol over Internet Protocol (TCP/IP) is one of the 2 core protocols for transporting information over the Internet (the other is UDP/IP).  TCP/IP is the more complex protocol and is responsible for sending long messages in a reliable way.  TCP/IP is used for most network traffic.

    The TCP/IP protocol does not employ any confidentiality or authentication mechanisms.  On the Internet, users may choose to employ a virtual private network (VPN) or use the Secure Sockets Layer (SSL) protocol to protect sensitive traffic sent over TCP/IP.  Unfortunately, these protocols rely on at-risk X.509 public key cryptography to provide identity management and key exchange operations.

    The Synaptic Labs TCP/IP Exoskeleton can be used to protect unsecured TCP/IP traffic without the use of VPN or SSL/TLS.  In response to U.S. Federal calls, our proposal is post quantum secure.
