Project: Global-scale Cyber Security (IdM-CKM)


Inter-enterprise identity and key management designed to support global scalability

Hosted by your organisation, by a group of mutually suspicious organisations seeking higher security assurances through collaboration, or by third parties from the cloud as a public service to the global community, the Synaptic Labs' identity management and cryptographic key management proposal is designed to satisfy the needs of small business through to nation states. 

Identity Management and Cryptographic Key Management Context

This section focuses on the issues around identity management and cryptographic key management.  For an accessible introduction to the current cyber security issues, see the linked introduction.

Identity and cryptographic key management (IdM-CKM): The Yin and Yang of cyber security

In our interconnected and interdependent global village it is essential that we can identify the correct devices, people and organisations when we talk with them, grant them access to our systems or do business together around the world.  This is one of the essential pillars of cyber security.  A related essential pillar is how we exchange (and manage) cryptographic keys to establish secure communications between people and organisations across the globe.  These two pillars are interwoven, and so we describe them as being the Yin and Yang of cyber security.  

All existing Internet security employs both identity management (such as certificate authorities) and key management techniques (such as exchange of short-lived keys and the policy-driven storage and recall of longer-lived keys).  However, Internet security products and protocols have traditionally focused their efforts predominantly on one of the two pillars, often in the context of a very specific use case.  Internet security protocols have also assumed a trust model that does not work well in an international context of mutually suspicious organisations.  In contrast, the Synaptic Labs' unified identity management and cryptographic key management model is designed to accommodate all essential identity and key management functions within one platform.  Furthermore, it is designed from the onset as a multi-stakeholder and multi-jurisdiction solution.

The existing at risk security systems (public key technologies and infrastructures) have cost billions to deploy, and are essential for all eCommerce, eGovernment and much more.  Unfortunately this infrastructure has serious limitations that threaten to undermine our global security.  It is in recognition of the limitations and our global dependence on these systems that the clarion call for a revolution in identity management and key management has subsequently emerged from Federal Agencies in the United States.

Requirements outlined by the US Government, DHS, NIST and EU for new IdM and CKM

"The community’s demands and expectations on the ability to control our identities, mutually authenticate each other and co-operatively manage inter-organisation security increases proportionally with our (international) dependence on the Internet."

In 2009 the U.S. President's Cyberspace Policy Review set out 10 near-term objectives.  The review called for the U.S. to “build a cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties interests, leveraging privacy-enhancing technologies for the Nation”.  In response to the Cyberspace Policy Review, the U.S. Department of Homeland Security (DHS) has made the call for new global-scale Identity Management (2009).  Likewise, the U.S. National Institute of Standards and Technology (NIST) has made the call for new global-scale cryptographic key management.  These organisations have each set out the open hard problems that must be solved by their respective projects to achieve these goals.  Furthermore, the European Union has created laws that demand greater empowerment of the individual and the organisation with regard to their digital identity and privacy.

Synaptic Laboratories Limited's new global IdM-CKM initiative is targeted to deliver a holistic solution that exceeds many of the expectations of the U.S. Agency calls and is aligned with the E.U. vision of stakeholder empowerment.  Most importantly, our new solution can wrap around and protect the existing massive investments in public key infrastructures, so existing systems can remain standards compliant and interoperable.

What is global-scale identity management (IdM)? 

According to the Department of Homeland Security - Roadmap for Cybersecurity Research, "Global-scale identity management concerns identifying and authenticating entities such as people, hardware devices, distributed sensors and actuators, and software applications when accessing critical information technology (IT) systems from anywhere."

A global-scale identity management system must be able to scale to manage the identification of potentially every organisation and human on the planet, and the billions of sensor and computer devices in their support.  A global-scale identity management system must be universally trustworthy.  To achieve this, it must uphold and protect the legitimate interests of all stake-holders.

An identity management system capable of addressing the technical and trust requirements for global scalability automatically addresses the needs of smaller, closed identity management systems shared between a group of organisations.  Synaptic Labs' IdM-CKM proposal is designed to be suitable for deployment by small private groups all the way up to public Internet-scale services.

New global-scale IdM is important - more detail on Government initiatives

The clarion call for a revolution in identity management has emerged from Federal Agencies in the United States as well as within the European Union.  These calls started as siloed National ID schemes, evolved into internationally interoperable electronic ID schemes, and have reached their logical peak in the call for a global-scale identity management scheme.

The E.U. co-funded e-ID STORK project has been established to create a European electronic identity interoperability platform that will allow citizens to establish new e-relations across borders, just by presenting their national eID.  The role of the STORK platform is to identify a user to a service provider.  In the E.U. the explicit consent of the owner of the data, the user, is always required before his data can be sent to the service provider.  More specifically, the user-centric approach found in STORK is required by the legislative requirements of all the E.U. countries involved in the project.

The U.S. President’s May 2009 Cyberspace Policy Review calls for the creation of an online environment, or an Identity Ecosystem, where individuals and organizations can complete online transactions with confidence, trusting the identities of each other and the identities of the infrastructure that the transaction runs on.

In response to this call, the U.S. Department of Homeland Security (DHS) is calling for global-scale identity management (Nov 2009).  Countless critical systems and services require authenticated authorization for access and use, and global-scale identity management will be a critical enabler of future IT capabilities.  Global-scale identity management is aimed specifically at government and commercial organizations with diverse interorganizational relationships that today are hampered by the lack of trustworthy credentials for accessing shared resources.

What is global-scale cryptographic key management (CKM)?

Key management comprises the provisions made in a cryptographic system design that relate to the generation, exchange, storage, safeguarding, use, vetting and replacement of keys.  It includes cryptographic protocol design, key servers, user procedures and other relevant protocols.

The U.S. National Institute of Standards and Technology (NIST) is calling for global-scale cryptographic key management (April 2009).

"Cryptographic Key Management (CKM) is a fundamental part of cryptographic technology and is considered one of the most difficult aspects associated with its use.  Of particular concern are the scalability of the methods used to distribute keys and the usability of these methods. NIST has undertaken an effort to improve the overall key management strategies used by the public and private sectors in order to enhance the usability of cryptographic technology, provide scalability across cryptographic technologies, and support a global cryptographic key management infrastructure."  - NIST CKM Project Website

A global-scale cryptographic key management system must be able to scale to manage the key material for every human on the planet, the billions of sensor and computer devices, and the fine-grain keys that manage conditional access to sensitive portions of information.  A global-scale key management system must be universally trustworthy.  To achieve this, it must uphold and protect the legitimate interests of all stake-holders.

A key management system capable of addressing the technical and trust requirements for global scalability automatically addresses the needs of smaller, closed key management systems shared between a group of organisations.  Synaptic Labs' IdM-CKM proposal is designed to be suitable for deployment by small private groups all the way up to public Internet-scale services.

New global-scale CKM is important - more detail on the Government initiative

"This [NIST] Cryptographic Key Management Workshop is the kickoff activity in a “leap-ahead” effort that we are undertaking as a part of the National Cybersecurity Initiative.  The President recently announced the results of a Cyberspace Policy Review.  Cybersecurity is a critical element in our national security posture. Our reliance on the internet is becoming nearly total.  ... The role of key management in cybersecurity is critical. ... One requirement is to have scalable solutions in very large applications. While we know how to handle key management reasonably effectively for up to a million people, we need to go a couple of orders of magnitude beyond that in the relatively near future."  – William C. “Curt” Barker,  NIST Computer Security Division Chief and NIST Cybersecurity Advisor, NIST IR-7609

Technical argument for comprehensively addressing IdM and CKM in one project

The New Oxford American Dictionary defines a secret as “something that is kept or meant to be kept unknown or unseen by others”.

Key management is responsible for managing the life cycle of a secret, whereas identity management is responsible for identifying the users that may access or know or use the secret.  Furthermore, electronic identity (eID) management systems frequently use secrets to authenticate identities.  Consequently eID systems must employ cryptographic key management techniques.

It follows that electronic identity management systems and cryptographic key management systems are as mutually interdependent as Yin and Yang.  By addressing both IdM and CKM simultaneously, in a balanced manner, we ensure that we maximize the synergies and minimize opportunities for a weakness in one to compromise the other. 

Has the combination of IdM with CKM been published anywhere?

While the issues related to identity management and cryptographic key management are tightly entwined, projects have traditionally assigned a strong bias to a particular feature or specific use case.  For example, identity management projects often focus on mapping identifiers (such as a company name or website address) to a secret key managed by a user, without implementing any features that would enable the storage and recall of long-lived keys.  Conversely, key management systems focus on managing the life cycle of long-lived keys with much less emphasis on managing the identities of users in the system.  Often this is limited to identity management within the enterprise (user names and accounts) and does not scale between enterprises.

Synaptic Laboratories Limited has published a new global-scale IdM-CKM model that permits the integration of all identity management and key management services in one cloud based service.  This permits the one system to be used for long-lived key management, for key distribution and also for managing identity assertions.  This model has been presented to and published in the proceedings of the US National Cyber Security Summit, the NATO Cyber Security Symposium (2010), the Oak Ridge National Laboratory Annual Cyber Security and Information Intelligence Workshop (April 2010) and the IEEE Key Management Summit (May 2010).  This global-scale IdM-CKM initiative is targeted to deliver a holistic solution that exceeds many of the expectations of the various U.S. Agency calls and is aligned with the E.U. vision of stakeholder empowerment.

Both industry and Government acknowledge problems plague today's IdM and CKM solutions (2010)

At the 2-day IEEE Key Management Summit held in Lake Tahoe, Nevada, USA (May 2010), the CTO of Synaptic Laboratories addressed the cryptographic security experts in the audience, asking whether the opinions expressed by Dr. Peter Gutmann (world recognized PKI expert) about today's (public key) security infrastructure were as bad as described.  According to Luther Martin (Chief Security Architect of Voltage Security, and on the program committee of the IEEE KMS event) in his blog posting: "it didn't take long for the group to reach a consensus.  A few people simply said, `Yes, it really is.' That's about as far as the discussion got.  After that, there really wasn't much more to say."

Subsequently, in October 2010, Andrew McLaughlin, the White House Deputy CTO for Internet Policy, publicly asserted that the U.S. Government is helpless against fake security certificates, a problem that emerges from the trust model employed in the current (public key) security systems.  "We are looking at a multijurisdictional, multistakeholder problem for which there is no governmental solution," said McLaughlin, a former Google executive.  "Because of the multijurisdictional and multistakeholder nature of the problem, government can't fix it and government shouldn't fix it," McLaughlin said.

It is exactly this multi-jurisdictional and multi-stakeholder problem that Synaptic Labs' global-scale identity management and cryptographic key management models address, in an innovative way that protects and upholds the legitimate interests of all stake-holders.

For more information see Synaptic Labs' slide-show summary of the known problems identified by public key infrastructure experts.

EU requirements for user-centricity

Based on text and quotes from two related EU FP6 SecurIST publications [here and here]:

"In the E.U., privacy is generally defined as a right of self-determination, namely, the right of individuals to determine for themselves when, how and to what extent information about them is communicated to others."  

SecurIST calls for international user-centric IdM in which end users are empowered to determine their own security and dependability requirements and preferences.

"User-centric mechanisms are required to allow controlled release of personal, preference-related and location-based information, and to deliver assurances to owners about how personal information will be used by third parties."  

This marks a shift "from Security and Dependability by 20th century central command and control approaches", towards architectures that could lead to an "open and trustworthy Information Society through empowerment" of the individual with the purpose of protecting the central systems, the citizen and society interests (i.e. protecting the legitimate interests of all stake holders).

"Responsibility, authority and control have to move more towards the end user."

What is global-scale identifier based encryption (G-IBE)?

In many personal and business contexts we may only know the e-mail address or website of a company without knowing the identities of the people who can answer the e-mail or manage the website.  For example, we may be content to know that the company's published sales e-mail address will get us in contact with one of many possible authorized sales representatives at that company.  In this type of context it would be ideal if we could establish secure communications with anybody just by knowing their e-mail address or website (or some other public identifier).

Expert participants at the U.S. Federal Cyber Security Summit (NITRD NCLY) have promoted (public key) ID-based Encryption schemes (which use e-mail addresses to manage secure communications) as a possible solution to increasing the uptake of security:  

“In particular, we propose that a significant effort be devoted to evaluating identity-based cryptography (IBE) as a viable key-management model for enterprises and other controlled, hierarchical institutions, in lieu of the individual web-of-trust model which has proven all but unusable at scale.  While not intended to be a universal solution, it is our opinion that techniques like IBE hold the potential to immediately dismantle numerous roadblocks to widespread adoption of cryptography in industry and government”

There are many limitations to commercially available (public key) Identity-based Encryption schemes which prevent them from being a universal solution.  These limitations prevent their use in a global context, where anybody from any organisation can talk to anybody in any other organisation just by e-mail address.

The Synaptic Labs global-scale IdM-CKM proposal supports the creation of a single global directory capable of managing secure communications between anybody in the world just by using their e-mail address (actually, by any Uniform Resource Identifier). We call this global-scale Identifier Based Encryption (G-IBE).  Our proposal is uniquely capable of addressing the critical trust, security, key-management and life-cycle problems that are present in (public key) Identity-based encryption schemes that limit their suitability for use within inter-enterprise and global Internet-scale contexts.  



Synaptic Labs' vision for the global-scale IdM-CKM?

The creation of a universally trustworthy and dependable identity management and key management platform suitable for use in day-to-day and mission critical operations.  It is specifically designed to operate in multijurisdictional and multistakeholder environments.  This platform should deliver unprecedented confidentiality, integrity, availability, reliability, safety and authenticity assurances for all stakeholders against continuous and evolving insider and outsider attacks (i.e. all malicious actors), in a way that is credible and can be audited.  Furthermore, this platform should facilitate operational continuity in the face of natural or man-made physical disasters.

How do you intend to achieve this vision?

We have taken a clean-slate approach to global-scale identity management and cryptographic key management.

Central to realizing Synaptic Labs' vision of universal trustworthiness and dependability is the use of an innovative distributed and decentralized architecture that permits all client transactions to be distributed across several autonomously owned and managed service providers.  This distributed and decentralised architecture permits the multistakeholder trust issues to be resolved, specifically by ensuring client transactions remain secure against the simultaneous compromise of (N-1) out of (N) participating service providers, whether as a result of insider collusion or outsider attacks.  More specifically, we employ the democracy-supporting principles of "separation of powers" and "checks and balances" to provide balanced security, accountability and privacy for all stakeholders/users.

In addition to the above core principle, we will employ the use of Synaptic Labs' TruSIP 4clouds platform to achieve unprecedented confidentiality, integrity, availability, reliability, safety and authenticity assurances for each service provider (and subsequently the clients of that service provider) against continuous and evolving insider and outsider attacks.

We will achieve secure IdM and CKM services for all stakeholders:

  • using commercial off the shelf (COTS) hardware and operating systems, where each component is managed in a particular way; and
  • by enabling at risk standards-based security applications to be protected, without requiring modification, so existing systems will remain standards compliant and interoperable.

What are the unique-value-propositions of Synaptic Labs' proposal?

Synaptic Labs' global-scale identity management and cryptographic key management platform has no known competitors: 

  • it has been designed from the ground up as a holistic global-scale cryptographic project
  • it has been designed from the onset to protect the legitimate interests and enhance the security of all stakeholders, even within a multi-jurisdiction, multi-stakeholder system
  • it can address the open hard problems that undermine today's (mainstream, X.509 public key) security systems
  • it provides many of the design features called for by the US Department of Homeland Security Future InfoSec Roadmap, including protection against a wide range of insider attacks including from trusted staff through to malware in the hardware and software
  • it can be used to protect and enhance existing at-risk (public key) security cryptosystems using evolutionary improvements of known-and-trusted (symmetric key and fault-resistant) techniques while maintaining existing standards compliance and interoperability
  • it employs an intrusion and malware resistant design to improve confidentiality, integrity and availability of services for the service provider (more attractive services to clients, better business continuity) and dependent clients
  • it can be used to provision a diverse range of client services by mapping traditionally specialized services (key distribution, key agreement, key management, name server, assertion server, file server, secure email, secure instant messaging) in a uniform way within one system
  • it has a decentralised trust model which can be deployed locally and internationally.  It employs the democracy-supporting "Principles of Law" and can be deployed in a manner that empowers all stake-holders, promotes goodwill and engenders trust between the participants, be they corporate competitors or nation states.
  • it has been designed with E.U. principles of user-centricity in mind

This global scale identity management and cryptographic key management project can be built using commercial-off-the-shelf hardware, operating systems and programming languages.

Synaptic Labs' platform addresses three key calls.  First, the U.S. Networking and Information Technology Research and Development (NITRD) Program call to create and employ a digital immune system (multi-layered protection, decentralised control, diversity, pattern recognition) in next generation systems.  Second, the DHS call for combating insider attacks and malware, achieving survivability and availability.  Third, the NIST CKM Project managers' call for a CKM design supporting billions of users without the use of public key technologies.

What does your proposal look like?

The global-scale identity management and cryptographic key management platform is hosted in the cloud and can be accessed from the desktop.  Online services are provisioned by 3 or more autonomous service providers working in a collaborative manner.  Clients are assigned smart cards which are enrolled with the service providers.  Software is installed on the client side (on the desktop, or on the network servers) to provide local security services (utilizing services provisioned from the servers/cloud) to the client.

For more detailed information we encourage you to watch one or more of the videos from Synaptic Labs' cyber security video page.

Phase 1: Inter-enterprise split-path key exchange and identifier based encryption

Implementing inter-enterprise split-path key exchange (key distribution) with support for management of keys by public identifiers (identifier based encryption).  These features are required for applications that secure information while in transit (network security).  The keys are often disposed of after the communication is finished.

The public identifiers map e-mail accounts and domain names to smart cards held by users that can demonstrate control (ownership) over the account and domain names.  This is sufficient in practice for most secure Internet applications (such as secure e-mail and secure web-surfing).

Example end-user applications that can benefit from the phase 1 platform include security wrappers for today's ubiquitous standards based Internet security protocols such as secure email, secure web-surfing (SSL/TLS), secure virtual private networks (IPsec) and proprietary applications in banking and Galileo that require key management solutions suitable for use between mutually suspicious organisations.
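The two properties the page relies on, a session key that exists only when all N autonomous providers contribute (the "(N-1) out of (N)" compromise argument above) and public identifiers such as e-mail addresses that gate who may obtain a share (this Phase 1 description), can be illustrated with a small model. The code below is an added example written for this page; it is not Synaptic Labs' code and the page does not specify the construction. The XOR share combiner, the SHA-256 based key derivation, the provider/enrolment API and the e-mail identifiers are all assumptions made for the illustration.

```python
import os
import hashlib
from functools import reduce

# Constructed illustration (not Synaptic Labs' code): N autonomously operated
# providers each hold one independent share of a session secret; a client
# learns the session key only by combining all N shares. Provider names,
# the XOR combiner and the SHA-256 KDF are assumptions for this example.
N_PROVIDERS = 3


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("shares must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def combine_shares(shares) -> bytes:
    """XOR every share together: each share acts as a one-time pad over the
    rest, so no proper subset of shares reveals anything about the result."""
    return reduce(xor_bytes, shares)


def derive_session_key(shares, session_id: bytes) -> bytes:
    """Bind the combined secret to the session identifier (hash-based KDF)."""
    return hashlib.sha256(b"split-path-v0|" + session_id + b"|"
                          + combine_shares(shares)).digest()


class Provider:
    """One autonomous service provider. It knows which public identifiers
    (e-mail addresses) are enrolled and stores a per-session share together
    with the parties entitled to recall it."""

    def __init__(self, name: str):
        self.name = name
        self.enrolled = set()
        self._sessions = {}

    def enrol(self, identifier: str) -> None:
        self.enrolled.add(identifier)

    def issue_share(self, session_id: bytes, parties) -> bytes:
        for who in parties:
            if who not in self.enrolled:
                raise PermissionError(f"{self.name}: {who} is not enrolled")
        share = os.urandom(32)  # independent randomness at each provider
        self._sessions[session_id] = (share, frozenset(parties))
        return share

    def recall_share(self, session_id: bytes, requester: str) -> bytes:
        share, parties = self._sessions[session_id]
        if requester not in parties:
            raise PermissionError(f"{self.name}: {requester} is not a party")
        return share

    def insider_dump(self, session_id: bytes) -> bytes:
        """Models a compromised provider: an insider reads the stored share."""
        return self._sessions[session_id][0]


def establish_session(providers, initiator: str, peer: str, session_id: bytes) -> bytes:
    """Initiator's path: every provider issues a share; the key is assembled client-side."""
    shares = [p.issue_share(session_id, (initiator, peer)) for p in providers]
    return derive_session_key(shares, session_id)


def recall_session_key(providers, session_id: bytes, requester: str) -> bytes:
    """Peer's path: recall the share from every provider and recombine."""
    shares = [p.recall_share(session_id, requester) for p in providers]
    return derive_session_key(shares, session_id)


def colluders_can_explain_any_secret(known_shares, candidate_secret: bytes) -> bool:
    """N-1 colluding providers hold N-1 shares. For any candidate combined
    secret there is exactly one value of the missing share that produces it,
    so what the colluders hold is consistent with every possible secret."""
    missing = xor_bytes(candidate_secret, combine_shares(known_shares))
    return combine_shares(list(known_shares) + [missing]) == candidate_secret


def demo():
    providers = [Provider(f"provider-{i}") for i in range(N_PROVIDERS)]
    for p in providers:
        p.enrol("alice@example.com")   # constructed identifiers
        p.enrol("bob@example.org")
    sid = b"session-0001"
    k_alice = establish_session(providers, "alice@example.com", "bob@example.org", sid)
    k_bob = recall_session_key(providers, sid, "bob@example.org")
    # Two of the three providers are compromised: their shares explain every candidate.
    leaked = [providers[0].insider_dump(sid), providers[1].insider_dump(sid)]
    explains_all = all(colluders_can_explain_any_secret(leaked, bytes([b]) * 32)
                       for b in (0, 1, 255))
    return k_alice == k_bob, explains_all


if __name__ == "__main__":
    print(demo())
```

Both parties derive the same key only after contacting all three providers, an identifier that no provider has enrolled cannot obtain a share, and the last function makes the (N-1)-of-N argument concrete: the two leaked shares are equally consistent with every possible combined secret, so the colluders learn nothing until the third provider is also compromised.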

Phase 2: Inter-enterprise key management for data at rest

Enhancing the Phase 1 platform so that it can perform inter-enterprise key management for data at rest.  This includes managing key material for databases, tape backup, and other situations where the key must be managed over a relatively long period of time (days to years).  These keys typically have policies that enforce strict access controls to who can and cannot recall or update the keys.

End-user contexts that can use services from the phase 2 platform include: inter-enterprise collaborative management of sensitive data and smart grids.

Phase 3: International multi-attested assertions and credentials

Enhancing the Phase 2 platform by implementing international multi-attested assertions and credentials.  This will overlap the functionality of, and address the limitations of, current federated public key certificate authorities.  The purpose of this is to manage the mapping of electronic identities with actual people and organisations.


Recent News!

26 Apr 2012 - ICT Gozo Malta Project wins National Enterprise Award

The ICT Gozo Project, co-founded by The Gozo Business Chamber and Synaptic Laboratories Ltd, were joint winners of a 20,000 Euro prize in the National Enterprise Support Awards 2011, an event sponsored by the Government of Malta and the European Commission, ...

26 Apr 2012 - Synaptic Laboratories Ltd. to represent ICT Gozo Malta Project, and also to present at, the Dubrovnik Nuclear Threats and Security Conference 2012

The activities of the ICT Gozo Malta Project and Synaptic Laboratories continue to draw international attention, resulting in invitations to provide expert speakers at leading scientific events.  Recently Synaptic Laboratories Ltd., as ICT GM co-founders and project designers, were contacted by ...

28 Nov 2011 - Cyber Security and Awareness Seminar

On the 23rd November 2011 we held a unique Cyber Security and Awareness Seminar, targeted to all groups and held at MITA’s offices, who also sponsored the event.  Entrance was free with complimentary refreshments.  The seminar was organised by ICT Gozo Malta ...

16 Nov 2011 - News: Cyber Security Seminar

ICT Gozo Malta and BCS Malta to organize an International Cyber Security Seminar with bi-directional links to Brazil’s Annual Security Leaders Congress and world leading security experts.  An International Cyber Security Seminar will be held at MITA’s Offices on Wednesday ...

04 Nov 2011 - News: Participation in Brasil Security Leaders Congress

Synaptic Laboratories' Chief Technical Officer Benjamin Gittins has been invited to participate in the Annual Brasil Security Leaders Congress on the 23 Nov. 2011.  This 2 day Congress is attended by some 300 CEO/CIO/CTO level executives from public and industry ...

27 Oct 2011 - News: Gozo may have its own Silicon Valley

Just the moment you start reading this article, a new technology has been invented, produced, tested or used.  Technologies took over the way we communicate, think, travel or learn and have infiltrated human lives in a manner that no ...

12 Aug 2011 - News: ICT Gozo Malta Launch

We are pleased to announce that on 5th August 2011 the ICT Gozo Malta Project was formally launched by the Hon. Giovanna Debono, Minister for Gozo.  Speakers also ...

25 Apr 2011 - News: Government Funding for Project

The Government of Malta has provided funding, through the Eco-Gozo initiative, to launch Phase 1 of the ICT Gozo Malta Project.  Contract signing ceremony with the Honourable Giovanna Debono, Minister for Gozo.

04 Mar 2011 - News: Malta Chamber participation

The Malta Chamber of Commerce, Enterprise and Industry have added their weight and support to this project, recently confirming their participation and collaboration.

24 Feb 2011 - News: Malta Enterprise support initiative

Malta Enterprise expresses support for the ICT Cluster initiative in Gozo.  Tasked with assisting networks to develop further into business clusters, Malta Enterprise supports this initiative.

20 Jan 2011 - News: MITA participation and support

The Government's Malta Information Technology Agency (MITA) recently expressed clear support for the ICT Gozo Malta project, confirming their participation in the project to identify common goals and potential areas of collaboration.

22 Nov 2010 - News: Brazilian Banking Expertise

Brazilian banking security expert Professor Fabian Martins will assist ICT Gozo Malta to develop its members' global cyber security solution suited to the credit card market.
A Collaborative Project co-founded by PaceIT & The Gozo Business Chamber and Synaptic Laboratories Ltd


Eco-Gozo – a Better Gozo Action Plan 2010 – 2012
Project part-financed by the Government of Malta - Ministry for Gozo