DigiFLAK 2013 FLAK Technologies DIGIFLAK PROJECT.
-
Upload
eliezer-bridgers -
Category
Documents
-
view
234 -
download
2
Transcript of DigiFLAK 2013 FLAK Technologies DIGIFLAK PROJECT.
DigiFLAK 2013
FLAK Technologies
DIGIFLAK PROJECT
DigiFLAK 2013
CONTENTS
DIGIFLAK PROJECT
1. SeOS – SecuritOS2. FLiC – FLAK Licensee3. LogME4. FLAKmobile5. FLAKstream6. FLAKnet
…build total digital safety zone…care for your values…login with NO passwords…be protected everywhere …prevent viruses and malware…connect to each other
HOW TO…
SeOS. Main Technology Principles
DigiFLAK 2013
SeOS (SecuritOS)SeOS is an embedded Operating System for FLAK devices which performs high-speed cryptographic calculations on big data arrays running within the FLAK Secure Core
Decryption and sign check of applications before every start
Allocation of separate secured address space to applications
Provision of special API to high-speed cryptographic accelerators to applications: DES, 3DES, AES, SHA1, SHA128, SHA256, MD5 and others
PCSC#11 standard support Multilevel key management system – key ladder
with all level keys protection from illegal access Asymmetric algorithms ECC and RSA support High-speed data filtering according to various
criteria License management technology (FLiC) support SeOS API functions support for multi application
environment
Main Functions
DIGIFLAK PROJECT
Apps SeOS
API
API
Linux
Main Core
Secure Core
SeOS
FLiC. Main Technology Principles
DigiFLAK 2013
* Secuter (Eng. Security Computer ) – a dedicated device, minicomputer with secure cores inside
FLiC (FLAK Licensee Control)DigiFlak proprietary flexible and high-capacity mechanism for processing and management of license rights to any digital data such as video, audio, software, eBooks, etc.
License processing takes place in isolated and secured environment which guarantees no illegal access to the keys and prevents license rights interference. With FLiC technology it is possible to re-encrypt data in real time which means thattechnology supports DRM (CAS) DTCP-IP and DRM (CAS) HDCP bridges.
Smart, fast and secured
DIGIFLAK PROJECT
Easy to trust and integrate
FLiC is fully consistent with the FLAK basic concept on simple and convenient usage of information security technologies. FLiC can both be used as a standalone DRM-solution (with its own software for the server side), and provide a "safe" framework for third-party CAS and DRM solutions. DRM and CAS
support
With FLic it is possible to make easy integration to with all well-known DRM and CAS solutions extending its their security
Based on theFLAK platform the FLiC technology provides a totally safe license management and mechanism to control access to all digital entities
Unique contentsecurity
FLAK secuter processes DRM-protected content and encrypts output data either according to DTCP-IP specification or to HDMI standard. In the first instance the output content can be played by a PC (a built-in player with DTCP-IP support) or transmitted to connected home devices such as TVs or tablets. The second case can be applied to the FLAK devices with HDMI interface which guarantees maximum level of protection to exclusive content. All content goes from the secuter to HDMI and can be received by any device with an HDMI support.
How it works
DigiFLAK 2013
DRM (CAS) -> DTCP-IP or HDCP BRIDGE
HIGHEST LEVEL OF PROTECTION FOR VALUABLE CONTENT WITH A “CONTENT PROVIDER – USER
SCREEN” SCHEME!!!
DIGIFLAK PROJECT
Isolated trusted environmentTablet
Content provider
DRM protected content
HDCP iDTV with HDMI
PC with a DTCP player
DTCP-IP encryption
In most cases a license for commercial software looks like a file with different parameters used: permissions / restrictions of operations, license duration, number of users, etc. The license file which is unique to each copy of software is stored within a protected memory of FLAK secuter and can never be extracted outside. All transactions with licenses (installation, control, update, review) are executed in an isolated environment of the secuter with either a FLiC software module or software developers’ module. !NB Developers can move part of the basic software functionality into the secuter which is strongly recommended !!!
How it works
DigiFLAK 2013
SOFTWARE PROTECTION
FORGET THE PROBLEM OF YOUR SW ILLEGAL DISTRIBUTION OR USAGE!!!
Isolated trusted environment
Software running on PC
License server
SW License providing
PC-Secuter protected session
License storage
DIGIFLAK PROJECT
LogME. Threats and Recommendations
Use only “rules to follow” passwords
Limit number of wrong password entries
Don’t save passwords on PC Don’t login via keyboard Check source of WEB login
form
Don’t store passwords on WEB servers
Use open/public keys and certificates methods for authentication
Provide maximum security to the email account itself
Password lexical algorithms’ match
Password theft from user PC (imitation, key loggers, browser cash
analyzers)
Password theft from WEB service servers
All user accounts are dependent on email
account security
DigiFLAK 2013
DIGIFLAK PROJECT
Are you really able to follow all these mazy rules???
No less than 20 random symbols’ auto-password generated by hardware facilities of the FLAK secuter;
Password is unique for every user account; User doesn’t know the password; Password never comes out of the device secured internal core in unencrypted form; Could not be simpler and securer.
Password based and certificate based solutions are provided:
LogME. Main Technology Principles
DigiFLAK 2013
DigiFlak proprietary chrysalis intended for safe and easy authentication procedure on remote WEB sites
DIGIFLAK PROJECT
(password based)
During initial registration on a remote WEB site the secuter acquires an SSL certificate from the server. Then it initiates its own SSL session with the WEB browser (with a FLAK certificate), gets the login name from the user and generates a random password according to certain security rules. After that the secuter gets login name from the browser, encrypts both the login name and generated password and sends it to the remote WEB site. Simultaneously, the server certificate, login name and generated key are stored in a secure file system of the secuter.
Initial registration
Login procedure
1. SSL certificate acquisition
2. Login request
3. Login dispatch
6. Encrypted login name and password sending
4. Password generation
5. Certificate and login/password pair safekeeping
SSL server
SSL client
SSL client
SSL server
DigiFLAK 2013
At the next login the secuter authenticates the server with the stored certificate and if it is a success both the login name and password are sent to the server in SSL session. The user communicates with the site via the secuter certificate which is a guarantor of safe connection.
PositiveAdvantages
Following proven technology principles like secure login/password storage and easy registration/login procedures this approach allows implementation with no expenses on the server side since all sites now support password authentication.
NO SERVER MODIFICATION REQUIRED!!!
DIGIFLAK PROJECT
(certificate based)
The approach is based on mutual SSL authentication with a client-authenticated TLS handshake. The client certificate authenticates the user and instead of a password, a private key is stored in the secuter. In this case there are only public keys on the server side and their theft will not work to potential attackers.
DigiFLAK 2013
This approach solves security problems with the account data stored on the server. It also doesn’t require upgrade of the server and can be activated on the server side with a system setup.
1. SSL certificate acquisition
2. Login request
3. Login dispatch
5. SSL client certificate sending
4. Certificategeneration and safekeeping
SSL server
SSL client
SSL client
SSL server
Authentication
Advantages
TOTAL SECURITY PROVIDED!!!
DIGIFLAK PROJECT
DigiFLAK 2013
FLAK server siteHome
Your backup FLAKYour FLAK
Everywhere
LogME. Useful features
Data sync
With Data Sync approach you can forget about your fear to forget!
Afraid to forget your device?in bar, taxi, friend’s home, old suit..
OR
Backup with FLAK servers will allow you to enjoy mobile security as well!
Android or iOS LogME app
Your FLAK
DIGIFLAK PROJECT
FLAKstream. Main Principles
DigiFLAK 2013
FLAKstreamFLAK proprietary technology of high throughput real-time network traffic scanning and analysis powered by Kaspersky SafeStream
HOW IT WORKS
DIGIFLAK PROJECT
FLAKstream technology allows for filtering incoming and outgoing IP packets based on specified criteria and signature analysis according to given URL values. This technology efficiently implements functions of streaming antivirus, firewall, parental control, Data Leakage Prevention, etc. All incoming and outgoing IP traffic to/from the host PC is intercepted by the secuter, where all data is filtered and scanned by the FLAK engine employing dedicated hardware accelerators. After detecting a potential or real threat the secuter blocks the infected object and warns the user of a possible danger.
NO NEGATIVE INFLUENCE ON HOST PERFORMANCE.TREATS, VIRUSES AND MALWARE ARE BLOCKED BEFORE GETTING INTO PC.
FLAK Device
Internet
Untrusted Internet data
Verified internet to the user Redirect to FLAK
FirewallStream antivirusParental control
DLP
FREE WIFI
Business dinnerFLAK mobile
FLAKnet. Main Principles
DigiFLAK 2013
FLAKnetWith FLAKnet proprietary technology you can create secure virtual networks with no specific knowledge or surplus cost
HOW IT WORKS
DIGIFLAK PROJECT
With FLAKnet technology the FLAK secuter users can integrate their personal computers and mobile devices in a secure virtual network without complicated settings and profound knowledge. It is just enough to enter flak-ID of the device to be connected to the network and get a mutual confirmation on the connection. A virtual network can be based on any physical connections to Internet. The secuter will automatically determine and configure all connection settings. To compare flak-id and the current IP address of the device FLAKnet sync server is used. After setting up a connection the secuter sends information about its current IP address to the sync server and gets back information about the IP address of the connected device. Connections and network management are supported by open source software, like openVPN.
CREATE A SECURE VIRTUAL NET? FLAK MAKES IT EASY!!!
Company Headquarters
Secured Network
FLAK PRO
Business trip
FREE WIFI
FLAK Classic
FLAKmobile. Main Principles
DigiFLAK 2013
FLAKmobile DigiFlak proprietary solution, applying FLAK platform and technologies like FLiC, LogMe, FLAKstream, FLAKnet, etc. to mobile domain
Solution for USB OTG devices
DIGIFLAK PROJECT
The solution assumes FLAK mobile secuter connection to microUSB interfaces of mobile devices. The Flak Mobile (as FLAK Classic (non mobile) does) supports USB 2.0 and NFC interfaces as well as basic FLAK applications including Firewall and VPN. It doesn’t have external network interface – the FLAK driver on Host intercepts all incoming and outgoing traffic and forwards it to the secuter via a microUSB.
SMALL DIMENTIONS 1x2cm LOW CONSUMPTION microUSB INTERFACE
microUSB
NFC
FLAK Mobile. Main Principles
DigiFLAK 2013
DIGIFLAK PROJECT
This solution consists of SeOS implementation for ARM TrustZone and LogMe, FLiC, FLAKNet, FLAKstream technologies as applications for Android/IOS/Windows OS. Thus, if a mobile device supports TrustZone, then SeOS is installed as a complementary OS. The FLAK technologies are implemented as SW applications for the primary OS.
Solution for devices with ARM TrustZone or Intel TxT support
NO EXTERNAL DEVICEUSAGE OF WELL-RECOMMENDED TECHNOLOGIESFLAK APPS IN ANDROID PLAY MARKET AND IOS APP STORE
Secure OS
Within this approach the FLAK secuter is required for primary personalization of the mobile device and sync or backup of confidential information and licenses. The same approach is applicable for mobile devices with Intel Trusted eXecution Technology (Intel TxT) support
Thank you for your attention!www.digiFLAK.com
DigiFLAK 2013
DIGIFLAK PROJECT