Post on 14-Dec-2015
transcript
©KOOLSPAN | Confidential and Proprietary
Secure CommunicationsSecured by TrustChip® Encryption Engine
KoolSpan – Samsung S-1 Corp. (SafeTalk)
©KOOLSPAN | Confidential and Proprietary
KoolSpan – SafeTalkComo estan protegiendo sus comunicaciones mas sensibles?
• Viajes al exterior (Monitoreo por parte de Gobiernos de cada pais)
• Movimiento Ejecutivo/Proteccion
• Despliegue de personal / Activos
• Postura de Seguridad Física
• Proteccion de data confidencial
• Cumplimientos Regulatorios Cumplimiento (HIPAA, SOX, FISMA, GLBA, Dodd-Frank Act)
• Politicas de Comunica Internas
• Informacion Clasificada
2
©KOOLSPAN | Confidential and Proprietary
Many Attack Vectors
Operator A Operator B
Access atNetwork FacilityTower
Spoofing
IllegalMonitoring
Unwanted Surveillanceby a Foreign Government
Hacker Exploit of Lawful Call Monitoring Taps
3rd Party Application Exploits
3
©KOOLSPAN | Confidential and Proprietary
Secure Data (TrustBox)
TrustText – Secure SMSTrustCall – Secure Voice
xI843tT 2Wz
8+/p #@RBvc
Trusted Apps – Chat, Video (TDK) etc.
WiFi
Trust Satellite
Suite de Productos
Trusted Platform
©KOOLSPAN | Confidential and Proprietary
• TrustChip® siendo la columna vertebral a traves de proteccion de hardware micro-SD
• Voz Segura, Texto y data a estandares FIPS 140-2
• Trabaja con 2G, 3G, 4G and LTE
• Funciona entre diferentes Carriers (GSM or CDMA)
• Alcance Global: En mas de 150 paises
• TrustSuite = TrustCall, TrustText, TrustBox (data)
• Llamada se convierte en VOIP (data) = Ahorros Significantes ***
S-1 trabaja con Koolspan para proveer cifradoextremo a extremo de Voz, Texto y Data
Encriptado movil de voz, texto y transferencia de data (archivos) de extremo a extremo utilizando smartphones via GSM y Wi-Fi para BlackBerry, Android y iPhone
5
©KOOLSPAN | Confidential and Proprietary
TrustCall Ecosystem
TrustBridge PBX
Android, Blackberry
or IOS Smart Phone
TrustRelay
Internet
TrustCall Desk
Any Enterprise Phone
Android, Blackberry
or IOS Smart Phone
TrustCall Desk
EnterpriseNetwork
TrustCall PC
©KOOLSPAN | Confidential and Proprietary
KoolSpan Background- Oficinas Corporativas en Area de Washington, DC
- Fundada in 2003
• 16 Patentes, 32 Pendientes
• NIST / FIPS 140-2 Solution Set
• Clientes de Gobierno y Comercial
• Clientes en mas de 60 Countries
• Soluciones Robustas y con varios Premios de Industria
• Mencionado en libros de espionaje y accion
©KOOLSPAN | Confidential and Proprietary
ComponentesTrustChip®
Data StorageNAND Flash
CPUMemory S
D In
terfa
ce
CryptoEngine
KoolSpanFirmware
Hardened 32-bit
Processor
SecureKey
Storage
microSD“Mobile Encryption Engine”
• Hardened, self-contained security
• No puede ser reprogramado
• Todo en uno - autenticacion, adminsisttracion de claves y encriptado
• Soporte Multi-applicativo
• Puede ser Administrado Remotamente
• Compatibilidad amplia, microSD (USB con adaptador)
• Claves invulnerables al “rooting” del telefono
8
©KOOLSPAN | Confidential and Proprietary9
Call Notificatio
n
Management Notification & Communications
Call Communications
TrustCall Call Set Up
Call Set UpDevice Discovery
Carrier Network or WiFi Initiation
©KOOLSPAN | Confidential and Proprietary
Core TrustChip functions:– Add TrustGroup Installs new TrustGroup into a TrustChip– Remove TrustGroup Deletes TrustGroup from a TrustChip– Password Reset a user’s TrustChip password/PIN– Stun Temporarily disable a TrustChip– Destroy Keymatter “zeroized”, TrustChip inoperable
• Enterprise or MSS Server
• Encrypted, Remote, OTA Management
• Manages keys, users and application config
• Each transaction uniquely encrypted/sequenced to specific TrustChip – Replay Attack protection
• All transactions have complete feedback loop
Remote Key Management/Enterprise Management:TrustCenter™
©KOOLSPAN | Confidential and Proprietary
Two Factor Authentication- Algo que tiene: El TrustChip- Algo que sabe: PIN/Password hasta 120
Caracteres
TrustChip puede ser bloqueado- TrustChip <-> SIM- TrustChip <-> Dispositivo
TrustChip puede ser Inactivado/Destruido Remotamente
11
Caracteristicas de Administracion de Seguridad : TrustChip™
©KOOLSPAN | Confidential and Proprietary
SeniorStaff
EncryptedKey
Storage
TrustGroups® enable Communities of Interest (COI) to communicate securely
TrustGroups® are…• Collections of 1,024 256-bit Symmetric Keys• Shared by all TrustGroup members• Used for authentication • Securely loaded OTA by TrustCenter• Never exposed outside TrustChip during use• Each TrustChip can support 45 TrustGroups• There is no implied trust between groups
Sales
IT
ProposalTeam
ProjectX
DoD-FBI
FBI-NYPD
KoolSpan All
Fireteam2
Remote Key Management/Enterprise Management:TrustGroups®
©KOOLSPAN | Confidential and Proprietary
Use of Multiple TrustGroups® for Secure Voice
UniversalTrustGroup
Operations
Executive
AliceSr. VP
CarlosPartner
UniversalTrustGroup
BobDirector
Operations
Universal TrustGroup
UniversalTrustGroup
Information Systems
Executive
DaveVP
©KOOLSPAN | Confidential and Proprietary
• IP-based (Carrier Networks, Wi-Fi, SATCOM (IP)
• Carrier-Grade: Official Secure Voice for AT&T (Encrypted Mobile Voice)
• Cross-Carrier: GSM (AT&T, T-Mobile, INTNL), CDMA (VZW, Sprint)
• Cross-Platform: Blackberry, Android (Various), iPhone (Q3/4)
• Hardware-Anchor: Defendable TrustChip Engine
• Low Profile: Standard Devices, Simple App, Discreet Chip
• Easy Management: Remote OTA (TrustCenter)
• Scalable/Flexible/COI Focus: (TrustGroups)
• Rapid Deployment: Relay Server
• SBU-Grade: AES-256 Encryption (FIPS 140-2)
• Peer-to-Peer: Seamless Encryption
TrustCall Secure Voice
©KOOLSPAN | Confidential and Proprietary
Low bandwidth consumption◦ Approximately 16Kbps, full duplex
◦ 100 minutes of calling uses about 23.4MB of data
◦ Designed to support GSM Edge network bandwidth capabilities
Low power consumption◦ Only connects to relay server during calls
Proprietary VoIP Gateway/relay server◦ Very low overhead
◦ SMS/KNS used for call setup/peer call request
TrustCall Secure Voice
©KOOLSPAN | Confidential and Proprietary
Cellular Operator Network/Internet
Secure Voice<<UDP>>
Secure Voice<<UDP>>
16
Secure VoIP Bridge- Call Set up- Notification
Service
PBX
Internal EnterpriseNetwork
SIP/RTP
TrustBridgeEnable Secure Mobile to Desktop conversations PBX
Integration
©KOOLSPAN | Confidential and Proprietary
TrustChip Encrypted File Transfer
TrustGroups are granted and revoked
Universal TrustGroupMobile TrustGroup
©KOOLSPAN | Confidential and Proprietary
TrustChip RoadmapWhere We’re at…Where We’re Going
iPhone 4/4s and 5/5s: Jan 2013 - Launched
◦ Protective sleeve with an SD Card slot TrustBridge: Mar 2013 - Launched
◦ Enable secure Mobile to Enterprise conversations TrustText for iPhone: Q1 2014 – End of February
◦ Compatible with Blackberry and Android TrustBox: Q1 2014 – Beta now, End of February Launch
◦ Sending of encrypted attachments (file transfer and DAR) TrustCall PC: End of Q1 2014
◦ Laptops, tablets, PC and desktop phone PKI Integration (Soft Certificates/HSPD-12): Q1 2014 TrustChip App Validation/Root of Trust: Q1/2 2014
©KOOLSPAN | Confidential and Proprietary
• Eliminate Smart Card Readers: PKI functionality organic to the TrustChip
• Low Profile: No sleds, sleeves or smart cards exposed from the device
• Hybrid Key Usage: PKI for authentication, TrustGroups for encryption
• Standards Based PKI: Hardware protected derived credentials
• Certificate Security: Certificates invulnerable to jailbreaking or phone rooting
• Remote Management: Add or remove PKI certificates via the TrustCenter
• Compatibility: Ability to perform PKCS#11 and PKCS#7 operations
• TrustAPI: Exposes PKCS#7, PKCS#12 and PKCS#15 drivers
• PKI Middleware: Open SSL standards-based crypto, standard crypto libraries
• Next Step: TrustChip w/Smartcard integrated circuit – Local loading of certs
TrustChip PKI Evolution
©KOOLSPAN | Confidential and Proprietary
• App Challenge and Response: Mutual authentication between TrustChip and apps to
verify and validate that the TrustChip is present and is the correct device, and that
individual apps are intact and have not been modified or tampered.
• Application Code Signing: TrustChip will serve as an anchor and secure repository for
code/application signatures, allowing for the applications to self-validate or for
management applications to invoke validation via application signature.
• Trusted Application Installation: Application installation system in which application
packages are encrypted and wrapped with a special installation package that will only
allow the application to be installed if the device has a TrustChip with the appropriate
TrustGroup.
Root of Trust – Application SecurityHardware Anchor for Mobile Applications
©KOOLSPAN | Confidential and Proprietary
Simple set of API's and samples that allow for rapid TrustChip application development
Integrated with application as “application layer device driver”
Bilateral Protocol – Encrypted live sessions for two TrustChips
Unilateral Protocol – Encrypted data streaming (such as multicast) or file storage
Binaries licensed for redistribution
“Crypto-Enabling” AppsTrustAPI - TrustChip® Developer Kit (TDK)
Provides FIPS crypto for:
• Android J2SE+Native
• BlackBerry OS
• Win32/J2SE+Native
• Linux
• MAC OS
• Windows Mobile/Phone
©KOOLSPAN | Confidential and Proprietary
Suite B Algorithms added to TrustAPI
TrustChip PKI Support using soft certificates deployed OTA from TrustCenter
Next Generation TrustChip with integratedsmartcard
“Derived credential” – NIST FIPS 800-157
FIPS+EAL TrustChip
Today – FIPS 140-2 Level 1
2013-Q2 Q3Q22014-Q1Q42013-Q3 Q4
SuiteB
SuiteB
SuiteB
SuiteB
FIPS 140-2 Level 3 of current TrustChipSuite
B
TrustChip PKI Evolution - Roadmap
©KOOLSPAN | Confidential and Proprietary
TrustChip Dispositivos Samsung Aprobados
Galaxy S2 (I9100) Galaxy S2 (I777)
Note (N7000)
Galaxy S3 (I747)
Galaxy S3 (I9300)
Galaxy S4
Y demas dispositivos Samsung con MicroSD slot
©KOOLSPAN | Confidential and Proprietary
Android Secure VoiceSelectContact
Choose “Secure”Or “Normal” Call Connected!Incoming
Call Authenticating
24
©KOOLSPAN | Confidential and Proprietary
Android TrustText – Secure SMS
Launch TrustText App Reply Received
Choose Contact
Type MessageMessage Sent
25