PROTECT THE KEYS TO EVERYTHING

Distributed Key Protection and Making Encryption Accessible

MULTIPARTY COMPUTATION (MPC) TECHNOLOGY

• DSM splits secret keys between 2 different servers
• Cryptographic operations take place without ever bringing the key together in memory or on disk
• RSA, ECDH (ECIES), ECDSA, AES, HMAC, password verification

THE KEY IS NEVER IN ANY SINGLE PLACE TO BE STOLEN

DISTRIBUTED KEY PROTECTION (DSM)

Random key split refresh: Attacker must obtain both parts simultaneously
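The refresh property stated above, as an added sketch that is not Dyadic's code: XOR secret sharing stands in for the product's MPC protocol (an assumption), and `split`, `refresh`, `combine` and `demo` are hypothetical names. It shows that a share taken before a refresh does not combine with a share taken after it.

```python
import secrets

KEY_LEN = 32  # bytes; assumed key size for this sketch


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def split(key):
    """Split a key into two shares; each share alone is uniformly random."""
    share_a = secrets.token_bytes(len(key))
    return share_a, xor(key, share_a)


def refresh(share_a, share_b):
    """Re-randomise both shares with one fresh mask; the key is unchanged.

    In a two-server deployment the mask would be agreed between the servers;
    a single function plays both roles here (assumption of this sketch).
    """
    mask = secrets.token_bytes(len(share_a))
    return xor(share_a, mask), xor(share_b, mask)


def combine(share_a, share_b):
    """Check-only helper: an MPC deployment never recombines the shares."""
    return xor(share_a, share_b)


def demo():
    key = secrets.token_bytes(KEY_LEN)
    a0, b0 = split(key)        # epoch 0 shares (server A, server B)
    a1, b1 = refresh(a0, b0)   # epoch 1 shares after a refresh
    return {
        "epoch0_pair": combine(a0, b0) == key,
        "epoch1_pair": combine(a1, b1) == key,
        "stale_a_fresh_b": combine(a0, b1) == key,
        "fresh_a_stale_b": combine(a1, b0) == key,
    }


if __name__ == "__main__":
    print(demo())
```
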

HIGH SECURITY WITH DYADIC

Different admins on each server (mitigate insider threat and targeted credential theft)

Different operating systems (mitigate malware and zero days)

Different physical location (mitigate physical theft)

HSM vs DSM

HSMs
1. Expensive to deploy and maintain
2. Difficult to upgrade to support new algorithms
3. Not elastic; hard to scale up or scale down
4. Support only limited range of use-cases
5. Essential where regulator-mandated

Dyadic DSM – A virtual HSM
1. Easy to deploy and maintain
2. Easy to update and upgrade
3. Elastic and scalable
4. Supports wider range of use cases (e.g., cloud, endpoint)
5. Preferable where regulator doesn’t require HSM

DEPLOYMENT PROCEDURE

• Identify keys and credentials for protection
• Decide on DSM deployment configuration (admins, OSs, location, topology)
• Allocate DSM servers and install DSM software
• Install and configure DSM agents on relevant servers
• Import and/or generate keys

[Figure: Deployment. Labels: Web server, Database server, Application server, DSM Agent (x3), DSM]

Integrations

• Core Distributed Crypto Pack
  o RSA decryption and signing
  o Elliptic Curve Cryptography
  o Innovative password protection solution

• Supported APIs
  o PKCS#11 – Fully integrated with PKCS#11 Applications (e.g., Tomcat, Oracle Database TDE)
  o Microsoft CNG – Fully integrated with Microsoft products using KSP (e.g., Microsoft CA, IIS TLS/SSL, IPsec)
  o OpenSSL engine – Fully integrated with Linux products using OpenSSL (e.g., TLS/SSL, SSH)
  o DSM SDK for .NET, Java, Python and PHP

• Easy Deployment and Maintenance
  o Up and running in under 30 minutes
  o Comprehensive secured management system (disaster recovery, backup, import, elasticity)

Online Attacks Protection

• If an application server is hacked, the attacker can impersonate a legit application and use the DSM to decrypt.

• HOWEVER:
  o This is an online attack (versus offline attack) and thus the attacker has less time and a much greater risk of getting caught
  o The password protection and combined password/encryption solutions are immune
  o Password – DSM only answers YES/NO
  o Combined – Attacker must know correct password to decrypt (like application)
  o Decrypting a large DB this way takes a long time, which an attacker usually doesn’t have
  o All DSM access is audited; all decrypted records will be known, reducing attack impact
  o Built-in anomaly detection module which will block these kinds of attacks

Auditing and Monitoring

• DSM suite includes a web console for monitoring the DSM activity

• All activity management and usage is audited to a variety of configurable audit targets: DB, file, syslog, event-log, etc.

• DSM has a local audit log on each server and a combined audit log to allow tamper proof auditing

• DSM audit can be easily integrated with standard monitoring tools such as Splunk, logstash, etc.

PERFORMANCE

Dyadic DSM SSL Performance

• DSM is constructed from sets of independent pairs

• Performance of a single pair suffices for most enterprise applications

• Both scale up and scale out will have linear effect on performance

System        CPU count per machine   Password validation/sec   Decryption/sec (RSA 2048)
Small         1 x 2.1 GHz             200                       320
Medium        2 x 2.1 GHz             400                       650
Large         4 x 2.1 GHz             800                       1250
Extra large   8 x 2.1 GHz             1860                      3000

SOFTWARE DEFINED ENCRYPTION

SDE Workflow

Load database schema

Choose fields to encrypt

Provide information on chosen fields

Get wrapper code to use in applications

SDE Workflow – Setup Phase

SDE Workflow – Usage

SDE - Providing Information on Chosen Fields

SDE - Code Generation

After setting the required encryption, Dyadic generates wrapper code for easy integration. Use the generated code to call the encrypt/decrypt API before & after the SQL statements.

SDE – Security Levels (Making Customers Fully Aware)

• Standard encryption is strong, semantically secure

• To enable search by EQUALS, deterministic encryption is used; the key is different for each column

• To enable search by EQUALS with JOIN, deterministic encryption is used with the same key throughout (weaker)

• When items are unique, deterministic encryption is “fully secure” (so Very Strong again)

• Passwords are hashed and then encrypted under a strong key. They are verified (via MPC) without ever decrypting

• Order-preserving encryption is very weak; this is made explicit (with a full explanation)

• To enable JOIN with order-preserving encryption, the same key is used throughout (ultra weak)
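What the deterministic levels above reveal to someone who holds only the stored column values, as an added illustration that is not SDE's generated code: HMAC-SHA256 tokens stand in for deterministic encryption (an assumption; a real scheme must also decrypt), and the table names, column names and sample rows are constructed.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample data (not from the original deck).
CUSTOMERS_CITY = ["Paris", "Paris", "Oslo", "Paris", "Lima"]
ORDERS_SHIP_CITY = ["Oslo", "Paris", "Quito"]
CUSTOMERS_EMAIL = ["a@example.test", "b@example.test", "c@example.test"]


def column_key(master, table, column):
    """Derive an independent key per column (assumed HMAC-based derivation)."""
    return hmac.new(master, f"{table}.{column}".encode(), hashlib.sha256).digest()


def det_column(key, values):
    """Deterministic stand-in: the same key and value always give the same token."""
    return [hmac.new(key, v.encode(), hashlib.sha256).hexdigest()[:16] for v in values]


def max_repeat(tokens):
    """Largest number of rows sharing one token (frequency leakage in a column)."""
    return max(Counter(tokens).values())


def cross_matches(tokens_x, tokens_y):
    """Distinct tokens visible in both columns (cross-column linkability)."""
    return len(set(tokens_x) & set(tokens_y))


def analyse(master):
    k_city = column_key(master, "customers", "city")
    k_ship = column_key(master, "orders", "ship_city")
    k_mail = column_key(master, "customers", "email")
    per_col = det_column(k_city, CUSTOMERS_CITY), det_column(k_ship, ORDERS_SHIP_CITY)
    shared = det_column(master, CUSTOMERS_CITY), det_column(master, ORDERS_SHIP_CITY)
    return {
        # EQUALS level: repeats inside one column are visible ...
        "per_column_max_repeat": max_repeat(per_col[0]),
        # ... but columns under different keys cannot be matched to each other.
        "per_column_cross_matches": cross_matches(*per_col),
        # EQUALS with JOIN: one key throughout, so equal values line up across tables.
        "shared_key_cross_matches": cross_matches(*shared),
        # Unique items: no token repeats, so equality reveals nothing.
        "unique_column_max_repeat": max_repeat(det_column(k_mail, CUSTOMERS_EMAIL)),
    }


if __name__ == "__main__":
    print(analyse(b"\x01" * 32))
```
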

SDE – Summary

• Many customers do not encrypt due to difficulty
• SDE makes encryption easy
• No expertise at all necessary
• SDE automatically generates best encryption method based on functional requirements

• All keys are protected by the DSM

• The result:
• No encryption knowledge needed
• No headache about where to store the key
• Minimal changes to database (types do not change)
• No one has a reason not to encrypt databases anymore

STRONG MOBILE AUTHENTICATION

THE PAYMENT SECURITY CHALLENGE

• Online transactions require strong authentication to prevent malicious activities
• Users are reluctant to use mechanisms that force them to change the way they work
• Cumbersome security mechanisms lead to missed business opportunities

ELIMINATE THE SECURITY VS. BUSINESS NEEDS CONFLICT

DISTRIBUTED MOBILE AUTHENTICATION

• Authentication and transaction signing by using a private key distributed between the mobile device and server(s) on premise
• Based on digital certificate, optional two factor authentication (device + PIN code)
• No single point of compromise
• Built in non-repudiation – server alone cannot perform operations
• Strong security, transparent to the user

Transaction Signing

[Figure: Transaction signing, steps 1 to 3. Labels: Transaction Request; User A – Key Part a; Dyadic; Server; Key Part b for User A, User B, User C, User D, User E, User N; Signed Transaction]

Transaction Signing - Push

[Figure: Push-based transaction signing, steps 1 to 4. Labels: Laptop; Transaction Request; User A – Key Part a; Distributed Signing; Dyadic; Server; Key Part b for User A, User B, User C, User D, User E, User N]

MOBILE AUTHENTICATION - SECURITY

• Protection from device loss, theft and counterfeiting/replication
• Secure mobile-based transaction approval
• Does not disrupt existing user flows
• Immediate signing key revocation upon a security incident
• No need for physical tokens/smartcards

MOBILE-BASED OTP

• Secure one-time-password (OTP) generation
• PKI-based, OTP is generated on mobile and signed jointly by mobile and by the Dyadic server
• Signing private-key is distributed between mobile device and a server on premise, eliminating single points of breach
• PKI-based means server breach does not lead to full compromise

Enhancing Existing OTP Using MPC

[Figure: Enhancing an existing OTP deployment using MPC, steps 1 to 4. Labels: User A – Key Part a; OTP; Application Server; Dyadic; Dyadic Aux; Key Part b for User A, User B, User C, User D, User E, User N; Existing Auth. Server; Verify OTP]

STRONG SECURITY

• Stolen device –
  o Server-side revocation immediately renders stolen device useless
  o Optional PIN-code for two-factor authentication

• Malware on device – all transactions pass through Dyadic server, enabling auditing and anomaly detection

• Device cloning – key distribution is constantly refreshed. Refresh requests from different sources lead to immediate revocation

SUMMARY

THE DYADIC SOLUTION

PROVIDES EASY AND STRONG SECURITY IN VIRTUAL ONLY ENVIRONMENT

STRONG SECURITY
Secrets are transparently operational for all legitimate uses, but are inexistent for attackers

ENCRYPTION MADE EASY
Platform agnostic, used through configuration or through a simple API

EXTENSIVE PROTECTION
Single installation protects multiple use-cases

THANK YOU