Introduction to Guardtime and KSI Blockchain - Randy D Bishop - PowerPoint PPT Presentation



SLIDE 1

Introduction to Guardtime and KSI Blockchain

Randy D Bishop

General Manager Electric Infrastructure

SLIDE 2

Guardtime KSI at a Glance

  • Systems engineering company, inventors of Keyless Signature Infrastructure (KSI) blockchain technology
  • Founded in 2007
  • 30+ patents

Technological Advantage:

  • PERMISSIONED Blockchain
  • Scales rapidly independent of the number of transactions.

Use Cases:

  • Digital and Physical Supply Chain
  • SLA Attestation and Transparency
  • Transactive energy
  • Cross platform transactions, monitoring and verification
  • Digital contracts

Competitive Advantage: A battle-hardened blockchain stack, in production since 2008 with governments and enterprises relying on the platform today.

  • NIST Crypto Algorithm Validation Program
  • Common Criteria or NIAP Accreditation
  • USAF/Lockheed ATO on classified/sensitive networks and F-35 JSF

SLIDE 3

Guardtime Infrastructure

SLIDE 4

The Challenge

Based on the lessons learned from the 2007 state-sponsored cyber-attacks, our scientists were given a challenge: re-think information governance by designing and building a massive-scale signature system for electronic data which could prove the time, integrity and identity (human or machine) without reliance on centralized trust authorities.

[Figure labels: DATA, SIGNATURE]

SLIDE 5

Information Security Model: C.I.A.

KSI Blockchain Introduction

The root cause of ineffective cybersecurity is the lack of integrity of systems, networks, processes and data. For the last 40 years, security has come to mean confidentiality of data in motion. Today, with the opening of networks, IoT, and Cloud, the integrity of systems becomes paramount.

The Absence of Compromise

[Figure: SECURITY MODEL with labels AVAILABILITY, INTEGRITY, CONFIDENTIALITY]

SLIDE 6

Why Does Integrity Matter?

| | Integrity Breach | Confidentiality Breach |
|---|---|---|
| Your car | Your braking system stops working | Your braking patterns are exposed |
| Your flight | Your plane’s instruments report that you are 1,000 feet lower than you actually are | Your flight plan is posted on Internet (note: it already is) |
| Your local power station | Critical systems compromised leading to shutdown and catastrophic failure | Your electricity bill is published online |
| Your pacemaker | Shutdown and death | Your heartbeat becomes public knowledge |
| Your home | Your security system is remotely disabled | Your smart TV is watching you… The contents of your fridge are ‘leaked’. You drink how much beer? |

SLIDE 7

Solution to the Integrity Problem: Register Digital Assets (Metadata) in the Blockchain

Keyless Signature Infrastructure

KSI signatures, linked to the blockchain, enable the properties of data to be verified without the need for trusted third parties, keys or credentials that can be compromised.

Upon verification, KSI Signature proves:

  • Signing time
  • Signing entity
  • Data integrity

SLIDE 8

The Facts of KSI

SLIDE 9

Case Study: World’s Largest Smart Grid Platform Assurance

Background:

  • Elering is an Estonian electricity infrastructure provider that runs the biggest smart grid installation in the world – over 500,000 smart meters installed.
  • Elering’s smart grid data exchange platform provides open APIs for various service providers to build their services based on gathered data.
  • Challenge: How to establish the chain-of-custody for personal user data moving through multiple service providers?

SLIDE 10

Case Study: World’s Largest Smart Grid Data Platform

[Figure labels: 500K smart meters; Big Data Platform; 24 service providers]

SLIDE 11

Case Study: World’s Largest Smart Grid Data Platform

[Figure labels: Smart metering infrastructure; Residential / commercial customer; Service provider; Big data storage & analytics; Identity management; API]

SLIDE 12

Case Study: World’s Largest Smart Grid Platform Assurance

Service Provider Liability Management

  • End-to-end forensic audit trail for all data and actions
  • Pinpointing who did what when in case of a dispute arising from data usage is quick, irrefutable and final.
  • Provides not only reactive means for liability allocation, but also shapes Service Provider behavior prior to any incidents.

Regulatory Compliance

  • Collects, stores and processes sensitive personal information
  • Natively able to independently prove to the regulators how the PII was handled
  • Simplifies compliance with regulatory requirements considerably.

Data Integrity

  • Real-time guarantee of the veracity status of the data collected, stored and processed in their data exchange platform.

SLIDE 13

Case Study: Industrial Infrastructure Assurance

Zero-day Malware Mitigation in SCADA

Problems solved:

  • Malware detection systems depend on known vulnerabilities and can’t protect against zero-day attacks, digital certificates that may or may not be authentic.
  • The monitoring systems of infected industrial infrastructure can convey tampered feedback that shouldn't be trusted.

[Figure labels: Industrial assets are OK; Zero-day vulnerability; Integrity instrumented control system; Forged certificate; Malware source; Integrity instrumented monitoring]

Data Centric Security

SLIDE 14

Case Study: DoD Identity and Access Management - IdAM

Current Environment:

  • Identities are created and distributed across many physical locations at different organizations, departments or agencies
  • Identities are created and distributed across many disconnected or independent environments such as cloud or managed services infrastructures
  • Disparate identity and access control identity data between facilities and segregated network or enterprise enclaves
  • Identity and Credential Data can be distributed in a “waterfall” manner, allowing more accidental or malicious change
  • Identity Data types and amount will grow as multifactor authentication schemes are enabled
  • Data is not cryptographically immutable such as public / private keys
  • Policy and Access Control Mechanisms suffer increased cyber threats and are becoming easier targets than centralized identity providers

SLIDE 15

Case Study: DoD Identity and Access Management - IdAM

The Challenge:

  • Create Tamper Proof evidence of key access control data such as biometric, attribute, and policy data upon creation
  • Provide KSI Signatures as distributable and highly available trust verification
  • Identity Data Provenance, from vetting, proofing, distribution and maintenance can be cryptographically bound to any type of identity data
  • Continuous verification of identity data across multiple storage zones or enclaves requires a single signature to independently verify
  • No explicit trust required to verify stored or distributed identity data
  • Full accountability and auditability of data using KSI Signatures
  • System configuration, logs, policies, and other access control components can be signed as well, providing a fully trusted platform the identities will flow through

SLIDE 16

Case Study: DoD Identity and Access Management - IdAM

MFA leverages a combination of the following factors:

  • Something You Know – password or PIN
  • Something You Have – token or smart card (two-factor authentication)
  • Something You Are – biometrics, such as a fingerprint, facial construct, voice, or heartbeat (three-factor authentication)

Secure IdAM platforms need a new factor:

  • Something You Trust – independent proof of trust and real-time tamper detection for the IdAM platform providing the MFA services

Guardtime Blockchain and KSI provide independent evidence that the platform components and identity data have integrity and can be independently verified with various methods that support both connected and disconnected systems.

SLIDE 17

Case Study: DoD Identity and Access Management - IdAM

| Characteristic | Guardtime Solution |
|---|---|
| Support multiple server and host-based operating systems | YES |
| Be immediately available and proven in a commercial environment | YES |
| Demonstrate means for operation within latent or disconnected network environments | YES |
| Demonstrated in an operational environment integrated with industry standard network domain management such as Microsoft’s Active Directory Domain Services | YES |

The Guardtime solution guarantees a scalable, interoperable authentication solution to reduce reliance on passwords and smart card-based authentication across myriad systems and applications.

SLIDE 18

Keyless Infrastructure Security Solution (KISS)

The Problem:

  • EDS operating at the grid’s edge require unprecedented levels of security and trustworthiness to verify integrity of data and manage complex transactive and DER exchanges.
  • Grid edge devices lack visibility, control and security to conduct real time energy transactions at the required speed and scale.

The Solution:

  • Atomically verifiable cryptographic signed distributed ledger to increase the trustworthiness, integrity and resilience of energy delivery systems at the edge
  • Verifies time, user, and transaction data protected with immutable crypto signed ledger
  • Autonomous detection of data anomalies and reduces burden with normalized evidence across a unified timeline for incident analysis
  • Real time response to unauthorized attempts to change critical EDS data, configurations, applications, and network appliance and sensor infrastructure

SWIFT

SLIDE 19

Conclusion

  • Guardtime’s KSI provides accessible, tamper proof evidence of data integrity for identity and access management platforms, credential and identity data
  • KSI can be used to sign the configuration files, policies and log files of the various entities in the authentication system
  • Depending on the implementation, KSI can be used to sign the credential database at various stages of authentication, thus providing a chain of custody

SLIDE 20

Thank you!

Randy D. Bishop General Manager Electric Infrastructure