SLIDE 1 The Public Key Muddle
How to manage transparent end-to-end encryption in organizations
CEO
Secardeo GmbH
SLIDE 2 Business Communication
- E-Mail: Desktop (e.g. Outlook), Cloud (e.g. Office 365); more than 50% opened on a mobile device
- Instant Messaging: WhatsApp/WeChat (private), Skype for Business; business use growing faster than private use
- File Exchange: increasing adoption of cloud storage (Box, DropBox, OneDrive…)
- VoIP: Analog/ISDN is replaced by VoIP
SLIDE 3 Why do we have to encrypt?
- Allianz Top Business Risks 2015: #5 Cyber crime (#1 within it: data theft and manipulation)
- Threats:
  – Internal attackers (data stealing)
  – Industrial espionage (APT)
  – Intelligence agencies (data interception)
- Countermeasure: End-to-End Encryption
SLIDE 4 Public Key Encryption
[Figure: Alice encrypts text with Bob's public key, which she obtains from a directory; Bob decrypts it with Bob's private key]
SLIDE 5 End-to-End Encryption - E2EE
SLIDE 6 E2EE Requirements
- En-/Decryption is done by the (E-mail, IM, File-Exchange, VoIP) App on the device
- Interoperability is a key issue for B2B
- Encryption is legal – without backdoors
- Completely transparent to the user
- Low efforts for public key management
SLIDE 7 Key Management Challenges
[Figure: Alice and Bob, connected over the Internet]
"Is my private key available on all
"Do my apps work with my key?"
SLIDE 8 Key Management Challenges
[Figure: Alice and Bob, connected over the Internet]
"Can I trust this public key?"
"How can I retrieve Bob's public key?"
"Is my private key available on all
"Do my apps work with my key?"
SLIDE 9 Trust Models
[Figure: Alice and Bob with their keys KA and KB; a CA and a Provider as possible trusted third parties]
- Bilateral Trust
- Web-of-Trust
- Intermediary Trust
- Hierarchical Trust
SLIDE 10 Trust Models
[Figure: Alice and Bob with their keys KA and KB; a CA and a Provider as possible trusted third parties]
- Bilateral Trust
- Web-of-Trust
- Intermediary Trust
- Hierarchical Trust
A hierarchical trust model based on X.509 certificates is the preferred model for medium & large organizations.
SLIDE 11 Public Key Retrieval
- Public Keys are retrieved from
  – Keyserver
  – Certificate Directory Server
  – Intermediary (Service Provider)
- Global retrieval of any user's key is required
- Security mechanisms against address harvesting
- Manual or (better) automatic retrieval (LDAP)
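The retrieval-and-trust check behind the questions on slides 8 to 11 (look up Bob's certificate by mail address, accept it only if it chains to the corporate CA and is bound to that address), as an added example that is not from the presentation. It uses the Python cryptography package; the CA, the users, the mail addresses and the in-memory DIRECTORY standing in for an LDAP directory server are all constructed here.

```python
# Added example, not from the slides; assumes the 'cryptography' package is installed.
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID
def issue(cn, issuer_key=None, issuer_name=None, email=None, is_ca=False):
    # Issue a certificate; self-signed when issuer_key is None (hypothetical corporate CA).
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    now = datetime.datetime.now(datetime.timezone.utc)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    b = (x509.CertificateBuilder().subject_name(name).issuer_name(name if issuer_name is None else issuer_name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now - datetime.timedelta(minutes=5)).not_valid_after(now + datetime.timedelta(days=365))
         .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    if email:  # bind the certificate to the mail address it will be looked up by
        b = b.add_extension(x509.SubjectAlternativeName([x509.RFC822Name(email)]), critical=False)
    return key, b.sign(key if issuer_key is None else issuer_key, hashes.SHA256())
CA_KEY, CA_CERT = issue("Example Corp CA", is_ca=True)
_, BOB_CERT = issue("Bob", CA_KEY, CA_CERT.subject, email="bob@example.com")
_, FAKE_CERT = issue("Bob", None, CA_CERT.subject, email="bob@example.com")  # impostor, self-signed
def der(cert): return cert.public_bytes(serialization.Encoding.DER)
# Constructed stand-in for the LDAP directory: mail address -> userCertificate (DER).
DIRECTORY = {"bob@example.com": der(BOB_CERT),       # legitimate, CA-issued entry
             "carol@example.com": der(BOB_CERT),     # mis-published: Bob's cert under Carol's address
             "mallory@example.com": der(FAKE_CERT)}  # names the CA as issuer but is not signed by it
def lookup_and_validate(directory, mail, ca_cert):
    """Retrieve the recipient's certificate; check validity period, CA signature and SAN binding."""
    der_bytes = directory.get(mail.lower())
    if der_bytes is None:
        raise ValueError("no certificate published for " + mail)
    cert = x509.load_der_x509_certificate(der_bytes)
    now = datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
    if not cert.not_valid_before <= now <= cert.not_valid_after:
        raise ValueError("certificate outside its validity period")
    try:  # hierarchical trust: only a signature by the corporate CA is accepted
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        raise ValueError("signature does not chain to the corporate CA")
    san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    if mail.lower() not in [m.lower() for m in san.get_values_for_type(x509.RFC822Name)]:
        raise ValueError("certificate is not bound to " + mail)
    return cert
def is_trusted(directory, mail, ca_cert):
    try:
        return lookup_and_validate(directory, mail, ca_cert) is not None
    except ValueError:
        return False
```

A real deployment would replace DIRECTORY with an LDAP search on the mail attribute and add revocation checking, which this example omits.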
SLIDE 12 Private Key Distribution
- Smartcards are secure and portable but
  – Expensive
  – Poorly supported on mobile devices
- Software-based private keys
  – PKCS#12 is the standard format
  – Manual distribution is difficult and costly
  – Automated key distribution required
  – Limitations caused by MDMs and Apple
SLIDE 13 E2EE Applications
- E-Mail
  – PGP: used by individuals; add-on products required
  – S/MIME & X.509: widespread use by organizations; supported by all major e-mail clients
- Instant Messaging
  – Poor support of XMPP E2EE with PGP & S/MIME
  – Popular products use OTR (manual fingerprint check)
SLIDE 14 Contrary requirements
Business E-Mail vs. Private IM/Chat:
– Non-Repudiability vs. Repudiability
– Key Recovery vs. Forward Secrecy
– Organisational Trust vs. Bilateral Trust
– Interoperability vs. Proprietary Solution
– Compliance vs. (none)
SLIDE 15 E2EE Applications (2)
- File Exchange
  – PGP (used by individuals)
  – MS EFS (used within corporate domain)
  – Cloud storage (proprietary): BoxCryptor, ViiVo, …
  – Cloud storage: SecureZIP (PGP), certDrive (X.509)
- VoIP
  – Poor support of SRTP E2EE with MIKEY X.509 certs
  – Cisco SCCP supports E2EE with X.509 certs
  – Popular products use ZRTP (manual check of the Short Authentication String)
SLIDE 16 Key Management for E2EE
[Figure: interoperability scale, from high interoperability (S/MIME, X.509-based key management) to poor interoperability (standards exist, but proprietary solutions dominate)]
SLIDE 17 Key Management alternatives
a) Proprietary, vendor driven
  – Buy best-of-breed products
  – Use vendor specific key management
  – Vendor/service provider will control your keys
b) Standardized, universal
  – Rely on open and well established standards
  – Use products that support digital certificates
  – Build a universal key management infrastructure
  – Keep corporate control of your keys
SLIDE 18 Proprietary Key Management
SLIDE 19 Proprietary Key Management
Different product vendors lead to:
– Diversity of Key Management
– Inconsistent Trust Models
– High efforts for Key Distribution
– Loss of corporate control of keys
SLIDE 20 Universal Key Management
SLIDE 21 Universal Key Management
SLIDE 22 Universal Key Management
SLIDE 23 Universal Key Management
[Figure: architecture with a Mobile Device Management component]
SLIDE 24 Universal Key Management
[Figure: architecture with Mobile Device Management, MDM Proxy and Key Recovery Server components]
SLIDE 25 Certificate Enrollment Proxy
- Acts like a Windows CA
- Autoenrollment from Non-Microsoft CAs
- Auto-Revocation & -Modification
- Smart Key-Backup & Recovery
- Automated distribution of private keys to mobile devices
- Using accepted certificates from a Public CA
SLIDE 26 Certificate Directory Server
- Automated, secure publishing of internal certificates
- Automated search for standard E-Mail clients via LDAP and ActiveSync in 140 Directories for
- User-transparent E2EE
- Centralized trust management & validation
- Ad-hoc issuance for partners who don't have a certificate
SLIDE 27 MDM Proxy
- Solves conflicts with managed iOS
- Forwards MDM protocol messages
- Adds PKCS#12 & password to Exchange profile
- Profile is transferred securely by
  – TLS
  – Optional E2EE of profile
SLIDE 28 Summary
- Proprietary E2EE apps cause key management issues
- An X.509 PKI is the basis for universal corporate key management
  – Using globally accepted certificates
  – Automation of key management tasks
  – Key distribution to mobile devices
- Use E2EE apps that support X.509
  – Improve security
  – Save operational costs
  – Gain user satisfaction
SLIDE 29 Thank you for your Attention!