The Public Key Muddle - EEMA

The Public Key Muddle: How to manage transparent end-to-end encryption in organizations
Dr. Gunnar Jacobson
CEO
Secardeo GmbH
Business Communication
• E-Mail
  – Desktop (e.g. Outlook), Cloud (e.g. Office 365)
  – More than 50% opened on mobile devices
• Instant Messaging (IM)
  – WhatsApp/WeChat (private), Skype for Business
  – Business use growing faster than private use
• File Exchange
  – Increasing adoption of cloud storage (Box, DropBox, OneDrive, …)
• Voice over IP (VoIP)
  – Analog/ISDN is replaced by VoIP
Why do we have to encrypt?
• Allianz Top Business Risks 2015: #5 Cyber crime
  – #1: Data theft and manipulation
• Risks are caused by
  – Internal attackers (data stealing)
  – Industrial espionage (APT)
  – Intelligence agencies (data interception)
• Countermeasure: End-to-End Encryption
Public Key Encryption
(Diagram: Alice retrieves Bob's public key from a directory and encrypts the text with it; Bob decrypts the text with his private key.)
End-to-End Encryption - E2EE
E2EE Requirements
• Encryption and decryption are done by the (e-mail, IM, file-exchange, VoIP) app on the device
• Interoperability is a key issue for B2B
• Encryption is legal – without backdoors
• Completely transparent to the user
• Low effort for public key management
Key Management Challenges
(Diagram: Alice and Bob communicating over the Internet, with these questions:)
"How can I retrieve Bob's public key?"
"Can I trust this public key?"
"Is my private key available on all of my devices?"
"Do my apps work with my key?"
Trust Models
(Diagram: Alice with key KA and Bob with key KB; trust is established directly, via other users, via a Provider, or via a CA.)
• Bilateral Trust
• Web-of-Trust
• Intermediary Trust
• Hierarchical Trust
A hierarchical trust model based on X.509 certificates is the preferred model for medium & large organizations.
Public Key Retrieval
• Public keys are retrieved from
  – Keyserver
  – Certificate Directory Server
  – Intermediary (Service Provider)
• Global retrieval of any user's key is required
• Security mechanisms against address harvesting
• Manual or (better) automatic retrieval (LDAP)
Private Key Distribution
• Smartcards are secure and portable, but
  – Expensive
  – Poorly supported on mobile devices
• Software keys
  – PKCS#12 is the standard format
  – Manual distribution is difficult and costly
  – Automated key distribution required
  – Limitations caused by MDMs and Apple
E2EE Applications
• Electronic Mail
  – PGP
    – Used by individuals
    – Add-on products required
  – S/MIME & X.509
    – Widespread use by organizations
    – Supported by all major e-mail clients
• Instant Messaging (IM)
  – Poor support of XMPP E2EE with PGP & S/MIME
  – Popular products use OTR (manual fingerprint check)
Contrary requirements

Business E-Mail        | Private IM/Chat
-----------------------|---------------------
Non-Repudiability      | Repudiability
Key Recovery           | Forward Secrecy
Organisational Trust   | Bilateral Trust
Interoperability       | Proprietary Solution
Compliance             | -
E2EE Applications (2)
• File Exchange
  – PGP (used by individuals)
  – MS EFS (used within corporate domain)
  – Cloud storage (proprietary): BoxCryptor, ViiVo, …
  – Cloud storage: SecureZIP (PGP), certDrive (X.509)
• VoIP
  – Poor support of SRTP E2EE with MIKEY X.509 certs
  – Cisco SCCP supports E2EE with X.509 certs
  – Popular products use ZRTP (manual check of Short Authentication String)
Key Management for E2EE
(Diagram: applications positioned by the interoperability of their key management.)
• High interoperability: S/MIME, X.509-based key management
• Poor interoperability: standards exist, but proprietary solutions dominate
Key Management alternatives
a) Proprietary, vendor driven
  – Buy best-of-breed products
  – Use vendor-specific key management
  – Vendor/service provider will control your keys
b) Standardized, universal
  – Rely on open and well-established standards
  – Use products that support digital certificates
  – Build a universal key management infrastructure
  – Keep corporate control of your keys
Proprietary Key Management
(Diagram: one key management per product vendor.)
Different product vendors:
• Diversity of key management
• Inconsistent trust models
• High efforts for key distribution
• Loss of corporate control of keys
Universal Key Management
(Diagram, built up over several slides: a central X.509 key management infrastructure with Mobile Device Management, an xMDM Proxy and a Key Recovery Server.)
Certificate Enrollment Proxy
• Acts like a Windows CA
• Autoenrollment from Non-Microsoft CAs
• Auto-Revocation & -Modification
• Smart Key-Backup & Recovery
• Automated distribution of private keys tomobile devices
• Using accepted certificates from Public CA
Certificate Directory Server
• Automated, secure publishing of internal certificates
• Automated search for standard e-mail clients via LDAP and ActiveSync in 140 directories
• User-transparent E2EE
• Centralized trust management & validation
• Ad-hoc issuance for partners who don't have a certificate
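The slides on trust models, public key retrieval and the certificate directory server describe the same sequence from the sender's side: look up the recipient's certificate by e-mail address, validate it against the organization's trust anchors (hierarchical X.509 trust), and only then encrypt to it. The Go program below is an added example written for this page, not code from the slides or from Secardeo; it uses only the Go standard library. The in-memory `CertDirectory`, the `ResolveRecipientCert` function, the CA names and the addresses `bob@example.com` and `carol@example.net` are all constructed for the example; a real directory server would answer the same lookup over LDAP.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// CertDirectory stands in for a certificate directory server (constructed for
// this example): a lookup from e-mail address to the published X.509 certificate.
type CertDirectory struct{ byEmail map[string]*x509.Certificate }

func NewCertDirectory() *CertDirectory {
	return &CertDirectory{byEmail: map[string]*x509.Certificate{}}
}

// Publish indexes a certificate under every e-mail address in its subjectAltName.
// A certificate without an address could never be found by a mail client.
func (d *CertDirectory) Publish(cert *x509.Certificate) error {
	if len(cert.EmailAddresses) == 0 {
		return errors.New("certificate carries no e-mail address")
	}
	for _, addr := range cert.EmailAddresses {
		d.byEmail[strings.ToLower(addr)] = cert
	}
	return nil
}

func (d *CertDirectory) Lookup(email string) (*x509.Certificate, bool) {
	cert, ok := d.byEmail[strings.ToLower(email)]
	return cert, ok
}

// ResolveRecipientCert does what an S/MIME client must do before encrypting:
// retrieve the certificate, validate the chain up to one of the organization's
// trust anchors with the e-mail-protection usage, and check that the certificate
// is bound to the address actually being written to.
func ResolveRecipientCert(dir *CertDirectory, roots *x509.CertPool, email string) (*x509.Certificate, error) {
	cert, ok := dir.Lookup(email)
	if !ok {
		return nil, fmt.Errorf("no certificate published for %s", email)
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}
	if _, err := cert.Verify(opts); err != nil {
		return nil, fmt.Errorf("certificate for %s is not trusted: %w", email, err)
	}
	for _, addr := range cert.EmailAddresses {
		if strings.EqualFold(addr, email) {
			return cert, nil
		}
	}
	return nil, fmt.Errorf("certificate found for %s does not cover that address", email)
}

// newCA creates a self-signed CA, i.e. one trust anchor of a hierarchical model.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueEmailCert issues an S/MIME end-entity certificate for one address.
func issueEmailCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, email string, serial int64) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: email},
		EmailAddresses: []string{email},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyAgreement,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Scenario publishes bob's certificate (corporate CA) and carol's certificate
// (a CA the organization has not configured as a trust anchor) and returns
// whether bob resolves and the error raised for carol.
func Scenario() (bobOK bool, carolErr error, setupErr error) {
	corpCA, corpKey, err := newCA("Example Corp Issuing CA")
	if err != nil {
		return false, nil, err
	}
	otherCA, otherKey, err := newCA("Unrelated CA")
	if err != nil {
		return false, nil, err
	}
	bob, err := issueEmailCert(corpCA, corpKey, "bob@example.com", 2)
	if err != nil {
		return false, nil, err
	}
	carol, err := issueEmailCert(otherCA, otherKey, "carol@example.net", 3)
	if err != nil {
		return false, nil, err
	}
	dir := NewCertDirectory()
	if err := errors.Join(dir.Publish(bob), dir.Publish(carol)); err != nil {
		return false, nil, err
	}
	roots := x509.NewCertPool() // the organization's trust anchors: corporate CA only
	roots.AddCert(corpCA)
	_, bobErr := ResolveRecipientCert(dir, roots, "Bob@Example.com") // case-insensitive lookup
	_, carolErr = ResolveRecipientCert(dir, roots, "carol@example.net")
	return bobErr == nil, carolErr, nil
}

func main() {
	bobOK, carolErr, err := Scenario()
	fmt.Println("bob resolves:", bobOK, "| carol:", carolErr, "| setup error:", err)
}
```

Both failure modes the slides ask about ("How can I retrieve Bob's public key?" and "Can I trust this public key?") surface as distinct errors here: a missing directory entry fails at lookup, and a certificate from an unconfigured CA fails with `x509.UnknownAuthorityError` before any message is encrypted to it.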
MDM Proxy
• Solves conflicts with managed iOS
• Forwards MDM protocol messages
• Adds PKCS#12 & password to the Exchange profile
• Profile is transferred securely by
  – TLS
  – Optional E2EE of the profile
Summary
• Proprietary E2EE apps cause key management issues
• An X.509 PKI is the basis for universal corporate key management
  – Using globally accepted certificates
  – Automation of key management tasks
  – Key distribution to mobile devices
• Use E2EE apps that support X.509
  – Improve security
  – Save operational costs
  – Gain user satisfaction
Thank you for your Attention!