
Portable encryption technologies at Sandia


Presentation Transcript


  1. Portable encryption technologies at Sandia
     Jeremy Baca, Cyber Security Technologies Department, Sandia National Labs
     Sandia is a multiprogram laboratory operated by Sandia Corporation, a Lockheed Martin Company, for the United States Department of Energy's National Nuclear Security Administration under contract DE-AC04-94AL85000.

  2. Topics I will cover
     - Entrust ESP 8 for e-mail encryption
     - Credant deployment
     - IronKey pen drives
     - Other software encryption technologies
     - Hardware encrypted hard drives
     - BlackBerry S/MIME integration
     - BlackBerry Enterprise Server encryption
     - Entrust Messaging Server (EMS)
     - PKI integration with the new HSPD-12 badge

  3. Entrust ESP 8 for E-mail Encryption
     - Sandia has done interoperability testing with ESP and the old client and found no major issues with e-mail between the two systems
     - Tested the ESP client on our currently deployed OS of XP with Office 2003 and Office 2007, and on Vista with Office 2007
     - Changed from SHA1/3DES algorithms to SHA256/AES256
     - Sandia started deployment of Entrust 8 via SMS on April 23
     - Sandia has deployed Entrust 8 to over 6,800 computers with a 12% call rate to our help desk
     - We currently have about 1,800 computers to go, with the majority of users hitting cancel when prompted to install

  4. Credant Deployment
     - Sandia deployed Credant as its data-at-rest encryption solution
     - We implemented Credant on all mobile laptops, pen drives, and PDAs
     - Data is encrypted with common and user encryption keys defined by policy on the server
     - Keys are generated by the CMG Enterprise server and mapped to a device/user combination
     - Authentication is tied to the user's Windows login. Login options include two-factor and one-time password generators
     - Users are imported from an LDAP directory, such as the Active Directory that already exists in our enterprise
     - The initial encryption can take quite a bit of performance from the computer
     - During normal operation there is still a performance impact from this product. It is most noticeable under heavy processor use (compiles, renderings); it is generally not noticed with business apps

  5. IronKey Pen Drives
     - Sandia added the IronKey pen drives to our approved list of devices after thorough testing
     - The IronKey pen drives employ AES CBC-mode hardware encryption that meets FIPS 140-2
     - Active anti-malware protection: Secure AutoRun
     - Remote administration and policy enforcement
     - Onboard portable applications: secure web browser, secure password manager, virtual keyboard password protection for untrusted hosts, encrypted local backup
     - Remotely disable or terminate lost and stolen USB drives:
       - Deny: prohibits accessing the data on the device
       - Disable: locks out the user the next time the device connects
       - Destroy: instructs the device to initiate its self-destruct sequence

  6. Other Software Encryption Technologies
     - Sandia tested the following products as part of an NNSA research project: Credant, WinMagic, Mobile Armor Guard, BeCrypt, Utimaco, PGP Full Disk, Pointsec, GuardianEdge
     - Sandia, along with LANL, Pantex, Savannah River, KCP and Y-12, prepared a 115-page report for the NNSA on the pros and cons of each product

  7. Hardware Encrypted Hard Drives
     - Sandia evaluated Seagate FDE encrypted hard drives and WAVE management software
     - One big problem with this technology is compatibility with hardware. We found most Dell and Lenovo laptops worked with the Seagate drive
     - Key management is a major issue, and the third-party apps do not yet have a solid enterprise solution or a full set of enterprise support features
     - The Seagate drive is hardware-based AES encryption of the entire disk
     - Encryption has almost no impact on the performance of the drive

  8. BlackBerry S/MIME integration
     BlackBerry issues and functionality:
     - Directory issues with multiple CA sites
     - Inaccessible CRL files
     - Some old desktops use the Entrust message format as default and not S/MIME
     Testing at Sandia, ORNL and DOE/HQ:
     - User certificates can be imported over the wire and work properly, but we still have issues doing this over the cellular network
     - Certificate status cannot be determined cross-site using the over-the-air option (the BlackBerry device hangs or gives a stale certificate message)
     - The BlackBerry tries to communicate directly with the issuing certificate directory and will not chain through the site directories (firewalls between sites cause this to fail)
     - Had to change the master certificate specifications to include a URL CDP for the BlackBerry, since it cannot use the X.500 CDP

  9. BlackBerry Enterprise Server Encryption
     - BlackBerrys by default encrypt all data traffic over the cellular connection from the device to the BlackBerry Enterprise Server on the Sandia network
     - Voice traffic is not encrypted over the cellular connection
     - Sandia's BlackBerry policy enforces content protection, which turns on full data encryption on the device
     - We set an auto-lock timeout of 15 minutes
     - We have also set the device to wipe after ten bad password attempts
     - Our BES policy also prevents third-party applications from being installed on the device
     - We do not allow a BlackBerry to be connected to a non-Sandia computer

  10. Entrust Messaging Server (EMS)
     - Entrust Messaging Server is an additional component within the PKI infrastructure that assists users' secure e-mail by:
       - Locating others' public certificates. These may be Entrust or another PKI vendor's certificates.
       - Managing others' public certificates. Certificates will be stored on the server instead of on users' local systems.
       - Notifying others to obtain PKI certificates. Users will be notified to obtain a certificate if one cannot be found.
     - Sandia is testing with an EMS server to see what the impact will be on our environment and should have it implemented by the end of the 3rd quarter of 2009

  11. PKI integration with the new HSPD-12 badge
     - The new HSPD-12 badges have an integrated smart chip with Entrust certificates issued from EDS (PIV Authentication, Digital Signature, Key Management)
     - The new badge also contains multiple data elements for the purpose of verifying identity. They consist of a PIN, a Cardholder Unique Identifier (CHUID), one asymmetric key pair and corresponding certificate for authentication, a digital picture and two digital fingerprints
     - This data model may be optionally extended to meet agency-specific requirements. This is being looked at to possibly hold certificates for e-mail and digital signatures and for two-factor computer access

  12. Questions
