Presentation Transcript
Portable encryption technologies at Sandia

Jeremy Baca

Cyber Security Technologies Department

Sandia National Labs

Sandia is a multiprogram laboratory operated by

Sandia Corporation, a Lockheed Martin Company

for the United States Department of Energy’s

National Nuclear Security Administration

under contract DE-AC04-94AL85000.

Entrust ESP 8 for E-mail Encryption

Credant Deployment

IronKey Pen Drives

Other Software Encryption Technologies

Hardware Encrypted Hard Drives

Blackberry S/MIME integration

Blackberry Enterprise Server Encryption

Entrust Messaging server (EMS)

PKI integration with the new HSPD12 badge

Topics I will cover

Sandia has done interoperability testing between ESP and the old client and found no major issues with e-mail between the two systems

Tested the ESP client on our currently deployed OS, XP with Office 2003 and Office 2007, and on Vista with Office 2007

Changed from SHA1/3DES algorithms to SHA256/AES256

Sandia started deployment of Entrust 8 via SMS on April 23

Sandia has deployed Entrust 8 to over 6,800 computers with a 12% call rate to our help desk

We currently have about 1,800 computers to go; the majority of those users hit cancel when prompted to install

Entrust ESP 8 for E-mail Encryption

Sandia deployed Credant as its data at rest encryption solution

We implemented Credant on all mobile laptops, pen drives, and PDAs

Data is encrypted with common and user encryption keys defined by policy on the server

Keys are generated by the CMG Enterprise server and mapped to a Device/User combination

Authentication is tied to the user's Windows login. Login options include two-factor and one-time password generators

Users are imported from an LDAP directory such as Active Directory that already exists in our enterprise

The initial encryption pass can consume a large share of the computer's performance

During normal operation there is still a performance impact from this product. It is most noticeable under heavy processor use (compiles, renderings); it's generally not noticed with business apps

Credant Deployment

Sandia added the IronKey pen drives to our approved list of devices after thorough testing

The IronKey pen drives employ AES CBC-mode hardware encryption that meets FIPS 140-2

Active Anti-Malware Protection – Secure AutoRun

Remote Administration and Policy Enforcement

Onboard portable applications

Secure Web browser  

Secure Password Manager

Virtual Keyboard password protection for untrusted hosts

Encrypted local backup

Remotely Disable or Terminate Lost and Stolen USB Drives

Deny - Prohibits accessing the data on the device

Disable - Locks out the user the next time the device connects

Destroy - Instructs the device to initiate its self-destruct sequence

IronKey Pen Drives

Sandia did testing on the following products as part of an NNSA research project:

Mobile Armor Guard

PGP Full Disk

GuardianEdge

Sandia, along with LANL, Pantex, Savannah River, KCP and Y-12, prepared a 115-page report for the NNSA on the pros and cons of each product

Other Software Encryption Technologies

Sandia evaluated Seagate FDE encrypted hard drives and WAVE management software.

One big problem with this technology is hardware compatibility. We found that most Dell and Lenovo laptops worked with the Seagate drive

Key management is a major issue, and the third-party apps do not yet have a solid enterprise solution or a full set of enterprise support features

The Seagate drive performs hardware-based AES encryption of the entire disk

Encryption has almost no impact on performance of the drive

Hardware Encrypted Hard Drives

Blackberry Issues and Functionality

Directory issues with multiple CA sites

Inaccessible CRL files

Some old Desktops use Entrust message format as default and not S/MIME

Testing at Sandia, ORNL and DOE/HQ

User certificates can be imported over the wire and work properly, but we still have issues doing this over the cellular network

Certificate status cannot be determined cross-site using the over-the-air option (the Blackberry device hangs or gives a stale certificate message)

The Blackberry tries to communicate directly with the issuing certificate directory and will not chain through the site directories (firewalls between sites cause this to fail)

Had to change the master certificate specifications to include a URL CDP point for the Blackberry, since it cannot use the X.500 CDP point

Blackberry S/MIME integration
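The CDP change described above can be checked on issued certificates before a device ever sees them. The following is an added example, not code from the presentation or from Sandia; it assumes the `cryptography` Python library, builds constructed self-signed test certificates (one with only an X.500 directory-name CDP, one with an HTTP URL added), and flags certificates that a directory-less client could not fetch a CRL for. The CRL URL is a placeholder.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import ExtensionOID, NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec


def cdp_forms(cert):
    """Split the cert's CRL Distribution Points into URI and X.500 directory-name forms.
    Returns {'uri': [...], 'dirname': [...]}; both empty if the extension is absent."""
    out = {"uri": [], "dirname": []}
    try:
        ext = cert.extensions.get_extension_for_oid(ExtensionOID.CRL_DISTRIBUTION_POINTS)
    except x509.ExtensionNotFound:
        return out
    for dp in ext.value:
        for name in dp.full_name or []:
            if isinstance(name, x509.UniformResourceIdentifier):
                out["uri"].append(name.value)
            elif isinstance(name, x509.DirectoryName):
                out["dirname"].append(name.value.rfc4514_string())
        if dp.relative_name is not None:  # RDN relative to the issuer: directory-only too
            out["dirname"].append(dp.relative_name.rfc4514_string())
    return out


def has_url_cdp(cert):
    """True if at least one CDP is an HTTP(S) URL that a client without X.500 access can fetch."""
    return any(u.lower().startswith(("http://", "https://")) for u in cdp_forms(cert)["uri"])


def make_test_cert(dist_points):
    """Constructed self-signed certificate carrying the given CDP GeneralNames (test fixture)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "cdp-test")])
    start = datetime.datetime(2009, 1, 1)
    cdp = x509.CRLDistributionPoints([x509.DistributionPoint(
        full_name=list(dist_points), relative_name=None, reasons=None, crl_issuer=None)])
    builder = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
               .public_key(key.public_key()).serial_number(1)
               .not_valid_before(start).not_valid_after(start + datetime.timedelta(days=365))
               .add_extension(cdp, critical=False))
    return builder.sign(key, hashes.SHA256())


# Constructed CDP sets: the original X.500-only form, and the amended form with a URL added.
X500_ONLY = [x509.DirectoryName(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "CACRL")]))]
WITH_URL = X500_ONLY + [x509.UniformResourceIdentifier("http://crl.example.invalid/ca.crl")]

if __name__ == "__main__":
    for label, points in (("X.500 only", X500_ONLY), ("X.500 + URL", WITH_URL)):
        cert = make_test_cert(points)
        print(label, cdp_forms(cert), "fetchable by a URL-only client:", has_url_cdp(cert))
```

The same `has_url_cdp` check can be run over a real issued certificate loaded with `x509.load_pem_x509_certificate` to confirm the specification change took effect.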

Blackberrys by default encrypt all data traffic over the cellular connection from the device to the Blackberry Enterprise Server on the Sandia network

Voice traffic is not encrypted over the cellular connection

Sandia’s Blackberry policy enforces content protection that turns on full data encryption on the device

We set an auto-lock timeout of 15 minutes

We have also set the device to wipe after ten bad password attempts

Our BES policy also prevents third-party applications from being installed on the device

We do not allow a Blackberry to be connected to a non-Sandia computer

Blackberry Enterprise Server Encryption

Entrust Messaging Server - an additional component within the PKI infrastructure that assists users' secure email by:

Locating others' public certificates.

These may be Entrust certificates or another PKI vendor's certificates.

Managing others' public certificates.

Certificates will be stored on the server instead of on users' local systems.

Notifying others to obtain PKI certificates.

Users will be notified to obtain a certificate if one cannot be found.

Sandia is testing with an EMS server to see what the impact will be on our environment and should have it implemented by the end of the 3rd quarter of 2009

Entrust Messaging Server (EMS)

The new HSPD12 badges have an integrated smart chip with Entrust certificates issued from EDS. (PIV Authentication, Digital Signature, Key Management)

The new badge also contains multiple data elements for the purpose of verifying identity. They consist of a PIN, a Cardholder Unique Identifier (CHUID), one asymmetric key pair and corresponding certificate for authentication, a digital picture and two digital fingerprints

This data model may be optionally extended to meet agency-specific requirements. This is being looked at to possibly hold certificates for e-mail and digital signatures and for two-factor computer access

PKI integration with the new HSPD12 badge