CompuSec e-Identity for Government

CompuSec® e-Identity

Security Suite


CompuSec® e-Identity® is a Security Suite that protects Notebook and Desktop PCs in government environments. It provides Access Control, Single Sign On, Hard Disk Encryption, CD encryption, File Encryption, Network Encryption and VoIP Encryption. CompuSec® e-Identity® comes with an e-Identity® security device, either a smart card with USB reader or a USB token. The product provides security when the computer is lost, when storage media is stolen, and for data transmitted through unsecured channels.


Application


CompuSec® e-Identity® is made for government customers who want more than just password protection. The high level of security achieved is combined with a flexible and transparent mode of operation. Individuals, small groups of users as well as large organizations use the product. CompuSec® e-Identity® combines a set of essential security functions, giving users the option to configure the product to their own needs. Large organizations manage CompuSec® using features such as unattended installation, centralized rollout, support for disk images, central software distribution, service functions and central user management.

 

Encryption Algorithm Overview


  • AES for applications where standard algorithms are accepted (Training, etc.)
  • Custom defined algorithms with 256 bit key length (shorter keys are not supported)
  • Substitution-Permutation Network based on the Rijndael algorithm
  • 16 proprietary S-Boxes for state substitution and round key generation
  • Adjustable encryption rounds between 14 and 29 rounds (Available 9-2010)
  • ECC public key algorithm for DataCrypt

 

Cryptography


CompuSec® e-Identity® can be used with custom defined algorithms following the basic design principles of AES. Sixteen proprietary S-Boxes can be used instead of the single, publicly known standard AES substitution box. The key length is fixed at 256 bits. Short keys of 128 or 192 bits are not supported. The number of rounds is adjustable from 14 to 29. A higher number of rounds decreases performance proportionally. The generation of the round keys uses all 16 S-Boxes. Whenever the standard AES box is used, the algorithm is 100% compatible with the FIPS-197 standard.



Protection Mechanisms


When the PC is switched off all key material and algorithms are lost from the volatile main memory after a relatively short time. No keys or algorithm data are stored in the PC itself. All secrets are contained in the e-Identity token or the smart card. The e-Identity releases these secrets only after a successful authentication. The secrets are still safe when an e-Identity is lost but the password is kept secret.


During run time the keys and the algorithm are inside the hard disk encryption driver. All sensitive encryption is performed inside this driver. The driver memory is not accessible from applications. Swap files and Hibernation files are also encrypted.

 

 

Password Management

 

The password strategies can be defined according to the organizational need. This includes password lifetime, password usage count, password change options, minimum and maximum length and more. In situations where passwords are forgotten, a challenge-response procedure with the GlobalAdmin station provides an easy and secure method for users to obtain their new password.



Single Sign On


Two alternatives for Single Sign On are provided. In the first method, the e-Identity® of the user stores the system logon password together with the user ID and the domain name. This replaces the traditional logon procedure at the operating system. The second and more advanced method provided by CompuSec® e-Identity® uses a digital certificate of the user together with its private key inside the e-Identity®. This certificate-based logon at the domain server is the preferred way for domain users and is fully integrated into the Microsoft operating systems. The certificate-based Single Sign On requires the GlobalAdmin station, which may be used as a full Certification Authority (CA). Lotus Notes users will store their ID file in the e-Identity® and also use the certificates of the e-Identity®.



Full Hard Disk Encryption


The hard disk encryption of CompuSec® e-Identity® uses a fast implementation of the Rijndael algorithm. The hard disk encryption includes the operating system. Multiple operating systems are supported on a single computer. The initial encryption can be performed before the computer is used by the user, or transparently in the background, allowing the user to work on the PC, interrupt the encryption process and shut down the computer at any time. The support of the hibernation mode is very important to mobile users. Hibernation of the PC requires the contents of the RAM to be stored in a hibernation file on the hard disk before the PC is powered down. When the PC is restarted, the contents of the hibernation file are loaded into the RAM. When coming out of hibernation, the user is required to authenticate again to decrypt the encrypted hard disk key before resuming work on the PC. As such, it is safe to use the hibernation mode on the machine. Most hard disk encryption products in the market do not support this mode.



Encryption of Removable Media, CD-ROM and DVD


CD / DVD and other removable media devices such as Memory Sticks and USB thumb drives can be encrypted by CompuSec® e-Identity®. The encryption for CD / DVD uses the CDCrypt feature to support internal and external CD burners. With central administration, an encryption policy may define whether a user may or may not switch the mode from encrypted to non-encrypted when using such devices. As such, an organization can easily enforce a policy to use only encrypted Removable Media Devices and CD-RW / CD-R / DVD to minimize the threat of data theft. Such encryption is unobtrusive and does not change the way the user works with these devices.



Encryption of Individual Files - DataCrypt


CompuSec® e-Identity® includes a module called DataCrypt that enables users to encrypt individual files. DataCrypt enables users to encrypt mail attachments and send them via email, ftp etc. The data travels safely over whatever medium is chosen, allowing CompuSec® users to safely exchange files. DataCrypt can also be used as a software module and can be forwarded to other users without a license, free of charge. DataCrypt employs Public-Key-Cryptography based on elliptic curves to generate keys for encryption and decryption. DataCrypt also uses a new technology called 'Sealing' that hides all structures in the header of the encrypted file, giving additional protection against 'traffic analysis' during transport.



Email Signing & Encryption


CompuSec® e-Identity® provides the necessary encryption modules to encrypt and sign e-mail using Microsoft Outlook, Outlook Express or Lotus Notes. The required digital certificates for e-mail security are stored in the user's e-Identity®. The cryptographic software comes with a signed Cryptographic Service Provider (CSP). The e-mail security module uses the S/MIME standard to guarantee interoperability with users who do not yet use CompuSec®.



Encryption of Server Files & Subdirectories - SafeLan


File and Directory Encryption with CompuSec® e-Identity® can be performed for local or network files and/or directories. This function, called SafeLan, ensures that all files written or copied into the encrypted directory are automatically encrypted while remaining completely transparent to the end user. This also means that a user without an authorized directory key will not have access to the directory and will also be unable to see the files. This function is used to separate users of the same file server in a strong cryptographic way and also ensures that server administrators cannot see the contents of the encrypted files. SafeLan supports NTFS, Novell, FAT and network based file systems.



Encryption of Voice Communication - [ClosedTalk]™


[ClosedTalk]™ is a component of CompuSec® e-Identity® used for encrypted voice communication between CompuSec® users. The built-in sound system of the computer is used for [ClosedTalk]™. No IP telephone is needed. [ClosedTalk]™ uses the Internet to transport the voice data from one user to the other. E-mail addresses are used to contact communication partners. An e-mail address is self-explanatory and easier to remember than traditional phone numbers. [ClosedTalk]™ uses a gatekeeper service to find the communication partner on the network. An ECC Diffie-Hellman key generation protocol is used to provide secure session keys for each talk.



Identity Management


CompuSec® e-Identity® manages the identity of the user for applications. For existing applications requiring passwords, CompuSec® e-Identity® learns the users' passwords, stores them in an encrypted format and automatically inserts the correct password into the application when required. This is available for local and web-based applications.



Advanced VPN Client For Secure Connection to Government Networks


CompuSec® e-Identity® provides IP encryption for WAN and LAN users. An enhanced IPSec client is a selectable function of CompuSec® e-Identity®. The IP encryption client supports pool address modes, data compression, multiple dial-in points and other features, which are explained in detail in our Cryptor product literature. The IP encryption of CompuSec® needs a Cryptor of the government product line as its counterpart in the network.



IP Network Encryption Compatibility


CE-Infosys Government network encryption products work seamlessly with each other. This requires that the products are using the same algorithm and share the same keys. Both are 100% under customer control. The following lists the encryption products that can cooperate in a government network:


  • ANIS MicroCryptor
  • ANIS GigaCryptor
  • PocketCryptor *
  • MicroCryptor *
  • PowerCryptor *
  • GigaCryptor *
  • IPCrypt Client * using e-Identity token or smart card
  • CompuSec * using e-Identity token or smart card

* Government Version



Installation & Management


CompuSec® e-Identity® for Government is managed by a central management station. This GlobalAdmin station manages all the CompuSec® e-Identity® installations and provides functions for unattended installations, automatic software rollout and software update, remote password reset and complete management of the VPN functions. CompuSec® e-Identity® can be used as an integrated part of an organization-wide PKI structure. Details are described in the GlobalAdmin product literature. For large organizations with multiple locations, a remote e-Identity® loading station is available. A supplementary product for the user help desk is also available to assist support staff with the remote password reset functions. Automatic synchronization with Microsoft user management and Active Directory is provided for the management of CompuSec® e-Identity®.





System Requirements

PC Notebook with Intel Architecture

Workstation with Intel Architecture


Windows 7 (64 & 32 bit mode)

Windows Vista (64 & 32 bit mode)

Windows XP


Windows Server 2003

Windows Server 2008 (64 & 32 bit mode)

Windows Server 2008R2


50 MB Free Hard Disk Space


Built-in Sound Support for [ClosedTalk]®