Secure Channels Process Hardened Encryption and Resource Environment
With all of the recent cyber leaks, account breaches, unauthorized disclosures, and the like, it would be fair to say that present data security is not only failing but has failed, and that it does not seem to matter what type of intrusion protection or security a system has. Eventually, as the news has shown, someone is going to get to the data in a manner that is unauthorized, illegal, or simply unwarranted, or any combination thereof. The question has to be asked: “Is the data worth protecting, and if so, how can it be done?”
There are a multitude of answers out there:
- Build a fortress around the physical data storage
- Encrypt the data with FIPS-compliant standards
- Make the data unreachable from the outside
- Ensure that the people with access are authorized
The problem with these solutions is that they have all been tried and all have failed. The case of Edward Snowden is a classic example. Here was data stored at the U.S.A.’s National Security Agency (NSA), so we know it was physically surrounded by a “fortress”. It was (or should have been) encrypted with modern standards. The data was for internal use only, so there were no external breaches. Mr. Snowden was authorized to access the data. All of this, and he still stole classified data and was able to release it to the detriment of the U.S. If all possible solutions were tried and applied and the data was still breached, then is there a workable solution? The short answer is yes: SPHERE. The long answer is the following explanation of the philosophy behind SPHERE, its implementation, and its usage patterns.
As the title of this paper states, SPHERE stands for Secure Channels Process Hardened Encryption and Resource Environment. That might seem like quite a mouthful, but it is very specific and descriptive. Let’s take it apart and examine each piece.
Secure Channels is a company born out of a need discovered while working with large enterprise customers and attempting to establish, keep, and maintain the integrity and security of their data. The genesis of Secure Channels dates to the early 90’s, when one of its co-founders designed a copy-protection scheme for floppy discs that is still in use today. As the decade and the century closed, he also became deeply involved in cryptography with a world-class software company. As time went on, a certain destiny seemed to be converging, as Secure Channels’ other two co-founders were also involved in cryptography, but from other angles. A chance meeting in Europe brought these two together, and a partnership and friendship formed out of a common interest in finding a way to use cryptography for the betterment of corporate data. Another chance meeting in Europe, years later, introduced the first person discussed above into this alliance. Over time all three separately converged on the idea of deep data security, and so Secure Channels was formed.
One of the driving forces was the patenting of the PKMS2 (Pattern Key, Multi Strength, Multi Segment) process. Once this patent was granted, Secure Channels suddenly had in its grasp the means it had been waiting for: the ability to secure data via encryption in a way that would render the data, for all intents and purposes, unbreakable. So here was a means to secure data in a data center, but the world was changing and becoming far more mobile. PKMS2’s depth of security requires computing power that is usually not available on a mobile platform. What was needed was a similar technique that would work on mobile platforms. Fortunately, one of the early enterprise contracts required mobile platform usage, so another process was already in development. This new technique was born in the mobile world and was thus able to provide a similarly high level of security on mobile platforms. This new technique is called SHIELD, for “Secure Channels Hardened Intentional Encryption for Lesser Devices”.
By using variable-length (technically unlimited in size) passwords with selected encryption algorithms (AES, TwoFish, PGP, etc.), and keys based on the Public Key Infrastructure (PKI), it is possible to encrypt the data so as to make it unbreakable without knowing how it was encrypted. What PKMS2 does, in short, is encrypt the data in segments, with each segment’s length determined by the password or key to be used for that segment. The keys are selected according to a given pattern and used in round-robin fashion until all the data is encrypted. For deeper security, the initial data can be encrypted in its entirety before segmentation, and the final encrypted data can also be encrypted in its entirety afterwards. By segmenting the data, using ‘n’ keys/passwords, and using a pattern to run through the keys, PKMS2 renders the data virtually unbreakable. The only way to break the data is to know ALL the keys/passwords used, the pattern used to run through the keys, and whether or not initial and/or final encryption was done. Simply attacking the data cannot break it, as there is no way to know when a segment has been decrypted.
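The following is an added illustration of the data flow just described, written for this page; it is not Secure Channels code and not the patented PKMS2 process. Everything specific in it is an assumption: how a segment length is derived from its key (the paper only says the key determines it), the use of an HMAC-SHA256 counter keystream as a dependency-free stand-in for the AES or TwoFish layer, the layer labels, and the sample keys, pattern and plaintext, which are constructed here. What it shows is the structure: segments whose boundaries follow the key pattern, an optional whole-data layer before and after, and a decryptor that recovers nothing unless it has every key, the pattern, and the layer flags.

```python
"""Toy model of a segmented, pattern-keyed encryption pipeline (constructed
example; not Secure Channels' implementation of PKMS2)."""
import hashlib
import hmac

# Assumption: segment lengths lie in this range. The paper does not say how a
# key determines its segment's length, only that it does.
MIN_SEGMENT = 16
MAX_SEGMENT = 64


def segment_length_for(key: bytes) -> int:
    """Derive a segment length from the key that will encrypt that segment."""
    digest = hashlib.sha256(b"seglen:" + key).digest()
    span = MAX_SEGMENT - MIN_SEGMENT + 1
    return MIN_SEGMENT + int.from_bytes(digest[:2], "big") % span


def xor_keystream(key: bytes, label: bytes, index: int, data: bytes) -> bytes:
    """Stand-in symmetric layer: XOR with an HMAC-SHA256 counter keystream.
    It replaces AES/TwoFish only to keep the example self-contained; it gives
    no integrity protection. XOR makes it its own inverse."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        msg = label + index.to_bytes(8, "big") + counter.to_bytes(8, "big")
        stream.extend(hmac.new(key, msg, hashlib.sha256).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def segment_plan(total_len: int, keys, pattern):
    """Return (offset, length, key_index) per segment. The pattern is walked
    round-robin and each segment's length comes from the key chosen for it,
    so without the keys and pattern the segment boundaries are unknown."""
    plan, pos, i = [], 0, 0
    while pos < total_len:
        key_index = pattern[i % len(pattern)]
        length = min(segment_length_for(keys[key_index]), total_len - pos)
        plan.append((pos, length, key_index))
        pos += length
        i += 1
    return plan


def _apply_segments(data: bytes, keys, pattern) -> bytes:
    out = bytearray()
    for i, (pos, length, key_index) in enumerate(segment_plan(len(data), keys, pattern)):
        out += xor_keystream(keys[key_index], b"seg", i, data[pos:pos + length])
    return bytes(out)


def layered_encrypt(data, keys, pattern, pre_key=None, post_key=None) -> bytes:
    """Optional whole-data layer, then per-segment layers, then optional outer layer."""
    if pre_key is not None:
        data = xor_keystream(pre_key, b"pre", 0, data)
    data = _apply_segments(data, keys, pattern)
    if post_key is not None:
        data = xor_keystream(post_key, b"post", 0, data)
    return data


def layered_decrypt(data, keys, pattern, pre_key=None, post_key=None) -> bytes:
    """Undo the layers in reverse order; every key, the pattern and the layer
    flags must match what the encryptor used."""
    if post_key is not None:
        data = xor_keystream(post_key, b"post", 0, data)
    data = _apply_segments(data, keys, pattern)
    if pre_key is not None:
        data = xor_keystream(pre_key, b"pre", 0, data)
    return data


# Constructed sample inputs (not from the paper).
SAMPLE_KEYS = [b"orchid-47", b"basalt-eleven", "桜が咲く".encode("utf-8")]
SAMPLE_PATTERN = [0, 2, 1, 1, 0]
SAMPLE_TEXT = b"Quarterly ledger line, constructed sample record. " * 20
PRE_KEY = b"inner-wrap-key"
POST_KEY = b"outer-wrap-key"


def demo() -> dict:
    """Round-trip with the full secret set, then with pieces missing."""
    ct = layered_encrypt(SAMPLE_TEXT, SAMPLE_KEYS, SAMPLE_PATTERN, PRE_KEY, POST_KEY)
    full = layered_decrypt(ct, SAMPLE_KEYS, SAMPLE_PATTERN, PRE_KEY, POST_KEY)
    wrong_pattern = layered_decrypt(ct, SAMPLE_KEYS, [0, 1, 2], PRE_KEY, POST_KEY)
    no_outer = layered_decrypt(ct, SAMPLE_KEYS, SAMPLE_PATTERN, PRE_KEY, None)
    return {
        "ciphertext_len": len(ct),
        "roundtrip": full == SAMPLE_TEXT,
        "wrong_pattern_recovers": wrong_pattern == SAMPLE_TEXT,
        "missing_outer_layer_recovers": no_outer == SAMPLE_TEXT,
        "segments": len(segment_plan(len(SAMPLE_TEXT), SAMPLE_KEYS, SAMPLE_PATTERN)),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the point the paragraph makes from the defender's side: with the same keys but the wrong pattern, or with the outer layer omitted, the output is not the plaintext. Note that in this toy the stand-in cipher is what actually hides the data; the segmenting and pattern only decide which key covers which bytes, so in a real deployment the strength of the underlying ciphers and the secrecy of the keys remain the foundation.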
As was mentioned earlier, SHIELD is not yet fully covered by patent, so details here will be shallow. SHIELD focuses on symmetric keys and thus can be quick on mobile platforms. SHIELD uses multiple proprietary mathematical filters to encrypt the data. In addition to the more than 350 mathematical patterns available, SHIELD can also use industry-standard patterns such as AES-256. The speed of SHIELD is such that 21 filters can be applied to a 165K data file, using keys no smaller than 64K, in less than one second. It is this speed that allows SHIELD to be used in mobile scenarios. So with PKMS2 patented and SHIELD about to be patented, Secure Channels needed to draw all of its work together under one platform, and thus SPHERE was developed.
What is needed to resolve a number of security issues is not to physically surround the data center but to digitally surround the data. SPHERE’s design wraps the data in such a way as to make it utterly useless without full knowledge of a number of factors. In the past, digital data security has relied solely on the encryption pattern and the key. If the pattern is known and the key is known, then the security of the data is zero. Where SPHERE differs is that it wraps layered processes around the data in such a way that decrypting it takes:
- Knowledge of the manner in which the layers were applied
- Knowledge of the standard and proprietary encryption patterns
- Knowledge of all of the keys used
- Knowledge of the pattern by which the keys were applied
- Knowledge of the customer-defined ‘uniqueness’ of the processing
The data resource is wrapped or enveloped in such a way that it creates an incalculable number of combinations to try when decrypting, and thus renders the data virtually unbreakable.
Secure Channels has, through acquisition, acquired a fully functional cloud-based, OS-like platform that is fully MFA-based and exposed via REST and WS-* APIs. This platform was designed to run fully standalone in the cloud, but it was also branched to run privately in a corporate data center. This platform is the basis for SPHERE. Because of the flexibility of SPHERE, an entire scripting language was developed to drive the encryption process. These scripts can be completely unique per customer. Each encryption function is fully standalone, so each script can be composed in an almost unlimited number of patterns. One customer might encrypt their data with a script that specifies functions A, B, C, whereas another customer might specify the same functions in the order B, A, C. This flexibility adds immeasurable depth to the security of the data. One customer might use pictures for passwords whilst another might use Japanese phrases. Since SPHERE places no limit on the number of functions, the number of keys/passwords, or the size of those keys/passwords, the ability to encrypt data to an unbreakable level is strictly under customer control. With the depth of PKMS2 and the speed of SHIELD, Secure Channels finds that it can deploy its security systems into enterprise data centers, PC workstations, or mobile devices. The sky truly is the limit, since SPHERE is about enabling the customer to secure and encrypt THEIR data THEIR way and under THEIR control.
The question was asked earlier: “Is the data worth protecting, and if so, how can it be done?” Secure Channels has developed SPHERE such that the answer to that question is a resounding yes. As has been seen in the news, we can assume data will be stolen, but by applying SPHERE to the data, the data itself becomes meaningless outside of a SPHERE-enabled system.