Secure Sockets Layer eXtended (SSLX) Next Generation Internet Security Overview Presentation April 2011
SSLX Features and Benefits
Real-Time Security – real-time authentication of users and servers
Superior Performance – up to 300 times faster
Easy to Deploy – no certificates to distribute or manage
Easy to Use – transparent to end-users, easy for administrators
Scalable Trust – enables new business models and enhances existing ones
Federated Trust – provides flexible, dynamic networking of users and services
Transparency – uses existing SSL infrastructure without changes, and provides automatic switching to SSL if SSLX is not available
Improvements allow SSLX to be used all the time, creating a faster, safer Internet
SSLX is Next-Generation SSL
How SSLX Works – Circle of Trust
Diagram: Web Browser, Server, SSLX Public Administrator, Directory Services, Private Directory Service
SSLX Infrastructure
Diagram: Web Browser, Server, SSLX Public Administrator, Directory Service, Private Directory Service
SSLX Public Administrator: governing body awards and monitors Public Directory Services
Directory Service: trusted third party installs the DS application and database. Available: Windows server
Private Directory Service: SSLX-VPN closed-community secure communication package/device. Available: Windows server
Web Browser: user updates browser with the Add-on for Firefox
Server: site admin upgrades server. Available module: Apache mod_sslx
Enables a real-time, easily verifiable trust partnership
SSLX Summary
Superior features and benefits – open source, high quality code available for testing, pilot, demonstration and/or full production
Implementation has no obstacles – easily fits into existing infrastructure without any disruption of current SSL capability
Full documentation – method, process, architecture and code available for download, peer review, analysis, comment, correction and optimization
Quality business model – multiple parties engaged to allow a real-world community Trust Partnership
SSLX offers a successful transition to the next generation of internet security
SSLX is Next-Generation SSL
Federated Trust of Users and Services
Web applications often require dynamic collaboration among users and services. The federated trust model of SSLX allows services to be provided that can create dynamic communities of trust, so that applications can provide transaction-level security where all parties are properly authenticated in a continuous manner. Communities of trust can be ‘shared’ between individuals and their respective communities.
Enables users and services to establish a network of trust that is based on the requirements of the application, rather than fitting the application to the security model.
Community of Trust Enables Dynamic Collaboration
SSLX allows users to connect privately with other people, share data and documents online, and add or delete user access in real-time.
SSLX ensures that only authorized individuals can access the content, as defined by the content owner.
SSLX provides user-managed security for web applications using standard browser access.
How SSLX Works – Verified Setup
Diagram: Server, Web Browser, Directory Service; server VSU: required, easy, instant, as often as desired; browser VSU: optional, easy, instant, as often as desired; label: 256-bit, shared, Session Master Key
Verified Setup (VSU): Web servers (or browsers) initially authenticate to a Directory Service by providing several publicly verifiable data elements, using two distinct communication channels and two distinct data encryption mechanisms. The result is mutually authenticated, real-time, third-party trust communication.
How SSLX Works – Real-time Handshake
Diagram: Server, Web Browser, Directory Service; 1. SSLX Request, 2. Secure Replies, 3. Verify Request, 4. Secure Reply
Real-time Handshake
1. Initial SSLX communication begins with a browser request for a secure page.
2. The server securely replies with one half of the Session Master Key (SMK) to an agreed-upon DS. The server also replies securely, directly back to the browser, with the second half of the SMK and the DS identifier.
3. The browser then sends a request for the other key half to the DS, using the identifier.
4. The DS then securely replies, and the browser now has an SMK to continue secure communications with the server.
Handshakes can be done as often as required by the site or browser. There are 5 SSLX handshake security levels – a composite is shown.
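The four-step handshake above, modelled as an added example (not code from the SSLX project): the Directory Service object, the handshake identifier and the 16-byte split are constructed assumptions, and the secured channels of steps 2 to 4 are abstracted away because the slide does not describe them.

```python
import os
import hmac

# Constructed model of the four-step handshake on the slide: the server makes a
# 256-bit Session Master Key (SMK), sends one half to the Directory Service (DS)
# and the other half plus the DS identifier to the browser; the browser asks the
# DS for the missing half by identifier and reassembles the SMK. The "secure"
# channels of steps 2-4 are abstracted as function calls; the slide does not
# describe how they are protected, so no such mechanism is modelled here.

class DirectoryService:
    """Step 2 store and step 3/4 lookup of server-supplied key halves."""
    def __init__(self, ds_id):
        self.ds_id = ds_id
        self._halves = {}          # handshake id -> first key half

    def store_half(self, hs_id, half):
        self._halves[hs_id] = half

    def fetch_half(self, hs_id):
        # pop, so each handshake id is served once; a second lookup fails
        return self._halves.pop(hs_id)

def server_handshake(ds):
    """Step 2: create the SMK, split it, reply to the DS and to the browser."""
    smk = os.urandom(32)                      # 256-bit SMK
    hs_id = os.urandom(8).hex()               # constructed handshake identifier
    ds.store_half(hs_id, smk[:16])            # secure reply to the agreed DS
    browser_reply = {"half": smk[16:], "ds_id": ds.ds_id, "hs_id": hs_id}
    return smk, browser_reply                 # secure reply to the browser

def browser_handshake(reply, ds_registry):
    """Steps 3 and 4: resolve the DS by identifier, fetch half 1, rebuild SMK."""
    ds = ds_registry[reply["ds_id"]]
    return ds.fetch_half(reply["hs_id"]) + reply["half"]

def run_handshake():
    """Constructed run; returns (both sides hold the same SMK, DS half reusable)."""
    ds = DirectoryService("ds.example")       # constructed DS identifier
    registry = {ds.ds_id: ds}
    server_smk, reply = server_handshake(ds)
    browser_smk = browser_handshake(reply, registry)
    try:
        browser_handshake(reply, registry)    # repeating step 3 must fail
        reusable = True
    except KeyError:
        reusable = False
    return hmac.compare_digest(server_smk, browser_smk), reusable
```

Until step 4 completes, the browser and the DS each hold only 16 of the 32 SMK bytes, which is the property the split in step 2 relies on.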
How SSLX Works – Secure Traffic
Continuous Mutual Authentication and Data Encryption: After a successful handshake, the browser and server have a 256-bit Session Master Key (SMK), which is used in the core SSLX algorithm to provide authentication and data encryption.
Authentication: Every communication in each direction uses the SMK to generate unique authentication output that can only be verified by the other end of the established connection using the same SMK.
Data Encryption: Every communication in each direction uses the SMK to generate a unique 128-bit (or higher) AES (government standard) encryption key to secure all content. The AES key can only be recreated by the other end of the established connection using the same SMK, to properly decrypt each communication.
Diagram: Server, Web Browser
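An added example (not the SSLX project's code) of the per-message use of the SMK described above: the HMAC-SHA256 derivation, the direction labels and the per-direction counters are assumptions, and the AES encryption step itself is left out, only the key that would feed it is shown.

```python
import hmac
import hashlib

# Constructed model of the per-message step on the slide: both ends hold the
# SMK and, for every message in each direction, derive a unique 128-bit AES key
# plus an authentication output that the peer recreates with the same SMK. The
# derivation (HMAC-SHA256 over a label, direction and per-direction counter) is
# an assumption; the slide does not specify the core SSLX algorithm.

def prf(smk, label, direction, counter, data=b""):
    """SMK-keyed PRF; the label separates key derivation from authentication."""
    msg = label + direction + counter.to_bytes(8, "big") + data
    return hmac.new(smk, msg, hashlib.sha256).digest()

class Endpoint:
    """One side of the connection; each direction keeps its own counter."""
    def __init__(self, smk, send_dir, recv_dir):
        self.smk, self.send_dir, self.recv_dir = smk, send_dir, recv_dir
        self.send_ctr = 0      # next counter this side emits
        self.expect_ctr = 0    # next counter expected from the peer

    def send(self, body):
        """Returns the wire frame and the 128-bit AES key used for its body."""
        ctr, self.send_ctr = self.send_ctr, self.send_ctr + 1
        frame = {"dir": self.send_dir, "ctr": ctr, "body": body,
                 "tag": prf(self.smk, b"auth", self.send_dir, ctr, body)}
        return frame, prf(self.smk, b"key", self.send_dir, ctr)[:16]

    def receive(self, frame):
        """Returns the recreated AES key, or None when the frame is rejected."""
        # reflected (wrong direction), replayed or reordered frames fail here
        if frame["dir"] != self.recv_dir or frame["ctr"] != self.expect_ctr:
            return None
        tag = prf(self.smk, b"auth", frame["dir"], frame["ctr"], frame["body"])
        if not hmac.compare_digest(tag, frame["tag"]):   # altered content fails
            return None
        self.expect_ctr += 1
        return prf(self.smk, b"key", frame["dir"], frame["ctr"])[:16]

def demo(smk=b"\x11" * 32):
    """Constructed exchange: one good frame, then a replay, a tampered copy
    and a reflected copy, each of which the receiving side must reject."""
    browser = Endpoint(smk, b"c2s", b"s2c")
    server = Endpoint(smk, b"s2c", b"c2s")
    frame, sent_key = browser.send(b"<opaque AES ciphertext>")
    good = server.receive(frame) == sent_key
    replay = server.receive(frame) is None
    altered = server.receive(dict(frame, ctr=1, body=b"<altered>")) is None
    reflected = browser.receive(frame) is None
    return good, replay, altered, reflected
```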
How SSLX Works – Public Verification
Public Verification: At any time during a connection, either the server administrator or the web browser may check the public veracity of the Directory Service with the SSLX Public Administrator (SSLXPA). Each party can also check the public veracity of the other within the records of the DS. Public scrutiny happens in real-time, at any time.
Diagram: SSLX Public Administrator, Server, Web Browser, Directory Service; labels: Optional DS and/or WS Verification, Optional DS and/or Browser Verification
How SSLX Works
Diagram: SSLX Public Administrator, Server, Web Browser, Directory Service; labels: Verified Setup, Real-Time Handshake, Continuous Mutual Authentication & Data Encryption, Public Verification
SSLX Public Administrator
Respected, independent third party that oversees SSLX trust
Provides governance of worldwide Public Directory Services (DS) – similar to ICANN with DNS
Leads a worldwide representative Policy Board, ensuring fair representation of diverse DS community members
Determines and administers the fee structure for the community of DS
Allocates licenses for DS to operate a franchise
Provides quality control and compliance standards for DS
Authority for DS lookup, validating DS for users
Additional revenue opportunity through advertising to lookup viewers
Directory Service
Respected, independent third party that manages SSLX trust between server and browser
Provides real-time key exchange under multiple SSLX security levels
Offers public search and display of Verified Setups (VSUs) for web domains, all the way down to the individual server IP address
Offers a private repository of browser-performed VSUs, in order to mutually authenticate a specific client browser
Follows SSLXPA-directed quality control, data integrity, information protection and public display requirements
Determines and administers the fee structure for premium trust services, including extended validation
Revenue opportunities: server IP monitoring and alerts, anti-phishing, on-the-fly alerts, spoof watches, portfolio site management, advertising, etc.
If granted a sublicense, provides Private DS licensing for SSLX-VPN secure private community communication
Private Directory Service
Controlled third party, generally managed by the site content owner(s), that provides SSLX trust between servers and member browsers
Provides real-time key exchange under multiple SSLX security levels, though generally a single specified level
Offers private search and display of Verified Setups (VSUs) for member browsers, including the specific authentication credentials dictated by this private community
Offers private search and display of the VSU information for the controlled domain(s) and server(s) to the member browser
Follows its own directed quality control, data integrity, information protection and display requirements
Determines and administers SSLX User ID codes and other member credential requirements
Unique configuration of security levels, extranet connectivity, login requirements, site content layering – all can be individually configured to meet the unique requirements of the closed community