bunker mail security
TRANSCRIPT
SIMPLE. STRONG. ENCRYPTION.
Security Overview: BunkerMail encryption and key exchange
October 7, 2010 GlobalCrypto.com
© 2010. Global Crypto Systems.
Challenges with PCI-DSS
Requirement 3: (Encrypt at Rest)
“Protect stored cardholder data”
Crypto-key distribution
Requirement 4: (Encrypt in Motion)
“Encrypt transmission of cardholder data across open, public networks”
Requirement 8: (Strong Authentication)
“Assign a unique ID to each person with computer access”
We distribute crypto keys to web users
We hide the crypto credential in digital pictures (steganography!)
User credential contains (AES-encrypted):
RSA-1024 user key pair (public-private)
RSA-2048 public key for the BunkerMail application
Dual digital signatures for authentication
Authentication
Strong, multi-factor authentication
Picture = virtual smartcard
Password is never transmitted or stored
Bi-directional authentication
Sessions are encrypted using a unique AES key exchanged upon authentication (via our PKI)
HTTPS is used in addition (redundant)
globalcrypto.com/knowledge-center-overview
Encryption—end-to-end
Private Note and Attachments are encrypted with unique AES keys.
AES keys are encrypted with BunkerMail public key (RSA-2048).
BunkerMail decrypts the AES keys and re-encrypts them with the public key(s) of the recipients.
AES keys are escrowed if a user is not in the system (no public key yet).
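The four steps above describe a hybrid scheme: a per-note AES key, wrapped to the application's RSA-2048 key, then unwrapped and re-wrapped by the application for each recipient, with escrow for recipients who have no key yet. The Go program below is an added example of that flow; it is not BunkerMail's code, and Global Crypto Systems has published no implementation here. Everything it assumes is labelled: AES-256 in GCM mode and RSA-OAEP with SHA-256 (the deck names neither mode nor padding), and escrow modelled as the application holding the blob that is still wrapped to its own key until the recipient enrols. The names EncryptNote, DecryptNote, WrapKey, UnwrapKey, GenKey, KeyRelay, Forward and Enroll are mine. One property the model makes visible: at the re-wrap step the application handles the plaintext AES key, so the application server must be trusted with note contents, which is why the "secure data center", audit trail and access-control points later in the deck carry real weight.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptNote makes a fresh AES-256 key for one note or attachment and seals the plaintext
// with AES-GCM (both assumptions; the deck only says "unique AES keys"). Blob = nonce||ct||tag.
func EncryptNote(plaintext []byte) ([]byte, []byte, error) {
	buf := make([]byte, 32+12) // AES-256 key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, nil, err
	}
	key, nonce := buf[:32], buf[32:]
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, nil, err
	}
	return key, gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptNote reverses EncryptNote; it fails if the authentication tag does not verify.
func DecryptNote(key, blob []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// WrapKey encrypts a content key to an RSA public key and UnwrapKey reverses it
// (RSA-OAEP with SHA-256 is an assumption; the deck does not name the padding).
func WrapKey(pub *rsa.PublicKey, key []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
}
func UnwrapKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

// GenKey makes an RSA key pair; the deck uses 2048 bits for the application, 1024 for users.
func GenKey(bits int) (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, bits) }

// KeyRelay models the BunkerMail application: RSA-2048 application key, enrolled users' public keys, escrow.
type KeyRelay struct {
	priv   *rsa.PrivateKey
	users  map[string]*rsa.PublicKey
	escrow map[string][][]byte // per recipient: key blobs still wrapped to the application key (assumption)
}
func NewKeyRelay(priv *rsa.PrivateKey) *KeyRelay {
	return &KeyRelay{priv: priv, users: map[string]*rsa.PublicKey{}, escrow: map[string][][]byte{}}
}

// Forward is the deck's re-encryption step: unwrap the key the sender wrapped to the
// application key, re-wrap it for each enrolled recipient, and escrow it for the rest.
func (r *KeyRelay) Forward(wrappedForApp []byte, recipients []string) (map[string][]byte, error) {
	k, err := UnwrapKey(r.priv, wrappedForApp) // the application handles the plaintext key here
	if err != nil {
		return nil, err
	}
	out := make(map[string][]byte)
	for _, name := range recipients {
		if pub, ok := r.users[name]; ok {
			if out[name], err = WrapKey(pub, k); err != nil {
				return nil, err
			}
		} else {
			r.escrow[name] = append(r.escrow[name], wrappedForApp)
		}
	}
	return out, nil
}

// Enroll registers a user's public key and releases any keys escrowed for that user.
func (r *KeyRelay) Enroll(name string, pub *rsa.PublicKey) ([][]byte, error) {
	r.users[name] = pub
	released := [][]byte{}
	for _, held := range r.escrow[name] {
		out, err := r.Forward(held, []string{name})
		if err != nil {
			return nil, err
		}
		released = append(released, out[name])
	}
	delete(r.escrow, name)
	return released, nil
}
```

A sender calls EncryptNote, wraps the returned key with the application's public key, and hands the wrapped key plus the blob to Forward; each enrolled recipient unwraps its copy with its own private key and calls DecryptNote. A recipient who enrols later receives the escrowed copies from Enroll, re-wrapped to the key it just registered. Because the escrowed blob is still encrypted to the application key, escrow adds no new party that can read the key, but it does make the application key the single point whose compromise exposes every pending note.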
Ideal technical solution
Encrypts at rest
Encrypts in motion, end-to-end
Provides audit logging, robust audit trail
Housed in a secure data center
Provides encrypted, automated archival
Enforces strong, unique access controls
Simple to use