• "My colleagues at MIT and I have been building simple quantum computers and executing quantum algorithms since 1996, as have other scientists around the world. Quantum computers work as promised. If they can be scaled up, to thousands or tens of thousands of qubits from their current size of a dozen or so, watch out!"

    Prof Seth Lloyd of MIT, MIT Review 2008

  • "Public key crypto key exchanges (RSA, D&H, ECC) would be flat-lined under a quantum computer attack … Open Problem"

    Brian Snow, Former Technical Director of the US National Security Agency (NSA), Public Key Cryptography 30th Anniversary Conference, Dec 2006

  • "Build-in Security: Ensure that security is considered and built into the design of new infrastructure, so that our critical assets are protected from the start and more resilient to naturally-occurring and deliberate threats throughout their life-cycle."

    Obama-Biden Plan, Agenda: Homeland Security, December 2008


Synaptic Labs' Ecosystem BUSINESS FAQ

In this section of the website we answer business-oriented questions about Synaptic Labs' unique vision for a new security ecosystem:

Why does the world need a new security ecosystem?

When will we be secure? Nobody knows for sure – but it cannot happen before commercial security products and services possess not only enough functionality to satisfy customers’ stated needs, but also sufficient assurance of quality, reliability, safety, and appropriateness for use. Such assurances are lacking in most of today’s commercial security products and services.

Brian Snow, Former Technical Director of the US National Security Agency (NSA), "We need Assurance", 2005

When we look at the standards-based and de facto standards-based security system as a whole, we can readily identify that the whole, and many of its parts, are not fit for purpose.

Case example: RFID. The vast majority of RFID devices are designed to promiscuously identify themselves to ANY reader that queries them. The RFID ecosystem has not been designed to protect the identity of users from disclosure to unauthorised persons. The clearest example is the banking RFID case, where the first generation of American RFID-enhanced credit cards discloses the full name of the card holder to anyone who asks. See also the recent RFID attack (July 2008) that compromised the security of over 2 billion smart cards.

Case example: certificate authorities. Speaking simply, certificate authorities are paid money to testify to the identity of users and web servers on the Internet: banks pay certificate authorities so that customers can validate that they are talking directly to the bank, and not to a criminal. An attack in November 2008 demonstrated that a malicious party can falsely represent itself as the 'trusted' certificate authority RapidSSL, a company owned by Verisign. This means the attackers could convince almost all users that they were ANY bank, financial institution, government organisation, or commercial website in the world. This is a fault with both (a) the choice of a weak cryptographic algorithm, and (b) ongoing structural weaknesses in the certificate authority ecosystem.

Case example: central points of failure. The certificate authority example above illustrates that a SINGLE compromised certificate authority is capable of arbitrarily forging an identity to every person that trusts that certificate authority. Another central point of security failure exists in the Kerberos federated authentication protocol. The security industry is littered with central points of failure, such as those in public key cryptography...

Case example: public key cryptography. All e-commerce and secure website browsing is performed using cryptographic algorithms that are at risk of abrupt and catastrophic failure by large code-breaking quantum computers. The arrival of such computers would be a simultaneous global security failure. Unfortunately increasing the strength / key-length of the algorithm does not protect against these attacks. To protect communications against quantum computers you must stop encrypting data using RSA, D&H and ECC asymmetric algorithms.

Large scale security failures of this kind are currently the norm in the commercial security sector. There is no question that a new security ecosystem that is fit for purpose needs to be built.

Synaptic is designing such a security ecosystem, one that comprehensively addresses all the above mentioned problems in an integrated coherent framework.

The current way in which organisations approach security can be recognised as an underlying market failure: fire-fighting security problems, silo'd implementation of technologies, uncontrolled application development practices and a failure to address systemic problems. Organisations tend to deal with one problem at a time, which results in the deployment of point solutions to treat singular problems. This failure is typical of an uncontrolled marketplace evolving with little or no co-ordination.

The security of information is concerned with the risks of information being compromised either by disclosure (confidentiality), unreliability (integrity) or being unreachable (availability); collectively this is known as information risk.
...
The methodologies that exist are inadequate and do not reveal the true holistic nature of the risks. Frameworks, tools and techniques for identifying and understanding the interdependent nature of cumulative risk within large complex infrastructures also do not exist today with any degree of usability or prospect of commercialisation.

Synaptic is designing a new Universal Security Ecosystem to address the underlying market failure that is visible in the failure of many of our standards-based or de facto standard security systems against conventional computing and low-resource attacks. Synaptic has taken a cross-discipline, cross-domain approach to identifying and harmonising the common security requirements found in similar but traditionally different application domains. Protection against quantum computers is simply "one" requirement that must be satisfied if the new ecosystem is to be Universal in nature.

You may like to read "Why have established standards that everyone trusts, why change?" above to learn more about the conventional risks facing our current security ecosystem.

Now for key management purposes (key exchanges, digital signatures), against the RSA and the Diffie-Hellman and stuff (ECC), they flat-line under a quantum computer. It’s not just a cut the key size in half.

So this becomes an invitation to the research community to get cracking lads. We need new algorithms that are robust at least to the square root factor under a quantum computer attack that can be used for non-repudiation, and public key processes. Open problem. Aching problem – work on it, please!

Brian Snow, Former Technical Director of the US National Security Agency (NSA), Public Key Cryptography 30th Anniversary Conference, Dec 2006

Synaptic is an active research, design and development company that offers the world's only scalable many-to-many key exchange based on symmetric technologies. The importance of basing the key exchange on symmetric technologies is that these techniques are already trusted by cryptographers and governments to be secure against classical and quantum computers. The combination of Synaptic Labs' key exchange technology and digital signatures based on the Lamport-Diffie-Merkle technologies presents a comprehensive high assurance solution to the open problem Snow has spoken out on.

We quote the Wikipedia page on Information Security:

The terms reasonable and prudent person, due care and due diligence have been used in the fields of Finance, Securities, and Law for many years. In recent years these terms have found their way into the fields of computing and information security. U.S.A. Federal Sentencing Guidelines now make it possible to hold corporate officers liable for failing to exercise due care and due diligence in the management of their information systems.

In the business world, stockholders, customers, business partners and governments have the expectation that corporate officers will run the business in accordance with accepted business practices and in compliance with laws and other regulatory requirements. This is often described as the "reasonable and prudent person" rule. A prudent person takes due care to ensure that everything necessary is done to operate the business by sound business principles and in a legal ethical manner. A prudent person is also diligent (mindful, attentive, and ongoing) in their due care of the business.

In the field of Information Security, Harris (Harris, Shon, "All-in-one CISSP Certification Exam Guide" (2nd ed.). Emeryville, CA: McGraw-Hill/Osborne) offers the following definitions of due care and due diligence:

"Due care are steps that are taken to show that a company has taken responsibility for the activities that take place within the corporation and has taken the necessary steps to help protect the company, its resources, and employees." And, [Due diligence are the] "continual activities that make sure the protection mechanisms are continually maintained and operational."

Synaptic is designing a low-cost security solution to manage known classical security risks such as central points of failure, and the known and highly anticipated quantum computing risk, with a higher level of assurance regarding correct operation. When Synaptic Labs' suite of products emerges on the market, the continued use of weaker information security systems will need to be carefully considered. Along similar lines of reasoning, the insurance industry is exploring how to incentivise best information security practices to encourage higher levels of information assurance for organisations and the sensitive data they are entrusted to manage.

Why should I consider a proprietary system?

In most commercial business applications it is possible to increase security by "adding an additional step" that does not modify the source code or binaries of existing business logic. For example:

  • Your system uses RSA-1024, 3DES-168 and SHA-256 to secure communications between back-end servers. Synaptic are designing solutions that are inserted between your two back-end servers and re-encrypt the sensitive commercial data using techniques that can offer 100 year security ratings. With Synaptic Labs' solution this can be achieved using the trusted SHA-256 or SHA-512 operation as the workhorse. This is similar in function to running a Virtual Private Network to secure unencrypted LAN traffic between two offices.
  • Synaptic Labs' Group, Enterprise and Universal key exchanges are designed to automatically encrypt the session key using the RSA functionality present in the smart card. This layered defense mechanism ensures that the security of the key exchange is NO WEAKER than the de facto standard RSA key exchange.
  • Long term digital signatures can be signed first with RSA, and then signed again with the Lamport-Diffie-Merkle signature scheme. This increases the digital signature length but provides a longer duration of security.

In all three cases we are performing two sets of operations: the standards-based technique, and the higher assurance technique. The security of the system will be no weaker than the standards-based technique. The primary disadvantage is that two sets of cryptographic operations now have to be performed, which may result in a small increase in communications bandwidth and latency. For the vast majority of applications this performance hit will be negligible. In applications where performance is critical, additional hardware can be used to offload the computational work and reduce latencies.
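To show the hash-based half of the dual-signing approach in the third bullet, here is an added example (written for this page, not Synaptic Labs' own implementation) of a Lamport one-time signature built only from SHA-256 and a CSPRNG, with the one-time rule enforced; the RSA layer it would be paired with is left out, and the message is a constructed sample.

```python
import hashlib
import hmac
import os

DIGEST_BITS = 256  # one preimage pair per bit of the SHA-256 message digest


def sha256(data):
    return hashlib.sha256(data).digest()


def message_bits(message):
    """Hash the message with SHA-256 and return its 256 bits, most significant first."""
    digest = sha256(message)
    return [(digest[i // 8] >> (7 - (i % 8))) & 1 for i in range(DIGEST_BITS)]


class LamportOneTimeKey:
    """Lamport one-time signature key pair.

    Private key: 256 pairs of random 32-byte preimages (x[i][0], x[i][1]).
    Public key:  the SHA-256 hash of every preimage, in the same layout.
    Signing bit i of the message digest reveals x[i][bit]; the verifier hashes
    it and compares against the published pk[i][bit].
    """

    def __init__(self):
        self._sk = [(os.urandom(32), os.urandom(32)) for _ in range(DIGEST_BITS)]
        self.pk = [(sha256(a), sha256(b)) for a, b in self._sk]
        self._used = False

    def sign(self, message):
        # A second signature with the same key would reveal the other preimage at
        # every position where the two digests differ, which lets a forger sign any
        # message whose digest is covered by the union. Refuse instead.
        if self._used:
            raise RuntimeError("Lamport one-time key has already been used")
        self._used = True
        return [self._sk[i][bit] for i, bit in enumerate(message_bits(message))]


def verify(pk, message, signature):
    """Return True only if every revealed preimage hashes to the expected public value."""
    if len(signature) != DIGEST_BITS or len(pk) != DIGEST_BITS:
        return False
    ok = True
    for i, bit in enumerate(message_bits(message)):
        # Accumulate rather than short-circuit so every position is checked.
        ok &= hmac.compare_digest(sha256(signature[i]), pk[i][bit])
    return ok


def demo():
    """Sign once, verify, reject a tampered message, then show key reuse is refused."""
    key = LamportOneTimeKey()
    msg = b"constructed sample: transfer approved"  # constructed input
    sig = key.sign(msg)
    assert verify(key.pk, msg, sig)
    assert not verify(key.pk, b"constructed sample: transfer REJECTED", sig)
    try:
        key.sign(b"second message")
        reuse_refused = False
    except RuntimeError:
        reuse_refused = True
    return reuse_refused


if __name__ == "__main__":
    print("one-time rule enforced:", demo())
```

The "Merkle" part of Lamport-Diffie-Merkle is the tree that binds many such one-time public keys under a single root so a signer can issue more than one signature; that is not shown here.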

As with all business, there are trade-offs. Security mechanisms are additional steps performed over and above the business function itself; however, the business may not be possible if the function cannot be performed without certain security assurances in place. Understandably, reworking the existing security mechanisms may not be viable or permitted at this time. In many cases current security standards must be met. Change takes time, but the security risks exist now. Adding an additional layer around existing systems to provide higher assurances, without modification to source code or change of low-level protocols, may be an excellent low-risk, low-cost short term measure to provide additional security assurances against the known security risks that may impact you, your associates and customers.

We anticipate that most commercial systems will adopt our technologies in an incremental fashion to bolster their existing infrastructure. As our technologies are deployed, gain the confidence of the industry and gain market traction the existing systems can be revised to achieve a higher level of information assurance and improved system performance.

RSA has been the dominant public key algorithm for over 25 years (2009). RSA was patented in 1977 and became the industry de facto standard shortly after its publication. RSA provided a ground-breaking service that could not be achieved by the unpatented technologies at the time of its introduction. Chances are that you and your company have relied on RSA to perform cryptographic operations. Today RSA is at risk of abrupt and catastrophic failure:

Now for key management purposes (key exchanges, digital signatures), against the RSA and the Diffie-Hellman and stuff (ECC), they flat-line under a quantum computer. It’s not just a cut the key size in half.

So this becomes an invitation to the research community to get cracking lads. We need new algorithms that are robust at least to the square root factor under a quantum computer attack that can be used for non-repudiation, and public key processes. Open problem. Aching problem – work on it, please!

Brian Snow, Former Technical Director of the US National Security Agency (NSA), Public Key Cryptography 30th Anniversary Conference, Dec 2006

There is currently no public key technology for key exchanges, open-source or otherwise, considered ready to address this problem:

Synaptic offers a unique suite of proprietary and patent pending technologies, with functionality not previously available in the open community, that address the threat of quantum computer attacks and many other classical attacks. Synaptic Laboratories LTD has published, and will continue to openly publish, security specifications so that they can be cryptographically studied. Synaptic technologies will be combined with Lamport-Diffie-Merkle digital signatures and existing open standards where appropriate to create a complete security platform.

For example, Synaptic technologies are designed to take advantage of existing open standards that are known to be post quantum secure, such as AES-256 and SHA-2, where this is desired or viable. Synaptic Labs offers a range of patent pending technologies that upgrade existing standards-based algorithms such as AES-128 and DES-56 to achieve an increased range of cryptographic functions and full 256-bit security ratings against quantum computers, using PQSAES or PQSDES.


An advantage of decisively proprietary standards is that they can mandate a uniform security platform between organisations that choose to adopt the technology. If done correctly, this can ensure a consistently higher level of security in that environment. Synaptic seeks to achieve this result in our universal security ecosystem.


S-USE has been designed to wrap around vulnerable components as used in commercial off-the-shelf systems. For example, S-USE can wrap around standards-based RSA and ECC key exchanges, allowing them to be used in the usual way while S-USE prevents attackers from obtaining the output of the RSA / ECC operations. This layering of primitives serves as a defense-in-depth strategy.

Synaptic Labs' Universal Security Ecosystem (S-USE) itself can be built using standards based cryptographic algorithms such as AES-256 and SHA-2.

Synaptic is currently exploring high assurance design techniques and formal methods for specifying and building our universal security ecosystem (see the bullet points below for more information). As part of this process the formal specifications will be openly published and studied by independent cryptographic and security experts. Generally speaking, each component technology has been designed using conservative and established cryptographic techniques. Where appropriate we use unmodified standards-based cryptographic components. Synaptic Labs' goal is to create a security ecosystem that achieves an overall higher level of assurance than is possible using current standard or de facto standard protocols and implementations.

What makes your security ecosystem so different?

Business now relies on information infrastructures that are interlinked and interdependent. We need to understand how to predict and mitigate these risks with a view to aid reaction and recovery within these infrastructures.
...
Complex systems exist in all aspects of society ranging from stock market analysis to climate change, and information systems and infrastructures are no exception. As an information system matures it typically converges with others to add a richer functionality. This reliance upon extrinsic factors to deliver a service adds extra layers of complexity and interdependency, which are not fully understood and are to some degree uncontrollable.

The way in which these hidden interdependencies pervade our everyday lives is staggering and, in some cases, may go unchecked for many years until an incident occurs that reveals the true nature of the interdependencies' impact.

The design of security systems must take into account the vast interconnectedness of our information and control systems. Information security must protect information throughout the life span of the information, from the initial creation of the information on through to the final disposal of the information. The information must be protected while in motion and while at rest. During its life time, information may pass through many different information processing systems and through many different parts of information processing systems.

Silo'd point solutions, operating with different security ratings, are not capable of uniformly addressing the security requirements of the sensitive data the systems have been entrusted to manage.

Synaptic is building a cross-platform, cross-domain security solution that addresses the common security problems faced by these systems in a coherent and uniform way, enabling a higher level of information assurance over sensitive information's life cycle. An example of this at a lower level can be seen in Synaptic Labs' design of the PQSDES cipher-hash function, which (a) enables commodity smart cards to achieve 100+ year security against classical and quantum computer attacks and to run next generation digital signatures without retooling, while (b) PQSDES remains highly efficient on the desktop and suitable for high-end server applications with hardware acceleration.

The privacy, security and dependability requirements of the citizen are, therefore, much broader than the pure protection of personal data and the continued accessibility of critical services. Any transaction that is performed in the Information Society, any process that is established electronically and any service that is offered over ICT must be trustworthy, i.e. dependable and inherently secure. This can also mean that the citizen can justifiably trust (in the sense of 'depend on') that certain information flows do not happen - or by design only happen in a way where the citizen retains control. In a privatized, decentralized and dispersed communications environment, the number of central control organisations will significantly decrease.

Nevertheless, citizens should be able to determine whom they are willing to trust (for what purposes, and to what extent), but there can also be a large set of parties involved in services and processes, such that a trust decision might be highly complicated or even impossible for citizens to make.
...
One should not assume that stakeholders do not care about their security merely because they do not understand the consequences of certain actions. The perception of risk can vary significantly from actual risk and, in the short term, convenience may lead some early adopters to make hazardous decisions.

Many if not most of today's security systems fail to take into account the genuine security requirements of all stakeholders. To quote Professor Ross J Anderson, Professor of Security Engineering at the Cambridge University Computer Laboratory:

The conventional wisdom is that security priorities should be set by risk analysis. However, reality is subtly different: many computer security systems are at least as much about shedding liability as about minimising risk. Banks use computer security mechanisms to transfer liability to their customers; companies use them to transfer liability to their insurers, or (via the public prosecutor) to the taxpayer; and they are also used to shift the blame to other departments (“we did everything that GCHQ/the internal auditors told us to”).

Ross J Anderson, Cambridge University Computer Laboratory, "Liability and Computer Security: Nine Principles", 1995

Synaptic Laboratories are designing our universal security ecosystem to satisfy the legitimate security, commercial and personal requirements of all stakeholders. We do this by designing a system that minimises all avenues of attack by unauthorised or malicious parties. This creates a framework or platform which is intended to reduce the number of locations that application specific logic can fail.

The security benefit of this approach is that it reduces the number of weaknesses which might be exploited in unexpected ways to attack the primary investors or promoters of the technology.

The commercial benefit of this approach is that it increases trust and enhances inter-organisational and international collaboration by avoiding points of contention that may expose one or more parties to greater risk or hold one or more parties less accountable.

The benefit to the community is an increased trust in the IT systems that form an intrinsic and pervasive foundation in our critical infrastructure.

Of course, Synaptic are designing our Universal security ecosystem to be low-cost so as to enable it to compete effectively with lower-security solutions.

Many applications stay in use for much longer than anticipated, but during the extended lifetime they will be functioning in an environment for which they have not been designed, resulting in completely new vulnerabilities and risks.

IT systems are often designed using 'crisis management' techniques: they solve immediate problems with little or no consideration of the long term requirements of the systems. Short term commercial incentives can lead to the adoption of marginally secure key lengths that will undoubtedly become insecure in the mid-range future, exposing all stakeholders to unnecessary risks. For example, a very large number of current systems today still use 1024-bit key lengths for RSA:

Florence Luy asks the question:
'Is the writing on the wall for 1024-bit (RSA) encryption?'

Dutch mathematician Hendrik Willem Lenstra:
'The answer to that question is an unqualified yes.'

Florence Luy, Hendrik Lenstra, "A mighty number falls", 21 May 2007, École Polytechnique Fédérale de Lausanne

Deploying a marginally secure system offers the illusion of security, an illusion that fades with time. The risks are compounded because it can be extremely difficult to educate entrenched organisations that they need to adjust key lengths to a size that is appropriate for the current environment. The result is insecure cryptographic components being used in commercial products or services.

To illustrate this exact problem, a recent attack in NOVEMBER 2008 exploited a weak 'standards based' algorithm. The MD5 algorithm was adopted as a standard hash function many years ago. MD5 was a precursor to the SHA family of hash functions. To maintain maximum interoperability, a decision was made to continue issuing digital certificates that used the MD5 algorithm. The recent attack demonstrated how a malicious party could falsely represent itself as a 'trusted' certificate authority run by RapidSSL (which is owned by Verisign) through a clever attack against the weak MD5 component. The attackers could forge fake certificates that would be accepted as genuine by all mainstream web browsers such as Internet Explorer, Netscape and Safari. The attackers could then set up a hoax server pretending to be ANY bank, financial institution, government organisation, or commercial website in the world. This attack would be successful even against organisations that had paid money for digital certificates that were price-differentiated on account of the stronger cryptographic algorithms used in their certificate.

The use of marginally or short term secure cryptographic operations CAN and has been demonstrated in at least one situation to affect the collective security of the global community.

The situation is made worse by the widely acknowledged threat of large code-breaking quantum computers. The arrival of quantum computers would result in today's mainstream security systems abruptly and catastrophically failing. The veil of security will be lifted, exposing a world of sensitive material to unauthorised parties who will then seek to exploit the disclosure. Furthermore access control to the management planes of our business and government infrastructure will be exposed. It is not possible to retroactively protect the sensitive information that has been transmitted yesterday or today using RSA, D&H, or ECC. The only step that can be taken is to stop the rot by shifting to post quantum secure primitives.

When we take these factors into consideration, it is important to our individual and collective security to universally adopt long term secure primitives.

Synaptic is developing a whole ecosystem of cryptographic primitives that can offer 100 year security ratings against classical and quantum computing attacks with high assurance. For more information see our technologies page.

Given today’s common hardware and software architectural paradigms, operating systems security is a major primitive for secure systems – you will not succeed without it. This area is so important that it needs all the emphasis it can get. It is the current ‘black hole’ of security.

The problem is innately difficult because from the beginning (ENIAC, 1944), due to the high cost of components, computers were built to share resources (memory, processors, buses, etc.). If you look for a one-word synopsis of computer design philosophy, it was and is SHARING. In the security realm, the one word synopsis is SEPARATION: keeping the bad guys away from the good guys’ stuff!

So today, making a computer secure requires imposing a ‘separation paradigm’ on top of an architecture built to share. That is tough! Even when partially successful, the residual problem is going to be covert channels.

Brian Snow, Former Technical Director of the US National Security Agency (NSA), "We need assurance!", 1999-2008

Mainstream security systems in the civilian market are designed predominantly to run on commodity desktops and servers. These commodity desktops and servers run operating systems that are particularly exposed to security risks.

Consider the use of smart cards, smart badges, or other hardware tokens for especially critical functions. Although more costly than software, when properly implemented the assurance gain is great. The form-factor is not as important as the existence of an isolated processor and address space for assured operations – an 'Island of Security,' if you will. Such devices can communicate with each other through secure protocols and provide a web of security connecting secure nodes located across a sea of insecurity in the global net.

Brian Snow, Former Technical Director of the US National Security Agency (NSA), "We need assurance!", 1999-2008

Synaptic has designed its Universal Security Ecosystem to run efficiently on ambient intelligence, smart cards, network attached hardware security modules and hardware accelerator boards. We have filed patent applications over innovative security techniques that take advantage of the unique security properties present in hardware security modules to achieve a level of security higher than security systems designed for running on desktops. Integration with modern operating systems and applications is achieved by interfacing them with the security technologies run on the smart cards.

Assurance is best addressed during the initial design and engineering of security systems, NOT as an after market patch. The earlier you include a security architect in your design process, the greater the likelihood of a successful and robust design.

As the quip goes, he who gets to the (module) interface first wins.

Brian Snow, Former Technical Director of the US National Security Agency (NSA), "We need Assurance", AusCERT 2008

High assurance methods range from formal languages for specification and formal proofs that implementations satisfy specifications, through to processes for managing companies. We list a few below:

  • ISO 9000: is a family of standards for quality management systems. It is intended for use in any organization which designs, develops, manufactures, installs and/or services any product or provides any form of service. It provides a number of requirements which an organization needs to fulfil if it is to achieve customer satisfaction through consistent products and services which meet customer expectations.
  • IEC 61508: "Functional safety of electrical/electronic/programmable electronic safety-related systems", is intended to be a basic functional safety standard applicable to all kinds of industry, this includes systems designed primarily to protect against failures with serious economic implications. Nuclear Power Plants and their constituent systems must satisfy a Safety Integrity Level 4 (SIL-4).
  • ISO/IEC 27000: Best practice recommendations on information security management, risks and controls within the context of an overall Information Security Management System (ISMS).
  • ISO/IEC 15408: Common Criteria is a framework in which computer system users can specify their security requirements, vendors can then implement and/or make claims about the security attributes of their products, and testing laboratories can evaluate the products to determine if they actually meet the claims.
  • The B-Method: a formal specifications and programming language used to build secure systems that comply with Standards 61508, 50126, 50128 and 50129.
  • Built in self tests, range checking of inputs and assertion checking of specified behavioural features to ensure that the system is doing what we want it to do.

Synaptic is exploring adopting or adapting these and other techniques as we move to begin the formal specification and high assurance implementation of our security ecosystem. These features will distinguish Synaptic Labs' suite of technologies from current standards-based or de facto standards-based systems, which are not specified, designed or implemented to similar levels of quality.

A Single Point of Failure (SPOF) is a part of a system which, if it fails, will impact the whole system in a negative way. SPOFs are undesirable in any system, be it a network, software application or other industrial system. In security systems a single point of failure may be any operation which allows unauthorised persons to access or modify sensitive information or misrepresent themselves to others.

Single points of failure are best addressed at the architecture level, as is being done with Synaptic Labs' suite of technologies. This can be done through compartmentalisation of roles and responsibilities, by splitting responsibility over multiple independent parties, by layering different types of mutually reinforcing protective material around sensitive information (for example: encrypting sensitive data with two fundamentally different types of cryptographic operation), and so on.

It's not good enough to have a system where everyone (using the system) must be trusted; it must also be made robust against insiders!

Robert Morris, former Chief Scientist of the US National Security Agency (NSA) National Computer Security Center, "Crypto '95 invited talks by R. Morris and A. Shamir", 1995

Unfortunately many of our security systems have a multitude of SPOFs. These failures may be as simple as requiring one trusted party, such as a certificate authority, its staff, and all its computers, to always act honestly. Even if the staff of a CA act honestly, a hacker may be able to break the security of one of its computers and force it to act dishonestly.

Synaptic is designing our security ecosystem to reduce the number of SPOFs and, where they remain, to employ conservatively strong components and take what steps can be taken to proactively mitigate the risks. Wherever possible we use distributed, decentralised techniques as one method of reducing SPOFs. Synaptic Labs' Group, Enterprise and Universal key exchange technologies are prominent examples of how Synaptic Labs' wider security ecosystem offering will address SPOFs.

Synaptic Labs' Universal Security Ecosystem (S-USE) is built entirely from technologies that have a long history of use in one or more of the CRYPTOGRAPHIC, SECURITY, FINANCE/BANKING and DEFENCE industries. S-USE is not based on number-theoretic principles, it is not based on an elegant new form of abstract algebra, and it is not based on subtle one-way trap-door functions that may take 20+ years of intense cryptographic scrutiny by specialised experts before the global security community can be confident it is secure.

S-USE is a robust belt-and-braces offering that has been purpose built to achieve high margins of security in a way that can be readily verified by most experienced cryptographers without specialist knowledge. It is based entirely on the security of known symmetric cryptographic operations, operations that the cryptographic and quantum computing communities openly state offer the best potential for achieving long term security. A variant of S-USE can be built entirely using AES-256 and SHA-512 as the foundations of its security. The variant being proposed by Synaptic as a universal system capable of use in the BILLIONS of smart cards already in production is based around upgrading the 100% standards compliant DES-56 block cipher to use up to 512-bit keys and generate 768-bit message digests, to offer full 256-bit security ratings against future computers.

How is this going to improve my bottom line?

Synaptic is designing a new security ecosystem to address a wide range of security risks, from multiple sources of attack or failure, that are not uniformly addressed by existing standards and commercial off-the-shelf systems. These include:

  • Ensuring that the cryptographic protocols:
    • uphold the security interests of all parties
    • protect radio frequency ID devices from being tracked by malicious parties
    • enable increased audit-ability and transparency of operations performed within the system
    • reduce the occurrences of "single point of failure" which would result in a complete security breach
    • address the identified security risks found in a wide range of application domains
  • Ensuring that the cryptographic components (block ciphers, hash functions, key exchanges):
    • can achieve 100 year security ratings against an unabated continuation of Moore's law (computers doubling in speed every 4 years)
    • can achieve 100 year security ratings against optical and quantum computers

The holistic approach taken by Synaptic allows the community to study one interoperable cryptographic framework intended to secure data over its complete life cycle as it travels between different types of information processing systems, over different types of networks, and between different organisations entrusted to process the data by its respective stakeholders. Synaptic Labs' objective is to build a high assurance security framework suitable for the most sensitive applications that can be deployed in the lowest cost commodity devices.

The security of the digital world has become a fundamental stake:

  • for the citizen, with respect to his individual freedom and protection of his computerized identity and privacy;
  • for the company, with respect to the protection of its computerized industrial assets, the security of its business transactions and the trust level of its information networks; and
  • for the state, with respect to the reliability of operations and the reduction in the vulnerability of large and critical infrastructures: electricity and water distribution systems, communication methods and means, and information and communication systems pertaining to these infrastructures.

The cost of business includes the appropriate collection and storage of data, the appropriate distribution of that data to those authorised on a need-to-know basis, ensuring information is only passed to those that have demonstrated the capacity to appropriately manage the information, the destruction of data when it is no longer required, and appropriately managing the liabilities and mitigating the damages that may occur if any one of those steps fails.

Synaptic Labs' security ecosystem is designed to provide a robust cryptographic platform that addresses these business requirements in a high assurance way, protecting your interests, that of your associates, and those who have entrusted sensitive information into your hands.

A single cross-platform environment that enables robust security operations to be performed uniformly in devices ranging from low-cost smart cards through to high performance hardware accelerators, and uniformly across organisational boundaries, will streamline the process of establishing a suitable operating environment. That environment can then be managed more effectively, with lower operational cost and fewer security breaches.

The privacy, security and dependability requirements of the citizen are, therefore, much broader than the pure protection of personal data and the continued accessibility of critical services. Any transaction that is performed in the Information Society, any process that is established electronically and any service that is offered over ICT must be trustworthy, i.e. dependable and inherently secure. This can also mean that the citizen can justifiably trust (in the sense of 'depend on') that certain information flows do not happen - or by design only happen in a way where the citizen retains control. In a privatized, decentralized and dispersed communications environment, the number of central control organisations will significantly decrease.

Nevertheless, citizens should be able to determine whom they are willing to trust (for what purposes, and to what extent), but there can also be a large set of parties involved in services and processes, such that a trust decision might be highly complicated or even impossible for citizens to make.
...
One should not assume that stakeholders do not care about their security merely because they do not understand the consequences of certain actions. The perception of risk can vary significantly from actual risk and, in the short term, convenience may lead some early adopters to make hazardous decisions.

Loss of trust in a system can have devastating consequences. This has been demonstrated with the backlash against RFID products, the tarnishing of brand names, and the recent collapse of the global financial system.

Briefly and simply, assurance work makes a user or a creditor more confident that the system works as intended without flaws, without surprises, even in the presence of malice. … The major shortfall is absence of assurance or safety mechanisms in software. If my car crashed as often as my computer does, I’d be dead by now.

Brian Snow, Former Technical Director of the US National Security Agency (NSA), "We need Assurance", AusCERT 2008

The security industry must develop products that enable commercial organisations to protect their own interests, and those of their associates and stakeholders. With the availability of these products commercial organisations must adopt these technologies to achieve the necessary level of assurance the community requires to continue the job of doing business.

Synaptic technologies will offer you the ability to provide your customer:

  1. long term assurance that can be incrementally adapted at low cost and low risk;
  2. long term assurance that can be implemented at lower cost in smaller devices without the use of at-risk technologies; and
  3. the ability to build their products and run their companies on a stable security foundation, rather than on security technologies that are marginally secure, or at risk of abrupt and catastrophic failure.

Credibility is the cornerstone of business. Independent certification is a method of communicating important qualities about an organisation to others. The failure of certain certification processes creates uncertainty in the market place, which leads to global instability. Failure of a certification process (or the complete absence of one) creates an opportunity for products developed under a given level of certification to penetrate the market place.

High quality certification processes exist today that remain credible in today's uncertain market place. These are the standards that are used to ensure aircraft stay in the air, that mechanical equipment operates in a fail-safe way, that nuclear power plants don't periodically blow up. Any product or service can be delivered using high assurance methods, however most are currently not.

Deploying certified high assurance IT infrastructure is one way a company can credibly differentiate themselves in a market littered with security compromises and failure of trust. Adopting high assurance processes within a company requires that the IT infrastructure is purpose built for the task. Synaptic is building the secure communication portions of that platform.

Building on Synaptic Labs' platform will differentiate your company, products and services by:

  • being the first to offer high assurance long term security with the lowest risk of later decryption (and simultaneously avoid the maintenance costs to periodically update your products in the field); and
  • entering a new ecosystem of industry leading companies that secures all their products and internal systems from smart cards through to high-end servers with a security platform that offers an unprecedented level of assurance against the risk of security failure.

Deployment of secure communications infrastructure is an asset that may increase company profitability by reducing internal and external security risks, reducing potential for theft, and minimising exposure to financial liabilities. Synaptic Labs' universal security infrastructure is designed to allow a uniform infrastructure to be deployed on all devices within an organisation and between organisations. It is also designed to allow high-assurance technologies to be deployed in commodity devices at less cost than conventional security systems, enabling the price-driven portions of the market to adopt technologies that have long-term positive ramifications for the global community at large.

Synaptic anticipates that deploying high assurance products, services and training will become the new minimum standard for all commercial activities, irrespective of the application domain.
