Technical

How does it work?

At its simplest level identifier based encryption is enabled by associating an email address with a smart card identity that has been enrolled in two or more online trusted third party servers.

Similar to key exchanges performed over the Enterprise and Universal KX systems, a simplified description of the secure e-mail protocol on the Enterprise system may work as follows:

• the sender prepares an e-mail
• the email is processed by a plug-in module to the email client
• the body of the email is encrypted using an unkeyed all-or-nothing transformation (wiki)
• the target details of the e-mail, and 512-bits of the encrypted message are sent to the senders smart card
• the smart card hashes the e-mail address using SHA-256 and queries the trusted third party servers it is enrolled with to confirm they hold a relationship with the target id
• the smart card prepares a new random number for each of the online TTP that know the target
• the smart card securely sends each TTP one of the random numbers
• the smart card hashes the random numbers sent to the TTP to generate a session key
• the smart card then encrypts 512-bit of the encrypted message using the session key
• the smart card returns the 512-bits of twice encrypted message to the e-mail plug-in
• the encrypted and twice encrypted message is sent to the target address using the standard email client
  
• the receiver receives the encrypted e-mail
• the e-mail plug-in sends the sender details and the 512-bits of twice encrypted body of the email to their smart card
• the smart card queries the trusted online third parties it has relationships with and receives the portions of key material associated with that email and the identity of the smart card that sent the portions of key material
• the smart card ensures that the online TTP are all in agreement concerning the identity of the sender before continuing to decrypt the message
• the smart card hashes these key parts to create the session key and then decrypts one layer of the 512-bits of twice encrypted message and returns the portion back to the e-mail client plug-in
• the e-mail client plug-in reverses the all-or-nothing transformation and presents the information to the user

How well studied are the cryptographic techniques used in the system?

All the techniques in the system are well studied and familiar to most cryptographers.

As illustrated above the system can be build using globally accepted cryptographic primitives such as AES-256 and SHA-2.

Threshold secret schemes are mathematically very simple and are a mature area of research. For example split secret sharing schemes are used to manage today's mainstream public key certificate infrastructure. Many of the ad hoc mesh network protocols use multi-path key distribution techniques.

How fast is the service?

The performance of Synaptic Labs' Identifier Based Encryption in many applications is a one-off cost that is bound by the cost of network communications. After the contact details for an identity is discovered and a key exchange is performed, all the required information for ongoing direct communications is available to the smart cards.

How does SIBE overcome the previous limitations of the competition?

Traditional symmetric protocols for performing IBE, such as the Kerberos protocol, are known but suffer from the limitation that the online trusted server can decrypt all the messages and forge messages attributed to another identity. Modern asymmetric protocols which derive a public key and private key pair from an e-mail address also suffer from the same limitations, that is the online trusted server can decrypt all messages and forge messages attributed to another identity.

The Synaptic Identifier Based Encryption (SIBE) is the world's first globally scalable scheme that prevents a collusion of (n-1) of the (n) participating, independently managed, online trusted servers from decrypting the sensitive messages sent between users of the system. Furthermore Synaptic Labs' is the first explicitly 10-to-100 year post quantum secure identifier based encryption proposal.

The SIBE is a feature that extends Synaptic Labs' Enterprise and Universal Key Exchange protocols. The SIBE is designed for use on low-cost smart cards and network attached hardware security modules. Secure desktop communications are enabled through the use of smart cards that run the host Synaptic key exchange protocols.

What is the minimum configuration?

The minimum configuration of the Synaptic Identifier Based Encryption is two smart card clients, two relay servers implemented on two independently managed hardware security modules, SHA-256 and access to a small portable Faraday cage during smart card enrolment.

How can I integrate SIBE with my existing system?

Synaptic is developing an application programming interface, a simple secure tunnel protocol and a graphical user application around the Enterprise and Universal KX. These interfaces will support the SIBE functionality.

Further Information

Additional information is available via the menu bar on the right of the screen under the Identifier Based Encryption menu item.

The Identifier Based Encryption functionality has been described in a paper published on ePrint. That paper is an extended version of a short 4 page peer reviewed technical abstract presented at the U.S. Oak Ridge National Laboratory - Cyber Security and Information Intelligence Research Workshop.

Synaptic Laboratories and the Gozo Business Chamber (EU) have co-founded the ICT Gozo Malta cluster of excellence. This cluster of excellence will work in close collaboration with key Government and private stakeholders and leading International companies to develop many of Synaptic Labs' innovative technologies. The Identifier Based Encryption functionality will be implemented as part of the ICT Gozo Malta Global-scale Cyber Security project and Exoskeleton extensions. The relationships between projects is visually illustrated here.