Overview

What does the Enterprise Key Exchange do?

Generally speaking, in cryptographic applications key exchanges are used to negotiate a secret symmetric key (a random number) between two users. The negotiated key is then used by other symmetric cryptographic primitives such as block ciphers, stream ciphers and hash functions to enable messages to be securely transmitted between users at higher speeds. In many cryptographic applications the identity of one or more of the users exchanging key material is authenticated as part of the key exchange. This is called an authenticated key exchange. E-commerce uses authenticated key exchanges to validate the identity of the website to the user.

The Synaptic Enterprise Key Exchange (Enterprise KX) is an authenticated key exchange technology designed to provide 10 to 100 year security for inter-organisation communications and communications within an industry sector.  It is suitable for establishing secure communications between 10's to millions of users.

The Enterprise KX is designed for use on low-cost smart cards and network attached hardware security modules. Secure desktop communications is enabled through the use of smart cards that run the Enterprise KX protocols.

What problem does Enterprise KX solve?

The Synaptic Enterprise KX solves several important problems:

• how to build a high assurance many-to-many key exchange that is secure against code-breaking quantum computers without the use of quantum physics
• how to create a many-to-many key exchange network with a 100+ year security rating over traditional data networks that can support millions of users
• how to securely initiate a secure communications infrastructure in a way that ensures that the technical administrators cannot subvert the system, even if they had access to a code-breaking quantum computer
• how to scale symmetric key-exchange protocols across decentralised federated systems of control in a way that can be trusted by the users of the system

What environments is Enterprise KX intended for?

The Synaptic Enterprise KX is intended to support the day-to-day data processing operations in environments that are entrusted to manage sensitive data that belongs to other people. Given large organisations and industry sectors may need to hold a trusted relationship with millions of users it is important that these organisations adopt conservative security techniques that satisfy the wide-ranging security expectations of those people. Given the complexity of the relationship within an organisation and between competing organisations that work together to provide services to the community it is important that the key exchange infrastructure is capable of engendering trust. The Synaptic Enterprise KX architecture is capable of achieving this in this environment. The Synaptic Enterprise KX is a low cost solution that can be readily adapted to existing smart card personalisation programs.

For a key exchange system that is capable of supporting billions of enrolled parties and their associated complex trust relationships see Synaptic Labs' Universal Key Exchange technology.

What applications is Enterprise KX intended for?

The Synaptic Enterprise KX is ideal for applications where there is a potentially large number of smart cards enrolled within a single interoperable system over its life time. The Enterprise KX is extremely flexible and can be applied in a very large number of applications. Examples include:

• secure communications between people within a corporation or a small consortium
• secure communications between people inside a given industry or government agency
• wireless RFID credit and debit bank cards
• secure access cards
  
• drivers licenses, medical cards, identity cards
• next generation e-Passports
• ambient intelligence / sensor networks
• as a secure private extension to the Universal Key Exchange infrastructure

What advantages does Enterprise KX have over the nearest competition?

Advantages over mainstream key exchanges based on public key technology

A primary advantage that the Synaptic Enterprise Key Exchange has over mainstream public key algorithms such as RSA and ECC is that the Enterprise KX can offer a high level of security for a longer duration of time with higher assurance.

Technologies such as RSA and ECC are computationally expensive operations. In an effort to reduce short term manufacturing and operational costs organisations employ short key lengths that execute faster and with less effort. The down side is that shorter keys are less secure against classical attacks. The use of marginally secure cryptographic primitives introduces a maintenance cycle that requires devices and systems in the field to be periodically upgraded to longer key-lengths or new algorithms. As the number of digitally empowered humans increases and enterprises become larger and more complex to support this growth in empowerment the time and cost to upgrade these system becomes increasingly significant. For example EMVco estimates it will take 10 to 15 years to upgrade their infrastructure to a new security protocol. The risk of a security breach within a multi-version security system increases significantly.

Synaptic Labs' Enterprise KX can offer a security rating of a 100 years using using only a few invocations to the US NIST SHA-512 hash function. This is several orders faster (that is, computationally less expensive) than running today's recommended RSA-2048 and ECC-192 in most computing environments. By using cryptographic primitives that offer security ratings that will not need revising in the foreseeable future against any anticipated attacks corporations can break free of this cycle and reduce medium to long-term operational costs while protecting the interests of all stake holders in their system.

Another important advantage the Synaptic Enterprise KX has is that it uses well-known cryptographic techniques that are widely conjectured by the cryptographic community to offer the best security against code-breaking quantum computers. In stark contrast it is widely conjectured that RSA and ECC will abruptly and catastrophically fail against code-breaking quantum computers. That is code-breaking quantum computers are conjectured to break RSA and ECC roughly as fast as classical computers can execute RSA or ECC to perform key exchanges. The impact of a sudden catastrophic failure of this magnitude is not limited to the overwhelming majority of electronic systems online but also to the vast quantities of electronic information previously recorded by attackers and government intelligence agencies. Clearly international security depends on each country's ability to maintain their respective data integrity and data privacy and their ability to communicate securely with other countries.

Advantages over mainstream key exchanges based on symmetric key technology

The Synaptic Enterprise Key Exchange technology uses techniques that are similar to those found in other online key exchange technologies such as the ubiquitous Kerberos protocol and some ad hoc wireless mesh based networks.

The Kerberos protocol was designed for applications where a central authority wanted to control access to their resources. Kerberos works well in this limited context of owner and controller but suffers from serious security problems when it is used to protect communications between the users of the system, or where it is used in federated identity and authentication applications when more than one authority is involved.

Kerberos is not well suited to user-to-user secure communications because the Kerberos server responsible for authenticating the users with each other is able to decrypt all their communications. To quote Whitfield Diffie, CTO of Sun Microsystems and a co-inventor of public key cryptography: "I could not understand the cryptography in which more than two people knew the key". Asymmetric cryptography was invented by Whitfield Diffie, Martin Hellman and Ralph Merkle to solve this problem. Synaptic Labs' Enterprise KX technology comprehensively addresses this same problem using symmetric techniques.

Kerberos is not well suited for federated identification and authentication applications because of known security failures in the protocol. This problem stems from a fundamental limitation in the Kerberos architecture. Synaptic Labs' Enterprise KX technology comprehensively addresses both the cryptographic and human trust requirements of this problem through the use of multiple online servers and the compartmentalisation of sensitive information.

Synaptic Labs' Enterprise KX shares technical similarities with many ad hoc mesh based key exchange technologies. Ad hoc wireless mesh based key exchange infrastructures are tightly integrated into the mesh network infrastructure and are envisaged as a low cost method to protect the network and its users from adversaries outside of the network. Synaptic Labs' Enterprise KX is designed as an overlay network intended to protect key material transported over the network from attacks outside and inside the key exchange network.

These technical similarities aid the cryptanalysis and increase the assurance levels in Synaptic Labs' key exchange technologies. However we note that according to independent experts Synaptic Labs' Enterprise Key Exchange and Universal Key Exchange offer the world’s first scalable many-to-many key exchange protocol based on standards-based symmetric primitives suitable for replacing mainstream public key cryptography. Synaptic has filed for several patent applications over the first principles of the technologies used in our systems.

What other components are required to make a complete system?

The typical online cryptographic system designed to enable secure communications between two users requires a privacy primitive (block cipher or stream cipher), a cryptographic hash function, a key exchange algorithm and may also use a digital signature algorithm.

Synaptic intends to offer the enterprise key exchange as part of a complete system that includes data privacy and data integrity operations that offer a higher level of security than currently provided by commercial systems that use standards based ciphers such as AES with 256-bit keys. For example the Synaptic Post Quantum Secure DES cipher (PQSDES) will enable interoperable communications between extremely low cost smart cards, ambient intelligence devices and desktops with 512-bit keys.

Can Enterprise KX use standards-based cryptographic components?

Yes. Synaptic Labs' Enterprise KX can be deployed using the US NIST's strongest cryptographic primitives for data privacy and hashing: AES-256 and SHA-512 respectively. While it is strictly not required, the RSA algorithm present in smart cards can be used to provide an additional layer of assurance for the key exchange operation (that is, the Enterprise KX wraps around the inner RSA key-exchange operation).

How much will it cost?

Synaptic Labs' Enterprise Key Exchange technology for both users and servers can be deployed on low cost hardware security modules (HSM) such as smart cards. The use of smart cards as online key exchange servers dramatically reduces the cost of achieving a high assurance solution suitable for small to medium sized organisations.

Alternatively the Enterprise KX technology can be deployed on rack-mount HSM to increase the scalability of the system and to offer a secure platform for deploying secure business applications.

The choice of hardware platform will have a significant impact on the final cost of the system.

Where can I register my interest?

We welcome all expressions of interest in our range of key exchange technologies. After your registration has been approved you may be granted access to additional information such as slide shows and other technical documentation as it becomes available.

Further Information

Additional information is available via the menu bar on the right of the screen under the Enterprise Key Exchange menu item.

The Enterprise Key Exchange was presented by Synaptic Labs at the IEEE Key Management Summit 2010.  The presentation titled: "Survey of symmetric key distribution techniques" can be watched as streaming video here.

The Enterprise Key Exchange has been described in a short 4 page peer reviewed technical abstract presented at the U.S. Oak Ridge National Laboratory - Cyber Security and Information Intelligence Research Workshop. A longer and more detailed version of that extract has been published on ePrint.

Synaptic Laboratories and the Gozo Business Chamber (EU) have co-founded the ICT Gozo Malta cluster of excellence. This cluster of excellence will work in close collaboration with key Government and private stakeholders and leading International companies to develop many of Synaptic Labs' innovative technologies. The Enterprise Key Exchange proposal will be implemented as part of the ICT Gozo Malta Global-scale Cyber Security project and Exoskeleton extensions. The relationships between projects is visually illustrated here.