SKI: Safe, Secure Distributed Key Exchange
Five Ways SKI Addresses Cybersecurity Gaps
- Safer distribution of encryption keys
- Leverages existing cloud network
- Eliminates openings for DDoS attacks
- Perfect forward secrecy in the event of a compromised key
- Key-distribution component of regulation-compliant encryption
Secure Key Infrastructure and your Business
The Secure Key Infrastructure:
- Leverages a global provider satellite network
- Eliminates the cumbersome, insecure PKI Certificate Authority process
- Can be licensed and deployed by OEMs to replace PKI
What is Secure Key Infrastructure?
- Utilizes worldwide satellite network infrastructure for true, double-blinded token exchange (key distribution)
- Uses OAuth, HTTPS, and TLS to secure communications between clients and servers during the Token Exchange process.
- SKI’s native Token Authority (TA) is SCIFCOM
Filling the Cybersecurity Gap for Encrypted Video Streaming
Whether you are streaming video, audio or both, XOTIC® can deliver a secure means to watch and archive the video while removing the concern of malicious parties accessing your feeds. Unlike other ciphers, implemented strictly for the long-term storage of media or used within TLS/SSL protocols that maintain a single secret key, XOTIC is constantly changing to protect your data. Implemented on the device itself, the XOTIC cipher re-keys data in transit with random quantum-resilient key lengths ranging from 512 to 4,096 bits at set time intervals using Secure Channels’ patent-pending Wave Form Encryption™ (WFE). Rest easy with your information stored on-premises or in the cloud with a flexible key exchange network that can shard and distribute the keys for the live feed across internationally distributed repeaters, mitigating the risk of any single point of failure in the security of your information. Protect your information today with a cipher that’s strong enough for post-quantum archival of data, but efficient enough to encrypt every frame of your media.
Addressing the Gaps in OT/Critical Infrastructure Security.
XOTIC Core and Secure Key Infrastructure (SKI).
Industrial facilities and critical infrastructure are digitally transforming their operational technology (OT) to bring it in line with IT and Industrial Internet of Things (IIoT) systems. The benefits are clear. Warehouses, assembly lines and public utilities gain additional efficiencies through real-time responsiveness, process synchronization, performance analytics and cognitive/AI optimization. OT’s convergence with IT, though, introduces several new cybersecurity weaknesses, risks and attack vectors.
A Siemens report on industrial cybersecurity noted threats to OT systems are more hazardous than those to IT systems. While IT attacks can result in sensitive data breaches, network downtime and lost productivity, compromised OT systems can lead to quality control lapses, personal injury and environmental damage. Attacks on OT and critical infrastructure have already introduced “massive damage” to a steel works blast furnace, tampered chemical mixtures at a water treatment plant, an entire nation knocked offline by a rival service provider, and a power grid takedown through cyberwarfare. The trend shows no signs of slowing as almost 60 percent of facilities using supervisory control and data acquisition (SCADA) systems or industrial control systems (ICS) were breached.
Aggravating this threat are the vulnerabilities prevalent in OT. Legacy components make up a large percentage of OT. They typically haven’t been outfitted with security and are infrequently and notoriously difficult to patch. Their lifetime deployments average 10 to 20 years whereas easily-patched IT systems average three to five years of life. Even air-gapped systems are susceptible to insider threats, which constitute 73 percent of OT cyberattacks. As OT is digitized and brought online, legacy component vulnerabilities are exposed to untold new threats.
The coming 5G technology will fuel widespread adoption of IIoT. However, the proliferation of IIoT devices greatly broadens the OT attack surface, as millions of new, poorly encrypted endpoints can potentially grant unauthorized parties access to vital systems. Manufacturing floor, public utility and smart city systems could fall under the control of adversaries who succeed in exploiting IIoT devices. Security research firm F-Secure reported that cyberattacks on IoT devices overall jumped 300 percent in 2019, and Gartner estimated that by 2020 IoT compromises will account for more than 25 percent of cyberattacks. Generally a network’s weakest links, IIoT devices intended to improve safety, maintenance tasks and quality control allow relatively easy access to assailable OT.
Industrial facilities and critical infrastructure need OT to be available, reliable and safe. The data stored in and transmitted between OT, IT and IIoT must remain free from interception or manipulation to meet these goals. Future-ready encryption with a secure, fault-tolerant key exchange forms the strongest and last line of cyberdefence for OT and critical infrastructure.
The XOTIC Core/SKI solution addresses these gaps with:
Strength: The XOTIC Core cryptosystem securely encrypts OT and critical infrastructure data behind quantum-resilient key lengths ranging from 512 bits to more than 8,000. Deployed with SKI, XOTIC Core’s symmetric keys are safely transmitted between OT, IT and critical infrastructure endpoints.
Safety: The solution’s unbreakable encryption for data stored in and transmitted between devices eliminates opportunities for unauthorized parties to exfiltrate sensitive data or manipulate equipment. XOTIC Core and SKI enable facility operators to maintain control over their OT and critical infrastructure.
Readiness: SKI doesn’t rely on the quantum-weak algorithms at the heart of public key infrastructure (PKI) systems. SKI distributes symmetric keys that can withstand attacks from today’s technology and tomorrow’s.
Reliability: SKI can be implemented using a combination of public/private/cloud services and edge networks for redundant key distribution. Its high availability and fault tolerance mitigate DoS/DDoS attacks involving OT/IIoT endpoints.
Simplicity: XOTIC Core’s weightless 60 KB footprint easily integrates into the most resource-constrained OT and IIoT devices. SKI deployments incorporate fewer components than those of standard PKI. Its “out of band” operation avoids reliance on questionable “trust actors” to securely distribute encryption keys.
Responsiveness: Increased adjustments in XOTIC Core’s strength add no perceptible latency to equipment performance. It initializes quicker than AES and outperforms streaming ciphers. And XOTIC Core’s distributed symmetric keys require less computational overhead.
Adaptability: XOTIC Core and SKI are easily integrated into OT ranging from legacy to state-of-the-art. The solution’s agnostic design delivers consistent protection as OT/IIoT technologies continue to evolve.
Perfect Forward Secrecy: XOTIC Core’s scalable one-time pad leverages quantum random number generation to create completely unique keys for unconditional security. SKI distributes XOTIC Core’s ephemeral keys for every signal, packet of data or frame of video. In the highly unlikely event of a compromised key, the security of the rest of the data remains unaffected.
Compliance: The solution exceeds the level of “reasonable security” required with various industry and government cybersecurity controls. XOTIC Core can be deployed in “FIPS mode” with key wrapping for NIST-regulated environments.
Secure Key Infrastructure (SKI): Encryption Peer Review
Author: Dr. Stanislaw Jarecki, University of California, Irvine
1. SKI offers strong security property vs. standard PKI-based and Kerberos-based secure key communication solutions:
Unlike PKI-based solutions, the clients don’t store long-term keys except for standard authentication tokens (password, biometrics). This dramatically limits security exposure in case of client compromises.
Unlike Kerberos-based solutions, the central server (‘Token Authority’) has no knowledge of decryption keys, just short-term authentication tokens. This limits the security exposure in case of central server compromise.
SKI achieves these security advantages using a distributed fault-tolerant protocol involving a network of geographically spread Relay servers, and it achieves the above security properties at the price of exposing a transmission key if a significant threshold of Relay servers is compromised.
However, using secret sharing, the probability of such compromise is negligibly low unless the adversary compromises a majority of the Relay servers.
2. SKI offers strong reliability in key delivery, thanks to the fault-tolerance in the key transmission protocol, based on well-known secret-sharing techniques.
3. SKI offers strong privacy properties with respect to the Relay servers, thanks to the double-blinding technique in the key transmission protocol. Only the central Token Authority knows the matching between the sender and the receiver, which is the same as in a Kerberos-style solution, and this information is stored only briefly, so a compromise of the Token Authority does not reveal past communication patterns.
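The review's points 1 and 2 rest on one property of threshold secret sharing: any k of n Relay servers can rebuild a transmission key, while fewer than k hold no information about it. The following is an added illustration, not SKI's or Secure Channels' code, and it assumes Shamir's scheme (the review only says "well-known secret-sharing techniques") over the prime field GF(2**130 - 5); relay counts and the key are constructed sample values.

```python
"""Threshold sharing of a transmission key across Relay servers (added example,
not SKI's code). Shamir's scheme is an assumption; arithmetic is in GF(P)."""
import secrets

P = 2**130 - 5  # prime larger than any 128-bit key, so keys embed directly


def split_secret(secret: int, n: int, k: int):
    """Return n shares (x, f(x)) of a random degree-(k-1) polynomial, f(0)=secret."""
    if not (0 < k <= n < P and 0 <= secret < P):
        raise ValueError("bad parameters")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):          # x = 0 would be the secret itself
        y = 0
        for c in reversed(coeffs):     # Horner evaluation modulo P
            y = (y * x + c) % P
        shares.append((x, y))
    return shares


def recover_secret(shares) -> int:
    """Lagrange interpolation at x = 0; correct only when len(shares) >= k."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret


def relay_demo(key: bytes, n: int = 5, k: int = 3) -> dict:
    """Shard a key over n relays and report which relay subsets recover it."""
    secret = int.from_bytes(key, "big")
    shares = split_secret(secret, n, k)
    return {
        "any_k_relays": recover_secret(shares[:k]) == secret,
        "other_k_relays": recover_secret(shares[n - k:]) == secret,
        # k-1 shares interpolate to a uniformly random value (equal to the
        # key with probability 1/P): a sub-threshold compromise learns nothing.
        "below_threshold": recover_secret(shares[:k - 1]) == secret,
    }
```

Any two relays being offline still leaves three shares for delivery, which is the fault tolerance of point 2; any two relays being compromised yields only the "below_threshold" case.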