DigiFLAK 2013 FLAK Technologies DIGIFLAK PROJECT.


Page 1: DigiFLAK 2013 FLAK Technologies DIGIFLAK PROJECT.

DigiFLAK 2013

FLAK Technologies

DIGIFLAK PROJECT

Page 2: DigiFLAK 2013 FLAK Technologies DIGIFLAK PROJECT.

CONTENTS

1. SeOS – SecuritOS
2. FLiC – FLAK Licensee
3. LogME
4. FLAKmobile
5. FLAKstream
6. FLAKnet

HOW TO…

…build total digital safety zone

…care for your values

…login with NO passwords

…be protected everywhere

…prevent viruses and malware

…connect to each other

Page 3: DigiFLAK 2013 FLAK Technologies DIGIFLAK PROJECT.

SeOS. Main Technology Principles

SeOS (SecuritOS)

SeOS is an embedded Operating System for FLAK devices which performs high-speed cryptographic calculations on big data arrays running within the FLAK Secure Core

Main Functions

Decryption and sign check of applications before every start

Allocation of separate secured address space to applications

Provision of special API to high-speed cryptographic accelerators to applications: DES, 3DES, AES, SHA1, SHA128, SHA256, MD5 and others

PCSC#11 standard support

Multilevel key management system – key ladder with all level keys protection from illegal access

Asymmetric algorithms ECC and RSA support

High-speed data filtering according to various criteria

License management technology (FLiC) support

SeOS API functions support for multi application environment

[Diagram labels: Apps; SeOS API; API; Linux; Main Core; Secure Core; SeOS]

Page 4: DigiFLAK 2013 FLAK Technologies DIGIFLAK PROJECT.

FLiC. Main Technology Principles

FLiC (FLAK Licensee Control)

DigiFlak proprietary flexible and high-capacity mechanism for processing and management of license rights to any digital data such as video, audio, software, eBooks, etc.

Smart, fast and secured

License processing takes place in an isolated and secured environment, which guarantees no illegal access to the keys and prevents license rights interference. With FLiC technology it is possible to re-encrypt data in real time, which means that the technology supports DRM (CAS) DTCP-IP and DRM (CAS) HDCP bridges.

Easy to trust and integrate

FLiC is fully consistent with the FLAK basic concept of simple and convenient usage of information security technologies. FLiC can be used both as a standalone DRM solution (with its own software for the server side) and as a "safe" framework for third-party CAS and DRM solutions.

DRM and CAS support

With FLiC it is possible to integrate easily with all well-known DRM and CAS solutions, extending their security.

Unique content security

Based on the FLAK platform, the FLiC technology provides totally safe license management and a mechanism to control access to all digital entities.

* Secuter (Eng. Security Computer) – a dedicated device, a minicomputer with secure cores inside

Page 5: DigiFLAK 2013 FLAK Technologies DIGIFLAK PROJECT.

DRM (CAS) -> DTCP-IP or HDCP BRIDGE

How it works

FLAK secuter processes DRM-protected content and encrypts output data either according to DTCP-IP specification or to HDMI standard. In the first instance the output content can be played by a PC (a built-in player with DTCP-IP support) or transmitted to connected home devices such as TVs or tablets. The second case can be applied to the FLAK devices with HDMI interface which guarantees maximum level of protection to exclusive content. All content goes from the secuter to HDMI and can be received by any device with HDMI support.

HIGHEST LEVEL OF PROTECTION FOR VALUABLE CONTENT WITH A “CONTENT PROVIDER – USER SCREEN” SCHEME!!!

[Diagram labels: Content provider; DRM protected content; Isolated trusted environment; DTCP-IP encryption; Tablet; PC with a DTCP player; HDCP iDTV with HDMI]

Page 6: DigiFLAK 2013 FLAK Technologies DIGIFLAK PROJECT.

SOFTWARE PROTECTION

How it works

In most cases a license for commercial software looks like a file with different parameters used: permissions / restrictions of operations, license duration, number of users, etc. The license file, which is unique to each copy of software, is stored within a protected memory of the FLAK secuter and can never be extracted outside. All transactions with licenses (installation, control, update, review) are executed in an isolated environment of the secuter with either a FLiC software module or a software developers’ module.

NB! Developers can move part of the basic software functionality into the secuter, which is strongly recommended!!!

FORGET THE PROBLEM OF YOUR SW ILLEGAL DISTRIBUTION OR USAGE!!!

[Diagram labels: License server; SW License providing; Software running on PC; PC-Secuter protected session; Isolated trusted environment; License storage]

Page 7: DigiFLAK 2013 FLAK Technologies DIGIFLAK PROJECT.

LogME. Threats and Recommendations

Threats:

Password lexical algorithms’ match

Password theft from user PC (imitation, key loggers, browser cache analyzers)

Password theft from WEB service servers

All user accounts are dependent on email account security

Recommendations:

Use only “rules to follow” passwords

Limit number of wrong password entries

Don’t save passwords on PC

Don’t login via keyboard

Check source of WEB login form

Don’t store passwords on WEB servers

Use open/public keys and certificates methods for authentication

Provide maximum security to the email account itself

Are you really able to follow all these mazy rules???

Page 8: DigiFLAK 2013 FLAK Technologies DIGIFLAK PROJECT.

LogME. Main Technology Principles

DigiFlak proprietary chrysalis intended for a safe and easy authentication procedure on remote WEB sites

An auto-password of no less than 20 random symbols, generated by hardware facilities of the FLAK secuter;

Password is unique for every user account;

User doesn’t know the password;

Password never comes out of the device's secured internal core in unencrypted form;

Could not be simpler and securer.

Password based and certificate based solutions are provided:

Page 9: DigiFLAK 2013 FLAK Technologies DIGIFLAK PROJECT.

(password based)

Initial registration

During initial registration on a remote WEB site the secuter acquires an SSL certificate from the server. Then it initiates its own SSL session with the WEB browser (with a FLAK certificate), gets the login name from the user and generates a random password according to certain security rules. After that the secuter gets the login name from the browser, encrypts both the login name and the generated password and sends them to the remote WEB site. Simultaneously, the server certificate, login name and generated key are stored in a secure file system of the secuter.

1. SSL certificate acquisition
2. Login request
3. Login dispatch
4. Password generation
5. Certificate and login/password pair safekeeping
6. Encrypted login name and password sending

[Diagram labels: SSL server; SSL client; SSL client; SSL server]

Login procedure

At the next login the secuter authenticates the server with the stored certificate and if it is a success both the login name and password are sent to the server in SSL session. The user communicates with the site via the secuter certificate which is a guarantor of safe connection.
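The password-based flow described above (certificate stored at registration, generated password of at least 20 symbols, credentials released only after the server is authenticated) is expressed here in Python. This is an added example, not DigiFLAK code: `CredentialVault`, the SHA-256 fingerprint comparison and the in-memory dictionary are assumptions standing in for the secuter's secure file system and its unspecified certificate check.

```python
import hashlib
import hmac
import secrets
import string

# Assumption: the page only says "random symbols"; printable ASCII is used here.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
MIN_LEN = 20  # "no less than 20 random symbols", as stated on the page


class CredentialVault:
    """Hypothetical in-memory stand-in for the secuter's secure file system."""

    def __init__(self):
        self._entries = {}  # site -> (certificate fingerprint, login, password)

    @staticmethod
    def _fingerprint(cert_der: bytes) -> bytes:
        return hashlib.sha256(cert_der).digest()

    def register(self, site, cert_der, login, length=MIN_LEN):
        """Initial registration: pin the server certificate, generate the password."""
        if length < MIN_LEN:
            raise ValueError("password must have at least 20 symbols")
        if site in self._entries:
            raise KeyError(f"{site} is already registered")
        password = "".join(secrets.choice(ALPHABET) for _ in range(length))
        self._entries[site] = (self._fingerprint(cert_der), login, password)
        return password  # in the described flow it leaves the device only encrypted

    def credentials_for(self, site, presented_cert_der):
        """Next login: release the pair only if the server shows the pinned certificate."""
        pinned, login, password = self._entries[site]
        if not hmac.compare_digest(pinned, self._fingerprint(presented_cert_der)):
            raise PermissionError(f"certificate mismatch for {site}: credentials withheld")
        return login, password

def demo():
    # Constructed byte strings standing in for DER-encoded server certificates.
    real_cert, lookalike_cert = b"constructed-cert-shop.example", b"constructed-cert-lookalike"
    vault = CredentialVault()
    password = vault.register("shop.example", real_cert, "alice")
    released = vault.credentials_for("shop.example", real_cert) == ("alice", password)
    try:
        vault.credentials_for("shop.example", lookalike_cert)
        withheld = False
    except PermissionError:
        withheld = True
    return len(password), released, withheld
```

Pinning the exact certificate means a legitimately renewed server certificate also fails the check, so a deployment of this scheme needs a re-registration path for that case.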

Advantages

Following proven technology principles such as secure login/password storage and easy registration/login procedures, this approach can be implemented with no expenses on the server side, since all sites now support password authentication.

NO SERVER MODIFICATION REQUIRED!!!

Page 10: DigiFLAK 2013 FLAK Technologies DIGIFLAK PROJECT.

(certificate based)

The approach is based on mutual SSL authentication with a client-authenticated TLS handshake. The client certificate authenticates the user and, instead of a password, a private key is stored in the secuter. In this case there are only public keys on the server side, and their theft is of no use to potential attackers.

1. SSL certificate acquisition
2. Login request
3. Login dispatch
4. Certificate generation and safekeeping
5. SSL client certificate sending

[Diagram labels: SSL server; SSL client; SSL client; SSL server; Authentication]

Advantages

This approach solves security problems with the account data stored on the server. It also doesn’t require an upgrade of the server and can be activated on the server side with a system setup.

TOTAL SECURITY PROVIDED!!!

Page 11: DigiFLAK 2013 FLAK Technologies DIGIFLAK PROJECT.

LogME. Useful features

Data sync

With Data Sync approach you can forget about your fear to forget!

Afraid to forget your device? In bar, taxi, friend’s home, old suit...

OR

Backup with FLAK servers will allow you to enjoy mobile security as well!

[Diagram labels: FLAK server site; Home; Everywhere; Your FLAK; Your backup FLAK; Android or iOS LogME app]

Page 12: DigiFLAK 2013 FLAK Technologies DIGIFLAK PROJECT.

FLAKstream. Main Principles

FLAKstream

FLAK proprietary technology of high throughput real-time network traffic scanning and analysis powered by Kaspersky SafeStream

HOW IT WORKS

FLAKstream technology allows for filtering incoming and outgoing IP packets based on specified criteria and signature analysis according to given URL values. This technology efficiently implements functions of streaming antivirus, firewall, parental control, Data Leakage Prevention, etc. All incoming and outgoing IP traffic to/from the host PC is intercepted by the secuter, where all data is filtered and scanned by the FLAK engine employing dedicated hardware accelerators. After detecting a potential or real threat the secuter blocks the infected object and warns the user of a possible danger.

NO NEGATIVE INFLUENCE ON HOST PERFORMANCE.

THREATS, VIRUSES AND MALWARE ARE BLOCKED BEFORE GETTING INTO PC.

[Diagram labels: Internet; Untrusted Internet data; Redirect to FLAK; FLAK Device; Firewall; Stream antivirus; Parental control; DLP; Verified internet to the user]

Page 13: DigiFLAK 2013 FLAK Technologies DIGIFLAK PROJECT.

FLAKnet. Main Principles

FLAKnet

With FLAKnet proprietary technology you can create secure virtual networks with no specific knowledge or surplus cost

HOW IT WORKS

With FLAKnet technology the FLAK secuter users can integrate their personal computers and mobile devices in a secure virtual network without complicated settings and profound knowledge. It is enough to enter the flak-ID of the device to be connected to the network and get a mutual confirmation on the connection. A virtual network can be based on any physical connections to the Internet. The secuter will automatically determine and configure all connection settings. A FLAKnet sync server is used to match the flak-ID to the current IP address of the device. After setting up a connection the secuter sends information about its current IP address to the sync server and gets back information about the IP address of the connected device. Connections and network management are supported by open source software, like OpenVPN.

CREATE A SECURE VIRTUAL NET? FLAK MAKES IT EASY!!!

[Diagram labels: Company Headquarters; Secured Network; FLAK PRO; Business trip; FREE WIFI; FLAK Classic; Business dinner; FREE WIFI; FLAK mobile]

Page 14: DigiFLAK 2013 FLAK Technologies DIGIFLAK PROJECT.

FLAKmobile. Main Principles

FLAKmobile

DigiFlak proprietary solution, applying FLAK platform and technologies like FLiC, LogMe, FLAKstream, FLAKnet, etc. to mobile domain

Solution for USB OTG devices

The solution assumes a FLAK mobile secuter connected to the microUSB interface of a mobile device. Like the FLAK Classic (non-mobile), the FLAK Mobile supports USB 2.0 and NFC interfaces as well as basic FLAK applications including Firewall and VPN. It doesn’t have an external network interface: the FLAK driver on the Host intercepts all incoming and outgoing traffic and forwards it to the secuter via microUSB.

SMALL DIMENSIONS 1x2cm

LOW CONSUMPTION

microUSB INTERFACE

[Diagram labels: microUSB; NFC]

Page 15: DigiFLAK 2013 FLAK Technologies DIGIFLAK PROJECT.

FLAK Mobile. Main Principles

Solution for devices with ARM TrustZone or Intel TxT support

This solution consists of a SeOS implementation for ARM TrustZone and the LogMe, FLiC, FLAKNet and FLAKstream technologies as applications for Android/iOS/Windows OS. Thus, if a mobile device supports TrustZone, then SeOS is installed as a complementary OS. The FLAK technologies are implemented as SW applications for the primary OS.

Within this approach the FLAK secuter is required for primary personalization of the mobile device and sync or backup of confidential information and licenses. The same approach is applicable for mobile devices with Intel Trusted eXecution Technology (Intel TxT) support.

NO EXTERNAL DEVICE

USAGE OF WELL-RECOMMENDED TECHNOLOGIES

FLAK APPS IN ANDROID PLAY MARKET AND IOS APP STORE

[Diagram label: Secure OS]

Page 16: DigiFLAK 2013 FLAK Technologies DIGIFLAK PROJECT.

Thank you for your attention!

www.digiFLAK.com