Page 1:

Portable encryption technologies at Sandia

Jeremy Baca, Cyber Security Technologies Department

Sandia National Labs

Sandia is a multiprogram laboratory operated by Sandia Corporation, a Lockheed Martin Company, for the United States Department of Energy's National Nuclear Security Administration under contract DE-AC04-94AL85000.

Page 2:

Topics I will cover

• Entrust ESP 8 for E-mail Encryption
• Credant Deployment
• IronKey Pen Drives
• Other Software Encryption Technologies
• Hardware Encrypted Hard Drives
• BlackBerry S/MIME integration
• BlackBerry Enterprise Server Encryption
• Entrust Messaging Server (EMS)
• PKI integration with the new HSPD-12 badge

Page 3:

Entrust ESP 8 for E-mail Encryption

• Sandia has done interoperability testing between ESP 8 and the old Entrust client and found no major issues with e-mail exchanged between the two

• Tested the ESP client on the currently deployed OS, Windows XP, with Office 2003 and Office 2007, and on Vista with Office 2007

• Changed the algorithms from SHA-1/3DES to SHA-256/AES-256

• Sandia started deployment of Entrust 8 via SMS (Microsoft Systems Management Server) on April 23

• Sandia has deployed Entrust 8 to over 6,800 computers with a 12% call rate to our help desk

• About 1,800 computers remain; the majority of their users hit Cancel when prompted to install

Page 4:

Credant Deployment

• Sandia deployed Credant as its data-at-rest encryption solution

• We implemented Credant on all mobile laptops, pen drives, and PDAs

• Data is encrypted with common and user encryption keys defined by policy on the server

• Keys are generated by the CMG Enterprise server and mapped to a Device/User combination

• Authentication is tied to the user's Windows login. Login options include two-factor and one-time password generators

• Users are imported from an LDAP directory, such as the Active Directory that already exists in our enterprise

• The initial encryption pass takes a significant amount of the computer's performance

• During normal operation there is still a performance impact. It is most noticeable under heavy processor use (compiles, renderings) and generally not noticed with business applications

Page 5:

IronKey Pen Drives

• Sandia added the IronKey pen drives to our approved list of devices after thorough testing

• The IronKey pen drives employ AES CBC-mode hardware encryption that meets FIPS 140-2

• Active Anti-Malware Protection – Secure AutoRun

• Remote Administration and Policy Enforcement

• Onboard portable applications

– Secure web browser

– Secure password manager

– Virtual keyboard password protection for untrusted hosts

– Encrypted local backup

• Remotely Disable or Terminate Lost and Stolen USB Drives

– Deny - Prohibits accessing the data on the device

– Disable - Locks out the user the next time the device connects

– Destroy - Instructs the device to initiate its self-destruct sequence

Page 6:

Other Software Encryption Technologies

• Sandia did testing on the following products as part of an NNSA research project:

– Credant

– WinMagic

– Mobile Armor Guard

– BeCrypt

– Utimaco

– PGP Whole Disk Encryption

– Pointsec

– GuardianEdge

• Sandia, along with LANL, Pantex, Savannah River, KCP and Y-12, prepared a 115-page report for the NNSA on the pros and cons of each product

Page 7:

Hardware Encrypted Hard Drives

• Sandia evaluated Seagate FDE (full disk encryption) hard drives and Wave Systems management software

• One big problem with this technology is hardware compatibility. We found that most, but not all, Dell and Lenovo laptops worked with the Seagate drive

• Key management is a major issue; the third-party applications do not yet have a solid enterprise solution or a full set of enterprise support features

• The Seagate drive performs hardware-based AES encryption of the entire disk

• Encryption has almost no impact on the performance of the drive

Page 8:

BlackBerry S/MIME integration

• BlackBerry issues and functionality

– Directory issues with multiple CA sites

– Inaccessible CRL files

– Some old desktops use the Entrust message format as default and not S/MIME

– Testing at Sandia, ORNL and DOE/HQ

– User certificates can be imported over the wire and work properly, but we still have issues doing this over the cellular network

– Certificate status cannot be determined cross-site using the over-the-air option (the BlackBerry device hangs or gives a stale certificate message)

– The BlackBerry tries to communicate directly with the issuing certificate directory and will not chain through the site directories (firewalls between sites cause this to fail)

– Had to change the master certificate specifications to include a URL CDP for the BlackBerry, since it cannot use the X.500 CDP

Page 9:

BlackBerry Enterprise Server Encryption

• BlackBerry devices by default encrypt all data traffic over the cellular connection from the device to the BlackBerry Enterprise Server on the Sandia network

• Voice traffic is not encrypted over the cellular connection

• Sandia's BlackBerry policy enforces content protection, which turns on full data encryption on the device

• We set an auto-lock timeout of 15 minutes

• We have also set the device to wipe after ten bad password attempts

• Our BES policy also prevents third-party applications from being installed on the device

• We do not allow BlackBerry devices to be connected to non-Sandia computers
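The IronKey remote Deny / Disable / Destroy commands on page 5 and the BES auto-lock and wipe-after-ten-attempts settings above are all policy decisions a managed device makes locally, with remote commands taking effect the next time the device connects. The block below is an added example, not IronKey or BlackBerry Enterprise Server code, of such a policy engine in Python: the device IDs, PINs and thresholds are constructed, the salted-hash PIN check stands in for a secure element, and the management server is an in-memory command queue.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional


class State(Enum):
    LOCKED = "locked"        # correct PIN needed before data is readable
    UNLOCKED = "unlocked"
    DENIED = "denied"        # remote Deny: data access prohibited
    DISABLED = "disabled"    # remote Disable: user locked out at next connect
    DESTROYED = "destroyed"  # remote Destroy or too many bad PINs: keys zeroised


@dataclass
class Policy:
    idle_lock_seconds: int = 15 * 60  # auto-lock timeout (slide: 15 minutes)
    max_bad_attempts: int = 10        # wipe threshold (slide: ten bad attempts)


def hash_pin(pin: str, salt: bytes) -> bytes:
    # Slow salted hash so a dumped flash image does not give away the PIN.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 50_000)


@dataclass
class RemoteAdmin:
    # Constructed stand-in for the management server's per-device command queue.
    pending: Dict[str, str] = field(default_factory=dict)

    def issue(self, device_id: str, command: str) -> None:
        if command not in ("deny", "disable", "destroy"):
            raise ValueError(f"unknown remote command {command!r}")
        self.pending[device_id] = command


@dataclass
class Device:
    device_id: str
    policy: Policy
    salt: bytes
    pin_hash: bytes
    state: State = State.LOCKED
    bad_attempts: int = 0
    last_activity: float = 0.0
    keys_present: bool = True  # data-encryption keys still on the device?

    @classmethod
    def enroll(cls, device_id: str, pin: str, policy: Optional[Policy] = None) -> "Device":
        salt = os.urandom(16)
        return cls(device_id, policy or Policy(), salt, hash_pin(pin, salt))

    def destroy(self) -> None:
        # Zeroising the keys makes the ciphertext unrecoverable; the PIN hash goes too.
        self.keys_present, self.pin_hash, self.state = False, b"", State.DESTROYED

    def unlock(self, pin: str, now: float) -> bool:
        if self.state is State.UNLOCKED:
            return True
        if self.state is not State.LOCKED:
            return False  # denied, disabled or destroyed devices never unlock
        if not hmac.compare_digest(self.pin_hash, hash_pin(pin, self.salt)):
            self.bad_attempts += 1
            if self.bad_attempts >= self.policy.max_bad_attempts:
                self.destroy()
            return False
        self.bad_attempts, self.state, self.last_activity = 0, State.UNLOCKED, now
        return True

    def access(self, now: float) -> bool:
        # A data access: enforce the idle timeout at the moment of use, then the state.
        if self.state is State.UNLOCKED and now - self.last_activity >= self.policy.idle_lock_seconds:
            self.state = State.LOCKED
        if self.state is State.UNLOCKED and self.keys_present:
            self.last_activity = now
            return True
        return False

    def check_in(self, admin: RemoteAdmin) -> None:
        # Runs whenever the device connects; applies any queued remote command.
        cmd = admin.pending.pop(self.device_id, None)
        if cmd == "deny":
            self.state = State.DENIED
        elif cmd == "disable":
            self.state = State.DISABLED
        elif cmd == "destroy":
            self.destroy()


def lost_device_walkthrough() -> Dict[str, object]:
    # Constructed scenario: nine bad PINs, a Deny from the server, then Destroy.
    admin, d = RemoteAdmin(), Device.enroll("usb-001", "1234")
    for _ in range(9):
        d.unlock("0000", now=0.0)
    after_nine = d.state                 # still LOCKED, one attempt from a wipe
    admin.issue("usb-001", "deny")
    d.check_in(admin)                    # command lands when the device next connects
    denied = d.unlock("1234", now=60.0)  # right PIN, but access is prohibited
    admin.issue("usb-001", "destroy")
    d.check_in(admin)
    return {"after_nine": after_nine, "denied": denied, "final": d.state, "keys": d.keys_present}
```

Two points worth keeping in a real implementation: the idle timeout is checked at the moment of access rather than by a timer that a hostile host can stop, and a wiped device discards the PIN hash together with the data keys, so nothing is left on the flash to brute-force.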

Page 10:

Entrust Messaging Server (EMS)

• Entrust Messaging Server – an additional component within the PKI infrastructure that assists users' secure e-mail by:

– Locating others' public certificates

• These may be Entrust or another PKI vendor's certificates

– Managing others' public certificates

• Certificates will be stored on the server instead of on users' local systems

– Notifying others to obtain PKI certificates

• Users will be notified to obtain a certificate if one cannot be found

• Sandia is testing with an EMS server to see what the impact will be on our environment and should have it implemented by the end of the 3rd quarter of 2009

Page 11:

PKI integration with the new HSPD-12 badge

• The new HSPD-12 badges have an integrated smart chip with Entrust certificates issued from EDS (PIV Authentication, Digital Signature, Key Management)

• The new badge also contains multiple data elements for the purpose of verifying identity. They consist of a PIN, a Cardholder Unique Identifier (CHUID), one asymmetric key pair and the corresponding certificate for authentication, a digital picture and two digital fingerprints

• This data model may optionally be extended to meet agency-specific requirements. This is being looked at to possibly hold certificates for e-mail and digital signatures and for two-factor computer access

Page 12:

Portable encryption technologies at Sandia