|Graceful Remediation with Authenticated Certificateless Encryption|
Project Grace – Towards a Secure Internet
|Team Members||QuantumCIEL, Cyber Security Agency of Singapore, Government Technology Agency of Singapore, VIBE Cybersecurity, Secure IC, University of Glasgow|
|Point of Contact||Dr KangWei Woo|
|Participating Municipalities||Cyber Security Agency of Singapore, Government Technology Agency of Singapore|
|Website||Website for the project.|
|Download||Tech Jam Presentation|
The present Public Key Infrastructure (PKI) is known to be inadequate for the current scale of the Internet, and the advent of the IoT exacerbates the situation. Project GRACE (Graceful Remediation with Authenticated Certificateless Encryption) implements a security architecture using an advanced form of pairing-based cryptography called Verifiable Identity-based Encryption (VIBE) to provide simple, scalable and secure key management for cloud services, the IoT and the Critical Information Infrastructure (CII), which are otherwise vulnerable to existing and new cyber-physical attacks.
- PKI is costly to operate. Client certificates are rarely used in applications because of the cost.
- PKI is difficult to operate. Many implementations are error-prone because of the certificates.
- As the core key management scheme for the open Internet, VIBE is nominally 70% less costly than PKI.
- VIBE is certificateless.
- Project GRACE integrates the VIBE capabilities directly into the protocol (i.e. TLS) and the systems for greater efficiency.
The Critical Information Infrastructure (CII) requires protection and resiliency against frequent and massive cyber-physical attacks. It is not coincidental that confidentiality, integrity, and availability (cyber space) are closely related to privacy, safety, and reliability (physical space) respectively.
- Data at rest. Each node in the network (IoT, VM, etc.) is assigned an immutable digital identity in the form of a private key stored in secure hardware. Because key management is efficient, all critical data (in files, directories, databases, etc.) is transparently encrypted.
- Data in use. All crypto functions and the private keys are used only within the secure hardware. The main CPUs and memory are attested to be free of malicious processes so that other applications can run securely.
- Data in transit. TLS is GRACE-enabled to provide transport security among devices and virtual machines (VMs).
|Key Performance Indicators (KPIs)||Measurement Methods|
The GRACE system and its operation are certifiable to ISO 27001:2013.
Standards, Replicability, Scalability, and Sustainability
Project GRACE adopts the best practices which exceed those in ISO 27002:2013. It implements the platform interfaces (hardware, hypervisor, OS, cloud services, IoT, etc.) and the IETF standard for transport security, i.e. TLS.
Cybersecurity and Privacy
Project GRACE contains a complete implementation of the security controls (authentication, authorization, audit - AAA) to achieve the security objectives (Confidentiality, Integrity and Availability - CIA). Privacy is closely related to confidentiality. Both the CIA and AAA triads are rooted in the secrecy of the private keys, which bootstrap the protection of the environments against cyber-physical attacks.
- Provide a simple scheme where it is difficult to commit errors of implementation.
- Provide a scalable scheme to address very large networks (centralized, distributed or mesh – billions of entities) at a great reduction in complexity: O(N), compared with O(N²) for PKI.
- Provide a secure scheme rooted in hardware with counter-measures against the crippling side-channel attacks.
Project GRACE provides the end-to-end security architecture. It shall be deployed in a live environment with active user loads to the cloud and within the cloud.