Project GRACE

From GCTC Action Cluster Catalog
Revision as of 13:21, 19 April 2018 by Kangwei.woo
Graceful Remediation with Authenticated Certificateless Encryption
Project Grace – Towards a Secure Internet
Team Members: QuantumCIEL, Cyber Security Agency of Singapore, Government Technology Agency of Singapore, VIBE Cybersecurity, Secure IC, University of Glasgow
Point of Contact: Dr KangWei Woo
Participating Municipalities: Cyber Security Agency of Singapore, Government Technology Agency of Singapore
Status: Development

Description

The present Public Key Infrastructure (PKI) is known to be inadequate for the current scale of the Internet, and the advent of IoT exacerbates the situation. Project GRACE (Graceful Remediation with Authenticated Certificateless Encryption) implements a security architecture using an advanced form of pairing-based cryptography called Verifiable Identity-based Encryption (VIBE). It provides simple, scalable and secure key management for cloud services, the IoT and the Critical Information Infrastructure (CII), which are otherwise vulnerable to existing and new cyber-physical attacks.

Challenges

  • PKI is costly to operate. Client certificates are rarely used in applications because of their cost.
  • PKI is difficult to operate. Many implementations are error-prone because of the certificates.

Solutions

  • VIBE, as a core key management scheme for the open Internet, is nominally 70% less costly than PKI.
  • VIBE is certificate-less.
  • Project GRACE integrates the VIBE capabilities directly into the protocol (i.e. TLS) and the systems for greater efficiency.

Major Requirements

The Critical Information Infrastructure (CII) requires protection and resiliency against frequent and massive cyber-physical attacks. It is not coincidental that confidentiality, integrity, and availability (cyber space) are closely related to privacy, safety, and reliability (physical space) respectively.

  • Data at rest. Each node in the network (IoT, VM, etc.) is assigned an immutable digital identity in the private key stored in the secure hardware. Because key management is efficient, all critical data (in files, directories, databases, etc.) are transparently encrypted.
  • Data in use. All crypto functions and the private keys are used only within the secure hardware. All main CPUs and memories are attested to be free of malicious processes so that other applications can run securely.
  • Data in transit. TLS is GRACE-enabled to provide transport security among devices and virtual machines (VMs).

Performance Targets

Key Performance Indicators (KPIs) and Measurement Methods
  • Elimination of known vulnerabilities. Measurement method: vulnerability assessment, penetration testing with cryptanalysis.
  • Elimination of username/password (except authentication PIN or equivalent) in secure transactions, either in P2P mode or with a cloud service.
  • Real-time security audit is possible by system attestation.
  • The architecture is application-agnostic since the security controls are implemented at the system level and blend into the existing infrastructure and platforms. This design ensures easy and widespread adoption across any domain or industry.

The GRACE system and its operation are certifiable to ISO 27001:2013.

Standards, Replicability, Scalability, and Sustainability

Project GRACE adopts the best practices which exceed those in ISO 27002:2013. It implements the platform interfaces (hardware, hypervisor, OS, cloud services, IoT, etc.) and the IETF standard for transport security, i.e. TLS.

Cybersecurity and Privacy

Project GRACE contains a complete implementation of the security controls (authentication, authorization, audit - AAA) to achieve the security objectives (Confidentiality, Integrity and Availability - CIA). Privacy is closely related to confidentiality. Both the CIA and AAA triads are rooted in the secrecy of the private keys, which bootstrap the protection of the environments against cyber-physical attacks.

Impacts

  • Provide a simple scheme in which it is difficult to commit implementation errors.
  • Provide a scalable scheme to address very large networks (centralized, distributed or mesh – billions of entities) at a great reduction in complexity: O(N), compared with O(N^2) for PKI.
  • Provide a secure scheme rooted in hardware with countermeasures against crippling side-channel attacks.

Demonstration/Deployment

Project GRACE provides the end-to-end security architecture. It shall be deployed in a live environment with active user loads to the cloud and within the cloud.