«FLAK» secuters (security computers) provide an ultra-protected, easy-to-use and low-cost solution for login with NO PASSWORD, robust and FREE ANTIVIRUS and FIREWALL protection, hardware-based DRM and software licensee control, and secure access to your files and services through the use of dedicated security-certified chipsets, the security OS «SecuritOS» and a set of unique technologies.
2. DigiFLAK
2013
CONTENTS
DIGIFLAK PROJECT
1. SeOS – SecuritOS
2. FLiC – FLAK Licensee
3. LogME
4. FLAKmobile
5. FLAKstream
6. FLAKnet
HOW TO…
…build total digital safety zone
…care for your values
…login with NO passwords
…be protected everywhere
…prevent viruses and malware
…connect to each other
3. SeOS. Main Technology Principles
SeOS (SecuritOS)
SeOS is an embedded Operating System for FLAK devices which performs high-speed cryptographic calculations on big data arrays running within the FLAK Secure Core.
Main Functions
Decryption and signature check of applications before every start
Allocation of separate secured address space to applications
Provision of special API to high-speed cryptographic accelerators to applications: DES, 3DES, AES, SHA1, SHA128, SHA256, MD5 and others
PCSC#11 standard support
Multilevel key management system – key ladder with all level keys protection from illegal access
Asymmetric algorithms ECC and RSA support
High-speed data filtering according to various criteria
License management technology (FLiC) support
SeOS API functions support for multi application environment
[Diagram: Apps; SeOS API; Linux API; Main Core; Secure Core; SeOS]
4. FLiC. Main Technology Principles
* Secuter (Eng. Security Computer) – a dedicated device, minicomputer with secure cores inside
FLiC (FLAK Licensee Control)
DigiFlak proprietary flexible and high-capacity mechanism for processing and management of license rights to any digital data such as video, audio, software, eBooks, etc.
Smart, fast and secured
License processing takes place in an isolated and secured environment which guarantees no illegal access to the keys and prevents license rights interference. With FLiC technology it is possible to re-encrypt data in real time, which means that the technology supports DRM (CAS) DTCP-IP and DRM (CAS) HDCP bridges.
Easy to trust and integrate
FLiC is fully consistent with the FLAK basic concept of simple and convenient usage of information security technologies. FLiC can both be used as a standalone DRM solution (with its own software for the server side), and provide a "safe" framework for third-party CAS and DRM solutions.
DRM and CAS support
With FLiC it is possible to integrate easily with all well-known DRM and CAS solutions, extending their security.
Unique content security
Based on the FLAK platform, the FLiC technology provides totally safe license management and a mechanism to control access to all digital entities.
5. DRM (CAS) -> DTCP-IP or HDCP BRIDGE
How it works
FLAK secuter processes DRM-protected content and encrypts output data either according to the DTCP-IP specification or to the HDMI standard. In the first instance the output content can be played by a PC (a built-in player with DTCP-IP support) or transmitted to connected home devices such as TVs or tablets. The second case can be applied to the FLAK devices with an HDMI interface, which guarantees the maximum level of protection to exclusive content. All content goes from the secuter to HDMI and can be received by any device with HDMI support.
HIGHEST LEVEL OF PROTECTION FOR VALUABLE CONTENT WITH A “CONTENT PROVIDER – USER SCREEN” SCHEME!!!
[Diagram: Content provider; DRM protected content; Isolated trusted environment; DTCP-IP encryption; PC with a DTCP player; Tablet; HDCP; iDTV with HDMI]
6. SOFTWARE PROTECTION
How it works
In most cases a license for commercial software looks like a file with different parameters used: permissions / restrictions of operations, license duration, number of users, etc. The license file, which is unique to each copy of software, is stored within a protected memory of the FLAK secuter and can never be extracted outside. All transactions with licenses (installation, control, update, review) are executed in an isolated environment of the secuter with either a FLiC software module or the software developers’ module.
!NB Developers can move part of the basic software functionality into the secuter, which is strongly recommended !!!
FORGET THE PROBLEM OF YOUR SW ILLEGAL DISTRIBUTION OR USAGE!!!
[Diagram: License server; SW License providing; Isolated trusted environment; License storage; PC-Secuter protected session; Software running on PC]
7. LogME. Threats and Recommendations
Threats
Password lexical algorithms’ match
Password theft from user PC (imitation, key loggers, browser cache analyzers)
Password theft from WEB service servers
All user accounts are dependent on email account security
Recommendations
Use only “rules to follow” passwords
Limit number of wrong password entries
Don’t save passwords on PC
Don’t login via keyboard
Check source of WEB login form
Don’t store passwords on WEB servers
Use open/public keys and certificates methods for authentication
Provide maximum security to the email account itself
Are you really able to follow all these mazy rules???
8. LogME. Main Technology Principles
DigiFlak proprietary chrysalis intended for safe and easy authentication procedure on remote WEB sites
Password based and certificate based solutions are provided:
No less than 20 random symbols’ auto-password generated by hardware facilities of the FLAK secuter;
Password is unique for every user account;
User doesn’t know the password;
Password never comes out of the device secured internal core in unencrypted form;
Could not be simpler and securer.
9. (password based)
Initial registration
During initial registration on a remote WEB site the secuter acquires an SSL certificate from the server. Then it initiates its own SSL session with the WEB browser (with a FLAK certificate), gets the login name from the user and generates a random password according to certain security rules. After that the secuter gets the login name from the browser, encrypts both the login name and the generated password and sends them to the remote WEB site. Simultaneously, the server certificate, login name and generated key are stored in a secure file system of the secuter.
[Diagram: SSL server / SSL client pairs, with the steps below]
1. SSL certificate acquisition
2. Login request
3. Login dispatch
4. Password generation
5. Certificate and login/password pair safekeeping
6. Encrypted login name and password sending
Login procedure
At the next login the secuter authenticates the server with the stored certificate and, if it is a success, both the login name and password are sent to the server in an SSL session. The user communicates with the site via the secuter certificate, which is a guarantor of safe connection.
Positive
Advantages
Following proven technology principles like secure login/password storage and easy registration/login procedures, this approach allows implementation with no expenses on the server side since all sites now support password authentication.
NO SERVER MODIFICATION REQUIRED!!!
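The two decisions the password-based flow depends on, as an added example (not DigiFLAK code): generating a per-account password of at least 20 random symbols at registration, and releasing it at login only when the server presents the certificate stored at registration. `CredentialStore`, `register`, `release` and the sample certificate bytes are assumptions for illustration, and a SHA-256 fingerprint comparison stands in for "authenticates the server with the stored certificate".

```python
import hashlib
import secrets
import string

MIN_LENGTH = 20  # the page's floor: "no less than 20 random symbols"
ALPHABET = string.ascii_letters + string.digits + string.punctuation


class CertificateMismatch(Exception):
    """The server certificate differs from the one stored at registration."""


class CredentialStore:
    """Hypothetical stand-in for the secuter's secure file system."""

    def __init__(self):
        self._records = {}  # (site, login) -> (cert fingerprint, password)

    def register(self, site, login, server_cert_der, length=MIN_LENGTH):
        """Generate a password for one account and bind it to the server certificate."""
        if length < MIN_LENGTH:
            raise ValueError("password shorter than the 20-symbol minimum")
        if (site, login) in self._records:
            raise ValueError("account already registered; refusing to overwrite")
        password = "".join(secrets.choice(ALPHABET) for _ in range(length))
        fingerprint = hashlib.sha256(server_cert_der).hexdigest()
        self._records[(site, login)] = (fingerprint, password)
        return password  # sent once to the site, inside the TLS session

    def release(self, site, login, presented_cert_der):
        """Return (login, password) only if the server shows the stored certificate."""
        fingerprint, password = self._records[(site, login)]
        if hashlib.sha256(presented_cert_der).hexdigest() != fingerprint:
            raise CertificateMismatch(site)
        return login, password


# Constructed sample input: placeholder bytes standing in for DER certificates.
SITE_CERT = b"constructed-der-bytes-of-the-registered-site"
LOOKALIKE_CERT = b"constructed-der-bytes-of-a-lookalike-site"


def demo():
    """Register one account, log in once, then face a server with another certificate."""
    store = CredentialStore()
    store.register("shop.example", "alice", SITE_CERT)
    login, password = store.release("shop.example", "alice", SITE_CERT)
    try:
        store.release("shop.example", "alice", LOOKALIKE_CERT)
        blocked = False
    except CertificateMismatch:
        blocked = True
    return login, len(password), blocked
```

Binding the credential to the whole certificate means a routine certificate renewal by the site is indistinguishable from an impostor, so a design like this needs a deliberate re-enrollment step.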
10. (certificate based)
Authentication
The approach is based on mutual SSL authentication with a client-authenticated TLS handshake. The client certificate authenticates the user and, instead of a password, a private key is stored in the secuter. In this case there are only public keys on the server side, and stealing them is of no use to potential attackers.
[Diagram: SSL server / SSL client pairs, with the steps below]
1. SSL certificate acquisition
2. Login request
3. Login dispatch
4. Certificate generation and safekeeping
5. SSL client certificate sending
Advantages
This approach solves security problems with the account data stored on the server. It also doesn’t require an upgrade of the server and can be activated on the server side with a system setup.
TOTAL SECURITY PROVIDED!!!
11. LogME. Useful features
Data sync
Afraid to forget your device? In a bar, taxi, friend’s home, old suit...
With the Data Sync approach you can forget about your fear to forget!
OR
Backup with FLAK servers will allow you to enjoy mobile security as well!
Android or iOS LogME app
[Diagram: FLAK server site; Home; Your backup FLAK; Your FLAK; Everywhere]
12. FLAKstream. Main Principles
FLAKstream
FLAK proprietary technology of high throughput real-time network traffic scanning and analysis powered by Kaspersky SafeStream
HOW IT WORKS
FLAKstream technology allows for filtering incoming and outgoing IP packets based on specified criteria and signature analysis according to given URL values. This technology efficiently implements functions of streaming antivirus, firewall, parental control, Data Leakage Prevention, etc. All incoming and outgoing IP traffic to/from the host PC is intercepted by the secuter, where all data is filtered and scanned by the FLAK engine employing dedicated hardware accelerators. After detecting a potential or real threat the secuter blocks the infected object and warns the user of a possible danger.
NO NEGATIVE INFLUENCE ON HOST PERFORMANCE.
THREATS, VIRUSES AND MALWARE ARE BLOCKED BEFORE GETTING INTO PC.
[Diagram: Internet; Untrusted Internet data; Redirect to FLAK; FLAK Device (Firewall, Stream antivirus, Parental control, DLP); Verified internet to the user]
13. FLAKnet. Main Principles
FLAKnet
With FLAKnet proprietary technology you can create secure virtual networks with no specific knowledge or surplus cost
HOW IT WORKS
With FLAKnet technology the FLAK secuter users can integrate their personal computers and mobile devices in a secure virtual network without complicated settings and profound knowledge. It is enough to enter the flak-ID of the device to be connected to the network and get a mutual confirmation on the connection. A virtual network can be based on any physical connections to the Internet. The secuter will automatically determine and configure all connection settings. To match the flak-ID with the current IP address of the device, the FLAKnet sync server is used. After setting up a connection the secuter sends information about its current IP address to the sync server and gets back information about the IP address of the connected device. Connections and network management are supported by open source software, like OpenVPN.
CREATE A SECURE VIRTUAL NET? FLAK MAKES IT EASY!!!
[Diagram: Company Headquarters; Secured Network; FLAK PRO; Business trip; FREE WIFI; FLAK Classic; Business dinner; FREE WIFI; FLAK mobile]
14. FLAKmobile. Main Principles
FLAKmobile
DigiFlak proprietary solution, applying FLAK platform and technologies like FLiC, LogMe, FLAKstream, FLAKnet, etc. to mobile domain
Solution for USB OTG devices
The solution assumes FLAK mobile secuter connection to microUSB interfaces of mobile devices. The Flak Mobile (as FLAK Classic (non mobile) does) supports USB 2.0 and NFC interfaces as well as basic FLAK applications including Firewall and VPN. It doesn’t have an external network interface – the FLAK driver on the Host intercepts all incoming and outgoing traffic and forwards it to the secuter via microUSB.
SMALL DIMENSIONS 1x2cm
LOW CONSUMPTION
microUSB INTERFACE
[Diagram: microUSB; NFC]
15. FLAK Mobile. Main Principles
Solution for devices with ARM TrustZone or Intel TxT support
This solution consists of a SeOS implementation for ARM TrustZone and the LogMe, FLiC, FLAKNet and FLAKstream technologies as applications for Android/iOS/Windows OS. Thus, if a mobile device supports TrustZone, then SeOS is installed as a complementary OS. The FLAK technologies are implemented as SW applications for the primary OS.
Within this approach the FLAK secuter is required for primary personalization of the mobile device and sync or backup of confidential information and licenses. The same approach is applicable for mobile devices with Intel Trusted eXecution Technology (Intel TxT) support.
NO EXTERNAL DEVICE
USAGE OF WELL-RECOMMENDED TECHNOLOGIES
FLAK APPS IN ANDROID PLAY MARKET AND IOS APP STORE
[Diagram: Secure OS]
16. Thank you for your attention!
www.digiFLAK.com