|
Security Strategies for Mixed Use Mobile Computing Devices
Navy SBIR FY2011.2
| Sol No.: |
Navy SBIR FY2011.2 |
| Topic No.: |
N112-168 |
| Topic Title: |
Security Strategies for Mixed Use Mobile Computing Devices |
| Proposal No.: |
N112-168-0761 |
| Firm: |
SecureComm, Inc
67 S Higley Road
Suite 103-105
Gilbert, Arizona 85296 |
| Contact: |
David Wheeler |
| Phone: |
(480) 577-7042 |
| Web Site: |
www.securecommconsulting.com |
| Abstract: |
Effective protection for data-at-rest in mobile devices cannot be achieved by merely adding encryption and integrity features. Current smartphones contain hundreds of vulnerabilities that allow malware to overcome an App's containment (e.g. sandbox) to access and exfiltrate sensitive data and data protection capabilities. SecureComm proposes the Data@Ease 2.0 software development framework for Android Apps as a comprehensive, malware resistant, data-at-rest solution that provides two-layer COTS protection for data and additional anti-tamper sandboxing. To protect keys and data from exfiltration and modification by malware, Data@Ease 2.0 provides transparent cryptographic protection for data-at-rest and data-in-transit using open source cryptographic libraries, enhanced with anti-tamper technology, and a key management hierarchy with an authenticated Root-of-Trust. Data@Ease 2.0 is an enhancement of SecureComm's Data@Ease 1.5 framework which provides APIs for the open source cryptographic libraries and both an App and end-user authentication service. Data@Ease 2.0 is suitable for tactical JTRS radio and enterprise networks alike, providing a strong authentication service without the key management and certification entanglements of other solutions. The Auth Service provides crucial protection of user and App credentials, providing strong protections against unauthorized use of those credentials to access network resources. Data@Ease 2.0 can be extended with CAC card access. |
| Benefits: |
Data@Ease 2.0 is a cost effective framework and Auth Service that, as an after-market software add-on, is easily incorporated into any network's security arsenal; whether this network be a tactical JTRS network or enterprise network. An App developer simply need compile the Data@Ease 2.0 libraries into their App to provide a mechanism to protect the App's data from unauthorized access or malware incursion. Network providers wishing to offer their users the ability to access the network from their smart mobile devices, can incorporate the Data@Ease 2.0 Auth Service into their network access points and provide their users with a list of Data@Ease enabled Apps that are authorized to be used on the provider's network. The Auth Service provides crucial protection of user and App credentials, providing strong protections against unauthorized use of those credentials to access network resources. The combined use of the Auth Service with the security features in the Data@Ease Enabled App, provide a level of malware resistance and cryptographic key protections to an enabled App that, based on analysis of publically available information, appear to be unmatched in currently available smartphone security solutions. It is not anticipated that this will change until virtualization is affordable and widely incorporated into multiple vendor's smartphones for use in data protection (appx 3-5 years from now). Even when virtualization is widely used for data protection in smartphones, if the hypervisor doesn't fully virtualize hardware devices, there may be potential vulnerabilities in the guest OS that may allow a program to leak out of the virtualized environment and attack the hypervisor. Many of the published solutions that were compared for this SBIR revealed a lack of ability to address the malware threat at all layers of software in the smartphone; nor did they provide two-layer COTS protection for data (another Data@Ease feature). Given the Advanced Persistent Threat and recent hacking exploits by Anonymous and LulzSec, better protections against zero-day exploits are also necessary. Data@Ease provides such protections via anti-tamper technology. Another stand out feature of Data@Ease 2.0 (in the Phase 1 options), is that reverse engineering of Data@Ease 2.0 will be significantly more difficult as compared to other readily available solutions.
The Auth Service is written to support insertion into an embedded system, like the JTRS radio, and is designed to be extensible and scalable to support many simultaneous connections if resident on a web server. The Auth Service does not depend upon pre-provisioned data, certificates or keys, reducing the mission planning efforts that are prone to operator error and troubleshooting activities. This characteristic makes it ideal for a tactical environment.
|
Return
|