WindTalker VECTOR™
Baseline Configuration Build 2.1
Introduction
This document serves as the master features descriptions for WindTalker VECTOR™. Terminology used in
this document is in accordance with the WindTalker Terminology Guide published separately from this
document. This document does not specify any system requirements, except anecdotally.
Format of Feature Descriptions
Feature Name
A short description of what the feature does or performs is presented first.
Detailed implications for the User are presented next, to explain the effect of using the feature as
well as any benefits of using that particular feature.
Feature Categories
• General
• Credentialing & Profiles
• Key Archival & Vaulting
• Filtering & Geo-Fencing
• Role Key Tiers
These categories are designed to organize this document into realistic segments for readability.
Features of this system can be reorganized for collateral as desired. The purpose of this document is to
outline with specificity the features of the baseline WindTalker VECTOR™. This includes the WindTalker
VECTOR™, the Controller Application, and the SDKs.
Note about the Controller Application: The WindTalker Controller application is where most of the
WindTalker features are managed. For this reason, the features are broken down into logical
categories.
WindTalker™: set your data free
www.windtalkersecurity.com
SECTION 1: General Features
Key Serving
WindTalker serves cryptographic keys across any IP-addressable network.
WindTalker is a standardized web service. The system abstracts the concept of a cryptographic key
into what is known as Role Keys. Role Keys provide all the cryptographic material to derive keys to be
used for confidentiality and integrity of sensitive information, as well as other data fields to provide
rapid and easily identifiable characteristics to a given Role Key such as a name and color.
There are two distinct and separate services on a VECTOR server. The first is used by plug-ins and
WindTalker-enabled applications to provide Role Keys and their derived encryption key material. The
second is a more restricted service accessed by the WindTalker Controller application, for managing
the system.
Controller Application
WindTalker comes with a robust Controller application to manage the system.
The WindTalker Controller is how administrators manage the WindTalker system. It is designed to be
accessed as a remote application. This helps prevent man-in-the-middle intercepts while
allowing remote access to the application for system administrators. A built-in virtual keyboard can be
used to prevent key-logging attempts on systems where the Controller Application is installed.
Additionally, the Controller Application uses the same secure connection technology for management
processes as it does for normal Role Key security requests made by plug-ins and other
WindTalker-enabled software. Throughout this document, various features will refer to their
management via the Controller application.
No Certificates Required
X509 certificates require an existing Public Key Infrastructure (PKI). WindTalker doesn’t need them.
WindTalker’s advanced connection technology uses dual elliptic curve Diffie-Hellman (ECDH)
exchanges with advanced protections against man-in-the-middle attacks. WindTalker requires this
secure connectivity for everything that uses the VECTOR system. WindTalker’s secure tunnel seamlessly
works within an organization’s existing network security controls (SSL, TLS, IPSec, VPN, etc.) but does not
require them for secure communications. WindTalker can be used over both secure and insecure
networks.
Holistic Key Management
A few keys can unlock a world of easy data protection – anywhere, any time.
WindTalker is a holistic way to secure the cloud. Your data can protect itself anywhere. The same blue
‘Operations’ Role Key can secure your Word documents, your phone calls, your text and chat, and
even your stored database – in any database. WindTalker is a single comprehensive tool that makes
security a one-step solution.
Simplified Security
We kept what works; changed what doesn’t.
WindTalker is a “digital do-over,” built on the DNA of best-in-class information security practices. We
took the things that work, skipped the parts that hackers have figured out, and then started covering
whiteboards with ideas. We shook the entire process upside down, turned it on its ear, then locked it
down and made it easy to use. You can even build WindTalker-enabled applications yourself – without
being a cryptographer.
Software Development Kit
Extend WindTalker to your applications with ease.
WindTalker is easy to integrate. We have given our methods names like: encrypt, find key, and get key
value. The programmers at WindTalker understand good SDKs. You’ll spend less time worrying about
security, and more time polishing your own code.
Prolific Logs
WindTalker logs provide accountability.
WindTalker logs everything. We make it possible to see who is accessing – or trying to access – your
information and your system. Our engineers are currently developing new monitoring tools that will
make real-time system monitoring a snap. You can even use your existing log monitoring tools if you
like.
Interchangeable Algorithms
WindTalker is encryption engine-agnostic, allowing you to adapt your encryption at will.
We use AES-256 as our default algorithm, but have integrated 3DES, Twofish and Blowfish as well, and
additional algorithms are available. You can select any of these algorithms for any Role Key. If a
newer algorithm comes along, we will add it to our growing library. We stay well ahead of the radar
detectors. No need to re-invent the encryption wheel either – WindTalker is all about how encryption is
applied.
Windows, JAVA, Android
WindTalker is blurring boundaries rapidly.
WindTalker is all about making life easier. We wrote our SDKs to be compatible with Windows
Cryptography Next Generation Library (WIN CNG), Bouncy Castle (JAVA encryption library) and
Spongy Castle (Android instantiation of Bouncy Castle). We went further – our libraries talk to each
other!
iOS and C/C++ are in development, so stay tuned.
Central Control of Security
WindTalker puts universal cryptographic control at a central command point.
Whether due to malice or simple human error, the “inside job” frequently causes priceless data to be
compromised. With WindTalker, access is easily controlled from a single centralized application.
Permissions can be granted or revoked immediately to make security manageable and highly
responsive.
Role Key Objects
WindTalker turns cryptographic keys into something anyone can understand.
WindTalker Role Keys are designed to make sense to the end user. Protection that is based on established
roles or security protocols is easy to comprehend. The system assigns a name and color to each Role
Key as well. This makes for easy identification and a greatly enhanced user experience. WindTalker
manages the actual cryptographic values and hashes under the hood. Controller operators cannot
even access the values directly. This adds to the security of the system. No one needs to see the
cryptographic key values for any reason, and Role Keys themselves are never actually used to encrypt
data directly, rather they are used to derive data encryption keys. When people quickly learn that the
“Blue Key” is the Role Key that is to be used to protect Social Security numbers, the user training is
complete. Easy identification and name/color pairing make WindTalker extremely intuitive.
Complete Extensibility
Many companies want their source code to remain private. WindTalker answers this call.
Want security in your software without it being visible to anyone else? Are you providing software to
your clients and need to provide them cloud-capable security that actually protects their data
anywhere? WindTalker will unleash your developers in new ways. Extend WindTalker in any direction
you desire. Protect anything. Stay in the native file format. Invent new file formats. With WindTalker, you
can simplify, simplify, simplify. Set your data free with easy-to-use, easy-to-sell, and easy-to-administer
Role Based Access Security (RBAS)™ – a generation beyond RBAC.
WindTalker Servers: Next Generation Security in a Box
WindTalker comes as a box, can be loaded bare-metal, or can run as a virtual machine.
WindTalker is already available as a Software as a Service (SaaS) solution and can be globally
provisioned within minutes. Alternatively, WindTalker can be installed on individual servers, or can be
run as a set of virtual machines. The WindTalker framework can support any level of scaling required for
even the largest of enterprises. Global Role Key distribution is now a reality.
SECTION 2: Credentialing & Profiles
Advanced Credentialing
WindTalker credentials both man and machine, providing flexible security that extends outside the
enterprise.
WindTalker makes it possible to grant permissions based on not only who a person is, but on which
device they are using WindTalker. This allows security managers to permit certain Role Key access on
machines and computers at work, while restricting what information is available on personal devices or
portable corporate devices in the field. Role Keys can be assigned in three categories:
User – User Role Keys are available to a User on any WindTalker-enabled device/application.
Machine – Machine Role Keys are available to an authorized device or computer as long as any
authorized WindTalker User is logged in.
User and Machine – User and Machine Role Keys are provided to a User if both they and the device
they are on are authorized a particular Role Key.
These specifications support tailoring permissions far beyond any existing traditional key management
systems.
Role Key Permissions
Read, Write and Print permissions can be managed for each Role Key.
WindTalker supports specific permission flags for each Role Key. These permissions are set for each User
and the Roles to which they are assigned. They can be tailored individually. It is up to the plug-in or
application to enforce these permissions. When a User receives a Role Key, they also receive the flags
by which this permission can be enforced. This allows massive flexibility for developers to provide
extremely tight security protocols within their applications.
Editable Role Keys
Changing the name, color or any other parameter of a Role Key is a snap.
The Controller application provides for easy modification of Role Key fields under the Role
Management menu item. Note: If you alter an algorithm setting, the VECTOR server will automatically
archive the existing values of that Role, and then reassign a new cryptographic value to the new
algorithm. This is done to enable access to data already protected by the original Role and its original
algorithm.
Role Key Scheduling for Users
Tailoring permissions has never been so easy.
With WindTalker, you can now schedule limitations for a Role Key for any User. You can set different
schedules for each Role Key a User has access to. Total freedom, immense capability, the way you
want it to be. The Controller application allows any Role Key assigned to any User, to be scheduled for
times it is available. If no schedule is set, the Role Key is always available to that User when logged in
on a WindTalker application or device (default).
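The three assignment categories, the per-User permission flags and the optional availability schedule described above can be modelled as one access decision. This is an added illustration, not WindTalker SDK or Controller code; every class, constant and function name here is a hypothetical stand-in.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, Optional, Tuple

# Constructed model of the User / Machine / User-and-Machine categories, the
# Read/Write/Print flags delivered with a Role Key, and the per-User schedule.
# All names are hypothetical; this is not the WindTalker SDK or Controller API.
USER, MACHINE, USER_AND_MACHINE = "User", "Machine", "UserAndMachine"

@dataclass(frozen=True)
class RoleKeyGrant:
    name: str                       # e.g. "Blue"
    category: str                   # USER, MACHINE or USER_AND_MACHINE
    flags: FrozenSet[str]           # subset of {"read", "write", "print"}
    window: Optional[Tuple[time, time]] = None  # None = always available (default)

@dataclass(frozen=True)
class Session:
    user_logged_in: bool     # an authorized WindTalker User is logged in
    user_holds_key: bool     # that User is assigned this Role Key
    device_holds_key: bool   # the device/computer is assigned this Role Key
    now: datetime

def category_permits(grant: RoleKeyGrant, s: Session) -> bool:
    """Apply the User / Machine / User-and-Machine rule."""
    if grant.category == USER:
        return s.user_logged_in and s.user_holds_key
    if grant.category == MACHINE:
        # Machine keys follow the device, but only while an authorized User is logged in
        return s.user_logged_in and s.device_holds_key
    if grant.category == USER_AND_MACHINE:
        return s.user_logged_in and s.user_holds_key and s.device_holds_key
    raise ValueError(f"unknown category {grant.category!r}")

def schedule_permits(grant: RoleKeyGrant, s: Session) -> bool:
    """No schedule means the Role Key is always available (the default)."""
    if grant.window is None:
        return True
    start, end = grant.window
    return start <= s.now.time() <= end

def serve_role_key(grant: RoleKeyGrant, s: Session) -> Optional[FrozenSet[str]]:
    """Return the permission flags delivered with the Role Key, or None if it is
    withheld. Enforcing the flags (e.g. refusing to print) stays the application's job."""
    if category_permits(grant, s) and schedule_permits(grant, s):
        return grant.flags
    return None
```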
Profile Management
WindTalker provides convenient ways to assign Role Keys to Users.
WindTalker’s Controller allows administrators to define Profiles to which Role Keys can be assigned. For
example, if all nurses need access to the Nursing, Medications, Personal Health Information and Patient
Tracking Role Keys, those Roles can be assigned to the All Nurses profile. Then any new nurses hired
can be assigned to that profile, and the correct Roles are automatically assigned. More importantly, a
great deal of effort is saved if suddenly a new Role Key needs to be allocated to every nurse. Simply
adding it to the profile makes it accessible by all nurses. The opposite is also true if a Role Key is no
longer permitted to all nurses.
SECTION 3: Key Archival & Vaulting
Easy Archival: Changing a Role Key Value
WindTalker makes replacing a cryptographic value as easy as a mouse click.
If a Role Key is, for any reason, compromised, assumed to be compromised, or if a security manager
simply wants to alter its value, the controller allows this with a simple mouse click. Archiving a Role Key
automatically replaces its cryptographic value as well as its HMAC value. It is done instantly.
Auto Updating of Archived Keys
Your system manager just archived a Role Key. What about my existing documents?
With WindTalker, when an application or plug-in properly requests a Role Key that has been archived,
the VECTOR server responds by providing two values: The old value for decryption, and the current
value for re-encryption. This means that in order to update any document whose protected data was
temporarily orphaned when the Role Key was archived, all a User must do is open the document.
WindTalker updates the document automatically. (This functionality is the responsibility of the
application or plug-in, as per the WindTalker SDK). Auto-scout tools can be used to perform this
operation on document repositories.
Scheduled Archival
Archival scheduling is for those who want to be especially cautious with their data.
We believe in making security painless, powerful, and easy to be picky about. If you want to use fresh
values for your Role Keys, you can schedule any given Role Key for automatic Archival on a daily,
weekly, monthly, or annual basis. Policy management can be
established to fit any level of security needs with this powerful feature.
Archive Vaulting
For rapidly or constantly archived Role Keys, Vaulting is available.
Most security managers will set a time-period of support for how long archived Role Keys will be
available on the system. After this period, they will typically Vault the Role Key Archives. This dismounts
the Role Keys into a file, and those Archived Role Keys will no longer be available. If a plug-in requests
a Vaulted Role Key, the return error code will indicate to the plug-in that the particular Archived Role
Key has been Vaulted. The system administrator or security manager can remount a given Role Key to
be used and then re-Vault as desired. This allows database size control and security by limiting the
number of Archived Role Keys being retained on the system.
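The archive, two-value response and Vaulting behaviour of the three features above can be walked through end to end: a document sealed under one Role Key value, the Role Key archived, the document re-encrypted on open, and an error once the old generation is Vaulted. This is an added model written for this page, not VECTOR server or SDK code; the server class, error code, generation numbering and the keystream cipher are all hypothetical stand-ins.

```python
import hashlib, hmac, os

# Constructed model of archival, the two-value response and Vaulting. Names,
# error code and cipher are hypothetical; not the VECTOR server or SDK code.
ERR_VAULTED = "ERR_ARCHIVED_ROLE_KEY_VAULTED"  # placeholder error code

class VectorServer:
    def __init__(self):
        self.current = {}     # role -> (generation, 32-byte value)
        self.archived = {}    # (role, generation) -> value still mounted
        self.vaulted = set()  # (role, generation) dismounted to a file
    def create(self, role):
        self.current[role] = (1, os.urandom(32))
    def archive(self, role):
        """Keep the old value for decryption; mint a fresh current value."""
        gen, value = self.current[role]
        self.archived[(role, gen)] = value
        self.current[role] = (gen + 1, os.urandom(32))
    def vault(self, role, gen):
        self.vaulted.add((role, gen))
        self.archived.pop((role, gen), None)
    def request(self, role, gen):
        """Current value only, or old + current if gen is archived, or an error."""
        cur_gen, cur_val = self.current[role]
        if gen == cur_gen:
            return {"current": (cur_gen, cur_val)}
        if (role, gen) in self.vaulted:
            return {"error": ERR_VAULTED}
        return {"old": (gen, self.archived[(role, gen)]), "current": (cur_gen, cur_val)}

def crypt(value, nonce, data):
    # Keystream XOR under a data key derived from the Role Key value (never the value itself)
    dek = hmac.new(value, b"dek", hashlib.sha256).digest()
    stream = b"".join(hashlib.sha256(dek + nonce + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(server, role, plaintext):
    gen, value = server.current[role]
    nonce = os.urandom(12)  # fresh per document so keystreams are never reused
    return {"role": role, "gen": gen, "nonce": nonce, "body": crypt(value, nonce, plaintext)}

def open_document(server, doc):
    """Decrypt with whichever value protected the document; if that value has
    been archived, re-seal under the current value as part of opening."""
    resp = server.request(doc["role"], doc["gen"])
    if "error" in resp:
        raise PermissionError(resp["error"])
    cur_gen, cur_val = resp["current"]
    old_val = resp["old"][1] if "old" in resp else cur_val
    plaintext = crypt(old_val, doc["nonce"], doc["body"])
    if cur_gen != doc["gen"]:
        doc.update(seal(server, doc["role"], plaintext))
    return plaintext
```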
SECTION 4: Filtering & Geo-Fencing
IP Filtering
WindTalker goes beyond access control by providing the ability to grant or restrict Role Keys by IP
address or range.
One of the extremely powerful features of WindTalker is the ability to add yet another layer of
hacker-proofing to the system by means of IP filtering. While it is possible to spoof IP addresses,
WindTalker enables IP filtering in both whitelisting and blacklisting. This gives administrators another
way to determine exactly who gets what access and from where. Simply setting an allowable set of IP
ranges, or restricting known malicious IP ranges, in the Controller application allows far better security
control of WindTalker. This is a very powerful capability that is a snap to use.
Geo-Fencing
As if IP filtering was not enough... Now you can restrict or grant Role Keys down to a spot on the planet.
Want to make the Blue Key only available inside city limits? How about restricting Top Secret access to
the Green Zone in Iraq? How about preventing any NATO user access from anywhere within China?
Wow, if only that was possible…wait, it is! WindTalker allows precision control of both whitelisted and
blacklisted geo-fences for any given Role Key. Stack this on top of IP filtering, and WindTalker’s robust
credentialing (User/Device), and you get access control previously unimaginable. This concept was
developed for our military customers, but we make it available to anyone. Grant permissions based on
location to whatever geo-position and range you need. Any location-based smart device can use this
feature. Mobility has never been so secure.
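IP filtering and geo-fencing, stacked as the two sections above describe, come down to one per-Role-Key decision: blacklists always win, a whitelist must match when one is defined, and a Role Key carrying a geo-fence is withheld when the device reports no position. This is an added illustration, not the Controller's own data model; the class, method names and the constructed networks and coordinates used in the check are hypothetical.

```python
import ipaddress
import math

# Constructed model of per-Role-Key IP filtering and geo-fencing. Class and
# method names are hypothetical; this is not the Controller's own data model.
class RoleKeyFilter:
    def __init__(self):
        self.ip_allow, self.ip_deny = [], []     # whitelisted / blacklisted networks
        self.geo_allow, self.geo_deny = [], []   # fences as (lat, lon, radius_km)

    def allow_ip(self, cidr): self.ip_allow.append(ipaddress.ip_network(cidr))
    def deny_ip(self, cidr): self.ip_deny.append(ipaddress.ip_network(cidr))
    def allow_geo(self, lat, lon, km): self.geo_allow.append((lat, lon, km))
    def deny_geo(self, lat, lon, km): self.geo_deny.append((lat, lon, km))

    def permits(self, ip, position=None):
        """Blacklists always win; a non-empty whitelist must match. A Role Key
        carrying any geo-fence is withheld when the device reports no position."""
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.ip_deny):
            return False
        if self.ip_allow and not any(addr in net for net in self.ip_allow):
            return False
        if self.geo_allow or self.geo_deny:
            if position is None:
                return False
            if any(inside(position, fence) for fence in self.geo_deny):
                return False
            if self.geo_allow and not any(inside(position, fence) for fence in self.geo_allow):
                return False
        return True

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points given in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def inside(position, fence):
    lat, lon, radius_km = fence
    return haversine_km(position, (lat, lon)) <= radius_km
```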
SECTION 5: Role Key Tiers
WindTalker Trees: Tiered Role Keys
Three hierarchical levels of Role Keys allow access to subordinate Role Keys in one-to-many supervisory
situations.
For effective management and appropriate access to individually-secured data, call-center personnel
may need to be granted access to a customer’s Role Key on a temporary basis. WindTalker calls these
tiers: Trunk, Branch and Leaf.
• Trunk Users can see any Branch or Leaf Role Keys.
• Branch Users can see any Leaf Keys.
Although the system supports two tiers, rarely is the second level of tiers necessary. Tiered Role Keys are a
feature normally required exclusively by the government for classification purposes, and as such is
typically only useful in commercial situations that require separation of access to a customer or client
Role Key on a temporary supervisory nature. This feature allows a single call-center agent to be
granted access to one of potentially millions of individually distributed Role Keys (customer keys),
without requiring the system to maintain a relationship for that call center employee and every
potential client.
This is an advanced feature of the system, and should be implemented very carefully in specific
situations exclusively. It provides flexibility that must be applied correctly.
We are available to assist any organization that desires to implement these types of security layers in
their enterprise.