Bunker mail security

SIMPLE. STRONG. ENCRYPTION.

SecurityOverviewBunkerMail encryptionand key exchange

October 7, 2010 GlobalCrypto.com

© 2010. Global Crypto Systems.

Todd Merrill, CEO GlobalCrypto

@ToddMerrill

[email protected]


Challenges with PCI-DSS

Requirement 3: (Encrypt at Rest)

“Protect stored cardholder data”

Crypto-key distribution

Requirement 4: (Encrypt in Motion)

“Encrypt transmission of cardholder data across open, public networks”

Requirement 8: (Strong Authentication)

“Assign a unique ID to each person with computer access”



We distribute Crypto keys to web users

We hide crypto in digital pictures Steganography!

User credential contains (AES encrypted):

RSA-1024 user key pair (public-private)

RSA-2048 public key for BunkerMail application

Dual digital signatures for Authentication


Authentication

Strong, Multi-Factor Authentication >Picture = Virtual Smartcard>Password is never transmitted or stored

Bi-directional Authentication

Sessions are encrypted using unique AES key exchanged upon Authentication (via our PKI)

HTTPS used in addition, (redundant)

globalcrypto.com/knowledge-center-overview


Authentication


Encryption—end-to-end

Private Note and Attachments are encrypted with unique AES keys.

AES keys are encrypted with BunkerMail public key (RSA-2048).

BunkerMail decrypts the AES keys and re-encrypts them with the public key(s) of recipients

AES keys are escrowed if a user is not in the system (no public key yet)



Ideal technical solution

Encrypts at rest

Encrypts in motion, end-to-end

Provides audit logging, robust audit trail

Housed in a secure data center

Provides encrypted, automated archival

Enforces strong, unique access controls

Simple to use

Bunker mail security

Technology

unique aes key

bunkermail public key

public networksrequirement

crypto keys

unique id

unique access controlssimple

user credential

strong authenticationassign