Technical

How does it work?

The Synaptic Universal Key Exchange technique introduces the concept of grouping together online key exchange server that share a common interest into federations to increase the scalability of the basic Enterprise Key Exchange technology.

In the Enterprise Key Exchange technology each secure path is protected by a "trusted third party". In the Universal Key Exchange technology we substitute this notion of a trusted third party with a federation of trusted third parties that share common interests, values or nationality.

Each federation has two or more independent TTP organisations. Each TTP organisation manages one or more TTP servers. Each server within the federation can establish secure communications with every other server through the use of large symmetric keys previously negotiated between them. For example each server may have a smart card that was initialised using the Synaptic Group Key Exchange technology. There are several secure scalable initialisation techniques, but we will not discuss them here at this time.

Let us consider a global layer of federations which will be used for interoperability between users. These federations will group organisations by similar ideology or allegiance. For purpose of illustration only we might partition organisations as follows: all western democratic nations in one federation, all democratic socialist organisation in a different federation, all Asian organisations in a federation, and the remaining countries in a final federation. Each smart card is enrolled in one organisation from each of the four federations. In theory each smart card could be assigned to a unique set of servers from the four federations. Communications between any two smart cards at worst requires a maximum of 8 online servers, two from each federation.

While many users are unlikely to believe any one federation will resist the temptation to monitor their portion of the key exchange, many users will perceive it as highly unlikely that collusion will occur between four of the eight organisations belonging to four vastly different federations.

A careful selection of federations that brings together like minded groups will simultaneously result in federations that have increasing distrust or disinterest in the other federations. If governments uses this global communications infrastructure to secure their communications then there is greater interest in ensuring that collusion does not occur by organisations belonging within their federation, and in between federations operating at a global level. Any group seeking to increase their assurance against collusion can extend the system with their own private federation of online key exchange servers.

Additional techniques for improving the trust model within this type of federated ecosystem of online servers have been invented and patent applications filed over them.

See resources section below for more information.

How well studied are the cryptographic techniques used in the system?

All the techniques in the system are well studied and familiar to most cryptographers.

As illustrated on the technical page for the Enterprise Key Exchange the system can be build using globally accepted cryptographic primitives such as AES-256 and SHA-2.

Threshold secret schemes are mathematically very simple and are a mature area of research. For example split secret sharing schemes are used to manage today's mainstream public key certificate infrastructure. Many of the ad hoc mesh network protocols use multi-path key distribution techniques.

Faraday cages for protecting data centers are used by large organisations and governments around the world. The US and NATO TEMPEST standards for Faraday enclosures to protect against monitoring of compromising emanations can be found in the NATO TEMPEST SECAN Doctrine and Information Publication SDIP-27 and USA national security telecommunications and information systems security advisory memoranda (NSTISSAM) TEMPEST publications.

The strength of the system is in its simplicity of construction, its use of smart cards, and the way in which it manages the human trust relationships.

How fast is the key exchange?

Synaptic Labs' Universal Key Exchange has three stages (a) an enrolment stage between the smart cards and the trusted third party (TTP) servers, (b) an initial key exchange between the two smart cards that have previously not met, (c) ongoing key exchanges between the two smart cards that have previously exchange key material.

The enrolment stage requires cryptographic operations that are a little slower than a RSA key exchange.

The initial key exchange between any two devices is predominantly influenced by the overhead of communication latencies.

Ongoing key exchanges between any two devices that have exchanged keys is faster (and computationally less expensive) than key exchanges based on the RSA algorithm.

What advantages does Universal KX have over the nearest competition?

The Universal Key Exchange and Enterprise Key Exchange share many common design features. For the common set of advantages please read here.

A distinguishing feature of the Synaptic Universal Key Exchange is that it enables any group of entities to actively participate in key exchanges to increase their assurance.

Traditional asymmetric key exchange technologies are designed under the assumption that the singular key-exchange operation will remain secure. If the key exchange operation fails, the security of the entire system is compromised.

Traditional symmetric key exchange technologies are designed under similar assumptions to the asymmetric key exchange technologies above.

The Synaptic Enterprise KX and Universal KX protocols are threshold based schemes that remain secure against a collusion of (n-1) out of n trusted paths. The Universal Key Exchange creates 2 or more of those paths using servers residing in the key exchange overlay network.  The number of secure paths and the selection of online serves from the overlay network to participate on those paths may be different for every key exchange operation performed on the Universal KX system. Furthermore the overlay network has been organised in a way that enables global interoperability between users even if they do not trust some of the service providers.  This inherent flexibility in the protocol readily supports the addition of user-defined trusted communications paths for secure communications within a well defined group of users.

For example key exchanges between smart cards enrolled in a company can automatically detect and take advantage of the companies key exchange servers. These key exchange servers managed by the company may require that specific cryptographic algorithms trusted by the company are used for that secure key exchange path. In this way the company and its employees benefits from stronger security for sensitive internal business communications when their system is operational while simultaneously avoiding catastrophic failure if an insider within the organisation breaches the security of their key-exchange servers.

Similar increases in security can be readily achieved within groups of companies, industry consortiums and national regions.

To be clear we emphasise that participation of an additional party in the key exchange process cannot reduce the data privacy or integrity of a key-exchange operation.  Likewise, the system does mandate that a specific server must be used in every key exchange.

As with the Enterprise key exchange, only the first key exchange operation between users who have not previously met need to use the key exchange services of the Universal KX network. After this initial one time operation the users can then communicate securely directly using the large symmetric secrets stored securely in the non-volatile memory of their smart cards.

What is the minimum configuration?

The minimum configuration of the Synaptic Universal Key Exchange is two smart card clients, three relay servers implemented on three independently managed hardware security modules, SHA-256 and access to a small portable Faraday cage during smart card enrolment.

What additional features does it support?

The Synaptic Universal Key Exchange will be combined with the RSA public key algorithm (or an ECC algorithm) to satisfy existing standards and to provide a layered level of defense against adversaries that do not have access to code-breaking quantum computers.

The Synaptic Group Key Exchange can be used when enrolling a smart card into a high-assurance trusted third party server.

How many users does it support in one system?

The number of users within the system is technically unlimited.

A virtually unlimited number of end-to-end keys can be exchanged between smart cards if the smart cards employ the use of a remote online database where the content is entirely encrypted using a secret key generated by the smart card.

The Universal KX is explicitly designed to address the complex trust relationships that exist when relying on services provided by parties with whom the user does not have an established trust relationship. It achieves the necessary trust levels by partitioning organisations in a way that amplifies the existing relationships and allowing users to exploit the mutual distrust between these differing groups of organisation.

How can I integrate Universal KX with my existing system?

Synaptic is developing an application programming interface, a simple secure tunnel protocol and a graphical user application around the Universal KX. The application programming interface will allow the key exchange technology to be integrated into software applications in the normal way. The secure tunnel protocol will allow existing point-to-point network applications to simply change the network address of the destination to a local secure tunnel server which securely relays the material to the destination. The first generation of the graphical application will be a simple work-group collaboration instant messaging program.

Further Information

Additional information is available via the menu bar on the right of the screen under the Universal Key Exchange menu item.

The Universal Key Exchange was presented by Synaptic Labs at the IEEE Key Management Summit 2010.  The presentation titled: "Synaptic Labs' global-scale Identity Management and Cryptographic Key Management Proposal" can be watched as streaming video here.

The Universal Key Exchange has been described in a short 4 page peer reviewed technical abstract presented at the U.S. Oak Ridge National Laboratory - Cyber Security and Information Intelligence Research Workshop. A longer and more detailed version of that paper has been published on ePrint.

Synaptic Laboratories and the Gozo Business Chamber (EU) have co-founded the ICT Gozo Malta cluster of excellence. This cluster of excellence will work in close collaboration with key Government and private stakeholders and leading International companies to develop many of Synaptic Labs' innovative technologies. The Universal Key Exchange proposal will be implemented as part of the ICT Gozo Malta Global-scale Cyber Security project and Exoskeleton extensions. The relationships between projects is visually illustrated here.