Last Mile Communications: Ownership and Security with Lochbox
In 2017, the US Department of Homeland Security issued a security report (DHS, 2017, p. 53) strongly discouraging the use of provably-open mobile calls and SMS text messages while declaring the use of landlines as no more secure. Convenience and complacency are the two main factors for an organization’s failure to secure their “last mile” communications (i.e. voice, video, and texts).
Attorney-client privilege is lost in this last mile when such voice and text com- munications are not clearly delineated and can be consumed by unrelated parties (Ginsburg, 2017). HIPAA-compliance is another example where the securing of these last mile communications is required. While healthcare pro- fessionals are likely to protect themselves in order to avoid penalties (e.g. a
$50,000 fine per SMS text message) through legal waivers, there is little done for the insecure communications with patients and family caregivers over their unsecured devices.
For background see:
• Why IT Security Needs Therapy (Menges, et al., 2022)
• Are you really the product? (Oremus, 2018)
• Chinese hacker group . . . target [supply chain] (Lucian Constantin, 2020)
• Fed shares insight on how to combat synthetic identity fraud (Owaida, 2020)
• The Workaday Life of the World’s Most Dangerous Ransomware Gang (Burgess, Matt, 2022)
• How Democracies Spy on Their Citizens (Farrow, Ronan;, 2022)
OWNER-CONTROLLED KEY SERVER
Lochbox provides account owners with an independently controlled key server for the exclusive maintenance and custody of their organization’s encryption keys. This key server can run on-premise in the owner’s DMZ, in a hosted data center, or in the cloud. The owner has absolute control and access of their key server, minimizing the risks of security breaches.
When first installed, and anytime thereafter, the owner, or the owner’s security administrator creates an asymmetric, public-private key pair. Best practices re- quire that the private key is created on and never leaves this owner controlled server (ISO11770, 2010,2015).
As needed, the owner’s key server then generates a symmetric key for every conversation between end-users within the owner’s organization (ISO11770, 2020).
A business or organization can use Lochbox to coordinate, establish, and conduct communications among their staff and between their staff and clients. Lochbox enforces the business or organization as the owner of the communications.
DISPOSABLE ASYMMETRIC KEY PAIRS FOR DEVICES
Lochbox tracks the authentication of devices separate from the authentica- tion of the device’s human users. When a device first connects to the Lochbox servers, an asymmetric key pair is created on the device so that the private key can securely remain on the device. This key pair is subsequently used to both identify the device to Lochbox and coordinate secure network pipes (e.g. TLS and WebRTC) as well as secure data exchanges (e.g. Diffie-Hellman).
The device certificate (the public portion of the asymmetric key) can be flagged if the device is stolen, has too many failed login attempts, or shows a broken software tamper seal. A flagged device would require the owner’s ad- ministrative approval to reactivate with a new device asymmetric key pair.
AUTHENTICATION OF THE HUMAN USING THE DEVICE
Strong passwords are required to authenticate the human using a device. This includes the use of 2nd factor authentications through authenticator apps, as recommended. (ISO27002, 2013)
CONTENT DECRYPTED FOR AUTHORIZED EYES ONLY
Trusted devices with authenticated users can request the symmetric decryp- tion key for any content that they are directed to present. The requested sym- metric key is first encrypted using the device’s public key certificate then deliv- ered over a secured TLS connection. With the private key only existing on the device, only the device will be able to decrypt the symmetric content decryp- tion key. As the relationship between the owner of the communication content changes, future access to these content decryption keys can be removed or reassigned. (ISO11770, 2020)
SCRUBBING THE DEVICE
Content on the device is only cached in memory and not stored. Local and remote events will cause the memory to be wiped and dumped from the ap- plication’s memory pool. This includes the human logging out, having the login expire, a broken tamper seal on the application, a signal of revocation from the server, or a change of authorization to the content from the owner’s adminis- trator.
Owner-controlled security provides the best practice for protecting last mile communications for businesses and organizations.
Burgess, Matt. (2022, March 16). The Workaday Life of the World’s Most Dangerous Ransomware Gang. WIRED. Retrieved from https://www.wired.com/story/conti-leaks- ransomware-work-life/
DHS. (2017, April). Study on Mobile Device Security. Retrieved from Official website of the Department of Homeland Security: https://www.dhs.gov/sites/default/files/publi- cations/DHS%20Study%20on%20Mobile%20Device%20Security%20-%20April%20 2017-FINAL.pdf
Farrow, Ronan;. (2022, April 14). How Democracies Spy on Their Citizens. The Surveil- lance States. The New Yorker. Retrieved from https://www.newyorker.com/maga- zine/2022/04/25/how-democracies-spy-on-their-citizens
Ginsburg, S. D. (2017, March 16). How to Lose Attorney-Client Privilege. Retrieved from The American Bar Association: https://www.americanbar.org/groups/litigation/com- mittees/business-torts-unfair-competition/practice/2017/how-to-lose-attorney-cli- ent-privilege/
ISO11770. (2010,2015). Information technology — Security techniques — Key management — Part 1: Framework; Part 3: Mechanisms using asymmetric techniques. Geneva, Switzer- land: International Organization for Standardization.
ISO11770. (2020). Information security — Key management — Part 5: Group key management.
Geneva, Switzerland: International Organization for Standardization.
ISO27002. (2013). Information technology — Security techniques — Code of practice for in- formation security controls. Geneva, Switzerland: International Organization for Stan- dardization.
Lucian Constantin. (2020, March 25). Chinese hacker group APT41 uses recent exploits to target companies worldwide. Retrieved from CSO: https://www.csoonline.com/arti- cle/3534003/chinese-hacker-group-apt41-uses-recent-exploits-to-target-companies- worldwide.html
Menges, U., Hielscher, J., Buckmann, A., Kluge, A., Sasse, M. A., & Verret, I. (2022, February 08).
Why IT Security Needs Therapy. In C. Springer, S. Katsikas, C. Lambrinoudakis, N. Cuppens,
J. Mylopoulos, C. Kalloniatis, W. Meng, . . . M. Sotelo Monge (Eds.), Computer Security. ESORICS 2021 International Workshops (Vol. 13106, pp. 335–356). Springer Interna- tional Publishing. doi: https://doi.org/10.1007/978-3-030-95484-0_20
Oremus, W. (2018, April 27). Are You Really the Product? (The history of a dangerous idea.).
Retrieved from SLATE: https://slate.com/technology/2018/04/are-you-really-face- books-product-the-history-of-a-dangerous-idea.html
Owaida, A. (2020, July 06). Retrieved from we·live·security™ by ESET: https://www.welivese- curity.com/2020/07/06/fed-shares-insight-how-combat-synthetic-identity-fraud/
Copyright © 2022 Lochbox, LLC