CALEA Compliant “Front Door”
without “Back Door” Security Vulnerabilities
Communications used in collaboration within organizations and among particular groups in multiple organizations require a high degree of trust and security. Our solution is a powerful, innovative, secure and scalable software solution to meet these requirements. And it complies with CALEA law.
CALEA Compliance. Our solution provides a rich suite of communications and workgroup tools. It designates one of the organization’s user sign-in identifications as the Registrar. By design, this user id cannot participate in any group communications, but when requested by law enforcement agencies it can be used to access the private and encrypted communication data of a member or members of the organization.
The solution is CALEA compliant because the Registrar has access to the data and can report it to law enforcement through a “Front Door” solution, and it fixes the “Going Dark” problem because the Registrar can decrypt the communication data.
The central idea regarding our technology solution, called the Cyberspace Identity System or CIS, is (a) identity management and (b) secure communication.
CIS Identity Management is based on the Public Key Infrastructure (PKI) X.509 Certificate format and CRL Profile and the related Internet standards. Like other X.509 applications, the CIS is reliable and secure, but unlike other X.509 applications, our solution is built on a decentralized architecture with a distributed key system and doesn't depend on the X.509 Certificate hierarchy, and therefore the CIS can scale with the size of the network.
- User Identification. Before a user can use the system, the user id must be registered with the CIS. During the sign-up session, the user id that is being used to sign up is validated against the registration and will not be allowed to sign up if it cannot be validated. Once signed up, the user is assigned a CIS identity which includes a set of keying materials and a PKI key pair (public and private keys).
- Device Identification. During the sign-up session, the device information is added to the user CIS identity and kept in the server to ensure that the same user id cannot be signed up from another device. The user CIS identity is also kept on the device. For example, the user public key is securely hashed using a 256-bit secret key and the result is kept in the device. Each time the user signs in, the public key, which is kept in the server, is hashed using the same secret key and the result is compared against the value stored in the device.
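The device check described in the last item can be sketched as follows. This is an added example, not CIS code: it assumes the keyed hash is HMAC-SHA-256, the function names are hypothetical, and the public keys are constructed placeholder bytes.

```python
import hashlib
import hmac
import secrets


def device_tag(secret_key: bytes, public_key: bytes) -> bytes:
    """Keyed hash of the user's public key (HMAC-SHA-256 is assumed here)."""
    if len(secret_key) != 32:
        raise ValueError("secret key must be 256 bits (32 bytes)")
    return hmac.new(secret_key, public_key, hashlib.sha256).digest()


def verify_sign_in(secret_key: bytes, server_public_key: bytes,
                   tag_from_device: bytes) -> bool:
    """Recompute the tag from the server's copy of the public key and compare
    it with the value stored on the device, in constant time."""
    expected = device_tag(secret_key, server_public_key)
    return hmac.compare_digest(expected, tag_from_device)


def demo() -> dict:
    secret_key = secrets.token_bytes(32)           # 256-bit secret key
    alice_pub = b"constructed-public-key-alice"    # placeholder, not real DER
    bob_pub = b"constructed-public-key-bob"        # placeholder, not real DER

    # Sign-up: each tag is computed once and kept on that user's device.
    alice_device_tag = device_tag(secret_key, alice_pub)
    bob_device_tag = device_tag(secret_key, bob_pub)

    return {
        # Enrolled device, unchanged server record: accepted.
        "enrolled_device": verify_sign_in(secret_key, alice_pub, alice_device_tag),
        # Alice's user id presented from a device holding Bob's tag: rejected.
        "other_device": verify_sign_in(secret_key, alice_pub, bob_device_tag),
        # Truncated or corrupted tag on the device: rejected, no exception.
        "truncated_tag": verify_sign_in(secret_key, alice_pub, alice_device_tag[:16]),
        # Server-side public key changed after sign-up: stored tag no longer matches.
        "server_key_changed": verify_sign_in(secret_key, bob_pub, alice_device_tag),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The comparison uses `hmac.compare_digest` so that a mismatching tag is rejected without leaking, through timing, how many leading bytes matched.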
CIS Secure Communication builds trusted communities of users based on mutually agreed connectivity and unbreakable strong encryption, while working together to exclude inappropriate membership and intruders. Our solution is built on the principle of strong end-to-end encryption. First, the end point, including user and device, has to be identified and verified. Then we apply the most recently developed industry and government standard strong encryption technologies to methods of data encryption and transmission.
- Customize to your security needs. Our solution approach relies on government and enterprise standards including PKI and encryption protocols but goes well beyond simply packaging standard modules to create a product that can be adapted to meet an organization's specific requirements and enables the organization to maintain complete control over its operation, not relying on external authenticating or administrative operation.
- Secure and trusted connectivity based on identity. Our end-to-end encryption builds on a trusted Internet connection where each end of the connection recognizes the other. To create a connection in our solution, the user (requesting user) must send to CIS the user and device sign-in identification, PKI public key and other CIS-assigned keying materials to use as the identity of the end point. Once the identity is assured, the PKI key pairs can be used to connect to the other end point, create a trusted connection and exchange trusted mutual keying materials with the other user (receiving user).
- Mutually inclusive private communications. CIS secure connections are always mutually inclusive. When the receiving user accepts the request to connect, the user must also go through the CIS identification and verification by the same procedure as used for the requesting user. These processes are designed to prevent the invasion of interlopers, whose attempts to connect (requesting or receiving) will be rejected as unidentifiable.
- Scalable multi-user secure channels. The successful connection establishment creates a secure channel that connects the users, and encrypts and transports the information between them. One user can initiate or accept connections from multiple users using multiple independent secure channels. CIS has no architectural limitation on the number of connections a user device can establish.