Decenter Security Engine
Security Syborg: Deorchestrates - Manages - Monitors
Decentralized Heterogeneous Blockchain Identity Management_
[ TYPE : Built-in ]
SynchroKnot vSoC comes built-in with Decentralized Heterogeneous Blockchain Identity Management.
The vSoC Decentralized Heterogeneous Blockchain Identity Management is an extremely fast and secure authentication and authorization system governed by the vSoC Security Syborg which allows the tenants to log into the vSoC with their Blockchain ID and Blockchain Private Key.
The Blockchain Private Key is only used in the web browser to internally sign a Nonce Fingerprint, and is not sent to the vSoC in any manner whatsoever.
There are no passwords, checksums, salts, signatures, hashes, keys, etc. kept on the vSoC. Only the Blockchain ID of the user[s] is present on the vSoC. Everything is secured via the power of proven Blockchain Cryptography.
The vSoC Security Syborg only sees every user as a Blockchain ID.
Here is the basic modus operandi:
▸ 1] Identify the people to whom you want to give access rights and the type of access [ SynchroKnot-Root or SynchroKnot-non-Root ]
▸ 2] Add their Blockchain ID [ public blockchain address - Eg. Bitcoin Address ] to the vSoC[s]. That's it.
▸ The user can log in successfully with his / her Blockchain ID and the Blockchain ID of the Spatial Cluster.
▸ Once successfully authenticated, a Signed Nonce Fingerprint, among other things, is injected into the browser cookie. No need to login again [unless the user logs out or a log out timer has been put in place].
▸ Additional features of the Decentralized Heterogeneous Blockchain Identity Management are Authentication Calibration and the Level 2 Security, Level 3 Security and Level 4 Security Power Modules.
▸ All these unique-to-industry features which bring about utmost flexibility can only be found in and with SynchroKnot vSoC.
Level 2 Security - Blockchain + LDAP and/or Active Directory_
[ TYPE : Power Module ]
Level 2 Security provides multi-faceted fault-tolerant authentication capability with Active Directory and / or LDAP Servers.
In addition to Blockchain Authentication, as required, users can be made to authenticate with their Calibration code and LDAP and / or Active Directory password with fast response times even when some back-end LDAP and / or Active Directory servers may be down or not responsive.
The type and combination of authentication can be customized per user.
There is no such authentication capability with the integrated flexibility of Level 3 Security seen in the industry today that provides speed of authentication even amidst possible failures of multiple back-ends, the ease of setup and management, and the flexibility of choosing the type and combination of authentication per user!
▸ User[s] can authenticate to a combination of individual or multiple LDAP and / or Active Directory server[s].
▸ Each user can be assigned a separate list of LDAP and / or AD server[s] with an existing or new user-id/username present on them.
Level 3 Security - Blockchain + Secure Shell - SSH_
[ TYPE : Power Module ]
Level 3 Security provides multi-faceted fault-tolerant authentication capability with Secure Shell - SSH enabled Servers.
In addition to Blockchain Authentication, as required, users can be made to authenticate with their Calibration code and SSH password or SSH Private Key with fast response times even when multiple back-end SSH servers may be down or not responsive.
▸ SSH servers that users authenticate against with their password or private key can further be enabled with AuthControl for Distributed Fault-Tolerant Authentication Management & Identification Control.
▸ User[s] can be made to authenticate to a combination of individual or multiple SSH servers.
▸ Each user can be assigned a separate list of SSH server[s] with an existing or new user-id/username present on them.
▸ There is no such authentication capability with the integrated flexibility of Level 4 Security seen in the industry today that provides speed of authentication even amidst possible failures of multiple back-end SSH servers, the ease of setup and management, and the flexibility of choosing the type and combination of authentication per user!
Level 4 Security : Authentication Calibration_
[ TYPE : Power Module ]
Authentication Calibration is Level 4 Security. It is a layer of security above the Decentralized Heterogeneous Blockchain Identity Management. It is monitored and managed by the vSoC Security Syborg.
Authentication Calibration protects against stolen/unauthorized use of private Blockchain keys.
When Level 2 Security is enabled, Authentication Calibration helps protect against compromised passwords of the Active Directory and / or LDAP servers.
When Level 3 Security is enabled, Authentication Calibration helps protect against compromised SSH login passwords and SSH keys.
Here is the basic modus operandi:
▸ 1] The organization/group shares a calibration code internally with their members [Eg. pin, sentence etc.] which can be updated daily, weekly, bi-weekly, monthly etc. as required.
▸ 2] If Authentication Calibration is enabled for a spatial cluster, then the users logging into that particular vSoC will be required to submit their calibration code.
▸ Authentication Calibration has an additional capability of managing the session of the users with the built-in authentication calibration session management. If this feature is enabled, and the calibration code is changed/updated, the users will have to authenticate again with the new calibration code.
▸ Authentication Calibration Session Management has an override feature that disables authentication calibration and authentication calibration session management for the users in the override list.
▸ Works with the Level 2 and Level 3 Security Power Modules if they are enabled. Successful authentication of the calibration code is required before authentication via Level 2 Security and / or Level 3 Security is invoked.
▸ Authentication Calibration on a vSoC is enabled with only the SHA512 Checksum of the Calibration Code given to the members, and not the Calibration Code itself.
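The calibration check described in this section, as an added Python example (not SynchroKnot code): the server side holds only the SHA-512 checksum, a rotated checksum invalidates sessions opened under the old code, and override-list users skip both. Class, method and ID names are hypothetical.

```python
import hashlib
import hmac


def checksum_of(code):
    """What the organization computes offline; only this value is configured."""
    return hashlib.sha512(code.encode("utf-8")).hexdigest()


class CalibrationGate:
    """Holds only the SHA-512 checksum of the calibration code, never the code."""

    def __init__(self, code_sha512_hex, session_management=True, override=()):
        self.checksum = code_sha512_hex.lower()
        self.session_management = session_management
        self.override = set(override)   # Blockchain IDs exempt from calibration
        self.sessions = {}              # Blockchain ID -> checksum in force at login

    def _matches(self, submitted_code):
        # Constant-time comparison so timing does not reveal matching prefixes.
        return hmac.compare_digest(checksum_of(submitted_code), self.checksum)

    def login(self, blockchain_id, submitted_code=None):
        """Runs after blockchain authentication and before any Level 2/3 back end."""
        if blockchain_id not in self.override:
            if submitted_code is None or not self._matches(submitted_code):
                return False
        self.sessions[blockchain_id] = self.checksum
        return True

    def rotate(self, new_code_sha512_hex):
        """The administrator supplies the checksum of the new code only."""
        self.checksum = new_code_sha512_hex.lower()

    def session_valid(self, blockchain_id):
        if blockchain_id not in self.sessions:
            return False
        if blockchain_id in self.override or not self.session_management:
            return True
        # A session opened under an older code must authenticate again.
        return hmac.compare_digest(self.sessions[blockchain_id], self.checksum)
```

Because the stored value is a plain SHA-512 of a shared secret, a short PIN can be recovered by offline guessing if the checksum leaks; a sentence-length code resists that far better.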
Interstellar - Decentralized FLAT Layer 2 Network Bifurcation_
[ TYPE : Power Module ]
Interstellar is network bifurcation and isolation managed and monitored by the Security Syborg at networking Layer 2 [Ethernet level].
Apart from the flexibility of assigning the Spatial Cluster of the Tenant with a single/double/triple stacked VLAN, the Interstellar and ARPLESS Interstellar Power Modules allow the Tenant to further create Interstellars at the deep networking layer 2 level without involving the Infrastructure Provider.
The Security Syborg gives the unique and secure ability to the Tenant to directly manage, monitor and bifurcate their own Tenant network [Spatial Cluster] which is not possible in the current cloud computing and networking paradigm due to the manner of the design & architecture of the centralized infrastructure in place.
☼ Interstellars are virtual network bifurcations [separations] at Layer 2. ☼
☼ Interstellars allow a single Decentralized Virtual Machine to be in multiple "Network Dimensions" or multiple Interstellars at the same time! ☼
☼ Likewise, multiple Decentralized Virtual Machines can be in multiple "Network Dimensions" or multiple Interstellars at the same time!!! ☼
Below are some of the features of Interstellar:
▸ ☼ Fully Flattens, Bifurcates and Secures the network at Layer 2. Works transparently irrespective of stacked / unstacked vlans, and without deviating from standard Ethernet semantics. ☼
▸ ☼ Based on the vSoC Security Syborg built-in features of Interstellar Identification, Interstellar Resonance Identification and Interstellar OUI. ☼
▸ The MAC address of each virtual machine vNIC carries a 28-bit Interstellar Identification. Assign your own choice of Interstellar IDs.
▸ Each Decentralized Virtual Machine with the same Interstellar ID can communicate with each other irrespective of their local or global locations. All other traffic from the virtual machine is not allowed to touch the network.
▸ In the case where a virtual machine needs to resonate [ communicate ] across different Interstellars at the same time, additional Interstellar IDs can be accommodated in the form of Interstellar Resonance IDs. Both Interstellar and Interstellar Resonance IDs remain intact even when the virtual machines relocate.
▸ Interstellar OUI allows direct interaction of the virtual machines with the existing physical data center infrastructure [ routers, switches, gateways, appliances & devices ]. Simply add the needed OUI[s] [ organizationally unique identifier - a 24-bit number that uniquely identifies a vendor or manufacturer ] and gain transparent access.
▸ Interstellars [ in collaboration with other SynchroKnot features ] allow for flexible carving of the IP network[s] of the virtual machines by allowing the creation of large networks [ eg: /7, /8, /16 etc ] without having to set up routing and gateways to move across subnets or be concerned about broadcasts.
▸ Interstellars are fully controlled by the Tenants without the need to interact with or involve the Infrastructure Provider.
ARPless Interstellar - Totally Hapless Without ARPless_
[ TYPE : Power Module ]
ARPless creates a secure vacuum for trusted communication between Decentralized Virtual Machines, and also with the existing physical infrastructure. ARPless is now fully amalgamated with Interstellar for exceptional security!
▸ ☼ ARPless does not allow forced traffic diversion from poisoned ARP caches of virtual machines to reach undesired destination[s]. ☼
▸ ☼ ARPless ignores requests from virtual machines that impersonate the original and authentic IP and MAC address pairs in order to force-divert traffic or gain access. ☼
▸ ☼ ARPless securely and intelligently auto-responds to the virtual machines when they make an ARP request [ no agent / software needs to be installed inside the virtual machine[s] ]. It does not allow ARP requests from the virtual machines to get onto the network. ☼
▸ ☼ ARPless can further limit ARP traffic within the secure vacuum. ☼
▸ ☼ ARPless practically makes ARP spoofing, ARP cache poisoning, or ARP poison routing very difficult-to-impossible, which in turn substantially reduces the possibilities of other attacks stemming from it, such as denial of service, man-in-the-middle, or session hijacking. ☼
▸ ARPless intelligently handles and manages the following opcodes : 1 Request, 2 Reply, 3 Request_Reverse, 4 Reply_Reverse, 5 DRARP_Request, 6 DRARP_Reply, 7 DRARP_Error, 8 InARP_Request and 9 ARP_NAK.
▸ ARPless further uses blockchain cryptography to only accept metadata signed by at least 3 departments / teams / members before it can be successfully deployed. This ensures that security policies, accountability and awareness are at the same level across the team[s], department[s] and organization[s] [upcoming feature].
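An added Python example (not SynchroKnot code) of the kind of check this section describes: ARP from a vNIC is parsed, the sender pair is compared with a trusted IP-to-MAC table, and a valid request is answered locally instead of being forwarded. The table, function names and the policy of not forwarding other opcodes are assumptions.

```python
import ipaddress
import struct

# Opcode numbers and names exactly as the page lists them.
OPCODES = {1: "Request", 2: "Reply", 3: "Request_Reverse", 4: "Reply_Reverse",
           5: "DRARP_Request", 6: "DRARP_Reply", 7: "DRARP_Error",
           8: "InARP_Request", 9: "ARP_NAK"}


def build_arp(op, sha, spa, tha, tpa):
    """Build a 28-byte Ethernet/IPv4 ARP payload (for the constructed samples)."""
    raw = lambda mac: bytes.fromhex(mac.replace(":", ""))
    return struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                       raw(sha), ipaddress.IPv4Address(spa).packed,
                       raw(tha), ipaddress.IPv4Address(tpa).packed)


def parse_arp(payload):
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return (op, sha.hex(":"), str(ipaddress.IPv4Address(spa)),
            str(ipaddress.IPv4Address(tpa)))


def decide(payload, port_mac, bindings):
    """Return (action, detail) for an ARP payload received from one vNIC.

    bindings maps trusted IPv4 address -> MAC; port_mac is the MAC assigned to
    the vNIC the frame arrived on. Both are hypothetical inputs.
    """
    try:
        op, sha, spa, tpa = parse_arp(payload)
    except ValueError as exc:
        return ("drop", str(exc))
    if op not in OPCODES:
        return ("drop", f"unsupported opcode {op}")
    # The sender must be the vNIC itself and must own the IP it claims.
    if sha != port_mac or bindings.get(spa) != port_mac:
        return ("drop", "sender pair does not match trusted binding")
    if op == 1:
        target = bindings.get(tpa)
        if target is None:
            return ("drop", "no trusted binding for target")
        return ("answer", target)   # replied to locally; never reaches the wire
    return ("drop", f"{OPCODES[op]} from a VM is not forwarded")


# Constructed table using documentation addresses, not real hosts.
BINDINGS = {"192.0.2.10": "02:00:00:00:00:0a", "192.0.2.1": "02:00:00:00:00:01"}
```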
AuthControl - Distributed Fault-Tolerant Authentication & Authorization_
[ TYPE : Power Module ]
AuthControl is a Distributed Fault-Tolerant Authentication Management, Authorization & Identification Control System for the Decentralized Virtual Machines and physical hardware [eg. computers, tablets, mobile phones etc].
AuthControl serves as a scalable, secure and simple alternative to LDAP, Active Directory and other similar systems.
After the requisite AuthControl mapping of users to their respective Blockchain IDs, the user[s] can log in or access resources transparently with their standard Linux username and password + 5 digit unique pin.
In AuthControl, the user[s] are responsible for managing their own password. The user's password SHA512 checksum is kept in their encrypted Spacesuit. No more dependence on the service provider or organization for lost or compromised passwords, as no password is stored in the Decentralized Virtual Machines or other physical hardware. The organization can set the standard guidelines for users to create strong passwords.
This 5 digit pin is set on each vSoC by the SynchroKnot Root User [i.e. tenant], and is the same for all the users logging in via that particular vSoC; therefore there is no complexity of managing a unique pin for each user. This pin can be changed regularly and communicated to the users using any standard secure method that might already be in place for communication within the organization.
Depending on the nature of the circumstance, user access can be restricted/limited by either simply changing the PIN on the vSoC or resetting/disabling the user's password in their Spacesuit.
☼ AuthControl also has a distinguished capability of creating a unique numerical value corresponding to the operating system User ID [uid] and Group ID [gid]. For example, AuthControl algorithmically generates a new unique numerical value for an existing/new operating system user, and then, that existing operating system User ID [uid] can be modified to have the new AuthControl-generated unique numerical value. ☼
☼ With AuthControl-generated unique numerical value there is no need to depend anymore on any centralized system and database to generate new user IDs that have a unique numerical value or check for their authenticity, as AuthControl itself will algorithmically always return the same unique numeric User ID / Group ID for that username anywhere ☼ WITHOUT ☼ having to poll another application or use the network. ☼
☼ With AuthControl, User IDs can be instantly checked for changes/manipulations and be reinstated automatically if changed. It can also report/alert without having to poll, check and compare with central or distributed databases. ☼
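AuthControl's actual algorithm is not described on this page. The added Python example below assumes a truncated SHA-256 of the name to show how a numeric ID can be recomputed anywhere without a database, how a changed uid is detected from passwd content alone, and why such a mapping needs a collision check. The ID range and all names are assumptions.

```python
import hashlib

# Assumed target range: above typical system and login ranges, below 2**31.
ID_MIN, ID_MAX = 100_000, 2_000_000_000


def derive_id(name, kind="uid"):
    """Same name and kind always give the same number, with no lookup anywhere."""
    digest = hashlib.sha256(f"{kind}:{name}".encode("utf-8")).digest()
    return ID_MIN + int.from_bytes(digest[:8], "big") % (ID_MAX - ID_MIN)


def audit_passwd(passwd_text, managed):
    """Return (user, found_uid, expected_uid) for managed users whose uid differs."""
    drift = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or fields[0] not in managed or not fields[2].isdigit():
            continue
        expected = derive_id(fields[0])
        if int(fields[2]) != expected:
            drift.append((fields[0], int(fields[2]), expected))
    return drift


def find_collisions(names, kind="uid"):
    """A hash-derived id is unique only with high probability; report any clashes."""
    owners = {}
    for name in dict.fromkeys(names):      # de-duplicate, keep order
        owners.setdefault(derive_id(name, kind), []).append(name)
    return {i: n for i, n in owners.items() if len(n) > 1}


# Constructed passwd content: alice is intact, bob's uid has been changed to 0.
SAMPLE_PASSWD = "\n".join([
    f"alice:x:{derive_id('alice')}:{derive_id('alice', 'gid')}::/home/alice:/bin/bash",
    f"bob:x:0:{derive_id('bob', 'gid')}::/home/bob:/bin/bash",
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin",
])
```

`audit_passwd(SAMPLE_PASSWD, {"alice", "bob"})` reports only bob, with the uid that should be reinstated as the third element.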
░ Users with AuthControl mapping to their Blockchain IDs can log in or access resources transparently with their standard Linux Username and Password + 5 Digit PIN using the following methods:
▸ Graphical Login
▸ Graphical Screen Saver Login [ eg. screen lock ]
▸ Non-Graphical Login
▸ SUDO
▸ SU
▸ SSH
▸ SCP
▸ SFTP
▸ SSHFS
▸ FTP
▸ VNC - Virtual Network Computing
▸ RDP - Remote Desktop Protocol
▸ CUPS
▸ CRON
▸ SAMBA
▸ File Manager - Create Network Place with SFTP, SAMBA and FTP
▸ All password requirements via Control Center
▸ Practically anything that uses Standard PAM for authentication!
░ Fault Tolerant - AuthControl algorithmically checks for failures of up to 5 vSoCs [ geographically dispersed if needed ] before returning unreachable.
░ Load Balanced - Each user or groups of users can be assigned different vSoCs for load balancing [ with additional option of fault-tolerance ].
░ Scalable - Add more vSoCs and point more users to them.
░ Simple - Very easy to set up and manage. Works transparently with Linux PAM without modifying standard PAM modules, and is end-to-end encrypted [ uses standard HTTPS for communication ].
Blockchain SSH Public Key Infrastructure [ PKI ] Management_
[ TYPE : Power Module ]
Blockchain SSH Public Key Infrastructure [ PKI ] Management allows for transparent fast login to Decentralized Virtual Machines via SSH using standard username [ non-root ].
▸ In the target Decentralized Virtual Machine only the setup script needs to be executed the first time, and then the Linux [or other operating system] username [ID] needs to be mapped to the Blockchain ID of the SynchroKnot. That's it.
▸ For fully secure access, the user's Linux and Blockchain Identity must be interlock-mapped. The SynchroKnot root user must add the Linux user ID to the Spacesuit of the user that was given SSH access. Only the SynchroKnot root user can perform this operation.
▸ Users manage their own public key(s) [ Base64 encoded & up to 10 keys ] in their Spacesuit on up to 5 different vSoCs [which may be geographically dispersed to protect against network and infrastructure failures].
▸ Only the authorized SynchroKnot [user] can add or remove his/her public key(s). Even the SynchroKnot root user cannot perform this operation. This feature prevents others from mistakenly/illegitimately denying access.
Decentralized Access Control & Security - SDAC | VMSDAC_
[ TYPE : Built-in ]
The SynchroKnot Decentralized Access Control & Security - SDAC and VMSDAC allows for automatic, realtime, decentralized, secure & controlled access between SynchroKnots [users] and Decentralized Virtual Machines irrespective of their location.
The SynchroKnot [ user ] can have single/multiple SDAC ID[s] and each Decentralized Virtual Machine can also have single/multiple VMSDAC IDs.
The single/multiple user SDAC IDs are automatically calibrated against the single/multiple VMSDAC IDs in realtime every time to determine authorized access.
Sypher_
[ TYPE : Built-in ]
SynchroKnot Sypher is built-in Fast Pseudo-Encryption / Obfuscative-Encoding for all Spacesuits [ Decentralized Virtual Machine and User] and internal communication between vSoCs. When used with TCP at network layer 3, Sypher is used first, and then the data is sent using HTTPS.
Decentralized Blockchain Authority Gateway_
[ TYPE : Built-in ]
SynchroKnot Decentralized Blockchain Authority Gateway on each vSoC does verification and authorization of all the incoming REST requests using Blockchain Cryptography in real-time.
▸ Performs fast user verification and authorization in real-time.
▸ Checks and stops malicious injections coming in via REST requests and Cookies.
▸ Checks and stops SPAM in RESTful key and value pairs and Cookies.
NoReplay - Prevention of Replay Attacks_
[ TYPE : Power Module ]
NoReplay prevents Replay attacks on the vSoCs.
NoReplay is designed specifically for broadcast, multicast and unicast decentralized UDP where replay attacks are near impossible to deter.
SynchroKnot Limited, Hong Kong, SAR of China [ website - content ] by SynchroKnot is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.
Based on a work by its creator Mehul Sharma at SynchroKnot Limited, Hong Kong, SAR of China : synchroknot.[com|cloud|org].