BlueSalt — The New Patented Data Encryption Security System for Making Data Centers Fool-proof

This is the story of my patent titled “BlueSalt Security”, owned by IBM: an invention in data security, a unique and strongest-ever encryption system for sensitive data such as that of financial, government or federal, and industrial enterprises. It binds the data to its environment so that even in case of war, terrorist attacks or riots, when the data centers are physically captured by the enemy, the data cannot be retrieved. It is also designed for modern IoT (Internet of Things) and BYOD (Bring Your Own Device) setups. Another important aspect is that BlueSalt encryption does not need to store the key used in the encryption process in order to decrypt and get the data back, unlike traditional cryptographic approaches where the key is stored in crypto-processors and similar mechanisms, thereby making it the most secure data encryption approach.

In the current age of microprocessors, information security is critical. Especially for financial institutions and banks, research centers and labs, high-profile data centers, highly confidential enterprises, and military and government locations where highly confidential information is stored, it becomes necessary to ensure that the highest level of security is implemented to avoid any cyber-attack or theft of information.

Many organisations have adopted multiple security approaches, from physically securing the data centers to adding firewalls and applying high levels of encryption to the systems in order to protect the data. One example is self-destruction of data after multiple failed authentication attempts. Higher-grade encryption of storage and databases is very common in the IT services industry. Similarly, in the IT industry, critical projects with a higher degree of client-sensitive data are carried out in isolated, physically secured locations (e.g. forming Odessy for projects).

However, every authentication process has limitations. For example, if a hacker gets hold of the physical system along with the passwords used at multiple levels, he can access the information. Also, when the information system comes under terrorist attack, or during war or riots, the physical systems can be captured and moved to another location and environment to decipher the information stored on them.

To improve security to the highest degree in cryptographic methods and approaches, IBM BlueSalt binds the encryption process to the system’s environment and the state under which it is supposed to be running. IBM’s BlueSalt makes use of the system’s built-in sensors as well as an additional set of external sensors, which are either part of the local environment, part of a remote network, or part of an Internet of Things (IoT) framework, to generate the salt for the encryption process.

History offers plenty of real-world examples of the physical capture of devices containing sensitive information. BlueSalt makes it impossible to retrieve the information in such cases. The modern data center scenario is more complex still. Many data centers contain easy-to-exploit physical vulnerabilities that do not require hacking into the network. Also, we no longer live in an on-premises world with a defendable perimeter. According to Gartner, over half of information workers report using three or more devices for work. These points lead to the same conclusion: data centers are a bit unique when it comes to security, including physical security. As “Physical security: The overlooked domain” puts it, “With today’s complex threats, physical security has unfortunately taken a back seat”.

For such scenarios, BlueSalt brings a solution by focusing on the following strengths. The security of the information would be greatly strengthened if the system’s encryption of data did not depend only on passphrases or key files generated from some password or PIN. The information should be bound to a particular environment or state so that any deviation from that state causes decryption of the data to fail; this means that storage, or the whole system containing the sensitive data, cannot be decrypted under different environmental conditions if it is carried away. An attacker could not simply fake a “salt” value just by knowing the passphrase, key or PIN associated with the encryption method, because the salt is based on environmental variables.

Under the BlueSalt method, an encryption is made taking into account controllable parameters (surrounding temperature, luminosity, Bluetooth/infrared/Wi-Fi signatures, IP addresses, passphrase, biometric data, etc.) and non-controllable parameters (GPS or geo-location coordinates of the system, direction/orientation of the system, etc.). This results in a higher level of encryption where any deviation in the environment (e.g. an increase in room temperature due to fire; a change in the physical orientation or direction of the system, even in the same location; the system being moved to a different location; or the absence of any of the Bluetooth, infrared or Wi-Fi signatures that were present) results in a failed decryption of the information. Additionally, the system might take precautionary measures (e.g. shutting down or informing nearby security centers).

The salt value generated through BlueSalt can be used with any existing cryptographic technology, such as SHA-1 or Blowfish, that supports creating keys for encryption. IBM BlueSalt can even simply be used in a system to encrypt the hard disk or databases with the generated salt value. Whenever the salt value does not match, decryption fails.

In cryptography, a salt is random data used as an additional input to a one-way function that hashes a password or passphrase. BlueSalt encryption is a method that uses one or a combination of many parameters of the system’s surrounding environment and state in order to create a salt to be used in deriving the encryption key. Some examples of the environmental parameters collected via the enabled sensors are:

1. System position in 3D space, including direction — typically collected via sensors like a gyroscope, accelerometer, compass and/or any other orientation or state-detection mechanism that can place the system in 3D space.

2. System location — latitude and longitude, or any parameter that can be obtained via indoor location technology, standard GPS, geo-location and/or similar technologies.

3. Available connection-point signatures — signatures of the surrounding Bluetooth, Wi-Fi, NFC, infrared or any other devices available nearby.

4. Temperature — surrounding environment temperature values.

5. Pressure and height above sea level — barometer data.

6. Light luminosity, humidity, etc. of the surroundings.

7. Motion data — accelerometer readings.

8. Proximity sensor data.

9. Biometric data — any biometric information of the authorised person (e.g. face recognition / eyelid recognition / fingerprint).

10. IP address of the system — both internal and external.

11. Custom value — passphrase, PIN, etc.

12. Any other environmental or system state (physical or virtual) parameter.

The salt generated is a function of one or any combination of these parameters and is used in the data encryption process. At the time of decryption, the salt is generated again by the same process and used to decrypt the data. As long as all the parameters are the same, decryption succeeds; otherwise it fails.

Unless the salt originally set at the time of encryption is matched during decryption, the system does not allow the decryption process to proceed, or the decryption fails and produces meaningless output.

In the following diagram there are two different systems in different environments, so the generated Salt A is not the same as Salt B. Even if just one of the parameters changes, the generated salt is affected and the proper decryption key cannot be generated.

BlueSalt based cryptographic eco-system in any network

The BlueSalt method binds the information to its original environment and state. If such encryption is enabled, two systems even in the same location will have unique, non-replicable encryption keys even if the user-provided passphrases are the same.

(FIG: Conceptual diagram showing data encryption through BlueSalt.)

Typically, in such cases all the respective systems use their own environmental variables to create the salt for the encryption and decryption process; that salt is unique and impossible to replicate in another system or environment. This is shown in the following figure, where SaltA and SaltB are unique.

(FIG: BlueSalt implemented network environment.)

Alternatively, a common shared salt value is created using parameters from different systems in the network. The following diagram shows that scenario:

(FIG: BlueSalt implemented alternative network example)

BlueSalt based cryptographic eco-system in a network with IoTs

In an IoT (Internet of Things) scenario, various distributed sensors (shown as sensor units in the diagram below) can be used to form the ‘salt’ for the cryptography. For example, apart from using a target system’s local environment and state, remotely placed sensors can be added to strengthen the salt value. In such a situation a BlueSalt-based cryptographic eco-system can be formed, where multiple systems and their respective environmental and state parameters are collected and combined to form a salt for cryptography. This kind of eco-system can help multiple stakeholders manage one or more systems holding sensitive, confidential or critical data.

Note: in this kind of eco-system, the different sensor units and data centres may operate in the same location or in a combination of locations on the intranet (local network) and in the cloud (remote network).

(FIG: BlueSalt implemented IoT)

BlueSalt enabled theft prevention framework

The BlueSalt method not only helps in creating the salt for the cryptography so that the system (storage or database) is encrypted; it can also be used to define a framework that prevents data theft.

In such a framework, failed attempts to access the data on the system initiate preventive actions predefined by the system admin, such as showing a warning, self-destructing the system data, or automatically sending out SOS messages to designated security officials.

How does BlueSalt work?

(FIG: Typical BlueSalt encryption scenario.)

(FIG: Typical BlueSalt decryption scenario.)
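The encryption and decryption scenarios above, worked as an added Python example that is not IBM’s or the patent’s code: the sensor readings from the parameter list are quantized and hashed into the salt, the salt and the passphrase derive the key, and decryption returns nothing when the passphrase or any parameter differs. The sample readings, the bucket sizes and the HMAC-based cipher are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import os

# Constructed sample readings for one data-center host (assumed values).
SAMPLE_ENV = {"lat": 12.9716, "lon": 77.5946, "temp_c": 22.4, "ip": "10.0.4.17",
              "wifi": ["aa:bb:cc:00:00:02", "aa:bb:cc:00:00:01"]}

def canonical_environment(env):
    """Quantize the noisy readings so the same physical state always gives the
    same bytes; bucket sizes are assumptions, not taken from the patent."""
    canon = {"lat": round(env["lat"], 3), "lon": round(env["lon"], 3),  # ~100 m cells
             "temp_c": int(env["temp_c"] // 2) * 2,                     # 2 degree buckets
             "wifi": sorted(env["wifi"]),                                # order-independent
             "ip": env["ip"]}
    return json.dumps(canon, sort_keys=True, separators=(",", ":")).encode()

def blue_salt(env):
    """Environment-derived salt: recomputed from the sensors, never written to disk."""
    return hashlib.sha256(b"BlueSalt-example-v1|" + canonical_environment(env)).digest()

def derive_keys(passphrase, env):
    """Passphrase + environment salt -> master key -> separate cipher and MAC keys."""
    master = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), blue_salt(env), 100_000, 32)
    return (hmac.new(master, b"enc", hashlib.sha256).digest(),
            hmac.new(master, b"mac", hashlib.sha256).digest())

def _keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode as a stand-in PRF; a real system would use AES-GCM.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt(passphrase, env, plaintext):
    enc_key, mac_key = derive_keys(passphrase, env)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag  # neither the key nor the salt is stored alongside the data

def decrypt(passphrase, env, blob):
    """Return the plaintext, or None when the passphrase or any parameter differs."""
    enc_key, mac_key = derive_keys(passphrase, env)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return None  # the "failed decryption" outcome described in the article
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))
```

The salt binds the key to the environment but adds little secrecy, since most of these readings can be observed by whoever holds the site, so the passphrase still has to carry the entropy.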

Ideally, the goal of BlueSalt is to make it impossible to retrieve the data unless all the conditions are met, so the optimum usage of BlueSalt does not store anything on the system. However, an alternative data recovery option can be used if needed. This recovery option uses multiple encryption levels and stores an encrypted version of the key on the system. The following diagram shows the encryption supporting an alternative environment for data retrieval:

And here is how decryption is supported for the alternative environment:

Hopefully, with BlueSalt, new-age data centers, BYOD setups and critical data storage can be made safer and more secure by adding an additional layer of security.

This idea/invention is patented in the US, in India and internationally by IBM. The patent details of the invention:

BlueSalt Security — US9590957 A1, issued on 7 March 2017. Inventor: Samir Dash. Assigned to and owned by: IBM.

Samir Dash works as Associate Design Director at IBM, based in Bengaluru, India. The above article is personal and does not necessarily represent IBM’s positions, strategies or opinions.
