"SECUDE Secure Folder offers the highest level of data protection for
sensitive and confidential data – not only locally and on network drives (Data-At-Rest), but also
during transfer from PC to file server (Data-In-Transit)."
Source: SECUDE International AG
Secure Folder: File or Folder Encryption
Executive Summary
Secure Folder provides you with a secure electronic
desktop workstation. Files and indeed entire folders (directories) can be
secured for your personal use, or configured in such a way that they are
available for the shared, exclusive use of a selected group. With transparent
encryption and advanced management, Secure Folder enables outstanding ease of
use and the highest degree of security for sensitive data. Secure Folder uses an
acknowledged secure asymmetrical encryption method and secure symmetrical
encryption algorithms to guarantee the security of your data in a safe. Safes
are administered and monitored with the aid of the Safe Control application.
Based on public key mechanisms, Secure Folder guarantees dynamic management of
user groups even in very large corporations. This allows Secure Folder to offer
scalable group capability.
Table of Contents
- Executive Summary
- 1. Introduction
- 1.1. What is Secure Folder
- 2. Description of Secure Folder
- 2.1. Data security and network encryption
- 2.2. Autonomous security management
- 2.3. Simple operation
- 2.4. Flexible administration
- 2.5. Use of Secure Folder
- 2.6. Main components
- 2.6.1. Secure Folder (Safe Control)
- 2.7. Features
- 2.8. Encryption concept
- 2.9. Local state of a safe
- 2.10. Roles in a safe environment
- 2.11. Certificates and keys
- 2.11.1. Certificate management
- 2.11.2. The certificate server and certificate storage
- 3. Overview of architecture
- 3.1. Smartcard integration
- 4. Summary
- 5. Technical prerequisites
- 5.1. System requirements
- 5.2. Software requirements
- 5.3. Hardware support
- 5.4. Support from signature algorithms
- 5.5. Support from encryption algorithms
- 5.6. Supported standards
- 6. Abbreviations
1. Introduction
This document describes the functions of Secure Folder
and its associated components. It is also intended to provide an overview of the
features and performance characteristics of this product. Sensitive information,
such as research, financial, customer and personal data, must only be accessible
to certain work groups and project teams. This calls for easily managed,
group-capable solutions that support secure document handling without
interfering with running work processes.
1.1. What is Secure Folder
Secure
Folder provides you with a secure electronic desktop workstation. Files and
indeed entire folders (directories) can be secured for your personal use, or
configured in such a way that they are available for the shared, exclusive use
of a selected group.
With transparent encryption and advanced management,
Secure Folder enables outstanding ease of use and the highest degree of security
for sensitive data. Secure Folder uses an acknowledged secure asymmetrical
encryption method and secure symmetrical encryption algorithms to guarantee the
security of your data in a safe. Safes are administered and monitored with the
aid of the Safe Control application. Based on public key mechanisms, Secure
Folder guarantees dynamic management of user groups even in very large
corporations. This allows Secure Folder to offer scalable group capability.
2. Description of Secure Folder
Secure Folder is a software program for
handling sensitive data on Windows XP and Windows 2000 platforms. Files and the
contents of entire folders (directories) can be encrypted and configured as
necessary for joint use by a selected group. Unlike many similar products on the
market, Secure Folder protects data not just on a data carrier, but also
throughout its transmission path (i.e. when data is being transmitted across a
network). Secure Folder was specifically developed with a view to incorporating
it seamlessly in a Public Key Infrastructure (PKI).
2.1. Data security and network encryption
Statutory requirements and increasing corporate
espionage are forcing more and more companies to protect confidential data.
Secure Folder makes it easy to protect sensitive data locally and on network
drives. This data encryption solution is based on recognized secure methods.
Because it has an intelligent authorization system, it can be used by work
groups.
2.2. Autonomous security management
Users and administrators are
authenticated with certificate-based security tokens (Soft Token or Smartcard).
Unlike other commonly used solutions, Secure Folder allows you to elegantly
separate security management and system administration. Because of this, the
data cannot be seen even by system administrators. Depending on the definition
of the security administrator's role, even that person may not be able to view
the data; it is accessible solely to the designated users of a safe.
2.3. Simple operation
Work groups can be defined flexibly using dynamic
configuration options plus simple, intuitive safe administration without having
to make compromises in security. Secure Folder thus ensures the greatest
possible security in a user friendly environment.
2.4. Flexible administration
Safes can be managed by the users themselves or by
administrators who have been defined in the context of a company-wide
security policy. At the most basic level, opening and managing safes is
subject to minimal requirements, and these tasks can be performed in their
entirety by all users. In larger corporations, it is advisable to appoint at
least one administrator to monitor and administer the user activities.
2.5. Use of Secure Folder
In principle, the software requires a public
key infrastructure in order to work, because authentication at the safes is
carried out via the private keys, which are created and issued together with the
certificates by a trusted instance, a "Certification Authority" (e.g. SECUDE
TrustManager Enterprise/Business or a third-party CA). The form of the
certificate-based authentication is acknowledged to be highly secure,
particularly if the key is stored on a smartcard.
2.6. Main components
2.6.1. Secure Folder (Safe Control)
Safes are secure containers that help you
to organize and protect files and directories. The safes (which may be located
on a network drive or locally) can be used jointly by any number of users with
the corresponding rights. With the Safe Control Application, administrators can
create and manage safes, and add new users and administrators. The users can
open and close safes, and find out which other users belong to the group with
access rights to the safe. The events relating to each safe can be monitored and
logged with the aid of an audit function.
2.7. Features
- Integral protection for sensitive data
- Effective across all drives: local, mobile, and remote access
- Group access to encrypted files. Members of a work group (safe users) have shared use of a safe.
- Dynamic management of user groups based on public key mechanisms
- Strict separation of security administration and system administration
- Client-based encryption / decryption: network traffic is protected at all times
- Transparent file encryption ("on the fly"). A safe runs entirely in the background.
- When it is open, your application will not detect its presence.
- Data is encrypted and decrypted automatically by the encryption driver.
- When the safe is closed, the applications cannot access your data
- Automatic PIN interrogation when a user accesses a closed safe via an application
- Audit function for logging safe activities
2.8. Encryption concept
Every file in a safe is
encrypted with a randomly generated, symmetrical key. The safe key is a
cryptographic key and is encrypted with the public key of any authenticated user
of the safe concerned. It is used to access all files in the safe and to encrypt
the files in the safe. The safe key is decrypted with the safe user's private
key, which is contained in the security token. The safe key enables the user to
access all the files in a given safe.
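The key handling described in this section, as an added example in Node.js that is not SECUDE code and not part of the original white paper. It assumes RSA-OAEP for wrapping the safe key, AES-256-GCM for file contents, and that the safe key encrypts file contents directly; all function names and the demo users are hypothetical.

```javascript
const crypto = require("node:crypto");
const OAEP = { oaepHash: "sha256" }; // assumption: the page does not name the padding

// Stand-in for a soft token or smartcard: an RSA key pair (constructed).
const newToken = () => crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });

// Wrap the safe key with one user's public key; a safe keeps one copy per user.
const wrap = (publicKey, safeKey) => crypto.publicEncrypt({ key: publicKey, ...OAEP }, safeKey);

// Create a safe: draw a random 256-bit safe key and wrap it for the creator.
function createSafe(name, publicKey) {
  return { wrapped: new Map([[name, wrap(publicKey, crypto.randomBytes(32))]]) };
}

// Open a safe: unwrap the safe key with the private key held in the token.
function openSafe(safe, name, privateKey) {
  const blob = safe.wrapped.get(name);
  if (!blob) throw new Error(`${name} is not a user of this safe`);
  return crypto.privateDecrypt({ key: privateKey, ...OAEP }, blob);
}

// Add a user: an existing user unwraps the safe key and wraps it again for
// the newcomer. No file in the safe has to be re-encrypted.
function addUser(safe, byName, byPrivateKey, name, publicKey) {
  safe.wrapped.set(name, wrap(publicKey, openSafe(safe, byName, byPrivateKey)));
}

// Encrypt one file under the safe key: nonce || ciphertext || 16-byte tag.
function sealFile(safeKey, plaintext) {
  const nonce = crypto.randomBytes(12);
  const c = crypto.createCipheriv("aes-256-gcm", safeKey, nonce);
  return Buffer.concat([nonce, c.update(plaintext), c.final(), c.getAuthTag()]);
}

// Decrypt a blob from sealFile; throws if it was truncated or modified.
function openFile(safeKey, blob) {
  if (blob.length < 28) throw new Error("ciphertext too short");
  const d = crypto.createDecipheriv("aes-256-gcm", safeKey, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(blob.length - 16));
  return Buffer.concat([d.update(blob.subarray(12, blob.length - 16)), d.final()]);
}

// Constructed demo: Alice creates the safe and adds Bob; Eve was never added.
function demo() {
  const [alice, bob, eve] = [newToken(), newToken(), newToken()];
  const safe = createSafe("alice", alice.publicKey);
  const blob = sealFile(openSafe(safe, "alice", alice.privateKey), "Q3 forecast");
  addUser(safe, "alice", alice.privateKey, "bob", bob.publicKey);
  const bobReads = openFile(openSafe(safe, "bob", bob.privateKey), blob).toString();
  let eveOpens = true; // Eve presents her own private key against Bob's wrapped copy
  try { openSafe(safe, "bob", eve.privateKey); } catch { eveOpens = false; }
  return { bobReads, eveOpens };
}
console.log(demo());
```

Bob reads a file that was sealed before he was added, because access is granted by storing one more wrapped copy of the same safe key.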
2.9. Local state of a safe
A safe can be either open or closed:
- Safe open: The safe is open on the local workstation computer. The contents of the safe can be accessed transparently from this computer. The encryption driver recognizes the safe key. All accesses to files in a safe are encrypted and decrypted entirely transparently.
- Safe closed: The safe is closed on the local computer. However, it may still be open on another computer.
2.10. Roles in a safe environment
A role is a defined
type of Secure Folder user. One person may have several different roles.
Description of different roles:
The safe creator role is
assigned to a user when the certificate for the PKI is generated. Any number of
safe creators can be defined.
2.11. Certificates and keys
An important
principle and advantage of Secure Folder is that of certificate-based
authentication. This method depends on certificates that conform to the X.509v3
standard. The certificates themselves contain various items of information,
which allow the software to authenticate the user, and can also serve as
authorization for the user to access certain functionalities. A user's
certificate is issued and signed by a higher-level instance, a "Certification
Authority"; in this way, it can be checked that the certificate is genuine. One
or more key pairs (private and public keys) belong to each token and can be
issued in various ways by the "Certification Authority". The format of key pairs
is determined by the carrier medium with which they are associated. Secure
Folder supports both a unique format of Soft Tokens and smartcards via a
standardized interface. The PKCS standards defined by RSA have become
established as the interfaces with the key deposits. Interoperability for
smartcards is assured by the PKCS#11 standard and the PC/SC interface.
2.11.1. Certificate management
The basis of any certificate management system
is a CA (Certification Authority), whose tasks are to assign a certificate to
each user, issue the key pairs, and sign the certificates as a way of checking
their authenticity. Certificates are signed with an electronic signature using
the CA's private signature key. Accordingly, this is the foundation of the
entire trust structure, and should be afforded the highest degree of protection.
By virtue of this trust structure, the entity is referred to as a "trust center",
a trusted certificate service provider. In order to preserve the highest degree
of protection, CAs are often used "offline" and the results are provided in the
form of Soft Tokens, smartcards, PIN letters and revocation lists.
2.11.2. The certificate server and certificate storage
Secure Folder can access various types of certificate servers:
- LDAP: A directory service contains the certificates and CRLs and permits access via the LDAP.
- Active Directory: Access to the Microsoft Active Directory for user data, user groups, certificates and CRLs.
3. Overview of architecture
SECUDE Secure File
can be seamlessly integrated in Microsoft Windows Explorer to provide access to
the major functions in context-sensitive menus. The SECUDE libraries are called
from there.
3.1. Smartcard integration
The objective of our software
is to detect the smartcard automatically if the driver has been correctly
configured. Therefore, Secure Folder is also shipped with an up-to-date
identification list of commercially available smartcards. Additions can also be
made to this list later. Again, if the attacker has access to a computer owner
willing to unlock the drive, there is no need for such a complicated attack.
4. Summary
Secure Folder protects your confidential data effectively and
securely, locally and in networks, and can easily be incorporated in an existing
Microsoft Windows environment.
Safe creator, safe administrators and safe users
are authenticated by means of certificate-based security tokens (smartcard or
Soft Token) with respect to a given safe. A "Certification Authority" is needed
in order to be able to issue certificates. Associated rights can be assigned
when a certificate is created. This ensures that there is a clear "separation of
powers" between security administrators and system administrators.
Based
on public key mechanisms, Secure Folder assures dynamic management of user
groups, even for very large numbers of users. A safe runs entirely in the
background. The selected files are automatically encrypted in the background.
When a safe is open, an application will not detect its presence. Network
traffic is protected at all times, because encryption and decryption are carried
out on the client side. Access to a safe can be granted to a practically
unlimited number of users, assuring that all such users can access the encrypted
data at the same time.
Secure Folder is a certificate-based, group-capable,
easily administered solution that supports secure document handling without
interfering with running work processes.
5. Technical prerequisites
5.1. System requirements
- PC 486 or Pentium (recommended: at least 16 MB
hard disk space)
- Microsoft Windows 2000, Microsoft Windows XP, Microsoft
Vista or Microsoft Windows Server 2003, Microsoft Windows Server 2007
5.2. Software requirements
- Microsoft Internet Explorer 5.5 or higher
5.3. Hardware support
- PC/SC smartcard readers
- CT API (PIN Pad Terminals)
- SECUDE trust manager Smartcards
- Smartcards compliant with legal
provisions governing electronic signatures
- TCOS Smartcards
- TCOS 2.0 MIN
- TIKS
- NetKey
- NetKey2000
- NetKeyE4 Triple Key
- NetKey 3.0
- PKCS#11 Smartcards
- StarCos
- CardOS
- AET SafeSign Middleware (G&D)
- Siemens HiPath SIcurity
- Aladdin
- RSA
- Gemplus
- Microsoft Cryptographic API (CAPI) compatible smartcards and Soft Token
5.4. Support from signature algorithms
5.5. Support from encryption algorithms
- DES3
- IDEA (SECURE, SECLAN)
- AES2 (128-, 192-, 256-bit)
5.6. Supported standards
- LDAP
- OCSP
- X.509v2
- PKCS#11
- PKCS#12
- PC/SC
About SECUDE
SECUDE offers comprehensive SAP Security
solutions to business and government partners around the world. With our
Identity & Access Management and System Security Assessment technologies and
services, we effectively protect enterprise data across the IT landscape.
SECUDE
is a member of SECUDE AG and was founded in 1996 out of a partnership between
SAP AG and Fraunhofer Institute in Darmstadt, Germany. Headquartered in Zurich,
Switzerland, we have a worldwide partner and customer base with offices in North
America, Europe, the Middle East, and Asia.
For further information, please consult
www.secude-ag.com
SECUDE AG
Bergegg 6376 Emmetten,
NW Switzerland
Tel : +41 (0) 44 575 19 10
info@secude.com
Copyright © 2009 SECUDE AG. All
Rights Reserved.
This SECUDE-branded software and its corresponding
documentation is the exclusive property of SECUDE AG of Emmetten, NW,
Switzerland and is protected under the various Copyright Laws around the world
and by various other intellectual property laws. Use of this software and/or its
documentation and any copying thereof by end users is subject to the terms of a
License Agreement with SECUDE AG. The wrongful use or copying of this software
and/or documentation subjects infringers to both criminal and civil liabilities.
The SECUDE and FinallySecure trademarks are owned by SECUDE AG, protected
internationally and used by SECUDE AG pursuant to an exclusive license. All
other trademarks, service marks, and trade names referenced herein are the
property of their respective owners.
ANY USE, COPYING, REPRODUCTION, ALTERATION,
TRANSMISSION, OR TRANSLATION OF THESE MATERIALS, IN WHOLE OR IN PART, IN ANY
FORM OR BY ANY MEANS, IS STRICTLY PROHIBITED WITHOUT THE PRIOR WRITTEN
PERMISSION OF SECUDE AG. IF THIS MATERIAL IS PROVIDED WITH SOFTWARE LICENSED BY
SECUDE, THE INFORMATION HEREIN IS PROVIDED SUBJECT TO THE TERMS OF THE WARRANTY
PROVIDED WITH THE PRODUCT LICENSE. IF THIS MATERIAL IS NOT PROVIDED WITH
LICENSED SOFTWARE, THE INFORMATION HEREIN IS PROVIDED "AS IS" WITHOUT WARRANTY
OF ANY KIND. IN EITHER CASE, THERE ARE NO OTHER WARRANTIES, EITHER EXPRESS OR
IMPLIED, INCLUDING, BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, OR QUALITY.
IN NO EVENT SHALL SECUDE AG OR ANY OF ITS AFFILIATES BE LIABLE FOR ANY DIRECT OR
INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, PUNITIVE, OR EXEMPLARY DAMAGES
ARISING OUT OF THE USE OR INABILITY TO USE THE MATERIALS AND/OR INFORMATION
CONTAINED HEREIN.
Some jurisdictions do not allow the exclusion of implied
warranties, so the above exclusion may not apply to you.
SECUDE AG takes
reasonable measures to ensure the quality of the data and other information
produced herein. However, these materials may contain technical inaccuracies or
typographical errors, and are not guaranteed to be error-free. Information may
be changed or updated without notice. SECUDE AG has no obligation to update
these materials based on changes to its products or services or those of third
parties. SECUDE AG may also make improvements or changes to the products or
services described in this information at any time without notice. SECUDE AG
frequently releases new versions and updates to its software, and therefore
images shown in this document may be slightly different from what you see on
your screen.
SECUDE AG
CH-6376 Emmetten - Switzerland
D-64293 Darmstadt – Germany
Sales: info@secude.com
Technical support: support@secude.com
Documentation: documentation@secude.com
www.secude.com