Introduction
What is tiCrypt?
tiCrypt is a complete cryptographic private cloud solution that allows organizations to be CMMC 2.0, NIST 800-53, NIST 800-171-172 and ITAR compliant.
There are two primary parts of tiCrypt: the front end and the back end.
The front end is the UX and user-facing portion of the tiCrypt software. The back end is the esoteric system-administration portion of the tiCrypt software.
What is Cryptography?
Cryptography, by definition, is the study of secure techniques that allow only the sender and intended recipient of a message to view the contents.
The word cryptography is derived from the Greek word Kryptos, which means hidden. This is very similar to encryption, which is the act of scrambling up ordinary text and then unscrambling it in order to understand the content of the message. When transmitting any type of data, the most common use of cryptography is to encrypt and decrypt.
What does it mean to Encrypt and Decrypt?
By definition, encrypt means to conceal or convert data into some form of disguised code, also known as cipher code.
Decrypt is the exact opposite; it transforms a code from cipher into intelligible code.
The simplest form of cryptography uses the symmetric or "secret key" system. This means that data is encrypted using the key, and then both the encoded message and the key are sent to the receiver.
The receiver can then decrypt the message using the key. The issue with this method is that if a third party intercepts the message and symmetric key before it gets to the receiver, they can decrypt the message.
It is simply not safe enough.
To address these issues, cryptologists came up with the asymmetric system. In this method, every user has both a public and a private key. The public key can be shared, whereas the private key MUST be protected. A sender requests the public key from the intended receiver, encrypts the message and sends it. When the recipient receives the message, only their private key can be used to decrypt it. This means that even if a third party intercepted the message, there is no possible way for them to decode it unless they have the recipient's private key.
The following diagram displays how public and private keys from two users can be used to encrypt and decrypt. Alice and Bob alone cannot encrypt or decrypt. Once they have each other's public key, they can "combine" it with their private key which grants them the "password."
In tiCrypt, every user is given a public and private key. All users must log in to the system using their private key. Every time a user does something such as sharing a file or adding resources to a group, behind the scenes, the user is encrypting the resource, and when the recipient wants to view it, they use their private key.
The tiCrypt front end contains three major user portions:
Vault Tab
The Vault tab provides the functionality required for ad-hoc sharing, secure file preview, group sharing, and other storage functionality. It is designed for users and researchers to transfer files securely into the system. The vault oversees current users, groups and projects and has the functionality of creating inboxes for external contributors (more about this in the tiCrypt mailboxes chapter).
Management Tab
The Management tab serves as permission control and management of the users. Here, admins can develop the user profiles and their teams, the workflow structure of the projects, and the virtual machine management as well as system backups. In tiCrypt, the Management tab may be one of the most complex tabs due to its functionalities and effect on the system. Most of the admin work takes place in the Management tab.
If you are a system admin, you may want to read 'Administrators Best Practices'.
Virtual Machines Tab
The Virtual Machines tab allows users to start and manage VMs. Users spend most of their time in the virtual machine environment.
For the Users
Vault
Vault is tiCrypt's in-house file and directory management feature. It allows users to securely move files from one directory to another and to share files with other tiCrypt users, subject to constraints on when a user can actually access a file's contents.
Along with that, the vault also includes the Inbox functionality, which lets users dedicate a directory specifically to receiving files. The backbone underlying this feature is public key cryptography, as data confinement is achieved using independent keys for each resource. The key management nightmare is avoided in tiCrypt through public key cryptography.
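The per-resource key model described above, as an added example rather than tiCrypt code: each resource gets its own symmetric key, and each authorized user holds a copy of that key wrapped under their public key. RSA-OAEP, AES-256-GCM and all function names are assumptions; the page does not say which algorithms tiCrypt uses.

```javascript
// Added illustration, not tiCrypt code. RSA-OAEP and AES-256-GCM are assumed
// stand-ins: the page does not name the algorithms tiCrypt uses.
const crypto = require('node:crypto');

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Every user holds a key pair; only the public half is ever handed out.
function newUser(name) {
  const { publicKey, privateKey } =
    crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  return { name, publicKey, privateKey };
}

// Encrypt a resource under its own fresh key, then wrap that key for the owner.
function createResource(owner, plaintext) {
  const key = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  const wrapped = { [owner.name]: crypto.publicEncrypt({ key: owner.publicKey, ...OAEP }, key) };
  return { iv, ciphertext, tag: cipher.getAuthTag(), wrapped };
}

// Unwrap this user's copy of the resource key with their private key.
function unwrapKey(resource, user) {
  const copy = resource.wrapped[user.name];
  if (!copy) throw new Error(`${user.name} holds no key for this resource`);
  return crypto.privateDecrypt({ key: user.privateKey, ...OAEP }, copy);
}

// Sharing adds one more wrapped copy of the key; the ciphertext is untouched.
function share(resource, from, to) {
  const key = unwrapKey(resource, from);
  resource.wrapped[to.name] = crypto.publicEncrypt({ key: to.publicKey, ...OAEP }, key);
}

// Reading needs a wrapped copy and the matching private key; GCM rejects tampering.
function readResource(resource, user) {
  const key = unwrapKey(resource, user);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, resource.iv);
  decipher.setAuthTag(resource.tag);
  return Buffer.concat([decipher.update(resource.ciphertext), decipher.final()]);
}
```

A user who is handed someone else's wrapped copy still cannot read the resource, because `privateDecrypt` fails without the matching private key.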
Virtual Machines
This is the heart of tiCrypt: it allows secure computation by upholding security through isolation. It secures the VM right from the start and spins up a new image of the underlying OS each time, so that no risk carries over from the last execution. Access to a VM is again PKI based, which allows the VM to be owned by users and not admins.
Auditing makes this a reporting feature in its own right: every action is tracked as files move in and out of the VM, giving a clear history of what happened that can be verified if required. VMs give researchers complete ownership, as no tool or mechanism restrictions are in place; rather, all the security is upheld at the tiCrypt level, providing secure processing without compromise.
My Profile
'My Profile' lists what a user can do when it comes to navigating ownership and self-management. In particular, the user profile encapsulates the different actions a user can perform based on a given set of permissions:
- Drives: Create and manage drives mounted on a VM, which are secured by encryption.
- Teams: Belong to a team and communicate with the members of the team.
- Groups: Create a collective to assist collaboration; a group allows easy assignment to projects and handling of its users under given constraints.
- Mailbox: A bookkeeping feature for quickly navigating to inbox directories; it exposes an access point that allows one to bring data in using web interfaces.
- Projects: Belong to a project and communicate with the project members.
- Certifications: A place to relay the restrictions of a certain assessment that are needed to permit access to, say, a certain project. This modal lists all the certifications a user has and allows one to manage their validity in tiCrypt.
- Permissions: The knowledge dump of what actions one is authorized to perform.
- Tasks: A view of recently completed or running tasks; essentially a modal that tracks progress and relays it to the user.
- User Menu: A place to edit and manage one's profile and to look over the team's resource consumption and its limits.
- Notifications: Allows viewing of all actions that take place during the user sessions, as well as tasks and log history.
For the Admins
User Management
A feature that allows administrators to manage users' team ownership and their authentication and authorization access to tiCrypt. It essentially allows an admin to set users' activation status and their membership in collaboration collectives such as teams and projects. Permissions are used here as access control lists over the underlying PKI. These actions do not have to be performed one at a time; tiCrypt also supports bulk edits.
Team Management
To allow for resource constraints on a collection of users, tiCrypt introduces the idea of teams. Team management rests with the administrators, who can add or remove users and edit the team's resource limits.
Project Management
To manage the trade-off between friction and ease of access, projects allow resources to be tagged against them and then authorize all the users in the project. Essentially, a project is a security tagging mechanism that allows any type of resource, even drives or VMs, to be protected and shared only with other users who are part of that project. Once a resource or group has been tagged with a project label, the ways it can be manipulated or accessed are significantly restricted.
Backups
As the name suggests, this feature allows admins to create a backup of collections of users, projects, or teams specified by domains. This can be done incrementally or as a full backup, giving a kind of checkpoint mechanism, again with encryption at its root.
Escrow
All tiCrypt resources are encrypted under PKI. At its core, each user has a private key that can be used to decrypt the user's copy of the resource encryption key. Should a user lose their key, the data (files, messages, drives) is impossible to recover, simply because of the limits the encryption imposes. To allow users to regain access to their data in case of key loss, or to allow data access for law enforcement in extenuating circumstances, tiCrypt provides a sophisticated key-escrow mechanism that can recover a user's private key and thus re-establish access. This is achieved through segregation of duties and a limit on any one admin's power, essentially imposing increased friction to reduce the chance of fraud.