Win-Hand's Security
Why use a remote access "solution" whose security is merely "probably impossible to break"?
Why not have a security system you can control?
The competition claims their security is "good enough"...
A few security facts:

1) The #1 security leak in remote logins is the misplacement or misuse of the user's credentials.

2) Security systems put their faith in encryption technologies like SSL and AES, whose key spaces have an enormous
number of combinations. But many of those systems leak security right from the start by deriving the key
fed to the encryption engine from a short, repeatedly used 4- to 8-character password.
For example, a 128-bit SSL channel ends up gated by a password worth only 36 to 48 bits.
(An attacker then has to search at most 2^48 candidates, not 2^128: the password, not the cipher, sets the effective key strength.)

3) Most users don't use passwords like "e2Fu9W61"; they use passwords like "Stephanie13".
Attackers use cracking dictionaries that contain common words, common first names,
dictionary words and other pronounceable strings like "toto", typically with a few digits appended.

4) A 64-bit key (the RC5-64 challenge) was brute-forced by distributed.net in 1,757 days, finishing in 2002,
without any password dictionary at all: the key was random, so the key space was simply searched exhaustively.

5) Example: the password has the format "[CommonWord][1-3Digits]".
There are roughly 30,000 words in an English dictionary; with one to three trailing digits that gives roughly 30,000,000 candidate passwords.
An attacker who can tap your communication line records the transmission and attacks it offline.
With an ordinary 2.4 GHz PC, the attacker can try about 10,000 candidates per second against 128-bit AES.
So the attacker covers half the candidate space in about 25 minutes (30M / 10K / 60 s / 2) with a single PC.
Until you change your password, the attacker can log in to any of your PCs...

6) Other common misunderstandings about security
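As an added illustration of fact 5 above (this is not code from this page or from Win-Hand), the following Python models the offline attack: the recorded transmission is decrypted under every "[CommonWord][1-3Digits]" candidate until the session's known header appears. Python's standard library has no AES, so an HMAC-SHA256 counter-mode keystream stands in for the cipher, and the key is assumed to be derived directly from the password, which is exactly the weakness the fact describes. The six-word dictionary, the "LOGIN-v1" header and the session payload are constructed for the example.

```python
import hashlib
import hmac
import itertools

# Constructed stand-in for the ~30,000-word list the text mentions.
DICTIONARY = ["summer", "password", "Michael", "Stephanie", "toto", "dragon"]

# Assumed protocol detail: every session starts with this fixed header,
# which hands the attacker a known plaintext to test candidates against.
SESSION_HEADER = b"LOGIN-v1"

def key_from_password(password: str) -> bytes:
    """Model of a system that feeds the user's password straight into its
    encryption engine: the 128-bit key is just a hash of the password, so the
    real key space is the password space, not 2**128 (assumption, not a real KDF)."""
    return hashlib.sha256(password.encode()).digest()[:16]

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: HMAC-SHA256 keystream in counter mode, XORed over
    the data. Encrypt and decrypt are the same operation. The attack below
    does not care which cipher sits here; only the key derivation matters."""
    out = bytearray()
    for block_no, start in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, block_no.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[start:start + 32], block))
    return bytes(out)

def candidates(words):
    """Enumerate the "[CommonWord][1-3Digits]" pattern: every word followed by
    every 1-, 2- or 3-digit suffix, i.e. 10 + 100 + 1000 = 1,110 per word."""
    for word in words:
        for ndigits in (1, 2, 3):
            for digits in itertools.product("0123456789", repeat=ndigits):
                yield word + "".join(digits)

def search_space(n_words: int) -> int:
    """Size of the candidate space for a dictionary of n_words words."""
    return n_words * 1110

def minutes_to_half(n_words: int, guesses_per_second: int) -> float:
    """Expected time to cover half the candidate space on one machine."""
    return search_space(n_words) / guesses_per_second / 60 / 2

def crack(recorded: bytes, words=DICTIONARY):
    """Offline attack on a recorded transmission: derive the key from each
    candidate, decrypt the first bytes and look for the known header.
    Returns (password, attempts), or (None, attempts) if no candidate fits."""
    attempts = 0
    header_len = len(SESSION_HEADER)
    for pw in candidates(words):
        attempts += 1
        if keystream_xor(key_from_password(pw), recorded[:header_len]) == SESSION_HEADER:
            return pw, attempts
    return None, attempts

# Constructed "recorded transmission": a session protected by a typical password.
RECORDED = keystream_xor(key_from_password("Stephanie13"), SESSION_HEADER + b"user=alice;cmd=dir")

if __name__ == "__main__":
    print("recovered:", crack(RECORDED))                                            # ('Stephanie13', 3354)
    print("random password:", crack(keystream_xor(key_from_password("e2Fu9W61"), SESSION_HEADER)))  # (None, 6660)
    print("30,000 words at 10,000/s: %.1f min to half" % minutes_to_half(30_000, 10_000))
```

The text's 25 minutes comes from rounding to 30 million candidates; with the exact 1,110 suffixes per word the figure is about 28 minutes. The ten-thousand-per-second rate is the page's; against a key derived this directly from the password a modern CPU does far better, and a slow, salted key-derivation function only multiplies the attacker's time by a constant, it never restores the missing bits. A random password such as "e2Fu9W61" is simply not in the candidate space, so the same attack ends with nothing.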
At MT Impossible Corp., we take remote access seriously and we believe there is only one suitable security:
End-to-End security + never-repeating Private Encryption Keys.

Win-Hand's Security (v8.0 and after)

For Win-Hand version 7.3 and before (PDA to PC), see the separate page for that version.

Definitions:

SEKs: Session Encryption Keys
When using Win-Hand (except when connecting with a Guest Password), you carry
a non-reusable reservoir of 256-bit Session Encryption Keys (SEKs).
The SEKs you carry are generated privately by your PC.
For each session, a new 256-bit SEK is consumed from the reservoir to encrypt the data of that session.
That SEK is never used again: it is discarded at the moment it is retrieved.
This is roughly equivalent to typing in a new random 52-character password for each connection.
Before your SEKs are all consumed, you must install new keys (generated by the PC to be accessed), since every session needs a fresh one.

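An added model of the reservoir described above (this is not Win-Hand's code or file format): the PC generates 256-bit keys with the operating system's random generator, the mobile device installs a copy, and each session pops the next key from both copies, so the same key can never be handed out twice and an empty reservoir refuses to start a session. It assumes both ends step through the reservoir in the same order, and uses a per-session HMAC in place of the session encryption to show that the two ends really hold the same key; the JSON export format and the payloads are assumptions.

```python
import hashlib
import hmac
import json
import secrets

KEY_BYTES = 32  # 256-bit SEKs, as the text specifies

class SekReservoir:
    """Non-reusable reservoir of Session Encryption Keys (illustrative model)."""

    def __init__(self, keys):
        self._keys = list(keys)  # unconsumed keys, in consumption order
        self.consumed = 0

    @classmethod
    def generate(cls, count: int) -> "SekReservoir":
        # Generated privately on the PC with the OS CSPRNG, never from a password.
        return cls(secrets.token_bytes(KEY_BYTES) for _ in range(count))

    def remaining(self) -> int:
        return len(self._keys)

    def next_session_key(self) -> bytes:
        """Consume one key. It leaves the reservoir at the moment it is retrieved,
        so the same key cannot be issued for a second session."""
        if not self._keys:
            raise RuntimeError("SEK reservoir exhausted: install new keys before connecting")
        self.consumed += 1
        return self._keys.pop(0)

    def export(self) -> bytes:
        """Serialised copy to install on the mobile device (assumed JSON hex list,
        standing in for whatever Win-Hand writes to the memory stick)."""
        return json.dumps([k.hex() for k in self._keys]).encode()

    @classmethod
    def install(cls, blob: bytes) -> "SekReservoir":
        return cls(bytes.fromhex(h) for h in json.loads(blob))

def provision(count: int):
    """The PC generates the reservoir; the mobile device installs a copy of it."""
    pc = SekReservoir.generate(count)
    mobile = SekReservoir.install(pc.export())
    return pc, mobile

def run_session(pc: SekReservoir, mobile: SekReservoir, payload: bytes) -> bool:
    """One session. Each side consumes the next key from its own copy; the
    mobile sends the payload plus an HMAC tag (stand-in for encrypting the
    session) and the PC checks it with the key it consumed. The key itself
    never crosses the wire, and neither side keeps it afterwards."""
    k_mobile = mobile.next_session_key()
    tag = hmac.new(k_mobile, payload, hashlib.sha256).digest()   # what goes over the line
    k_pc = pc.next_session_key()
    return hmac.compare_digest(tag, hmac.new(k_pc, payload, hashlib.sha256).digest())

if __name__ == "__main__":
    pc, mobile = provision(3)
    for i in range(3):
        print("session", i, "ok" if run_session(pc, mobile, b"screen-update") else "FAILED")
    print("remaining:", pc.remaining())          # 0
    try:
        run_session(pc, mobile, b"one more")
    except RuntimeError as e:
        print("refused:", e)
```

The consumption order is the only thing keeping the two copies in step: a session that is aborted after one side has already consumed its key leaves the copies one key apart, and every later session fails until they are realigned. The page does not say how Win-Hand resynchronises, so a real implementation needs an explicit key index in the session setup, and it should also wipe each consumed key from memory rather than merely dropping the reference.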
Password: Account Password
This is a 6-character password producing a 30-bit binary key (5 bits per character). It is used by
the Win-Hand Connection Servers to identify you and grant access to your PCs.
To connect to your PCs you need both your SEKs (presumably on a memory stick)
and your 6-character Win-Hand Account Password, which you type in.
The Password is never transmitted during any Win-Hand connection: the Win-Hand Connection Server
validates your credentials with a challenge/response mechanism.

AK: Account Key
This is a 98-bit binary key that is sent to your email account and installed on the mobile computers
you wish to grant access to your Win-Hand account (its filename looks like "WinHand_AccountKey*.prc").
This key is private between your mobile device and the Win-Hand Connection Server.
When you access your account, this 98-bit key is combined with your 30-bit password to produce
a 128-bit Account Encryption Key (AEK).
The AK is never transmitted during any Win-Hand connection.
Because the AK arrives by email, anyone who can read that mailbox holds one of your two secrets: delete the message once the key is installed.

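An added example (not Win-Hand's protocol, whose wire details the page does not give) of how the three definitions fit together: a 6-character password from an assumed 32-symbol alphabet yields 30 bits, the 98-bit AK and the 30 password bits are concatenated into the 128-bit AEK (the concatenation order is an assumption), and the Connection Server checks a login by sending a random challenge and verifying an HMAC over it under the AEK. The AK, the password and the AEK stay on the two ends; only the challenge and the response cross the wire. The server is assumed to store the AEK per account at enrolment; account names and the alphabet are made up for the example.

```python
import hashlib
import hmac
import secrets

# Assumed 32-symbol alphabet (no 0/O/1/I), so each character carries exactly 5 bits.
PASSWORD_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
assert len(PASSWORD_ALPHABET) == 32
PASSWORD_LEN, AK_BITS = 6, 98

def generate_account_key() -> int:
    """98-bit Account Key, generated at random (modelled with the OS CSPRNG)."""
    return secrets.randbits(AK_BITS)

def generate_password() -> str:
    """6-character Account Password, also generated at random (modelled)."""
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(PASSWORD_LEN))

def password_bits(password: str) -> int:
    """6 characters x 5 bits -> 30-bit integer."""
    if len(password) != PASSWORD_LEN:
        raise ValueError("password must be exactly 6 characters")
    value = 0
    for ch in password:
        value = (value << 5) | PASSWORD_ALPHABET.index(ch)  # ValueError if ch is outside the alphabet
    return value

def account_encryption_key(ak: int, password: str) -> bytes:
    """128-bit AEK = 98-bit AK || 30-bit password (concatenation order assumed)."""
    if not 0 <= ak < (1 << AK_BITS):
        raise ValueError("AK must be a 98-bit value")
    return ((ak << 30) | password_bits(password)).to_bytes(16, "big")

class ConnectionServer:
    """Holds one AEK per account so it can verify responses (assumption)."""
    def __init__(self):
        self._accounts = {}

    def enroll(self, account: str, aek: bytes) -> None:
        self._accounts[account] = aek

    def challenge(self) -> bytes:
        # Fresh per login attempt, so a captured response cannot be replayed later.
        return secrets.token_bytes(16)

    def verify(self, account: str, challenge: bytes, response: bytes) -> bool:
        aek = self._accounts.get(account)
        if aek is None:
            return False
        expected = hmac.new(aek, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

class MobileClient:
    """Has the AK installed from the emailed key file; the password is typed per login."""
    def __init__(self, account: str, ak: int):
        self.account, self.ak = account, ak

    def respond(self, challenge: bytes, typed_password: str) -> bytes:
        aek = account_encryption_key(self.ak, typed_password)   # rebuilt locally, never sent
        return hmac.new(aek, challenge, hashlib.sha256).digest()

def login(server: ConnectionServer, client: MobileClient, typed_password: str) -> bool:
    """The wire exchange: server -> client: challenge; client -> server: response."""
    challenge = server.challenge()
    response = client.respond(challenge, typed_password)
    return server.verify(client.account, challenge, response)

def setup_account(server: ConnectionServer, account: str):
    """Account creation: random AK and password; the server keeps only the AEK."""
    ak, password = generate_account_key(), generate_password()
    server.enroll(account, account_encryption_key(ak, password))
    return ak, password

if __name__ == "__main__":
    server = ConnectionServer()
    ak, password = setup_account(server, "alice")
    phone = MobileClient("alice", ak)
    print("correct password:", login(server, phone, password))                                     # True
    print("wrong AK, right password:", login(server, MobileClient("alice", generate_account_key()), password))  # False
```

The random challenge is what stops a recorded response from being replayed. Note the practical limit of the second factor: someone who has stolen the device already holds the AK and only needs to search the 30-bit password, about 10^9 candidates, each requiring a round trip with the Connection Server; the server must therefore rate-limit or lock out failed challenge/response attempts, which this page does not describe.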
How does Win-Hand address the above "security facts"?

1) How to prevent the misuse of login credentials:
Win-Hand's solution: use SEKs, which removes the dependency on a single secret credential.
If the SEKs are lost or stolen, access is still denied without the Win-Hand Password, and the Password alone is useless without the SEKs.
This means you need two things to connect: your SEKs and your Password.
In the security world this is known as two-factor authentication: "something I have, something I know".

2) Prevent diluting the key space of the encryption engine:
Win-Hand's solution: use 256-bit, completely random SEKs, never a key derived from a password.

3) How to prevent the use of simple passwords:
Win-Hand's solution:
a) Your Account Key (AK) is generated completely at random by the Win-Hand system.
b) Your 6-character Password is generated completely at random by the Win-Hand system.
c) Your SEKs are generated under your control by the PC to be accessed, are completely random,
and are private between your PC and your mobile devices.

4) Prevent breaking the encryption engine:
Win-Hand's solution:
a) Use 256-bit AES, whose key space is 2^128 (about 3x10^38) times larger than that of a 128-bit key.
b) Add a layer over AES to hide its repeating patterns (details: section 1.2).

5) Win-Hand example:
Win-Hand SEKs are random 256-bit keys (one per session).
That is 2^256, about 1x10^77, combinations.
An attacker who can tap your communication line records the transmission and attacks it offline.
With a 2.43 GHz dual-processor PC, the attacker can try 20,000 keys per second against 256-bit AES.
Trying half the combinations would take about 25x10^71 seconds (using only one PC).
That is 79,275 trillion*trillion*trillion*trillion*trillion years.
Even if the attacker did find your SEK, he or she could read the data of the one session where that key was used,
but could not connect to your PCs, because that SEK was discarded when it was retrieved and is never used again.
At MT Impossible Corp., this is the meaning we give to the word Impossible.

What if you lose your SEKs or your Password?
Win-Hand's security is split into two parts:
• your mobile computer (holding your AK and your SEKs);
• your Password (which we presume is stored in your head).
If you lose one or the other, you are still secure: neither part is enough on its own.
If you lose both your SEKs and your Password, your Win-Hand security is compromised:
access your remote PC, disable Win-Hand, and contact us to create a new account for you.