neuropil
zero-trust architecture for the internet
Hello from our NGI Architects
_
Marvin
Eliza
Cologne, 12.03.2021
_
_ only protection of bilateral IP connections
_ protects APIs, not the individual data objects
_ unsuited for rapid change of data owners / new data channels
_
_
_ static design: build once, run forever
_ new requirements collide with the original security design
_ every change introduces another security exception
_
too bad
_ the trust perimeter has changed
_ fragmented information flows need protection
_ authn/authz must be possible everywhere
_ data objects governed by external/internal access policies (AP)
_
_ defines trust levels for data objects or smaller groups
_ fine-grained access to objects possible
_ more insight means less risk
_ never trust, always verify
_
better
_ data object interactions are the main driver for future IT architecture
_ devices produce and consume data at the same time
_ respect different data owners per device: if one fails, all suffer!
_
_
_ business agility: enables your company to adapt and survive
_ switching to a different service provider is easy
_ change policies in days (rather than months)
_ enables data reduction and a data economy
_
much better
_ The capability of an individual or an organization to have control over their personal and business data. This entails that they should be able to know which party holds which data, under what conditions (purpose, duration, reward), where data is kept, and be able to re-use the data at other places.
Source: Data Sovereignty Now
_
team digital sovereignty
_
_ secure, sovereign and sustainable data integration
_ small, secure connector library
_ a decentralized identity space enabling privacy
_ connects everything: devices, edge, processes, applications, users, enterprises
_
_ digital identities
_ dual encryption layer
_ attribute based access control
_ decentralized access delegation
... and more
_
_ stacked identities (realm / audience)
_ hash-based addressing
_ DHT protecting metadata discovery
... and more
_
_ installed as an OS library
_ connect once, communicate globally
_ Python / Lua bindings available
_ identity- / data-based routing
... and more
_
_ stay secure behind closed firewalls
_ standardized security measures
_ limit packet size / throughput
_ "blind broker" nodes
_
_
_ neuropil.org
protocol development & standardization
technical security stack definition
responsible disclosure handling
_ neuropil.io
base service layer
organizational security definition / enforcement
compliance & reviews
_ neuropil.com
Add-On business services
Consulting & Development
_ neuropil.org / approx. 60,000 €
_ protocol definition & verification (6 months)
_ protocol documentation & standardization (6 months)
_ creation of governance body / structures (6 months)
_ foundation of a European social enterprise
_
_
Protocol definition & verification (6 months) / approx. 15,000 €
_ distributed time measurements (reusing existing definitions)
_
_
Protocol definition & verification (6 months) / approx. 20,000 €
_ definition of the realm protocol messages
_
Protocol definition & verification (6 months) / approx. 15,000 €
_ macaroons are better than cookies
_
_ hiding cryptographic complexity
_ installed as an OS library
_ remote token attestation
_ Python / Lua bindings available
_ supporting
_ organizational security (e.g. SIEM)
_ enterprise architecture map (e.g. RAMI 4.0)
_ and more
_
Blake2b("urn:this:is:my:test:identity")     => 0x00000000 0x11111111 0x22222222 0x33333333
Blake2b("urn:handle:authorization:request") => 0x11111111 0x22222222 0x33333333 0x44444444
(illustrative digest values, shortened to four 32-bit words)
_
  0x11111111 0x22222222 0x33333333 0x44444444
+ 0x00000000 0x11111111 0x22222222 0x33333333
= 0x11111111 0x33333333 0x55555555 0x77777777
_
  0x11111111 0x33333333 0x55555555 0x77777777
+ 0x12345678 0x88888888 0x33333333 0x98761234   <= add one random garbage value
= 0x23456789 0xbbbbbbbb 0x88888888 0x0fed89ab
_
Each 32-bit word is added on its own, modulo 2^32: the carry out of the last word (0x77777777 + 0x98761234 = 0x10fed89ab) is discarded, so the result is 0x0fed89ab.
Please note: the derived hash values must only be used to identify the correct data channel, data set or identity, never as key material.
_
let's apply the concept to our data channels
Blake2b("urn:this:is:my:test:identity")
+ Blake2b("urn:this:is:your:test:identity")
+ Blake2b("AES256-GCM")
+ Blake2b("urn:this:is:our:test:subject")
identifies a private AES-256-GCM encrypted data channel between the two identities on that subject
let's apply the concept to versioning data channels
Blake2b("urn:this:is:my:test:subject")
+ Blake2b("version=1.2")
+ random garbage value
identifies a private hash value for version 1.2 of the subject; the random term keeps it private, because subject and version alone are not enough to derive it
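The derivation above, written out as an added example (not code from the neuropil library or from pi-lar): BLAKE2b digests are split into 32-bit words and added word by word modulo 2^32, exactly as on the slide, including the discarded carry. The 256-bit digest size, the little-endian word layout and the function names are assumptions made here for illustration; the slide shows only four words.

```python
"""
Hash-based addressing by word-wise digest addition.
Added illustration; not neuropil's own code. Assumed: 256-bit BLAKE2b
identifiers split into eight little-endian 32-bit words.
"""
import hashlib
import secrets
import struct

DIGEST_SIZE = 32          # bytes; assumed 256-bit identifiers
WORDS = DIGEST_SIZE // 4  # eight 32-bit words
WORD_MASK = 0xFFFFFFFF


def blake2b_words(text: str) -> list[int]:
    """BLAKE2b digest of `text`, split into little-endian 32-bit words."""
    digest = hashlib.blake2b(text.encode("utf-8"), digest_size=DIGEST_SIZE).digest()
    return list(struct.unpack(f"<{WORDS}I", digest))


def add_words(a: list[int], b: list[int]) -> list[int]:
    """Word-wise addition modulo 2**32.

    Every word is added on its own and the carry out of a word is discarded,
    never propagated into its neighbour: the slide's 0x77777777 + 0x98761234
    therefore gives 0x0fed89ab.
    """
    if len(a) != len(b):
        raise ValueError("operands must have the same number of words")
    return [(x + y) & WORD_MASK for x, y in zip(a, b)]


def random_garbage() -> list[int]:
    """A fresh random term. Whoever does not hold this exact value cannot
    recompute an identifier that contains it, even if every other input
    (identity URNs, subject, version) is public."""
    return [secrets.randbits(32) for _ in range(WORDS)]


def derive_address(*terms) -> list[int]:
    """Sum of all terms: str terms are hashed first, word lists (for example a
    random garbage value) are added as they are. The result is an identifier
    for a channel, data set or identity, not a cryptographic key."""
    acc = [0] * WORDS
    for term in terms:
        acc = add_words(acc, blake2b_words(term) if isinstance(term, str) else term)
    return acc


def channel_address(me: str, you: str, cipher: str, subject: str) -> list[int]:
    """The slide's private encrypted data channel: two identities, a cipher
    suite name and the shared subject."""
    return derive_address(me, you, cipher, subject)


def versioned_address(subject: str, version: str, garbage: list[int]) -> list[int]:
    """The slide's versioned subject: subject + version tag + random term."""
    return derive_address(subject, f"version={version}", garbage)


def fmt(words: list[int]) -> str:
    return " ".join(f"0x{w:08x}" for w in words)


if __name__ == "__main__":
    # Replay the slide's arithmetic on its four-word illustrative values.
    step1 = add_words([0x11111111, 0x22222222, 0x33333333, 0x44444444],
                      [0x00000000, 0x11111111, 0x22222222, 0x33333333])
    step2 = add_words(step1, [0x12345678, 0x88888888, 0x33333333, 0x98761234])
    print(fmt(step1))  # 0x11111111 0x33333333 0x55555555 0x77777777
    print(fmt(step2))  # 0x23456789 0xbbbbbbbb 0x88888888 0x0fed89ab

    me, you = "urn:this:is:my:test:identity", "urn:this:is:your:test:identity"
    subject = "urn:this:is:our:test:subject"
    chan = channel_address(me, you, "AES256-GCM", subject)
    # Word-wise addition is commutative, so both peers reach the same address
    # no matter which identity they list first.
    assert chan == channel_address(you, me, "AES256-GCM", subject)
    print("channel:", fmt(chan))

    g = random_garbage()
    print("v1.2:   ", fmt(versioned_address("urn:this:is:my:test:subject", "1.2", g)))
```

Because the addition is commutative, a peer that knows all the public terms of a channel can compute its address; that is intended, as the address is for routing and lookup only. The random garbage term is what turns such an address into one that only its holders can derive.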
_
+49 221 16531700
info@pi-lar.net
www.pi-lar.net
marvin@neuropil.io
eliza@neuropil.io
pi-lar GmbH
Kreuzgasse 2-4
D-50667 Köln