User:Rocketron5/Emcads

"EMCAD" is a technology patented by "Giritech A/S". It is used for securing access to applications on a network via the Internet.

Overview
EMCAD is an acronym for Encrypted Multi Content Application Deployment System.

It is a name used for a client/server technology conceived by Jimi Jørgensen and Craig Damon in 1997 as a simple way of securing access to applications - without having to install anything on the local host device. Jimi Jørgensen went on to build the original server core which features a dynamic datagram switching engine. A patent covering the technology and the client deployment method was granted in 2005.

The technology is now owned by Giritech A/S and is used in their G/On product, used as an alternative to both traditional VPNs and secure token solutions.

Operating Function
A basic session consists of 4 phases: Connection, Authentication, Resource access and Disconnection.

Connection
Typically the client is run from the hard disk or deployed via a USB key capable of auto-launching an application, once inserted in a Windows PC:

1. The client automatically attempts to connect to the server named in an encrypted file. The server generates a random 163-bit ECC public/private key pair, signs the public key and sends the key and the signature to the client.

2. The client validates the signature on the public key against the pre-shared certificate. If the certificate fails to validate, the client will disconnect without further action.

3. If the client validates the signature on the public key, the client in turn generates a similar 163-bit ECC public/private key pair. The client then assembles a “Client Identity and Facility Package” (a CIF package) containing, among other things, a list of supported ciphers, hashes (for CRC), bit lengths, the symmetric key for the upstream data and some information regarding the device on which the client software is running, including serial numbers for special USB keys.

4. This information is encrypted with the public key from the server and returned.

5. The server decrypts and validates the package (and certificate, if used). If the validation fails, the server disconnects.

6. If the validation is successful, the server validates the client ID, USB key ID or other information submitted by the client against the specific rule set configured by the administrator on the server, to determine whether to proceed or deny access.

7. If the client cannot pass the rules defined for access, the server will forcefully close the connection to the client.

8. If the client passes, the server selects from the ciphers available for the session; the server always selects the strongest available cipher. The server also generates a random symmetric key for the downstream data, encrypts all of this with the client's public key and forwards the data.

9. The client receives this, switches to symmetric cipher and the client and server exchange “receipts” to validate that the symmetrical engines are operational.

By default, the EMCAD service uses 256-bit AES via a third-party component. The server can support other symmetric encryption schemes, multiple key lengths, multiple schemes, cipher feedback and output feedback modes within the same session, and even different ciphers, keys and CRCs for the upstream and downstream directions for special applications.

The content packet is a proprietary packet format, where the entire content of the packet – which can hold both commands for the server as well as actual content – is encrypted.

TCP/IP is used for the underlying data transport. However, the EMCAD protocol does not rely on any information or headers from the TCP or IP protocols. This means communication is transparent to NAT, PAD or additional tunnelling or encryption.

When a client wants to communicate with the server, it fills in the header fields and optionally attaches the payload. This is then submitted to the embedded EMCAD client data management engine, which in turn encrypts the entire packet with the cipher method used for that session and sends the packet to the server.

When the server receives the packet, it decrypts and validates the packet to see if it was altered in transit, processes the headers and the optional payload and performs the actions. If the packet is to be forwarded on to another user or, for example, another EMCAD server, it will then be re-encrypted based on that particular session.

Authentication
EMCAD currently supports only two interactive authentication schemes: a built-in scheme and Microsoft's Active Directory (AD) via the Windows native API. Once a connection has been made, the user is prompted to enter a login name and password. If authentication is successful, the server registers the client as online in the local user directory.

The client can be configured to accept other automated logon methods. These are primarily used when either the client itself or other clients need to establish a session. The most widely used involve randomly generated one-time tokens.

Resource Usage
Once connected to the server, users can access only those network resources published to their menu, found in the PC's taskbar.

Users can only see the applications they are entitled to use according to the rights registered against their name or group in the embedded user database or Active Directory. EMCAD supports a granular level of rights and embedded commands, and natively supports persistent sessions.

Disconnection
The user either selects “Exit” from the menu or removes the USB key from the host PC. This is sufficient to close the connection to the server.

The USB client only uses the PC’s Internet connection and memory - it has not loaded any software onto the hard drive or used its resources in any other way. This means there are no usable artefacts from the session on the PC that can be used to subsequently exploit the system.
