From d89a2a55e429e46f1aab8928bbc9cf1f3b02c2ea Mon Sep 17 00:00:00 2001
From: ccorsin
Date: Thu, 14 Dec 2023 15:25:03 +0100
Subject: [PATCH] Edit menu and overview
---
 src/assets/table-all-attackers.drawio.svg | 4 ++
 src/assets/table-reduced-attackers.drawio.svg | 4 ++
 src/component/Layout.tsx | 2 +-
 src/pages/OverView.tsx | 66 +++++++------------
 src/utils/navigationConfig.tsx | 8 +--
 5 files changed, 37 insertions(+), 47 deletions(-)
 create mode 100644 src/assets/table-all-attackers.drawio.svg
 create mode 100644 src/assets/table-reduced-attackers.drawio.svg
diff --git a/src/assets/table-all-attackers.drawio.svg b/src/assets/table-all-attackers.drawio.svg
new file mode 100644
index 0000000..41859e6
--- /dev/null
+++ b/src/assets/table-all-attackers.drawio.svg
@@ -0,0 +1,4 @@
+ + + +
Attacker
Attacker
Access
Access
Threats
Threats
Passive 3rd party
Passive 3rd party
Insider
Insider
may get a copy of the disks content
may get a copy of the disks content
Man in the middle
Man in the middle
External network
External network
may intercept the data in transit
may intercept the data in transit
Infrastructure admin
Infrastructure admin
Physical access + Network
Physical access + Network
may externally look at memory, disk contents
and network traffic
may change hardware or spoof server names, redirect traffic
may externally look at memory, disk contents...
System admin
System admin
OS level access
OS level access
may access and change memory, disks content and network traffic
may modify the code or run malicious co
may access and change memory, disks content and networ...
Application admin
Application admin
Authorization stack
Authorization stack
may escalate privileges to access the data
may escalate privileges to access the data
Text is not SVG - cannot display
\ No newline at end of file
diff --git a/src/assets/table-reduced-attackers.drawio.svg b/src/assets/table-reduced-attackers.drawio.svg
new file mode 100644
index 0000000..3fb6c47
--- /dev/null
+++ b/src/assets/table-reduced-attackers.drawio.svg
@@ -0,0 +1,4 @@
+ + + +
Attacker
Attacker
Access
Access
Threats
Threats
Passive 3rd party
Passive 3rd party
Encryption at rest
Encryption at rest
Cosmian Covercrypt: post-quantum encryption with access policies
Protects against the “Harvest now, deecrypt later” risk + limits key leakage
Cosmian Covercrypt: post-quantum encryption with access po...
Man in the middle
Man in the middle
Encryption in transit
Encryption in transit
TLS
TLS
Infrastructure admin
Infrastructure admin
Memory Encryption
Memory Encryption
Cosmian Enclave or Cosmian VM: verifiable encrypted memory at runtime
Cosmian Enclave or Cosmian VM: verifiable encrypted memory...
System admin
System admin
Sealed Encrypted Memory
Sealed Encrypted Memory
Cosmian Enclave: verifiable enclaved encrypted memory at runtime that is immutable from the outside (the underlying OS)
Cosmian Enclave: verifiable enclaved encrypted memory at r...
Application admin
Application admin
Covercrypt encryption
Covercrypt encryption
Client-side encryption with Cosmian Covercrypt: access policies in user decryption keys prevent the user from decrypting data not authorized by its key
Client-side encryption with Cosmian Covercrypt: access pol...
Text is not SVG - cannot display
\ No newline at end of file
diff --git a/src/component/Layout.tsx b/src/component/Layout.tsx
index 3f47a90..33ee1ad 100644
--- a/src/component/Layout.tsx
+++ b/src/component/Layout.tsx
@@ -46,7 +46,7 @@ const Layout = (): JSX.Element => {
 }
- title="Client-side Encryption – Interactive tutorial"
+ title="Interactive tutorial"
 userMenu={
Documentation
diff --git a/src/pages/OverView.tsx b/src/pages/OverView.tsx
index 1b0111d..17e9128 100644
--- a/src/pages/OverView.tsx
+++ b/src/pages/OverView.tsx
@@ -1,63 +1,45 @@
 import { Link } from "react-router-dom";
-import Decryption from "../assets/client_side_decryption.drawio.svg";
-import Encryption from "../assets/client_side_encryption.drawio.svg";
+import TableAll from "../assets/table-all-attackers.drawio.svg";
+import TableReduced from "../assets/table-reduced-attackers.drawio.svg";
+
 import { ImageWrapper, SingleContent } from "../component/Layout";
 const OverView = (): JSX.Element => {
- const origin = window.location.origin;
+ // const origin = window.location.origin;
 return (
-

Cosmian Client-side Encryption

+

Architecture - Attackers, Threats and Solutions

- Regain control of every byte of your data in the cloud, even during runtime. Cosmian brings a robust encryption for SaaS - applications, ensuring all data remains in the right hands, fortified with the latest advancements in post-quantum encryption. + The first step in understanding how to secure data and applications in a zero-trust environment is to look at potential attackers + and their threat model. We assume the application code is safe and that we do not need to protect against the software developer.

-

Why use Cosmian Client-side Encryption?

+ + All attackers table + +

Protection against all attackers

- With minimal cipher expansion and latency, Cosmian’s encryption solution sets a new benchmark in enterprise-grade performance, - supporting even the most demanding production workloads. + Client-side encryption is the only ubiquitous solution that protects against all attackers because data is encrypted by the data + owner under its own key before it reaches any of these attackers. Enabling client-side encryption without loss of functionality + usually requires a modification to the application and the use of a few Cosmian products: Cosmian Covercrypt, Cosmian KMS and + possibly Cosmian VM and Cosmian Findex.

With Cosmian’s Client-side Encryption, data remains encrypted in transit, at rest, and even during runtime. This breakthrough in - data protection provides the highest assurance of data privacy and security. -

-

Cosmian solution

-

- Cosmian provides code blocks, libraries and tools that make using its technologies to implement client-side encryption easy. + data protection provides the highest assurance of data privacy and security. We providecode blocks, libraries and tools that make + using its technologies to implement client-side encryption easy. +

+ → Client-side encryption example +

+

Protection against a reduced list of attackers

- With client-side encryption, content is encrypted from the customer's browser - or any API connector - before it is transmitted to - the cloud application servers. The customer manages the encryption keys in its Key Management Service (KMS). This approach - significantly reduces the attack surface, as the application and data layers within the zero-trust environment process only - encrypted data and have no clear text access to the decryption keys. + When the threat model is limited to a reduced list of attackers, other solutions may be used. The following table summarizes the + solutions that Cosmian provides to protect against each attacker.

- Cosmian Client-side Encryption - Cosmian Client-side Decryption + Reduced attackers table -

State-of-the-art post-quantum encryption with embedded access policies

-

- To further enhance the security provided by application-level encryption, employing a robust encryption scheme like Covercrypt is - crucial. Covercrypt mitigates the risks associated with key leakage from the presentation layer and addresses potential security - risks such as rights escalation attacks and authorization misconfigurations.
- → Cosmian Covercrypt overview -

-

Search encrypted data

-

- One of the drawbacks of using application-level encryption is that the storage layer cannot search for data, and most applications - rely on search features for data extraction. This is because the search engine cannot decrypt the data and, therefore, cannot index - it. To solve this issue, Cosmian provides Findex, a searchable encryption scheme that allows the building of encrypted indexes. -
- → Cosmian Findex overview -

-

Key distribution

-

- Using Cosmian's Key Management Service (Cosmian KMS) and Public Key Infrastructure (PKI), users can safely share their keys via the - zero trust layer. -
- → Cosmian PKI overview -

);
 };
diff --git a/src/utils/navigationConfig.tsx b/src/utils/navigationConfig.tsx
index f7c01dd..40c2db6 100644
--- a/src/utils/navigationConfig.tsx
+++ b/src/utils/navigationConfig.tsx
@@ -62,7 +62,7 @@ export const navigationConfig: NavigationConfig = {
 },
 "build-encrypted-indexes": {
 key: 2,
- label: "Build Encrypted Indexes",
+ label: "Search Encrypted Data",
 children: {
 "about-findex": {
 key: 0,
@@ -98,7 +98,7 @@ export const navigationConfig: NavigationConfig = {
 },
 "distibute-keys": {
 key: 3,
- label: "Distribute keys between clients",
+ label: "Distribute keys",
 children: {
 "about-pki": {
 key: 0,
@@ -158,7 +158,7 @@ export const navigationConfig: NavigationConfig = {
 },
 "confidential-vm": {
 key: 4,
- label: "Cosmian VM",
+ label: "Compute using Encrypted Code and Data",
 children: {
 "about-cosmian-vm": {
 key: 0,
@@ -200,7 +200,7 @@ export const navigationConfig: NavigationConfig = {
 },
 "client-side-encryption": {
 key: 4,
- label: "Client-side Encryption example",
+ label: "Encrypt Client-Side",
 children: {
 "about-cse": {
 key: 0,
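Review bot: The new "Protection against all attackers" paragraph in OverView.tsx states that client-side encryption "protects against all attackers" in the table, yet the same table lists the system admin as able to "modify the code", and the opening paragraph only covers this by assuming the application code is safe, so the claim holds under that trust assumption and the text should say so; a possible wording is `Client-side encryption protects against every attacker in the table provided the client code that performs the encryption is trusted and delivered unmodified — the assumption stated above.` The paragraph after the first table also has a typo, `We providecode blocks` should read `We provide code blocks` (the reduced-attackers SVG carries a similar one, `deecrypt`). Finally, `// const origin = window.location.origin;` leaves commented-out code in the component; delete the line rather than commenting it out, unless a link further down still needs an absolute URL built from it.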