Secure Keys and Secrets on any Device
Enable Secure Transactions from Insecure Devices.
Any App. Any Device. Any Use Case
Unbound Crypto-of-Things (CoT) ensures that your apps are secure regardless of the security posture of the device on which they’re deployed. A unified, single API is used to deploy a virtual root of trust that protects crypto keys at the application level, ensuring they cannot be compromised, cloned or tampered with even if the device is infected by malware or controlled by an adversary.
Completely abstracted from the underlying hardware, CoT can be deployed on any endpoint device and platform, from IoT and mobile to laptops and even application servers and containers in the cloud or data center. Enable high-trust operations like document signing, payments, blockchain transactions and authentication from any endpoint device.
UNMATCHED CONTROL & VISIBILITY
Tamper-proof, real-time auditing
Automated, streamlined provisioning
Intuitive, easy-to-use, crypto-agile API
Immune to malware & client-side attacks
Keys can’t be compromised, cloned or tampered with
Secures crypto keys for ALL use cases
Eliminating the Single Point of Compromise
Unbound’s Distributed Trust Platform is different from traditional software-based schemes that use a private key and either keep it in memory or attempt to obfuscate it. Instead, with Unbound, secrets can be accessed and used by the applications without ever exposing the key or secret material in the clear at any point in its lifecycle. Key material is never whole. Rather, each key exists as two random key shares, separated completely: one share on the device and one share on a remote server.
The inherent separation between an endpoint device and a remote server stretches the secure boundary far beyond the traditional physical casing of the device, ensuring that keys on endpoint devices remain secure at all times, even in the presence of malware or a malicious actor fully controlling the endpoint device.
What's Made Possible with Unbound Crypto-of-Things?
Central Management and Real Time Tamper Proof Audit Trail
Unbound CoT requires communication between the endpoint and the CoT server for any crypto operation. The CoT server therefore keeps a real-time, tamper-proof audit log of every crypto operation performed on the endpoint, allowing detection of crypto key usage anomalies in real time.
If an endpoint is suspected to be compromised, Unbound CoT gives you ultimate control through instant revocation of any crypto key secured with CoT. Deleting the relevant key share on the CoT server immediately renders the key useless, ensuring that any assets protected by this key are safe.
Brute-force Proof Authentication Factors
Unbound CoT provides various authentication factors that can be used to authorize any usage of the cryptographic key. The authentication takes place using an MPC algorithm between the endpoint and the CoT server, thus preventing brute-force attacks on the endpoint side.
Unbound CoT is very simple to integrate within your applications, with a simple, intuitive and easy to use SDK. The software is very lightweight and integrates with virtually any device, including laptops, mobile, wearables and other IoT devices.
Future-ready and Agile Cryptography
Unbound CoT is future-ready, so your cryptography infrastructure can be too. With the emergence of Quantum Computing, Blockchain, and crypto vulnerabilities, changes in crypto are faster than ever. Unbound provides a crypto-agile system that ensures you will be up and running the latest crypto, with update cycles measured in days to weeks, not months or years.
Architecture: Non-continuous Secure Boundary
Each Unbound CoT system consists of a central server (CoT server) that is installed and managed by the customer. Various endpoint devices that run CoT software (CoT library) connect to the CoT server, creating a series of pairs, where each pair consists of a single endpoint device and the CoT server. Each node in a pair holds one share of a key. Together, the CoT software on the device and the CoT server form the secure boundary of Unbound CoT.
Applications on the device use the CoT library API to consume cryptographic services for the keys managed within the library, effectively creating a virtual secure enclave on the device. All connections between CoT devices and the CoT server are protected using server authentication (TLS). Key shares are constantly refreshed, so in order to maliciously obtain key material an attacker must compromise both the device and the CoT server simultaneously.
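To make the two-share model concrete, here is an added toy illustration (not Unbound's code or its MPC protocol) of additive key sharing between a device and a server: a key operation computed from two partial results without assembling the key, a proactive refresh that keeps the key constant while invalidating stale shares, and revocation by deleting the server share. The group parameters and all values are constructed; a real deployment generates the key jointly so it is never whole, whereas this demo generates it once only to check its results.

```python
import secrets

# Constructed toy parameters (not Unbound's): arithmetic in the multiplicative group
# mod the Mersenne prime 2^127 - 1. Exponents live mod Q = P - 1, so by Fermat
# base^((a + b) mod Q) == base^a * base^b for any nonzero base.
P = (1 << 127) - 1
Q = P - 1
G = 5

def split_key(key: int) -> tuple[int, int]:
    """Split a private exponent into two random additive shares (device, server).
    Either share alone is a uniformly random value carrying no information."""
    device_share = secrets.randbelow(Q)
    server_share = (key - device_share) % Q
    return device_share, server_share

def refresh_shares(device_share: int, server_share: int) -> tuple[int, int]:
    """Proactive refresh: both sides shift by the same nonzero random delta.
    The key (the sum mod Q) is unchanged, but a share captured before the
    refresh no longer pairs with one captured after it."""
    delta = 1 + secrets.randbelow(Q - 1)
    return (device_share + delta) % Q, (server_share - delta) % Q

def partial_op(share: int, base: int) -> int:
    """Each party raises the base to its own share only; the share never leaves it."""
    return pow(base, share, P)

def joint_op(device_share: int, server_share: int, base: int) -> int:
    """Combine partial results: base^d1 * base^d2 == base^(d1 + d2) == base^key.
    The whole key is never assembled on either side."""
    return partial_op(device_share, base) * partial_op(server_share, base) % P

def demo() -> dict:
    key = secrets.randbelow(Q)              # whole key exists here only to verify
    d_share, s_share = split_key(key)
    peer_public = pow(G, secrets.randbelow(Q), P)   # constructed counterparty value
    expected = pow(peer_public, key, P)             # what a whole key would compute
    joint = joint_op(d_share, s_share, peer_public)
    stolen_device_share = d_share           # attacker snapshots the device share...
    d_share, s_share = refresh_shares(d_share, s_share)   # ...then a refresh runs
    still_correct = joint_op(d_share, s_share, peer_public) == expected
    stale_pair_works = (stolen_device_share + s_share) % Q == key   # old + new share
    s_share = None                          # revocation: server deletes its share
    return {"joint_matches": joint == expected, "after_refresh": still_correct,
            "stale_pair_recovers_key": stale_pair_works, "revoked": s_share is None}
```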
Secured By a Root of Trust
Root of Trust for Any Endpoint Device
Unbound CoT completely abstracts the underlying hardware, effectively enhancing any endpoint device with a virtual root of trust that has a unified, single API used across all supported devices and platforms. In addition, CoT uses secure hardware, if present on the device, to provide an even higher level of security.
Root of Trust for Applications and Containers in the Cloud and Data Center
Unbound CoT effectively creates a virtual root of trust for any application, server or container in the cloud or data center. In addition, CoT uses secure hardware such as a TPM or Intel Software Guard Extensions (SGX), if present on the endpoint, to provide an even higher level of security.
Security That Goes Beyond
CoT's limitless secure boundary adds a new dimension to security architectures. The inherent separation between an endpoint device and a remote server stretches the secure boundary far beyond the traditional physical casing of the device, ensuring that keys on endpoint devices remain secure at all times, even in the presence of malware or a malicious actor fully controlling the endpoint device.
Operating Systems and Platform
| Component | Device Type | Supported Operating Systems |
| --- | --- | --- |
| CoT Endpoint | Mobile (smartphones, tablets, wearables) | Android, iOS |
| CoT Endpoint | Desktop/laptop | Windows, Mac, Linux |
| CoT Endpoint | Virtual/physical server, container | Linux, Windows |
| CoT Server | Virtual/physical server | Linux, Windows |
- Mobile: Simple and easy to use SDK
- Desktop/laptop/server: PKCS#11, Java (JCE), Microsoft CNG, OpenSSL
- Full Suite B support
- Asymmetric: RSA (2048, 3072, 4096), Elliptic Curve Cryptography with P-256, P-384 and P-521 curves
- Symmetric: AES (128, 256)
- Hash/HMAC: SHA-256, SHA-384
- Additional modules: Secure password verification using PIN/Native biometrics, Post-Quantum Crypto (PQC), cryptocurrency and blockchain, generic secrets
Endpoint Additional Authentication
- Device-native fingerprint
- Face Recognition
- PIN, password
Leverage On-Device Secure Hardware for Additional Protection
- Mobile: iOS secure element, Android TEE
- Desktop/laptop/server: TPM, TXT, SGX
- Active/Active and Active/Passive modes (with external load balancer)
Management and Administration
- Command Line Interface (CLI)
- Management REST API
- Full multi-tenancy support with cryptographically isolated domains
- Common Criteria (in process)
- Cryptographically isolated domains: up to 10,000
- Maximum total endpoints for all tenants cumulatively: up to 250,000,000
- Keys: bound by disk space only
- Capacity in transactions per second (TPS) for sample configurations:

| | Basic Unit | Sample ‘S’ Cluster | Sample ‘M’ Cluster | Sample ‘L’ Cluster |
| --- | --- | --- | --- | --- |
| Configuration | 1 pair of servers, 1 core per server | 1 pair of servers, 2 cores per server | 2 pairs of servers, 4 cores per server | 4 pairs of servers, 8 cores per server |
| AES-GCM 128 single block (TPS) | 200 | 400 | 1600 | 6400 |

Capacity is derived from the number of CPU cores in the CoT server cluster. The basic CoT server unit is scaled by scaling up or scaling out, and scaling is fully linear, as illustrated in the sample clusters above.
Get an in-depth explanation of how Unbound uses MPC, a mathematically proven method to secure keys on any device.
HOW TO GO BEYOND BYOK WITH CYOK
Control Your Own Keys in the Cloud (CYOK) can ensure your sensitive assets remain secure even in the event of a breach.
UNBOUND KEY CONTROL
Learn how Unbound Key Control, the first secure-as-hardware key management system can protect your crypto keys anywhere.