Security concept of the OpenBSD operating system
The SEPPmail Secure E-Mail Gateway further hardens OpenBSD, an operating system already regarded as very secure, by means of a "bottom-up" procedure: all unnecessary libraries were removed and only the functions the appliance actually needs were retained.
The solution is delivered as "real" firmware: an update replaces the entire system image rather than individual packages. Each release is therefore testable and reproducible as a whole.
(see also www.openbsd.org/papers/asiabsdcon2015-pie-slides.pdf)
Core application security concept
The appliance is an encapsulated application. All external interfaces are kept as simple as possible, and only those interfaces which are absolutely necessary have been implemented. Including all associated applications, the firmware has a size of less than 200 MB.
Security concept GINA web interface
The web interface is intentionally kept very simple and provides only the functions that are absolutely necessary but sufficient. All on-board resources were used to secure the web server, for example to ward off "denial of service" (DoS) attacks. Furthermore, only precisely predefined data fields are accepted as input; any other field is rejected. Each accepted field is checked for validity on delivery, before it is processed. This prevents the injection of harmful code. The hardened, encapsulated web server runs as an unprivileged user.
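The allow-list approach described above (a closed set of predefined fields, each checked on delivery, everything else rejected) can be illustrated with a small validator. This is an added example and not SEPPmail's own code; the form fields (email, password, lang), their limits and the error names are assumptions for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"unicode"
)

// fieldSpec describes one predefined input field: whether it must be
// present, its maximum length and a validity check for its value.
type fieldSpec struct {
	required bool
	maxLen   int
	valid    func(string) bool
}

// Anchored pattern: the whole value must be an address, so a value that
// carries a line break (e.g. an injected mail header) cannot match.
var emailRe = regexp.MustCompile(`^[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}$`)

// isPrintable rejects control characters (CR, LF, NUL, ...) so that a
// value can never smuggle header or script fragments through.
func isPrintable(s string) bool {
	for _, r := range s {
		if !unicode.IsPrint(r) {
			return false
		}
	}
	return true
}

// allowedFields is the complete, closed list of fields the hypothetical
// registration form accepts; anything else is rejected outright.
var allowedFields = map[string]fieldSpec{
	"email":    {required: true, maxLen: 254, valid: emailRe.MatchString},
	"password": {required: true, maxLen: 128, valid: func(s string) bool { return len(s) >= 12 && isPrintable(s) }},
	"lang":     {required: false, maxLen: 2, valid: func(s string) bool { return s == "de" || s == "en" || s == "fr" }},
}

var (
	ErrUnknownField = errors.New("unknown field")
	ErrInvalidField = errors.New("invalid field value")
	ErrMissingField = errors.New("missing required field")
)

// ValidateForm checks a submitted form against allowedFields and returns
// the first violation; nil means every field is known, present where
// required, within its length limit and valid.
func ValidateForm(form map[string]string) error {
	// Unknown fields are rejected before any value is looked at.
	for name := range form {
		if _, ok := allowedFields[name]; !ok {
			return fmt.Errorf("%w: %q", ErrUnknownField, name)
		}
	}
	for name, spec := range allowedFields {
		v, present := form[name]
		if !present {
			if spec.required {
				return fmt.Errorf("%w: %q", ErrMissingField, name)
			}
			continue
		}
		if len(v) > spec.maxLen || !spec.valid(v) {
			return fmt.Errorf("%w: %q", ErrInvalidField, name)
		}
	}
	return nil
}

func main() {
	// Constructed sample submissions: one clean, one with an extra field.
	ok := map[string]string{"email": "alice@example.com", "password": "correct horse battery", "lang": "de"}
	bad := map[string]string{"email": "alice@example.com", "password": "correct horse battery", "role": "admin"}
	fmt.Println(ValidateForm(ok), ValidateForm(bad))
}
```

The order matters: an unexpected field is refused before any value is parsed, so an attacker cannot reach the per-field checks with a field the form never declared, and the length limit is applied before the (regexp) validity check so oversized input is never handed to the matcher.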
Data protection
• CA key, private key, session key, GINA user key
  o The core machines are isolated in the DMZ so that no direct access from the outside is possible.
  o If it is desired or required that the PKI data be stored only in the intranet, the solution can be split. In this scenario, web access is provided by dedicated (GINA) satellite machines in the Internet DMZ that hold no data of their own.
  o As a rule, the security concept of the appliance, in combination with the available monitoring options (Samhain, audit log, SNMP etc.), makes an HSM unnecessary. If additional safeguarding of private keys is desired, an HSM (for example from Safenet or Thales) can be connected.
  o If desired, the system can be hardened according to PCI DSS (Payment Card Industry Data Security Standard). In this case, the entire system (disks and kernel) is additionally encrypted with AES-256 in XTS mode, using OpenBSD's softraid crypto with an encrypted boot disk.
    (see also www.openbsd.org/papers/eurobsdcon2015-softraid-boot.pdf)
• PIN/passwords
  o Passwords are used for the access of an external recipient to their GINA email and, behind that, to unlock the AES-256 key held on the appliance with which their email is decrypted. That key never leaves the well-protected SEPPmail Secure E-Mail Gateway; only the decrypted message is delivered to the recipient.
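The password model described in the last bullet (the recipient's password grants access to an AES-256 key that stays on the appliance, and only the decrypted mail leaves) can be shown as a small server-side flow. This is an added example and not SEPPmail's own code; the page does not describe how the key is protected internally, so the design here (a per-recipient data key wrapped under a password-derived KEK with PBKDF2-HMAC-SHA256 and AES-256-GCM, the iteration count, and the function names) is an assumption for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Assumed work factor for the illustration; tune for the target hardware.
const pbkdf2Iters = 200_000

// pbkdf2Sha256 is a minimal PBKDF2-HMAC-SHA256 for a single 32-byte output
// block (RFC 8018), written out here so the example is stdlib-only.
func pbkdf2Sha256(password, salt []byte, iters int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // block index 1, big-endian
	u := mac.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iters; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// Recipient is what the appliance stores for one external GINA user: a salt
// and the per-user AES-256 data key wrapped under the password-derived KEK.
// The plain data key is never stored and never exported.
type Recipient struct {
	Salt       []byte
	WrappedKey []byte // nonce || AES-256-GCM(KEK, dataKey)
}

// gcmSeal / gcmOpen: AES-256-GCM with a random 96-bit nonce prepended.
func gcmSeal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, nil)...), nil
}

func gcmOpen(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], nil)
}

// Enroll creates a recipient record: a fresh random 256-bit data key is
// wrapped under the KEK derived from the password. The data key is also
// returned so the appliance can encrypt mail for this recipient immediately;
// it is meant to live only in the appliance's process memory.
func Enroll(password string) (*Recipient, []byte, error) {
	salt := make([]byte, 16)
	dataKey := make([]byte, 32)
	if _, err := rand.Read(salt); err != nil {
		return nil, nil, err
	}
	if _, err := rand.Read(dataKey); err != nil {
		return nil, nil, err
	}
	wrapped, err := gcmSeal(pbkdf2Sha256([]byte(password), salt, pbkdf2Iters), dataKey)
	if err != nil {
		return nil, nil, err
	}
	return &Recipient{Salt: salt, WrappedKey: wrapped}, dataKey, nil
}

// EncryptMail encrypts a message under the recipient's data key on the appliance.
func EncryptMail(dataKey, message []byte) ([]byte, error) { return gcmSeal(dataKey, message) }

// OpenMail is the only path from password to plaintext: the password unwraps
// the data key inside the appliance, the mail is decrypted there, and only
// the plaintext (never the key) is handed back. A wrong password fails the
// GCM tag check on the wrapped key, so nothing is decrypted at all.
func OpenMail(r *Recipient, password string, sealedMail []byte) ([]byte, error) {
	dataKey, err := gcmOpen(pbkdf2Sha256([]byte(password), r.Salt, pbkdf2Iters), r.WrappedKey)
	if err != nil {
		return nil, errors.New("wrong password or corrupted key record")
	}
	return gcmOpen(dataKey, sealedMail)
}

func main() {
	rec, dk, _ := Enroll("correct horse battery staple")
	sealed, _ := EncryptMail(dk, []byte("constructed sample message")) // constructed input
	pt, err := OpenMail(rec, "correct horse battery staple", sealed)
	fmt.Printf("%s %v\n", pt, err)
	_, err = OpenMail(rec, "wrong password", sealed)
	fmt.Println(err)
}
```

Two properties of this layout are worth noting: the wrapped key is authenticated, so a wrong password is detected before any mail is touched, and rate limiting of OpenMail plus the PBKDF2 work factor are what protect a weak recipient password against online and offline guessing respectively.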
Certifications
The appliance can also be configured to operate in PCI DSS (Payment Card Industry Data Security Standard) compliant environments. Corresponding installations are already being used successfully by some customers. In October 2014, the system was audited for the first time.
From the manufacturer's point of view, it is currently questionable for various reasons whether and which "standardised" certifications are useful. The market for "security certifications" is growing rapidly and is becoming difficult to navigate. Some foreign companies also want to inspect the source code. We cannot grant such requests for security reasons.
Note: As of November 2024, SEPPmail Secure E-Mail Gateway is about to complete the Accelerated Security Certification (BSZ) of the German Federal Office for Information Security (BSI).
Current security vulnerabilities or exploits
SEPPmail reacts to known vulnerabilities or exploits, if the product is affected, within a very short time frame with a security update. This update is provided to all customers via the normal update mechanism.
Due to the components used and their hardening, however, the SEPPmail Secure E-Mail Gateway is not affected by most published vulnerabilities anyway. For instance, neither "Heartbleed" nor "POODLE" posed any danger to the solution.