Nymity News

Interview with Alex Chartier

October 2007

 

 

Interviewee: Alex Chartier, General Manager, Admiral Secure Products Ltd.

 


Subject: "Closed Loop" Fax Security

 

 

Question: What is "Closed-Loop" Faxing?

 

Chartier:  Closed-Loop faxing is a term used to describe a community of fax users who generally only fax amongst themselves. This community might be a company, a government agency, or a common interest organization (such as the HR departments of a multinational, or the World Health Organization). A good example of this would be the Canada Revenue Agency, which faxes taxpayer information between CRA offices.

 

Question: What are some faxing security issues in closed-loop faxing?

 

Chartier:  The most common security issue is what we call Inadvertent Disclosure. Faxes arrive at a destination fax machine and sit in the receive tray visible to anyone who happens to pass by. It is human nature to take a look to see if the received fax might be for them, and who can resist taking a quick look at the contents?

 

The second most common security issue we call Misdirection. Misdirection occurs when someone types in the wrong fax number or hits the wrong speed dial button. The fax is sent to the wrong recipient fax machine. The result of Misdirection is disclosure of the fax information. In closed-loop faxing the disclosure might not have as big an exposure as it might in open faxing since the disclosure is contained within the community of interest; nonetheless it has been disclosed to potentially unauthorized parties.

 

The third most common security issue, and one that most people don’t consider, we call Impersonation or Identity theft. With access to the Internet and document composition software such as Microsoft Word, anyone can collect artwork from company web-sites and create a document that appears to be the real deal. Does anyone ever question the authenticity of a document they receive by fax? Felons have been released from jail as a result of fraudulent fax documents.

 

We would be remiss if we didn’t touch on Active Interception, the classic wire tapping of spies. It is unlikely that you would be attacked in this manner unless the information being faxed is of extreme sensitivity or could prove to be very financially rewarding, but we should point out that intercepting fax transmissions is a trivial task. If your fax information falls into either of these categories perhaps it is worth considering.

 

Question: What fax security solutions are available?

 

Chartier:  There are both procedural and technological techniques to combat these issues. One of the simplest measures to take is to place the fax machine in a locked office where only authorized personnel can gain access; a mailroom with a dedicated fax operator perhaps.

 

Dedicated fax operators generally make fewer dialing mistakes than casual operators. Fax machines should be labeled with instructions to verify the number dialed before pressing the Send button. Recipients should always follow up with a telephone call to confirm fax authenticity for faxes that require action which could be detrimental if it turned out to be fraudulent.

 

From a technology point of view there are a number of options. In closed-loop faxing it is possible to configure your telephone PBX systems to allow only fax phone numbers within the group; some PBX systems offer the option of prompting for a passcode prior to allowing the fax to be transmitted; and some fax machines provide faxmail options to store incoming faxes and demand a password before printing.

 

At the high end you might consider PKI-Based encryption technology: devices that front-end each fax machine and provide cryptographically strong authentication and encryption of all faxes transmitted within the closed-loop. These technologies virtually eliminate the security issues discussed above.

 

Question: How does PKI based encryption fax security work? What are the advantages?

 

Chartier:  PKI Based encryption devices use government grade cryptographic algorithms to perform authentication to ensure fax communications are authorized within the closed-loop. User authentication ensures that only authorized users can transmit faxes and to which recipient fax machines. Secure mailbox storage retains the received fax images until the authorized recipient enters their unique user ID and PIN before the fax is printed. Encryption between the devices protects against the unlikely but possible threat of interception.

 

PKI Based devices provide the highest level of protection against Inadvertent Disclosure, Misdirection, Impersonation and Active Interception. As a reference point the banking industry uses PKI technology to connect bank machines to their private networks.

 

Question: In closing, how could our subscribers learn more about PKI based fax encryption security?

 

Chartier:  The following PKI definition can be found on the Wikipedia definitions web-site:

 

In cryptography, a public key infrastructure (PKI) is an arrangement that binds the public keys with the respective user identities by means of a certificate authority (CA). The user identity must be unique for each CA. This is carried out by software at the CA. For each user the user identity, the public key, their binding, validity conditions and other attributes are made unforgeable in the public key certificate. Elliptic curve cryptography (ECC) is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields.

 

Admiral Secure Products Ltd utilizes the Certicom Security Builder library and the Elliptic Curve Cryptosystem (ECC) for all of its PKI certificate generation, verification and key management functions. ECC has been standardized by international standards bodies. Relevant standards are:

 

ANSI X9.62 Elliptic Curve Digital Signature Algorithm
ANSI X9.63 Elliptic Curve Key Agreement and Key Transport
IEEE P1363 Standard Specifications for Public Key Cryptography

 

ECC is extremely well suited for real time fax encryption due to the very tight timing windows in the fax protocol. The following segment is taken from the Certicom cryptography FAQ which can be found at: http://www.certicom.com/index.php?action=res,ecc_faq

 

ECC devices require less storage, less power, less memory, and less bandwidth than other systems. This allows you to implement cryptography in platforms that are constrained, such as wireless devices, handheld computers, smart cards, and thin-clients. It also provides a big win in situations where efficiency is important.

 

Subscribers can learn more about PKI based fax encryption by visiting the Admiral Secure Products web-site at http://www.admiralsecure.com/sc5000.htm under the Industry Standard Cryptography section.


For More Information
 

To learn more about Neotel visit www.neotel.ca

 

 

Sales@neotel.ca

(905) 948-9229

 

 

 
