
TRANSEC

Advanced Overview

2008 VT iDirect, Inc.

TRANSEC Operation

iDirect ACC and DCC Encryption Channels


Operational Encryption
Public Key Infrastructure
Acquisition & Authentication
Acquisition Obfuscation
Key Rolls
Handling Security Compromises

Encryption Channels

Acquisition Ciphertext Channel (ACC)
  Only used during Acquisition and Authentication
  Based on ACC key using AES 256 CBC symmetric encryption
  Key is initially distributed to the remote manually, then updated over the air in operation
  Key is rolled every 28 days by default. Key is stored if the power is turned off. Remote must manually rekey if it is out of network for two key rolls.

Data Ciphertext Channel (DCC)
  The DCC channel encrypts all user data traffic with the DCC key using AES 256 CBC symmetric encryption
  Masks activity with random blocks of data when remotes have no data to send ("Wall of Data")
  Key is updated over the air every 8 hours by default. Not stored if power is cycled.

Operational Encryption

[Figure: Wall of Data. Labels: Hub System, TRANSEC Hub, Protocol Processor, IP encryptor, WAN, Evolution e8000 Series Remotes, ACC key, DCC key, KR, IV, TOS, SADA, Demand Header, DID]

Public Key Infrastructure (PKI)

Host private keys/public keys
  Asymmetric cryptography
  Each host has a set of self-generated private and public keys used for certificate exchange and verification
  2048-bit private/public keys (RSA)
  These keys protect all network key exchanges

Each network element has an X.509 certificate
  A certificate is a document that connects a public key to an identity
  Used to authenticate remotes and build a chain of trust
  Certificates are issued by iDirect CA

Public Key Infrastructure (PKI)

[Figure: Strong Authentication. Labels: Wall of Data, Hub System, TRANSEC Hub, Protocol Processor, IP encryptor, WAN, Evolution e8000 Series Remotes, X.509 Certificate (DID #456789, Public Key, Signature), ACC key, DCC key, KR, IV, TOS, SADA, Demand Header, DID]

TRANSEC Network Acquisition

When and only when a remote is out of network, the hub periodically invites it to acquire on the ACC channel.
An out-of-network remote immediately responds to this invitation on the ACC with an "ACQ Burst" from which the hub calculates the timing, power and frequency offsets the remote must apply to successfully join the network.
The hub and remote authenticate across the ACC using X.509 Certificate Exchange.
Current ACC and DCC keys are encrypted using the remote's public key (PKI) and distributed to each remote.

Acquisition and Authentication

[Figure: Acquisition and Authentication. Labels: TRANSEC Hub, Protocol Processor, Evolution e8000 Series Remotes, X.509 Certificate (DID #456789, Public Key, Signature), X.509 Certificate (DID #123456, Public Key, Signature), ACC key, DCC key]

ACQ Obfuscation

To mask the actual acquisition activity, the hub will:
  Issue dummy invitations to remotes already in network, so that it appears there is always some acquisition activity. Remotes in network will always burst in response to dummy invitations.
  Deliberately not issue invitations for some slots, so the ACQ channel never appears full.
  Issue normal invitations, in which some remotes will burst and others will not.

Frequency, timing and power of dummy bursts will vary to hide usage patterns.

Key Rolls

Changing encryption keys periodically helps prevent attackers from deriving keys from captured data (cryptanalysis)
iDirect TRANSEC makes the rolling period configurable
ACC key must be manually distributed the first time or if a remote is out of network for 2 ACC key rolls

[Figure: Key Distribution Protocol. Labels: Peer 1, Peer 2, Mutual Trust Established, Key Distribution Complete]

Global Key Distributor

Global Key Distributor (GKD)
  GKD distributes ACC key among one or more networks
  Allows roaming remotes to acquire into all networks

Multiple GKDs can be configured for redundancy
  Within an individual hub
  Between multiple hubs

Handling Security Compromises

Zeroization is a process for removing all Critical Security Parameters (CSPs) from a network element.
  Network configuration
  DCC and ACC keys
  Public/private key pair

Certificate revocation adds a certificate to the CRL, breaking trust between an entity and the rest of the network.
  Network acquisition fails
  Key distribution ceases to work

Operator-triggered key rolls, in combination with certificate revocation, prevent network elements from decoding data.
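
Added example (not part of the original slides and not iDirect code): a toy Python model of why revocation and an operator-triggered key roll are used together when a remote is compromised. The `Hub` class, its method names, and the use of random bytes in place of real AES-256 keys and X.509 checks are assumptions made for illustration; the DIDs are sample values.

```python
import secrets


class Hub:
    """Toy model of hub-side DCC key distribution (hypothetical names)."""

    def __init__(self, remote_ids):
        self.crl = set()                              # DIDs whose certificates are revoked
        self.held = {did: None for did in remote_ids}  # DID -> DCC key the remote holds
        self.dcc_key = None
        self.roll_keys()                              # initial distribution

    def revoke(self, did):
        """Add the remote's certificate to the CRL. Its stored key is untouched."""
        self.crl.add(did)

    def roll_keys(self):
        """Generate a new DCC key and distribute it to every remote still trusted."""
        self.dcc_key = secrets.token_bytes(32)        # stands in for an AES-256 key
        for did in self.held:
            if did not in self.crl:                   # key distribution fails once revoked
                self.held[did] = self.dcc_key

    def can_decode(self, did):
        """A remote decodes traffic only while it holds the current DCC key."""
        return self.held[did] == self.dcc_key


def scenario(revoke, roll, compromised="456789", healthy="123456"):
    """Return (compromised_can_decode, healthy_can_decode) after the response."""
    hub = Hub([compromised, healthy])
    if revoke:
        hub.revoke(compromised)
    if roll:
        hub.roll_keys()
    return hub.can_decode(compromised), hub.can_decode(healthy)


if __name__ == "__main__":
    for revoke, roll in [(True, False), (False, True), (True, True)]:
        print(f"revoke={revoke} roll={roll} ->", scenario(revoke, roll))
```

Revocation alone leaves the compromised remote holding the current key, and a key roll alone hands it the new one; only the combination cuts it off while the healthy remote keeps decoding.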

THANK YOU