View
845
Download
2
Tags:
Embed Size (px)
DESCRIPTION
SlingSecure is the most secure encrypted messaging provider for Blackberry & Android mobile devices on the market. SlingSecure secure messaging was designed specifically for encrypting mobile-to-mobile, mobile-to-landline communication via Blackberry / Android smartphones. Our multiple security features and protocols ensure safe, anonymous and highly secure transmission between Blackberry & Android devices for users who may deal with sensitive information and anyone who wants their peace of mind. Features: Blackberry to Android Encryption Mobile to Landline Encryption Landline to Landline Encryption Private SMS Encryption Email Encryption Blackberry to Android. Visit us today at www.slingsecure.com
Citation preview
Problem solving approach for secure network convergence
Problem ✓ Operators do not give direct IP connection between devices on different networks ✓ Main limitations are
• Private IP address • “Rolling” IP address for mobile • NAT • Firewalling, etc.
✓ User identity and activity log cannot be hidden (e.g. for VIP closed User Group)
✓ Standard SIP protocol not designed for mobile networks ✓ Need to interconnect system/devices with different or legacy transport protocols (e.g. proprietary systems)
VoIP Server
Mobile Terminal 2 Mobile
Terminal 1
VoIP Server
VoIP Server
Solu%on ✓ Interconnection for secure voice & data communication between
• IP devices • 3G - 4G & LTE mobile • PSTN • 2G mobile
✓ Pass-Through End-to-end Communication
✓ SlingSecure Network allows • Independent communication and signaling
management • Closed user group in mixed mobile and fixed
environment • Encrypted call signaling • Protocol conversion and adaptation when required
Problem solving approach for secure network convergence
End-To-End Full Duplex
Secure Signaling
XServ Module
XServ Module
XServ Module
Authen:ca:on and Key Management
User DB PSTN to IP
IP Device PSTN Device
X Serv Interconnection for secure voice & data communication between IP devices
SlingSecure SlingSecure Network allows protocol conversion and adaptation when required (e.g. PSTN to IP)
Terminals Devices connected to X Serv • Mobile 2G/3G/4G/LTE/WiFi • PSTN devices
XServ Module
XServ Module
XServ Module
Authen:ca:on and Key Management
IP Device
User DB
PSTN Device
PSTN to IP
✓ End-to-end Secure Communication ✓ Encrypted call signaling ✓ HW authentication ✓ Key Management ✓ Pass trough data channels ✓ Mobile IP Follower ✓ Mobile Carrier NAT/Firewall bypass (No STUN server required) ✓ Cluster based, scalable architecture
Cross Network Communica%on Server
XServ
User DB
XServ Module
Authen:ca:on and Key Management
User B
User A
XServ Module
XServ Module
SlingSecure Network
End-To-End Full Duplex
Secure Channels
XServ Management
• WEB Based (HTTPS) Interface • Local Access
– Strong Authentication based on • USB Secure Token • Smart Card
• Remote – Strong Authentication based on
• PKI • Symmetrical Keys (OTP)
XServ
USEpro Device
XServ Mul%ple Organiza%ons
XServ (A) XServ (B)
Organiza:on (A) Organiza:on (B)
USR 1 USR 2
User DB (A) User DB (B)
USR 3 USR 4
USR N
Authen:ca:on and Key Management (A)
Authen:ca:on and Key Management (B)
Inter-‐Force Key
USR 1
USR 2
USR 3 USR 4
USR N
Account (A)
Account (B)
Inter-‐Force Key
Multiple communication interfaces embedded into a flexible platform designed to deliver interconnection and security
✓ Physical conversion between heterogeneous channels (e.g. PSTN to IP)
✓ Logical adaptation between different protocols
✓ Multi-core, real time signal processing
✓ Hardware Encryption on demand SlingSecure Gateway
Communica%on Gateway
Fully Customizable
SD Storage
USB Host USB Device
Ethernet
Phone, Line & Modems
UMTS EDGE
GSM SlingSecure
Gateway
SlingSecure Network allows both mobile and fixed devices to be interconnected and perform secure voice and data communications ✓ Mobile 3G/4G/LTE ✓ Mobile 2G ✓ WiFi ready terminals ✓ PSTN Devices • Telephone • Fax • Modems
Devices connected to XServ
2G/3G/WiFi
Telephone
Fax
2.75G/3G WiFi
2G
Available platforms ✓ Full Custom ✓ Semi Custom ✓ COTS (e.g. Motorola, Nokia, HTC HW)
SlingSecure Secure Phone Stack
microSE
Authentication and Encryption
Hardware
mSE
Clear Dialer Crypto Dialer
Contacts Crypto Contacts
SMS Crypto SMS
Libraries
Call List Crypto Call List
Telephony API Crypto Protocols
Crypto Engine (xSE based)
OS Independent Wrapper
(Audio, keypad, PM, Modem, etc. )
Graphic Libs (QT, ...)
Applica:on Layer
Fully Customizable
Applications & Libraries
for Secure Mobile Communication
Software
Secure Phone Stack (SPS)
ASIC
NAND Flash
SPI o BUS
All the xSE features in a MicroSD
✓ HW crypto engine ✓ Standard and custom algorithms ✓ SD card interface (up to 450Mb/s) ✓ Integrated memory (up to 4 GB) ✓ Internal keys database ✓ Suitable for Mobile Applications
mSE
m S E Ambiente Micro Seguro
SlingSecure range consists in 4 kinds of mobile platforms according to the required security level
SlingSecure Mobile PlaDorms
Software Secure Application
Software Secure Phone Stack
COTS terminals
microSD on COTS
Terminals
Hardware Security
Software Security
C D
B A
Software secure application on COTS
terminals with microSD (eg. Nokia, Windows
Mobile, etc.)
Software secure application on COTS terminals (eg. Nokia,
Windows Mobile, Android, etc.)
Software secure phone stack (OS and
applications) on COTS terminals (eg.
Motorola)
Software secure phone stack on COTS
terminals with microSD (eg. Android)
Secure Voice Call Flow
To launch the application and access to the secure dialer user must insert authentication password
Secure Dialer Access
Incoming/Outcoming Secure Voice Call
Nego%a%on
Secure Voice Call
Symmetrical communication key is negotiated between the caller and the called user when secure voice call is set up or an incoming secure call is answered Before starting the secure voice call the following elements are also negotiated by the devices • Encryption/Decryption algorithm (multiple algorithm selection available) • Vocoder type, mode and rate • Secondary keys (e.g. used for sms)
Secure voice call starts after negotiation phase successful completion
Authen%ca%on
Nego%a%on
Voice
User Authentication • User is asked to insert a password whenever the Secure Voice Application is launched • Password can be asked only once or several times according to the user preferences • Password can be changed at any time by the user • Password is used to access the application and the key repository
Authen%ca%on
Key Repository
User Password
Hashed Password
Sha 256
Stored on the mobile phone
Comparator
Start Secure Dialer
Keys are encrypted by means of a key derived by the User Password
OK
Key Repository Two key secure repositories are stored on the mobile terminal (or on microSD)
• Manual Keys repository • KMS - Key Management Server - Keys repository
Key secure repositories contain symmetrical pre-shared keys to be used standalone or combined with other secrets to encrypt/decrypt communications (voice calls, sms, messaging, etc.).
• Manual Keys • Can be added, deleted or modified directly by the User using the Secure Voice
Application menu • Can be enabled according to the user preferences and/or KMS (Key Management
Server) policies, if applicable
• KMS - Key Management Server - Keys • Can be generated only by the KMS • Can be added remotely (e.g. via sms) by the KMS • Cannot be cancelled or modified by the user
Keys Security Main fields
• KeyID (clear) • Key Value (encrypted)
Secondary fields • expiration date (encrypted) • usage (encrypted) • label (clear)
• RND key is generated at keys Repository creation time • RND key is encrypted and stored on the mobile phone • Encrypted RND key is used in combination with the User Password to extract a key value from the encrypted keys Repository • When the cryptographic microSD card is present Keys are sent encrypted in the microSD card • Encrypted RND key is stored in the microSD • Keys are decrypted and used inside the microSD
Keys are encrypted by means of a key derived by the User Password
Encrypted RND Key AES 256
Key ID (4 bytes)
IN
Encrypted Key Value (16 Bytes)
OUT
Clear Key Value (16 Bytes)
AES 256
SHA 256
Out In Key
User Password
Key
All the opera:on in the green area are performed in the microSD, if present
microSD
Voice Call Key nego%a%on
Symmetric keys used to encrypt/decrypt communications can be created in three different ways
1) Pre-Shared keys • two lists of pre-shared keys are available:
• manual • KMS generated
• One of the pre-shared keys the caller and the called user have in common, is selected at negotiation time to encrypt/decrypt the voice call 2) DH Diffie Hellman - Standard or Elliptic Curves based • A symmetrical session key is negotiated at call time • Standard DH version based on 4096 bit keys • Elliptic Curves DH version is based on 571 bit keys, Koblitz GF(2m) configuration • The final Session key is the hash of DH result
3) A combination of the first two modes • The final Session key is a combination of the two previous keys: SHA256(DH | SK)
Note: A Family Key can be added to all the previous mechanisms in order to create (sub)groups
Man in the middle
To detect a potential man-in-the-middle attack two numerical authentication codes are generated from the SHA256 of the negotiated encryption key Codes appear on the device screen during the call At the start of the communication users should check such codes each other by voice
MATCHing codes = NO INTRUDER interfering with the call codes DO NOT MATCH = man in the middle ATTACK IN ACTION
Secure Voice Call Path
MIC
ADC Voc Mod
DAC Voc Dem
ANT
SPK
Enc
Dec
MIC
ADC Voc Mod
DAC Voc Dem
ANT
SPK
Enc
Dec
CLEAR CLEAR CRYPTO CRYPTO CRYPTO CRYPTO CRYPTO CRYPTO CLEAR CLEAR
SECURE CHANNEL
Symmetric Communication Key
Baseband Domain Application Domain Application Domain
• Access to microphone and speaker using the OS APIs • Get 8KHz/16bit (128Kbit/s) Audio Samples from Mic • Put 8KHz/16bit (128Kbit/s) Audio Samples to Speakers
• Compression of Audio Samples to a GSM/UMTS suitable rate using standard or custom Vocoders • Encoding of microphone audio samples (from 128Kbit/s to ~5Kbit/s) • Decoding of speaker audio samples (from ~5Kbit/s to 128Kbit/s) • The vocoder can be exposed by the operating system or written in native language
• Voice Encryption/Decryption • Encryption of encoded microphone audio samples • Decryption of encoded speaker audio samples • Cryptographic operations are performed by a dedicated HW or SW module
Applica%on Voice Processing
Voice Processing Components
Get Audio Samples
Application
Libraries
Drivers
Hardware
Audio Samples Encoding
Encoded Audio Samples Encryption
Audio Libraries
Audio Drivers
Audio Codec and Microphone
SlingSecure provided
Operating System (e.g. by phone manufacturer)
Standard or Custom Vocoders Crypto Library
Cryptographic MicroSD
MicroSD/Mass Storage Drivers
Only for HW Crypto Engine
(e.g. microSD)
Send Data
Telephony API
Baseband COM
Baseband Processor
* This diagram describes only the voice path from the microphone to the radio transmission
SlingSecure Gateway
XServ
IP Network
SlingSecure Gateway
FAX G3
Telephone
3G Mobile
WiFi Mobile
WiFi Pipe
SlingSecure Network
IP
IP
IP
IP
Secure Network Convergence -‐ Case 1
Secure Voice over IP (2.5G, 2.75G, 3G, 3.5G, 4G, LTE, WiFi) • Encrypted Signaling managed by XServ Pipecom Server
• Encrypted End-To-End voice packets managed by the IP Terminals (HW encryption)
X Serv VoIP Device 2
Encrypted voice packets over End-‐To-‐End
pass through Channel
VoIP Device 1 Encrypted
Signaling Encrypted Signaling
BlackBerry communication services • Secure Voice over IP • Secure eMail
• Secure Messenger Complete scalable system allowing integrators and operators to deliver secure voice, messaging and email services over the BlackBerry platform using End-To-End HW based encryption.
Security
HW token to guarantee high speed and strong security (2048 bit key length or higher) Proprietary service server Independent Secure Client architecture
X Serv
Encrypted Signaling
Encrypted Signaling
End-‐To-‐End HW Encryp:on
Available 4Q 2010
System Elements: • Analog Telephone • SlingSecure Gateway to convert PSTN to
IP • 2.5G/3G/4G/LTE Mobile Phone (including
mSE) Secure Voice Call between standard PSTN telephones and Mobile phones
Hardware Encryption performed by • SlingSecure Gateway on PSTN side • mSE on Mobile Phone side • Custom encryption algorithm (optional)
Land-‐Line to Mobile
XServ
Encrypted Signaling
Encrypted Signaling
Telephone
End-To-End HW Encryption
Mobile
SlingSecure Gateway
System Elements: • Standard G3 FAX • SlingSecure Gateway to convert PSTN to IP
Secure Data Call between standard PSTN FAX
Hardware Encryption performed by the SlingSecure Gateway
• Custom Encryption Algorithm
Two FAX mode settings: • Direct Line • Store and Forward
Secure Fax over IP
XServ
Encrypted Signaling
Encrypted Signaling
End-To-End HW Encryption
SlingSecure Gateway
Standard G3 FAX
SlingSecure Gateway
Standard G3 FAX
Satellite Worldwide Connec%on
Internet
Portable System
Car System
Satellite
WiFi
WiFi
Sat Link
VoIP Server
IP ove
r Sat
Ground Station
Marine System
CSD Proxy
VoIP Server
IP Network GSM Area - CSD (No UMTS, No IP)
Secure Gateway
GSM -‐ CSD
IP
ZONE 1
ZONE 2
CSD to IP Conversion
CSD Proxy
Secure Conference Call
SlingSecure Gateway
XServ
IP Network
Telephone
3G Mobile WiFi Mobile
3G Pipe
SlingSecure Network
IP
IP IP
Secure Media Conference
IP
Temporary Keys Unique Conference Number
Customiza%ons (I) Customization level & criteria are selected according to the mobile platform Customization should be performed by the customer independently and without any knowledge or interference from SlingSecure
Mobile terminals without cryptographic microSD • As the cryptographic library is an external module written in C/C++, customer can modify or add methods starting from a functional template provided by SlingSecure • Customer can compile and overload the cryptographic library independently • A simulation environment is provided together with required HW and SW tools
C++ Wrapper
ANSI C functions
AES DH EC
RNG KEY Mng
Custom
Custom
Compila:o
n
Simula:
on
Overlo
ading
Ansi C Function
Cross Compiled
Testing Loop
Customize
Customiza%ons (II) Customization options for or microSD based mobile platforms
1) Smart Card based microSD (standard solution) • Custom combination of standard algorithms can be implemented • Cryptographic functions are exported as java card libraries • SlingSecure can provide the basic applet and support to add/overload internal custom functions on “open” smart card based microSD provided by the Customer
2) Custom microSD (available on request) • Micro controller based microSD card for deeper algorithm customizations - SlingSecure provided • Same approach as for software library with ANSI C code executed inside the microSD
3) Software Library • Custom algorithms are implemented as software library • Basic cryptographic operations are kept inside smart card based or micro controller based microSD
File Server Authen%ca%on ✓ User Authentication to access Dmz File Server ✓ Radius-Tacacs + Ldap verifies user account and policies by the domain controller ✓ The domain server grants the authentication for the workstations to access Dmz File Server
Keys and Cer%ficates (I)
✓ User groups in different VLAN are managed by dedicated switches ✓ Traffic policies managed by the security gateway ✓ Access managed by means of • Secure Token (EAL5+ smartcard based) or • Symmetric Key based OTP device or • Certificates
USEpro Device
Cer:ficates
Remote Management over VPN
✓ VPN managed by Clavister products • SG 3000 • SG 4000 ✓ QoS and Bandwidth Management
SlingSecure products are backed up by the support of the engineering and design team for ü Cost effectiveness ü Smooth system integration ü Timely solution delivery
The high level service & support for all SlingSecure View products allows the Customer to reach the desired result with the best cost to performance ratio
SlingSecure International [email protected]