IDirect TRANSEC - Advanced Overview

TRANSEC
Advanced Overview
2008 VT iDirect, Inc.
TRANSEC Operation
iDirect ACC and DCC Encryption Channels

Operational Encryption
Public Key Infrastructure
Acquisition & Authentication
Acquisition Obfuscation
Key Rolls
Handling Security Compromises
Encryption Channels
Acquisition Ciphertext Channel (ACC)
Only used during Acquisition and Authentication
Based on ACC key using AES 256 CBC symmetric encryption
Key is initially distributed to the remote manually then updated
over the air in operation
Key is rolled every 28 days by default. Key is stored if the power
is turned off. Remote must manually rekey if it is out of network
for two keyrolls.
Data Ciphertext Channel (DCC)

The DCC channel encrypts all user data traffic with the DCC key
using AES 256 CBC symmetric encryption
Masks activity with random blocks of data when remotes have no
data to send Wall of Data
Key is updated over the air every 8 hours by default. Not stored if
power is cycled.
Operational Encryption
Wall of Data
Hub System
XLM
XXLMXXLLMLX LLVLMXX
VMXXMM
XXXMVLL
KR
IV
VMXXMM
XXXMVLL
KR
IV
TOS
00110101101001 SADA
LLVLMXX
XLM
XXLMXXLLMLX
ACCkey
ACCkey
IPencryptor
DCCkey
DCCkey
IPencryptor
Evolution e8000
Series Remotes
$%^#$#%@^&&#
SADA
TOS
SADA
TOS
$%^#$#%@^&&#
Demand
Header DID
WAN
DCCkey
ProtocolProcessor
TRANSEC Hub
Evolution e8000
Series Remotes
IPencryptor
Public Key Infrastructure (PKI)
Host private keys/public keys

Asymmetric cryptography
Each host has a set of self generated private and public
keys used for certificate exchange and verification
2048 bit long private / public keys (RSA)
These keys protect all network key exchanges
Each network element has a X.509 certificate

A certificate is a document that connects a public key to
an identity
Used to authenticate remotes and build a chain of trust
Certificates are issued by iDirect CA
Public Key Infrastructure (PKI)
Wall of Data
Hub System
XLM
XXLMXXLLMLX LLVLMXX
VMXXMM
XXXMVLL
KR
IV
VMXXMM
XXXMVLL
KR
IV
TOS
00110101101001 SADA
LLVLMXX
XLM
XXLMXXLLMLX
X.509Certificate
IPencryptor
DID #456789
Public Key
DCCkey
Signature
$%^#$#%@^&&#
SADA
TOS
SADA
TOS
$%^#$#%@^&&#
ACCkey
Demand
Header DID
WAN
ProtocolProcessor
TRANSEC Hub
Strong
Authentication
ACCkey
DCCkey
IPencryptor
Evolution e8000
Series Remotes
TRANSEC Network Acquisition

When and only when a remote is out of network, the
hub periodically invites it to acquire on ACC channel.
An out-of-network remote immediately responds to this
invitation on the ACC with an "ACQ Burst" from which
the hub calculates the timing, power and frequency
offsets the remote must apply to successfully join the
network.
The hub and remote authenticate across the ACC
using X.509 Certificate Exchange
Current ACC and DCC keys are encrypted using the
remotes public key (PKI) and distributed to each
remote
Acquisition and Authentication
VMXXMM
XXXMVLL
X.509Certificate
ACCkey
DID #456789
Public Key
DCCkey
Signature
ACCkey
DCCkey
Evolution e8000
Series Remotes
ACCkey
DCCkey
ACCkey
X.509 Certificate
DID #123456
Public Key
ACCkey
DCCkey
Signature
DCCkey
ProtocolProcessor
TRANSEC Hub
Evolution e8000
Series Remotes
ACQ Obfuscation
To mask the actual acquisition activity, the hub will

Issue dummy invitations to remotes already in network, so that it appears there is always
some acquisition activity. Remotes in network will always burst in response to dummy
invitations.
Deliberately not issue invitations for some slots, so the ACQ channel never appears full.
Issue normal invitations, in which some remotes will burst and others will not.
Frequency, timing and power of dummy bursts will vary to hide

usage patterns
Key Rolls
Changing encryption keys
Peer 1
periodically helps prevent
attackers from deriving keys
from captured data
(cryptanalysis)
iDirect TRANSEC makes
rolling period configurable
ACC key must be manually
distributed the first time or if
a remote is out of network
for 2 ACC keyrolls
Key Distribution Protocol

Peer 2
Mutual Trust Established
Key Distribution Complete
Global Key Distributor
Global Key Distributor (GKD)

GKD distributes ACC key among one or more
networks
Allows roaming remotes to acquire into all networks
Multiple GKDs can be configured for redundancy

Within an individual hub
Between multiple hubs
Handling Security Compromises

Zeroization is a process for removing all Critical
Security Parameters (CSPs) from a network element.
Network configuration
DCC and ACC keys
Public/private key pair
Certificate revocation adds a certificate to the CRL,

breaking trust between an entity and the rest of the
network.
Network acquisition fails
Key distribution ceases to work
Operator-triggered key rolls, in combination with

certificate revocation prevents network elements from
decoding data.
THANK YOU

IDirect TRANSEC - Advanced Overview

Enviado por

Dados do documento

Direitos autorais

Formatos disponíveis

Compartilhar este documento

Compartilhar ou incorporar documento

Opções de compartilhamento

Você considera este documento útil?

Este conteúdo é inapropriado?

Direitos autorais:

Formatos disponíveis

IDirect TRANSEC - Advanced Overview

Enviado por

Direitos autorais:

Formatos disponíveis

TRANSEC

2008 VT iDirect, Inc.

iDirect ACC and DCC Encryption Channels

Data Ciphertext Channel (DCC)

Public Key Infrastructure (PKI)

Host private keys/public keys

Each network element has a X.509 certificate

Public Key Infrastructure (PKI)

TRANSEC Network Acquisition

Acquisition and Authentication

To mask the actual acquisition activity, the hub will

Frequency, timing and power of dummy bursts will vary to hide

Key Distribution Protocol

Mutual Trust Established

Key Distribution Complete

Global Key Distributor

Global Key Distributor (GKD)

Multiple GKDs can be configured for redundancy

Handling Security Compromises

Certificate revocation adds a certificate to the CRL,

Operator-triggered key rolls, in combination with

Você também pode gostar