iDirect TRANSEC - Basic Presentation
-
2008 VT iDirect, Inc.
TRANSEC BASIC
-
Security Tradeoffs
[Chart: Security versus Efficiency. Options plotted on the two axes: DVB-S2, iNFINITI TRANSEC, S2 TRANSEC CCM, S2 TRANSEC ACM, Anti-Jam/Low Prob of Detect, DVB-S2 w/AES, iNFINITI, iNFINITI w/AES]
-
What is TRANSEC?
Transmission security (TRANSEC) prevents an adversary from exploiting information available in a communications channel even without defeating encryption.
With only link encryption, an adversary can still answer questions like:
  What types of applications are active on the network?
  Who is talking to whom?
  Is the network or a particular remote site active now?
  Based on traffic analysis, what is the correlation between network activity and real-world activity?
  Is a particular remote site moving?
  Is there significant acquisition activity?
-
TRANSEC Goals
TRANSEC Requirement / Benefits
Mask Channel Activity: Prevents transmission activity from being used as an intelligence gathering mechanism
Control Channel Information: Detection of repetitive data streams unsuccessful
Hub and Remote Authentication and Validation: Ensures only authorized use of network resources
-
TRANSEC Goals: Mask Channel Activity
Transmission activity can be used as an intelligence gathering mechanism
  TDMA carriers are based on dynamic traffic bursts, so changing traffic volumes and the number of active senders can be detected
  DVB-S2 carriers send easily identifiable fill frames when there's no user data to send
These vulnerabilities allow adversaries to extrapolate information on the timing, location or scale of strategic activities
-
TRANSEC Goals: Mask Channel Activity
TRANSEC negates these risks by:
  Using Free Slot Allocation for TDMA bandwidth distribution
    Creates a constant wall of data regardless of traffic profiles
    Free slots preserve the bandwidth efficiencies of TDMA
    Empty bursts are indistinguishable from user data
  Creating fill frames with random data for underutilized DVB-S2 carriers
    Empty frames are indistinguishable from user data
  Obfuscating acquisition activity
    Creates traffic in the acquisition slot when no remotes are actually joining the network
    Suppresses acquisition slot bursts even when remotes are acquiring
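The traffic-analysis leak and the free-slot countermeasure described above, as an added simulation that is not part of the original presentation and not iDirect code. The frame geometry (16 slots of 64 bytes), the daily activity profile and the observer's fill-detection heuristic are constructed assumptions; link-encrypted user bursts are modelled as random bytes. A "zerofill" mode is included to show why the slides insist that empty bursts must be indistinguishable from user data: constant padding fills the channel but is trivially flagged.

```python
import os
import random
from statistics import pvariance

SLOTS_PER_FRAME = 16   # constructed frame geometry: 16 TDMA slots per frame
SLOT_BYTES = 64        # bytes carried by one burst


def user_burst(rng):
    """Stand-in for a link-encrypted user burst: ciphertext looks like random bytes."""
    return bytes(rng.getrandbits(8) for _ in range(SLOT_BYTES))


def build_frame(active_remotes, mode, rng):
    """One TDMA frame as a list of slots (None = slot left silent).

    "demand":   only remotes with data transmit; idle slots are silent
    "zerofill": every slot is allocated, idle ones padded with 0x00 bytes (naive fill)
    "transec":  every slot is allocated, idle ones carry random fill
                (free slot allocation producing a constant wall of data)
    """
    frame = []
    for slot in range(SLOTS_PER_FRAME):
        if slot < active_remotes:
            frame.append(user_burst(rng))
        elif mode == "demand":
            frame.append(None)
        elif mode == "zerofill":
            frame.append(bytes(SLOT_BYTES))
        elif mode == "transec":
            frame.append(os.urandom(SLOT_BYTES))
        else:
            raise ValueError("unknown mode: %s" % mode)
    return frame


def occupied_slots(frame):
    """Passive observer's simplest metric: how many slots carried a burst at all."""
    return sum(1 for s in frame if s is not None)


def looks_like_fill(burst):
    """Observer heuristic: ciphertext uses many distinct byte values, constant padding does not."""
    return len(set(burst)) <= 2


def estimated_user_bursts(frame):
    """Observer's estimate of real user bursts: occupied slots it cannot flag as fill."""
    return sum(1 for s in frame if s is not None and not looks_like_fill(s))


def occupancy_over_time(profile, mode, seed=1):
    """Occupied-slot count per frame for a sequence of active-remote counts."""
    rng = random.Random(seed)
    return [occupied_slots(build_frame(n, mode, rng)) for n in profile]


def estimate_over_time(profile, mode, seed=1):
    """Observer's per-frame estimate of user bursts; a flat series means nothing leaks."""
    rng = random.Random(seed)
    return [estimated_user_bursts(build_frame(n, mode, rng)) for n in profile]


# Constructed activity profile (active remotes per frame): quiet night, busy day, a late spike
PROFILE = [1, 1, 2, 9, 12, 14, 13, 6, 3, 15, 2, 1]

if __name__ == "__main__":
    for mode in ("demand", "zerofill", "transec"):
        est = estimate_over_time(PROFILE, mode)
        print("%-8s observer estimate per frame %s  variance %.2f" % (mode, est, pvariance(est)))
```

With demand-based allocation the observer's series reproduces the activity profile exactly; with zero fill the occupancy is flat but the fill heuristic recovers the profile anyway; only random fill in every slot leaves the observer with a constant 16 and zero variance.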
-
TRANSEC Goals: Control Channel Information
When only user data payloads are encrypted, a great deal of data is still available
  Both Layer 2 and Layer 3 packets have traffic engineering information (source, destination, priority, size) embedded in their headers
  Size and priority information can betray the type of application in use
  Source and destination tell an adversary who is talking and when
  Control information sent in the clear can reveal network activity levels
-
TRANSEC Goals: Control Channel Information
TRANSEC solves this by:
  Encrypting both payload and header information, even at Layer 2
  Independently encrypting network control information
  Changing encryption keys frequently
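The header-exposure problem and the whole-frame encryption remedy from the two slides above, as an added example that is not part of the original presentation and not iDirect code. The 11-byte header layout, the 128-byte uniform frame size, the sample traffic and the master key are constructed; the stream cipher (HMAC-SHA256 in counter mode) and the per-epoch key derivation are stand-ins for the AES link encryption and key update feature the slides mention, chosen only so the example runs with the standard library.

```python
import hashlib
import hmac
import os
import struct

HDR = struct.Struct(">4s4sBH")   # constructed L3-style header: src, dst, TOS/priority, length
FRAME_LEN = 128                  # uniform over-the-air size of a TRANSEC-style frame (constructed)
NONCE_LEN = 8
MASTER_KEY = b"constructed-master-key-for-demo-only"   # placeholder, not a real key


def session_key(master, epoch):
    """Per-epoch traffic key; advancing the epoch models frequent key changes."""
    return hmac.new(master, b"epoch:%d" % epoch, hashlib.sha256).digest()


def keystream(key, nonce, n):
    """Counter-mode keystream from HMAC-SHA256 (stand-in for an AES keystream)."""
    blocks = [hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
              for ctr in range((n + 31) // 32)]
    return b"".join(blocks)[:n]


def encrypt(key, nonce, data):
    """XOR with the keystream; the same call decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def payload_only_frame(key, src, dst, tos, payload):
    """Link encryption of the payload only: the header travels in the clear."""
    nonce = os.urandom(NONCE_LEN)
    return HDR.pack(src, dst, tos, len(payload)) + nonce + encrypt(key, nonce, payload)


def transec_frame(key, src, dst, tos, payload):
    """Encrypt header and payload together and pad to a fixed size with random bytes,
    so a listener sees neither addresses, priority nor true packet length."""
    body = HDR.pack(src, dst, tos, len(payload)) + payload
    if len(body) > FRAME_LEN - NONCE_LEN:
        raise ValueError("payload too large for one frame")
    body += os.urandom(FRAME_LEN - NONCE_LEN - len(body))   # random padding, never zeros
    nonce = os.urandom(NONCE_LEN)
    return nonce + encrypt(key, nonce, body)


def decrypt_transec(key, frame):
    """Receiver side: recover header fields and the exact payload from a TRANSEC-style frame."""
    plain = encrypt(key, frame[:NONCE_LEN], frame[NONCE_LEN:])
    src, dst, tos, length = HDR.unpack_from(plain)
    return {"src": src, "dst": dst, "tos": tos, "payload": plain[HDR.size:HDR.size + length]}


def observer_clear_metadata(frames):
    """What a listener extracts by parsing the leading bytes of payload-only frames as a header."""
    return [HDR.unpack_from(f) for f in frames]


def observer_lengths(frames):
    """Distinct on-air sizes seen by a listener; one value means size leaks nothing."""
    return sorted({len(f) for f in frames})


def header_visible(frame, src, dst, tos, payload):
    """True if the cleartext header bytes occur anywhere in the frame."""
    return HDR.pack(src, dst, tos, len(payload)) in frame


# Constructed sample traffic: (src, dst, TOS, payload)
TRAFFIC = [
    (b"\x0a\x00\x00\x05", b"\x0a\x00\x01\x01", 0x2e, b"RTP voice sample"),
    (b"\x0a\x00\x00\x07", b"\x0a\x00\x01\x01", 0x00, b"GET /status HTTP/1.1\r\n\r\n"),
]

if __name__ == "__main__":
    key = session_key(MASTER_KEY, 1)
    clear = [payload_only_frame(key, *t) for t in TRAFFIC]
    print("payload-only: listener sees", observer_clear_metadata(clear), observer_lengths(clear))
    sealed = [transec_frame(key, *t) for t in TRAFFIC]
    print("whole-frame:  listener sees only sizes", observer_lengths(sealed))
    print("receiver decrypts:", decrypt_transec(key, sealed[0]))
```

In the payload-only case the listener reads source, destination, TOS (0x2e marks the voice flow) and length straight off the air and can also tell the two flows apart by frame size; in the whole-frame case every frame is 128 random-looking bytes, while the receiver still recovers the exact payload.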
-
TRANSEC Goals: Hub and Remote Validation
Unauthorized use of network resources can lead to a man-in-the-middle attack
  A remote might be spoofed and inserted into a secure network
  A secure remote might be coerced into joining an insecure network
While these kinds of attacks are extremely difficult even in non-TRANSEC environments, the risk of eavesdropping cannot be ignored
-
TRANSEC Goals: Hub and Remote Validation
TRANSEC eliminates these threats by:
  Using public-key cryptography for key distribution and message authentication
  Employing X.509 standards for verifying identities, establishing trust between network elements, and providing methods for dealing with security compromises
-
TRANSEC Solution
[Diagram: a TRANSEC Hub (hub system with protocol processor and IP encryptor) exchanges a "Wall of Data" over the WAN with Evolution e8000 Series remotes, each also holding an IP encryptor. Labels visible in the diagram: plaintext bits with SADA/TOS header fields entering the IP encryptor and emerging as ciphertext; "TOS, Demand, Header, DID"; X.509 Certificates carrying a DID, public key and signature on both hub and remotes ("Strong Authentication"); ACC key and DCC key held by hub and remotes.]
-
Our TRANSEC Solution At a Glance
Installation of TRANSEC-enabled networks made easy
TRANSEC Requirement / iDirect's Solution / Benefits
Mask channel activity
  Solution: Free slot allocation creating uniform size of all TDMA slots; Wall of Data and Acquisition Obfuscation
  Benefit: Negates the risk of using transmission activity as an intelligence gathering mechanism
Control Channel Information
  Solution: FIPS 140-2 certified encryption; 256-bit keyed AES encryption; over-the-air key update feature
  Benefit: Detection of repetitive data streams unsuccessful
Hub and Remote authentication and validation
  Solution: Public and private key encryption on remotes and hubs; X.509 digital certificates
  Benefit: Ensures remotes and hubs are authorized and validated