SlingSecure Mobile Voice Encryption

SlingSecure is the most secure encrypted messaging provider for Blackberry & Android mobile devices on the market. SlingSecure secure messaging was designed specifically for encrypting mobile-to-mobile, mobile-to-landline communication via Blackberry / Android smartphones.

Our multiple security features and protocols ensure safe, anonymous and highly secure transmission between Blackberry & Android devices for users who may deal with sensitive information and anyone who wants their peace of mind.

Features:

Blackberry to Android Encryption
Mobile to Landline Encryption
Landline to Landline Encryption
Private SMS Encryption
Email Encryption Blackberry to Android.

Visit us today at www.slingsecure.com

Published in: Technology, Business
Transcript of "SlingSecure Mobile Voice Encryption"

  1. SlingSecure Secure Network Convergence
  2. Problem solving approach for secure network convergence
     Problem
     ✓ Operators do not give direct IP connection between devices on different networks
     ✓ Main limitations are
       •  Private IP address
       •  "Rolling" IP address for mobile
       •  NAT
       •  Firewalling, etc.
     ✓ User identity and activity log cannot be hidden (e.g. for VIP closed User Group)
     ✓ Standard SIP protocol not designed for mobile networks
     ✓ Need to interconnect systems/devices with different or legacy transport protocols (e.g. proprietary systems)
     (Diagram: three VoIP Servers, Mobile Terminal 1, Mobile Terminal 2)
  3. Problem solving approach for secure network convergence
     Solution
     ✓ Interconnection for secure voice & data communication between
       •  IP devices
       •  3G - 4G & LTE mobile
       •  PSTN
       •  2G mobile
     ✓ Pass-Through End-to-end Communication
     ✓ SlingSecure Network allows
       •  Independent communication and signaling management
       •  Closed user group in mixed mobile and fixed environment
       •  Encrypted call signaling
       •  Protocol conversion and adaptation when required
     (Diagram: XServ Modules, PSTN to IP, User DB, PSTN Device, Authentication and Key Management, End-To-End Full Duplex Secure Signaling, IP Device)
  4. XServ
     Interconnection for secure voice & data communication between IP devices
     SlingSecure Network allows protocol conversion and adaptation when required (e.g. PSTN to IP)
     Devices connected to XServ
       •  Mobile 2G/3G/4G/LTE/WiFi
       •  PSTN devices
     (Diagram: XServ Modules, PSTN to IP, User DB, Terminals, PSTN Device, Authentication and Key Management, IP Device)
  5. Cross Network Communication Server
     ✓ End-to-end Secure Communication
     ✓ Encrypted call signaling
     ✓ HW authentication
     ✓ Key Management
     ✓ Pass-through data channels
     ✓ Mobile IP Follower
     ✓ Mobile Carrier NAT/Firewall bypass (No STUN server required)
     ✓ Cluster based, scalable architecture
     (Diagram: SlingSecure Network, XServ Modules, User DB, User A, User B, Authentication and Key Management, End-To-End Full Duplex Secure Channels)
  6. XServ Management
     •  WEB Based (HTTPS) Interface
     •  Local Access
        –  Strong Authentication based on
           •  USB Secure Token
           •  Smart Card
     •  Remote
        –  Strong Authentication based on
           •  PKI
           •  Symmetrical Keys (OTP)
     (Diagram: XServ, USEpro Device)
  7. XServ Multiple Organizations
     (Diagram: Organization (A) and Organization (B), each with its own XServ, User DB, Account and Authentication and Key Management; users USR 1 ... USR N in each; USR 2 and USR 3 hold an Inter-Force Key shared across the two organizations)
  8. Communication Gateway
     Multiple communication interfaces embedded into a flexible platform designed to deliver interconnection and security
     SlingSecure Gateway
     ✓ Physical conversion between heterogeneous channels (e.g. PSTN to IP)
     ✓ Logical adaptation between different protocols
     ✓ Multi-core, real time signal processing
     ✓ Hardware Encryption
     (Diagram: SlingSecure Gateway interfaces: UMTS, EDGE, GSM, Phone Line & Modems, USB Host, USB Device, Ethernet, SD Storage; on demand; Fully Customizable)
  9. Devices connected to XServ
     SlingSecure Network allows both mobile and fixed devices to be interconnected and perform secure voice and data communications
     ✓ Mobile 3G/4G/LTE
     ✓ Mobile 2G
     ✓ WiFi ready terminals
     ✓ PSTN Devices
       •  Telephone
       •  Fax
       •  Modems
     (Diagram: 2.75G/3G, WiFi, 2G/3G/WiFi, 2G, Telephone, Fax)
  10. SlingSecure Secure Phone Stack
     Available platforms
     ✓ Full Custom
     ✓ Semi Custom
     ✓ COTS (e.g. Motorola, Nokia, HTC HW)
     Applications & Libraries for Secure Mobile Communication, Authentication and Encryption
     (Diagram, Secure Phone Stack (SPS): Application Layer: Clear Dialer, Crypto Dialer, Call List, Crypto Call List, Contacts, Crypto Contacts, SMS, Crypto SMS; Libraries: Crypto Protocols, Graphic Libs (QT, ...), Crypto Engine (xSE based); OS Independent Wrapper (Audio, keypad, PM, Modem, etc.); Telephony API; Hardware: microSE (mSE); Software Fully Customizable)
  11. mSE - Ambiente Micro Seguro (Secure Micro Environment)
     All the xSE features in a MicroSD
     ASIC
     ✓ HW crypto engine
     ✓ Standard and custom algorithms
     ✓ SD card interface (up to 450Mb/s)
     ✓ Integrated memory (up to 4 GB)
     ✓ Internal keys database
     ✓ Suitable for Mobile Applications
     (Diagram: SPI or BUS, NAND Flash, mSE)
  12. SlingSecure Mobile Platforms
     The SlingSecure range consists of 4 kinds of mobile platforms according to the required security level; the slide arranges them in a matrix (Software Security / Hardware Security against Software Secure Application / Software Secure Phone Stack) labelled A to D:
     •  Software secure application on COTS terminals (e.g. Nokia, Windows Mobile, Android, etc.)
     •  Software secure phone stack (OS and applications) on COTS terminals (e.g. Motorola)
     •  Software secure application on COTS terminals with microSD (e.g. Nokia, Windows Mobile, etc.)
     •  Software secure phone stack on COTS terminals with microSD (e.g. Android)
  13. Secure Voice Call Flow
     Authentication (Secure Dialer Access): to launch the application and access the secure dialer the user must insert the authentication password
     Negotiation (Incoming/Outgoing Secure Voice Call Negotiation): a symmetrical communication key is negotiated between the caller and the called user when a secure voice call is set up or an incoming secure call is answered. Before starting the secure voice call the following elements are also negotiated by the devices
       •  Encryption/Decryption algorithm (multiple algorithm selection available)
       •  Vocoder type, mode and rate
       •  Secondary keys (e.g. used for sms)
     Voice (Secure Voice Call): the secure voice call starts after successful completion of the negotiation phase
  14. Authentication
     User Authentication
     •  User is asked to insert a password whenever the Secure Voice Application is launched
     •  Password can be asked only once or several times according to the user preferences
     •  Password can be changed at any time by the user
     •  Password is used to access the application and the key repository
     (Diagram: User Password → SHA 256 → Hashed Password → Comparator → OK → Start Secure Dialer; the Key Repository is stored on the mobile phone and its keys are encrypted by means of a key derived from the User Password)
  15. Key Repository
     Two secure key repositories are stored on the mobile terminal (or on microSD)
     •  Manual Keys repository
     •  KMS (Key Management Server) Keys repository
     Key secure repositories contain symmetrical pre-shared keys to be used standalone or combined with other secrets to encrypt/decrypt communications (voice calls, sms, messaging, etc.).
     •  Manual Keys
        •  Can be added, deleted or modified directly by the User using the Secure Voice Application menu
        •  Can be enabled according to the user preferences and/or KMS (Key Management Server) policies, if applicable
     •  KMS - Key Management Server - Keys
        •  Can be generated only by the KMS
        •  Can be added remotely (e.g. via sms) by the KMS
        •  Cannot be cancelled or modified by the user
  16. Keys Security
     Main fields
     •  KeyID (clear)
     •  Key Value (encrypted)
     Secondary fields
     •  expiration date (encrypted)
     •  usage (encrypted)
     •  label (clear)
     Keys are encrypted by means of a key derived from the User Password
     •  RND key is generated at key Repository creation time
     •  RND key is encrypted and stored on the mobile phone
     •  Encrypted RND key is used in combination with the User Password to extract a key value from the encrypted key Repository
     •  When the cryptographic microSD card is present, keys are sent encrypted to the microSD card
     •  Encrypted RND key is stored in the microSD
     •  Keys are decrypted and used inside the microSD
     All the operations in the green area are performed in the microSD, if present
     (Diagram: User Password → SHA 256 → Key → AES 256 (In: Encrypted RND Key) → Out → Key → AES 256 (In: Encrypted Key Value, 16 Bytes) → Out: Clear Key Value (16 Bytes); record layout: Key ID (4 bytes), Encrypted Key Value (16 Bytes); microSD)
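The password-gated repository of slides 14 to 16, modelled as an added example (not SlingSecure code). It shows the two-level wrapping the figure describes: the user password is hashed for the comparator, a separately derived key unwraps the RND key, and the RND key unwraps each Key Value, with KeyID and label stored in clear. The deck draws both the comparator hash and the wrapping key as SHA-256 of the password; this example prefixes the two with different labels, so the stored comparator value is not itself the key-encryption key. Two further assumptions: AES-256 is replaced by a SHA-256 counter-mode keystream XOR (`xor_stream`) so the block runs with the standard library only, and the KEK is an unsalted hash as in the figure, where a salted, iterated password KDF would be the usual hardening.

```python
"""Added example: password-gated key repository (slides 14 to 16).
Assumptions: SHA-256 keystream XOR stands in for AES-256; hash labels
"auth"/"kek" are this example's domain separation, not the deck's."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for AES-256: XOR data with a SHA-256(key|nonce|counter) keystream.
    Stream-cipher only: no integrity tag, unlike an AEAD such as AES-256-GCM."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, data: bytes) -> bytes:
    """Encrypt under a fresh 16-byte nonce; returns nonce | ciphertext."""
    nonce = secrets.token_bytes(16)
    return nonce + xor_stream(key, nonce, data)


def unseal(key: bytes, blob: bytes) -> bytes:
    return xor_stream(key, blob[:16], blob[16:])


def auth_hash(password: str) -> bytes:
    """Value kept for the comparator (slide 14: User Password -> SHA 256)."""
    return hashlib.sha256(b"auth" + password.encode()).digest()


def kek_from_password(password: str) -> bytes:
    """Key that unwraps the RND key (slide 16: User Password -> SHA 256 -> Key)."""
    return hashlib.sha256(b"kek" + password.encode()).digest()


@dataclass
class KeyRecord:
    key_id: int        # KeyID, clear (4 bytes on the slide)
    label: str         # label, clear
    enc_value: bytes   # Key Value (16 bytes), encrypted under the RND key
    enc_expiry: bytes  # expiration date, encrypted
    enc_usage: bytes   # usage, encrypted


@dataclass
class KeyRepository:
    pw_hash: bytes      # comparator value
    enc_rnd_key: bytes  # RND key wrapped under kek_from_password(...)
    records: list = field(default_factory=list)


def create_repository(password: str) -> KeyRepository:
    rnd_key = secrets.token_bytes(32)  # RND key generated at repository creation time
    return KeyRepository(pw_hash=auth_hash(password),
                         enc_rnd_key=seal(kek_from_password(password), rnd_key))


def authenticate(repo: KeyRepository, password: str) -> bool:
    return hmac.compare_digest(repo.pw_hash, auth_hash(password))


def unlock_rnd_key(repo: KeyRepository, password: str) -> bytes:
    """Comparator first, then unwrap the RND key with the password-derived KEK."""
    if not authenticate(repo, password):
        raise PermissionError("wrong password")
    return unseal(kek_from_password(password), repo.enc_rnd_key)


def add_key(repo, password, key_id, label, value16, expiry, usage):
    if len(value16) != 16:
        raise ValueError("Key Value must be 16 bytes")
    rnd = unlock_rnd_key(repo, password)
    repo.records.append(KeyRecord(key_id, label, seal(rnd, value16),
                                  seal(rnd, expiry.encode()), seal(rnd, usage.encode())))


def extract_key(repo, password, key_id) -> bytes:
    """Slide 16: encrypted RND key + User Password -> clear Key Value."""
    rnd = unlock_rnd_key(repo, password)
    for rec in repo.records:
        if rec.key_id == key_id:
            return unseal(rnd, rec.enc_value)
    raise KeyError(key_id)


def change_password(repo, old, new):
    """Only the RND key is re-wrapped; the key records need no re-encryption."""
    rnd = unlock_rnd_key(repo, old)
    repo.pw_hash = auth_hash(new)
    repo.enc_rnd_key = seal(kek_from_password(new), rnd)
```

The RND-key indirection is what makes `change_password` cheap: re-wrapping one 32-byte value rotates the password without touching the encrypted Key Values, which matters on a device where the repository may live on a microSD. Because the stand-in cipher carries no integrity tag, a tampered record decrypts to garbage rather than failing; an AEAD would reject it.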
  17. Voice Call Key negotiation
     Symmetric keys used to encrypt/decrypt communications can be created in three different ways
     1) Pre-Shared keys
        •  two lists of pre-shared keys are available:
           •  manual
           •  KMS generated
        •  One of the pre-shared keys the caller and the called user have in common is selected at negotiation time to encrypt/decrypt the voice call
     2) DH (Diffie-Hellman), Standard or Elliptic Curve based
        •  A symmetrical session key is negotiated at call time
        •  Standard DH version based on 4096 bit keys
        •  Elliptic Curve DH version is based on 571 bit keys, Koblitz GF(2^m) configuration
        •  The final Session key is the hash of the DH result
     3) A combination of the first two modes
        •  The final Session key is a combination of the two previous keys: SHA256(DH | SK)
     Note: a Family Key can be added to all the previous mechanisms in order to create (sub)groups
  18. Man in the middle
     To detect a potential man-in-the-middle attack, two numerical authentication codes are generated from the SHA256 of the negotiated encryption key. The codes appear on the device screen during the call. At the start of the communication the users should check the codes with each other by voice.
     MATCHING codes = NO INTRUDER interfering with the call
     codes DO NOT MATCH = man in the middle ATTACK IN ACTION
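An added example (not SlingSecure code) of the three negotiation modes of slide 17 and the voice-checked authentication codes of slide 18. It runs the exchange for both parties, derives the session key as the hash of the DH result or as SHA256(DH | SK) for the combined mode, and cuts two numerical codes from SHA-256 of the resulting key; it then repeats the exchange with a relay that substitutes its own public values, so the two ends derive different keys and the codes no longer match. Assumptions: the deck specifies 4096-bit standard DH, while this block uses the 1024-bit MODP group of RFC 2409 (group 2) so it runs in well under a second; the selection rule for a common pre-shared key (lowest KeyID), the four-digit code layout, and the `relay` hook are this example's choices, and the Family Key is not modelled.

```python
"""Added example: key negotiation (slide 17) and MITM detection codes (slide 18).
Assumptions: 1024-bit RFC 2409 group 2 instead of the deck's 4096-bit DH;
common-PSK selection, code layout and the relay hook are this example's own."""
import hashlib
import secrets

P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


def dh_keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    if not 1 < peer_pub < P - 1:          # reject the degenerate values 0, 1, p-1
        raise ValueError("invalid DH public value")
    return pow(peer_pub, priv, P)


def to_bytes(n):
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


def session_key_dh(shared):
    """Mode 2: the final Session key is the hash of the DH result."""
    return hashlib.sha256(to_bytes(shared)).digest()


def session_key_combined(shared, psk):
    """Mode 3: SHA256(DH | SK), with DH taken as the mode-2 session key."""
    return hashlib.sha256(session_key_dh(shared) + psk).digest()


def select_common_psk(mine, their_ids):
    """Mode 1: pick a pre-shared key both sides hold (lowest KeyID, assumed rule)."""
    common = sorted(set(mine) & set(their_ids))
    if not common:
        raise LookupError("no pre-shared key in common")
    return common[0], mine[common[0]]


def auth_codes(session_key):
    """Two numerical codes from SHA-256 of the negotiated key (4-digit layout assumed)."""
    h = hashlib.sha256(session_key).digest()
    return int.from_bytes(h[0:2], "big") % 10000, int.from_bytes(h[2:4], "big") % 10000


def honest_relay(a_pub, b_pub):
    return b_pub, a_pub                  # (what A receives, what B receives)


def mitm_relay(a_pub, b_pub):
    """Models an intruder on the signaling path replacing both public values."""
    _, m_pub = dh_keypair()
    return m_pub, m_pub


def negotiate(mode, caller_psks, callee_psks, relay=honest_relay):
    """Return (caller_key, callee_key) for mode 'psk', 'dh' or 'combined'."""
    psk_a = psk_b = b""
    if mode in ("psk", "combined"):
        kid, psk_a = select_common_psk(caller_psks, callee_psks.keys())
        psk_b = callee_psks[kid]
    if mode == "psk":
        return psk_a, psk_b
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    a_sees, b_sees = relay(a_pub, b_pub)
    z_a, z_b = dh_shared(a_priv, a_sees), dh_shared(b_priv, b_sees)
    if mode == "dh":
        return session_key_dh(z_a), session_key_dh(z_b)
    if mode == "combined":
        return session_key_combined(z_a, psk_a), session_key_combined(z_b, psk_b)
    raise ValueError(mode)


def codes_match(caller_key, callee_key):
    """What the two users confirm by voice at the start of the call."""
    return auth_codes(caller_key) == auth_codes(callee_key)
```

Two things the run makes visible: in pure DH mode the relay obtains both session keys, and only the spoken code check exposes it, which is why the slide insists the codes are compared at the start of the call; in combined mode the relay cannot compute either key without the pre-shared secret, but the two ends still derive different keys, so the codes again disagree. Four-digit codes give an attacker roughly a 1 in 10^8 chance of a chance match on both; longer codes reduce that further.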
  19. Secure Voice Call Path
     (Diagram: SECURE CHANNEL protected by the Symmetric Communication Key. Transmit side: MIC → ADC → Voc → Enc → Mod → ANT; receive side: ANT → Dem → Dec → Voc → DAC → SPK. Audio is CLEAR in the Application Domain up to the vocoder and CRYPTO from the encryptor onwards, including the whole Baseband Domain.)
  20. Application Voice Processing
     •  Access to microphone and speaker using the OS APIs
     •  Get 8KHz/16bit (128Kbit/s) Audio Samples from Mic
     •  Put 8KHz/16bit (128Kbit/s) Audio Samples to Speakers
     •  Compression of Audio Samples to a GSM/UMTS suitable rate using standard or custom Vocoders
        •  Encoding of microphone audio samples (from 128Kbit/s to ~5Kbit/s)
        •  Decoding of speaker audio samples (from ~5Kbit/s to 128Kbit/s)
        •  The vocoder can be exposed by the operating system or written in native language
     •  Voice Encryption/Decryption
        •  Encryption of encoded microphone audio samples
        •  Decryption of encoded speaker audio samples
        •  Cryptographic operations are performed by a dedicated HW or SW module
  21. Voice Processing Components
     (Diagram: Get Audio Samples → Audio Samples Encoding → Encoded Audio Samples Encryption → Send Data. Layers: Application; Libraries (Audio Libraries, Standard or Custom Vocoders, Crypto Library, Telephony API); Drivers (Audio Drivers, MicroSD/Mass Storage Drivers, Baseband COM); Hardware (Audio Codec and Microphone, Cryptographic MicroSD, Baseband Processor). Legend: Only for HW Crypto Engine (e.g. microSD); SlingSecure provided; Operating System (e.g. by phone manufacturer))
     * This diagram describes only the voice path from the microphone to the radio transmission
  22. (Network diagram: SlingSecure Network with XServ, FAX G3, Telephone, 3G Mobile, WiFi Mobile, 3G Pipe, two SlingSecure Gateways and the IP Network)
  23. Secure Network Convergence - Case 1
     Secure Voice over IP (2.5G, 2.75G, 3G, 3.5G, 4G, LTE, WiFi)
     •  Encrypted Signaling managed by XServ Pipecom Server
     •  Encrypted End-To-End voice packets managed by the IP Terminals (HW encryption)
     (Diagram: VoIP Device 1 ↔ Encrypted Signaling ↔ XServ ↔ Encrypted Signaling ↔ VoIP Device 2; Encrypted voice packets over End-To-End pass-through Channel)
  24. BlackBerry communication services
     •  Secure Voice over IP
     •  Secure eMail
     •  Secure Messenger
     Complete scalable system allowing integrators and operators to deliver secure voice, messaging and email services over the BlackBerry platform using End-To-End HW based encryption.
     (Diagram: Encrypted Signaling via XServ; End-To-End HW Encryption; HW token to guarantee high speed and strong security (2048 bit key length or higher); Proprietary service server; Independent Secure Client architecture; Available 4Q 2010)
  25. Land-Line to Mobile
     System Elements:
     •  Analog Telephone
     •  SlingSecure Gateway to convert PSTN to IP
     •  2.5G/3G/4G/LTE Mobile Phone (including mSE)
     Secure Voice Call between standard PSTN telephones and Mobile phones
     Hardware Encryption performed by
     •  SlingSecure Gateway on PSTN side
     •  mSE on Mobile Phone side
     •  Custom encryption algorithm (optional)
     (Diagram: Telephone → SlingSecure Gateway → Encrypted Signaling → XServ → Encrypted Signaling → Mobile; End-To-End HW Encryption)
  26. Secure Fax over IP
     System Elements:
     •  Standard G3 FAX
     •  SlingSecure Gateway to convert PSTN to IP
     Secure Data Call between standard PSTN FAX machines
     Hardware Encryption performed by the SlingSecure Gateway
     •  Custom Encryption Algorithm
     Two FAX mode settings:
     •  Direct Line
     •  Store and Forward
     (Diagram: Standard G3 FAX → SlingSecure Gateway → Encrypted Signaling → XServ → Encrypted Signaling → SlingSecure Gateway → Standard G3 FAX; End-To-End HW Encryption)
  27. Satellite Worldwide Connection
     (Diagram: Satellite, Sat Link, IP over Sat, Ground Station, Internet, VoIP Server; Car System, Portable System and Marine System connected over WiFi)
  28. CSD Proxy
     (Diagram: ZONE 1: GSM Area - CSD (No UMTS, No IP) with a GSM - CSD Secure Gateway; CSD Proxy performing CSD to IP Conversion; ZONE 2: IP Network with VoIP Server)
  29. Secure Conference Call
     (Diagram: SlingSecure Network with XServ, 3G Pipe, WiFi Mobile, 3G Mobile, Telephone, SlingSecure Gateway and IP Network; Secure Media Conference using Temporary Keys and a Unique Conference Number)
  30. Customizations (I)
     Customization level & criteria are selected according to the mobile platform
     Customization should be performed by the customer independently and without any knowledge or interference from SlingSecure
     Mobile terminals without cryptographic microSD
     •  As the cryptographic library is an external module written in C/C++, the customer can modify or add methods starting from a functional template provided by SlingSecure
     •  Customer can compile and overload the cryptographic library independently
     •  A simulation environment is provided together with the required HW and SW tools
     (Diagram: Customize ANSI C functions (AES, Custom DH EC, KEY Mng, RNG) → Simulation → Custom Compilation → Testing Loop; Cross Compiled Overloading of ANSI C Function / C++ Wrapper)
  31. Customizations (II)
     Customization options for microSD based mobile platforms
     1) Smart Card based microSD (standard solution)
        •  Custom combination of standard algorithms can be implemented
        •  Cryptographic functions are exported as Java Card libraries
        •  SlingSecure can provide the basic applet and support to add/overload internal custom functions on "open" smart card based microSD provided by the Customer
     2) Custom microSD (available on request)
        •  Micro controller based microSD card for deeper algorithm customizations - SlingSecure provided
        •  Same approach as for the software library, with ANSI C code executed inside the microSD
     3) Software Library
        •  Custom algorithms are implemented as a software library
        •  Basic cryptographic operations are kept inside the smart card based or micro controller based microSD
  32. File Server Authentication
     ✓ User Authentication to access the DMZ File Server
     ✓ Radius/Tacacs + LDAP verifies user account and policies through the domain controller
     ✓ The domain server grants the authentication for the workstations to access the DMZ File Server
  33. Keys and Certificates (I)
     ✓ User groups in different VLANs are managed by dedicated switches
     ✓ Traffic policies managed by the security gateway
     ✓ Access managed by means of
       •  Secure Token (EAL5+ smartcard based) or
       •  Symmetric Key based OTP device or
       •  Certificates
     (Diagram: Certificates, USEpro Device)
  34. Keys and Certificates (II)
  35. Remote Management over VPN
     ✓ VPN managed by Clavister products
       •  SG 3000
       •  SG 4000
     ✓ QoS and Bandwidth Management
  36. IDP/IPS Scanning
  37. SlingSecure products are backed up by the support of the engineering and design team for
     ✓ Cost effectiveness
     ✓ Smooth system integration
     ✓ Timely solution delivery
     The high level service & support for all SlingSecure View products allows the Customer to reach the desired result with the best cost to performance ratio
  38. SlingSecure International
     info@slingsecure.com