2. SecuVOICE SNS
Outline
The Need for End-to-End Security in Secure Voice
The Compatibility Challenge of End-to-End Security
The SNS Standard: Secure Network-Independent Speech Communication
SecuVOICE SNS – Mastering the Interoperability Challenge
3. SecuVOICE SNS
The Need for End-to-End Security
Threats to voice and SMS communication
Interception on the air interface
Passive: breaking A5/1 encryption
Active: IMSI-Catcher
(Dis-)lawful interception in the land transmission network
Voice and SMS data are transmitted in clear text
Call-ID spoofing
Attacker transmits false caller ID
Cheap and effective
4. SecuVOICE SNS
The Need for End-to-End Security
Secure voice needs more than just encryption
End-to-End encryption of voice and SMS data
Protection against interception
Certificate-based authentication of the users
Protection against man-in-the-middle attacks
Protection against Call-ID spoofing
8. SecuVOICE SNS
The Interoperability Challenge of E2E Security
manufacturer-independent
[Diagram labels: TC Installation, PSTN, SecuGATE LI 4 / LI 30, SecuGATE LI 1]
9. SecuVOICE SNS
The Interoperability Challenge of E2E Security
network-independent
[Diagram labels: TC Installation, PSTN, SecuGATE LI 4 / LI 30, TETRA / PSTN, SecuGATE LI 1]
10. SecuVOICE SNS
The Interoperability Challenge of E2E Security
future proof
[Diagram labels: IP / PSTN, TC Installation, PSTN, SecuGATE LI 4 / LI 30, TETRA / PSTN, SecuGATE LI 1]
11. SecuVOICE SNS
The SNS Standard: Secure Network-independent Speech communication
Open standard published by the German Federal Office for Information Security (BSI)
Defines a network-independent protocol for end-to-end secure voice and SMS communication
Makes no assumptions on the underlying channel other than a minimum bit rate of ca. 7 kbit/s
Facilitates compatibility of manufacturer-independent solutions
12. SecuVOICE SNS
The SNS standard is leading the way in interoperable secure communication.
SNS protocol supports the definition of various national and proprietary modes
Each mode defines: voice codec, crypto scheme and signalling plan
Negotiation of the best possible mode at the beginning of each call
Mandatory interoperability mode based on TETRA ACELP voice codec and “BOS Digital” crypto scheme
13. SecuVOICE SNS
The SNS standard defines a mandatory interoperability mode based on “BOS Digital”
Elliptic curve public key cryptography available only in Smart Cards (NXP SmartMX P5CT072)
Certificate-based key management based on BOS public key infrastructure (BOS PKI)
Authenticated ECDH key negotiation of a new traffic encryption key (TEK) for each new call
Voice traffic encryption using symmetric key stream cipher based on AES-128
Key stream generation performed inside the smart card
Even the TEK never leaves the smart card
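
Added example (not part of the original slides, and not Secusmart or BSI code): a software model of the per-call flow listed above, using the Python `cryptography` package. The curve (P-256), the ECDSA signature standing in for BOS PKI certificates, HKDF and AES-CTR are assumptions; the slides name none of them, and in the described system these steps run inside the smart card.

```python
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives.kdf.hkdf import HKDF

CURVE = ec.SECP256R1()            # assumption: curve is not named on the slides
SIG = ec.ECDSA(hashes.SHA256())   # assumption: stands in for certificate-based auth

class Endpoint:
    def __init__(self):
        # Long-term key; in the described scheme it is certified and kept on the card.
        self.identity = ec.generate_private_key(CURVE)
        self.public_identity = self.identity.public_key()

    def offer(self):
        """Fresh ephemeral ECDH key for this call, signed with the long-term key."""
        self._eph = ec.generate_private_key(CURVE)
        pub = self._eph.public_key().public_bytes(
            serialization.Encoding.X962, serialization.PublicFormat.UncompressedPoint)
        return pub, self.identity.sign(pub, SIG)

    def derive_tek(self, peer_identity, peer_pub, peer_sig):
        """Verify the peer's signature first, then derive a 128-bit TEK."""
        peer_identity.verify(peer_sig, peer_pub, SIG)  # raises InvalidSignature
        peer_key = ec.EllipticCurvePublicKey.from_encoded_point(CURVE, peer_pub)
        shared = self._eph.exchange(ec.ECDH(), peer_key)
        return HKDF(algorithm=hashes.SHA256(), length=16, salt=None,
                    info=b"demo-tek").derive(shared)

def call_setup(a, b):
    """Exchange signed offers; each side derives the TEK independently."""
    a_pub, a_sig = a.offer()
    b_pub, b_sig = b.offer()
    return (a.derive_tek(b.public_identity, b_pub, b_sig),
            b.derive_tek(a.public_identity, a_pub, a_sig))

def crypt_frame(tek, frame_no, data):
    """XOR one voice frame with an AES-128 key stream (CTR mode is an assumption)."""
    nonce = frame_no.to_bytes(8, "big") + bytes(8)  # distinct counter range per frame
    return Cipher(algorithms.AES(tek), modes.CTR(nonce)).encryptor().update(data)

def mitm_rejected(a, b, attacker):
    """True if b refuses an offer that was not signed by a's long-term key."""
    b.offer()
    fake_pub, fake_sig = attacker.offer()
    try:
        b.derive_tek(a.public_identity, fake_pub, fake_sig)
    except InvalidSignature:
        return True
    return False
```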
14. SecuVOICE SNS
The SNS standard enables E2E secure communication over a variety of networks
One of the mandatory interoperability modes allows E2E secure voice and SMS communication between SNS devices in PSTN and TETRA radio devices in German TETRA-BOS network
BOS-Digital cryptography (voice encryption, SDS/SMS encryption and key management)
Voice Codec: TETRA ACELP (ETSI EN 300 395-2)
Voice signalling plan compatible with TETRA (via transparent PSTN/TETRA gateway)
15. SecuVOICE SNS
The SNS standard: implementation challenges
Much like NATO SCIP, implementing the SNS standard poses several challenges, particularly on current mobile device platforms
Design-in of BOS Smartcard
Secusmart Security Card (4GB microSD Card with embedded BOS Smartcard)
Integration of TETRA ACELP voice codec on application processor
Implementation of SNS protocol stack for each mobile platform
16. SecuVOICE SNS
SecuVOICE SNS
secure mobile voice communications
Secure encrypted conversations, authenticated conversation partners
Unencrypted telephone calls also possible
[Diagram label: SecuGATE LI 1]
17. SecuVOICE SNS
SecuVOICE SNS
secure SMS text messages
Worldwide protection with end-to-end encryption, authenticated senders and recipients
Unencrypted text messages also possible
18. SecuVOICE SNS
SecuGATE SNS
secure landline voice calls
Hardware-encrypted conversations, authenticated conversation partners
Unencrypted telephone calls also possible
[Diagram labels: SecuGATE LI 1, TC Installation, SecuGATE LI 4 / LI 30, SecuGATE LI 1]
19. SecuVOICE SNS
SecuVOICE & SecuGATE
as comfortable as always, more secure than ever.
Usual user-friendliness
Secure telephone conferences
Excellent voice quality
Quick call set-up
Global accessibility (GSM networks)
20. SecuVOICE SNS
SecuVOICE & SecuGATE
compatible, interoperable and approved
Approved for VS-NfD security level (Classified – for official use only)
Internationally approved up to NATO Restricted security level
Compatible with TETRA-BOS
Compatible with SNS standard
Supplying German federal authorities since 2009
Supplying German state authorities since 2010
21. SecuVOICE SNS
Secusmart Security Card
Secure microSD card with embedded Smartcard
4GB flash memory
Embedded Smartcard Chip (NXP SmartMX P5CT072)
BOS-Digital Cryptography
Secure key storage (protected against unauthorized access)
PKI co-processor
High speed AES co-processor
Energy saving design
22. SecuVOICE SNS
Technical Background – Landline
SecuGATE Crypto Gateways:
SecuGATE LI 1 – for 1 ISDN S0 connection
SecuGATE LI 4 – for up to 4 ISDN S0 connections
SecuGATE LI 30 – for 1 ISDN S2M connection (up to 30 voice channels)
Works with all commercial ISDN telephones and ISDN telephone systems