Network & Voice Communications Security Blog: 2015

Wednesday, November 4, 2015

Universal, End-to-End Encryption for TCP Performance-Optimized Satellite Networks with the Cipher X® 7211 IP Encryption System

Satellite performance, particularly for Transmission Control Protocol (TCP), is adversely affected by the long round trip delay (over half a second) associated with geostationary high earth satellites. Many satellite equipment vendors have developed techniques to minimize this impact on users; one common technique is the use of a TCP proxy for TCP Acceleration. Application(s) requiring strong end-to-end protection using an installed satellite system with TCP Acceleration, however, have a problem. Use of a Layer 3 or 4 IP encryption system to implement end-to-end security is incompatible with TCP Acceleration techniques utilized by satellite gear unless the encryption system is specifically designed to handle this situation. TCC has developed the Cipher X 7211 IP encryption system with innovative TCP Stream Encryption operating to properly handle these optimizations seamlessly.

Our white paper, which is available for download, provides an overview of satellite communication performance limitations and how a TCP proxy operates to counter the limitations. It then describes TCP proxy incompatibility issues with Layer 3 or 4 end-to-end encryption systems, and how TCC’s Cipher X 7211 IP encryption system with TCP Stream Encryption enables end-to-end security for TCP performance-optimized satellite networks.

TCC’s Cipher X 7211 IP encryption system with innovative TCP Stream Encryption supports TCP Acceleration performed by satellite networking gear. As a result, users of TCP performance-optimized satellite networks no longer have to sacrifice performance to implement end-to-end security. The Cipher X 7211 encryption system operating at Layer 4 includes features to work with and take full advantage of the special capabilities often incorporated into satellite gear for network performance optimization. Further, the Cipher X 7211 encrypts satellite and other transport media, including hybrid networks, and operates independently of the network provider and equipment.

Download the white paper to learn more.

End-to-end transport-agnostic WAN security with TCP performance-enhanced satellite networks

TECHNICAL COMMUNICATIONS CORPORATION | www.tccsecure.com

Thursday, August 6, 2015

On-Demand Webinar: 360 Degrees of Data Security Know-How Made Easy

VPN, secure email, access control, edge encryption ... the list goes on. What are the differences among data security capabilities and what should you implement in your organization to protect your information onsite, across locations, with remote employees and with customers, suppliers and partners?

This complimentary, 1.5 hour non-technical webinar taught by a cryptography expert will:

Provide a high-level technical understanding of data encryption and security
Walk through a company scenario with diverse applications and activities while describing security threats, options & best practices
Arm you with the knowledge to identify security needs, understand available security solutions, and be confident that the right security issues are being addressed for your business

Curriculum Detail

Encryption technical foundation. Overview of the basic concepts of encryption, keys and passwords, integrity & hashing, authentication & signatures, and public key infrastructure.

Data security solutions and their applications. Covered areas include access control, secure email, file encryption, voice security, firewalls, virus/malware, intrusion detection system, edge encryption, virtual private network and e-commerce.

Securing activities inside the LAN. Learn about access and logging in, and securely sending/receiving email files. Also, understand risks and protection for wireless LANs, as well as security for databases, shared folders and Internet browsing.

Protecting the LAN perimeter. Outlines threats and security measures to protect the boundary between the trusted LAN inside and outside such as firewalls and intrusion detection systems.

Encrypting the wide area network. Bulk and protocol sensitive encryption devices are explored and compared to secure multi-site communications.

Communicating securely outside the core network. Discusses the differences of securing remote employees with uncontrolled remote access and securing partners, contractors and customers. An overview of VPN and application security options are provided.

TECHNICAL COMMUNICATIONS CORPORATION | www.tccsecure.com | Subscribe for TCC updates

Tuesday, June 30, 2015

Enhancing Mobile User Security with Cipher X® 7211 IP Encryption

Modern enterprises have the need to securely enable a mobile workforce. Employees need access to corporate data services to enhance productivity and improve corporate responsiveness. TCC's Cipher X 7211 IP encryption system easily integrates into networks that have mobile users and helps enforce security policies, providing a more robust and flexible security solution that enhances the security of traditional VPN access.

Inter-operates with Traditional VPN Services

TCC’s Cipher X 7211 system can be easily configured to inter-operate with and enhance the security of traditional user VPN services. It’s security policy engine can be configured to allow remote user VPN service access in the corporate network while maintaining the security overlay on core network communications. The Cipher X 7211 security policy engine protects services such as software-based VPN servers by restricting the traffic granted access to the VPN server to only what conforms to strict security policy.

Tight Control, Simplified Monitoring

Routing remote users through a single Cipher X 7211 access point in the network allows security managers tight controls and simplified monitoring of network traffic to minimize the threat opportunity that mobile devices inherently add to corporate data security. The flexibility of the Cipher X 7211 security overlay means access to the corporate network’s VPN service can be provided by any one of the Cipher X 7211 devices in the network. This gateway access can be easily moved between sites through centralized control of the Cipher X 7211. The Cipher X 7211 adds a secure circuit breaker capability in the event of a significant network security event.

Infinite Flexibility to Minimize Threat Opportunity

The flexibility of Cipher X 7211 security policy engine provides network security engineers the ability to limit VPN access to pre-approved source networks to ensure that global threats or compromise of mobile devices has a minimum threat opportunity. TCC’s Cipher X 7211 system provides network security engineers simple to deploy strategic communications with infinite flexibility all enabled by its centrally managed powerful security policy engine.

Learn more about the Cipher X 7211 IP encryption system.

TECHNICAL COMMUNICATIONS CORPORATION | www.tccsecure.com | Subscribe to Email News

Tuesday, June 9, 2015

All About Cryptographic Bit Lengths

You’re evaluating cryptographic solutions and you come across the term bit length for various security parameters. So, what is a bit length? And what size is sufficient to secure your data? The most common bit length refers to the encryption algorithm, and another important length refers to key management.

Algorithms

In a digital system, data is represented as a sequence of bits. That is, a sequence of 0’s and 1’s. A cryptographic algorithm is the means by which an encryption device scrambles data. It is a mathematical function which converts unencrypted data (called plaintext) into encrypted data (called ciphertext).

Most commonly encountered algorithms are block algorithms. This means that they operate on blocks of data of a fixed size, encrypting one block after another. An example is the Advanced Encryption Standard (AES) algorithm, which takes 128 consecutive bits of plaintext and transforms it into 128 bits of ciphertext. The block size of AES is said to be 128-bits. AES can be thought of as a permutation on 128-bit blocks, mapping every 128-bit sequence to a unique, seemingly unrelated 128-bit output sequence. Note: The block size does not bear directly on the encryption strength.

Cryptographic Key

Now, if the permutation is known, ciphertext can be reversed to its original plaintext state. A cryptographic algorithm prevents unauthorized parties from reversing the ciphertext by use of a key. A cryptographic key for an algorithm is a string of bits (0’s and 1’s) of a defined length called the key length. An algorithm that uses keys of length “n” is often called an n-bit algorithm. The key is used in the definition of the algorithm itself, and each distinct choice of key turns the algorithm into a distinct permutation. Without the key, the permutation is not known and the ciphertext cannot be reversed.

An adversary may attempt to decrypt ciphertext by guessing the key and using it to see if the ciphertext decrypts into something that looks like plaintext. In practice, this means testing every possible key until the one that was used is found. A key search can be time-consuming if not impossible, even with modern computers. The reason is the mathematics of exponentiation.

Inside the Math

An n-bit key is a sequence of 0’s and 1’s of length n. Since there are two possibilities for each bit in the key, there are 2ⁿ different n-bit keys. Thus, if an algorithm used an 8-bit key, there would be 2⁸= different 256 keys to try. The number of keys grows exponentially. A 16-bit algorithm has 2¹⁶ = 65,536 keys to try, and a 32-bit algorithm has 2³² = 4,294,967,296 keys. Modern algorithms use length of 128 or 256 bits. 2²⁵⁶ is roughly the same as the estimated number of particles in the universe.

Examples of algorithms include DES (64-bit blocks, 56-bit keys), IDEA (64-bit blocks, 128-bit keys), and AES (128-bit blocks, and implementations supporting 128-, 192-, and 256-bit keys).

What Key Size is Sufficient?

How large of a key is large enough to prevent a successful key search? Computers can search through possibilities very quickly, but even they are eventually overwhelmed by the task. The following table estimates the amount of time it would take to find the correct key on a computer capable of trying one key every microsecond (ms, a millionth of a second), as well as on a parallelized network (one in which the search is split among many computers) capable of testing a million keys every microsecond.

Length of Key	Number of Keys	Testing 1 key per ms	Testing 10⁶ keys per ms
32 bits	2³² = 4.3 x 10⁹	2³¹ms = 35.8 minutes	2.15 milliseconds
56 bits	2⁵⁶ = 7.2 x 10¹⁶	2⁵⁵ms = 1142 years	10 hours
128 bits	2¹²⁸ = 3.4 x 10³⁸	2¹²⁷ms = 5.4 x 10²⁴ years	5.4 x 10¹⁸ years
256 bits	2²⁵⁵ = 5.8 x 10⁷⁶	2²⁵⁵ms = 1.8 x 10⁶³ years	1.8 x 10⁵⁷ years

Summing It Up

Certain things stand out from the table above. First, a 56-bit algorithm such as DES is still secure against anything except an organized parallelized effort. Second, the key space of a 128-bit algorithm is sufficiently large to resist a key search from even national-scale efforts. And finally, even if the available computing power and speed doubles every year, 128-bit keys will remain secure over our lifetimes. No computer or network of computers will be able to search every 128-bit key. For this reason, 128- and 256-bit algorithms are recommended, and bit-sizes beyond these are considered superfluous.

· View products to secure network, phone and radio communications at: www.tccsecure.com.

· Learn more about information and communications security by visiting TCC’s Crypto Learning Center.

TECHNICAL COMMUNICATIONS CORPORATION | www.tccsecure.com

Wednesday, May 27, 2015

Are Fiber Optic Networks Secure?

NO!

Unless you have a private network AND you guard every inch or centimeter of it, fiber-optic networks are still vulnerable to wiretapping and eavesdropping.

Even though there is no electromagnetic radiation or crosstalk from a fiber-optic line and, wiretapping is not as simple as clipping on copper wires, eavesdropping on a fiber-optic network can be achieved with splitter/regenerator devices or with micro-bending clamps, which can capture light off the fiber.

The biggest vulnerability exists at the switching and repeater points where signals are split-out and regenerated. At these points, off-the-shelf (OTS) splitter/regenerator devices can be used to gain access to all the information. This type of tapping can also be done by splicing the line at any other point, and inserting an OTS splitter/regenerator device. This requires no sophistication, but it results in a one-time interruption which may be noticed and investigated by an alert technician.

A more subtle approach is to use a micro-bending clamp. This bends the fiber and clamps down on it, so that some of the light leaks through the strand which can be detected by an optical photo detector. The result is that the signal passes through unimpeded, while a copy of it is shunted off.

The techniques above are commercially available, and fairly inexpensive. Once the light is captured, an optical to electrical converter, a laptop and a packet sniffer can then be used to gather valuable information. And since this is not an electrical tap, signal reflection methods for measuring wire length to an impedance inflexion (tap) point cannot be used. Once a tap on a fiber-optic line is in place, it is virtually undetectable.

These and other more sophisticated tapping techniques can be found in the public domain.Also in the public domain, there are well known instances of Fiber Optic Network breaches, including:

In 2000, when three main trunk lines of Deutsche Telekom were breached at Frankfurt Airport

In 2003, when a tap was discovered hooked into Verizon's network. It was believed to be financial reporting espionage.

Taps have also been found on police networks in Germany and the Netherlands, and in the networks of pharmaceutical giants in the UK and France.

More information can be found on the Web by searching "fiber optic network security".

*****************************************************************************************************

To encrypt fiber optic communications, TCC offers an Ethernet solution, the Cipher X 7211 for speeds up to 1 Gb/s, and the DSD 72B-SP SONET/SDH encryption family for up to 622 Mb/s.

The SONET/SDH DSD 72B-SP interoperable encryption family seamlessly overlays on existing networks and has product variations to support military, rugged industrial and industrial environments. Key management is also automated and easily managed with KEYNET Optical Manager. It supports AES 256-bit encryption or a custom algorithm.

The Cipher X 7211 is a 1 Gb/s Ethernet optical encryptor. Its own fiber optic ports, which can be used instead of electrical interfacing, is especially suited for distance. The Cipher X 7211 has been deployed with single mode optics in the WAN port enabling a reach on the order of 10 km. Electrical Ethernet supports about 100 m, multi-mode optics 200 m to 500 m, and Ethernet single mode optics 10 km. Non-standard optics can reach approximately 40 to 70 km. The Cipher X 7211 seamlessly overlays onto existing networks and is easily managed with KEYNET.