
TRANSEC

Advanced Overview

© 2008 VT iDirect, Inc.


TRANSEC Operation

• iDirect ACC and DCC Encryption Channels
• Operational Encryption
• Public Key Infrastructure
• Acquisition & Authentication
• Acquisition Obfuscation
• Key Rolls
• Handling Security Compromises

Encryption Channels

• Acquisition Ciphertext Channel (ACC)
  • Only used during Acquisition and Authentication
  • Based on ACC key using AES 256 CBC symmetric encryption
  • Key is initially distributed to the remote manually, then updated over the air in operation
  • Key is rolled every 28 days by default. Key is stored if the power is turned off. Remote must manually rekey if it is out of network for two keyrolls.
• Data Ciphertext Channel (DCC)
  • The DCC channel encrypts all user data traffic with the DCC key using AES 256 CBC symmetric encryption
  • Masks activity with random blocks of data when remotes have no data to send ("Wall of Data")
  • Key is updated over the air every 8 hours by default. Not stored if power is cycled.

Operational Encryption

[Figure: Operational encryption between the TRANSEC Hub and Evolution e8000 Series Remotes. Diagram labels: Wall of Data, Hub System, Protocol Processor, IP encryptor, WAN, ACC key, DCC key, KR, IV, TOS, SA, DA, Demand Header, DID.]

Public Key Infrastructure (PKI)

• Host private keys/public keys
  • Asymmetric cryptography
  • Each host has a set of self-generated private and public keys used for certificate exchange and verification
  • 2048 bit long private / public keys (RSA)
  • These keys protect all network key exchanges
• Each network element has an X.509 certificate
  • A certificate is a document that connects a public key to an identity
  • Used to authenticate remotes and build a chain of trust
  • Certificates are issued by iDirect CA

Public Key Infrastructure (PKI)

[Figure: PKI and strong authentication between the TRANSEC Hub and Evolution e8000 Series Remotes. Diagram labels: Wall of Data, Hub System, Protocol Processor, IP encryptor, WAN, X.509 Certificate (DID #456789, Public Key, Signature), Strong Authentication, ACC key, DCC key, KR, IV, TOS, SA, DA, Demand Header, DID.]

TRANSEC Network Acquisition

• When and only when a remote is out of network, the hub periodically invites it to acquire on ACC channel.
• An out-of-network remote immediately responds to this invitation on the ACC with an "ACQ Burst" from which the hub calculates the timing, power and frequency offsets the remote must apply to successfully join the network.
• The hub and remote authenticate across the ACC using X.509 Certificate Exchange
• Current ACC and DCC keys are encrypted using the remote's public key (PKI) and distributed to each remote

Acquisition and Authentication

[Figure: Acquisition and authentication between the TRANSEC Hub (Protocol Processor) and Evolution e8000 Series Remotes. Diagram labels: two X.509 Certificates (DID #456789 and DID #123456, each with Public Key and Signature), ACC key, DCC key.]

ACQ Obfuscation

• To mask the actual acquisition activity, the hub will:
  • Issue dummy invitations to remotes already in network, so that it appears there is always some acquisition activity. Remotes in network will always burst in response to dummy invitations.
  • Deliberately not issue invitations for some slots, so the ACQ channel never appears full.
  • Issue normal invitations, in which some remotes will burst and others will not.
• Frequency, timing and power of "dummy" bursts will vary to hide usage patterns

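A small model of the invitation mix described above, added here as an illustration and not taken from iDirect code. The slot count, the probabilities `p_skip` and `p_dummy`, the remote names and all function names are assumptions; the varying frequency, timing and power of dummy bursts is not modelled.

```python
import random

def schedule_frame(slots, out_of_net, in_net, rng, p_skip=0.25, p_dummy=0.5):
    """Plan one ACQ frame: each slot gets ("dummy", id), ("normal", id) or None."""
    pending = list(out_of_net)
    rng.shuffle(pending)
    # Reserve one slot that is always a dummy and one that is always idle, so a
    # frame never looks silent and never looks full (needs slots >= 2, in_net != []).
    keep_busy, keep_idle = rng.sample(range(slots), 2)
    frame = []
    for s in range(slots):
        roll = rng.random()
        if s == keep_idle or (s != keep_busy and roll < p_skip):
            frame.append(None)                            # deliberately no invitation
        elif s == keep_busy or roll < p_skip + p_dummy:
            frame.append(("dummy", rng.choice(in_net)))   # in-network remote
        elif pending:
            frame.append(("normal", pending.pop()))       # real acquisition invite
        else:
            frame.append(None)
    return frame

def observed_bursts(frame, reachable):
    """What a channel observer sees per slot: True if some remote burst."""
    seen = []
    for inv in frame:
        if inv is None:
            seen.append(False)
        elif inv[0] == "dummy":
            seen.append(True)                 # in-network remotes always answer
        else:
            seen.append(inv[1] in reachable)  # out-of-network remote may be off
    return seen

def burst_counts(frames, slots, out_of_net, reachable, in_net, seed):
    """Bursts visible in each of `frames` consecutive frames (remotes stay put)."""
    rng = random.Random(seed)
    return [sum(observed_bursts(schedule_frame(slots, out_of_net, in_net, rng),
                                reachable)) for _ in range(frames)]

if __name__ == "__main__":
    in_net = ["r1", "r2", "r3"]               # constructed remote names
    quiet = burst_counts(200, 8, [], set(), in_net, seed=1)
    busy = burst_counts(200, 8, ["x1", "x2", "x3", "x4"], {"x1", "x2"}, in_net, seed=1)
    print("no real acquisitions:", min(quiet), "to", max(quiet), "bursts per frame")
    print("four remotes invited:", min(busy), "to", max(busy), "bursts per frame")
```

In both runs every frame shows at least one burst and at least one idle slot, so neither an empty nor a saturated channel ever signals how many remotes are really acquiring.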

Key Rolls

• Changing encryption keys periodically helps prevent attackers from deriving keys from captured data (cryptanalysis)
• iDirect TRANSEC makes rolling period configurable
• ACC key must be manually distributed the first time or if a remote is out of network for 2 ACC keyrolls

[Figure: Key Distribution Protocol between Peer 1 and Peer 2, with stages "Mutual Trust Established" and "Key Distribution Complete".]

Global Key Distributor

• Global Key Distributor (GKD)
  • GKD distributes ACC key among one or more networks
  • Allows roaming remotes to acquire into all networks
  • Multiple GKDs can be configured for redundancy
    • Within an individual hub
    • Between multiple hubs

Handling Security Compromises

• Zeroization is a process for removing all Critical Security Parameters (CSPs) from a network element.
  • Network configuration
  • DCC and ACC keys
  • Public/private key pair
• Certificate revocation adds a certificate to the CRL, breaking trust between an entity and the rest of the network.
  • Network acquisition fails
  • Key distribution ceases to work
• Operator-triggered key rolls, in combination with certificate revocation, prevent network elements from decoding data.

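Why revocation and a key roll are needed together, as an added state model that is not iDirect code. The `Hub` and `Remote` classes, the serials `serial-A` and `serial-B` and the step names are assumptions, and a plain assignment stands in for the public-key-encrypted key distribution.

```python
import secrets

class Remote:
    def __init__(self, serial, acc_key):
        self.serial, self.acc, self.dcc = serial, acc_key, None

class Hub:
    def __init__(self):
        self.acc = secrets.token_bytes(32)    # 256-bit ACC key
        self.dcc = secrets.token_bytes(32)    # 256-bit DCC key
        self.crl = set()                      # revoked certificate serials
        self.members = {}                     # serial -> Remote in network

    def acquire(self, remote):
        """Admit a remote only with a current ACC key and an unrevoked certificate."""
        if remote.serial in self.crl or remote.acc != self.acc:
            return False
        self.members[remote.serial] = remote
        remote.dcc = self.dcc                 # key distribution (public-key wrap omitted)
        return True

    def revoke(self, serial):
        """Put the certificate on the CRL; the element gets no further keys."""
        self.crl.add(serial)
        self.members.pop(serial, None)

    def roll_keys(self):
        """New ACC and DCC keys reach only members that are still trusted."""
        self.acc, self.dcc = secrets.token_bytes(32), secrets.token_bytes(32)
        for remote in self.members.values():
            remote.acc, remote.dcc = self.acc, self.dcc

def compromise_timeline():
    """Revoke a compromised remote, then roll keys; record what it can still do."""
    hub = Hub()
    good, stolen = Remote("serial-A", hub.acc), Remote("serial-B", hub.acc)
    hub.acquire(good)
    hub.acquire(stolen)
    steps = {}
    hub.revoke("serial-B")
    steps["revoked_still_decodes"] = stolen.dcc == hub.dcc   # old DCC key still live
    hub.roll_keys()                                          # operator-triggered roll
    steps["rolled_still_decodes"] = stolen.dcc == hub.dcc
    steps["revoked_can_reacquire"] = hub.acquire(stolen)
    steps["good_still_decodes"] = good.dcc == hub.dcc
    return steps

if __name__ == "__main__":
    for name, value in compromise_timeline().items():
        print(name, value)
```

Revocation alone leaves the compromised element holding the live DCC key until the next roll, which is why the operator-triggered roll follows the CRL update.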
THANK YOU
