
1 PacketLight Encryption
Solution: PL-1000TE Crypto, GbE, 10G, 40G Eth, 4G/8G/10G/16G FC

2 The RAD Group
No. of employees: 4,500
Group sales in 2014: $1.2 billion
The Service Assured Solutions Company, established 1981
CWDM and DWDM Solutions, established 2000
Network Test Solutions, established 1991*
Wireless Mobile Backhaul, established 1996*
Coordinated strategy, shared sales channels, joint development and technology
Group distributor in Israel and worldwide system integrator, established 1975
Integrated Application Delivery, established 1997*
DDoS Protection Solutions, established 2012
Industrial Communication Solutions, established 2009
Sub-6GHz Wireless Backhaul, established 1997
Hi-end Adapters for Servers, established 1987*
* Publicly traded companies

3 About PacketLight
Established in the year 2000
PacketLight develops state of the art CWDM, DWDM and OTN layer products for transport of data, storage, voice and video applications
All our products are green technology with low power consumption, compliant with international standards
Design and manufacturing in Israel
Thousands of installations worldwide
Member of the RAD group

4 The PacketLight Differentiators
Compact 1U solutions
All the features of a carrier class WDM product
Simple configuration process
Cost effective solution for CPE
Transports up to 100Gbps
Up to 96 channels

5 Building Agile CWDM, DWDM Infrastructure
PL products multiplex a variety of services (voice, data, video, storage) over CWDM or DWDM, on dual or single fiber, over a dedicated fiber ring, point-to-point link, linear add/drop chain, etc.

6 Building WDM + OTN Based Metro/Access networks
3rd Party OTN Infrastructure OTU2/OTU4

7 PacketLight Product Portfolio
Transponders: PL-1000TN (6 x 8G/10G OTN services); PL-1000TE-Crypto (8 x 1G-10G services); PL-1000T (100G transponder); PL-1000 (4 x 10G services)
OTN solutions: PL-1000GM/GT (100G muxponder/transponder)
Muxponders: PL-400 (8 x sub-10G services); PL (up to 16 any-service muxponder); PL-1000EM (10 x GbE muxponder)
Infrastructure: PL-1000IL (optical amplifiers); PL-1000RO (WSS ROADM); PL-300 (passive solutions)

8 Comprehensive Feature Set
Layer 1 encryption, 3R, multi chassis scalability, up to 96 wavelengths, mux/demux, remote management, bidirectional 3R, optical amplifiers, muxponder family, protection, single or dual fiber, network diagnostics, firewall, multiple topology support, NMS, SNMP, performance monitoring, CWDM/DWDM and OTN, ROADMs, network protocols

9 Encryption Essential and Awareness Is Growing
It is not so difficult to tap fiber optics; many YouTube videos show how simple it is
Governments have initiated new sets of laws and guidelines to protect essential and financial infrastructures
Hackers and cyber attacks are posing strategic threats to any enterprise

10 Benefit of Layer-1 Encryption
Encryption of all the data passing over the fiber, no room for omissions
Transparent, maintaining the full bandwidth of the traffic
Beneficial for low latency applications
Covers physical fiber tapping detection
Interfaces to existing DWDM infrastructure and telco OTN networks
No need to change or upgrade the Layer-2/3 switches/routers

11 Fiber Security Layers: Physical Layer, Data Plane, Management Plane
Physical Layer: optical power monitoring per service; automatic detection of fiber tapping
Data Plane: Layer-1 transparent full bandwidth encryption; GCM-AES-256 (Advanced Encryption Standard); Diffie-Hellman key exchange; authentication using SHA-256
Management Plane: SNMPv3; RADIUS; management firewall; HTTPS; Secure Shell

12 Encryption throughput

13 PL-1000TE-Crypto Features
"1U Data and Storage Layer-1 Encryption solution"
8 full bi-directional 3R multi type/rate transponders
8 independent AES-256 encryption machines and key exchanges, one per service
Fully compliant with FIPS Level 2 and NSA Suite B
Flexible, user configurable multirate interface support for: Data: GbE, 10GbE, 40GbE LAN; Storage: 4G/8G/10G/16G FC
Performance monitoring on all interfaces
Data flow transparent, ultra low latency
Optional 1+1 optical facility protection using an optical switch
Integrated passive optics (Mux/DeMux), optical amplifiers (EDFAs)
Pay as you grow architecture (pluggable SFP+s)
Dual redundant pluggable AC/DC PSU and FAN unit

14 PL-1000TE-Crypto Encryption Solution Description
Supports 8 independent bi-directional encryption/decryption machines
Each encryption/decryption machine can be configured to a different service rate/type and has its own key exchange and pre-shared secret
Conforms with known encryption standards: GCM-AES-256 (Advanced Encryption Standard); Diffie-Hellman key exchange; FIPS Security Level 2; Suite B; CNSSP-15 Cryptography
Encryption supports: confidentiality, data integrity, authentication
Supports user configurable services: 1G/10G/40G Ethernet; 4G/8G/10G/16G FC
Low latency: < 20 µsec for encrypted 10G ETH
Supports secured key distribution
8 optical transponders, optional Mux/DeMux, optical amp and OSW
Encryption mechanism: PL-1000TE

15 PL-1000TE Encryption Functionality
Requirement | Function | Algorithm | FIPS 140-2 Suite B Cryptographic Algorithm
Encryption | Encryption algorithm | GCM-AES-256 (FIPS 197 and SP800-38D) | Yes
Key Management | Key establishment | Elliptic Curve Cryptography Cofactor Diffie-Hellman (ECC CDH) with a Pre-Shared Secret, SP A |
Key Management | Message authentication | Message digest with a Pre-Shared Key: Secure Hash Algorithm 2 (SHA-256), FIPS 180-4 |
Self Tests | Integrity tests | On power up, check the digest of the software encryption modules and run test vectors with known answers (KAT) | N/A
Random Number Generator | Used for key generation | True Random (TRNG) with FDK-100, and Deterministic Random Bit Generator (DRBG), SP800-90 |
Access Control | Authentication | Role based, user/password authentication |
Physical security | Tamper evidence | |
EMI/EMC | FCC Part 15 Class A | |
Services | Supported services | GbE, 10GbE, 40GbE; 4G-FC, 8G-FC, 10G-FC, 16G-FC |

16 Mapping of the Encrypted Services
The mapping of the encrypted services is done according to the following table.
The bit rate of the encrypted 64b/66b service is the same as the client rate.
The Diffie-Hellman key exchange is done in-band to the encrypted signal.
Service | Client Rate | Uplink Rate | Encrypted Signal Rate
Encrypted 10GbE | G | 10GbE
Encrypted 1GbE | 1.25G | 2.125G | 2GFC
Encrypted 4G FC | 4.25G
Encrypted 8G FC | 8.5G
Encrypted 10G FC | G | 10GFC
Encrypted 16G FC | 14.025G | 16GFC
Encrypted 40GbE | 4x G | 4x 10GbE

17 PL-1000TE-Crypto Applications
Secured fiber network infrastructure for: government and data center connectivity; banks, credit card companies and other financial institutes; cloud providers and ISP backbone; utilities and essential infrastructure
Feeder of encrypted services to existing Optical Transport Networks (OTN)
Managed encrypted wavelength services offered by service providers
Internal data center secured connectivity

18 8 Encrypted Services Agnostic To Switch Vendor

19 Secured Fiber Network Infrastructure
Diagram: encrypted services between two PL-1000TE Crypto units; encryption managed by the customer; switch/router vendor agnostic at both ends: 1G/10G/40G Eth, 4G/8G/10G/16G FC

20 Encrypted Services Over OTN Backbone OTU2/OTU4
Diagram: 10/100G OTN backbone (OTU2/OTU4) over 3rd party OTN infrastructure

21 10G Encryption Over Standard 100G OTU4 Uplink
Diagram: dark fiber/OTU4; 10G LAN; 8G FC. 10G encrypted uplinks are fed into a 100G OTU4 uplink.

22 10G Encryption Over Standard 10G OTU2 Uplink
Diagram: dark fiber/OTU2; 10G LAN; 8G FC. 10G encrypted uplinks are fed into a 10G OTU2 uplink.

23

24 Service Type Selection

25 Encryption Configuration

26 Crypto Officer Functionality
The Crypto Officer is a single built-in user 'crypto' that is not manageable by the Admin user.
Only the Crypto Officer is allowed to change its own password (default: 'crypto').
Only the Crypto Officer has access to the Encryption tab with the pre-shared secret information and the Key Exchange Period. In all other respects the Crypto Officer behaves like a Read-Only user for GUI and CLI purposes.
The Crypto Officer user can log in to the device remotely via the Web GUI over HTTP/HTTPS. The Crypto Officer user is not available via SNMPv3.
To prevent the Admin from changing the service type from encrypted to non-encrypted, the Crypto Officer has the option to lock the encrypted service. For a locked encrypted service, the admin user cannot change the service type. In addition, if there is at least one locked service, the admin is not allowed to: restore to factory defaults, load a previously saved configuration file, switch between SW loads.

27 Firewall
The built-in firewall allows blocking of any selected IP address or protocol(s).

28 PL-1000TE Management Security
HTTPS – secured HTTP
SNMPv3 support
SSH – Secure Shell (secured Telnet)
SNMPv3 adds: View – what view you can see; Group – which group can see it; User – which user can see which view as part of a group

29 RADIUS
PL-1000TE supports RADIUS for centralized user management
Up to two RADIUS servers are supported for protection (redundancy)

30 Thank you!

31 More Technical Slides

32 AES Background
AES – Advanced Encryption Standard
Asymmetric encryption – for key exchange; protocols: SSH, VPN, Web
Symmetric encryption – for data
FIPS 197 – Federal Information Processing Standard; testing protocol to make sure the implementation is correct
AES-256 – the strongest encryption
Random Number Generator (RNG)

33 Advanced Encryption Standard (AES)
The Advanced Encryption Standard (AES) is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) in 2001. AES has been adopted by the U.S. government and is now used worldwide. It supersedes the Data Encryption Standard (DES), which was published in 1977. For AES, NIST selected three members of the family, each with a block size of 128 bits, but three different key lengths: 128, 192 and 256 bits. The algorithm described by AES is a symmetric-key algorithm, meaning the same key is used for both encrypting and decrypting the data. PL-1000TE uses the strongest version of AES, with a 256-bit key.

34 PL-1000TE Security Features
Data Plane: encryption; key exchange; power-up tests; optical power drop detection; Crypto Officer; optical power monitoring for tap detection
Management Plane: role based user/password authentication; protocols: HTTPS/SSH/SNMPv3; firewall; RADIUS

35 NIST FIPS 140-2 Security Level 2
© 2015 Coriant. All rights reserved.

36 Galois Counter Mode (GCM)
Galois/Counter Mode (GCM) is a mode of operation for symmetric key cryptographic block ciphers. It is an authenticated encryption algorithm designed to provide both data authenticity (integrity) and confidentiality. GCM is defined for block ciphers with a block size of 128 bits. PL-1000TE uses GCM with a message integrity code (MIC) of 128 bits.

37 Diffie-Hellman Key Exchange
DH/ECDH protocol compliant with SP A
Secure Hash Algorithm 2 (SHA-256) message digest
Protection against a Man-In-The-Middle attack with a 256 bits (64 bytes) Pre-Shared-Secret
Configurable Key-Exchange period with a granularity of 1 minute
The pre-shared secret consists of hexadecimal numbers

38 DH Algorithm
Alice and Bob agree to use a prime number p = 23 and base g = 5 (which is a primitive root modulo 23).
Alice chooses a secret integer a = 6, then sends Bob A = g^a mod p: A = 5^6 mod 23 = 8
Bob chooses a secret integer b = 15, then sends Alice B = g^b mod p: B = 5^15 mod 23 = 19
Alice computes s = B^a mod p: s = 19^6 mod 23 = 2
Bob computes s = A^b mod p: s = 8^15 mod 23 = 2
Alice and Bob now share a secret (the number 2)

39 Cryptographic Hash Function
A cryptographic hash function is a hash function which is considered practically impossible to invert, that is, to recreate the input data from its hash value alone. The input data is often called the message, and the hash value is often called the message digest or simply the digest.
The ideal cryptographic hash function has four main properties: it is easy to compute the hash value for any given message; it is infeasible to generate a message from its hash; it is infeasible to modify a message without changing the hash; it is infeasible to find two different messages with the same hash.
The PL-1000TE uses the SHA-256 hash function to authenticate the DH messages, and to compute the digest of the cryptographic modules for the power-up tests.
The SHA function takes the pre-shared secret to digest the Diffie-Hellman protocol messages. This way the peer side can ensure that the Diffie-Hellman message was not sent by someone else, which prevents the Man-In-The-Middle attack.
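The following is an added example, not code from the slides or from PacketLight, that runs the slide 38 exchange (p = 23, g = 5, a = 6, b = 15) and then adds the pre-shared-secret authentication of the DH messages described above. The slides only say the pre-shared secret is used to digest the DH messages; keying SHA-256 as HMAC-SHA-256, the 4-byte message encoding, and the sample secret are assumptions of this example. The `injected_a` parameter simulates a substituted public value on the wire to show why the receiver rejects it without the secret.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# Toy public parameters from slide 38: prime p = 23 and generator g = 5.
# The device uses ECC CDH; the arithmetic here is the textbook modular-exponent form.
P = 23
G = 5

# Constructed pre-shared secret; on the device it is the hex string the Crypto Officer configures.
PRE_SHARED_SECRET = bytes.fromhex("0123456789abcdef0123456789abcdef")


def dh_public(private: int, p: int = P, g: int = G) -> int:
    """Public value sent to the peer: g^private mod p."""
    return pow(g, private, p)


def dh_shared(peer_public: int, private: int, p: int = P) -> int:
    """Shared secret: peer_public^private mod p."""
    return pow(peer_public, private, p)


def authenticate(public_value: int, psk: bytes) -> bytes:
    """Keyed SHA-256 digest of a DH message (HMAC-SHA-256 is an assumption of this example)."""
    return hmac.new(psk, public_value.to_bytes(4, "big"), hashlib.sha256).digest()


def verify(public_value: int, tag: bytes, psk: bytes) -> bool:
    """Constant-time check that the message carries a digest made with the same pre-shared secret."""
    return hmac.compare_digest(authenticate(public_value, psk), tag)


def exchange(a: int, b: int, psk_alice: bytes, psk_bob: bytes,
             injected_a: Optional[int] = None) -> Optional[Tuple[int, int]]:
    """Run one authenticated exchange between Alice (secret a) and Bob (secret b).

    Returns (alice_secret, bob_secret) when both sides accept the peer's message, or None
    when a digest does not verify. `injected_a` replaces Alice's public value on the wire:
    whoever did that cannot recompute the digest without the pre-shared secret, so Bob drops it.
    """
    public_a = dh_public(a)
    tag_a = authenticate(public_a, psk_alice)
    public_b = dh_public(b)
    tag_b = authenticate(public_b, psk_bob)

    received_a = injected_a if injected_a is not None else public_a
    if not verify(received_a, tag_a, psk_bob):
        return None  # Bob rejects a public value whose digest does not match
    if not verify(public_b, tag_b, psk_alice):
        return None  # Alice rejects Bob's message (e.g. the two sides hold different secrets)
    return dh_shared(public_b, a), dh_shared(received_a, b)


if __name__ == "__main__":
    print(dh_public(6), dh_public(15))                             # 8 19, as on slide 38
    print(exchange(6, 15, PRE_SHARED_SECRET, PRE_SHARED_SECRET))   # (2, 2)
    print(exchange(6, 15, PRE_SHARED_SECRET, PRE_SHARED_SECRET, injected_a=dh_public(7)))  # None
```

The numbers reproduce slide 38 exactly; the third call shows the property slide 39 relies on: a substituted public value is rejected, so no shared secret is ever derived from it.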

40 Self Tests
A cryptographic module performs power-up self-tests and conditional self-tests to ensure that the module is functioning properly. Power-up self-tests are performed when the cryptographic module is powered up (including integrity tests, KAT, etc.). Conditional self-tests are performed when an applicable security function or operation is invoked. If a cryptographic module fails a self-test, the module must enter an error state and output an error indicator via the status output interface. The cryptographic module shall not perform any cryptographic operations while in an error state. All data output via the data output interface shall be inhibited when an error state exists.
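An added example, not code from the slides or from PacketLight, modelling the self-test behaviour described above: a power-up integrity test over the module image, a SHA-256 known answer test, a conditional test run on every RNG call (the FIPS 140-2 continuous RNG test that rejects a repeated output block), and an error state that inhibits all cryptographic output. The class, the module image bytes and the stuck entropy source are constructed for illustration; the SHA-256 answer for "abc" is the FIPS 180-4 example vector.

```python
import hashlib
import os
from typing import Callable, Optional

# Known answer for SHA-256("abc") from the FIPS 180-4 example vectors.
SHA256_KAT_INPUT = b"abc"
SHA256_KAT_EXPECTED = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"


class ModuleErrorState(Exception):
    """Raised when a cryptographic service is requested while the module is in the error state."""


class CryptoModule:
    """Constructed model of a FIPS 140-2 style module with power-up and conditional self-tests."""

    def __init__(self, module_image: bytes, expected_image_digest: str,
                 entropy_source: Callable[[int], bytes] = os.urandom):
        self.module_image = module_image
        self.expected_image_digest = expected_image_digest
        self.entropy_source = entropy_source
        self.error_state = False
        self.status = "not started"           # the status output interface
        self._last_rng_block: Optional[bytes] = None

    def _enter_error_state(self, reason: str) -> str:
        self.error_state = True
        self.status = "ERROR: " + reason      # error indicator on the status output
        return self.status

    def integrity_test(self) -> bool:
        """Compare the digest of the loaded software module with the value recorded at build time."""
        return hashlib.sha256(self.module_image).hexdigest() == self.expected_image_digest

    def known_answer_test(self) -> bool:
        """Hash a known input and compare with the published answer."""
        return hashlib.sha256(SHA256_KAT_INPUT).hexdigest() == SHA256_KAT_EXPECTED

    def power_up(self) -> str:
        """Power-up self-tests; the first failure puts the module in the error state."""
        for name, test in (("integrity test", self.integrity_test),
                           ("SHA-256 KAT", self.known_answer_test)):
            if not test():
                return self._enter_error_state(name + " failed")
        self.status = "OK"
        return self.status

    def _check_ready(self) -> None:
        if self.error_state or self.status != "OK":
            raise ModuleErrorState("data output inhibited: " + self.status)

    def random_bytes(self, n: int = 16) -> bytes:
        """Conditional self-test on each call: an output block equal to the previous one
        (a stuck entropy source) fails the continuous RNG test and halts the module."""
        self._check_ready()
        block = self.entropy_source(n)
        if self._last_rng_block is not None and block == self._last_rng_block:
            raise ModuleErrorState(self._enter_error_state("continuous RNG test failed"))
        self._last_rng_block = block
        return block

    def digest(self, data: bytes) -> bytes:
        """An approved service; refused while in the error state."""
        self._check_ready()
        return hashlib.sha256(data).digest()


def build_module(image: bytes, tamper: bool = False, stuck_rng: bool = False) -> CryptoModule:
    """Build a module whose expected digest was recorded over the original image; optionally
    load a modified image or wire in an entropy source that always returns the same bytes."""
    expected = hashlib.sha256(image).hexdigest()
    loaded = image + b"\x00" if tamper else image
    source = (lambda n: b"\x42" * n) if stuck_rng else os.urandom
    return CryptoModule(loaded, expected, source)


def service_available(module: CryptoModule) -> bool:
    """True when the digest service answers, False when output is inhibited."""
    try:
        module.digest(b"probe")
        return True
    except ModuleErrorState:
        return False


def draw_random(module: CryptoModule, calls: int) -> bool:
    """Request `calls` RNG outputs; False as soon as the conditional self-test fails."""
    try:
        for _ in range(calls):
            module.random_bytes()
        return True
    except ModuleErrorState:
        return False
```

The order matters: services check the status before doing any work, so a module that never passed power-up, or that failed a conditional test later, refuses every request rather than silently producing output.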

41 Crypto Officer
The Crypto Officer is a single built-in user 'crypto' that is not manageable by the Admin user.
Only the Crypto Officer is allowed to change its own password (default: 'crypto').
The Crypto Officer has access to the Encryption tab with the pre-shared secret information and the Key Exchange Period. In all other respects the Crypto Officer behaves like a Read-Only user for GUI and CLI purposes.
The Crypto Officer user is not available via SNMPv3. The Crypto Officer user can reach a box remotely via the Web GUI over HTTP/HTTPS only.
To prevent the Admin from changing the service type from encrypted to non-encrypted, the Crypto Officer has the option to lock the encrypted service. For a locked encrypted service, the admin user cannot change the service type. In addition, if there is at least one locked service, the admin is not allowed to: restore to factory defaults, load a previously saved configuration file, switch between SW loads.
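The separation of duties on slides 26 and 41 is a small role-based policy, and the point is easiest to see as enforcement code. The following is an added example, not code from the slides or from PacketLight: roles 'admin' and 'crypto', the action names, the "-encrypted" service-type naming, and the sample services are all constructed for illustration. It enforces that only the Crypto Officer touches the Encryption tab (pre-shared secret, key exchange period, service lock), that the Crypto Officer is otherwise read-only, that a locked service's type cannot be changed, and that any lock blocks restore-to-factory-defaults, configuration load and SW load switch.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Service:
    name: str
    service_type: str          # constructed naming, e.g. "10GbE" or "10GbE-encrypted"
    locked: bool = False       # set only by the Crypto Officer, only on encrypted services

    @property
    def encrypted(self) -> bool:
        return self.service_type.endswith("-encrypted")


class PermissionDenied(Exception):
    pass


class Device:
    """Authorization rules for the built-in 'crypto' user versus 'admin' (constructed model)."""

    CRYPTO_ONLY = {"set_pre_shared_secret", "set_key_exchange_period", "lock_service"}
    ADMIN_ACTIONS = {"set_service_type", "restore_factory_defaults", "load_config", "switch_sw_load"}

    def __init__(self, services: List[Service]):
        self.services: Dict[str, Service] = {s.name: s for s in services}
        self.key_exchange_period_min = 60
        self.pre_shared_secret = ""

    def any_locked(self) -> bool:
        return any(s.locked for s in self.services.values())

    def perform(self, role: str, action: str, **params) -> str:
        """Dispatch an action for a role; raises PermissionDenied when the rules forbid it."""
        if action in self.CRYPTO_ONLY:
            if role != "crypto":
                raise PermissionDenied(f"{role} may not {action}: Encryption tab is Crypto Officer only")
        elif action in self.ADMIN_ACTIONS:
            if role != "admin":          # crypto (and any other role) is read-only here
                raise PermissionDenied(f"{role} is read-only for {action}")
        else:
            raise ValueError("unknown action " + action)
        return getattr(self, "_" + action)(**params)

    # Crypto Officer functions (Encryption tab)
    def _set_pre_shared_secret(self, value: str) -> str:
        int(value, 16)                   # the pre-shared secret consists of hexadecimal digits
        self.pre_shared_secret = value
        return "pre-shared secret updated"

    def _set_key_exchange_period(self, minutes: int) -> str:
        self.key_exchange_period_min = int(minutes)   # granularity of 1 minute
        return f"key exchange every {self.key_exchange_period_min} min"

    def _lock_service(self, name: str) -> str:
        svc = self.services[name]
        if not svc.encrypted:
            raise PermissionDenied("only an encrypted service can be locked")
        svc.locked = True
        return f"{name} locked"

    # Admin functions, constrained by Crypto Officer locks
    def _set_service_type(self, name: str, new_type: str) -> str:
        svc = self.services[name]
        if svc.locked:
            raise PermissionDenied(f"{name} is locked by the Crypto Officer; service type cannot change")
        svc.service_type = new_type
        return f"{name} is now {new_type}"

    def _global_change(self, what: str) -> str:
        if self.any_locked():
            raise PermissionDenied(f"{what} not allowed while at least one encrypted service is locked")
        return what + " done"

    def _restore_factory_defaults(self) -> str:
        return self._global_change("restore-to-factory-defaults")

    def _load_config(self, filename: str) -> str:
        return self._global_change("load " + filename)

    def _switch_sw_load(self) -> str:
        return self._global_change("switch SW load")


def allowed(device: Device, role: str, action: str, **params) -> bool:
    """True when the action succeeds, False when the policy denies it."""
    try:
        device.perform(role, action, **params)
        return True
    except PermissionDenied:
        return False
```

The global restrictions (factory reset, config load, SW switch) are what make the per-service lock meaningful: without them an admin could undo the lock indirectly by reloading an older configuration.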

42 Management Interfaces and Protocols
OSC – 2x 100M/1000M optical interface
LAN – RJ45
Serial – RS232
Protocols: HTTP/HTTPS, Telnet/SSH, SNMPv1/SNMPv2c/SNMPv3, Syslog, RADIUS, TFTP/FTP
* secured protocols

43 Hardware Security: Conformance to EMI/EMC Requirements
EMI: Electromagnetic Interference. Does the module interfere with other equipment? EMI is caused by undesirable radiated electromagnetic fields or conducted voltages and currents.
EMC: Electromagnetic Compatibility. Does other equipment interfere with the module? EMC is the ability of electrical or electronic equipment/systems to function in the intended operating environment without causing or experiencing performance degradation due to unintentional EMI.
For Levels 1 and 2, an FCC Part 15 Class A certification is required.
Tamper evidence is required for Security Level 2.
PL-1000TE has FCC Part 15 Class A certification.
PL-1000TE uses special labels on the box screws for tamper evidence.

44 Optical Power Drop Detection
An event is created if the optical power drops by more than 2 dB
The event can be used to detect tapping attempts on the fiber

45 Additional Cryptography Terms
NIST – USA National Institute of Standards and Technology
NSA – USA National Security Agency
FIPS – NIST Federal Information Processing Standards; security requirements for cryptographic modules, rev. 2
Suite B – a subset of the cryptographic algorithms covered by FIPS 140-2, recommended by the NSA
Encryption – the process of encoding messages or information in such a way that only authorized parties can read them
Data Authentication – provides a way to check that the message has not been altered
Peer Authentication – provides a way to make sure that you are talking to a trusted other side, not an adversary
Symmetric Key – the same key is used for encryption and decryption
Key stream – key + IV
IV – Initialization Vector (also called "salt", "nonce"), used to ensure uniqueness of the key stream
CTR – a block cipher mode of operation that uses an incrementing IV counter as the key stream source
GCM – Galois Counter Mode; uses CTR mode for encryption and Galois multiplication for data authentication
MIC – Message Integrity Code, used for authentication
KAT – Known Answer Test; self-tests that are performed during the power-up self-tests
DRBG – Deterministic Random Bit Generator, used to generate a sequence of random numbers seeded from a TRNG
TRNG – True Random Number Generator, based on a pure source of entropy ("noise")
DES – Data Encryption Standard
AES – Advanced Encryption Standard (also referred to as Rijndael)

