TRANSEC BASIC
2008 VT iDirect, Inc.

[Figure: Security Tradeoffs. Axes: Efficiency, Security. Plotted labels: DVB-S2; DVB-S2 w/AES; iNFINITI; S2 TRANSEC ACM; iNFINITI w/AES; S2 TRANSEC CCM; iNFINITI TRANSEC; Anti-Jam/Low Prob of Detect]

What is TRANSEC?
- Transmission security (TRANSEC) prevents an adversary from exploiting information available in a communications channel even without defeating encryption.
- With only link encryption, an adversary can still answer questions like:
  - What types of applications are active on the network?
  - Who is talking to whom?
  - Is the network or a particular remote site active now?
  - Based on traffic analysis, what is the correlation between network activity and real world activity?
  - Is a particular remote site moving?
  - Is there significant acquisition activity?

TRANSEC Goals

| TRANSEC Requirement | Benefits |
|---|---|
| Mask Channel Activity | Prevents transmission activity from being used as an intelligence gathering |
| Control Channel Information | Detection of repetitive data streams unsuccessful |
| Hub and Remote Authentication and Validation | Ensures only authorized use of network resources |

TRANSEC Goals: Mask Channel Activity
- Transmission activity can be used as an intelligence gathering mechanism
  - TDMA carriers are based on dynamic traffic bursts, so changing traffic volumes and the number of active senders can be detected.
  - DVB-S2 carriers send easily identifiable fill frames when there's no user data to send.
- These vulnerabilities allow adversaries to extrapolate information on timing, location or scale of strategic activities

TRANSEC Goals: Mask Channel Activity
- TRANSEC negates these risks by:
  - Using Free Slot Allocation for TDMA bandwidth distribution
    - Creates a constant wall of data regardless of traffic profiles
    - Free slots preserve bandwidth efficiencies of TDMA
    - Empty bursts are indistinguishable from user data
  - Creating fill-frames with random data for underutilized DVB-S2 carriers
    - Empty frames are indistinguishable from user data
  - Obfuscating acquisition activity
    - Creates traffic in the acquisition slot when no remotes are actually joining the network
    - Suppresses acquisition slot bursts even when remotes are acquiring
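
The fill-frame point above, as an added example (not iDirect code): a model of what a passive observer can infer from a carrier that pads with an identifiable fill frame versus one that pads with random data. The frame length, the all-zero fill pattern, the function names, and the use of os.urandom as a stand-in for encrypted frames are assumptions made for illustration.

```python
import os
import random
from collections import Counter

FRAME_LEN = 64                      # assumed frame size in bytes, illustration only
FIXED_FILL = bytes(FRAME_LEN)       # constructed stand-in for an identifiable fill frame

def carrier(load, slots, fill_mode, seed):
    """Return (frames, true_utilization) for one observation window.

    User frames are modelled as os.urandom output, standing in for
    encrypted payloads; this is a model, not real DVB-S2 framing.
    """
    rng = random.Random(seed)       # seeds only the traffic pattern
    frames, user = [], 0
    for _ in range(slots):
        if rng.random() < load:
            frames.append(os.urandom(FRAME_LEN))
            user += 1
        elif fill_mode == "fixed":
            frames.append(FIXED_FILL)
        else:                       # "random": fill looks like any other frame
            frames.append(os.urandom(FRAME_LEN))
    return frames, user / slots

def observed_utilization(frames):
    """Passive observer: treat any frame whose content repeats as fill."""
    counts = Counter(frames)
    return sum(1 for f in frames if counts[f] == 1) / len(frames)

def compare(slots=400, seed=7):
    """Observer's estimate for an idle and a busy carrier under both fill modes."""
    result = {}
    for fill_mode in ("fixed", "random"):
        for name, load in (("idle", 0.05), ("busy", 0.90)):
            frames, true_u = carrier(load, slots, fill_mode, seed)
            result[(fill_mode, name)] = (true_u, observed_utilization(frames))
    return result

if __name__ == "__main__":
    for (fill_mode, name), (true_u, seen) in compare().items():
        print(f"{fill_mode:6} fill, {name}: true={true_u:.2f} observed={seen:.2f}")
```

With fixed fill the observer's estimate tracks the true load exactly; with random fill the idle and busy carriers both appear fully occupied, so activity level is no longer recoverable from the frame stream.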

TRANSEC Goals: Control Channel Information
- When only user data payloads are encrypted, a great deal of data is still available
  - Both Layer 2 and Layer 3 packets have traffic engineering information (source, destination, priority, size) embedded in their headers
    - Size and priority information can betray the type of application in use
    - Source and destination tell an adversary who is talking and when
  - Control information sent in the clear can reveal network activity levels

TRANSEC Goals: Control Channel Information
- TRANSEC solves this by:
  - Encrypting both payload and header information, even at Layer 2
  - Independently encrypting network control information
  - Changing encryption keys frequently

TRANSEC Goals: Hub and Remote Validation
- Unauthorized use of network resources can lead to a man-in-the-middle attack
  - A remote might be spoofed and inserted into a secure network
  - A secure remote might be coerced into joining an insecure network
- While these kinds of attacks are extremely difficult even in non-TRANSEC environments, the risk of eavesdropping cannot be ignored

TRANSEC Goals: Hub and Remote Validation
- TRANSEC eliminates these threats by:
  - Using public-key cryptography
    - Key distribution
    - Message authentication
  - Employing X.509 standards for:
    - Verifying identities
    - Establishing trust between network elements
    - Providing methods for dealing with security compromises

TRANSEC Solution
[Figure: TRANSEC Solution diagram. Labels: Wall of Data; Hub System; TRANSEC Hub; Protocol Processor; IP encryptor; WAN; Evolution e8000 Series Remotes; Strong Authentication; X.509 Certificate (DID, Public Key, Signature); ACC key; DCC key; Demand Header]

Our TRANSEC Solution At a Glance

| TRANSEC Requirements | iDirect's Solution | Benefits |
|---|---|---|
| Mask channel activity | Free slot allocation creating uniform size of all TDMA slots; Wall of Data and Acquisition Obfuscation | Negates the risk of using transmission activity as intelligence gathering mechanism |
| Control Channel Information | FIPS 140-2 certified encryption; 256-bit keyed AES encryption; over-the-air key update feature | Detection of repetitive data streams unsuccessful |
| Hub and Remote authentication and validation | Public and private key encryption on remotes and hubs; X.509 digital certificates | Ensures remotes and hubs are authorized and validated |

Installation of TRANSEC-enabled networks made easy