
HSE – High Speed Encryptor

Certification Course
01 - Introduction
Product Introduction
Gemalto/Safenet Global Encryptor Sales
GOVERNMENT, DEFENCE AND COMMERCIAL CUSTOMERS in 35+ countries
HSE – Where are they used…
Your data, video and voice on the move:
• From site to site, or multiple sites
• From data centre to data centre, for backup and disaster recovery
• To the last mile, curb, cabinet…
• On-premises, up to the cloud and back again
How Secure is your network Traffic?
• Communications facilities, wires and fibres are not within your direct control
• As soon as unencrypted information leaves your premises you lose control
• Unless specified, service provider VPNs are not encrypted
• Practically anyone who has access to the physical infrastructure could view or pull out sensitive traffic
Carrier VPN Services – The Reality…
Most telcos do NOT offer encrypted services.
The term virtual private network (VPN) may sound good, but…
What is the risk with Fibre Optic Networks?
• It is well known that fibre can be tapped and is at risk of data theft.
• Tapping used to fall into the realm of national intelligence…
• Not any more!
• Available on the internet for around $1000
Fibre Optic Tapping…
Link to Gemalto Fibre Tap Animation
Product Features
What is HSE?
A family of dedicated hardware appliances that encrypts data across:
• Wide Area Networks
• Metro Area Networks
• Carrier VPNs
What should an Encryptor offer?
• Have zero impact on network performance, regardless of topology, protocol or traffic type
• Provide authenticated, end-to-end encryption
• Be certified by the world’s leading independent testing authorities
• Be simple to install, configure and maintain
• Be flexible enough to grow as network and encryption standards change over time
• Feature robust, standards-based algorithms
Network Encryption Best Practices
Encryption should never:
• Degrade network performance
• Slow down network traffic or services
• Be hard to configure
• Give variable performance
Network Encryption Best Practices
Poorly implemented encryption can degrade your network:
• Reduces throughput – introduces a bottleneck
• Increases latency
• Complex to manage and maintain
• No performance guarantees
High Assurance Encryption – What is it?
Federal Information Processing Standards (FIPS)
Certification - USA
The FIPS 140-2 standard is an information technology security
approval program for cryptographic modules produced by private
sector vendors seeking to have their products certified for use in
government departments and regulated industries (such as financial
and health-care institutions) that collect, store, transfer, share and
disseminate sensitive but unclassified (SBU) information.
Networking 101
OSI Model
• About the OSI Model
  • The Open Systems Interconnection model (OSI model) is a product of the ISO.
  • It is a way of sub-dividing a communications system into smaller parts called layers. A layer is a collection of similar functions that provide services to the layer above it and receives services from the layer below it.
• The data unit name per layer:

  Layer Number   Layer Name               Data Unit
  Layer 5-7      Session - Application    Data
  Layer 4        Transport                Segments
  Layer 3        Network                  Packet
  Layer 2        Data Link                Frame
  Layer 1        Physical                 Bit
OSI Model
The Physical Layer
• The Physical Layer is the first and lowest layer in the seven-layer OSI model of computer networking.
• The Physical Layer consists of the basic hardware transmission technologies of a network.
• The Physical Layer defines the means of transmitting raw bits rather than logical data packets over a physical link connecting network nodes.
• The Physical Layer provides an electrical, mechanical, and procedural interface to the transmission medium.
• The Physical Layer:
  • Interfaces with the Data Link Layer's medium access control (MAC) sublayer.
  • Performs character encoding, transmission, reception and decoding.
The Physical Layer - Continued
• Examples of Physical Layer hardware standards:
  • Ethernet
    • 10BASE-T, 10BASE2, 10BASE5, 100BASE-TX, 100BASE-FX, 100BASE-T, 1000BASE-T, 1000BASE-SX and other varieties
  • Varieties of 802.11 Wi-Fi Physical Layers
  • DSL
  • ISDN
  • T1 and other T-carrier links, and E1 and other E-carrier links
  • SONET/SDH
  • Optical Transport Network (OTN)
  • GSM Um radio interface physical layer
Ethernet
• About Ethernet
  • Ethernet is a family of frame-based computer networking technologies. It defines a number of wiring and signaling standards for the Physical Layer of the OSI networking model as well as a common addressing format and Media Access Control at the Data Link Layer.
  • Ethernet is standardized as IEEE 802.3. The combination of the twisted pair versions of Ethernet for connecting end systems to the network, along with the fiber optic versions for site backbones, is the most widespread wired LAN technology. It has been used from around 1980 to the present, largely replacing competing LAN standards such as token ring, FDDI, and ARCNET.
Ethernet Addressing
• An Ethernet (or MAC) address is 6 bytes long and has 2 portions of significance:
  • Organizationally Unique Identifier (OUI) (first 3 bytes)
  • Organization Assigned Portion (last 3 bytes)
• There are 3 types of addresses:
  • Unicast - addresses a single network device
  • Multicast - addresses a logical group of network devices
  • Broadcast - addresses all devices on a particular LAN segment
Ethernet – Continued
• About VLANs
  • A virtual LAN, commonly known as a VLAN, is a group of hosts with a common set of requirements that communicate as if they were attached to the same broadcast domain, regardless of their physical location.
  • A VLAN has the same attributes as a physical LAN, but it allows for end stations to be grouped together even if they are not located on the same network switch.
  • Network reconfiguration can be done through software instead of physically relocating devices.
Ethernet - Frame structure
• Ethernet frame structure
  • Preamble - Used to synchronize the data / indicate where the data flow starts.
  • Destination Address - Specifies the recipient's MAC Address
  • Source Address - Specifies the sender's MAC Address
  • 802.1Q tag – Allows the sharing of a physical Ethernet network link by multiple independent logical networks - Optional
  • EtherType - Identifies an upper layer protocol encapsulating the frame data. For example:
    • EtherType value of 0x0800 is IPv4; EtherType value of 0x86DD is IPv6
  • Payload – The actual data of Layer 3 (Layer 3 headers and data)
  • CRC/FCS - Uses a CRC-32 polynomial code to verify the frame integrity
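As an added example (not code from the deck or from Gemalto), a small Python parser for the frame layout above: it splits a frame into the fields listed, classifies the destination by the three address types from the addressing slide, decodes the optional 802.1Q tag and checks the CRC-32 FCS, i.e. the header a Layer 2 bump-in-the-wire encryptor must leave readable for switching versus the payload it protects. The 802.1Q TPID value 0x8100 and the sample frame are assumptions, not taken from the slides.

```python
import struct
import zlib

ETHERTYPE_IPV4 = 0x0800  # from the slide
TPID_8021Q = 0x8100      # 802.1Q tag protocol identifier (IEEE 802.1Q; not on the slide)

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def classify_mac(raw: bytes) -> str:
    """Unicast / multicast / broadcast. The I/G bit is the LSB of the first octet."""
    if raw == b"\xff" * 6:
        return "broadcast"
    if raw[0] & 0x01:
        return "multicast"
    return "unicast"

def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes, vid=None) -> bytes:
    """Build an Ethernet II frame (no preamble; the PHY adds it) with optional 802.1Q tag and FCS."""
    hdr = dst + src
    if vid is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)  # TCI with PCP=0, DEI=0
    hdr += struct.pack("!H", ethertype)
    body = hdr + payload
    # FCS: CRC-32 (IEEE 802.3 polynomial, same as zlib) over dst..payload, sent LSB first
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)

def parse_frame(frame: bytes) -> dict:
    """Split a received frame into the fields listed on the slide and check its FCS."""
    if len(frame) < 14 + 4:
        raise ValueError("frame shorter than header + FCS")
    body, fcs = frame[:-4], frame[-4:]
    fcs_ok = struct.unpack("<I", fcs)[0] == (zlib.crc32(body) & 0xFFFFFFFF)
    dst, src = body[0:6], body[6:12]
    ethertype = struct.unpack("!H", body[12:14])[0]
    offset, vlan = 14, None
    if ethertype == TPID_8021Q:
        if len(body) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack("!H", body[14:16])[0]
        vlan = {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF}
        ethertype = struct.unpack("!H", body[16:18])[0]
        offset = 18
    return {
        "dst": mac_str(dst), "dst_type": classify_mac(dst),
        "src": mac_str(src), "src_oui": mac_str(src[:3]),
        "vlan": vlan, "ethertype": ethertype,
        "is_length_field": ethertype <= 1500,  # 802.3 length rather than Ethernet II type
        "payload": body[offset:], "fcs_ok": fcs_ok,
    }

# Constructed sample: IPv4 multicast frame on VLAN 100 (addresses and payload are made up)
SAMPLE_FRAME = build_frame(
    bytes.fromhex("01005e000001"), bytes.fromhex("001b21aabbcc"),
    ETHERTYPE_IPV4, b"\x45\x00\x00\x14" + bytes(16), vid=100)

def corrupt(frame: bytes, index: int) -> bytes:
    """Flip one byte to show the FCS catching a transmission error."""
    out = bytearray(frame)
    out[index] ^= 0xFF
    return bytes(out)

if __name__ == "__main__":
    for f in (SAMPLE_FRAME, corrupt(SAMPLE_FRAME, 20)):
        p = parse_frame(f)
        print(p["dst"], p["dst_type"], p["vlan"], hex(p["ethertype"]), "fcs_ok" if p["fcs_ok"] else "FCS BAD")
```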
Networking cables:
Twisted Pair
• Twisted pair cabling is a type of wiring in which two copper conductors (the forward and return conductors of a single circuit) are twisted together for the purposes of canceling out electromagnetic interference (EMI) from external sources.
• In balanced pair operation, the two wires carry equal and opposite signals and the destination detects the difference between the two. This is known as differential mode transmission.
• The connector is 8P8C (8 position 8 conductor, often referred to as RJ45 in the context of Ethernet and category 5 cables).
• An Ethernet crossover cable is a type of Ethernet cable used to connect computing devices together directly where they would normally be connected via a network switch, hub or router, such as directly connecting two personal computers via their network adapters.
Networking cables:
CAT5 and CAT6
• Category 5 cable (Cat 5) is a twisted pair, high signal integrity cable type.
• This type of cable is used in structured cabling for computer networks such as Ethernet and ATM, and is also used to carry many other signals such as telephony and video.
• Most Category 5 cables are unshielded, relying on the twisted pair design for noise rejection.
• Category 6 cable (Cat 6) is a cable standard for Gigabit Ethernet and other network Physical Layers that is backward compatible with the Category 5/5e and Category 3 cable standards.
• Compared with Cat 5 and Cat 5e, Cat 6 features more stringent specifications for crosstalk and system noise.
• The cable standard provides performance of up to 250 MHz and is suitable for 10BASE-T, 100BASE-TX (Fast Ethernet), 1000BASE-T/1000BASE-TX (Gigabit Ethernet) and 10GBASE-T (10-Gigabit Ethernet).
• Category 6 cable also contains four twisted wire pairs. The increase in performance with Cat 6 comes mainly from better insulation.
• Cat 6 patch cables are normally terminated in 8P8C modular connectors.
Networking cables:
Optical Fiber
• An optical fiber cable is a cable containing one or more light transmitting optical fibers.
• The optical fiber elements are typically individually coated with plastic layers and contained in a protective tube suitable for the environment where the cable will be deployed.
• The cladding is usually coated with a tough resin buffer layer, which may be further surrounded by a jacket layer, usually plastic.
• These layers add strength to the fiber (they do not contribute to its optical properties).
• Rigid fiber assemblies sometimes put light-absorbing ("dark") glass between the fibers, to prevent light that leaks out of one fiber from entering another. This reduces cross-talk between the fibers, or reduces flare in fiber bundle imaging applications.
• The buffer or jacket on patch cords is often color-coded to indicate the type of fiber used.
Networking cables:
Optical Fiber - Modes
• There are two classifications for optical fiber: single-mode (SMF) and multi-mode (MMF).
• In SMF light follows a single path through the fiber while in MMF it takes multiple paths, resulting in differential mode delay (DMD).
• SMF is used for long distance communication and MMF is used for distances of less than 300 m.
• SMF has a narrower core (8.3 µm) which requires a more precise termination and connection method.
• MMF has a wider core (50 or 62.5 µm).
• The advantage of MMF is that it can be driven by lower cost VCSEL lasers for short distances, and multimode connectors are cheaper and easier to terminate reliably in the field.
• Its disadvantage is that due to DMD it can work only over short distances. To distinguish SMF from MMF cables, SMF cables are usually yellow, while MMF cables are orange (OM1 & OM2) or aqua (OM3 & OM4).
Gigabit Ethernet Transceivers – GBIC
• A gigabit interface converter (GBIC) is a standard for transceivers, commonly used with Gigabit Ethernet and Fibre Channel.
• By offering a standard, hot swappable electrical interface, one gigabit Ethernet port can support a wide range of physical media, from copper to long-wave single-mode optical fiber, at lengths of hundreds of kilometers.
• The appeal of the GBIC standard in networking equipment, as opposed to fixed physical interface configurations, is its flexibility.
• Where multiple different optical technologies are in use, an administrator can purchase GBICs as needed, not in advance, and they can be the specific type needed for each link.
[Pictured: Cisco-Linksys MGBT1 Gigabit 1000BASE-T Mini-GBIC; SFP; XFP transceiver]
Gigabit & 10Gigabit Ethernet
(1000BASE-T & 10GBASE-T)
• Gigabit Ethernet (GbE or 1 GigE) is a term describing various technologies for transmitting Ethernet frames at a rate of a gigabit per second.
• Implementation is usually full-duplex with switches.
• The 10 gigabit Ethernet (10GE or 10GbE or 10 GigE) standard defines a version of Ethernet with a nominal data rate of 10 Gbit/s (ten times as fast as gigabit Ethernet).
• 10 gigabit Ethernet supports only full duplex links which can be connected by switches.
• The 10 gigabit Ethernet standard encompasses a number of different physical layer standards.
• 10G Ethernet can also run over twin-ax cabling, twisted pair cabling and backplanes or fiber connections.
• 40 Gigabit Ethernet, or 40GbE, and 100 Gigabit Ethernet, or 100GbE, are Ethernet standards developed by the IEEE P802.3ba Ethernet Task Force, which started in November 2007 and was ratified in June 2010.
Platform Architecture
HSE Product Family

CN4000
Versatile and compact, the CN4000 desktop encryptor operates between 10Mbps-1Gbps.
The ideal low-cost, high-performance encryptor for SMEs.
Protocols: Ethernet
Topologies: All
Certification: Common Criteria EAL2+, FIPS 140-2 Level 3 and NATO – Restricted

CN6000
Rack-mounted encryptors for business-critical applications; operating at speeds between 1Gbps to 10Gbps.
Defence grade protection without compromising network performance.
Protocols: All Layer 2
Topologies: All
Certification: Common Criteria EAL2+, FIPS 140-2 Level 3 and NATO – Restricted

HSE Product Family

CN8000
Multi-link, multiple tenancy network data encryption without compromising bandwidth or network performance.
The optimal large-scale data network security solution for enterprise data centre and cloud service providers.
Protocols: Ethernet, Fibre Channel
Topologies: All
Certification: Common Criteria EAL2+ and FIPS 140-2 Level 3

CN9000
Ultra-fast, 100Gbps high-assurance encryption for ‘mega data’ networks and applications.
The first commercially available 100Gbps Ethernet encryptor to support the most complex fully meshed topologies.
Protocols: Ethernet
Topologies: All
Certification: FIPS 140-2 Level 3 & Common Criteria
HSE Hardware Product Portfolio

CN4010/CN4020
• Compact desktop enclosure
• 100/1000Mbps (scalable licensing) (10Mbps – CN4010)
• RJ45 (CN4010), SFP (CN4020)
• External plug pack
• LEDs
• Latency < 10uS
• CC EAL2+, FIPS 140-2 level 3

CN6010
• 1U rack mount enclosure
• 100/1000Mbps (scalable licensing)
• RJ45 electrical interfaces, pluggable optical SFP
• Dual redundant AC/DC supplies
• LCD/Key Pad
• User-serviceable fans/battery
• Latency < 8uS
• CC EAL2+, FIPS 140-2 level 3

CN6100
• 1U rack mount enclosure
• 1/10Gbps (scalable licensing)
• Pluggable optical XFP
• Dual redundant AC/DC supplies
• LCD/Key Pad
• User-serviceable fans/battery
• Latency < 6uS
• CC EAL2+, FIPS 140-2 level 3

CN8000
• 4U rack mount enclosure (10 blades)
• 10 * 1/10Gbps (scalable licensing)
• Pluggable optical SFP+
• Dual redundant AC/DC supplies
• LCD/Key Pad
• User-serviceable fans/battery
• Latency < 6uS
• CC EAL2+, FIPS 140-2 level 3

CN9100
• 1U rack mount enclosure
• 100Gbps (scalable licensing)
• Pluggable optical CFP-4
• Dual redundant AC supplies
• LCD/Key Pad
• User-serviceable fans/battery
• Latency < 1uS
• Certification: In process

All devices are interoperable and can be managed by SafeNet High Speed Management Platforms (SMC or CM7)
High Speed Encryption
• Best in class security
  • AES-256 and standards based key management/storage tools
  • Tamper proof enclosure
  • Independently certified: FIPS, CC, CAPS, NATO
• Simple to deploy (bump-in-the-wire technology)
  • Operates over layer 2 Ethernet WANs
  • Provides network agility and flexibility
  • 10Mbps-10Gbps link speeds (scalable)
• Low impact operation
  • Requires no network changes
  • Supports point-point, hub-spoke or full meshed topologies
  • Per VLAN cryptographic isolation
HSE Network Protocols
Ethernet rate limiting – Licenced Model
• Limits throughput to a licensed rate
• Available in FPGA models only
• Set in the factory by firmware load
• Examples:
  • 943-000051-001 – ETHERNET ENCRYPTOR,100MBPS,DUAL AC,CN6040
  • 943-000168-001 – ETHERNET ENCRYPTOR,125MBPS,DUAL AC,CN6040
  • 943-000052-001 – ETHERNET ENCRYPTOR,250MBPS,DUAL AC,CN6040
• Applies in both encrypt and bypass modes
• Excess traffic is discarded
Licence - Rate limiting implementation
• Does not support bursting or shaping
• If the throughput exceeds the configured maximum then frames are dropped
• Alarm/trap warning that bandwidth is being clipped
• You can change the rate limiting on a running encryptor but a reboot is required
• Delivered via an encrypted script – upgrade image (via USB or SNMP)
HSE Crypto-agility
• Fully in-field upgradeable
• Wide choice of built-in Elliptic Curves
• Bring Your Own Curve
• Design Your Own Curve
• Bring Your Own Key (Entropy)
• Configurable S-boxes
• Full bespoke customisation (GOST)
ARCHITECTURE: FPGAs vs ASICs

FPGAs (Field Programmable Gate Array)
• In-field updateable – protects end-user investment
• Fast time to market with new features
• Additional functionality easily added
• We own the code so the security can be easily evaluated

ASICs (Application Specific Integrated Circuit)
• Built-in obsolescence – may require unit replacement
• Long expensive development cycles
• Cannot extend functionality
• Hard to evaluate the security and functionality
Encryptor architecture
• FPGA encryption engine
  • Cut-through non-blocking frame processing*
  • Consistent latency and jitter
  • Independent of frame size
  • Control / data plane separation
• Latencies per device (approx.):
  • 100M – 20us
  • 1G – 9us
  • 10G – 5us
  • 100G – 2us

*With the exception of the CN9000, which uses a store & forward architecture
CV1000 Virtual Encryption
A brief history of our virtual encryptor
• Initial concept arose 2.5 years ago
• Born of a desire to get into the SDN market
• Seen as a desirable addition to the HSE product family
• First builds proved very useful for training, fault finding etc.
• Now we are launching the first official product
• Several use cases identified
• Ability to adapt to new services and features as needs change
CV1000 – Basics
• A software HSE in a Virtual Machine
• Functionally equivalent & interoperable with hardware HSE
  • Encrypts data in motion
  • Supports (mostly) the same encryption modes
  • SNMPv3 manageable
  • Designed for Layer 2 (TIM coming soon)
• Runs on industry standard hypervisors
  • VMware, KVM, VirtualBox, Hyper-V
• Two models
  • CV1000, CV1000-DPDK
CV1000 Identified use cases
1. Edge virtualisation - vCPE
2. Securing east-west traffic within data centre
3. Securing branch office / home office
4. Securing MPLS Layer 3 networks
5. …Others
CV1000 Known use cases
1. Edge Virtualisation (vCPE) for Telco Layer 2 network
Status: Tested and working – deal pending
• Flexible vCPE platforms @ customer edge
• RADview management and orchestration
• CM7 Device management
• Connection to HW HSE @ hub if required
CV1000 Use cases
2. Securing east-west traffic within data centre
Status: Supported today (layer 2 use case)
CV1000 Use cases
3. Cost effective branch / home office encryption
Status: Supported today (over layer 2), tomorrow over Layer 3 with TIM
CV1000 Use cases
4. Securing MPLS Layer 3 networks
Status: Will be supported with TIM
CV1000 – KeySecure Support
• CV1000 becomes a Gemalto Encryption Connector
• Increases VM assurance when used with FIPS certified KeySecure
• KeySecure provides:
  • Entropy generation (encryption keys)
  • Storage of master key for protection of critical security parameters on vmdk
• Supports virtual and physical KeySecure
CV1000 – Transport Independent Mode
• Will allow encryption at layer 2, 3 or 4
• Lower overhead than IPSec
• Encryption is optimized for the underlying environment
  • Layer 2 when possible for efficiency
  • Layer 3 or 4 when required (NAT, NETFLOW, JFLOW)
• Available 1H 2018
Physical vs Virtual Encryption obvious differences

Hardware HSE
• Hardware root of trust
• Tamper proof enclosure
• Hardware RNGs
• Cut-through HW encryption engine
• Deterministic ultra-low latency
• Multiple certifications (FIPS, CC, NATO etc)
• Traffic flow security
• Plug and Play
• QKD
• Variable throughput licensing options

CV1000
• Runs on 3rd party hardware
• No physical security
• No certifications
• Crypto offload: AES-NI
• Software RNG
• Performance is platform dependent
• Optional KeySecure Connectivity (‘hardened virtual appliance’)
Physical vs Virtual encryption
Optional Interface To SafeNet KeySecure
• Entropy generation
• Storage of master key for protection of critical security parameters
• ‘Hardened’ virtual appliance
SafeNet KeySecure from Gemalto is the industry’s leading centralized key management platform. It is available as a hardware appliance or a hardened virtual security appliance.
CV1000-DPDK
What is DPDK (data plane development kit)?

Without DPDK
• Network packets are processed in the Linux kernel
• Network interrupt processing in kernel is a bottleneck
• Fragile - a bug in kernel packet processing can cause the entire OS to crash
• Kernel programming options are not as flexible as user space

With DPDK
• Kernel is bypassed and packets are processed in user space
• No interrupts are required – ports are polled
• Huge memory pages store packets
• Multiple cores can be assigned (processor affinity)
CV1000 models compared

CV1000
• Encryption performed in kernel
• Requires exactly 4 processor cores
• Does not support GCM mode
• Estimated throughput: Up to 1Gbps*

CV1000-DPDK
• Encryption performed in user space with DPDK
• Can assign 1 to n cores (recommend 3)
• Performance ‘scales up’ with more cores
• Requires DPDK support in kernel and in HW (CPU & NICs)
• Supports GCM mode
• Estimated throughput: Up to 5Gbps*

* Platform dependent
CV1000 – Licensing Options
Two concurrent models:
• Sentinel RMS/EMS integration
  • Perpetual or subscription licence
• Senetas (Licensing Management System LMS)
  • 15 days Trialware
  • Senetas issues X.509 licence certificate for licenced period
  • Certificate bulk loadable by CM7
Sentinel RMS/EMS Model
• Standard Sentinel deployment
  • RMS – Embedded toolkit in CV1000
  • EMS – Web based licence and entitlement management
• Supports perpetual or subscription licensing
Senetas LMS model
• Entire network can be set up & operational without a licence
• Within the first 15 days a single licence request file must be sent to Senetas
• Single entitlement licence file is returned
• Single click deployment for entire network
Thank You
