Fibre optic connections are often assumed to be secure, but they can be tapped. Senetas, a company that develops high-speed network encryption technology, explains how fibre tapping can be done with readily available devices. With some technical knowledge and effort, optical fibres can be tapped without detection by splicing into or polishing the fibres to create an evanescent wave coupler that splits the signal. While difficult, motivated attackers could potentially intercept transmitted data this way if not encrypted. Senetas recommends encryption to protect valuable data and discusses their CN range of encryptors that provide full-duplex encryption up to 10Gbps with low latency.
3. Company overview
• Senetas Europe, based in Basingstoke is a wholly owned subsidiary of Senetas Corp. Ltd. Australia
• An Australian ASX listed engineering company
• Developing high speed network encryption technology since 1997
• Currently sold to more than 35 countries globally
7. Why would someone tap an optical link?
• Live networks and back-up systems run remotely on high speed optical fibre
• Optic Fibre NOT secure
• Readily available fibre tap device bought on Net
• Intrusion undetected by information sender or receiver
• 480 million km of fibre deployed
• IDC estimates that only 30% of the digital universe is subject to security applications.
8. How - Clip on Coupler
• We can already prove that fibre can be tapped.
• What is contentious is whether this risk can be mitigated against without the need for encryption.
9. How - Light Touch Techniques
• The effect of this technique is similar to splicing.
• The extent to which the fibres are polished will decide on the tap ratio. This can be as low as 1% but up to 20% would be likely to be undetectable.
10. How - Light Touch Techniques
The polished evanescent wave coupler is based on bringing the cores of two fibres close together by removing part of the cladding and optically contacting the polished faces. By this process, the two cores behave as if they are contained within the same cladding.
12. Patents for fusing fibres
• Once you can splice there are a number of patented techniques for fusing more than one fibre WITHOUT breaking the original.
• You can check out:
– US 4989939
– US 5410626
– US 6862385
13. Main Message
‘If your data is worth millions then it’s worth spending thousands to get it’
• We do not suggest this is a trivial enterprise
• Nor could it be done by novices
• But we do suggest that this kind of attack is possible for moneyed and motivated people
14. Senetas CN range of Encryptors summary
• Encrypts ALL the contents of Ethernet and Fibre Channel frames
• Full duplex line-rate encryption up to 10Gbps < 7 microseconds latency
• All Senetas solutions centrally managed by CypherManager
• Certified - FIPS 140-2 level 3, Common Criteria EAL4+, CAPS IL3 baseline
• Ideal for Point to Point fibre links and MPLS Services
• Flexible licensing from 10Mbps to 10Gbps
15. Securing Data in Transit
Thank you for your attention.
Any Questions?
Editor's Notes
Senetas Europe are a wholly owned subsidiary of Senetas Australia. Senetas in Australia have been very successful in designing and supplying encryptors into the Asian markets for over 15 years. 18 months ago Senetas Europe was established to engage with partners to address both the private and public requirements for encryption solutions. And it is with great pleasure that we have with us today SelexElsag, our partner to supply CAPS approved into Government space, and Tellemachus, who specialise in addressing the security needs of organisations such as police forces.
What we do. The range of certified encryptors covers speeds from 2Mbps through to 10 Gbps and a range of protocols from E1/T1 to SONET/SDH. Our CAPS program is focused on the CN1000 1 and 10 gig Ethernet plus the Fibre Channel encryptors. Hopefully that gives you an idea of who we are and what we do, now we would like to show you why we do it. Introduce Graham Wallace.
It is demonstrable that with a cheap clip-on tapping device we can extract sufficient light to accurately reconstruct the transmitted data packet. However, this device introduces a loss of anything from 3-6dB depending on the wavelength being tapped. It is therefore detectable using simple Optical Time-Domain Reflectometer (OTDR) devices. It has never been our contention that this device is an appropriate tool for a serious cyber-thief. We believe only that it opens up the question of what is possible. Nevertheless there are scenarios we will consider which could use even this simple device.
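An added example (not part of the Senetas presentation): the tap ratios quoted on slide 9 expressed as received-power loss, with a simple step-drop check over transceiver power readings of the kind a link owner could poll. It assumes an ideal coupler with no excess loss; the function names, readings, window and threshold are constructed for illustration.

```python
import math
from statistics import median

def tap_loss_db(tap_ratio):
    """Through-path loss in dB when a fraction tap_ratio of the light is
    coupled out (assumption: ideal coupler with no excess loss)."""
    if not 0 <= tap_ratio < 1:
        raise ValueError("tap_ratio must be in [0, 1)")
    return -10 * math.log10(1 - tap_ratio)

def equivalent_tap_ratio(loss_db):
    """Fraction of power missing for a given loss in dB (inverse of above)."""
    return 1 - 10 ** (-loss_db / 10)

def detect_step_loss(rx_dbm, window=5, threshold_db=0.5):
    """Return (index, drop_db) for the first persistent drop in received
    power, or None. A drop counts only if every reading in the following
    window sits at least threshold_db below the median of the preceding
    window, so a single noisy sample does not raise an alarm."""
    for i in range(window, len(rx_dbm) - window + 1):
        baseline = median(rx_dbm[i - window:i])
        after = rx_dbm[i:i + window]
        if max(after) <= baseline - threshold_db:
            return i, round(baseline - median(after), 2)
    return None

# Constructed readings in dBm: a steady link near -5 dBm, then the loss of
# a 20% tap (about 0.97 dB) appearing at sample 8.
SAMPLE_RX_DBM = [-5.02, -4.98, -5.01, -5.00, -4.99, -5.03, -5.00, -4.97,
                 -5.98, -5.96, -5.99, -5.97, -5.95, -5.98, -5.97]

if __name__ == "__main__":
    for ratio in (0.01, 0.20):
        print(f"{ratio:.0%} tap -> {tap_loss_db(ratio):.2f} dB loss")
    hit = detect_step_loss(SAMPLE_RX_DBM)
    print("step detected (index, dB):", hit)
    if hit:
        print(f"power missing: {equivalent_tap_ratio(hit[1]):.1%}")
    # The alarm threshold sets the smallest loss this check can see.
    print(f"0.5 dB threshold misses losses under {equivalent_tap_ratio(0.5):.1%}")
```

A 1% tap costs about 0.04 dB, which is inside the jitter of these constructed readings, so power monitoring of this kind complements encryption and does not replace it.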
Guided Waves occur when light propagates along or is constrained by the physical boundaries of a waveguide. This is the case for a singlemode fiber where the denser core has refractive index n1 and the cladding is less dense with refractive index n2. When the core diameter is small enough that the number of possible totally internally reflected rays is reduced to one, thus allowing only a single mode of guided light, the concept of rays changes to modes which bend with or are guided by the core.
Indeed from the patent if you have a jig design which is specific to the fibre and the percentage of tap you wish to use then the whole process seems straightforward enough regardless of location. It’s really just about preparation.
I think that’s probably sufficient. I’d like to just revisit the main message slide I showed earlier and reiterate. We believe that serious cyber actors can tap fibre optic links without being detected or without being stopped in a timely fashion. Justification for encryption remains a function of data value and risk assessment but we would contend that you cannot make that judgement based on the idea that optical fibres are secure.
Senetas are the only vendor that offers a whole range of layer 2 appliance based solutions including Ethernet, fibre-channel, SONET/SDH and ATM from 10MB to 10GB throughput. 100Gb in development. Because the solutions run at layer 2 rather than layer 3 there is little or no overhead added to the data packets. The CN 10000 ethernet solution has ~ 7uS latency and 99.9% bandwidth availability. (Layer 3 solutions from vendors such as Check Point/Cisco use IPSEC and VPNs which encapsulate the whole packet adding significant overhead, especially on small frames such as those required for voice and video traffic). The Senetas layer 2 technology utilises a ‘cut through’ implementation rather than the layer three ‘store and forward’ characteristics. In the same way a switch has less impact on data delay than does a router. We currently are at the “in evaluation” stage with CESG (CAPS) which is due to be approved during 2012 and will be the only 1 and 10Gigabit layer 2 encryptors approved for HM Government. We already have FIPS140-2 and Common Criteria. The commercial and CAPS products are based on exactly the same hardware platform.