SlingSecure is the most secure encrypted messaging provider for Blackberry & Android mobile devices on the market. SlingSecure secure messaging was designed specifically for encrypting mobile-to-mobile, mobile-to-landline communication via Blackberry / Android smartphones.
Our multiple security features and protocols ensure safe, anonymous and highly secure transmission between Blackberry & Android devices for users who may deal with sensitive information and anyone who wants their peace of mind.
Features:
Blackberry to Android Encryption
Mobile to Landline Encryption
Landline to Landline Encryption
Private SMS Encryption
Email Encryption Blackberry to Android.
Visit us today at www.slingsecure.com
2. Problem solving approach for secure network convergence
Problem
✓ Operators do not give direct IP connection between devices on different networks
✓ Main limitations are
• Private IP address
• “Rolling” IP address for mobile
• NAT
• Firewalling, etc.
✓ User identity and activity log cannot be hidden (e.g. for VIP closed User Group)
✓ Standard SIP protocol not designed for mobile networks
✓ Need to interconnect system/devices with different or legacy transport protocols (e.g. proprietary systems)
[Diagram labels: VoIP Server (×3); Mobile Terminal 1; Mobile Terminal 2]
3. Problem solving approach for secure network convergence
Solution
✓ Interconnection for secure voice & data communication between
• IP devices
• 3G - 4G & LTE mobile
• PSTN
• 2G mobile
✓ Pass-Through End-to-end Communication
✓ SlingSecure Network allows
• Independent communication and signaling management
• Closed user group in mixed mobile and fixed environment
• Encrypted call signaling
• Protocol conversion and adaptation when required
[Diagram labels: XServ Module (×3); PSTN to IP; User DB; Authentication and Key Management; PSTN Device; IP Device; End-To-End Full Duplex Secure Signaling]
4. X Serv
Interconnection for secure voice & data communication between IP devices
SlingSecure Network allows protocol conversion and adaptation when required (e.g. PSTN to IP)
Terminals
Devices connected to X Serv
• Mobile 2G/3G/4G/LTE/WiFi
• PSTN devices
[Diagram labels: SlingSecure; XServ Module (×3); PSTN to IP; User DB; Authentication and Key Management; PSTN Device; IP Device]
5. Cross Network Communication Server
✓ End-to-end Secure Communication
✓ Encrypted call signaling
✓ HW authentication
✓ Key Management
✓ Pass-through data channels
✓ Mobile IP Follower
✓ Mobile Carrier NAT/Firewall bypass (No STUN server required)
✓ Cluster based, scalable architecture
[Diagram labels: SlingSecure Network; XServ; XServ Module (×3); User DB; Authentication and Key Management; User A; User B; End-To-End Full Duplex Secure Channels]
6. XServ Management
• WEB Based (HTTPS) Interface
• Local Access
– Strong Authentication based on
• USB Secure Token
• Smart Card
• Remote
– Strong Authentication based on
• PKI
• Symmetrical Keys (OTP)
[Diagram labels: XServ; USEpro Device]
7. XServ Multiple Organizations
[Diagram: Organization (A) and Organization (B), each with its own XServ, User DB, Account, and Authentication and Key Management; users USR 1, USR 2, USR 3, USR 4 ... USR N; Inter-Force Key labels next to USR 2 and USR 3]
8. Communication Gateway
Multiple communication interfaces embedded into a flexible platform designed to deliver interconnection and security
✓ Physical conversion between heterogeneous channels (e.g. PSTN to IP)
✓ Logical adaptation between different protocols
✓ Multi-core, real time signal processing
✓ Hardware Encryption
Fully Customizable
[Diagram labels: SlingSecure Gateway; on demand; UMTS; EDGE; GSM; Phone, Line & Modems; USB Host; USB Device; Ethernet; SD Storage]
9. Devices connected to XServ
SlingSecure Network allows both mobile and fixed devices to be interconnected and perform secure voice and data communications
✓ Mobile 3G/4G/LTE
✓ Mobile 2G
✓ WiFi ready terminals
✓ PSTN Devices
• Telephone
• Fax
• Modems
[Diagram labels: 2.75G/3G; WiFi; 2G/3G/WiFi; 2G; Telephone; Fax]
10. SlingSecure Secure Phone Stack
Applications & Libraries for Secure Mobile Communication
Authentication and Encryption
Available platforms
✓ Full Custom
✓ Semi Custom
✓ COTS (e.g. Motorola, Nokia, HTC HW)
Secure Phone Stack (SPS) layers
• Application Layer: Clear Dialer, Crypto Dialer, Call List, Crypto Call List, Contacts, Crypto Contacts, SMS, Crypto SMS
• Libraries: Crypto Protocols, Graphic Libs (QT, ...), Crypto Engine (xSE based)
• OS Independent Wrapper (Audio, keypad, PM, Modem, etc.)
• Telephony API
• Hardware: microSE (mSE)
• Software: Secure Phone Stack (SPS)
Fully Customizable
11. mSE Micro Secure Environment
All the xSE features in a MicroSD
ASIC
✓ HW crypto engine
✓ Standard and custom algorithms
✓ SD card interface (up to 450Mb/s)
✓ Integrated memory (up to 4 GB)
✓ Internal keys database
✓ Suitable for Mobile Applications
[Diagram labels: SPI o BUS; NAND Flash; mSE]
12. SlingSecure Mobile Platforms
The SlingSecure range consists of 4 kinds of mobile platforms according to the required security level
• Software secure application on COTS terminals (e.g. Nokia, Windows Mobile, Android, etc.)
• Software secure application on COTS terminals with microSD (e.g. Nokia, Windows Mobile, etc.)
• Software secure phone stack (OS and applications) on COTS terminals (e.g. Motorola)
• Software secure phone stack on COTS terminals with microSD (e.g. Android)
[Diagram: grid of platforms A, B, C and D; axes Hardware Security and Software Security; labels COTS terminals, microSD on COTS Terminals, Software Secure Application, Software Secure Phone Stack]
13. Secure Voice Call Flow
Authentication
To launch the application and access the secure dialer, the user must enter the authentication password
Negotiation
A symmetrical communication key is negotiated between the caller and the called user when a secure voice call is set up or an incoming secure call is answered
Before starting the secure voice call the following elements are also negotiated by the devices
• Encryption/Decryption algorithm (multiple algorithm selection available)
• Vocoder type, mode and rate
• Secondary keys (e.g. used for sms)
Voice
Secure voice call starts after successful completion of the negotiation phase
[Diagram labels: Secure Dialer Access; Incoming/Outgoing Secure Voice Call Negotiation; Secure Voice Call]
14. Authentication
User Authentication
• User is asked to enter a password whenever the Secure Voice Application is launched
• Password can be asked only once or several times according to the user preferences
• Password can be changed at any time by the user
• Password is used to access the application and the key repository
Keys are encrypted by means of a key derived from the User Password
[Diagram: User Password, SHA 256, Hashed Password, Comparator, OK, Start Secure Dialer; labels: Stored on the mobile phone, Key Repository]
15. Key Repository
Two key secure repositories are stored on the mobile terminal (or on microSD)
• Manual Keys repository
• KMS - Key Management Server - Keys repository
Key secure repositories contain symmetrical pre-shared keys to be used standalone or combined with other secrets to encrypt/decrypt communications (voice calls, sms, messaging, etc.).
• Manual Keys
– Can be added, deleted or modified directly by the User using the Secure Voice Application menu
– Can be enabled according to the user preferences and/or KMS (Key Management Server) policies, if applicable
• KMS - Key Management Server - Keys
– Can be generated only by the KMS
– Can be added remotely (e.g. via sms) by the KMS
– Cannot be cancelled or modified by the user
16. Keys Security
Main fields
• KeyID (clear)
• Key Value (encrypted)
Secondary fields
• expiration date (encrypted)
• usage (encrypted)
• label (clear)
Keys are encrypted by means of a key derived from the User Password
• RND key is generated at keys Repository creation time
• RND key is encrypted and stored on the mobile phone
• Encrypted RND key is used in combination with the User Password to extract a key value from the encrypted keys Repository
• When the cryptographic microSD card is present Keys are sent encrypted in the microSD card
• Encrypted RND key is stored in the microSD
• Keys are decrypted and used inside the microSD
All the operations in the green area are performed in the microSD, if present
[Diagram labels: Key ID (4 bytes); Encrypted Key Value (16 Bytes); Encrypted RND Key; User Password; SHA 256; AES 256 (×2, with In, Out and Key ports); microSD; Clear Key Value (16 Bytes)]
17. Voice Call Key negotiation
Symmetric keys used to encrypt/decrypt communications can be created in three different ways
1) Pre-Shared keys
• Two lists of pre-shared keys are available:
– manual
– KMS generated
• One of the pre-shared keys that the caller and the called user have in common is selected at negotiation time to encrypt/decrypt the voice call
2) DH Diffie Hellman - Standard or Elliptic Curves based
• A symmetrical session key is negotiated at call time
• Standard DH version based on 4096 bit keys
• Elliptic Curves DH version is based on 571 bit keys, Koblitz GF(2^m) configuration
• The final Session key is the hash of DH result
3) A combination of the first two modes
• The final Session key is a combination of the two previous keys: SHA256(DH | SK)
Note: A Family Key can be added to all the previous mechanisms in order to create (sub)groups
18. Man in the middle
To detect a potential man-in-the-middle attack, two numerical authentication codes are generated from the SHA256 of the negotiated encryption key
Codes appear on the device screen during the call
At the start of the communication users should check these codes with each other by voice
MATCHing codes = NO INTRUDER interfering with the call
codes DO NOT MATCH = man in the middle ATTACK IN ACTION
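The session-key modes of slide 17 and the code comparison of slide 18, as an added Python example (not SlingSecure code). Assumptions: a toy 127-bit DH group stands in for the 4096-bit or elliptic-curve groups, `|` is read as concatenation, the 4-digit code format is invented for illustration, and the names `priv`, `dh_shared`, `session_key`, `auth_codes` and `call` are hypothetical.

```python
import hashlib

# Toy group (assumption, NOT secure): the slides specify 4096-bit DH or 571-bit
# Koblitz ECDH; a 127-bit Mersenne prime keeps this example short and offline.
P, G = 2**127 - 1, 3

def priv(label: str) -> int:
    """Constructed, deterministic private exponent so runs are repeatable."""
    return int.from_bytes(hashlib.sha256(label.encode()).digest(), "big") % (P - 2) + 1

def dh_shared(my_priv: int, peer_pub: int) -> bytes:
    return pow(peer_pub, my_priv, P).to_bytes(16, "big")

def session_key(dh: bytes = b"", sk: bytes = b"") -> bytes:
    """Mode 1: pre-shared key SK used as is. Mode 2: SHA256(DH).
    Mode 3: SHA256(DH | SK), reading '|' as concatenation (assumption)."""
    if not dh and not sk:
        raise ValueError("need a DH result, a pre-shared key, or both")
    return sk if not dh else hashlib.sha256(dh + sk).digest()

def auth_codes(key: bytes) -> tuple:
    """Two numeric codes from SHA256(key). The 4-digit extraction is an
    assumption; the slides do not specify the code format."""
    h = hashlib.sha256(key).digest()
    return tuple(f"{int.from_bytes(h[i:i + 4], 'big') % 10000:04d}" for i in (0, 4))

def call(sk: bytes = b"", mitm: bool = False) -> dict:
    """Simulate one call set-up; return both parties' keys and codes, plus
    the key an intruder (who never holds SK) can compute for the caller's leg."""
    a, b, m = priv("caller"), priv("callee"), priv("intruder")
    pub_a, pub_b, pub_m = pow(G, a, P), pow(G, b, P), pow(G, m, P)
    # An intruder in the path substitutes its own public value on both legs.
    key_a = session_key(dh_shared(a, pub_m if mitm else pub_b), sk)
    key_b = session_key(dh_shared(b, pub_m if mitm else pub_a), sk)
    return {"key_a": key_a, "key_b": key_b,
            "codes_a": auth_codes(key_a), "codes_b": auth_codes(key_b),
            "intruder_key": session_key(dh_shared(m, pub_a))}

if __name__ == "__main__":
    SK = bytes(range(16))  # constructed 16-byte pre-shared key
    for label, kw in [("DH only", {}), ("DH only + intruder", {"mitm": True}),
                      ("DH | SK + intruder", {"sk": SK, "mitm": True})]:
        r = call(**kw)
        print(f"{label:20} caller {r['codes_a']} callee {r['codes_b']} "
              f"intruder holds caller key: {r['intruder_key'] == r['key_a']}")
```

With DH alone, an intruder who substitutes its public value ends up holding each leg's key, and the mismatched codes are the only signal; in the combined mode the intruder's DH result is not enough to derive the session key without SK.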
19. Secure Voice Call Path
SECURE CHANNEL
Symmetric Communication Key
[Diagram: on each handset, transmit path MIC, ADC, Voc, Enc, Mod, ANT and receive path ANT, Dem, Dec, Voc, DAC, SPK; regions labelled CLEAR and CRYPTO across the Application Domain and Baseband Domain]
20. Application Voice Processing
• Access to microphone and speaker using the OS APIs
• Get 8KHz/16bit (128Kbit/s) Audio Samples from Mic
• Put 8KHz/16bit (128Kbit/s) Audio Samples to Speakers
• Compression of Audio Samples to a GSM/UMTS suitable rate using standard or custom Vocoders
• Encoding of microphone audio samples (from 128Kbit/s to ~5Kbit/s)
• Decoding of speaker audio samples (from ~5Kbit/s to 128Kbit/s)
• The vocoder can be exposed by the operating system or written in native language
• Voice Encryption/Decryption
• Encryption of encoded microphone audio samples
• Decryption of encoded speaker audio samples
• Cryptographic operations are performed by a dedicated HW or SW module
21. Voice Processing Components
• Application: Get Audio Samples; Audio Samples Encoding; Encoded Audio Samples Encryption; Send Data
• Libraries: Audio Libraries; Standard or Custom Vocoders; Crypto Library; Telephony API
• Drivers: Audio Drivers; MicroSD/Mass Storage Drivers; Baseband COM
• Hardware: Audio Codec and Microphone; Cryptographic MicroSD; Baseband Processor
Only for HW Crypto Engine (e.g. microSD)
Legend: SlingSecure provided; Operating System (e.g. by phone manufacturer)
* This diagram describes only the voice path from the microphone to the radio transmission
23. Secure Network Convergence - Case 1
Secure Voice over IP (2.5G, 2.75G, 3G, 3.5G, 4G, LTE, WiFi)
• Encrypted Signaling managed by XServ Pipecom Server
• Encrypted End-To-End voice packets managed by the IP Terminals (HW encryption)
[Diagram labels: VoIP Device 1; VoIP Device 2; X Serv; Encrypted Signaling (×2); Encrypted voice packets over End-To-End pass through Channel]
24. BlackBerry communication services
• Secure Voice over IP
• Secure eMail
• Secure Messenger
Complete scalable system allowing integrators and operators to deliver secure voice, messaging and email services over the BlackBerry platform using End-To-End HW based encryption.
Security
• HW token to guarantee high speed and strong security (2048 bit key length or higher)
• Proprietary service server
• Independent Secure Client architecture
Available 4Q 2010
[Diagram labels: X Serv; Encrypted Signaling (×2); End-To-End HW Encryption]
25. Land-Line to Mobile Telephone
System Elements:
• Analog Telephone
• SlingSecure Gateway to convert PSTN to IP
• 2.5G/3G/4G/LTE Mobile Phone (including mSE)
Secure Voice Call between standard PSTN telephones and Mobile phones
Hardware Encryption performed by
• SlingSecure Gateway on PSTN side
• mSE on Mobile Phone side
• Custom encryption algorithm (optional)
[Diagram labels: SlingSecure Gateway; XServ; Mobile; Encrypted Signaling (×2); End-To-End HW Encryption]
26. Secure Fax over IP
System Elements:
• Standard G3 FAX
• SlingSecure Gateway to convert PSTN to IP
Secure Data Call between standard PSTN FAX
Hardware Encryption performed by the SlingSecure Gateway
• Custom Encryption Algorithm
Two FAX mode settings:
• Direct Line
• Store and Forward
[Diagram labels: Standard G3 FAX (×2); SlingSecure Gateway (×2); XServ; Encrypted Signaling (×2); End-To-End HW Encryption]
27. Satellite Worldwide Connection
[Diagram labels: Satellite; Sat Link; IP over Sat; Internet; VoIP Server; Ground Station; Car System; Portable System; Marine System; WiFi (×2)]
28. CSD Proxy
[Diagram labels: ZONE 1; ZONE 2; GSM Area - CSD (No UMTS, No IP); GSM - CSD; CSD Proxy; CSD to IP Conversion; Secure Gateway; IP Network; IP; VoIP Server]
29. Secure Conference Call
[Diagram labels: SlingSecure Network; XServ; SlingSecure Gateway; IP Network; IP (×4); 3G Pipe; WiFi Mobile; 3G Mobile; Telephone; Secure Media Conference; Temporary Keys; Unique Conference Number]
30. Customizations (I)
Customization level & criteria are selected according to the mobile platform
Customization should be performed by the customer independently and without any knowledge or interference from SlingSecure
Mobile terminals without cryptographic microSD
• As the cryptographic library is an external module written in C/C++, customer can modify or add methods starting from a functional template provided by SlingSecure
• Customer can compile and overload the cryptographic library independently
• A simulation environment is provided together with required HW and SW tools
[Diagram labels: ANSI C functions; Customize; AES; Custom; DH; EC; KEY Mng; RNG; ANSI C Function; C++ Wrapper; Simulation; Custom Compilation; Testing Loop; Cross Compiled; Overloading]
31. Customizations (II)
Customization options for or microSD based mobile platforms
1) Smart Card based microSD (standard solution)
• Custom combination of standard algorithms can be implemented
• Cryptographic functions are exported as java card libraries
• SlingSecure can provide the basic applet and support to add/overload internal custom functions on “open” smart card based microSD provided by the Customer
2) Custom microSD (available on request)
• Micro controller based microSD card for deeper algorithm customizations - SlingSecure provided
• Same approach as for software library with ANSI C code executed inside the microSD
3) Software Library
• Custom algorithms are implemented as software library
• Basic cryptographic operations are kept inside smart card based or micro controller based microSD
32. File Server Authentication
✓ User Authentication to access Dmz File Server
✓ Radius-Tacacs + Ldap verifies user account and policies by the domain controller
✓ The domain server grants the authentication for the workstations to access Dmz File Server
33. Keys and Certificates (I)
✓ User groups in different VLAN are managed by dedicated switches
✓ Traffic policies managed by the security gateway
✓ Access managed by means of
• Secure Token (EAL5+ smartcard based) or
• Symmetric Key based OTP device or
• Certificates
[Diagram labels: Certificates; USEpro Device]
37. SlingSecure products are backed up by the support of the engineering and design team for
✓ Cost effectiveness
✓ Smooth system integration
✓ Timely solution delivery
The high level service & support for all SlingSecure View products allows the Customer to reach the desired result with the best cost to performance ratio