
CRYPTOMAGAZINE

For the customers of Crypto AG, Switzerland 2/2008

MAINTAINING SOVEREIGNTY IN THE AIR

EDITORIAL

Dear Reader,

Some claim that freedom in the air is unlimited. But this has not been the case for some time. Since civil aviation has become an affordable means of transport for many, high-altitude airspace is in ever shorter supply. According to the Airports Council International, around 4.8 billion passengers and 88.5 million tonnes of goods were transported by air last year, giving rise to over 76 million flights. The smooth, safe operation of aviation in general requires overall surveillance organisations.

One of the main tasks of air forces is to ensure that proper order is maintained in aviation airspace. This task is complex enough, but is exacerbated by the fact that there are those at work in the air with malicious aims: hijacks, unauthorised overflights in third-party airspace and shooting down aircraft are among the real threats. The air forces are in demand, and this is at a time when a transformation process of the armed forces (land, sea and air) is already under way.

This edition of the Crypto Magazine is devoted to the air forces. We take a look at the work of modern air forces and seek to show how we can help and support them and our other customers with our solutions and products. I would like to draw particular attention to the new Crypto Mobile Client (article starting on page 15). This small, handy unit is set to become a constant travelling companion for all those who want to work on the move while keeping their data secure.

I wish you interesting and absorbing reading.

President and Chief Executive Officer
Giuliano Otth

CONTENTS

- FOCUS: Transformation process in the air forces. Maintaining sovereignty in the air
- INTERVIEW: Interview with the Swiss Air Force. Aerial surveillance does not stop at the border
- FOCUS: Digitalisation and automation open up new dimensions. A second life for radio communications
- FOCUS (page 11): Encryption for communication security, frequency hopping for transmission security. For secure communication channels
- FOCUS (page 13): Successful installation of MultiCom Radio Encryption in helicopters. Protected communication in the air
- FOCUS (page 15): The Crypto Mobile Client makes a good personal travelling companion. A small, powerful encryption unit for IP VPN
- SERVICES (page 18): Crypto Services (I). Establishing and maintaining ICT security is a priority
- SWISSNESS (page 20): Series: Switzerland. A land for brilliant minds
- SECURITY AWARENESS (page 22): USB Sticks & Co.: small, but not without risk

TRANSFORMATION PROCESS IN THE AIR FORCES

MAINTAINING SOVEREIGNTY IN THE AIR


The main task of an air force is to protect the airspace positively for the state and its people. This essentially includes maintaining sovereignty in the air, providing rescue and assistance operations, supporting ground forces and protecting land and buildings. The new risks and dangers from international terrorism on the one hand and the challenges of the transformation process on the other present modern air forces with a substantial task.
Beatrice Huber and Dr Silvan Frik*

On 11 September 2001, on the east coast of the USA, four passenger-carrying aircraft were hijacked with the aim of using them for terrorist attacks against the American state, possibly representing the whole of the western world. The terrorists steered two of these aircraft into the twin towers of the World Trade Center in New York, which collapsed as a result. A third aircraft crashed into the Pentagon, the main headquarters of the US Ministry of Defence. The fourth aircraft crashed near Pittsburgh without achieving the hijackers' actual objective. The number of victims ran to a total of over 3,000, the vast majority of them civilians. These were by no means the first terrorist attacks, but they showed a new dimension. Large-capacity civil aircraft were deliberately hijacked with the aim of causing widespread damage. This poses a significant and very difficult question for the armed forces, in particular air forces: is it acceptable to shoot down a passenger aircraft and therefore knowingly accept the deaths of civilians in order to protect the lives of the civilian population on the ground?

Despite the attacks of 11 September and the current high fuel prices, civilian air travel is booming. It is therefore no wonder that airspace over some countries has become crowded as a result. This means that, even without the threat of terrorism, ensuring the safety of airspace has become a major challenge. This is not just a matter of safeguarding against accidents (as, for example, is also done on the roads) but also against malicious acts. The primary responsibility for ensuring this safety lies with the air forces of the nations in question. For example, the German Air Force maintains that, even though widespread attacks from the air have now become unlikely in many regions, nevertheless, measures should be taken to ensure that the capacity is in place to counter potential dangers, for instance from terrorist attacks.

Changing threats

It is not only the influence of 11 September: towards the end of the Cold War there was increasing awareness that the nature of threats worldwide had changed. Instead of two states of more or less equal strength opposing one another, the political security situation of today is more diffuse: states breaking down, simmering conflicts over resources such as water, oil or, most recently, food, the resultant migrations, organised crime and global terrorism all make up the wider picture, while conflicts nowadays are happening ever more frequently among the civilian population. The world has not become a safer place over the last 20 years.

The tasks facing today's air force

The changed political security arena affects the demands placed on air forces. The primary task of air forces, maintaining sovereignty in the air, remains unchanged, but in recent times threats to airspace have increasingly come from non-state protagonists. These include unauthorised overflying and the kinds of terrorist attacks already referred to. The Swiss Air Force is among those that have to face this task. Switzerland's central location in Europe also makes it a hub of both civil and military aviation, making the airways overcrowded. This is reflected in the range of activities undertaken by the Swiss Air Force:

- Air police service
- Air defence
- Air-ground combat
- Aerial reconnaissance
- Air transport, domestic and abroad

The air police service and, where necessary, air defence ensure that sovereignty in the air over Switzerland is maintained. Like the road traffic police, the air police service ensures smooth-running and thus safe aviation. As Switzerland has expanded the concept of security, the military is often assigned support duties in natural or humanitarian disasters. This includes the air force. These duties are not only carried out in Switzerland itself (for example in the case of avalanches or forest fires) but also relate to peacekeeping or humanitarian interventions abroad.

Executive information systems

To enable the effective evaluation of all aspects of a threat, there must be the capability for early detection and risk assessment. This is evident, for example, in humanitarian interventions, where the air force is often the only, and certainly the fastest, way to reach those in need. However, these interventions are frequently undertaken in an unstable environment. The planes and helicopters, and above all their crews, are exposed to substantial dangers either from military attack or looting. Reconnaissance and monitoring enable an overview to be gained relatively quickly.

High-performance computer-assisted executive information systems make an important contribution. Data from sensors and information from intelligence enter the system, helping to create an overview of the situation so that the most appropriate measures can be implemented.

During the time of the Cold War, the main driving force behind development was the military, above all the US Army. This has changed. Now, the essential developments for executive information systems come from private enterprise (information and communications technology, logistics). This should lead to an increase in efficiency, endurance and operational flexibility for the air forces. One aspect of this transformation is that there is no longer a predefined ultimate status, but merely capabilities described as interim objectives.

This means that executive information systems provide assistance not only for the operations themselves, but also at the planning stage. Several operations can be planned at the same time. This also leads to a new management philosophy for the deployment of the armed forces, which combines the known strengths of mission tactics with the ever-increasing possibilities offered by the information age. It goes without saying that the provision of the most appropriate situation data for any given role is crucial. The German Air Force requires that information-related advantages can be translated into real advantages when taking military action, which should substantially increase the effectiveness of actual operations. The focus here is naturally on information and communications technologies.

Unmanned aerial vehicles

A further technical development that has changed the work of the air forces is what is known as UAV, or Unmanned Aerial Vehicles. These remote-controlled aircraft are also called drones. A typical field of application is in aerial reconnaissance. The aircraft are fitted with high-resolution cameras, which can record the model and even the registration number of a car, at night or in fog. Those responsible for the remote control of these UAVs may be nearby, but may equally be thousands of kilometres away. The advantage of these aircraft is that they can stay in the air much longer and can also ascend to higher altitudes than manned aircraft. Drones are also cheaper to buy.

* Beatrice Huber is Corporate Editor and Dr Silvan Frik is Head of Marketing Services at Crypto AG.

Sources: The Swiss Air Force website (www.luftwaffe.ch); the German Air Force website (www.bundeswehr.de and www.luftwaffe.de); the Austrian Air Force website (www.bmlv.at); "Die Rolle der Luftstreitkräfte im neuen sicherheitspolitischen Umfeld", Jürg Studer, Military Power Revue der Schweizer Armee Nr. 1-2008; "Sicherheitspolitische Information", March 2008, Swiss Association for Security Policy and Military Science (VSWW); Wikipedia; press articles


INTERVIEW WITH THE SWISS AIR FORCE

AERIAL SURVEILLANCE DOES NOT STOP AT THE BORDER


The smooth, safe operation of aviation in general (in 2007 over 76 million flights were recorded in civil aviation alone) requires overall surveillance organisations. This is one of the duties of the air forces of all countries. What else do they do? Crypto Magazine talked to the Swiss Air Force.
Interview: Beatrice Huber

What are the main duties assigned to the Swiss Air Force?

The main duties of the Swiss Air Force are: maintaining sovereignty in the air (protection of the airspace, air police), air transport and procurement, and the analysis of news and information for the political and military leadership. These three principal tasks continue to be required of our air force, with instructions given by the Swiss Federal Council and the Swiss Parliament. This also applies to any future interventions that may be asked of us.

How have the duties changed over the last 20 to 30 years?

The air force duties have not changed fundamentally over the last 20 to 30 years, although the direct support of ground forces by fighter bombers is no longer provided since the decommissioning of the Hunter in the mid-1990s. For the same reason, aerial reconnaissance using manned fighter planes (Mirage III RS) has also no longer been possible since the beginning of 2000. Aerial reconnaissance is now carried out to a great extent by the ADS drone system. Over the last 30 years our air force has developed from a task force made up of first-generation aircraft (Venom, Hunter, Alouette 2 and 3) through the second generation (Mirage III, Tiger F5, Hawk, Super Puma) to a modern force using third-generation aircraft (F/A18, Cougar, EC635, PC21). Some of these have the capability of undertaking complex tasks using Datalink and FLIR (Forward Looking Infra Red). Weapons, such as guided missiles and jamming systems, have also developed over the same period of technological progress.

The air force also carries out missions together with other organisations, military or civilian, for example aerial surveillance. How is this organised from the Swiss point of view?

Aerial surveillance is primarily carried out electronically. The modern FLORAKO system is in use 24 hours a day, 365 days a year, in combination with civilian sensors and the modern F/A18. In the dynamic environment of the third dimension, it goes without saying that this surveillance does not stop at the border. Appropriate contracts with our neighbours are in place or in course of negotiation. During major events such as the annual WEF and the European Football Championships held in June in Switzerland and Austria, the level of aerial surveillance is more or less similar, but the deployment of aircraft is more complex, as they are often armed and fly in complicated airspace structures. Without this safeguarding of the airspace by the air force, it would not be possible to hold these events.

The Swiss Air Force also undertakes operations abroad. What kind of operations are these? What challenges arise when working with foreign forces? What is different/special about such operations?

Operations abroad are above all in connection with providing air transport daily in Kosovo and Bosnia. But humanitarian operations are also undertaken to the benefit of civilian authorities and populations in Italy, Austria, Albania, Sumatra, Portugal and Greece. Training flights are undertaken together with other friendly air forces in Europe, using modern air transport craft (Super Puma, Cougar) and combat aircraft (F/A18) on a weekly or daily basis. This is a matter of practising special operations or noise-intensive flights that cannot be carried out in our country, or only with difficulty. They include supersonic flights below 10,000 m AMSL and intensive night-flying training, and are often carried out together with foreign, friendly air forces. The training is based on Memoranda of Understanding drawn up between the countries involved. These operations are very valuable for our crews and indispensable for maintaining the necessary training levels. Depending on the location, the logistical aspects are a major challenge, as we still lack sufficient means, notably transport aircraft.

Thank you very much for your comments!

This interview was carried out by correspondence.
Further information: Website of the Swiss Air Force: www.luftwaffe.ch

DIGITALISATION AND AUTOMATION OPEN UP NEW DIMENSIONS

A SECOND LIFE FOR RADIO COMMUNICATIONS


There's life in the old dog yet, so the saying goes. Many high-tech adherents may once have been keen to condemn radio communications to the scrap heap, but the opposite now holds true: digital technology has not only revolutionised fixed networks and satellite links, but also done the same for working with radio waves! This has enabled HF/VHF radio to reposition itself in the spectrum of global networking as a fully adequate channel with specific advantages in certain important areas of application.
Dr. Rudolf Meier*

In the shadow of widespread global networking with fibre optic networks and satellite links, radio technology has also experienced some major technological developments, which have gone more or less unnoticed by many. Properties such as the use of bandwidths, transmission quality, availability and operational automation have been enormously improved: integrated radio networks are now fulfilling more communications needs than ever before. Just a brief look at the most important areas of development shows where the additional potential of modern radio communications lies.

Software defines functions

The idea of experienced radio operators sitting by their radio and setting the various resonant circuits manually with knobs and switches is definitely a thing of the past. Apart from the actual HF resonant circuits on the receiver/transmitter frequency (analogue technology is necessary here for reasons of physics), almost all signal values are digitised and can be processed by digital signal processors (DSP). This is the primary reason for the new dimension of HF and VHF radio: the properties and functions of modern radio equipment (transmitters and receivers) can be defined, operated and controlled completely by software. A Software Defined Radio (SDR) can in principle be programmed for anything without requiring hardware intervention, whether relating to frequency bands, selection or adjustment, or the operating mode or power control. Most of these functions can be automated. A modern radio unit generally takes the form of a universal module in an overall communications system, which can be used together with almost any other technology required.

Automated link establishment

Even searching for and selecting an appropriate frequency are no longer done manually: automated link establishment (ALE) technology makes the radio operator redundant. It is well-known that HF frequencies have widely varying broadcast conditions, which can change quickly. The decisive step forward with ALE is that the radio system constantly tests automatically (several times a second) the optimum frequency channels for a link between A and B by transmitting brief impulses and receiving them at the outstation. The measured link qualities are recorded in a matrix. If a useful link is then to be established between A and B, the system can immediately read and set up the current best frequency (and possibly operating mode) from the matrix. The user is usually unaware of any of this process: in a realistic ideal situation it will no longer be relevant to him whether he is using a fixed network connection or a radio channel; in both cases, the link is more or less immediately available.

International standards are in place for ALE processes; these take account of the latest technological developments. The current generation is based mainly on STANAG 4538. Within this standard, further parameters are defined, for example relating to modem technology. These ensure, among other things, that links and channels can be established and used even under poor conditions. Link protection mechanisms against spoofing are also defined, i.e. the ALE impulses are protected by scrambling methods. It goes without saying that radio communication should always be encrypted.

Optimum bandwidth use

Modem technology is the most complex aspect of HF data transmission, but also that in which the greatest technological advances have been made. Because today's information is transmitted in digital form, the bits must be transferred in a suitable form to the analogue radio waves within the physically strictly limited frequency bandwidth available with radio waves. The digital phase modulation (phase shift keying) customary today has also been adapted and developed for HF radio channels. The principle is that the transmitter wave is not up-modulated to a continuous sine signal, but individual wave segments (symbols) out of phase with one another are transmitted. Each phase displacement can be encoded by the transmitter and receiver as a digital signal (1 or 0). In this way, all possible kinds of information can be transferred in digital form.

[Figure: phase displacement. Wave 1 and wave 2 plotted over 0° to 360°; wanted signal and modulated carrier signal plotted over time t; interpretable phase displacement of 45° marked on a dial with 180° and 270°.]

An example of 45° phase displacement (vector rotates anticlockwise): the second sine wave starts 45° later on the time axis and, displaced accordingly, runs after the first sine wave. The phase displacement is recognised by the demodulator and interpreted as a bit value. Several phase displacements are possible per complete 360° sine wave, increasing the data throughput rate.

The advance lies in the fact that the phase length within a complete transferred wave can also be displaced several times with radio waves (with a phase angle reduced accordingly). The transferable bit rate for a given bandwidth can thus be multiplied. A 4-fold phase displacement of 90°, for example, can be used to code/reproduce 4 states: 0° / +90° / -90° / 180°. Because a bit requires 2 states (0 or 1), 2 bits can be transferred per sine wave (quadrature phase-shift keying, QPSK). The principle can be increased to 8 states per symbol and (theoretically) more sine waves can be modulated simultaneously on the transmission frequency. However, the more phase displacements per wave, the more susceptible the signal will be in relation to the wanted signal/noise ratio. Several of these wave forms can therefore be provided in a radio unit, to enable adaptation to the relevant channel quality.

In practice, given HF with a typical bandwidth of 3 kHz and good signal/noise ratio, up to 9.6 kBit/s can be transferred (or even a multiple of this with channel bundling, for example of USB and LSB). In the VHF range, with a 25 kHz bandwidth, 64 kBit/s is possible, or even several hundred kBit/s given very good conditions and/or a larger bandwidth.

Automatic error correction

Radio technologies have long had the reputation of a high error rate. But things have changed in this regard: if ARQ (Automatic Repeat Request) is not possible, i.e. if a feedback channel of sufficient quality is not available, the signal can now be prepared by the transmitter so that any gaps that may arise can to an extent be made good by the receiver. Of course this is only possible up to a certain loss level. Modern error correction processes (FEC = Forward Error Correction) work by what is known as the interleaving method. These cut up the signal prior to transmission into equal sequences which are exchanged in a linear time sequence (on the basis of a matrix) and are then sent in an incorrect sequence, so to speak. If there is now a brief failure, for example due to atmospheric interference, only a few sequences of the information that originally belonged together are missing because the other interleaved parts lay chronologically outside the burst and were correctly transmitted. The correct sequence is then restored by the receiver and instead of one substantial gap there are now several small, spread out gaps. This loss can be made good by inserting redundancy (multiple transfer of the same block of information) or appropriate fault coding of the information. Such highly-developed procedures reduce the fault rate by several factors, which among other things has been an essential prerequisite for the introduction of IP via radio.

[Figure: 10 x 10 interleaving matrix. Data sequence: by row. Transmission: by column.]

     1    2    3    4    5  ...   10
    11   12   13   14   15  ...   20
    21   22   23   24   25  ...   30
    31   32   33   34   35  ...   40
    41   42   43   44   45  ...   50
   ...  ...  ...  ...  ...  ...  ...
    91   92   93   94   95  ...  100

[Lower panel: the data sequence (1, 2, 3, ...) set against the transmission order (1, 11, 21, 31, 41, 51, 61, 71), with a 4-bit loss due to burst interference marked.]

The interleaving principle. With interleaving, the sending of the information (bit data sequence 1 ... n) is not linear, but in an offset sequence in accordance with a matrix, i.e. in columns instead of rows, as shown in the example of a simple 10 x 10 matrix. Without interleaving: four subsequent bits, which are lost during transmission because of a burst, form a single, large gap (bits 3-6). With interleaving: the four missing bits are distributed over the data sequence, each displaced by ten places, and are therefore much easier to correct/reconstruct.

Radio today: integrable and indispensable!

The combination of all modern functions provides the prerequisite for the direct integration of radio networks into the communications systems of many users. Advantages such as good availability, automatic operation without the need for manning, suitability for modern applications (including IP-based) and larger bandwidths are important elements in network planning. And a further aspect that has not changed to this day: when all else has failed, radio links are still possible under (almost) any conditions!
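The interleaving principle from the "Automatic error correction" section, worked through in Python as an added example (not code from the magazine). It uses the 10 x 10 matrix of the figure; the one XOR parity bit per matrix row is an assumption standing in for the "appropriate fault coding" the text mentions, chosen because it can repair exactly one lost bit per row.

```python
import random

ROWS, COLS = 10, 10      # the 10 x 10 matrix from the figure
ERASED = None            # a bit the receiver could not demodulate


def interleave(frame):
    """Sender: the frame is written row by row and transmitted column by column."""
    return [frame[r * COLS + c] for c in range(COLS) for r in range(ROWS)]


def deinterleave(stream):
    """Receiver: put every received bit back at its row-wise position."""
    frame = [ERASED] * (ROWS * COLS)
    for i, bit in enumerate(stream):
        c, r = divmod(i, ROWS)
        frame[r * COLS + c] = bit
    return frame


def encode(data):
    """Assumed FEC: 9 data bits plus 1 XOR parity bit fill one matrix row."""
    k = COLS - 1
    frame = []
    for r in range(ROWS):
        word = data[r * k:(r + 1) * k]
        frame += word + [sum(word) % 2]
    return frame


def decode(frame):
    """Repair one erased bit per row; return (data, rows that stayed damaged)."""
    data, failed = [], 0
    for r in range(ROWS):
        word = frame[r * COLS:(r + 1) * COLS]
        holes = [i for i, bit in enumerate(word) if bit is ERASED]
        if len(holes) == 1:
            # Row parity is even, so the missing bit equals the XOR of the rest.
            word[holes[0]] = sum(b for b in word if b is not ERASED) % 2
        elif holes:
            failed += 1
        data += word[:COLS - 1]
    return data, failed


def burst(stream, start, length):
    """Channel model: a burst wipes out `length` consecutive transmitted bits."""
    return [ERASED if start <= i < start + length else bit
            for i, bit in enumerate(stream)]


def lost_positions(start, length, interleaved):
    """Data-sequence positions (numbered 1..100 as in the figure) hit by the burst."""
    numbers = list(range(1, ROWS * COLS + 1))
    sent = interleave(numbers) if interleaved else numbers
    return sorted(sent[start:start + length])


def send(data, start, length, interleaved):
    """Encode, optionally interleave, suffer one burst, then decode."""
    frame = encode(data)
    sent = interleave(frame) if interleaved else frame
    received = burst(sent, start, length)
    return decode(deinterleave(received) if interleaved else received)


if __name__ == "__main__":
    rng = random.Random(2008)                      # constructed test payload
    payload = [rng.randint(0, 1) for _ in range(ROWS * (COLS - 1))]
    for mode in (False, True):
        decoded, failed = send(payload, 2, 4, mode)
        print("interleaved" if mode else "linear     ",
              "lost bits:", lost_positions(2, 4, mode),
              "| damaged rows:", failed,
              "| payload intact:", decoded == payload)
```

With this matrix any burst of up to ten transmitted bits touches each row at most once, so the single parity bit is enough; an eleventh lost bit lands in a row that is already damaged.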

* Dr. Rudolf Meier is a journalist specialising in political science, economics and technology.


ENCRYPTION FOR COMMUNICATION SECURITY, FREQUENCY HOPPING FOR TRANSMISSION SECURITY

FOR SECURE COMMUNICATION CHANNELS


Eavesdropping, jamming, manipulation: radio communication is exposed to various dangers. As the information exchanged can be very valuable, effective protection is essential. Crypto AG offers encryption platforms that protect not only the information, but also the communication channel.
Martin Maron*

Take the following scenario: four jets of a squadron are in use. They are flying over a target area and monitoring it. They have divided the area between them. For example, one jet only monitors what is happening behind the squadron. In order to ensure that all the aircraft have the same information, there is an intensive exchange of data between the jets. Then there is a radio message from the ground station. The squadron is withdrawn from the current target area and receives a new operating zone. The jets immediately make their way there.

In air forces, radio communication is still an important communication channel for both voice and data. The information exchanged, as in the scenario described, must be protected to prevent it from getting into the wrong hands. Protection not only means shielding from eavesdropping, but also from jamming and manipulation. Crypto AG has been active in this field for many years. The current portfolio, for example, offers on the one hand the MultiCom Radio Encryption HC-2650 multifunctional encryption platform (see article on page 13) and on the other, encryption platforms with frequency hopping processes.

What is frequency hopping for?

Efficient protection means safeguarding both the information itself and the transmission path used for communication. The first aspect is covered by the term COMSEC (communication security) and the second is known as TRANSEC (transmission security). Digital encryption is used for COMSEC (voice and data). It securely protects radio messages from interception. Eavesdroppers hear only white noise. However, encryption is of no use as protection from jamming transmitters, i.e. interference with the transmission path. Other technologies are needed here. The frequency-hopping procedure has become established for TRANSEC: the radio unit does not transmit on a constant frequency, but hops up to several hundred times a second within the specified frequency band.

This means the transmitter sends only a short package of information on any given frequency before it is changed. The frequency hopping procedure is not intended as an active measure against jamming transmitters, but an attempt to evade the jamming (EPM = electronic protective measures). If a frequency is jammed, it only affects the information package that has just been transmitted on that frequency. The remaining packages are not affected. However, thanks to natural or artificial redundancy, the jammed package can usually be reconstructed. The loss of a few information packages can be coped with, and the procedure is therefore very robust against external influences.
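The TRANSEC argument above, modelled in Python as an added example (not code from Crypto AG, and not the SECOS wave form): a jammer parked on one frequency silences a fixed-frequency link completely, but costs a hopping link a single package that redundancy makes good. The HMAC-derived hop schedule, the 64-channel band, the 4-byte packages and the send-everything-twice redundancy are all assumptions chosen for the demonstration.

```python
import functools
import hashlib
import hmac

CHANNELS = 64    # assumed number of channels in the hop band
PACKET = 4       # assumed payload bytes sent per hop


def hop_sequence(key: bytes, epoch: int) -> list[int]:
    """Keyed pseudo-random order in which the channels are visited in one epoch.

    Both radios hold the same key and clock, so they compute the same order.
    Every channel is used exactly once per epoch, so a jammer sitting on one
    frequency can hit at most one hop per epoch.
    """
    def rank(channel: int) -> bytes:
        msg = epoch.to_bytes(8, "big") + channel.to_bytes(2, "big")
        return hmac.new(key, msg, hashlib.sha256).digest()
    return sorted(range(CHANNELS), key=rank)


def hopping_radio(key: bytes):
    """Return a function mapping a hop slot number to its channel."""
    @functools.lru_cache(maxsize=None)
    def sequence(epoch: int):
        return tuple(hop_sequence(key, epoch))
    return lambda slot: sequence(slot // CHANNELS)[slot % CHANNELS]


def fixed_radio(channel: int):
    """A conventional radio: every slot uses the same channel."""
    return lambda slot: channel


def packets(message: bytes) -> list[bytes]:
    return [message[i:i + PACKET] for i in range(0, len(message), PACKET)]


def transmit(message: bytes, channel_for_slot, jammed: set, copies: int = 2):
    """Send every package `copies` times, one package per hop slot.

    Returns (received, lost): received[i] is package i or None if no copy got
    through; lost counts the slots that fell on a jammed channel.
    """
    pkts = packets(message)
    received = [None] * len(pkts)
    lost = 0
    for slot in range(copies * len(pkts)):
        index = slot % len(pkts)
        if channel_for_slot(slot) in jammed:
            lost += 1                    # this package copy is destroyed
        else:
            received[index] = pkts[index]
    return received, lost


def reassemble(received):
    """The message, or None if some package never arrived."""
    if any(p is None for p in received):
        return None
    return b"".join(received)


if __name__ == "__main__":
    key = b"constructed demo key"                        # constructed sample key
    message = b"SQUADRON: PROCEED TO NEW OPERATING ZONE"  # constructed sample text
    hopper = hopping_radio(key)
    jammed = {hopper(3)}       # jammer sits on the channel that carries hop 3
    for name, radio in (("fixed  ", fixed_radio(hopper(3))), ("hopping", hopper)):
        received, lost = transmit(message, radio, jammed)
        print(name, "slots lost:", lost, "| message:", reassemble(received))
```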

[Figure: air forces scenario. Link labels: VOICE, DATA, V/UHF, TDMA.]

Air forces scenario: various units communicate with one another by radio. Both the information itself and the transmission path used for communication must be protected. TDMA: Time Division Multiple Access

Successful in practice

As part of a cooperation over many years with the German company Rohde & Schwarz, the SECOS wave form has been developed, which applies a fast frequency hopping procedure in connection with highly effective encryption. Radio units for tactical applications (man packs and vehicle units M3TR), units for stationary use (M3SR) and units for on-board use with air forces (M3AR) provide secure, well-protected radio communication using SECOS (SEcure COmmunication System) and thus ensure the interoperability of the different sectors of the combat forces with one another (= joint missions) over the VHF/UHF frequency band. SECOS systems are installed in various plane and helicopter types, and in airborne control systems (AWACS) by a number of manufacturers, and used on board military frigates and for military air defence. The airborne units are used in training and in applications such as airspace surveillance, maintaining sovereignty in the air and carrying troops. SECOS is successfully used in operational units in Europe, Latin America, the Middle East and South-East Asia.
* Martin Maron is Senior Product Manager.


SUCCESSFUL INSTALLATION OF MULTICOM RADIO ENCRYPTION IN HELICOPTERS

PROTECTED COMMUNICATION IN THE AIR


Helicopters are indispensable tools for air forces. They can reach places that would otherwise only be accessible with difficulty. As communication via radio (the typical communication channel for helicopters) is easy to intercept and therefore needs protection, an encryption unit is an essential piece of on-board equipment. However, space is at a premium, which means it is an advantage if the encryption unit is capable of flexible installation. This is definitely the case with the MultiCom Radio Encryption HC-2650.
Martin Maron*

Unlike planes, helicopters have the advantage of not requiring a runway for taking off or landing. They can therefore carry both people and goods to virtually impassable locations, often not connected by road and only accessible on foot with difficulty. Helicopters are therefore indispensable tools for armies, navies and especially air forces. Radio contact is still of great importance for communication between helicopters, planes and ground stations. Protection for radio communications is an even greater factor in the case of operations far away from the home territory. For example, operations forming part of peacekeeping operations in areas of armed conflict are associated with great risks for helicopters and their crews. Protected communication keeps flight paths, information on the freight being carried and much more secret and safe from potential attack (for example by looters).

The universal platform HC-2650

The MultiCom Radio Encryption HC-2650 is ideal for protecting communications in military contexts. This universal encryption platform has been successfully installed in helicopters, for example the Super Puma type. Further projects involving the NH90 and Dauphin helicopters are under way. The HC-2650 was designed for military application and is therefore accordingly robust and suitable for problem-free use in motor vehicles, tanks, aircraft and helicopters. Installation in civilian aircraft (e.g. for VIPs, such as presidential transport) is also possible, and has in fact been implemented.

The "multi" of the HC-2650 covers many aspects: multi-radio means that all known radio units can be connected; multi-band means encryption over all frequency bands used; multi-application covers voice (in various modes for HF and V/UHF), data (with integrated or external modem), messaging and IP/VPN (see box). The unit automatically detects voice or data communication, which means that the same radio channel can be used for both voice and data without requiring intervention from the operator. Multi-algo means that several algorithms can be used, a requirement for multinational manoeuvres (the national algorithm and also an allied algorithm).

Successfully connected to the ARC-210

In a current project, the MultiCom Radio Encryption HC-2650 was successfully connected to the ARC-210 (Collins) radio unit. The unit is used for communication via V/UHF. As the connection can be made over a broad band, the voice quality is very good. Another benefit is that the control of the encryption unit can be integrated into the central control unit. This consists of multifunction displays for the pilot and co-pilot.

Special features for air forces

Limited space on board planes and helicopters can be a serious problem. It is therefore not always possible to position encryption units in locations where the operator (usually the pilot) has access to them and can make and change settings. It must therefore be possible to connect with the encryption unit remotely. For such cases, a remote control unit will soon be available for the MultiCom Radio Encryption HC-2650. Various special mounting kits are also available to facilitate the installation of the encryption units. This means the HC-2650 can be fitted on board a helicopter in the optimum location, taking account of space-saving and other factors. The operator still has access to it, ensuring that communication is protected at all times.

* Martin Maron is Senior Product Manager.

[Box] HC-2650: a new member of the IP VPN range from Crypto AG

User needs change and so encryption units have to adapt accordingly. These changes include the fact that air forces, like other armed forces on land and sea, increasingly use Internet Protocol (IP) for their communications. In line with this, the MultiCom Radio Encryption HC-2650 has been expanded to include the IP/VPN application. Communications can be carried out securely in a protected VPN tunnel. This new application is compatible with all other units in the IP/VPN range from Crypto AG, including the new Crypto Mobile Client (see opposite page). All applications, i.e. the traditional applications for voice and data as well as the IP VPN application, can be installed in parallel, with just one active at any given time, as it is necessary to switch between the interfaces.


THE CRYPTO MOBILE CLIENT MAKES A GOOD PERSONAL TRAVELLING COMPANION

A SMALL, POWERFUL ENCRYPTION UNIT FOR IP VPN


It is a given nowadays that those who work at frequently-changing locations use personal communication units. Ad-hoc access to the Internet or other IP networks is widely available, for example via WLAN hotspots or portable Sat terminals. The Crypto Mobile Client is a small, personal, powerful encryption unit that can be used in conjunction with practically any PC or laptop, regardless of the operating system. This means that even mobile access is secure.
Philipp Birrer*

Ambassadors, government members, senior officials, military leaders and managers all travel frequently, or even constantly, for their organisations. This could be to attend an international conference or, in the case of military personnel, for joint field exercises with friendly armies. However, in order to fulfil their tasks, these persons must have access that is as reliable as possible to the central infrastructure which provides their organisation's data. The main working unit is a portable computer, in other words a laptop. Mobile working includes the need to access and store data remotely. There is also the need to receive and send e-mails and undertake research on the Internet. Telephone conversations and video conferences are also of interest. Ad-hoc access to the Internet or to other IP networks is now available almost anywhere. Facilities for doing so include WLAN hotspots in hotels, Ethernet interfaces in regional offices, satellite terminals in open country and ADSL connections in private dwellings. Because most applications converge on IP, today's providers offer bandwidths that enable triple-play applications, i.e. voice, data and video.

A certain path through uncertain territory

The world of communications is also the world of hackers, spies, data thieves and terrorists. As Internet connections are generally used for mobile working, sensitive data could easily fall into the wrong hands. E-mails can be intercepted, redirected or altered. Damaging software, or malware, i.e. viruses, worms, trojans and others, can adversely affect not only the computer attacked, but also whole networks. This is exacerbated by the fact that networks are trimmed with performance in mind rather than to provide the best possible protection for the data they carry. Special protective measures are essential to ensure that, even when travelling, the members of an organisation are able to link up safely to the central infrastructure from outside the protected home zone. These measures should ideally be capable of linking into the existing infrastructure without substantial difficulties.

Personal encryption unit

The Crypto Mobile Client is a small, personal, powerful encryption unit that can be used for secure data exchange via an IP network. To this end, the Crypto Mobile Client establishes a secure VPN tunnel. Diplomats or travelling employees enter their authentication into the unit and are then granted access. It is an external unit and therefore runs independently of the operating system of the laptop. The flexibility of the Crypto Mobile Client enables the user to connect to an existing computer in a hotel or conference centre, or to their own laptop. There is an Ethernet interface (wired) and WLAN and Bluetooth (wireless) for connection to the IP network. All units from the Crypto IP VPN range are suitable as receiving stations for the Crypto Mobile Client (see box on page 17). The Crypto Mobile Client also includes a cryptographically secured hard disk on which documents can be stored in encrypted form, and an option of e-mail encrypting.

Scenario: searching databases

A thin client scenario is one where the end unit can only be used purely as a terminal. No actual data is stored here, and the screen is only used for displaying data. Mouse movements and keystrokes are transmitted via a special protocol from the terminal to the server, which in turn returns the output of the application to the terminal, which simply displays it. This communication is via an encrypted VPN tunnel and corresponds to the highest security requirements. If the Crypto Mobile Client is installed as the encryption unit, it can also be used to store data. To do this, the laptop can be started up by software integrated into the Crypto Mobile Client. In this way, any malware that may be on the laptop cannot attack the data. Typical applications for this scenario include external searches of comprehensive databases. In this way, many different terminals in different locations can have safe access to a central computer, where they can input, call up and compare data. The Crypto Mobile Client provides encrypted access to this data and gives protection from unauthorised access or data transfer.

Secure data exchange, secure storage

E-mail has become an important working tool. With the Crypto Mobile Client, e-mails can be sent and received in encrypted form over the existing e-mail infrastructure. The Crypto Mobile Client encrypts the data and sends it via the relevant e-mail software. Mobile access to information is extremely important in enabling efficient, future-oriented working. To this end, the Crypto Mobile Client offers the option of an integrated cryptographically protected hard disk. All data on the hard disk is encoded and only accessible by password. The hardware is designed to safeguard it from manipulation and all unauthorised access is prevented.

Straightforward connection

What use is the security of data and information without the capability of making a connection via the available communication networks? A network connection is available in a hotel, at a conference or at home, but these are not supported by the end unit. For this reason the Crypto Mobile Client is equipped with various technologies; it supports connections via Ethernet, WLAN and Bluetooth. Connection and start-up are very easy and user-friendly. The Crypto Mobile Client is connected to the laptop via the home page and the World Page provides the option for using either a physical LAN (Ethernet cable) or wireless (WLAN, Bluetooth) connection depending on the available network.

* Philipp Birrer is Marketing Manager.

[Figure: The Crypto Mobile Client enables connection using a variety of technologies. Labels: IP Network, WLAN, Ethernet, Bluetooth.]

The IP VPN range from Crypto

If public IP networks are used for the transfer of sensitive data and information, great attention should be paid to the security of the information. Crypto AG offers a complete range of IP VPN encryption units:

IP VPN Encryption HC-7825 Enterprise Version: a unit for direct integration into the infrastructure with 100 Mbit/s throughput and up to 250 VPN tunnels.
IP VPN Encryption HC-7825 Branch Office Version: a unit for direct integration into the infrastructure with 20 Mbit/s throughput and up to 250 VPN tunnels.
IP VPN Encryption HC-7805 Small Office Version: a stationary unit with 10 Mbit/s throughput.
Crypto Mobile Client HC-7835 IP VPN: a personal mobile unit, scalable with 1, 4 or 8 Mbit/s.
MultiCom Radio Encryption HC-2650: a universal IP platform for military scenarios.

The encryption units are compatible with one another and their security architecture is the same. The variety of their application and performance potential enables scalable security solutions in practically any environment.

[Figure labels: Police, Phone Application, Mobile Unit, Travel, Crypto Mobile Client, IP Network, IP VPN Encryption, Server, Headquarters; E-mail / Voice, Video, Data.]

The secure connection is established automatically and enables the exchange of sensitive data via the VPN tunnel created. All IP applications such as video, e-mail, voice and data transfer are possible.

CRYPTO SERVICES (I)

ESTABLISHING AND MAINTAINING ICT SECURITY IS A PRIORITY


Information security in complex ICT environments does not happen automatically when the infrastructure is installed, but can only come about by taking account of specific structural elements and processes. In order to ensure that these contributions have optimum effect, it generally makes sense to call on the services of specialists. Crypto AG is increasingly providing support in this area to customers who operate or are setting up systems with a high security requirement. In this series of articles we introduce the range of services offered by Crypto AG - the first article gives an overview of the basic principles and concepts behind a successful High Security IT Operations project.
Beat Knüsel*

Any department head or security officer in the field of politics or diplomacy who is responsible for the secure handling of confidential or even secret information will only get a good night's sleep if they are able to depend on watertight, impregnable structures and processes in the ICT environment. An embarrassing or dangerous incident happens quickly but is not so quick or easy to put right. External security experts can provide valuable insights and also, if required, undertake complete security projects with individual support services. The Services department of Crypto AG uses a structure/process diagram to show the relevant areas of activity, taking account of the operational levels of the user on the one hand and the security requirements on the other (see structure/process diagram).

The best place to begin is by isolating the areas of an ICT structure where there may be security gaps:

I. People: lack of knowledge, frustrations and staff fluctuations can frequently contribute to creeping, awkward risk areas.
II. Processes: inappropriate working practices, unclear classifications and/or instructions can form the basis of working in the easiest way - which is rarely the most secure way.
III. Technology: ageing or inappropriate technologies in networks, communication media or storage elements can be the source of notable security gaps.

Reports appear almost daily in the media of security-related incidents in these three areas. But they can be eliminated to a great extent, provided appropriately focused action is taken.

IT standards - insufficient focus on security

When working on new projects or on the continued operation of an ICT infrastructure, the latest standards enable processing and system design to be simplified. But all these standards have one thing in common: they focus on efficiency and clearly pay far too little attention to the need for information security.

The areas of application of standards relate to two levels, project environment and operational ICT environment:

The project environment includes, for example, PRINCE2 or PMBOK (see box), a recognised standard for processing work packages and meeting milestones. Because account is generally taken here of large numbers of elements from different specialist disciplines, Crypto AG can help to transform a standard IT project into a high security project. Standards should remain as standards, but special attention should be paid to the value of the information, as the immediate project environment is where things can be most hectic and therefore the greatest security risks can arise.

ITIL has recently established itself firmly in the operational ICT environment (see box). Standard operation is usually focused on the availability of the systems and efficiency of the employees. Crypto AG can also make a valuable contribution where highly confidential information and data are to be processed and saved, as information security in all phases, including phases of hectic activity, can only be reliably ensured on the basis of many years' experience. The specialists' concepts define among other things security requirements for operating staff in the secure zones, establishing the dual-control principle, installing a secure key management, room division, training staff in the secure zones and much more.

Requirements of the operator

Every user of an ICT structure works in an individual scenario, and this is the basis for the definition of their individual security policies. This means that the handling of information and the main risks must be incorporated individually into the project and the operations. Knowledge in the security environment changes quickly. It therefore makes sense for the user to call in support on a project-related basis, or in the form of individually defined services. The service portfolio of Crypto AG involves the five lines Consulting Services, Implementation Services, Education Services, Operational Support Services and Lifecycle Management Services. The services offered are defined in a service catalogue, but can be adapted to suit customers' requirements. Future articles will look at the prerequisites and process stages which ensure that a standard project or standard infrastructure can be implemented with the aim of information security at the highest level, without paying a premium.

* Beat Knüsel is Head of Service Business & Portfolio for Crypto AG.

[Figure: Structure/process diagram. Levels: project environment (PRINCE2, PMBOK or similar) and operational ICT environment. SOC = Security Operations Center.]

PRINCE2 - PRojects IN Controlled Environments
PRINCE2 is a project management methodology covering the management, control and organisation of projects. It includes eight main stages, which define the results for milestones and cooperation. PRINCE2 focuses in particular on the planning of the bases for projects, the control of changes and quality inspections.

A Guide to the Project Management Body of Knowledge (PMBOK)
The Project Management Institute (PMI) publishes standards related to project management and manages project management certification. Its main standard, A Guide to the Project Management Body of Knowledge (PMBOK), is currently in its third edition.

ITIL (Information Technology Infrastructure Library)
ITIL provides a best practice framework for IT services and operational procedures, focusing on strategy, design, transitions, operation and continual improvements to IT services and associated processes.

SERVICES

SERIES: SWITZERLAND

A LAND FOR BRILLIANT MINDS


Switzerland is characterised by more than merely high mountains and enchanting landscapes. In rankings for quality of life, Switzerland and its cities regularly occupy the top places. In addition, Switzerland is characterised by a special form of government - direct democracy. This gives citizens far-reaching rights of co-determination. Switzerland is also known as a seat of knowledge, with its numerous top-level universities and one of the highest densities of Nobel Laureates per head of population. Part two of Crypto Magazine's series on Switzerland is devoted to Switzerland as a seat of knowledge.

The most famous scientist of the 20th century was Swiss. Born in what is now Germany, the young Albert Einstein came to Switzerland to study. He studied at what was then the Federal Polytechnic Institute, now ETH Zurich, specialising in mathematics and natural sciences, and graduating in 1900. In the following year, Albert Einstein became a Swiss citizen. Einstein applied as an assistant at a university without success. So he took a job at the patent office in Bern, as a class III technical expert. This may seem an untypical position for a future Nobel Laureate, but it did offer him the time and space to pursue his passion, theoretical physics. During his time in Bern, more precisely in 1905, Albert Einstein wrote five groundbreaking works which turned the world of physics, as it was understood then, upside down. The themes were the reality and size of atoms, light quanta and the theory of special relativity. Although Einstein's main interest was theoretical physics, his theories are also of practical benefit. For instance, global positioning systems (GPS) would only be very imprecise without reference to the theory of relativity.

The Swiss Nobel Laureates

Many years later, in 1921, Albert Einstein received recognition for his groundbreaking work - the Nobel Prize for Physics. This brought him among the ranks of the Swiss Nobel Laureates. Three Swiss scientists had been awarded this highest scientific accolade before him, and to date 18 have succeeded him. They are joined by three holders of the Nobel Peace Prize and two Nobel Laureates for literature. The first Swiss Nobel Laureate was Henri Dunant, the founder of the International Committee of the Red Cross, who was awarded the Nobel Peace Prize in 1901. The first Swiss scientist to be awarded the Nobel prize was Emil Theodor Kocher of the University of Bern, who was awarded the prize in 1909 for his research into the thyroid gland. The most recent Swiss Nobel Laureate to date was Kurt Wüthrich, Professor at ETH Zurich, who was awarded the Nobel Prize for Chemistry in 2002. In all, Switzerland has produced 27 Nobel Laureates, which must be a record. Switzerland is one of the countries with the highest number of Nobel Laureates per head of population.

Among the best

Switzerland has two national universities - ETH Zurich and EPF de Lausanne - and 10 cantonal universities. The oldest university is in Basel (founded in 1460); the largest in Zurich. The University of Zurich is celebrating its 175-year anniversary this year. It was the first university in Europe which was not founded by the church or a member of the nobility, but by a democratic state. It has a history of twelve Nobel Laureates, including Albert Einstein, who was an associate professor at Zurich. ETH Zurich can look back on even more Nobel Laureates. It is associated with 22, some of whom merely studied or undertook their doctorates there, others of whom were professors. And the current rankings show that the institution is not resting on its laurels: ETH Zurich is still considered among the best in Europe, alongside, for example, the British universities of Oxford and Cambridge.

Reaping the benefits of investment

Science needs investment to be made long before the benefits are seen. This investment is made in Switzerland. Switzerland is a country whose expenditure on investment as a percentage of the gross domestic product is one of the highest in the world, with two thirds of this expenditure coming from private-sector companies. The most important areas of research in the private sector are chemistry, the pharmaceutical industry and the electrical and metal industries. These investments pay off - the number of scientific works and patent applications per head of population is among the highest in the world. And that is not all. Companies in the IT sector have chosen Switzerland for the location of their research centres. The European research laboratory of IBM has been in Switzerland since 1956, and Google recently opened its largest research centre outside the United States in Zurich. Moreover, not only was Switzerland among the founder members of the European Laboratory for Particle Physics CERN, but its location was also chosen to be in Switzerland, near Geneva. This year, CERN will bring into operation the most powerful particle accelerator ever built. Switzerland - truly a land for brilliant minds.

[Photo: ETH Zurich in the foreground; in the background on the left, the dome of University of Zurich.]

Nobel prizes are awarded by the Swedish Academy every October. The prizes are awarded on 10 December, the anniversary of the death of Alfred Nobel (www.nobel.se).

SWISSNESS

USB STICKS & CO.: SMALL, BUT NOT WITHOUT RISK


Information security is not only a technical discipline but has a great deal to do with people, because information security depends on the conscious thinking and actions of the user. But what constitutes a correct and secure way of dealing with information and IT media? In this series, Crypto Magazine looks at the different topic areas, from the Internet to passwords, and gives useful tips for everyday life. The second part addresses the secure handling of portable data carriers.
Franco Cerminara*

Small, fine and yet with considerable memory capacity - these are portable data carriers such as USB sticks, memory cards or MP3 players. The first USB sticks appeared on the market in the year 2000 and had a memory capacity of 8 MB; at present, memories of up to 64 GB are available. This represents over 15 million A4 pages of text. This means that a lot of useful information can be stored, but also plenty that is less useful and even dangerous. The insidious aspect of this is that harmful software, for example, can automatically infiltrate any computer with which the data carrier comes into contact, and from there spread throughout whole networks. Portable data carriers can also copy or even delete data, uncontrolled and practically unnoticed, from computers or networks. And, what is even more alarming, cases have emerged where USB sticks have been infected with a virus direct from the factory. It is not known whether this was due to negligence or malicious intent. Care is therefore required when using portable data carriers to ensure that the benefits of these devices always outweigh the associated risks.

Some tips for the safe use of portable data carriers:

Thieves are opportunists. Never leave data carriers lying around in open view, but always put them away safely.
Always save information worthy of protection in encrypted format. Special USB sticks are available for this purpose. And only save as much data on portable data carriers as is absolutely necessary.
It goes without saying that data carriers of unknown origin should be treated with suspicion. A USB stick found lying around should never be used.
Always check USB sticks with an antivirus software prior to use.
Deactivate the auto-run function on the computer. This prevents any programs on a portable data carrier from running automatically. Such programs could, for example, damage the computer or even the whole network to which it is connected.
A simple delete command is not enough to delete data which is no longer needed. The data is not securely deleted until it has been overwritten, preferably several times.
Never allow unknown persons to recharge MP3 players, iPods, digital cameras or other devices via the computer. Damaging software could enter the computer in this way, or data could be copied or even deleted from the computer.

* Franco Cerminara is Head of Consulting and Education with InfoGuard AG. InfoGuard AG, a company affiliated to Crypto AG and a member of the Crypto Group, specialises in comprehensive information security. Its competencies include advice, training and awareness-raising as well as development and implementation of technical security solutions.

SECURITY AWARENESS

IMPRINT

Published three times a year
Print run: 6000 (German, English, French, Spanish, Russian, Arabic)
Publisher: Crypto AG, P.O. Box 460, 6301 Zug (Switzerland), www.crypto.ch
Editor-in-chief: Beatrice Huber, Crypto AG, Tel. +41 41 749 77 80, Fax +41 41 741 22 72, E-mail beatrice.huber@crypto.ch
Design/Typesetting: illugraphic, Sonnhalde 3, 6332 Hagendorn (Switzerland), www.illugraphic.ch
Printing: Ennetsee AG, Bösch 35, 6331 Hünenberg (Switzerland)
Reproduction: Free of charge with the consent of the editorial office, courtesy copies requested. All rights reserved Crypto AG
Illustrations: Corbis: p. 5, 21; Crypto AG: p. 14, 16, 17; ETH Zürich: p. 20; Imagepoint: p. 8, 10, 12, 18, 22; Kursiv: p. 20, 22; Nasa: p. 19; Swiss Air Force: cover, p. 3, 4, 5, 6, 7, 11, 13, 14, 24

Top of Information Security

For more than 55 years we have concentrated on the development, production and implementation of challenging Information Security Solutions. Because we know that confidential information is of the highest value. You too can rely on the expertise and capability of Crypto AG. Customers from over 130 countries are already doing just that.

To Remain Sovereign
Crypto AG, P.O. Box 460, CH-6301 Zug, Switzerland, Tel. +41 41 749 77 22, Fax +41 41 741 22 72, get@crypto.ch, www.crypto.ch

Crypto AG, Headquarters
Crypto AG, P.O. Box 460, CH-6301 Zug, Switzerland, Tel. +41 41 749 77 22, Fax +41 41 741 22 72, crypto@crypto.ch, www.crypto.ch

Crypto AG, Regional Offices
Abidjan: Crypto AG, 01 B.P. 5852, Abidjan 01, Ivory Coast, Tel. +225 22 41 17 71, Fax +225 22 41 17 73
Abu Dhabi: Crypto AG Abu Dhabi, P.O. Box 41076, Abu Dhabi, United Arab Emirates, Tel. +971 2 64 22 228, Fax +971 2 64 22 118
Buenos Aires: Crypto AG, Maipu 1256 PB A, 1006 Buenos Aires, Argentina, Tel. +54 11 4312 1812, Fax +54 11 4312 1812
Kuala Lumpur: Crypto AG, Regional Office Pacific Asia, Level 9B Wisma E&C, 2, Lorong Dungun Kiri, Damansara Heights, 50490 Kuala Lumpur, Malaysia, Tel. +60 3 2080 2150, Fax +60 3 2080 2140
Muscat: Crypto AG Regional Office, P.O. Box 2911, Seeb PC 111, Sultanate of Oman, Tel. +968 2449 4966, Fax +968 2449 8929

TRADE FAIRS
COMM08, 10 to 14 September 2008, Frauenfeld, Switzerland

NEW PUBLICATIONS
Services from Crypto AG: Risk-free handling of information at all times
Education Services: Welcome to the Crypto Academy where our professional know-how becomes yours!
MultiCom Encryption: The only encryption platform that can defend your sovereignty in all networks!

PRESS REVIEW
NATO Centre of Excellence for Cyber Defence

A NATO research centre for cyber defence is to be established in the Estonian capital Tallinn. Seven NATO nations - Germany, Italy, Spain, Slovakia, Lithuania, Latvia and Estonia - signed an agreement to this effect on 14 May in Brussels. At the Cyber Defence Centre of Excellence, specialists will devote themselves to research and training in the area of electronic warfare. Estonia lends itself to being the location for the research centre: on the one hand, this is a country that offers its citizens free Internet access and is very active in the field of e-government, and on the other, Estonia was the target of massive denial-of-service attacks last year. Centres of Excellence fulfil a consultative capacity within the NATO organisation. For example, there is a Centre of Excellence for Defence Against Terrorism in the Turkish capital, Ankara.

Source: heise online, news of 14 May 2008

CRYPTO AG TO REMAIN SOVEREIGN

A member of The Crypto Group
