NEG – NovaTec Encryption Gateway

Secure encryption for ISDN and IP connections with the NovaTec Encryption Gateway

Task:

The rapid growth of commercial and private communication over IP offers eavesdroppers ideal points of attack and has led to a drastic increase in attacks on telephone and data networks. Attacks on confidential data originate from inside a company as well as from outside. The economic damage caused by the interception of confidential data and telephone calls is enormous. Only encrypting the data and the telephone calls can help.

Solution:

To address this security concern, the NovaTec Encryption Gateway (NEG) has been developed from the proven NovaTec system series; it provides secure end-to-end encryption for ISDN, analogue and VoIP terminal equipment. Individual connections of ISDN terminal systems with S0 (BRI) or S2M (PRI) and analogue interfaces can be encrypted, as can VoIP connections. This is done using the open standards SIPS, SRTP and TLS together with current encryption procedures. NovaTec also provides the tools needed to build your own PKI (public key infrastructure).

Encryption and key exchange

VoIP telephony via SIP/RTP, as implemented in the NovaTec gateways and in most other VoIP products, always separates the signalling connection (SIP) from the actual user data (RTP). The NovaTec Encryption Gateways (NEGs) use internationally recognised standards for encryption:

  • The signalling (SIP) is carried over a TLS connection (TLSv1 to TLSv1.2); the newest protocol version supported by both systems is selected automatically. Insecure cipher suites are deactivated by default.
  • In TLSv1.2 mode the systems support, among others, the fast and secure AES-GCM (Galois Counter Mode), RSA authentication, Perfect Forward Secrecy through ephemeral Elliptic Curve Diffie-Hellman (ECDH), and signatures with SHA-2.
  • When encryption is activated, the user data is transferred via the secure version of RTP (Secure RTP, sRTP). SRTP was developed specifically for the encryption of voice data. The NovaTec systems use the SDP method according to RFC 4568/6188 for key negotiation. The master key is exchanged over the SIP connection, which must therefore also be encrypted when sRTP is used.
  • With sRTP according to RFC 4568/6188, the data stream is encrypted with AES in counter mode with a key length of up to 256 bit, and a 32-bit HMAC-SHA1 integrity tag is created for each packet.
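The following is an added illustration, not NovaTec code, of the two protection layers the bullets describe: a TLS client policy for the SIP leg (TLSv1.2 minimum, ECDHE with AES-GCM, insecure suites excluded) and a parser for the SDP a=crypto attribute through which the SRTP master key and salt are exchanged under RFC 4568, with the AES-256 suites from RFC 6188. The suite table, the sample offer line and the key bytes are constructed here for the example; the policy check at the end reflects the page's point that the key travels inside SIP and is only protected if that leg is TLS.

```python
import base64
import ssl

# SRTP crypto-suites from RFC 4568 (AES-128) and RFC 6188 (AES-192/256):
# suite name -> (master key bits, master salt bits, auth tag bits).
SRTP_SUITES = {
    "AES_CM_128_HMAC_SHA1_80": (128, 112, 80),
    "AES_CM_128_HMAC_SHA1_32": (128, 112, 32),
    "AES_192_CM_HMAC_SHA1_80": (192, 112, 80),
    "AES_192_CM_HMAC_SHA1_32": (192, 112, 32),
    "AES_256_CM_HMAC_SHA1_80": (256, 112, 80),
    "AES_256_CM_HMAC_SHA1_32": (256, 112, 32),
}

# Constructed sample values (not captured from any device): a 256-bit master
# key followed by a 112-bit master salt, as one base64 blob in key-params.
SAMPLE_KEY_SALT = bytes(range(46))
SAMPLE_OFFER = ("a=crypto:1 AES_256_CM_HMAC_SHA1_32 inline:"
                + base64.b64encode(SAMPLE_KEY_SALT).decode() + "|2^20")


def signalling_context() -> ssl.SSLContext:
    """Client-side TLS context for the SIPS leg: TLS 1.2 as minimum version,
    only ECDHE key exchange (forward secrecy) with AES-GCM, and the classic
    weak suites explicitly removed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # verifies the peer cert
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx


def weak_ciphers(ctx: ssl.SSLContext) -> list:
    """Return the names of any enabled suites that a reviewer would reject."""
    bad = ("RC4", "DES", "NULL", "MD5", "EXPORT")
    return [c["name"] for c in ctx.get_ciphers()
            if any(b in c["name"] for b in bad)]


def parse_crypto(line: str) -> dict:
    """Parse one SDP a=crypto attribute (RFC 4568 section 9.1):
         a=crypto:<tag> <crypto-suite> <key-params> [<session-params>]
         key-params = "inline:" base64(key||salt) ["|" lifetime] ["|" MKI ":" len]
    Raises ValueError for anything that does not match the suite's sizes."""
    if not line.startswith("a=crypto:"):
        raise ValueError("not an a=crypto attribute")
    fields = line[len("a=crypto:"):].split()
    if len(fields) < 3:
        raise ValueError("tag, crypto-suite and key-params are mandatory")
    tag, suite, key_params = fields[0], fields[1], fields[2]
    if not tag.isdigit():
        raise ValueError("tag must be a decimal integer")
    if suite not in SRTP_SUITES:
        raise ValueError(f"unknown or unsupported crypto-suite {suite!r}")
    key_bits, salt_bits, tag_bits = SRTP_SUITES[suite]
    method, _, rest = key_params.partition(":")
    if method != "inline":
        raise ValueError("RFC 4568 defines only the 'inline' key method")
    key_info = rest.split("|")
    raw = base64.b64decode(key_info[0], validate=True)
    expected = (key_bits + salt_bits) // 8
    if len(raw) != expected:
        raise ValueError(f"{suite} needs {expected} key||salt bytes, got {len(raw)}")
    # An optional lifetime (e.g. 2^20) has no ':'; an MKI field does.
    lifetime = key_info[1] if len(key_info) > 1 and ":" not in key_info[1] else None
    return {
        "tag": int(tag),
        "suite": suite,
        "master_key": raw[: key_bits // 8],
        "master_salt": raw[key_bits // 8:],
        "auth_tag_bits": tag_bits,
        "lifetime": lifetime,
        "session_params": fields[3:],
    }


def crypto_line_is_valid(line: str) -> bool:
    """Convenience wrapper: True if the attribute parses cleanly."""
    try:
        parse_crypto(line)
        return True
    except ValueError:
        return False


def sdes_offer_permitted(sip_transport: str) -> bool:
    """The a=crypto key travels in clear text inside the SDP body, so an SDES
    offer is only acceptable when the SIP leg itself is TLS-protected."""
    return sip_transport.lower() in ("tls", "sips")


if __name__ == "__main__":
    params = parse_crypto(SAMPLE_OFFER)
    print(params["suite"], len(params["master_key"]) * 8, "bit key,",
          params["auth_tag_bits"], "bit tag, SDES over UDP allowed:",
          sdes_offer_permitted("udp"))
```

The parser rejects a key blob whose length does not match the negotiated suite, which is the check that matters when an offer arrives from an unknown peer; the transport check is the operational rule behind the page's remark that the SIP connection must be encrypted whenever sRTP is in use.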

Encryption gateway provides high flexibility

The NovaTec Encryption Gateway (NEG) is built as an embedded hybrid system. Thanks to standardised interfaces, extension lines with S2M (PRI) can be connected as well as individual analogue, digital or SIP terminal systems, so that all connections can be encrypted over IP with TLS/SIPS and sRTP. Encryption can be applied to specific source or destination numbers according to a configurable call number plan, or selected per call by dialling a freely configurable digit combination as prefix.

The NovaTec Encryption Gateway can be integrated into the company network's existing ISDN or IP connection as a stand-alone system. If a system of the NovaTec series is already present, the NovaTec Encryption Gateway can be installed into it as an additional module.

Summary:

Applications

  • Encryption of voice and data connections
  • Encryption of video conferences

Customers

  • Small, medium-sized and large companies
  • Carriers
  • SOHO / home office with a connection to the company headquarters

Encryption

  • Signalling via TLSv1.2/AES, up to 256 bit
  • User data via sRTP/AES, up to 256 bit

Flexibility

  • Encryption of individual S0 (BRI) or analogue interfaces as well as of S2M (PRI) with 30 B channels
  • Encryption by source or destination number (call number plan) or per call by dialling a configurable digit combination as prefix
  • Encryption gateway as a stand-alone system or as an additional module within a NovaTec system