The IPcrypt system is designed to connect a user PC securely to a server application. All communication between the user PC and the encryption server is protected at the IP packet level. Encryption runs transparently for every application that communicates over the network, with no changes to the applications themselves. Multiple client applications can operate at the same time.
32-bit: Windows 7, Windows Server 2008
64-bit: Windows 7 to Windows 10
IP protocol version 4 (IPv4)
The communication flow in a system with IPcrypt installed is as follows:
A client application sends IP packets to the server as usual.
The packets pass through the operating system's IP stack, where the IPcrypt NDIS intermediate driver captures them and does not release them any further. Each packet is encrypted and sent, inside a tunnel packet, to the IPcrypt encryption server.
Only the tunnel packets cross the WAN routers; their payload is the original IP packet in encrypted form.
The tunnel packets arrive at the encryption server, where they are decrypted and forwarded to the destination computer running the server application.
Packets from the server application travel the opposite way in the same manner: the encryption server encrypts them, they cross the WAN encrypted to the client PC, and there they are decrypted and handed to the client application.
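The flow above, as an added example in Go that is not part of IPcrypt or of this page: one direction of the tunnel between a client PC and the encryption server. The frame layout (an 8-byte sequence number followed by the AES-256-GCM ciphertext of the whole captured IP packet), the fixed data key, the packet builder and the sample packet are assumptions made for the example. What it shows is that the inner IP header and payload never appear on the WAN in the clear, and that tampered, wrong-key or replayed frames are dropped instead of being forwarded.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed frame layout for this example: seq(8) || AES-256-GCM(inner IP packet),
// with the sequence number as associated data and as the low 8 bytes of the nonce.
const seqLen = 8

// Tunnel is one direction of the encrypted path (e.g. client PC -> encryption
// server); each direction has its own data key, as the page describes.
type Tunnel struct {
	aead    cipher.AEAD
	nextSeq uint64 // sender: sequence number of the next frame
	lastSeq uint64 // receiver: highest sequence number accepted so far
}

func NewTunnel(dataKey []byte) (*Tunnel, error) {
	block, err := aes.NewCipher(dataKey) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return &Tunnel{aead: aead, nextSeq: 1}, nil
}

// nonce is unique per key as long as the key is rotated before seq wraps.
func nonce(seq uint64) []byte {
	n := make([]byte, 12)
	binary.BigEndian.PutUint64(n[4:], seq)
	return n
}

// Encapsulate takes an IP packet captured below the IP stack and returns the
// frame that crosses the WAN. The inner header, including the real source and
// destination addresses, is inside the ciphertext; only seq is in the clear.
func (t *Tunnel) Encapsulate(inner []byte) []byte {
	hdr := make([]byte, seqLen)
	binary.BigEndian.PutUint64(hdr, t.nextSeq)
	frame := t.aead.Seal(append([]byte{}, hdr...), nonce(t.nextSeq), inner, hdr)
	t.nextSeq++
	return frame
}

// Decapsulate authenticates and decrypts a frame. A frame that fails the tag
// check (tampered, wrong key) or repeats a sequence number is dropped, so
// nothing is forwarded to the destination for it.
func (t *Tunnel) Decapsulate(frame []byte) ([]byte, error) {
	if len(frame) < seqLen+t.aead.Overhead() {
		return nil, errors.New("frame too short")
	}
	hdr := frame[:seqLen]
	seq := binary.BigEndian.Uint64(hdr)
	if seq <= t.lastSeq {
		return nil, errors.New("replayed or reordered frame")
	}
	inner, err := t.aead.Open(nil, nonce(seq), frame[seqLen:], hdr)
	if err != nil {
		return nil, err
	}
	t.lastSeq = seq
	return inner, nil
}

// innerIPv4 builds a constructed packet with a minimal 20-byte IPv4 header
// (checksum left zero); in the real system the NDIS intermediate driver hands
// over whatever the application sent.
func innerIPv4(src, dst [4]byte, proto byte, payload []byte) []byte {
	h := make([]byte, 20)
	h[0], h[8], h[9] = 0x45, 64, proto // IPv4 with IHL 5, TTL 64
	binary.BigEndian.PutUint16(h[2:], uint16(20+len(payload)))
	copy(h[12:], src[:])
	copy(h[16:], dst[:])
	return append(h, payload...)
}

func main() {
	key := make([]byte, 32) // constructed fixed key; the real one comes from the key hierarchy
	for i := range key {
		key[i] = byte(i)
	}
	client, _ := NewTunnel(key)
	server, _ := NewTunnel(key)
	pkt := innerIPv4([4]byte{10, 0, 0, 5}, [4]byte{10, 0, 0, 1}, 6, []byte("GET / HTTP/1.0\r\n"))
	frame := client.Encapsulate(pkt)
	out, err := server.Decapsulate(frame)
	fmt.Printf("inner %d bytes, on the wire %d bytes, recovered=%v err=%v\n",
		len(pkt), len(frame), string(out) == string(pkt), err)
	_, err = server.Decapsulate(frame)
	fmt.Println("same frame replayed:", err)
}
```

The strict "sequence number must increase" rule also drops legitimately reordered packets; a deployment would keep a replay window instead. The data key here is a constant so that the block runs on its own; in IPcrypt it is the directional key produced by the key management the page describes below.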
IPcrypt meets the strictest security standard requirements. Encryption keys are distributed automatically over the network from the distribution server. All network traffic, on every port, is encrypted. An IPcrypt network encryption deployment consists of an encryption server, the application server (the two can be combined in one PC), the distribution server, a monitoring server (which can also be combined in the same PC) and the client PCs. By default communication is enabled between clients and the server; optionally it can also be enabled between individual clients. Packet data is encrypted with AES-256. Distribution of the encryption keys is protected with asymmetric elliptic-curve cryptography (ECC).
The encryption system uses three-level key management; it is a dynamic scheme in which the key configuration changes constantly. Each PC in the network has its own master key. A set of 500 interactive keys, encrypted under the master key, is distributed to every PC and to the server. At each connection establishment one interactive key is selected at random and used to encrypt a randomly generated directional key; the directional key is the data key that encrypts the actual packet data. The directional key changes very often: every X milliseconds and also after a given amount of traffic. The interactive key set has a fixed lifetime, after which a new distribution from the distribution centre takes place. The distribution is carried out with elliptic-curve Diffie-Hellman (ECDH) together with a signature certificate (ECDSA), with support for ECIES encryption and decryption.
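The three-level hierarchy above, as an added example in Go that is not IPcrypt's own code: a master key per host wraps the distributed interactive key set, and at connection establishment one randomly chosen interactive key wraps a fresh directional key. AES-256-GCM as the wrapping primitive, the message layouts, the 8-key set in place of 500 and the sample keys are all assumptions made for the example; the ECDH/ECDSA transport of the distribution and the timed rotation are not modelled.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

const keyLen = 32 // AES-256 throughout, as the page states

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only a wrong key length reaches here
	}
	g, _ := cipher.NewGCM(block)
	return g
}

// wrap returns hdr || nonce || AES-256-GCM(payload) with hdr authenticated.
func wrap(key, hdr, payload []byte) []byte {
	g := gcm(key)
	nonce := randBytes(g.NonceSize())
	return g.Seal(append(append([]byte{}, hdr...), nonce...), nonce, payload, hdr)
}

// unwrap reverses wrap; a wrong key or any modification fails the tag check.
func unwrap(key []byte, hdrLen int, msg []byte) ([]byte, error) {
	g := gcm(key)
	ns := g.NonceSize()
	if len(msg) < hdrLen+ns+g.Overhead() {
		return nil, errors.New("message too short")
	}
	return g.Open(nil, msg[hdrLen:hdrLen+ns], msg[hdrLen+ns:], msg[:hdrLen])
}

// Level 1 -> 2: the distribution server sends the shared interactive key set to
// a host encrypted under that host's own master key ('K' is an assumed type byte).
func DistributeKeySet(masterKey []byte, keys [][]byte) []byte {
	return wrap(masterKey, []byte{'K'}, bytes.Join(keys, nil))
}

func ReceiveKeySet(masterKey, blob []byte) ([][]byte, error) {
	flat, err := unwrap(masterKey, 1, blob)
	if err != nil || blob[0] != 'K' || len(flat) == 0 || len(flat)%keyLen != 0 {
		return nil, errors.New("key set rejected")
	}
	var keys [][]byte
	for off := 0; off < len(flat); off += keyLen {
		keys = append(keys, flat[off:off+keyLen])
	}
	return keys, nil
}

// Level 2 -> 3: at connection establishment (and at every rotation) one interactive
// key chosen at random wraps a fresh directional key. Assumed layout: idx(2) || epoch(4) || nonce || GCM(dataKey).
func NewDirectionalKey(keys [][]byte, epoch uint32) (dataKey, msg []byte) {
	idx := int(binary.BigEndian.Uint16(randBytes(2))) % len(keys) // exact for 8 keys; use rejection sampling for 500
	hdr := make([]byte, 6)
	binary.BigEndian.PutUint16(hdr, uint16(idx))
	binary.BigEndian.PutUint32(hdr[2:], epoch)
	dataKey = randBytes(keyLen)
	return dataKey, wrap(keys[idx], hdr, dataKey)
}

// OpenDirectionalKey is the receiving side; only a host holding the interactive
// key named in the message can recover the directional key.
func OpenDirectionalKey(keys [][]byte, msg []byte) (epoch uint32, dataKey []byte, err error) {
	if len(msg) < 6 || int(binary.BigEndian.Uint16(msg)) >= len(keys) {
		return 0, nil, errors.New("malformed key message")
	}
	dataKey, err = unwrap(keys[binary.BigEndian.Uint16(msg)], 6, msg)
	return binary.BigEndian.Uint32(msg[2:6]), dataKey, err
}

func main() {
	keys := make([][]byte, 8) // generated once by the distribution server; 8 here instead of 500
	for i := range keys {
		keys[i] = randBytes(keyLen)
	}
	masterPC, masterSrv := randBytes(keyLen), randBytes(keyLen) // level 1: one master key per host
	pcKeys, _ := ReceiveKeySet(masterPC, DistributeKeySet(masterPC, keys))
	srvKeys, _ := ReceiveKeySet(masterSrv, DistributeKeySet(masterSrv, keys))
	dataKey, msg := NewDirectionalKey(pcKeys, 1) // client PC opens a connection
	epoch, got, err := OpenDirectionalKey(srvKeys, msg)
	fmt.Printf("epoch %d: server recovered the directional key: %v (err=%v)\n",
		epoch, bytes.Equal(got, dataKey), err)
}
```

Rotation of the directional key is simply another NewDirectionalKey/OpenDirectionalKey exchange with a new epoch; tying it to a byte counter or a timer is left to the caller. The tag check is what makes the hierarchy hold: a host without the interactive key set cannot open the directional key message, and a key set encrypted under another host's master key is rejected outright rather than partly accepted.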
IPcrypt can be deployed in local area networks as well as across a WAN or the Internet. Encryption is performed on the fly and completely transparently, so the user experiences no restrictions. Encryption on the network is activated with a USB GNT token just before the user logs on to the domain or local account.