IP Crypt

Basic general description of the IPcrypt version 6.0 data encryption protection system

Basic description of the IPcrypt network traffic encryption system:

IPcrypt is a network-transmitted data protection system for data traffic in Microsoft Windows operating systems. Protection is provided by encrypting the data transmitted within the TCP/IP network protocol suite. Encryption is performed at the IP packet level and at the TCP data stream level. The system has been designed to meet the safety criteria set by the Security Standard and, at the same time, to meet the conditions imposed by the National Security Bureau for successful execution of the pre-certification and certification procedure for obtaining a certificate for classification level V (reserved). Development of the IPcrypt system was necessary in particular because of the lack of a comparable network encryption system that would meet the required features from both the user and the cryptographic security aspects. The IPcrypt system implements the cryptographic standards required by the Security Standard and thus meets the NATO RESTRICTED and EU RESTRICTED security classifications. The system has been tested in real-world operation for several years, mainly in the state sector, and is continually upgraded and updated to the latest operating systems; the latest 64-bit version 6.0 is designed for Microsoft Windows 11 and for servers running Windows Server 2016, and it is also based on Windows 11. This latest version is also backward compatible with older operating systems such as Windows 7, Windows 8 and Windows 8.1 on the x64 architecture.

When implementing this system, emphasis was placed on encrypting modern network traffic at the Windows Filtering Platform (WFP) level, on using cryptographic standards for both symmetric and asymmetric ciphers, on correct implementation of the cryptographic algorithms to avoid the security vulnerabilities found in other similar systems, and on multi-factor protection both in the system's authentication processes and in the generation of key management elements and their distribution over network traffic.
The system uses three-level key management for both the client and server computers on the network. The changing elements of the key management are generated by the Central Security Authority (CSA), which is physically separated from the network. Special rules apply to the operation of the software on the CSA computer. Key management elements are kept on secure USB GNT tokens, which are also certified and have a built-in crypto processor with specific features. They are distributed to computers on the encrypted network, over that encrypted network, from a Distribution Server on which a CSA-generated distribution archive database is stored. Authentication and activation of the key management on each computer, which is necessary before clients log on to the domain, is performed as a multi-factor step by the Credential Provider installed on each computer. Multi-factor key protection ensures that keys are not transferable to other computers.
From the user's point of view, the IPcrypt encrypted network functions completely transparently. The only action required is to use the USB GNT token after the computer or server is started or restarted. The lifetime of the activated key management, and hence the operation of the encrypted network, is assured until the user or server administrator logs off or shuts down the computer.
The IPcrypt system also works on the most modern computer architectures with the latest processor generations (tested on PCs with 8th-generation CPUs) and with UEFI BIOS, a GPT partition table and Secure Boot enabled. This is made possible by the Microsoft-certified driver packages used in IPcrypt.

A brief description of the properties of the IPcrypt v6.0 system for Windows 7 up to Windows 11 and the x64 processor architecture:

• IPcrypt v6.0 program tools are intended for 64-bit operating systems of the NT (New Technology) family, Windows 7 up to Windows 11, on the 64-bit processor architecture,
• Network traffic encryption is conducted completely transparently, on the fly,
• The encrypted network becomes accessible only after the USB GNT token is inserted into a USB slot and the authentication password or PIN (optional) is entered, which activates the key management,
• The IPcrypt system uses three-level key management,
• The key management consists of the top-level key, interactive second-level keys and directional (third-level) keys,
• The life span of the individual keys is set by the Security Standard,
• Key handling and key management updates are described in the IPcrypt Rules of Conduct,
• Key management (KM) activation uses the main encryption key loaded from the USB GNT token after entering a password or PIN (specified by the CSA administrator),
• By activating the KM, the interactive keys are decrypted in the operating system kernel under the main key belonging to the PC client (server), and thus the encrypted network becomes operable,
• Interactive keys serve the dynamic process of encrypting directional keys,
• Directional keys are valid for a short period of time; their lifetime is controlled by the amount of encrypted and transmitted data and also by network transmission time,
• A directional key is regenerated every 10 minutes or after 1 MB of data transfer,
• Directional keys are generated by both clients and servers in the IPcrypt kernel module,
• The main encryption key stored in the token must be protected above all,
• Interactive keys are stored in the computer's registry, encrypted with the master key as well as the PC's hardware fingerprint, to make them functionally impenetrable to others and non-transferable to other computers,
• Data transmitted over the network is encrypted with the high-quality symmetric algorithm AES-256 with protection against timing and Vaudenay (padding-oracle) cryptographic attacks, which is also ensured by the choice of the correct encryption mode,
• As a further symmetric cryptographic algorithm, the AES-64A algorithm, with high resistance to multiple cryptanalyses, is used for ancillary purposes, namely for post-processing in the hardware random number generator in the CSA and as the core of the pseudo-random sequence generator used to generate directional keys,
• Both symmetric algorithms use a 256-bit encryption key; AES has a 128-bit (16-byte) block length, the SEA-64A a 64-bit (8-byte) block length,
• Elliptic Curve (EC) algorithms are used for asymmetric cryptography, especially for the implementation of the DH (Diffie-Hellman) algorithm for distributing keys from the distribution server,
• and also for other assistance features around DH, such as PKI signing and encryption,
• For compatibility reasons, the RSA asymmetric signature algorithm for certificates is also used in the CSA's built-in Certification Authority (CA),
• Standardized elliptic curves and algorithms are implemented and used,
• User passwords for USB token user authentication have a maximum length of 8 characters, but PIN codes of 4 to 8 digits can be used instead of passwords, which is sufficient to use the token as an authentication token,
• Whether a password or a PIN is used for token authentication is decided by the CSA administrator.
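The list above describes a three-level hierarchy: a master key on the token, interactive keys stored encrypted under the master key plus the PC's hardware fingerprint (so they do not transfer to another machine), and short-lived directional keys exchanged under the interactive keys and regenerated every 10 minutes or after 1 MB. The following Python block is an added example modelling that hierarchy; it is not IPcrypt code and says nothing about how the product actually implements these steps. It assumes HKDF-SHA256 as the key derivation function, uses a PRF keystream plus HMAC as a stand-in for the AES-256 mode the page names (the standard library has no AES), and takes an injectable clock so the time threshold can be exercised.

```python
"""Key hierarchy modelled on the IPcrypt description (added example, not
IPcrypt code): a master key from the token, an interactive key stored bound
to the PC's hardware fingerprint, and short-lived directional keys that are
transported under the interactive key and rotated after 10 min or 1 MB.

Assumptions: HKDF-SHA256 as KDF; a PRF keystream + HMAC in place of the
product's AES-256 wrap; an injectable clock for testing the time threshold.
"""
import hashlib
import hmac
import secrets
import time

HASH = hashlib.sha256
REKEY_SECONDS = 10 * 60      # page: directional key regenerated every 10 minutes ...
REKEY_BYTES = 1024 * 1024    # ... or after 1 MB of transferred data
SALT_LEN, TAG_LEN = 16, 32


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF (extract + expand) with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, HASH).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def _split_kek(kek_source: bytes, binding: bytes):
    """Derive separate encryption and MAC keys from the token key material
    *and* the binding value (hardware fingerprint or transport context)."""
    kek = hkdf(kek_source, binding, b"example-kek", 64)
    return kek[:32], kek[32:]


def wrap_key(kek_source: bytes, binding: bytes, key: bytes) -> bytes:
    """Encrypt-then-MAC a key under a KEK bound to `binding`. With the PC's
    hardware fingerprint as binding, the blob only opens on that machine with
    that token. Layout: salt || ciphertext || tag.
    A per-blob PRF keystream stands in for AES-256 here (assumption)."""
    enc_key, mac_key = _split_kek(kek_source, binding)
    salt = secrets.token_bytes(SALT_LEN)
    keystream = hkdf(enc_key, salt, b"keystream", len(key))
    ciphertext = bytes(a ^ b for a, b in zip(key, keystream))
    tag = hmac.new(mac_key, salt + ciphertext, HASH).digest()
    return salt + ciphertext + tag


def unwrap_key(kek_source: bytes, binding: bytes, blob: bytes) -> bytes:
    """Inverse of wrap_key. The tag is verified in constant time before any
    decryption, so a wrong token/machine pair or a tampered blob is rejected."""
    salt, ciphertext, tag = blob[:SALT_LEN], blob[SALT_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _split_kek(kek_source, binding)
    expected = hmac.new(mac_key, salt + ciphertext, HASH).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("key is bound to a different token or computer")
    keystream = hkdf(enc_key, salt, b"keystream", len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, keystream))


def opens_on(kek_source: bytes, binding: bytes, blob: bytes) -> bool:
    """True if the blob unwraps under this token/binding pair."""
    try:
        unwrap_key(kek_source, binding, blob)
        return True
    except ValueError:
        return False


class DirectionalKeyManager:
    """Third-level keys for one direction of traffic. A fresh random key is
    generated per epoch and handed to the peer wrapped under the shared
    interactive key; rotation happens on whichever threshold is hit first."""

    def __init__(self, interactive_key: bytes, clock=time.monotonic):
        self.interactive_key = interactive_key
        self.clock = clock
        self.rotations = 0
        self._start_epoch()

    def _start_epoch(self):
        self.key = secrets.token_bytes(32)   # page: generated in the kernel module
        self.started = self.clock()
        self.bytes_sent = 0

    def needs_rotation(self) -> bool:
        return (self.clock() - self.started >= REKEY_SECONDS
                or self.bytes_sent >= REKEY_BYTES)

    def key_for_packet(self, payload_len: int) -> bytes:
        """Key for the next packet, rotating first if a threshold was reached."""
        if self.needs_rotation():
            self.rotations += 1
            self._start_epoch()
        self.bytes_sent += payload_len
        return self.key

    def export_for_peer(self) -> bytes:
        """Current directional key wrapped under the interactive key for transport."""
        return wrap_key(self.interactive_key, b"directional-key transport", self.key)


def import_from_peer(interactive_key: bytes, blob: bytes) -> bytes:
    """Receiver side: recover the peer's directional key from the transported blob."""
    return unwrap_key(interactive_key, b"directional-key transport", blob)
```

The fingerprint enters only through the KDF, so a copied registry blob fails the tag check on any other machine rather than decrypting to garbage; and because `needs_rotation` is checked before each packet, the packet that crosses the 1 MB mark is still sent under the old key and the next one triggers the change, which is the behaviour a peer must mirror to stay in sync.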

Operational safety principles of the IPcrypt system

IPcrypt is designed primarily for the Restricted class and must therefore be certified. However, it can also be used to encrypt non-classified network traffic, for example traffic carrying only sensitive information. When used to encrypt networks carrying classified information, those networks must be separated from the Internet; that is, such use is for LANs only. For unclassified information, however, IPcrypt can be deployed on WAN networks connected to the Internet. It should be noted that even in this case computers with IPcrypt installed will only be able to communicate with computers (servers) that also have IPcrypt installed. Simultaneous access to encrypted servers or encrypted clients and to the Internet is not possible. Encryption is applied on all communication ports for any IP address; this is done for security reasons. In principle, a computer with IPcrypt v6.0 installed has no access to non-encrypted servers on the Internet. In the case of connection via a WAN network (e.g. branches connected via the Internet), it is possible to tunnel through clients running on private IP addresses behind NAT, i.e. also with the help of a mobile connection.