IPcrypt
Basic description of the IPcrypt network communication encryption system:
IPcrypt is a system for protecting data transmitted over a network and is used for network traffic on Microsoft Windows operating systems. Protection is achieved by encrypting the data carried by the TCP/IP protocol suite; encryption is applied both at the level of individual IP packets and at the level of the TCP data stream. The system was designed to meet the criteria of the applicable security standard and, at the same time, the conditions set by the National Security Authority for successful completion of the certification procedure for classification level "V" (reserved, the national RESTRICTED level). The development of IPcrypt was necessary mainly because no comparable network traffic encryption system was available that met the required characteristics in terms of both usability and cryptographic security. IPcrypt implements the cryptographic standards required by that security standard and therefore meets the NATO RESTRICTED and EU RESTRICTED security classifications. The system has been tested in real operation for several years, especially in the government sector, and has now been updated for the latest operating systems. The latest 64-bit version, v6.1, is designed for Microsoft Windows 11 and for servers running Windows Server 2016 through Windows Server 2025 (the last of these is already built on the Windows 11 code base). The latest client version of IPcrypt is also backward compatible with older x64 operating systems such as Windows 7, Windows 8 and Windows 8.1.
During implementation, emphasis was placed on securing modern network traffic with encryption at the Windows Filtering Platform (WFP) level, on using standard symmetric ciphers and implementing the cryptographic algorithms correctly so as to avoid the vulnerabilities found in similar systems, and on multi-factor authentication both for users of the system and for the processes that generate the elements of the key management scheme (which the product documentation calls the "key economy") and distribute them over the network.
The system uses a three-level key hierarchy for both client and server computers on the network. The changing elements of the key material are generated by the Central Security Authority (CBA), a computer that is physically separated from the network; special rules apply to operating the software on the CBA computer. The main elements of the key material are stored on USB GNT security tokens, which are themselves certified and contain a cryptographic security processor with dedicated functions. Interactive keys are distributed automatically to the computers on the encrypted network, over that encrypted network, from a distribution server holding a distribution database of keys regularly generated at the CBA. Authentication and activation of the key material on each computer, which is required before clients can log on to the domain, is multi-factor and is performed by IPcrypt's own Windows credential provider. The encrypted interactive keys are additionally protected by hardware-bound multi-factor protection so that they cannot be moved to another computer, not even to another PC on the same encrypted network.
From the user's point of view, an encrypted IPcrypt network is completely transparent. The only action required is to present the USB GNT token after the computer or server starts or restarts. IPcrypt also runs on current computer architectures with the latest processor generations, is independent of processor type and version, and works with UEFI firmware and Secure Boot enabled, because the kernel driver packages it installs are Microsoft-certified and signed.
Brief description of IPcrypt v6.1 features for Windows 7 to Windows 11 operating systems and for x64 processor architecture:
- The IPcrypt v6.1 software tools are designed for 64-bit Windows NT-family operating systems, from Windows 7 to Windows 11, on the x64 processor architecture,
- Encryption of network traffic is carried out completely transparently on the fly,
- The encrypted network becomes available only after a USB GNT token is inserted into a USB port and the authentication password or PIN code (whichever the administrator has configured at the CBA) is entered, which activates the key material,
- IPcrypt uses a three-level key hierarchy,
- The hierarchy consists of the top-level master key, the second-level interactive keys and the third-level directional data keys,
- The lifetime of each type of key is determined by the CBA,
- Updating the key material and handling its elements are described in the rules of use of the IPcrypt system,
- Activation of the key material uses the master encryption key held in the security processor of the USB GNT token, released after the password or PIN code (set by the CBA administrator) is entered,
- On activation, the interactive keys are decrypted inside the operating system kernel under the master key belonging to the workstation client or to the server administrator, which makes the encrypted network operational,
- Interactive keys drive the dynamic process of generating and encrypting the exchanged directional keys, which the design uses in place of an asymmetric Diffie-Hellman (DH) exchange,
- Directional keys are short-lived; their validity is bounded both by the amount of data encrypted and transmitted under them and by the time they have been in use,
- A directional key is regenerated every 10 minutes or after 1 MB of data has been transferred, whichever comes first,
- Directional keys are generated by both clients and servers in the IPcrypt kernel module,
- The master encryption key stored on the token must be protected by the token's security processor, because it is long-lived,
- Interactive keys are stored in the computer's registry, encrypted under the master key and additionally bound to the PC's hardware fingerprint, so that they are unusable to anyone else and cannot be transferred to another computer,
- Data transmitted over the network is encrypted with the standard AES-256 symmetric algorithm, implemented with protection against timing attacks and Vaudenay's padding-oracle attack; this protection also depends on the choice of appropriate modes of operation,
- The SEA-64A symmetric algorithm, described as highly resistant to most types of cryptanalysis, is used as an auxiliary algorithm: for post-processing the output of the hardware random number generator at the CBA, and as the core of the pseudorandom generator from which clients and servers derive directional keys,
- Both symmetric algorithms use a 256-bit key; AES has a 128-bit (16-byte) block, SEA-64A a 64-bit (8-byte) block,
- Elliptic-curve (EC) algorithms are used only for the asymmetric cryptography of the PKI, which is needed once, during the initial installation of IPcrypt. In normal network operation IPcrypt uses no asymmetric cryptography; it is replaced by the symmetric three-level key hierarchy, which the design presents as a more modern and more secure alternative to DH key agreement. A practical consequence is that the confidentiality of all traffic rests on the secrecy of the token-held master keys and of the distributed interactive keys; there is no per-session public-key exchange,
- For compatibility reasons, the DSA signature algorithm is also used by the built-in Certificate Authority (CA) at the CBA, but only to additionally sign the encrypted distribution archive, which is itself transmitted over an already encrypted network,
- User passwords for token authentication have a maximum length of 8 characters; PIN codes of 4 to 8 digits can be used instead. The short length is acceptable because the PIN only unlocks the token: the long-term secret is the master key held in the token's security processor, so the token still serves as a hardware authentication device,
- Whether a password or a PIN is used for token authentication is decided by the CBA administrator in line with the Terms of Use.
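The three-level hierarchy and the rotation rule in the list above can be illustrated with a small model. The following is an added example written for this page, not IPcrypt's own code; it uses only the Python standard library, so AES-256 and SEA-64A are stood in for by HMAC-SHA256 constructions (HKDF-Expand as the key-derivation and keystream core), and the label strings, the hardware fingerprint and the key values are made-up assumptions. It shows two things: an interactive key wrapped for registry storage under a key derived from the token-held master key and the machine fingerprint, with an encrypt-then-MAC tag checked in constant time so that a copied blob fails to unwrap on a different machine or with a different token; and directional keys derived per direction from the interactive key and rotated after 10 minutes or 1 MB, whichever comes first.

```python
import hashlib
import hmac
import os
import struct

# Rotation limits taken from the list above: 10 minutes or 1 MB of traffic.
ROTATE_BYTES = 1 << 20
ROTATE_SECONDS = 600


def hkdf_expand(prk: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-Expand (RFC 5869) with HMAC-SHA256; fine for outputs up to 255*32 bytes."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def _xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in for the AES-256 stream: keystream = HKDF(key, nonce), XORed onto data.
    stream = hkdf_expand(key, b"stream" + nonce, len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def _wrap_key(master_key: bytes, fingerprint: bytes) -> bytes:
    # The wrapping key depends on BOTH the token-held master key and the hardware
    # fingerprint, so a registry blob copied to another PC cannot be unwrapped there.
    # Label string "ipcrypt-wrap:" is an assumption made for this example.
    return hkdf_expand(master_key, b"ipcrypt-wrap:" + fingerprint)


def wrap_interactive_key(master_key: bytes, fingerprint: bytes, interactive_key: bytes) -> bytes:
    """Produce the blob that would be stored in the registry: nonce || ciphertext || tag."""
    wk = _wrap_key(master_key, fingerprint)
    nonce = os.urandom(16)
    ct = _xor_keystream(wk, nonce, interactive_key)
    tag = hmac.new(wk, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + ct + tag


def unwrap_interactive_key(master_key: bytes, fingerprint: bytes, blob: bytes) -> bytes:
    """Reverse of wrap_interactive_key; raises ValueError if the blob is not for this machine/token."""
    wk = _wrap_key(master_key, fingerprint)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(wk, nonce + ct, hashlib.sha256).digest()
    # compare_digest is constant-time: the tag check itself must not become a timing oracle.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("interactive key rejected: wrong token or different hardware")
    return _xor_keystream(wk, nonce, ct)


def derive_directional_key(interactive_key: bytes, src: bytes, dst: bytes, epoch: int) -> bytes:
    """Third-level key for one direction (src -> dst) of one flow; epoch advances on every rotation."""
    info = b"ipcrypt-dir:" + src + b"->" + dst + struct.pack(">Q", epoch)
    return hkdf_expand(interactive_key, info)


class DirectionalKeyState:
    """Tracks one sending direction and applies the 10-minute / 1 MB rotation rule."""

    def __init__(self, interactive_key: bytes, src: bytes, dst: bytes, now: float):
        self.interactive_key, self.src, self.dst = interactive_key, src, dst
        self.epoch, self.bytes_sent, self.started = 0, 0, now
        self.key = derive_directional_key(interactive_key, src, dst, self.epoch)

    def account(self, nbytes: int, now: float) -> bool:
        """Record nbytes sent at time now; returns True if the key was rotated as a result."""
        self.bytes_sent += nbytes
        if self.bytes_sent >= ROTATE_BYTES or now - self.started >= ROTATE_SECONDS:
            self.epoch += 1
            self.bytes_sent, self.started = 0, now
            self.key = derive_directional_key(self.interactive_key, self.src, self.dst, self.epoch)
            return True
        return False


if __name__ == "__main__":
    # Constructed sample values (not real key material).
    master = hashlib.sha256(b"token master key").digest()
    interactive = hashlib.sha256(b"interactive key from CBA").digest()
    blob = wrap_interactive_key(master, b"fingerprint-PC-A", interactive)
    assert unwrap_interactive_key(master, b"fingerprint-PC-A", blob) == interactive
    try:
        unwrap_interactive_key(master, b"fingerprint-PC-B", blob)
    except ValueError as e:
        print("copied blob on another PC:", e)
    state = DirectionalKeyState(interactive, b"10.0.0.1", b"10.0.0.2", now=0.0)
    print("rotated after 1 MB:", state.account(ROTATE_BYTES, 1.0), "epoch", state.epoch)
    print("rotated after 10 min:", state.account(100, 1.0 + ROTATE_SECONDS), "epoch", state.epoch)
```

Two design points carry over to any real implementation of this scheme: the wrapping key must mix in the hardware fingerprint before anything is encrypted (binding it afterwards, for example by storing the fingerprint next to the blob, protects nothing), and the per-direction derivation must include the direction itself, so that the A-to-B and B-to-A keys differ even though both ends hold the same interactive key.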
Principles of IPcrypt Operation Security
IPcrypt is designed primarily for a limited class of classified information and must therefore be certified. It can also be used to encrypt unclassified network traffic, for example traffic that carries only sensitive information. When it is used to encrypt networks carrying classified information, those networks must be separated from the Internet, which means that in that case IPcrypt is intended only for LANs. For unclassified information, IPcrypt may be deployed on WAN networks connected to the Internet. Even then, however, a computer with IPcrypt installed can communicate only with other computers (servers) that also have IPcrypt installed: encryption is applied on all communication ports and to all IP addresses, for security reasons, so an IPcrypt host has in principle no access to unencrypted servers on the Internet, and mixed encrypted and unencrypted operation on the same host is ruled out. In a WAN deployment (for example, branches connected over the Internet), clients on private IP addresses behind NAT can be connected, including over a mobile connection. IPcrypt v6.1 is designed and certified for use by client stations in both protected and unprotected areas; the type of use is selected when IPcrypt is installed.