2018-10-17

Serial RS232 Encryption

Serial RS232 Cryptor

Serial ports based on the RS232 specification are widely used in SCADA systems. There is demand for security solutions for serial modem communication links. With Cryptor 302 we provide a new product with highest security for RS232 links. Highest cryptographic security is combined with maximum physical security for the product. Technologies developed for highly sensitive computer networks are applied to the Serial Cryptor 302 wherever possible.

Cryptor 302

The first high-security SCADA RS232c encryption device. Even though it is an old standard, serial communication is still widely used in the SCADA world.

We provide a real high-security encryption device, with features and functions that are unique. Besides simple point-to-point encryption, a lot of additional benefits are built into this product. No compromise when it comes to security. The highly sophisticated encryption functions, which go far beyond standard AES 256, are needed for critical infrastructure. Less would be risky.

Besides the security of the data, the protection of the device itself is important. SCADA equipment mostly operates in unattended environments. Every unexpected situation is detected, recorded and countered. If a connection to the partner Cryptor is available, reports or alerts are delivered. The product is protected by an active Anti Tamper Device (ATD), which detects all modifications to the product itself. A self-erase function deletes all access codes from the inbuilt security chip.

All keys are encrypted and only used inside the FPGA encryption chip. The Cryptor has a built-in battery, which lasts 11 years when no external power is supplied. During normal operation, when the Cryptor is connected to a power source, the battery can last even longer.

Redundancy on critical elements is important. Power input is redundant: two inputs are provided via an edge connector, and one additional input is for table top use.

The product is embedded in a solid machined aluminium casing, providing a DIN rail mount. Without the DIN rail mount the product can be used as a table top Cryptor. At just 10 x 10 cm in size, it is the smallest high-security serial encryptor on the market.

Security Functions:

  • Encryption using a block cipher with 256 bit key length.
  • Self-synchronising if data are lost or damaged during transmission over the line.
  • Automatic or policy-initiated key change without Diffie-Hellman (DH) type protocols.
  • Alive data is sent if no user payload has been transferred for a time.
  • Status and alarm information sent to the partner automatically.
  • Events are recorded with a time stamp from the internal real-time clock.
  • Active ATD and double casing protection.
  • Anti-replay protection.
  • Emergency erase button (protected against accidental activation).
  • Customer-defined proprietary algorithms usable.
  • Additional encryption rounds against known S-Box weaknesses.
  • Customers can load all software, algorithms, certificates, etc. themselves to counter supply chain attacks.

Operational features:

  • Redundant power supply.
  • Automatic and manual baud rate configuration.
  • Full set of line and modem control lines.
  • Sleep mode when there is no traffic, to save power.
  • Inbuilt security backup battery.
  • USB-C port for initial configuration, local management and on-site statistics.
  • 100 Mbit Ethernet port for management networks.

Developed and manufactured in Singapore for government and critical infrastructure use.

This product is available in December 2018.

Cryptor 302 Specification

Physical Dimensions:

  • Solid Full Aluminium Casing
  • Small 100 x 100 x 30 mm

Electrical Data:

  • 12 Volt max 650 mA
  • Industrial connector with 2 separate inputs for full power redundancy
  • Alternative 12 Volt supply through a small pinhole connector for office use
  • Alternative 5 Volt supply through USB-C connector for configuration
  • 3 Volt Lithium Battery 1 Ah internally replaceable

Performance Data:

  • 300 to 115200 Baud full duplex
  • 4 seconds startup delay until serial operation is ready

Ports and Connections:

  • 2 x RJ45 connector for plain and encrypted serial data
  • USB-C port using USB2.1 for diagnostic reports and initial configuration
  • 5 Volt alternate operating power during configuration (1 cable only)
  • RJ45 Ethernet 100 BaseT network for multiple use
  • Industrial power edge connector for 2 independent supplies

Switches:

  • Reset switch
  • Product erase switch to reset product to factory state

Signaling:

  • Plain port LED for Rx data receiving
  • Plain port LED for Tx data sending
  • Crypt port LED for Rx data receiving
  • Crypt port LED for Tx data sending
  • Ethernet port LED for link detect
  • Ethernet port LED for packet traffic
  • Power-On LED
  • Error LED for detected self-test and operational errors
  • Ready LED signaling in operational mode
  • Configuration LED signaling no or incomplete configuration

Cryptography:

  • Smartcard equivalent security chip EAL 4+
  • Full set of crypto functions provided by the security chip
  • FPGA based payload and management encryption
  • 256 bit key length for payload encryption
  • AES as built in standard
  • Customizable by parameters
  • 16 S-Boxes for encryption and 16 S-Boxes for decryption
  • One to 16 S-Boxes can be loaded with independent content
  • Encryption rounds can be defined from 14 to 29
  • Alternatively, a fully customizable algorithm using different FPGA code

Access control and Identification:

  • Challenge response based authentication between Cryptor and Admin station
  • RSA 2048, alternatively ECC based Cryptor certificate to prove identity
  • Certificates signed by Admin certificate
  • Password based local access control for non-sensitive local activities
  • Remote reset/change of Cryptor's local password at any time by Admin

Cryptor Role:

  • Paired link provides a point to point link without hierarchy
  • Master-Slave link in which a central Cryptor can control the remote Cryptor