Multimedia communications and the impressive advances in broadband networking technologies are increasingly influencing everyday life, causing sweeping changes in the way we work, live, and socialise. Confidential communication is of paramount importance for secure multimedia applications such as teleworking, telemedicine, and commercial applications.
SCAN addresses confidential communication in asynchronous transfer mode (ATM) networks. The main objective is to develop solutions by applying state-of-the-art encryption on a per-user connection basis, whilst remaining independent of the user application supported by the ATM network and the underlying physical media. The approach is based on developing a secure ATM network interface card (ATM NIC) for PCs that can handle the two different physical media that are commonly used in local area and wide area ATM networks. These cards will operate at transmission speeds in the range from 2Mbit/s to 155Mbit/s. Security services, such as session key negotiation, are an integral part of SCAN.
SCAN approaches confidentiality by encrypting the ATM cell payload on a per virtual connection (per-VC) basis. This conforms to the ATM Forum Security Specification 1.0, which is widely accepted as a framework for secure communication in ATM network environments. The ATM cell stream is intercepted at a well defined, standardised interface and can be connected to the universal test and operations physical interface for ATM (UTOPIA). Both the ATM NIC itself and a high-speed data encryption standard (DES)/TripleDES hardware unit, connected to the ATM NIC via UTOPIA compliant interfaces, are being developed within SCAN, together with the necessary software entities such as the security signalling.
The SCAN secure ATM NIC consists of: a segmentation and re-assembly (SAR) processor performing the ATM adaptation layer (AAL) and ATM layer functionality; a high-speed DES/TripleDES encryption unit providing confidentiality; and physical media dependent (PMD) and transmission convergence (TC) components transforming the ATM cells to the 155Mbit/s synchronous transfer mode 1 (STM-1) signal or to the 2Mbit/s E1 signal according to ITU-T G.703, respectively.
Summary of Trial
To demonstrate the system's principles, a pilot installation covering ATM LAN connections and ATM WAN connections will be undertaken by the end of 1999. The testbed for the trials will consist of laboratory facilities, as well as public lines via National Hosts.
The achievements of the project are expected to be:
- An ATM NIC functionally comparable to standard ATM end user equipment.
- Confidentiality in ATM networks by means of symmetric DES or TripleDES encryption, with an effective key length of 56 bits or 112 bits respectively.
- Negligible additional delay due to encryption, in the magnitude of a few ATM cell periods, not affecting delay sensitive applications.
- An open key exchange interface allowing the key exchange algorithm to be replaced according to user or legislative needs.
- Security services on a user-to-user basis, transparent to and independent of the application.
Instead of implementing security services at the application level, SCAN approaches confidentiality in ATM networks by securing the communication on a per network connection basis. This should result in far reaching independence from the application, so that a variety of sensitive applications is addressed. These include linking a company's geographically spread LANs into a cryptographically secured virtual LAN, and demanding medical applications such as remote patient monitoring; all of these require high levels of confidentiality. SCAN will advance the field of privacy enhancing technologies.
Main contributions to the programme objectives: develop encryption technology for ATM links.
Contribution to the programme: allows secure confidential communication on ATM networks.
SCAN has to address three major technical issues:
- The ATM NIC should be developed to support two physical interfaces, STM-1 and E1. This includes the development of the driver and the application program interface (API).
- The design and fabrication, using very large scale integration (VLSI), of a DES/TripleDES unit capable of meeting the major constraints of high-speed encryption operating at up to 155Mbit/s, together with the key agility required for rapid changes of session key between subsequent ATM cells.
- The security signalling is embedded in the user network interface (UNI) signalling messages at call establishment as additional information elements. This demands special attention to be given to security operation, administration and maintenance (OAM) flows during the lifetime of a given user connection.
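The per-VC payload encryption and the cell-to-cell key agility described above, as an added Go example that is not SCAN's own code or design: each cell's 5-byte header is left in clear for routing, the 48-byte payload is transformed under the session key of the cell's (VPI, VCI), and the unit switches keys on every cell. It assumes a 24-byte TripleDES session key already negotiated per VC and TripleDES in counter mode with a per-VC cell counter as IV (the page does not name a mode); PT, CLP and HEC are not modelled, and VPI/VCI values are constructed.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/binary"
	"errors"
)

// MakeCell builds a 53-byte UNI cell: header GFC(4) VPI(8) VCI(16) PT(3) CLP(1) HEC(8), then the 48-byte payload (PT, CLP, HEC left zero).
func MakeCell(vpi uint8, vci uint16, payload []byte) []byte {
	c := make([]byte, 53)
	c[0], c[1], c[2], c[3] = vpi>>4, vpi<<4|byte(vci>>12), byte(vci>>4), byte(vci)<<4
	copy(c[5:], payload)
	return c
}
// vcKey packs a cell's (VPI, VCI) into the lookup key of the session-key table.
func vcKey(cell []byte) uint32 {
	vpi := uint32(cell[0]&0x0F)<<4 | uint32(cell[1]>>4)
	vci := uint32(cell[1]&0x0F)<<12 | uint32(cell[2])<<4 | uint32(cell[3]>>4)
	return vpi<<16 | vci
}
// vcState is the per-connection context the encryption unit switches on every cell.
type vcState struct {
	block cipher.Block // TripleDES session key negotiated for this VC (assumed)
	seq   uint32       // cells seen on this VC; drives the counter-mode IV
}
// CellCrypto encrypts payloads per VC; a peer fed the same cells in order decrypts.
type CellCrypto struct{ vcs map[uint32]*vcState }
func NewCellCrypto() *CellCrypto { return &CellCrypto{vcs: map[uint32]*vcState{}} }
// AddVC installs the 24-byte TripleDES session key agreed for one connection.
func (e *CellCrypto) AddVC(vpi uint8, vci uint16, key []byte) error {
	b, err := des.NewTripleDESCipher(key)
	if err == nil {
		e.vcs[uint32(vpi)<<16|uint32(vci)] = &vcState{block: b}
	}
	return err
}
// Process transforms one cell's payload in place. The header stays in clear so switches can route the cell; cells on unprotected VCs pass through.
func (e *CellCrypto) Process(cell []byte) error {
	if len(cell) != 53 { return errors.New("not a 53-byte ATM cell") }
	st, ok := e.vcs[vcKey(cell)]
	if !ok { return nil }
	// IV: cell sequence in the high 32 bits, block index (0..5) in the low 32 bits, so no keystream block repeats on a VC; both ends must stay cell-synchronised.
	var iv [8]byte
	binary.BigEndian.PutUint32(iv[:4], st.seq)
	st.seq++
	cipher.NewCTR(st.block, iv[:]).XORKeyStream(cell[5:], cell[5:])
	return nil
}
```

Because the counter state is kept at both ends, a lost or reordered cell on a protected VC desynchronises the keystream until the counters are re-aligned, which is the synchronisation problem the security OAM flows mentioned above have to handle.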