Data Transmission Security: AES & AKEP2

Apollo employs an efficient, high-performance AES-256 VPN dynamic tunnel that encrypts data moving across any wide area network. It works through NAT and PAT environments and does not fail when the device moves out of coverage. Session keys are generated dynamically for each session rather than configured statically, so a compromised key exposes only that session's traffic. Apollo is able to manage split-tunnel authentication, supporting sessions over multiple simultaneous bonded bearers.

The AES (Advanced Encryption Standard) used by Apollo, also known as Rijndael, was adopted by NIST in 2001 as Federal Information Processing Standard 197. Like its predecessors, AES is a block cipher: plaintext is encrypted in fixed-size blocks (128 bits for AES) under a secret key. Apollo pairs AES with a Diffie-Hellman key exchange. Diffie-Hellman is a public-key technique, and public-key methods are the cryptographically sounder way to establish session keys because neither side has to deliver the session key to the other out of band. In public-key encryption a public key encrypts and the matching private key decrypts; Diffie-Hellman instead lets each side combine its own private value with the other side's public value so that both arrive at the same shared secret. Because these algorithms work with very large prime numbers they are computationally expensive, so they are used only to establish the key; the much faster symmetric block cipher encrypts the bulk data. With encryption active, only the Apollo data and compressed TCP/IP data are encrypted. The HDLC header is applied to the datagram after encryption, so that link-level error detection works on the ciphertext: decryption propagates bit errors (its error-extension property), which would make error detection and correction after decryption more difficult. Data is compressed before encryption because encrypted data is effectively random and cannot be compressed afterwards. Compression is an efficiency measure rather than a security one, and it carries a caveat: when attacker-influenced data shares a compression context with a secret, the length of the resulting ciphertext can leak information about that secret.

AKEP2 (Authenticated Key Exchange Protocol 2) is derived from the SKID3 protocol and uses keyed hash functions (MACs) to secure the exchange: in three messages each side proves knowledge of a shared long-term key by returning a MAC over the peer's fresh nonce and both identities, and the session key is then derived with a second long-term key from the responder's nonce. In Apollo the keys for the keyed hash are not stored statically; to limit the damage of any compromise they are recomputed before every key exchange from information unique to each client, which is fed into a key expansion algorithm that produces four 128-bit keys. The keyed hash functions are built on the Blowfish cipher, and a two-key triple-encryption pass produces the final hashed value. Apollo's implementation additionally feeds information unique to each session into the hash inputs, so the peer is authenticated afresh for every session.
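The three-message AKEP2 exchange described above, as an added example that is not part of the original page or of Apollo's code. It follows the protocol as published (Bellare and Rogaway, in the form given in the Handbook of Applied Cryptography): A sends a nonce, B replies with both identities and both nonces under a MAC, A confirms B's nonce under the same MAC, and both sides derive the session key from B's nonce with a second long-term key. The Blowfish-based keyed hash and the per-client key expansion described above are replaced by HMAC-SHA256 over two fixed test keys; the identities, key values, nonce length and the in-process message passing are assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// LongTermKeys are the two secrets AKEP2 assumes both parties already share:
// K keys the MAC that authenticates the exchange, Kprime keys the session-key
// derivation. The values used below are constructed test keys.
type LongTermKeys struct{ K, Kprime []byte }

// Msg2 is B's reply (B, A, r_A, r_B) with tag h_K over those fields; Msg3 is
// A's confirmation (A, r_B) with tag h_K(A, r_B).
type (
	Msg2 struct{ B, A, Ra, Rb, Tag []byte }
	Msg3 struct{ A, Rb, Tag []byte }
)

// mac is the keyed hash h_K. The page describes a Blowfish-based construction;
// HMAC-SHA256 stands in for it here. Fields are length-prefixed so that, for
// example, ("AB", "") and ("A", "B") cannot yield the same tag.
func mac(key []byte, fields ...[]byte) []byte {
	m := hmac.New(sha256.New, key)
	for _, f := range fields {
		m.Write([]byte{byte(len(f) >> 8), byte(len(f))})
		m.Write(f)
	}
	return m.Sum(nil)
}

func nonce() []byte {
	r := make([]byte, 16)
	rand.Read(r) // crypto/rand; a failure here is fatal, not recoverable
	return r
}

// Message 1, A -> B: a fresh nonce r_A.
func InitiatorStart() []byte { return nonce() }

// Message 2, B -> A: B picks r_B and authenticates both identities and both nonces.
func ResponderReply(keys LongTermKeys, idB, idA, ra []byte) Msg2 {
	rb := nonce()
	return Msg2{idB, idA, ra, rb, mac(keys.K, idB, idA, ra, rb)}
}

// Message 3, A -> B: A checks that the reply names the right parties, echoes its
// own r_A (freshness) and carries a valid tag, then confirms r_B under h_K.
func InitiatorFinish(keys LongTermKeys, idA, idB, ra []byte, m Msg2) (Msg3, []byte, error) {
	if !bytes.Equal(m.B, idB) || !bytes.Equal(m.A, idA) || !bytes.Equal(m.Ra, ra) {
		return Msg3{}, nil, errors.New("akep2: identities or nonce r_A do not match")
	}
	if !hmac.Equal(m.Tag, mac(keys.K, m.B, m.A, m.Ra, m.Rb)) {
		return Msg3{}, nil, errors.New("akep2: bad tag on message 2")
	}
	return Msg3{idA, m.Rb, mac(keys.K, idA, m.Rb)}, SessionKey(keys, m.Rb), nil
}

// ResponderFinish is B's check of message 3; on success B derives the same key.
func ResponderFinish(keys LongTermKeys, idA, rb []byte, m Msg3) ([]byte, error) {
	if !bytes.Equal(m.A, idA) || !bytes.Equal(m.Rb, rb) {
		return nil, errors.New("akep2: identity or nonce r_B do not match")
	}
	if !hmac.Equal(m.Tag, mac(keys.K, m.A, m.Rb)) {
		return nil, errors.New("akep2: bad tag on message 3")
	}
	return SessionKey(keys, rb), nil
}

// SessionKey is W = h'_{K'}(r_B); the second key keeps W independent of the tags
// that travelled on the wire.
func SessionKey(keys LongTermKeys, rb []byte) []byte {
	return mac(keys.Kprime, []byte("akep2 session key"), rb)
}

// RunAKEP2 drives one exchange in-process; tamper, if non-nil, edits message 2 in flight.
func RunAKEP2(keys LongTermKeys, idA, idB []byte, tamper func(*Msg2)) (wA, wB []byte, err error) {
	ra := InitiatorStart()
	m2 := ResponderReply(keys, idB, idA, ra)
	rb := append([]byte(nil), m2.Rb...) // B keeps its own copy of r_B
	if tamper != nil {
		tamper(&m2)
	}
	m3, wA, err := InitiatorFinish(keys, idA, idB, ra, m2)
	if err == nil {
		wB, err = ResponderFinish(keys, idA, rb, m3)
	}
	return wA, wB, err
}

func main() {
	keys := LongTermKeys{K: []byte("constructed-key-K"), Kprime: []byte("constructed-key-K'")}
	wA, wB, err := RunAKEP2(keys, []byte("anywhere-client"), []byte("pas"), nil)
	fmt.Printf("honest run: err=%v keys match=%v\n", err, bytes.Equal(wA, wB))
	_, _, err = RunAKEP2(keys, []byte("anywhere-client"), []byte("pas"), func(m *Msg2) { m.Rb[0] ^= 1 })
	fmt.Println("tampered r_B:", err)
}
```

The tamper hook plays the man in the middle: anyone who changes r_B, an identity or the tag without knowing K is caught at the MAC check, and the two honest sides end up with the same W only when every check passes.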

Key Exchange Mechanism

In Apollo the key is exchanged between the Anywhere Client and the PAS using a mechanism based on Diffie-Hellman. In classical Diffie-Hellman the public values are exchanged in clear text, which is by design: the strength of the exchange comes from the size of the group and from authenticating the exchanged values, not from hiding them. Apollo goes further and sends none of the values in clear text, which denies a passive observer even the public parameters; protection against an active attacker substituting values still comes from peer authentication (AKEP2, above) rather than from concealment. Apollo uses a 256-bit AES session key by default. The process is transparent to the customer, since the key material is generated automatically inside the Anywhere Client and the PAS, keeping configuration fast and simple.
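Key agreement feeding a 256-bit AES session key, with compression applied before encryption, as an added example covering this section and the AES and Diffie-Hellman discussion above; it is not the original page's or Apollo's code. It uses X25519, the elliptic-curve form of Diffie-Hellman in the Go standard library, in place of the classic finite-field exchange (the step is the same: each side combines its private value with the peer's public value), AES-256-GCM for the bulk encryption, and DEFLATE for the compression step. The key-derivation label, the sample record and the cookie/parameter layout used in the length-oracle check are assumptions.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"io"
)

// Side is one endpoint (Anywhere Client or PAS) holding an ephemeral key pair.
type Side struct{ priv *ecdh.PrivateKey }

func NewSide() (*Side, error) {
	k, err := ecdh.X25519().GenerateKey(rand.Reader)
	return &Side{k}, err
}

// Public is the value classic Diffie-Hellman sends to the peer; revealing it is safe.
func (s *Side) Public() []byte { return s.priv.PublicKey().Bytes() }

// SessionKey combines this side's private scalar with the peer's public value and
// derives a 256-bit AES key; the raw shared secret is never used as a key directly.
func (s *Side) SessionKey(peerPublic []byte) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerPublic)
	if err != nil {
		return nil, err
	}
	shared, err := s.priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	h := hmac.New(sha256.New, shared)
	h.Write([]byte("example aes-256 session key")) // derivation label: an assumption
	return h.Sum(nil), nil                          // 32 bytes: AES-256
}

// Compress is the DEFLATE step that runs before encryption.
func Compress(p []byte) []byte {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.BestCompression)
	w.Write(p)
	w.Close()
	return buf.Bytes()
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal compresses, then encrypts with AES-256-GCM; the random nonce is prepended.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand; a failure here is fatal, not recoverable
	return gcm.Seal(nonce, nonce, Compress(plaintext), nil), nil
}

// Open authenticates and decrypts first, then decompresses: a tampered record or a
// wrong key fails at the GCM tag check before any inflate code sees the data.
func Open(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("sealed record too short")
	}
	compressed, err := gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
	if err != nil {
		return nil, err
	}
	return io.ReadAll(flate.NewReader(bytes.NewReader(compressed)))
}

// SealedLen is the caveat on compress-before-encrypt: when an attacker-chosen guess
// shares a compression context with a secret, the sealed length is smaller exactly
// when the guess matches. GCM hides content, not length.
func SealedLen(key, secret, guess []byte) int {
	sealed, _ := Seal(key, []byte(fmt.Sprintf("Cookie: %s\r\nparam=%s", secret, guess)))
	return len(sealed)
}

func main() {
	client, _ := NewSide()
	pas, _ := NewSide()
	kc, _ := client.SessionKey(pas.Public())
	kp, _ := pas.SessionKey(client.Public())
	sealed, _ := Seal(kc, []byte("constructed telemetry record"))
	back, err := Open(kp, sealed)
	fmt.Printf("keys match=%v back=%q err=%v\n", bytes.Equal(kc, kp), back, err)
}
```

Compressing the sealed output again shows why the order is fixed: ciphertext does not shrink, so compression has to run first if it is to run at all. SealedLen shows the cost of that order when secrets and attacker input are mixed in one buffer, which is the situation the CRIME and BREACH attacks exploit.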


Device Registration

Apollo's device authentication is performed using encoded MAC addresses, which are in turn used to perform session validation before user-level credentials are submitted. This provides early warning and detection of black-listed clients before any authentication-layer processing occurs. Because a MAC address can be set by whoever controls the device, this step is a device-identification and blacklisting check rather than a cryptographic proof of identity; that proof comes from the certificate-based user authentication described below.

User Authentication

Apollo's user-authentication process uses EAP (Extensible Authentication Protocol) in conjunction with the TLS (Transport Layer Security) protocol, the combination known as EAP-TLS. Together these protocols provide mutual authentication between the Anywhere Client and the PAS authentication server using digital certificates: the client verifies the server's certificate and the server verifies the client's. Because authentication is conducted only after the encrypted L2TP tunnel has been established, none of the authentication packets are transferred in plain text. The mutual-authentication guarantee holds only if both sides actually validate the certificate they are shown (trusted issuer, validity period, revocation status and, on the client side, the server's name); a client that accepts any server certificate can be walked through the handshake by an impostor PAS.
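Certificate-based mutual authentication between a client and a server, as an added example that is not the original page's or Apollo's code. It uses a plain TLS handshake over loopback TCP rather than EAP-TLS (EAP carries the same TLS handshake inside its own framing, and the certificate checks are identical). It builds a throwaway CA, a server certificate for a made-up PAS name and one client certificate, then runs a handshake in which the server insists on a client certificate chaining to the CA and the client insists on the expected server name; the names, serial numbers, key type and loopback transport are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // failing to build the constructed PKI is a bug in the example
	}
	return v
}

// newCert issues tmpl signed by parentKey; a nil parentKey means self-signed (the CA).
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parentKey == nil {
		parentKey = key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// template is a one-day certificate; names, serials and usages are assumptions.
func template(cn string, serial int64, eku x509.ExtKeyUsage) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{eku},
	}
}

// PKI is the constructed hierarchy: a CA both sides trust, a PAS server certificate, a client certificate.
type PKI struct {
	Pool           *x509.CertPool
	Server, Client tls.Certificate
}

func BuildPKI() *PKI {
	ca := template("Example Root CA", 1, x509.ExtKeyUsageAny)
	ca.IsCA, ca.BasicConstraintsValid, ca.KeyUsage = true, true, x509.KeyUsageCertSign
	caCert, caKey := newCert(ca, ca, nil)
	srv := template("pas.example", 2, x509.ExtKeyUsageServerAuth)
	srv.DNSNames = []string{"pas.example"} // the name the client will insist on
	srvCert, srvKey := newCert(srv, caCert, caKey)
	cliCert, cliKey := newCert(template("anywhere-client-01", 3, x509.ExtKeyUsageClientAuth), caCert, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	return &PKI{pool,
		tls.Certificate{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey},
		tls.Certificate{Certificate: [][]byte{cliCert.Raw}, PrivateKey: cliKey}}
}

// Handshake runs one handshake over loopback TCP: the server requires a client certificate
// chaining to the CA; the client verifies the server against the CA and serverName and
// presents certs (nil models a client with none). It returns the client identity the
// server accepted, or the first verification error from either side.
func Handshake(p *PKI, certs []tls.Certificate, serverName string) (string, error) {
	srv := &tls.Config{Certificates: []tls.Certificate{p.Server}, ClientCAs: p.Pool, ClientAuth: tls.RequireAndVerifyClientCert}
	cli := &tls.Config{RootCAs: p.Pool, ServerName: serverName, Certificates: certs}
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	var clientCN string
	done := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err == nil {
			defer raw.Close()
			raw.SetDeadline(time.Now().Add(5 * time.Second)) // never let a stalled peer hang the demo
			s := tls.Server(raw, srv)
			if err = s.Handshake(); err == nil {
				clientCN = s.ConnectionState().PeerCertificates[0].Subject.CommonName
			}
		}
		done <- err
	}()
	raw := must(net.Dial("tcp", ln.Addr().String()))
	defer raw.Close()
	cerr := tls.Client(raw, cli).Handshake()
	serr := <-done
	if cerr != nil {
		return "", cerr
	}
	return clientCN, serr
}

func main() {
	p := BuildPKI()
	cn, err := Handshake(p, []tls.Certificate{p.Client}, "pas.example")
	fmt.Printf("mutual authentication: client=%q err=%v\n", cn, err)
}
```

The two failure cases worth trying are a client that presents no certificate (the server refuses, because ClientAuth is RequireAndVerifyClientCert) and a client that expects a different server name (the client refuses, because the server certificate is not valid for that name). Dropping either check leaves one direction of the "mutual" authentication unverified.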