
TopSec Mobile Voice encryption for mobile phones

Secure Communications

Data Sheet | 04.00

TopSec Mobile At a glance


The TopSec Mobile is a voice encryption device that can be connected to commercially available mobile phones using a Bluetooth interface. It provides confidential, tap-proof communications anywhere in the world. The encryption has been embedded in the TopSec Mobile hardware to avoid the susceptibility of GSM phones to manipulation.

The TopSec Mobile connects to communications terminal equipment by means of Bluetooth. These terminals are predominately mobile phones. A TopSec Mobile allows encrypted communications with an interoperable partner encryption device using almost any mobile phone with a Bluetooth interface. This provides voice encryption services for the majority of the mobile phones from a variety of manufacturers. The algorithms and methods used for encryption have been tried and tested with the TopSec product family. The TopSec Mobile is the most secure voice encryption device for mobile communications on the market today. It features an elegant design, outstanding voice quality and is easy to use and operate.

The TopSec Mobile is
- plug-and-play compatible with most commercially available mobile phones
- interoperable with other TopSec products in analog and digital fixed networks, as well as in mobile radio and TETRA networks
- secure through state-of-the-art encryption and security processes

TopSec Mobile Benefits and key features

Versatile
- Bluetooth interface to connect to end user communications terminal equipment
- TopSec Mobile works with almost every modern mobile phone
- Largely independent of mobile radio frequencies
- Can also be used with modems and satellite phones with Bluetooth interface

Manipulation-proof
- Unrestricted use of the mobile phone convenience features
- TopSec Mobile security is independent of the mobile phone
- Cannot be identified by the mobile network provider

TopSec encryption methods
- Method for maximum security
- Key agreement with elliptical curves, 384 bit
- Preventing spoofed encrypted connections and man-in-the-middle attacks
- Certificate-based authentication
- Voice encryption using the Advanced Encryption Standard (AES) 256 bit key

Loadable encryption methods
- Security card reader
- Support of BOS-Digital security card

Interoperable
- Interoperability with:
  - TopSec Mobile in combination with a mobile phone
  - TopSec GSM encrypting mobile phone
  - TopSec 703+ encryption device for digital connections
  - TopSec 711 encryption device for analog connections
- Future-ready

The Bluetooth word mark and logos are registered trademarks owned by Bluetooth SIG, Inc. and any use of such marks by Rohde & Schwarz is under license.

Rohde & Schwarz TopSec Mobile 3

Versatile
Bluetooth interface to connect to end user communications terminal equipment
The TopSec Mobile voice encryption device utilizes a Bluetooth interface to connect to communications terminal equipment. The majority of the devices that are used with the TopSec Mobile are mobile phones with Bluetooth. Bluetooth is a clearly defined standard that provides a stable communications interface between the TopSec Mobile and the mobile phone. The TopSec Mobile provides voice encryption versatility when connecting communications terminal equipment to the network.

Largely independent of mobile radio frequencies


An additional advantage of using Bluetooth connectivity is that the TopSec Mobile is largely independent of the mobile radio frequencies. With a Bluetooth mobile phone and its associated mobile radio network, users can rely on having access to their desired frequencies and network providers. The TopSec Mobile requires a non-transparent data connection at 9.6 kbps for encrypted connections. Depending on the capability of the partner encryption device, either the V.110 or V.32 communications protocol is used. The necessary requirements are supported by most mobile phones with Bluetooth and by most mobile radio networks.

Can also be used with modems and satellite phones with Bluetooth interface
The TopSec Mobile can be connected to an analog or ISDN modem or a satellite phone via the Bluetooth interface. It can be operated within fixed telephone networks, or can provide secure satellite communications worldwide. The TopSec Mobile requires a non-transparent data connection at 9.6 kbps for encrypted connections.

TopSec Mobile works with almost every modern mobile phone


The TopSec Mobile is interoperable with diverse mobile phones from a variety of manufacturers. Prerequisite: The mobile phone must support the circuit-switched data (CSD) non-transparent GSM data mode, and must have a Bluetooth interface (version 1.2 or later) with a dial-up networking (DUN) profile for encrypted communications. Most modern mobile phones have this capability. As a result, users have the freedom to select and use their preferred mobile phone and, at the same time, use their TopSec Mobile for secure communications when desired.

[Figure: Encryption with the TopSec Mobile. Labels: voice communications, TopSec Mobile, Bluetooth, mobile phone, GSM, GSM network.]

Manipulation-proof
Unrestricted use of the mobile phone convenience features
Mobile phones provide a wide selection of features. Applications can often be downloaded later from the public telephone network. Providers also send unsolicited information to the mobile phone. This information is then used to configure the phone according to the provider's preferences. These capabilities are necessary to make mobility as broad and flexible as possible, to have the most current information on hand, or to ensure around-the-clock access to meeting and appointment schedules. Mobile phone acceptance depends heavily on such convenience features.

TopSec Mobile security is independent of the mobile phone

The elements of telephone convenience hold the risk of unauthorized use by attackers to obtain confidential information. There are many ways to manipulate mobile telephones. However, the TopSec Mobile does not require information from a provider and additional applications cannot be downloaded or executed. The TopSec Mobile is a device that permits confidential voice communications using a mobile phone. The control features, the audio components such as microphone and loudspeaker, and all encryption functions are integrated in the TopSec Mobile. The security of the TopSec Mobile is independent of the mobile phone. The TopSec Mobile offers best protection against manipulation.

Cannot be identified by the mobile network provider


Mobile phones can be identified by the international mobile equipment identity (IMEI). The IMEI is automatically transmitted whenever a mobile phone logs on to a network. It provides information about the manufacturer and equipment type. This allows network providers to deny full or partial service to specific mobile phones. In contrast, the TopSec Mobile is not a mobile phone. It connects to and operates with a variety of mobile phones by means of a Bluetooth interface. The TopSec Mobile cannot be identified, which makes it impossible for mobile radio network providers to deny service to the TopSec Mobile.

[Figure: Voice encryption in mobile radio networks. Labels: TopSec Mobile, mobile phone with Bluetooth interface, GSM, TopSec GSM.]

The TopSec Mobile is interoperable with most Bluetooth enabled mobile phones. Either a mobile phone in combination with a TopSec Mobile or a TopSec GSM phone can be used as partner equipment in the mobile radio network.

TopSec encryption methods


Method for maximum security
Encryption in the TopSec Mobile is based on a hybrid process to achieve the highest level of security. This process requires that the partner encryption devices have the same mathematical parameters and that they use identical algorithms.

Preventing spoofed encrypted connections and man-in-the-middle attacks


TopSec Mobile users want to be absolutely certain that spoofed encrypted connections, and man-in-the-middle attacks in which unauthorized third parties masquerade as the legitimate communications partner, are prevented. For this purpose, a unique four-digit security code is generated in the open system. The code is displayed on the partner encryption device and is only available on the caller's and the partner's encryption devices. When the security codes are identical, a secure call is established.

Certificate-based authentication
Another measure to prevent man-in-the-middle attacks is to create closed user groups. This requires the TopSec Administrator, which combines the functions of a trust center with the centralized administration of operational parameters. During an initialization process, the TopSec devices receive a certificate and generate a public key pair that is used for authentication. In closed systems, authentication between the TopSec encryption devices takes place automatically. An encrypted connection is only established if authentication is successful. Consequently, calls made using the TopSec encryption devices meet the highest security requirements.

Key agreement with elliptical curves, 384 bit


The Diffie-Hellman key agreement protocol enables encrypted communications between two partner encryption devices without the need for central administrative services. In TopSec terms, this is referred to as an open system, because it is possible to establish a secure crypto connection between any two TopSec encryption devices. The session key K calculated by the two partner encryption devices is used by the symmetric algorithms to encrypt or decrypt the digitized and compressed voice information.

Voice encryption using the Advanced Encryption Standard (AES) 256 bit key
The TopSec Mobile and the partner encryption device automatically agree on a new 256 bit key during each call setup. A key is randomly selected from a pool of 10^76 possible keys and then deleted immediately upon completion of the call.

Combined key agreement and authentication

Assumption: common base point $P_0$; public keys $P_A$, $P_B$ are included in the certificate; private keys $S_A$, $S_B$ are only available in devices A and B.

Device A holds $S_A$, $P_A = S_A P_0$
Device B holds $S_B$, $P_B = S_B P_0$

Device A:
- A selects a random value $r_A$
- A calculates $Q_A = r_A P_0$
- A → B: $P_A$, $Q_A$
- A calculates $K = r_A P_B + (F(Q_A, Q_B)\, r_A + S_A)\, Q_B$

Device B:
- B selects a random value $r_B$
- B calculates $Q_B = r_B P_0$
- B → A: $P_B$, $Q_B$
- B calculates $K = r_B P_A + (F(Q_B, Q_A)\, r_B + S_B)\, Q_A$

Neither $r_A$, $r_B$, $S_A$ nor $S_B$ were transmitted; only A and B have the random values $r_A$ or $r_B$ required for calculating the session key $K$.
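The combined key agreement and authentication scheme above, as an added Python example that is not Rohde & Schwarz code: it assumes the NIST P-384 curve and a hash-based F, neither of which the data sheet specifies, and all function names are hypothetical. It goes one step beyond the diagram by also running a constructed case in which a peer presents P_B without holding S_B.

```python
import hashlib
import secrets

# Assumption: NIST P-384 (secp384r1); the data sheet only says "elliptic curves, 384 bit".
# Curve y^2 = x^3 + A*x + b over GF(P); b is omitted because the addition law does not use it.
P = 2**384 - 2**128 - 2**96 + 2**32 - 1
A = -3
N = int("f" * 48 + "c7634d81f4372ddf581a0db248b0a77aecec196accc52973", 16)  # group order
P0 = (int("aa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a38"
          "5502f25dbf55296c3a545e3872760ab7", 16),
      int("3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c0"
          "0a60b1ce1d7e819d7a431d7c90ea0e5f", 16))  # common base point

def add(p1, p2):
    """Affine point addition; None is the point at infinity. Not constant-time."""
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication k*pt (k reduced mod the group order)."""
    k %= N
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def keypair():
    s = secrets.randbelow(N - 1) + 1      # random scalar in [1, N-1]
    return s, mul(s, P0)                  # (S, P) long-term or (r, Q) per call

def F(q1, q2):
    # Assumption: F is not defined on the page. It must be symmetric,
    # F(QA, QB) == F(QB, QA), or the two expressions for K cannot match.
    lo, hi = sorted((q1[0], q2[0]))
    data = lo.to_bytes(48, "big") + hi.to_bytes(48, "big")
    return int.from_bytes(hashlib.sha384(data).digest(), "big") % N

def session_key(r, s_own, q_own, p_peer, q_peer):
    """K = r*P_peer + (F(Q_own, Q_peer)*r + S_own)*Q_peer, as in the data sheet."""
    return add(mul(r, p_peer), mul(F(q_own, q_peer) * r + s_own, q_peer))

def run_exchange():
    (sa, pa), (sb, pb) = keypair(), keypair()   # long-term S, certified P
    (ra, qa), (rb, qb) = keypair(), keypair()   # per-call r, Q
    k_a = session_key(ra, sa, qa, pb, qb)
    k_b = session_key(rb, sb, qb, pa, qa)
    # Constructed failure case: a peer presents B's certified P_B without holding S_B.
    (s_x, _), (r_x, q_x) = keypair(), keypair()
    k_a_x = session_key(ra, sa, qa, pb, q_x)    # what A derives
    k_x = session_key(r_x, s_x, q_x, pa, qa)    # what that peer derives
    return k_a == k_b, k_a_x == k_x
```

`run_exchange()` returns `(True, False)`: A and B arrive at the same point K, while a peer without S_B derives a different point than A does, so the authentication is bound into the key itself.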

Loadable encryption methods

Security card reader


The TopSec Mobile allows the use of the TopSec encryption methods permanently implemented in the device as well as of other voice encryption methods. In the TopSec Mobile user menu, the encryption methods can be activated and deactivated by means of the integrated card reader. Provided the security card is inserted in the reader, the TopSec Mobile user decides for each call setup which algorithm is to be used for calling the communications partner. The TopSec Mobile addresses the security card using commands that comply with the secure transnetwork voice communications standard (SNS) developed by the German Federal Office for Information Security.

Support of BOS-Digital security card


For encrypting calls, the algorithms of the BOS-Digital security card are available via the card reader. The cryptography of this card includes a certificate-based, Diffie-Hellman-compliant authentication with elliptic curves for key agreement and voice encryption in line with AES. For certificate-based authentication, the certificate together with a public key (for verifying certificates) and a public key pair (for actual authentication) is saved on the BOS-Digital security card by a trust center during the initialization process. To authenticate a connection, the partner encryption device's certificate is verified. For key agreement, the Diffie-Hellman key agreement protocol with elliptic curves is used to calculate the individual session key for each call. In encryption mode, the TopSec Mobile and the partner encryption device automatically agree on a new symmetric AES key, which is deleted immediately upon completion of the call.

Interoperable
Interoperability
The TopSec Mobile uses algorithms and methods for encryption that have been tried and tested with the TopSec product family. The products of the TopSec family are interoperable. Voice encryption in mobile radio networks is the primary application for the TopSec Mobile. The communications partner can be reached over a mobile radio network, an analog or a digital fixed network. Secure voice encryption is possible in all of the above scenarios. The TopSec Mobile compresses the voice call so that it can be transmitted at a data rate of 9.6 kbps. Either the V.110 or the V.32 protocol can be used to place a secure call with a communications partner on a mobile phone. This ensures interoperability with a second TopSec Mobile or with a TopSec GSM encrypting mobile phone.

The V.110 protocol is selected to set up an encrypted voice connection via the TopSec 703+ ISDN encryption device. If the communications partner uses a TopSec 711 for encrypted voice calls over an analog connection, the V.32 protocol is selected. After the appropriate network protocol has been selected, i.e. V.110 or V.32, the TopSec Mobile voice encryption device is interoperable with the TopSec GSM, TopSec 703+ and TopSec 711.

Future-ready
The TopSec Mobile is based on high-performance hardware with large storage capacity. The TopSec Mobile firmware can be securely updated with TopSec Administrator. This ensures that new challenges can easily be mastered with the TopSec Mobile.

[Figure: Voice encryption with TopSec devices. Labels: TopSec Mobile, SAT, ISDN, TETRA, GSM, POTS, TopSec 703+, TopSec 711.]

Design and functional elements


Design
The TopSec Mobile is targeted at senior management levels in government and at business leaders in important industries and sensitive departments such as security, sales, finance, engineering and science. The elegant and timeless design of the TopSec Mobile is representative for this user group without attracting undue attention. The TopSec Mobile can be carried in a shirt, suit or coat pocket; a wide clip provides secure fastening. It can also be attached to a carrying strap.

Functional elements
The TopSec Mobile is a voice encryption device with integrated audio components. The figure below depicts the various functional elements of the TopSec Mobile. The TopSec Mobile has an integrated microphone for talking. The loudspeaker integrated into the clip on the reverse side of the TopSec Mobile is used to signal incoming calls. The loudspeaker integrated into the front side of the clip is used during the phone call and delivers outstanding voice quality. The TopSec Mobile functions are controlled using a five-way element that consists of a center key and a ring that can be activated in four directions. Information is shown on a three-line display. The display can be rotated by 180° to accommodate both right and left-handed users. The TopSec Mobile has two additional keys to control the loudspeaker volume. A multifunctional interface for charging the battery and connecting a PC is integrated on the bottom of the device. A card reader on the side of the TopSec Mobile is used for the loadable encryption methods.

[Figure: Functional elements of the TopSec Mobile. Labels: volume control "+", volume control "-", ringtone loudspeaker, rechargeable battery, battery compartment cover, loudspeaker, carrying strap fastener, clip, multifunctional center key, card reader, microphone, multifunctional interface.]


Operation
Startup
The TopSec Mobile must be paired with a mobile phone before it can be used. Pairing is started by activating the Bluetooth search mode on the TopSec Mobile. As soon as the desired mobile phone is selected, the PIN, a random eight-digit number, is displayed on the TopSec Mobile. This PIN must be entered in the mobile phone. A Bluetooth connection between the mobile phone and the TopSec Mobile is established. The TopSec Mobile is now ready for encrypted voice communications.

Software for editing the TopSec Mobile telephone directory

The TopSec Mobile telephone directory can be edited at any time by using the control elements. The telephone directory PC software (called TopSec Mobile Phonebook Editor), which is delivered with the TopSec Mobile, makes it easy to edit the telephone directory. The telephone directory is transferred from the TopSec Mobile to the PC over a USB cable (supplied with the device) where it can be edited and transferred back to the TopSec Mobile.

Using the TopSec Mobile with a headset

The TopSec Mobile is typically used like a mobile phone. The user speaks into the integrated microphone and listens to the integrated loudspeaker. Alternatively, a headset can also be used. The TopSec Mobile multifunctional interface is used to connect the headset. For this purpose, a headset adapter is plugged into the TopSec Mobile interface. The headset adapter has a microphone, a 2.5 mm jack and a control element to accept incoming calls. The headset plugs into the 2.5 mm jack.

Establishing an encrypted connection


When an encrypted call is placed, the telephone number of the party to be called is selected from the integrated telephone directory. The TopSec Mobile sends the telephone number to the mobile phone over the Bluetooth connection. The mobile phone then establishes a data connection to the partner device. Either the V.110 or V.32 communications protocol is used.

Accepting an encrypted call


As soon as the called communications partner accepts the incoming call by pressing the center key, the two encryption devices start synchronizing encryption. A four-digit security code to verify the secure connection is displayed after encryption has been successfully synchronized. The communications partners can now carry out a confidential phone call.

Power supply
A rechargeable battery supplies power to the TopSec Mobile. The battery is recharged using the USB cable supplied with the TopSec Mobile. There are two ways to recharge the battery: connecting the TopSec Mobile to a USB port, such as on a laptop, or using the power supply unit that is delivered with the device.

[Figure: Using the TopSec Mobile with a headset. Labels: voice communications, encryption with the TopSec Mobile, Bluetooth, mobile phone, GSM, GSM network.]

Specifications
Bluetooth standard        version 2.0
Standby time              up to 100 h
Talk time                 up to 4 h
Data rate                 9.6 kbps
Communications protocol   V.32, V.110
Dimensions                99 mm × 34 mm × 22 mm (3.9 in × 1.3 in × 0.9 in)
Weight                    58 g (0.13 lb)

Ordering information
Designation               Type            Order No.
Voice Encryption Device   TopSec Mobile   5411.0002

Accessories supplied: TopSec Mobile Phonebook Editor


Service you can rely on
- Worldwide
- Local and personalized
- Customized and flexible
- Uncompromising quality
- Long-term dependability

About Rohde & Schwarz
Rohde & Schwarz is an independent group of companies specializing in electronics. It is a leading supplier of solutions in the fields of test and measurement, broadcasting, radiomonitoring and radiolocation, as well as secure communications. Established more than 75 years ago, Rohde & Schwarz has a global presence and a dedicated service network in over 70 countries. Company headquarters are in Munich, Germany.

Environmental commitment
- Energy-efficient products
- Continuous improvement in environmental sustainability
- ISO 14001-certified environmental management system

Certified Quality System

ISO 9001

Rohde & Schwarz SIT GmbH
Am Studio 3 | D-12489 Berlin
+49 30 65884-223 | Fax +49 30 65884-184
E-Mail: info.sit@rohde-schwarz.com
www.sit.rohde-schwarz.com
www.rohde-schwarz.com

Regional contact
Europe, Africa, Middle East: +49 89 4129 123 45, customersupport@rohde-schwarz.com
North America: 1 888 TEST RSA (1 888 837 87 72), customer.support@rsa.rohde-schwarz.com
Latin America: +1 410 910 79 88, customersupport.la@rohde-schwarz.com
Asia/Pacific: +65 65 13 04 88, customersupport.asia@rohde-schwarz.com

R&S® is a registered trademark of Rohde & Schwarz GmbH & Co. KG
Trade names are trademarks of the owners | Printed in Germany (ch)
PD 5213.9792.32 | Version 04.00 | February 2011 | TopSec Mobile
Data without tolerance limits is not binding | Subject to change
© 2008 - 2011 Rohde & Schwarz GmbH & Co. KG | 81671 München, Germany