SkyTale is a family of IP network cryptos equipped with a unique mode of

network encapsulation, custom created in close cooperation with the armed

forces of the Netherlands, and tried and tested over several years. Although

initially developed for use in vehicles and specially geared towards aerial

networks, it has now been adapted in order to be used in configurations ranging

from server rooms to soldier uniforms.

SkyTale provides confidentiality, integrity and availability for mobile networks,

from the highest Information Assurance level to the lowest.

SkyTaleHigh Security for the Tactical Domain

Payload Encryption and SkyTale

The cryptographic network encapsulation solution

– Payload Encryption, or PLE for short – that was born

from this concept, and is implemented in all SkyTale family

members, addresses the following challenges:

Unstable links

Aerial networks are naturally unstable. They fade with

distance, suffer from earth- intrinsic physical oddities, skip

distances, atmospheric conditions, weather, and natural

and man-made objects in the line of sight.

Low and fluctuating bandwidths

Network-tunneling mechanisms that supply both

confidentiality and authentication typically encounter

non-trivial hurdles in the areas of reliability, overhead

and replay-detection when dealing with the low and

fluctuating bandwidths that are the result of unstable

links. Payload Encryption addresses these challenges

head-on, resulting in significantly decreased instability

of your secure connection.

Using a single addressing scheme

When using NAT in cryptographically protected networks,

or in mobile ad-hoc networks, it is very difficult to main-

tain red/black mapping of addresses. In multicast, without

falling back on the (inefficient) star-network topology

and without duplicating all packets, it is almost impos-

sible. PLE is a form of bump-in-the-wire transport-mode

and therefore does not interfere with the addressing

scheme underlying your network. Your packets will arrive

as intended.

Usable in unilaterally separated networks

Because Payload Encryption does not require a security

association, and can be configured with pre-shared keys,

it can be used through one-way separations between

different classified networks (data diodes).

Supporting QoS and multicast

Networks suffering from such low and fluctuating band-

widths will benefit from a well thought-out quality-of-

service scheme that is supported throughout the network.

Also, in certain areas of applications (VoIP, position-data)

using multicast can significantly ease the burden of

carrying packets on a network. It is therefore important that

our solution supports both mechanisms transparently,

allowing red hosts to alert black routers about pertinent

occurrences in the traffic. Payload Encryption, allows you

to fine-tune precisely and effectively which aspects of

your packet should be declassified in order to achieve this.

IPv6 support

With more and more networks and network-equipment

moving on from IPv4 and given its superior support for

flexible addressing and roaming, it is obvious that the

SkyTale family supports IPv6 out of the box.

Mission approved

A Payload Encryptor is envisioned for usage in everything

from infrastructure to military vehicles and dismounted

soldiers, carrying network information from strategic

to tactical. Each family member certified to its own,

appropriate, security level.

In 2008, the Dutch armed forces initiated an experiment to address

the following challenge: to build a durable global communications system

to be mounted inside vehicles that can carry both voice and data, with

acceptable bandwidths and latencies. A system that is capable of using

all available means of communication at a given site, capable of roaming

without disconnections and is appropriately secure.

Productsis a Payload Encryptor/Ad-hoc Router combination for

vehicles. It has a rugged casing design, mil-std-38999

connectors, is water- and dustproof, EMC-safe, and is

resistant to vibrations of military vehicles according to

mil-std-810. It will stand temperatures according to STANAG

2895 and has an input range of 10-36 Volt DC (mil-std 1275).

The Ad-hoc Router connects to WLAN-AP and -AH, wired and

mobile networks and has provisions for sitcom modems over

RJ45, serial and USB. It can be managed from the trusted side

through the crypto.

is a Payload Encryptor/IPsec tunnel-mode hybrid for high

IA levels (Secret and above) with a sturdy design. Primarily

intended for server-room, shelter- and command-vehicle

use, it has been more or less designed to the same environ-

mental specifications as SkyTale/DCV, but its looks are more

‘civilian’: two of them fit neatly side-by-side in a 1U slot of

a 19 ̓ ̓ rack and it uses regular copper and fiber inter faces.

It has a keypad and a screen for authentication, configuration

and status output.

is a software package, compatible with the broader family

of SkyTale offerings. Using SkyTale/SRM on telephones or

tablets, for example, allows for field operatives to securely

communicate with deployed vehicles (equipped with

SkyTale/DCV for example), using apps of their choosing.

Using it on a laptop means that you can connect to the

broader network from your hotel room. This software

package works independently in the background, over

your network connections transparently and turning your

end-point solution into a crypto.

SkyTale/DCV

SkyTale/DSS

SkyTale/SRM

110-013-EN

fox-it

• Was founded in 1999.

• Established one of the first Cyber Security

Operations Centers in Europe.

• Is Europe’s largest specialized cyber security

company.

• Operates in three business areas:

1 Cyber Threat Management: a solution portfolio

aimed at reducing the risks of cyber threats,

and includes: professional services, managed

security services, and technology;

2 Web and Mobile event analytics: a solution

portfolio that is aimed at reducing financial

risks in (online) payment transactions;

3 High Assurance: solutions that make trusted

communication possible to the highest

classification levels.

• Has been involved in many high-profile Incident

Response cases. Most of the cases we worked on

are secret. An approved selection can be shared

upon request.

SkyTale Feature List

• IPv4 / IPv6 support.

• Stateless, group-keyed Payload Encryption.

• Multicast support.

• NAPT support.

• SNMP and TFTP (custom) based management.

• AES-256 / SHA256 algorithms.

Depending on platform:

• Dutch national, EU, NATO algorithms.

• High throughput.

• IP56 (water & dust-proof).

• Mil-Std-810 (vibration), 1275 (input, filter), 38999 (connectors).

• STANAG 2895 (temperature).

• SDIP27 (TEMPEST).

fox-it

Olof Palmestraat 6, Delft

PO box 638, 2600 AP Delft

The Netherlands

T +31 (0) 15 284 79 99

F +31 (0) 15 284 79 90

E fox@fox-it.com

www.fox-it.com