Boosting Government
Security
The Apriva SensaMail secure mobile email offering is a complete, end-to-end secure, wireless messaging system. SensaMail was designed from its initial conception to comply with NSA (V34) Non-Type 1 Wireless Protection Profiles, DoD Directives, and to provide a handheld vendor and wireless carrier-network-neutral implementation. The system was designed to support Secure Multipurpose Internet Mail Extensions (S/MIME) v3 email conventions for optimal legacy desktop interoperability as well as to adapt emerging conventions like S/MIME AES 256 (Advanced Encryption Standard) envelope encryption. The system was designed to be upgradeable to NSA Type 1 service with High Assurance Internet Protocol Encryptor communications and crypto extensions. The Apriva SensaMail system was designed to fully integrate the Department of Defense Public Key Infrastructure (PKI) including hard token certificates, authentication for DoD Common Access Cards (CAC) or Personal Identity Verification (PIV) cards, as well as soft token digital certificates.
The four standard Sensa® system components are:
Additionally, the use of AprivaTalk infrastructure optimizes carrier bandwidth and message delivery speeds through wireless networks.
Additional Security components include:
Wireless Transport Layer Security (WTLS)
WTLS is a security protocol based upon the industry-standard Transport Layer Security (TLS) protocol, formerly known as Secure Sockets Layer (SSL). WTLS is intended for use with the WAP transport protocols and has been optimized for use over narrow-band communication channels. WTLS provides the following features:
WTLS may also be used for secure communication between terminals such as authentication of electronic business card exchange.
Applications are able to selectively enable or disable WTLS features depending on their security requirements and the characteristics of the underlying network.
Server Side Security
The SensaMail Management Server is installed and managed exclusively by customer administrative personnel within the customer zone. A one-to-many relationship is supported between SensaMail Mail Servers and customer provided mail servers such as Microsoft Exchange. A one-to-many relationship is supported between SensaMail Management Servers and SensaMail Mail Servers. The SensaMail Management Server and SensaMail Mail Server are typically installed in the same server hardware. There are no artificial product licenses or technical limits for the number of users supported. The user population size is gated solely by server and network capacities. The primary operation is specialized routing of the packet traffic to and from the wireless carriers and the devices.
Additionally, all routed packets have their own self-protection such as:
- Type 1 Messages – HAIPE
- Non Type 1 Messages – AES 256 + S/MIME encrypted-type 3-DES, session keys established via enclave server certificates, 3-5 packet key rotations and 24 hour sunset on master session key.
- Connections to customer enclaves (COTS SensaMail) are protected with PMPG valid enclave ID authorization tables and firewall IP openings.
Private Multi-Protocol Gateway (PMPG)
Apriva is the leader in providing 7/24 wireless carrier gateway and routing/transform services in the mobile Point of Sale (POS) marketplace. Apriva is dominant in this space and is the preferred vendor of American Express and First Data Corporation. Apriva’s Private Multi-Protocol Gateway (PMPG) is certified by VISA through its Cardholder Information Security Program (CISP). Apriva’s has partnerships with virtually all POS terminal vendors and its middleware (AprivaTalk) is ported to most operating system platforms used by these vendors. In the Government space, Apriva’s SensaMail Secure Mobile Email system is DoD Joint Interoperability Test Command (JITC) validated and has passed all Army G6 Information Assurance (IA) vulnerability tests at Army ATID.
The PMPG is designed to operate in a black environment while supporting both NSA Type 1 and NSA Non Type 1 S/MIME message traffic. At no time do the PMPG components open any messages. This data center has multi-layer biometrics access, 3 way Internet pathing and proven 7/24 battery and diesel generation power backup.
Connections to wireless carriers will be private APNs using VPNs or Frame Relay connections. Any public Internet connections will be protected with the Cisco ASA server and a DMZ. The ASA provides firewall and denial of service protection as well as a VPN server for maintenance access.
Apriva’s unique Network design provides consistent network characteristics across both GSM/GPRS and CDMA and offers managed and unmanaged communication services for both classified and unclassified enclaves.
• Unclassified (Non-Type 1) message traffic (SensaMail AprivaTalk IP/UDP) is strongly encrypted with AES 256 using best practices key derivation, exchange and rotation.
• Classified (Type 1) message traffic is very strongly encrypted with HAIPE, where key injection/control is not performed in the Apriva PMPG but rather in customer Enclaves and when the Portable Electronic Device (PED) is loaded in a trusted manner.
The Apriva PMPG design provides the following centralized services:
Redundant, private wireless carrier connections
- Private connection from the PMPG to multiple and diverse wireless carrier networks
- Single entry point for enclaves requiring multiple, diverse wireless network services
- Managed end-to-end service with common reliability and security characteristics from the Portable Electronic Device (PED) all the way through to delivery to the enclave demarcation point
- Simplified procurement with one centralized access point rather than multiple Centralized perimeter security via firewall and active intrusion protection
- Multi Protocol Router (MPR) is the control and switching point all traffic to customer enclaves
- Only the traffic from enclave administrator-authorized Portable Electronic Device units is routed to customer enclaves.
Multi Protocol Routing
- The Apriva MPR is designed using existing AprivaTalk technology (Non Type 1) and extended to support High Assurance Internet Protocol Encryptor (Type 1)
- Manages dynamic wireless carrier Portable Electronic Device IP changes to provide:
- True “push” email delivery to the Portable Electronic Devices
- Static IP address space as required for proper HAIPE connectivity, even when the underlying carrier networks cannot support static IP addresses.
- Routes both Type 1 and non-Type 1 protocols
- Provides an infrastructure and framework to add other services over time.
Administration Server
- Portable Electronic Device provisioning/control by Enclave administrators via X.509 certificates and SSL.
- Detailed audit logs (errors, provisioning/control changes, trace)
- Traffic metrics
- PMPG Component Status
Load Balancing
- Balanced or weighted round robin
- MPR keep-alive with failure notification
AprivaTalk
Apriva’s unique AprivaTalk infrastructure provides the network-neutral foundation for the SensaMail system. AprivaTalk has been well tested in the wireless point of sale domain and has proven strengths in guaranteed delivery and bandwidth optimization with packet radio networks in marginal radio coverage areas. AprivaTalk optimizes message delivery performance over wireless networks.
The AprivaTalk Multi-Protocol Gateway (MPG) architecture provides a scaleable and extensible environment for application development for mobile communication devices. This is achieved through a layered design of the entire protocol stack. Each of the layers of the architecture is accessible by the layers above, as well as by other services and applications.
