When digital microwave radio links transmit sensitive information, there is always a concern for security. While some microwave links, especially at the millimeter wave bands, have a high degree of security by the nature of the narrow-beam propagation, many users, especially in government and large commercial institutions, require extra means of security, and data encryption plays a major role in implementing such security policies. Governments and other organizations require multiple layers of security that may co-exist in the same link. The more sensitive data is encrypted at the source, while less sensitive data is encrypted only if it leaves the premises for transmission through outside media, including wireless links. The data may also be encrypted by encrypting the entire payload of the microwave link. If a part or the entire payload has been encrypted with high-security techniques at the source, there may still be a desire to supply lower-level security for the entire link's payload as an extra barrier.
One common way of implementing an encryption system is by using a stand-alone system. For example, to secure a Gigabit Ethernet (GigE) link, one can purchase a stand-alone system with two ports: one port is the local, unsecured GigE port, and the other is an encrypted GigE port. Network integrators may favor this solution in some instances because it allows the use of any non-secure wireless link. However, there are also drawbacks, as discussed below. An example of a commercial supplier of encryption systems is Fortress Technologies of Oldsmar, Fla.
An example of a well-known encryption standard is the encryption standard described as the United States Federal Information Processing Standard (FIPS) PUB 140-2, which is incorporated herein by reference. This standard includes several procedures for ensuring security, including the use of an encryption algorithm known as the Advanced Encryption Standard (AES), and the definition of four levels of security.
At the core of many encryption systems, including AES, there is a cipher module. A cipher module transforms a block of input information, known as “Plaintext”, to an encrypted block, known as “Ciphertext”, usually of the same size as the Plaintext, by using a transformation algorithm. The algorithm usually includes a binary block known as a cipher key. The receiving side performs an inverse transformation to recover the original Plaintext, using a decoding key, usually identical to the transmitter's key. While encryption standards involve several procedures and techniques, such as key distribution methods or providing seals for detecting tamper attempts, these standards do not contemplate or describe how to integrate one or more cipher blocks with microwave radio equipment, or the resulting structures and processes needed to accomplish such an integration.
A simple integration step could be to incorporate an entire encryption unit within a radio enclosure. However, such an approach is too expensive, significantly decreases overall link reliability, may add undesired processing delay, and may introduce a major reduction in data throughput of the microwave radio. Thus, it is desirable to integrate a digital radio with only the necessary encryption functions, without the extra hardware already available in the radio, such as the Ethernet interfaces.
Commercially available encryption units may add a significant overhead to the carried payload, thus reducing the capacity of the link. This overhead may be necessary when each frame is destined for a different end point, for example, a WiFi access point broadcasting to multiple devices. However, the wireless links using the digital microwave radio are point-to-point, and thus it is desired to devise an encryption sub-system and associated methods that do not increase the link overhead beyond the overhead already allocated for link-specific functions, such as forward error correction. The commercially available encryption systems may also suffer from processing speed limitations when the GigE link is nearing its payload capacity, and some Ethernet frames or related packets may be dropped. It is desired to provide a digital solution that meets the processing capacity requirements without exceptions.
Thus, it is desirable to be able to integrate encryption modules into a digital microwave link, including various sub-systems and processes.