Black Box Explains... TEMPEST standard and Common Criteria (EAL4+)
Common Criteria (EAL4+) defines a common set of tests regarding the process of the design, testing, verification, and shipping of new security products. Common Criteria enables customers to assess a level of trust in how a product has been designed, tested, built, and shipped.
TEMPEST testing, while classified, is regarded as a process that assesses the threat of data leaking through various covert electromagnetic eavesdropping mechanisms. The TEMPEST designation is often required by military organizations. TEMPEST, as a security standard, pertains to technical security countermeasures, standards, and instrumentation that prevent or minimize the exploitation of vulnerable data communications equipment by technical surveillance or eavesdropping.
Both testing standards are important; they just test for different things.
TEMPEST-Secure KVM Switches
Available with 2 or 4 ports, USB, and DVI-I or VGA, the ServSwitch Secure KVM Switch with USB (page 382) provides control and separation of up to four PCs connected to secure and unsecure networks through just one keyboard, monitor, and mouse.
High port-to-port electrical isolation, which facilitates data separation (RED/BLACK).
NSA tested and TEMPEST approved for and by the U.S. Air Force.
The low radiated emissions profile meets the appropriate national requirements for conducted/radiated electromagnetic emissions.
Switches are permanently hard wired, preventing access from one CPU to the others or access from one network to others.
External tamper-evident seals make it easy to spot attempted tampering.
Channel-to-channel 60-dB crosstalk isolation protects against signal snooping, so software tools and applications cannot be used to access any connected computer from another connected computer.
Users can safely switch among as many as four computers operating at different classification levels.
Common Criteria Evaluation Assurance to Level 4+
A newly developed switch, the ServSwitch Secure with USB and DVI, or VGA, or VGA and a Card Reader (pages 384–385), is being evaluated for Common Criteria Evaluation Assurance to Level 4+ (EAL4+). Common Criteria is an international standardized process for information technology security evaluation, validation, and certification. The Common Criteria scheme is supported by the National Security Agency through the National Information Assurance Program (NIAP).
The ServSwitch Secure KVM Switch with USB surpasses the security profiles of most other KVM switches. Along with the tamper-evident seals and other security features already mentioned, ServSwitch Secure KVM Switch with USB models feature these security measures:
The flow of keyboard and mouse data is unidirectional, so it’s not possible for the computer to send data along the keyboard and mouse signaling channels.
Keyboard and mouse devices can only be enumerated at the keyboard and mouse ports. Any other USB peripherals connected to these ports will be prohibited from operating, preventing, for example, a USB thumb drive from uploading or downloading unauthorized data.
At each channel switchover, the USB host controller circuit, which controls shared peripherals, erases its entire RAM. This prevents residual data from remaining in the channel after a channel change and being transferred to another computer.
Every time the channel is changed, shared USB peripherals are powered down, reset, and re-enumerated.
Every time the channel is changed, the USB host controller is also powered down and reset, further ensuring no transfer of residual data.
Dedicated DDC bus and EDID memory emulation at each port prevent the shared monitor link from being used as a covert attack channel.
With only one selection button per channel, the ServSwitch Secure models enable direct and unambiguous channel selection.
Hotkey and mouse switching are excluded, preventing remote control of the switch.
Ports are powered through the computer’s USB ports, while the shared keyboard, mouse, and monitor are powered by the switch’s power supply. The lack of a common power supply minimizes electronic signaling.
The switches with card readers have additional features, including active authentication verification and active tamper detection.
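The enumeration rule described above (only keyboard and mouse devices may enumerate on the console ports; anything else, such as a thumb drive, is refused) is the kind of allow-list policy that can be checked against a device's USB configuration descriptor before the device is enabled. The following is an added example written for this page, not firmware from the ServSwitch Secure or any Black Box product: it walks a configuration descriptor blob, collects every interface descriptor, and allows the device only if every interface is a HID boot-protocol keyboard or mouse. The descriptor blobs and the helper functions that build them are constructed here for illustration.

```python
import struct

# USB descriptor type codes and the HID class values used by the policy
USB_DT_CONFIG = 0x02
USB_DT_INTERFACE = 0x04
USB_DT_ENDPOINT = 0x05
USB_DT_HID = 0x21
USB_CLASS_HID = 0x03
USB_CLASS_MASS_STORAGE = 0x08
HID_SUBCLASS_BOOT = 0x01
HID_PROTOCOL_KEYBOARD = 0x01
HID_PROTOCOL_MOUSE = 0x02


def interface_descriptors(config_blob: bytes):
    """Walk a configuration descriptor blob by bLength and yield
    (bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol) for each
    interface descriptor.  A zero or overlong bLength is treated as a
    malformed descriptor rather than silently skipped."""
    offset = 0
    while offset + 2 <= len(config_blob):
        length, dtype = config_blob[offset], config_blob[offset + 1]
        if length < 2 or offset + length > len(config_blob):
            raise ValueError("malformed descriptor at offset %d" % offset)
        if dtype == USB_DT_INTERFACE and length >= 9:
            # bInterfaceClass/SubClass/Protocol sit at offsets 5, 6, 7
            yield tuple(config_blob[offset + 5:offset + 8])
        offset += length


def console_port_allows(config_blob: bytes) -> bool:
    """Policy for a console (keyboard/mouse) port: every interface the device
    exposes must be a HID boot keyboard or boot mouse.  A composite device
    that also carries a storage or other interface is refused outright."""
    interfaces = list(interface_descriptors(config_blob))
    if not interfaces:
        return False
    return all(
        cls == USB_CLASS_HID
        and sub == HID_SUBCLASS_BOOT
        and proto in (HID_PROTOCOL_KEYBOARD, HID_PROTOCOL_MOUSE)
        for cls, sub, proto in interfaces
    )


# --- constructed sample descriptors (hypothetical devices) -----------------

def _interface(num: int, cls: int, sub: int, proto: int) -> bytes:
    """Build one interface descriptor followed by a HID descriptor (HID
    devices only) and a single interrupt/bulk IN endpoint descriptor."""
    iface = struct.pack("<BBBBBBBBB", 9, USB_DT_INTERFACE, num, 0, 1,
                        cls, sub, proto, 0)
    hid = (struct.pack("<BBHBBBH", 9, USB_DT_HID, 0x0111, 0, 1, 0x22, 63)
           if cls == USB_CLASS_HID else b"")
    endpoint = struct.pack("<BBBBHB", 7, USB_DT_ENDPOINT, 0x81, 0x03, 8, 10)
    return iface + hid + endpoint


def _config(*interfaces: bytes) -> bytes:
    """Wrap interface descriptors in a configuration descriptor header."""
    body = b"".join(interfaces)
    return struct.pack("<BBHBBBBB", 9, USB_DT_CONFIG, 9 + len(body),
                       len(interfaces), 1, 0, 0x80, 50) + body


KEYBOARD_CONFIG = _config(
    _interface(0, USB_CLASS_HID, HID_SUBCLASS_BOOT, HID_PROTOCOL_KEYBOARD))
MOUSE_CONFIG = _config(
    _interface(0, USB_CLASS_HID, HID_SUBCLASS_BOOT, HID_PROTOCOL_MOUSE))
# A thumb drive: mass storage class, SCSI subclass, bulk-only protocol
MASS_STORAGE_CONFIG = _config(
    _interface(0, USB_CLASS_MASS_STORAGE, 0x06, 0x50))
# A composite device that presents a keyboard and a storage interface
COMPOSITE_CONFIG = _config(
    _interface(0, USB_CLASS_HID, HID_SUBCLASS_BOOT, HID_PROTOCOL_KEYBOARD),
    _interface(1, USB_CLASS_MASS_STORAGE, 0x06, 0x50))
# A descriptor with bLength == 0, which a naive walker would loop on
MALFORMED_CONFIG = KEYBOARD_CONFIG[:9] + b"\x00\x04"


if __name__ == "__main__":
    for name, blob in (("keyboard", KEYBOARD_CONFIG), ("mouse", MOUSE_CONFIG),
                       ("thumb drive", MASS_STORAGE_CONFIG),
                       ("keyboard+storage", COMPOSITE_CONFIG)):
        print("%-17s allowed=%s" % (name, console_port_allows(blob)))
```

The check is deliberately whole-device rather than per-interface: a device that is partly a keyboard and partly a storage volume is refused, which is the behaviour the text describes for the console ports.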
Black Box Explains... Coax cables for ServSwitch products.
What's the difference between standard and coax cables for ServSwitch™ products? Performance! Coax cables are made with premium-gauge wire, so they can be made in longer lengths. That means you can move your workstation up to 100 feet (30.4 m) from your ServSwitch. Plus, coax cables have even more shielding to maintain the signal quality and strength you need. If you require high-resolution video or long distances, this is the cable you need!
Black Box Explains... Plasma vs. LCD Screens
When deciding whether to use plasma or liquid crystal display (LCD) screens for your applications, you need to consider many factors. Both provide brilliant color, sharp text contrast, and crystal-clear images. But the way in which plasma and LCD screens process and display incoming video/computer signals is markedly different.
Compare and contrast.
Both plasma and LCD technology provide stark enough contrasts to make displays sharp and pleasing. But when it comes to contrast output, plasma technology outperforms LCD screens. Some plasma displays have a 3000:1 contrast ratio, which is the measure of the blackest black compared to the whitest white. LCDs use electric charges to untwist liquid crystals, thereby blocking light and emitting darker pixels. Despite this process, LCD displays don't produce more than a 1000:1 contrast ratio.
Clarity that's light waves ahead.
Pixels contain enough information to produce every color in the spectrum. Because plasmas use each and every pixel on their screens, color information is reproduced more accurately. Plasma screens display moving images with remarkable clarity, though burn-in can be an issue. For displays with lots of light and dark imagery, plasma panels provide excellent performance with their high-contrast levels, color saturation, and overall brightness.
LCD displays, on the other hand, manipulate light waves and reproduce colors by subtracting colors from white light. Though this makes it more difficult to maintain color accuracy and vibrancy compared to plasma screens, LCDs have an advantage with their higher-than-average number of pixels per square inch. These additional pixels make LCD technology better at displaying static images from computers or VGA sources in full-color detail. Plus, there's no flicker and very little screen burn-in.
Applications with large amounts of data—such as those found on spreadsheets—display particularly well on LCD monitors.
Brilliant displays that go on and on.
With LCD screens, there are essentially no parts to wear out. LCD screens last as long as their backlights do, with displays lasting, on average, 50,000–75,000 hours. That's why LCD screens are especially good for long-term applications, such as digital signage or displays that require around-the-clock use.
Plasma screens, however, use a combination of electric currents and noble gases (argon, neon, and xenon) to produce a glow, which in turn yields brilliant color. The half-life of these gases, however, is only around 25,000 hours. The glow they produce grows dimmer over time.
The right angle can make all the difference.
Plasmas light every pixel on the screen, making the brightness on the screen consistent and giving plasmas the edge when it comes to viewing angles. In fact, plasma screens have as much as a 160° viewing angle, compared to LCDs. This makes the images on the screen easier to see from a variety of angles. In doing so, however, plasmas consume much more power.
LCDs display at 130–140° angles, but their use of fluorescent backlighting requires much less power to operate than plasmas. This also makes LCDs less prone to burn-in or ghosting of images.
Black Box Explains...Multicasting video over a LAN: Use the right switch.
In KVM extension applications where you want to distribute HD video across a network, you need to understand how it works and what kind of networking equipment to use with your extenders.
Think of your network as a river of data with a steady current of data moving smoothly down the channel. All your network users are like tiny tributaries branching off this river, taking only as much water (bandwidth) as they need to process data. When you start to multicast video, data, and audio over the LAN, those streams suddenly become the size of the main river. Each user is then basically flooded with data and it becomes difficult or impossible to do any other tasks. This scenario of sending transmissions to every user on the network is called broadcasting, and it slows down the network to a trickle. There are network protocol methods that alleviate this problem, but it depends on the network switch you use.
Unicast vs. multicasting, and why a typical Layer 2 switch isn’t sufficient.
Unicasting is sending data from one network device to another (point to point); in a typical unicast network, Layer 2 switches easily support these types of communications. But multicasting is transmitting data from one network device to multiple users. When multicasting with Layer 2 switches, all attached devices receive the packets, whether they want them or not. Because a multicast header does NOT have a destination IP address, an average network switch (a Layer 2 switch without supported capabilities) will not know what to do with it. So the switch sends the packet out to every network port on all attached devices. When the client or network interface card (NIC) receives the packet, it analyzes it and discards it if not wanted.
The solution: a Layer 3 switch with IGMPv2 or IGMPv3 and packet forwarding.
Multicasting with Layer 3 switches is much more efficient than with Layer 2 switches because the Layer 3 switch identifies the multicast packet and sends it only to the intended receivers. A Layer 2 switch sends the multicast packets to every device and, if there are many sources, the network will slow down because of all the traffic. And, without IGMPv2 or IGMPv3 snooping support, the switch can handle only a few devices sending multicasting packets.
Layer 3 switches with IGMP support, however, “know” who wants to receive the multicast packet and who doesn’t. When a receiving device wants to tap into a multicasting stream, it responds to the multicast broadcast with an IGMP report, the equivalent of saying, “I want to connect to this stream.” The report is only sent in the first cycle, initializing the connection between the stream and receiving device. If the device was previously connected to the stream, it sends a grafting request for removing the temporary block on the unicast routing table. The switch can then send the multicast packets to newly connected members of the multicast group.
Then, when a device no longer wants to receive the multicast packets, it sends a pruning request to the IGMP-supported switch, which temporarily removes the device from the multicast group and stream.
Therefore, for multicasting, use routers or Layer 3 switches that support the IGMP protocol. Without this support, your network devices will be receiving so many multicasting packets, they will not be able to communicate with other devices using different protocols, such as FTP. Plus, a feature-rich, IGMP-supported Layer 3 switch gives you the bandwidth control needed to send video from multiple sources over a LAN.
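To make the difference between the two switch types concrete, here is an added example that is not part of the original text: a small simulation of a plain Layer 2 switch beside an IGMP-aware one. It builds and parses real-format IGMPv2 messages (type, max response time, checksum, group address, as in RFC 2236), verifies the one's-complement checksum so corrupted membership messages are rejected, and tracks which ports have sent a membership report or a leave for a group. The port numbers, group address and switch classes are constructed for the example; real IGMP-snooping switches also forward toward detected multicast-router ports, which this simplification omits.

```python
import struct
from ipaddress import IPv4Address

# IGMPv2 message types (RFC 2236)
IGMP_MEMBERSHIP_QUERY = 0x11
IGMP_V1_REPORT = 0x12
IGMP_V2_REPORT = 0x16
IGMP_LEAVE_GROUP = 0x17


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_igmpv2(msg_type: int, group: str) -> bytes:
    """Construct an 8-byte IGMPv2 message with a valid checksum."""
    packed_group = IPv4Address(group).packed
    unchecked = struct.pack("!BBH4s", msg_type, 0, 0, packed_group)
    return struct.pack("!BBH4s", msg_type, 0,
                       internet_checksum(unchecked), packed_group)


def parse_igmpv2(data: bytes):
    """Return (type, group) for a well-formed message; raise ValueError if
    the message is truncated or its checksum does not verify."""
    if len(data) < 8:
        raise ValueError("IGMP message too short")
    # Summing a correct message including its checksum field yields 0
    if internet_checksum(data[:8]) != 0:
        raise ValueError("IGMP checksum mismatch")
    msg_type, _max_resp, _csum, group = struct.unpack("!BBH4s", data[:8])
    return msg_type, str(IPv4Address(group))


class PlainL2Switch:
    """No IGMP awareness: a multicast frame is flooded out every other port,
    regardless of who asked for it."""

    def __init__(self, ports):
        self.ports = set(ports)

    def handle_igmp(self, port: int, data: bytes) -> None:
        # IGMP messages are just traffic to this switch; nothing is learned.
        pass

    def egress_ports(self, ingress_port: int, group: str) -> set:
        return self.ports - {ingress_port}


class IgmpSnoopingSwitch:
    """Learns group membership from IGMP reports and leaves, then forwards a
    group's packets only to ports that have joined it."""

    def __init__(self, ports):
        self.ports = set(ports)
        self.members = {}  # group address -> set of member ports

    def handle_igmp(self, port: int, data: bytes) -> None:
        msg_type, group = parse_igmpv2(data)
        if msg_type in (IGMP_V1_REPORT, IGMP_V2_REPORT):
            self.members.setdefault(group, set()).add(port)
        elif msg_type == IGMP_LEAVE_GROUP:
            self.members.get(group, set()).discard(port)
        # Queries come from the querier/router; a full implementation would
        # note that port as a router port and forward all groups toward it.

    def egress_ports(self, ingress_port: int, group: str) -> set:
        return self.members.get(group, set()) - {ingress_port}


def demo() -> dict:
    """Source on port 1; ports 2 and 3 join 239.1.1.1, then port 3 leaves."""
    ports = [1, 2, 3, 4, 5]
    plain, snoop = PlainL2Switch(ports), IgmpSnoopingSwitch(ports)
    report = build_igmpv2(IGMP_V2_REPORT, "239.1.1.1")
    leave = build_igmpv2(IGMP_LEAVE_GROUP, "239.1.1.1")
    for switch in (plain, snoop):
        switch.handle_igmp(2, report)
        switch.handle_igmp(3, report)
    result = {
        "plain": plain.egress_ports(1, "239.1.1.1"),
        "snoop_after_reports": snoop.egress_ports(1, "239.1.1.1"),
    }
    snoop.handle_igmp(3, leave)
    result["snoop_after_leave"] = snoop.egress_ports(1, "239.1.1.1")
    return result


if __name__ == "__main__":
    for name, ports in demo().items():
        print("%-20s forwards to ports %s" % (name, sorted(ports)))
```

The plain switch delivers the stream to ports 4 and 5 even though nothing there asked for it, which is the flooding the text describes; the snooping switch delivers only to ports that reported membership, and stops delivering to port 3 once it leaves.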
Black Box Explains…HDMI
The High-Definition Multimedia Interface (HDMI®) is the first digital interface to combine uncompressed high-definition video, up to eight channels of uncompressed digital audio, and intelligent format and command data in a single cable. It is now the de facto standard for consumer electronics and high-definition video and is gaining ground in the PC world.
HDMI supports standard, enhanced, and high-definition video. It can carry video signals at resolutions up to and beyond 1080p at 60 Hz (Full HD). The latest version even supports 4K video resolutions.
HDMI offers an easy, standardized way to set up home theaters and AV equipment over one cable. Use it to connect audio/video sources, such as DVD players, set-top boxes, and A/V receivers, with audio and/or video equipment, such as digital TVs, PCs, cameras, and camcorders. It also supports multiple audio formats, from standard stereo to multichannel surround sound. Plus, it provides two-way communications between the video source and the digital TV, enabling simple remote, point-and-click configurations.
NOTE: HDMI also supports HDCP (High-bandwidth Digital Content Protection), which prevents the copying of digital audio and video content transmitted over an HDMI cable. If you have a device between the source and the display that supports HDMI but not HDCP, your transmission won't work, even over an HDMI cable.
HDMI offers significant benefits over older analog A/V connections. It's backward compatible with DVI equipment, such as PCs, TVs, and other electronic devices using the DVI standard. A DVI-to-HDMI adapter can be used without a loss of video quality. Because DVI only supports video signals, not audio, the DVI device simply ignores the extra audio data.
The HDMI standard was introduced in December 2002. Since then, there have been a number of versions with increasing bandwidth and/or transmission capabilities.
The version introduced in June 2006 more than doubled the bandwidth, from 4.95 Gbps to 10.2 Gbps (340 MHz). It offers support for 16-bit color, increased refresh rates, and added support for 1440p WQXGA. It also added support for the xvYCC color space and the Dolby TrueHD and DTS-HD Master Audio standards. Plus, it added features to automatically correct audio/video synchronization. Finally, it added a mini connector.
HDMI 1.3a (November 2006), HDMI 1.3b (March 2007), HDMI 1.3b1 (November 2007), and 1.3c (August 2008) added termination recommendations, control commands, and other specifications for testing, etc.
HDMI 1.4 (May 2009) increased the maximum resolution to 4K x 2K (3840 x 2160p at 24/25/30 Hz). It added an HDMI Ethernet channel for a 100-Mbps connection between two HDMI devices. Other advancements include an Audio Return Channel, stereoscopic 3D over HDMI (HDMI 1.3 devices will only support this for 1080i), an automotive connection system, and the micro HDMI connector.
HDMI 1.4a (March 2010) adds two additional 3D formats for broadcast content.
HDMI 2.0 (August 2013), which is backwards compatible with earlier versions of the HDMI specification, significantly increases bandwidth up to 18 Gbps and adds key enhancements to support market requirements for enhancing the consumer video and audio experience.
HDMI 2.0 also includes the following advanced features:
Resolutions up to 4K@50/60 (2160p), which is four times the clarity of 1080p/60 video resolution, for the ultimate video experience.
Up to 32 audio channels for a multi-dimensional immersive audio experience.
Up to 1536 Hz audio sample frequency for the highest audio fidelity.
Simultaneous delivery of dual video streams to multiple users on the same screen.
Simultaneous delivery of multi-stream audio to multiple users (up to four).
Support for the wide angle theatrical 21:9 video aspect ratio.
Dynamic synchronization of video and audio streams.
CEC extensions provide more expanded command and control of consumer electronics devices through a single control point.
There are four HDMI connector types. Type A and Type B are defined in the HDMI 1.0 specification. Type C is defined in HDMI 1.3, and Type D is defined in HDMI 1.4.
Type A: 19 pins. It supports all SDTV, EDTV, and HDTV modes. It is electrically compatible with single-link DVI-D.
Type B: 29 pins. Offers double the video bandwidth of Type A. Use for very high-resolution displays such as WQUXGA. It's electronically compatible with dual-link DVI-D.
Type C Mini: 19 pins. This mini connector is intended for portable devices. It is smaller than Type A but has the same pin configuration and can be connected to Type A cable via an adapter or adapter cable.
Type D Micro: 19 pins. This also has the 19-pin configuration of Type A but is about the size of a micro-USB connector.
Recently, HDMI Licensing, LLC announced that all cables would be tested as either Standard or High-Speed cables. Referring to cables by HDMI standard version (e.g., 1.2, 1.3, etc.) is no longer allowed.
Standard HDMI cable is designed for use with digital broadcast TV, cable TV, satellite TV, Blu-ray, and upscaling DVD players to reliably transmit up to 1080i or 720p video (or the equivalent of 75 MHz or up to 2.25 Gbps).
High-Speed HDMI reliably transmits video resolutions of 1080p and beyond, including advanced display technologies such as 4K, 3D, and Deep Color. High-Speed HDMI is the recommended cable for 1080p video. It will perform at speeds of 600 MHz or up to 18 Gbps, the highest bandwidth currently available over an HDMI cable.
Additional resources and licensing information are available at HDMI.org.
Black Box Explains…TEMPEST.
TEMPEST is an acronym for Telecommunications Electronics Material Protected from Emanating Spurious Transmissions. It pertains to technical security countermeasures, standards, and instrumentation that prevent or minimize the exploitation of vulnerable data communication equipment by technical surveillance or eavesdropping.
What puts your data communication equipment at risk?
Many things. But first and foremost, its microchip.
Any device with a microchip generates an electromagnetic field, often called a “compromising emanation” by security experts. With the proper surveillance equipment, these emanations can be intercepted and the signal reconstructed and analyzed. Unprotected equipment can, in fact, emit a signal into the air like a radio station—and nobody wants to risk his or her job and a whole lot more by broadcasting national security or trade secrets to the wrong people.
Some of the most vulnerable devices are speakerphones, printers, fax machines, scanners, external disc drives, and other high-speed, high-bandwidth peripherals. If the snoop is using a high-quality interception device, your equipment’s signals can be acquired up to several hundred feet away.
Arguably one of the most vulnerable pieces of equipment is an analog VGA monitor. If a spy were to introduce a Trojan into your system, he or she could monitor and store key presses and passwords used during the day. When the system’s not in use at night, the spy could pulse the VGA screen with grayscale images that have a strong signal at particular frequencies. VGA uses single-ended signaling that has a high common-mode emission level not protected by cable shielding, and it’s possible to monitor these signals outside the secure zone using a radio receiver. Even without a Trojan, a sophisticated receiver located nearby picks up and views what’s on the VGA monitor.
What TEMPEST is and isn’t.
It should come as no surprise that the Federal government became concerned about signal leakage. In fact, its interest goes back to the days of World War I, when the Army was trying to exploit weaknesses of enemy combat phones and radio transmitters. Since then, the scope of the government's interests has broadened beyond battlefield equipment. In the last 40 years, the National Security Agency (NSA) has taken several industry measurement standards and greatly beefed them up. These enhanced criteria are commonly referred to as the TEMPEST standards (although the NSA also calls them EMSEC standards, short for "emissions security").
TEMPEST disciplines involve designing circuits to minimize emanations and the application of appropriate shielding, grounding, and bonding. Some methods used include radiation screening, alarms, and isolation.
A TEMPEST-approved device resembles its non-secure version with a few key differences. If it's a network component such as a switch, it comes in a heavy metal case. It also has special shielding, a modified power supply, and perhaps a few other modifications from the standard model. If you need to open the device's case, a special torque wrench for use with TEMPEST-only products is required.
TEMPEST test equipment is very expensive and is sold exclusively to government agencies. Nobody can sell you commercial TEMPEST testing equipment. And if someone offers you a “TEMPEST surveillance system,” you need to be aware of two things: First, TEMPEST is counter-surveillance science and the offer is a fraud; second, the salesperson is committing a federal felony.
If you buy surveillance equipment—authentic or not—then you have also committed a felony. Construction of, possession of, attempting a sale of, or attempting a purchase of said surveillance equipment is illegal. Even if the product purchased is a hoax, the law will take your intentions into account as much as the salesperson's. Don't be surprised if you both go to jail.
In the United States, you can learn about TEMPEST testing only in special schools sanctioned by, if not run by, the NSA. Courses to earn the TEMPEST Technician or TEMPEST Engineer certifications are very expensive. These classes are offered to a limited number of people who have a very high level of security clearance and who will be working on TEMPEST-approved equipment all the time.
All TEMPEST-approved communication devices have a rating based on their application and/or environment.
Type 1: This rating is for classified cryptographic equipment used for national security purposes. It’s endorsed by the NSA for securing telecommunications and automated information systems and for the protection of classified or sensitive U.S. Government information.
Type 2: This rating is for unclassified cryptographic equipment used by U.S. Government agencies, state and local governments, and sponsored U.S. Government contractors. It’s endorsed by the NSA for securing telecommunications and automated information systems and for the protection of unclassified but sensitive information, such as contract bids.
Type 3: This rating is for unclassified commercial cryptographic equipment that implements an algorithm registered with the National Institute of Standards and Technology (NIST). It's for use in protecting sensitive information, like a corporation's network communications.
Black Box Explains...Digital Visual Interface (DVI) cables.
The Digital Visual Interface (DVI) standard is based on transition-minimized differential signaling (TMDS). In a typical single-line digital signal, voltage is raised to a high level and decreased to a low level to create transitions that convey data. To minimize the number of transitions needed to transfer data, TMDS uses a pair of signal wires. When one wire goes to a high-voltage state, the other goes to a low-voltage state. This balance increases the data-transfer rate and improves accuracy.
There are different types of DVI connectors: DVI-D, DVI-I, DVI-A, DFP, and EVC.
DVI-D is a digital-only connector. DVI-I supports both digital and analog RGB connections. Some manufacturers are offering the DVI-I connector type on their products instead of separate analog and digital connectors. DVI-A is used to carry an analog DVI signal to a VGA device, such as a display. DFP, like DVI-D, was an early digital-only connector used on some displays; it's being phased out. EVC (also known as P&D) is similar to DVI-I, only slightly larger in size. It also handles digital and analog connections, and it's used primarily on projectors.
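The "transition-minimized" part of TMDS is an encoding step that runs before the differential pair: each 8-bit pixel byte is mapped to a 10-bit symbol chosen so that the wire toggles as little as possible and stays DC-balanced over time. As an added example (written for this page, not code from Black Box or from the DVI specification itself), the following implements that encoder and the matching decoder as described in DVI 1.0 section 3.2.2.1: stage one chains the bits with XOR or XNOR, whichever produces fewer transitions, and records the choice in bit 8; stage two optionally inverts the data bits to pull the running disparity back toward zero and records that in bit 9. Every 10-bit symbol it produces has at most five transitions, and the decoder recovers the original byte; the sample input stream is constructed for the example.

```python
def _bit(value: int, index: int) -> int:
    return (value >> index) & 1


def tmds_encode(byte: int, disparity: int):
    """Encode one 8-bit value into a 10-bit TMDS symbol.
    `disparity` is the running count of ones minus zeros on the channel
    (carried between symbols).  Returns (symbol, new_disparity)."""
    ones = bin(byte & 0xFF).count("1")
    # Stage 1: XNOR chaining when the byte is one-heavy, XOR otherwise.
    # Either way the 8 chained bits end up with at most 3 transitions.
    use_xnor = ones > 4 or (ones == 4 and _bit(byte, 0) == 0)
    qm = [_bit(byte, 0)]
    for i in range(1, 8):
        chained = qm[i - 1] ^ _bit(byte, i)
        qm.append(chained ^ 1 if use_xnor else chained)
    qm.append(0 if use_xnor else 1)  # bit 8 tells the decoder which was used

    n1 = sum(qm[:8])
    n0 = 8 - n1
    # Stage 2: decide whether to invert the 8 data bits for DC balance.
    if disparity == 0 or n1 == n0:
        invert = 1 - qm[8]
        disparity += (n0 - n1) if qm[8] == 0 else (n1 - n0)
    elif (disparity > 0 and n1 > n0) or (disparity < 0 and n0 > n1):
        invert = 1
        disparity += 2 * qm[8] + (n0 - n1)
    else:
        invert = 0
        disparity += (n1 - n0) - 2 * (1 - qm[8])

    symbol = 0
    for i in range(8):
        symbol |= (qm[i] ^ invert) << i
    symbol |= qm[8] << 8      # encoding choice: 1 = XOR, 0 = XNOR
    symbol |= invert << 9     # inversion flag
    return symbol, disparity


def tmds_decode(symbol: int) -> int:
    """Recover the 8-bit value from a 10-bit TMDS data symbol."""
    invert = _bit(symbol, 9)
    used_xor = _bit(symbol, 8)
    q = [_bit(symbol, i) ^ invert for i in range(8)]  # undo stage 2
    data = [q[0]]
    for i in range(1, 8):                              # undo stage 1
        diff = q[i] ^ q[i - 1]
        data.append(diff if used_xor else diff ^ 1)
    return sum(bit << i for i, bit in enumerate(data))


def transitions(symbol: int) -> int:
    """Number of 0->1 / 1->0 changes inside a 10-bit symbol."""
    return sum(_bit(symbol, i) != _bit(symbol, i + 1) for i in range(9))


def encode_stream(data: bytes) -> list:
    """Encode a byte stream, carrying the running disparity across symbols."""
    disparity = 0
    symbols = []
    for byte in data:
        symbol, disparity = tmds_encode(byte, disparity)
        symbols.append(symbol)
    return symbols


def decode_stream(symbols: list) -> bytes:
    return bytes(tmds_decode(s) for s in symbols)


if __name__ == "__main__":
    # Constructed sample: a short pixel run plus the worst-case alternating bytes
    sample = bytes([0x00, 0xFF, 0x00, 0xFF, 0x55, 0xAA, 0x3C, 0xC3])
    for byte, symbol in zip(sample, encode_stream(sample)):
        print("0x%02X -> %010b (%d transitions)" % (byte, symbol, transitions(symbol)))
```

The bound of five transitions per symbol is what keeps the signal's spectrum narrow enough for the cable; it also means the four control symbols used for blanking (which have seven or more transitions) can never collide with pixel data.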
Black Box Explains...On-screen menus.
When the ServSwitch™ brand of KVM switches was first introduced, there were only two ways to switch: from front-panel push buttons or by sending command sequences from the keyboard. While this was more convenient than having a separate keyboard, monitor, and mouse for each CPU, the operator still had to remember key combinations and which server was connected to which port—leading to many cryptic, scribbled notes attached to the switch and to the workstation.
But with the advent of on-screen menus, an operator can use easy-to-read, pop-up menus to identify and select CPUs. It’s even possible to give each CPU a name that makes sense to you—names like “MIS Server,” “Accounting Server,” and so on.