P3/P1
- Transmission Over Copper Security Issues
Introduction this document reviews P3/P1
modulation technology and its security effects on data/voice
transmission
over copper cables
Objectives to
clarify the level of security P3/P1 products offer without additional
encryption devices
to
investigate possible security improvements with the use off additional security
products as
basis
for future product enhancements
Conclusion P3 and P1 products with its RADSL DMT
modulation technology represent a highly secure
transmission of voice and data
over copper. The products digital signal
modulation is an effective data encryption.
P3s provide user indication of
any changes to transmission line including, visual user indication of a
possible intrusion, stopping the transmission at that point in time.
Increasing this inherent
security is achieved by use of existing COTS methods of file and data transfer
protocol encryption – on a user and application level (software methods).
Further security integration
to a government standard would require additional product engineering effort.
As it stands P3 and P1
products offer a considerable cost saving (by using copper instead of
fibre-optic cable) for Command and Control Communications whilst maintaining
high levels of data integrity.
Index
Summary
P3 and P1 offer a high level of security on a physical level.
The multi-carrier modulation technology establishes a one time
distribution of data packets protocol. Each Ethernet data packet is effectively
scrambled over 250 individual frequency carriers.
Only the two devices that are present (on either side of copper line)
will negotiate transmission parameters.
No external devices are able to “listen in” on the process of
establishing the transmission parameters.
Introduction of a “spying” P3 or P1 would result in error (i.e. no link
will be established).
There are no commercial devices in existence that could emulate such a “spying”
device. All ADSL tester and analyser products can only emulate originating or
terminating transmission device (by replacing it).
Once the transmission parameters have been settled, Ethernet data
packets commence transmission.
Only the two P3 or P1 devices that negotiated/synchronised this link know which of the 250 individual carriers are
allocated to carry which part of a single Ethernet packet. The data is scrambled across all the active
carriers.
The more users there are connected to a P3 or a P1 link the higher the
scrambling effect – the harder it is for a “spying” device to identify true
contents of any active frequency carrier.
The technology provides 250 frequency carriers with each carrier capable
of transmitting 64 Kbit/sec of data.
Each Ethernet data packet will be fractionally distributed over some or
all of these carriers.
The set up protocol for this distribution is negotiated once only during
the link synchronisation phase.
In summary, P3s and P1s provide a high level of data integrity based on
this transmission modulation technology.
The technology was designed to compensate for a noisy environment of
public telecommunications copper plants. Its use in tactical, field deployed
communications benefits directly from this modulation technology.
Beyond the physical layer security between the two devices (P3 or P1)
additional security measures can be integrated. On the user side (PCs or
Laptops) file transfer software encryption can be activated – these security
features are commonly available in most current Operating Systems.
Integration of a government standard encryption product into P3 will
necessitate a degree of re-engineering and as a consequence a restriction of
commercial sales of the product.
P3/P1
Modulation
P3/P1 transmission design is based on industry standard DMT (Discrete
Multi Tone) Modulation (see below).
This modulation ensures optimal transmission for any
given condition of a copper link (its quality and thickness, lengths, number of
joints, kinks, stretches, as well as adverse weather conditions). DMT modulation allows P3 and/or P1 to
establish optimal transmission parameters on any given link of copper cable,
reflecting these variable parameters.
It is important to note that DMT modulation is established over 250
individual frequency carriers. Each 4.3 kHz carrier (the same as used for a
voice telephone modulation) transmits maximum 64 Kbit/sec
of data. Total P3/P1 bandwidth in ideal conditions is 8 Mbit/sec
in one direction and 1 Mbit/sec in the other
direction (the technology is asymmetrical due to signal interferences arising
at these speeds). From the diagram it
will be noted that carriers for 8 Mbit/s data stream
are separate from 1 Mbit/s carriers.
The benefit of this technology is that every frequency carrier is
independently tested for ‘Signal to Noise Ratio’ SNR and other data integrity
parameters specific (and unique) to the given copper link. The process is
called ‘training’ or synchronising the link.
The positively checked carriers will remain and carry the data traffic.
Those carriers that did not check out (whose transmission parameters were of
unacceptable level) will be de-activated and not used for the duration of that
link.
The more de-activated frequency carriers there are after the ‘training’
period the less overall bandwidth between the two P3s or P1s.
It should also be noted that ‘DSL’ chipsets continually monitor SNR and
Bit Error Rate BER performance of all active frequency carriers. If any of the active carriers return the
below threshold result (BER or SNR) the link will resynchronise (re-train) to
reflect this change of condition.
In practical terms this is likely to occur when a length of copper is being
stretched or damaged or there is an adverse electrical noise present that
affects transmission parameters (noisy diesel generator, lightning, EW and
similar). Note that these transmission
interferences will affect P3/P1 transmission only if they occur at 0 to 1.5MHz
spectrum – i.e. active P3/P1 frequency carriers. Frequency noise above 1.5MHz does not affect
P3/P1.
DMT
Security Assertions
DMT modulation provides a dynamic and optimal transmission performance
for P3 and P1 in field deployed conditions. It effectively manages and
compensates for any adverse noise conditions on the line.
During the line synchronisation phase each of the 250 frequency carriers
is tested for Signal to Noise Ratio and Bit Error (SNR and BER). In the event
that returned parameters of these tests are below the threshold levels the
affected carrier would be deactivated.
- this process effectively adjusts optimal
transmission parameters for any given length of copper cable that could be
affected by the length, joints, stretches of the copper, atmospheric and
other conditions affecting signal transmission
- the
Digital Signal Processor (DSP), that is part of all P3 and P1
chipsets, establishes which successfully tested frequency carriers will
carry which part of Ethernet data packets
The combined effect of the two processes establishes a once only
data protocol between two active P3s or P1s.
This data protocol is valid for one given physical link only. Importantly, if anyone or anything ‘disturbs’
the line after the synchronisation phase, the line parameters will change and
the devices will stop transmitting. There will be a visual indication to the
operator of this disturbance.
No other P3 or P1 device that would be connected to the copper link
after the synchronisation phase will be operable – the data protocol will not
let it synchronise. The data synchronisation protocol works for two devices on
the line only (i.e. any additional device introduced on the line will result in
line ‘disturbance’ and consequential stop of transmission.
It is worthwhile to note that all commercially available ADSL line
testers and analysers work by substituting one of the ADSL devices on the line
– never as an external (third) introduced device. There are no commercially
available products that could do this.
In theory it would be possible to design a “spying” ADSL device. The
complexity of such a product however, would make it a very unlikely field
deployable or portable product. Therefore, given the variable nature of
tactical data links it is highly improbable that a “spying” ADSL product would
ever come into existence.
Security
Enhancements
P3/P1 have been designed as essentially COTS (Commercial Of The Shelf) products - desirable features at an attractive
price (around 20 times cheaper then a
similar Fibre Optic based equipment).
The inherent data security features provide a relatively high level of
data integrity.
However a number of additional security measures could significantly
increase the level of security. The listed measures are commonly available in
most computer operating systems today:
-
file encryption
through private and public security keys
-
data transfer
protocol encryption through private and public security keys
These measures are transparent to P3s or P1s and do not necessitate any
product modifications.
Integration of a government standard encryption device would require
product adaptation. Significantly, this implies that P3s will become a
restricted product that is also less attractive commercially.
Conclusions
P3 and P1 products with its RADSL DMT modulation technology represent a
highly secure data transmission in a tactical environment. The products offer
effective user indications of any changes to the transmission line, stopping
the transmission at that point in time.
Increasing this security is easily achieved by use of existing COTS
methods of file and data transfer protocol encryption – on a user and
application level.
Further security enhancements - to a government standard - can be
integrated with additional product engineering.
As it stands P3 and P1 products offer a considerable cost saving (by
using copper instead of fibre-optic cable) for Command and Control
Communications whilst maintaining high levels of data integrity.
Technical
References
The following information from the ADSL telecommunications standards
definition is reproduced solely to emphasise the complexity of the overall
signal modulation and includes algorithm definitions of data bits scrambling,
forward error corrections and tone ordering.
In ADSL DMT-systems the downstream channels are divided into
256 4-kHz-wide tones. The upstream channels are divided into 32 subchannels. See also the frequency spectrum of the
ADSL-channels (Pg-2).
Some of the most important parameters for standardized ADSL
DMT are described below. Note, that these values
differ for both ATU-C (MASTER or Tx-High) and ATU-R
(SLAVE or Tx-Low).
Framing
The downstream and upstream data channels are synchronized
to the 4 kHz ADSL DMT (Discrete Multi Tone) symbol rate, and multiplexed into
two separate data buffers (fast and interleaved).
ADSL uses the superframe structure
shown in figure below. Each superframe is composed of
68 ADSL data frames, which are encoded and modulated into DMT symbols. From the
bit-level and user data perspective, the DMT symbol rate is 4000 baud (period =
250 
s).
Because of the sync symbol inserted to the end of each superframe,
the transmitted DMT symbol rate is 69/68 * 4000 baud.
Figure: ADSL superframe
structure
Eight bits per ADSL superframe are
reserved for the crc, and 24 indicator bits (ib0-ib23)
are assigned for OAM functions. The "fast" byte of the fast data
buffer carries either crc, eoc or synchronization bits.
Each user data stream is assigned to either the fast or the
interleaved buffer during initialization.
Scrambling
The binary data stream outputs from the fast or interleaved
buffers are scrambled separately using the following algorithm for both:
where 
is
the 
-th output from the fast or interleaved buffer, and 
is the -th output from the corresponding scrambler. Scrambling can
be performed independent of symbol synchronization.
Forward Error Correction (FEC) is used to assure optimal
performance. It is based on Reed-Solomon coding and it must be implemented. The
size of the Reed-Solomon codeword is 
,
in which the number of check bytes 
and codeword size 
vary depending on the number of bits assigned
to either fast or interleaved buffer.
The Reed-Solomon codewords in the
interleave buffer are convolutionally interleaved.
The interleaving depth values are either 16, 32 or 64
(32 or 64 for 2.048 Mbit/s based systems).
A DMT time-domain signal has a high peak-to-average ratio
(its amplitude distribution is almost Gaussian), and large values may be
clipped by the D/A-converter. The error signal caused by clipping can be
considered as an additive negative impulse for the time sample that was
clipped. The clipping error power is almost equally distributed across all
tones in the symbol in which clipping occurs. Clipping is therefore most likely
to cause errors on those tones that have been assigned the largest number of
bits (and therefore have the densest constellation). These occasional errors
can be reliably corrected by the FEC coding if the tones with the largest
number of bits have been assigned to the interleave buffer.
The number of bits and the relative gains
to be used for every tone are calculated in the ATU-R receiver, and send
back to the ATU-C. The pairs of numbers are typically stored, in ascending
order of frequency or tone number 
,
in a bit and gain table.
The “tone-ordered”' encoding assigns the first 
bytes (8 bits) from the symbol buffer to the tones with
the smallest number of bits assigned to them, and the remaining 
bytes (8 bits) to the remaining tones.
Constellation encoder can be implemented with or without
trellis coding. The system performance can be improved by block processing of Wei's 16-state 4-dimensional trellis code. It is possible
to achieve 2-3 dB better coding gain and the overall improvement in coding gain
by well designed ADSL system can be about 5.5 dB.
Initialization
The task of the initialization process is to maximize the
throughput and reliability of the link. This process is also transparent to the
vendors choice of the method of separating upstream and downstream signals
(either FDM or echo cancellation).
The channel attribute values determined by the
initialization procedure include the number of bits and relative power levels
to be used on each DMT sub-carrier, as well as any messages and final data
rates information. The table to the right illustrates the main stages of the
initialization procedure.
High-level
on-line adaptation -- bit swapping
Bit swapping enables an ADSL system to change the number of
bits assigned to a subcarrier, or change the transmit
energy of a subcarrier without interrupting data
flow. The bit swap process uses the aoc channel.
Carrier 64 (f = 276 kHz) is reserved for a pilot. The data
modulated onto the pilot subcarrier shall be constant
0,0. Use of this pilot allows resolution of sample timing
in a receiver modulo-8 samples.
Nyquist frequency
The carrier at the Nyquist
frequency (256) may not be used for data.
Modulation by the inverse discrete Fourier
transform (IDFT)
The modulating transform defines the relationship between
512 real values 
and the 
for k = 0 to 511.
The encoder and scaler, generate
only 255 complex values of (plus zero at dc, and one real value if the Nyquist frequency is used). In order to generate real
values of these values shall be augmented so that the
vector 
has Hermitian
symmetry.
end.