KEYVPN CLIENT
Industry's Most Complete IPsec VPN Client for Android OEMs and Enterprises

Features & Benefits
- Supports the latest Android versions, Ice Cream Sandwich and Jelly Bean
- Configuration Wizard for IT administrators provides a one-click configuration experience to employees
- Available as a post-loadable app for Android 4.x and later
- Complies with carrier requirements
- Enterprise authentication methods: Hybrid RSA, EAP-MSCHAPv2, EAP-MD5, RSA SecurID
- Suite B algorithms and optional FIPS 140-2 Level 1 cryptography meet Federal, Financial, and Healthcare security requirements
- Split tunneling allows securing only sensitive traffic, for longer battery life

The smartphone and tablet market has seen remarkable adoption and acceptance for consumer-level Android devices. Enterprises are now looking to take advantage of the features, functionality, and user experience that Android has brought to millions of consumers globally. As OEMs look to build a bridge between these consumer-level devices and Enterprise systems, highly advanced security features will be required to compete against incumbent solutions like BlackBerry and iPhone.

KeyVPN Client: The Industry's Most Complete Mobile VPN Solution

KeyVPN Client is a complete, full-featured solution that allows Android OEMs to easily integrate VPN functionality into devices that need to establish encrypted tunnels of communication into critical business and enterprise resources. Furthermore, for Android 4.x devices, KeyVPN Client is available as a downloadable mobile application, allowing integration with a single tap. Based on Mocana's award-winning NanoSec code base, which has been certified by the VPN Consortium (VPNC) for interoperability with all leading VPN gateway appliances and vendors, KeyVPN Client includes an intuitive GUI with out-of-the-box support for the latest Android operating systems.
KeyVPN Client employs a cross-platform implementation that allows OEMs to utilize a single cryptographic module across multiple Security Detail for Android products, such as NanoSec or KeyDAR (data-at-rest encryption for Android devices), creating system-level efficiencies in size and performance.
Mocana's cryptographic module is available with NSA Suite B algorithms and an optional FIPS 140-2 Level 1 certification, which have become mandatory with many Healthcare, Financial and Government Enterprises for meeting compliance specifications.

Big VPN Functionality in a Very Small Package

KeyVPN includes an easy-to-use GUI that is intuitive and suitable for any end user. It also integrates additional features like multiple VPN profile configurations, handling multiple gateways, supporting VPN and non-VPN traffic simultaneously (aka "split tunneling") and Suite B encryption.

Easy to Use and Highly Configurable
- Modular Design: Facilitates integration with headless (GUI-less) embedded devices
- Highly Customizable: Connect securely to almost any commercial or open-source IPsec-based VPN server software or appliance
- Multi Purpose: Leverage single IPsec core support for both IMS 4G and VPN enterprise connectivity
- Highly Efficient: Leverage a single cryptographic module for multiple security applications

Support Enterprise and Government Applications
- NSA Suite B Cryptography included
- FIPS 140-2 Level 1 certifiable cryptography module

Mobile OS Platforms Supported
- Android Ice Cream Sandwich
- Android Jelly Bean
- Android Kit Kat (4.4.2)

Hardware Platforms Supported

KeyVPN Client Benefits

As Android devices make their way into enterprise and Government markets, they will need a way to securely connect to back-end IT systems and infrastructure. Mocana's KeyVPN Client provides many benefits for Android OEMs and Enterprises.
Meets Enterprise Protocols

IKE/IPsec VPN is widely deployed in Enterprises for desktop and laptop devices. KeyVPN Client follows these same protocols, which Enterprises are now requiring for their mobile device VPN clients. Several smartphones on the market today, such as iPhone and BlackBerry, already support IKE/IPsec VPN.

Accessibility & Interoperability

KeyVPN Client allows Android smartphones and tablets to access Enterprise resources remotely and securely by setting up an IPsec-based VPN tunnel from Android end points to Enterprise VPN gateways. Furthermore, it uses IKEv1/v2 as the key establishment protocol between end point and gateway. KeyVPN Client is an interoperable, standards-based solution that does not require prior collaboration with VPN gateway vendors for end-to-end implementation.

Win Government Dollars

All government agencies and most contractors require FIPS-certified cryptography, a difficult certification to achieve. KeyVPN Client's core cryptographic module is available to you in source, or as a FIPS 140-2 Level 1 certified binary module. Both source and binary versions include full support for NSA's Suite B algorithms, providing secure communications between high-assurance and basic-assurance systems.

Ease of Use & Reduced Development Time

KeyVPN Client contains absolutely no GPL code, so you can be confident your intellectual property won't accidentally become public domain because of GPL contamination, something open source projects cannot offer. No crypto expertise is required because KeyVPN Client hides all of the complexity of the cryptography, so you can focus on other aspects of your project. Lastly, KeyVPN Client is hardware architecture independent and fits into tiny memory footprints. Mocana's patent-pending Acceleration Harness provides an asynchronous, event-driven mechanism to leverage available hardware offloads, dramatically enhancing performance and extending battery life on mobile platforms.
Only KeyVPN Client offers everything you need together in one package, to get the job done right and fast.

Open New Markets

Android adoption in the Enterprise requires an IKE/IPsec VPN. Adopting KeyVPN Client will allow Android OEMs to make inroads into the Enterprise market with their Android devices.

Beat Your Competition

Apple iPhone and iPad support IKE/IPsec VPN, but that support is limited in functionality and is only Cisco compliant. KeyVPN Client is interoperable with all leading VPN gateway vendors, giving reach to 99+% of the Enterprise market.

Get There Fast

Many Android device OEMs have VPN client functionality on their roadmaps. KeyVPN Client will allow you to be one of the few Enterprise-ready providers in the market. Be one of the first to enable
corporate employees' access to Enterprise systems with their Android device, enabling the ability to carry one device for personal and business use.

KeyVPN Client Key Features

Key Feature: Easy to use & user friendly
  Benefits & Specifications:
  - Intuitive Design
  - Optimized for minimal number of clicks
  - Reduces IT troubleshooting & tickets

Key Feature: Extensive Protocol Support; Best in Class Encryption / Authentication
  Benefits & Specifications:
  - Internet Key Exchange IKE v1 (Aggressive and Main Mode)
  - IKE v2 / IPv4 / IPv6 / XAUTH / NAT Traversal
  - IPsec (ESP) using Data Encryption Standard (DES)/Triple DES (3DES) (56/168-bit) or AES (128/256-bit) with MD5 or SHA
  - RSA, Diffie-Hellman, Elliptic Curve and full support for NSA Suite B Cryptography
  - RSA SecurID, Hybrid RSA, EAP-MD5, EAP-MSCHAPv2

Key Feature: NSA Suite B Algorithms and Optional FIPS 140-2 Level 1 Certified Cryptography
  Benefits & Specifications:
  - Use of highly advanced cryptography standards & certifications
  - Meets cryptography & compliance needs for Healthcare, Financial, and Government markets
  - No additional equipment to buy

Key Feature: VPNC (VPN Consortium) Certified Interoperable; VPN profile configuration with MDM Console
  Benefits & Specifications:
  - Compatible with existing & popular VPN gateways
  - Maximum compatibility with the use of industry standard protocols
  - Provides APIs for configuring VPN profile from MDM consoles

Key Feature: Supports VPN and non-VPN traffic simultaneously (Split-Tunnel Mode)
  Benefits & Specifications:
  - Provides clean and smooth user experience
  - Removes enterprise network as the bandwidth bottleneck
Key Feature: Built-in Error Detection and Logging Mechanisms
  Benefits & Specifications:
  - Saves time and money
  - Quicker troubleshooting & resolution of issues or IT tickets

Key Feature: Connectivity
  Benefits & Specifications:
  - Supports WiFi (802.11a/b/g/n), GPRS, 3G, Edge, UMTS, and IMS 4G wireless connections, using native Android functionality

Key Feature: KeyVPN Configuration Wizard
  Benefits & Specifications:
  - Host-based configuration tool allows creation of VPN profile
  - Relieves users from the complex task of VPN configuration

Key Feature: Back-Up Server
  Benefits & Specifications:
  - Automatically attempts to connect to a back-up VPN gateway when the primary gateway fails

Key Feature: Digital Certificate and Advanced Key Management Support
  Benefits & Specifications:
  - X.509 v3 certificate support
  - PKCS #12, Certificate provisioning support (Digital certificates)
  - Diffie-Hellman (DH) Groups 1, 2, and 5
  - Perfect Forward Secrecy (PFS)
  - Rekeying

KeyVPN Client Functionality and Implementation

[Figure 1: User Interface & Home Screen]

End Users will see a VPN application icon on their mobile device home screen.
[Figure 2: Basic Features]

KeyVPN Client is a fully configurable VPN client. Users or Enterprise System Administrators can choose their IKE version (v1), their authentication method (certificates or pre-shared keys) or XAUTH. The feature set can be preconfigured, allowing System Administrators to mask configuration options from the end User by creating set profiles.

[Figure 3: Advanced Features]

KeyVPN Client also has more advanced features, such as dead peer detection (DPD) and split tunneling. Many configuration options are available, such as a choice between main and aggressive modes and a choice of Suite B algorithms.
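The profile choices described above (IKE version, main or aggressive mode, authentication method, cipher and hash, DH group, PFS, split tunneling, backup gateway) are what an administrator should review before pushing a preconfigured profile to employees. The following is an added example, not KeyVPN's own code: it audits constructed profile records against the option set this datasheet lists and flags the settings a security reviewer would reject, assuming a simple dictionary-based profile schema.

```python
"""Audit an IKE/IPsec VPN profile against the options this datasheet lists.
Constructed example: the profile keys are an assumed schema, not KeyVPN's own.
Option values come from the datasheet (DES/3DES/AES, MD5/SHA, DH groups 1/2/5,
RFC 4753 ECP groups, RFC 4869 Suite B)."""

WEAK_CIPHERS = {"des", "3des"}       # 64-bit block ciphers the datasheet still offers
WEAK_HASHES = {"md5", "sha1"}        # HMAC-MD5-96 / HMAC-SHA-1-96
WEAK_DH_GROUPS = {1, 2, 5}           # 768/1024/1536-bit MODP groups
# Suite B (RFC 4869): AES-GCM or AES-CBC, SHA-256/384, ECP groups 19/20, IKEv2.
SUITE_B_CIPHERS = {"aes128", "aes256", "aes128gcm", "aes256gcm"}
SUITE_B_HASHES = {"sha256", "sha384"}
SUITE_B_DH_GROUPS = {19, 20}         # P-256 and P-384 from RFC 4753


def audit_profile(p: dict) -> list:
    """Return reviewer findings; an empty list means the profile passed."""
    findings = []
    if p.get("encryption") in WEAK_CIPHERS:
        findings.append("encryption: legacy DES/3DES, use AES")
    if p.get("integrity") in WEAK_HASHES:
        findings.append("integrity: MD5/SHA-1, use HMAC-SHA-256 or stronger (RFC 4868)")
    if p.get("dh_group") in WEAK_DH_GROUPS:
        findings.append("dh_group: MODP group too small, use group 14+ or ECP 19/20")
    if p.get("ike_version") == 1 and p.get("mode") == "aggressive" and p.get("auth") == "psk":
        findings.append("aggressive mode with PSK: identity hash sent unencrypted, "
                        "use main mode or certificates")
    if not p.get("pfs"):
        findings.append("pfs: disabled, enable Perfect Forward Secrecy for rekeying")
    if not p.get("backup_gateway"):
        findings.append("backup_gateway: none, no failover when the primary fails")
    if p.get("split_tunnel") and not p.get("split_tunnel_approved"):
        findings.append("split_tunnel: on without approval, non-VPN traffic bypasses inspection")
    return findings


def is_suite_b(p: dict) -> bool:
    """True when the profile uses only Suite B algorithms with IKEv2 and certificates."""
    return (p.get("ike_version") == 2 and p.get("auth") == "cert"
            and p.get("encryption") in SUITE_B_CIPHERS
            and p.get("integrity") in SUITE_B_HASHES
            and p.get("dh_group") in SUITE_B_DH_GROUPS)


# Constructed sample profiles: a legacy IKEv1 profile and a Suite B IKEv2 profile.
LEGACY = {"ike_version": 1, "mode": "aggressive", "auth": "psk", "encryption": "3des",
          "integrity": "md5", "dh_group": 2, "pfs": False, "split_tunnel": True,
          "backup_gateway": ""}
SUITE_B = {"ike_version": 2, "auth": "cert", "encryption": "aes256gcm",
           "integrity": "sha384", "dh_group": 20, "pfs": True, "split_tunnel": False,
           "backup_gateway": "vpn2.example.com"}
```

Running `audit_profile(LEGACY)` yields seven findings while `audit_profile(SUITE_B)` yields none; an MDM console could apply the same checks before publishing a profile.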
KeyVPN Client Compliancy and Supported Standards

KeyVPN Client is built upon Mocana's award-winning NanoSec (IKE/IPsec) product, which has been deployed on millions of devices. NanoSec is compliant with the following set of IETF RFCs, cryptographic algorithms, and other applicable industry standards.

RFC Compliance
- RFC 2367: PF_KEY Key Management API, Version 2
- RFC 2401/4301: Security Architecture for the Internet Protocol
- RFC 2402/4302: IP Authentication Header
- RFC 2403/4303: The Use of HMAC-MD5-96 within ESP and AH
- RFC 2404: The Use of HMAC-SHA-1-96 within ESP and AH
- RFC 2405/4305: The ESP DES-CBC Cipher Algorithm With Explicit IV
- RFC 2406/4306: IP Encapsulating Security Payload (ESP)
- RFC 2407: The Internet IP Security Domain of Interpretation for ISAKMP
- RFC 2408: Internet Security Association and Key Management Protocol (ISAKMP)
- RFC 2409: The Internet Key Exchange (IKE)
- RFC 2410: The NULL Encryption Algorithm and Its Use With IPsec
- RFC 2451: The ESP CBC-Mode Cipher Algorithms
- RFC 3280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
- RFC 3526: More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE)
- RFC 3566: The AES-XCBC-MAC-96 Algorithm and Its Uses With IPsec
- RFC 3602: The AES-CBC Cipher Algorithm and Its Use with IPsec
- RFC 3610: Counter with CBC-MAC (CCM)
- RFC 3686: Using Advanced Encryption Standard (AES) Counter Mode With IPsec Encapsulating Security Payload (ESP)
- RFC 3706: A Traffic-Based Method of Detecting Dead Internet Key Exchange (IKE) Peers
- RFC 3715: IPsec-Network Address Translation (NAT) Compatibility Requirements
- RFC 3748: Extensible Authentication Protocol (EAP)
- RFC 3947: Negotiation of NAT-Traversal in IKE
- RFC 3948: UDP Encapsulation of IPsec ESP Packets
- RFC 4106: The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating Security Payload (ESP)
- RFC 4306: Internet Key Exchange (IKEv2) Protocol
- RFC 4307: Cryptographic Algorithms for Use in the Internet Key Exchange Version 2
- RFC 4308: Cryptographic Suites for IPsec
- RFC 4434: The AES-XCBC-PRF-128 Algorithm for the Internet Key Exchange Protocol (IKE)
- RFC 4478: Repeated Authentication in Internet Key Exchange (IKEv2) Protocol
- RFC 4543: The Use of Galois Message Authentication Code (GMAC) in IPsec ESP and AH
- RFC 4555: IKEv2 Mobility and Multihoming
- RFC 4718: IKEv2 Clarifications and Implementation Guidelines
- RFC 4753: ECP Groups for IKE and IKEv2
- RFC 4754: IKE and IKEv2 Authentication Using ECDSA
- RFC 4806: Online Certificate Status Protocol (OCSP) Extensions to IKEv2
- RFC 4835: Cryptographic Algorithm Implementation Requirements for ESP and AH
- RFC 4868: Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with IPsec
- RFC 4894: Use of Hash Algorithms in Internet Key Exchange (IKE) and IPsec
- RFC 4869: Suite B Cryptographic Suites for IPsec
- RFC 5685: Redirect Mechanism for the Internet Key Exchange Protocol Version 2 (IKEv2)
- ModeConfig: draft-dukes-ike-mode-cfg-02.txt
- XAUTH: draft-ietf-ipsec-isakmp-xauth-06.txt

Certificate Management RFCs Supported
- IETF Draft: draft-nourse-scep-14.txt
- X.509 v3 certificate
- X.509 v2 CRL format

Very Granular IKE / IPsec Feature Controls:
- Complete control of AH and ESP protocols configuration
- Multiple concurrent instances for multihoming, VLAN, per-interface, etc.
- Complete control of transport and tunnel modes
- Simple and complete control of shared secrets (IKE authentication)
- Complete control of IKE exchange
- Complete control of non-compliant security policy packets
- RFC 2560: X.509 Internet Public Key Infrastructure Online Certificate Status Protocol (OCSP)
- RFC 3280: X.509 certificate and CRL profiles
- IKE APIs to handle VendorIDs, customization of Initial Payload Exchange
- IKE APIs to set / retrieve information in XAUTH and ModeConfig interactions
- Support for Dead Peer Detection (DPD) and hooks for customization of DPD interactions
- Supports Dual-Mode Operation (IKEv1 and IKEv2)
- Tight integration with Mocana NanoEAP
- Supports RSA tokens for EAP-GTC with IKEv2 (RFC 3748)
- Full-featured IKE implementation as initiator or responder
Mocana's Complete Mobile Device Security Solution

System Level Efficiency

KeyVPN Client builds on top of Mocana's industry-leading NanoSec (IPsec) and NanoCrypto (cryptographic algorithms) security modules to provide a complete VPN solution that integrates into the Android OS. KeyVPN Client can sit beside other Mocana security modules, such as KeyDAR Encryption (Data-at-Rest Encryption), and utilize the same NanoCrypto algorithms, driving greater system-level efficiency than any other VPN solution on the market.

Future Proof Your Design

Furthermore, by choosing KeyVPN Client, OEMs will future-proof their code base to add additional Mocana Device Security Framework (DSF) modules, such as X.509 v3 certificate lifecycle management with NanoCert. This allows OEMs to better utilize their precious development resources and reduce time to market in the competitive mobile devices market.

[Diagram: Mocana's KeyVPN Client. Layers shown: KeyVPN Client (IMS; NanoSec IPsec / IKEv1 / v2 / MOBIKE; User Space Tools; GUI), KeyDAR Encryption (Data-at-Rest Encryption), Other Mocana Device Security Framework (DSF) Modules, all on top of NanoCrypto (FIPS 140-2 Level 1 Certified, Suite B Algorithms). Mocana Security Detail Android: mocana.com/sd/android]
Mocana's Device Security Framework

KeyVPN is part of the Mocana Device Security Framework (DSF), designed to secure all aspects of any connected device. All components of the Device Security Framework are built on a common architecture and share a common API and code base. As a device designer, you can choose only the components you need for your particular project, or standardize company-wide on the DSF, future-proofing your investment with this broad, cross-platform, flexible and extensible security architecture.

[Diagram: Device Security Framework. Device-Resident Code: Device Confidentiality (NanoCert, NanoSSH, NanoSSL, NanoSign, NanoSec), Device Authentication (NanoEAP, NanoWireless), Device Integrity (NanoDefender, KeyDAR, NanoUpdate, KeyVPN, NanoBoot), all on a FIPS 140-2 Certified Cryptographic Core. Cloud and On-Premise Services: Smart Device Management & Services (Mobile App Mgmt, Device Identity Mgmt, Integration with 3rd Party Systems and Applications, Safety, Security Event Mgmt, Remediation, Compliance)]
About Mocana

Mocana securely mobilizes enterprise data and protects millions of the smart connected devices that comprise the Internet of Things. The company's award-winning enterprise mobile app security platform provides organizations with an easy way to deliver business-critical mobile apps, with a high-quality end user experience, tap-and-go simplicity and strong security, for internal and external users. Mocana's customers include Fortune 50 enterprises, government agencies and the world's leading smart device manufacturers. More information is available at www.mocana.com.

Awards and Certificates

Mocana Corporation
710 Sansome Street
San Francisco, CA 94111
tel (415) 617-0055
toll free (866) 213-1273
www.mocana.com
sales@mocana.com

2014 Mocana Corporation