PRAESENSA | General installation procedures and instructions | en | 27
Bosch Security Systems B.V. | Installation manual | 2019.11 | V1.00
subsequent communications. This solution comes with a short period of vulnerability when the factory default key is changed to a system-specific key: at that moment attackers can learn the system key by eavesdropping on the Diffie‑Hellman key exchange during the connection setup with the factory default key. Preferably, this part of the setup is done on a closed network. The PSK is stored persistently in the device. To change the PSK later, the current key must be known. When the key is lost, or devices are transferred from one system to another, a manual reset switch allows a device to be reset to its factory default; this requires physical access to the device.
The cipher suite used by OMNEO is TLS_DHE_PSK_WITH_AES_128_CBC_SHA. This means:
– Encryption: 128‑bit AES.
– Authentication and data integrity: HMAC‑SHA‑1.
Audio security uses a proprietary implementation of a standards-based algorithm for encryption and authentication. The main reason for this is the required low latency: it adds only 0.1 ms of additional sample delay for encoding plus decoding. It uses 128‑bit AES encryption in Cipher Feedback Mode (CFB) for self‑synchronization, even when the audio stream is received much later than when it was started, or when some samples are lost during reception. Only six audio samples (125 µs at a 48 kHz sample rate) are sufficient to re‑synchronize.
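As an added illustration (not code from this manual or from OMNEO, whose implementation is proprietary and not described here), the following Go program models the self-synchronizing property just described: AES-128 in CFB mode with a 128-bit shift register that advances one 24-bit sample per step, the textbook CFB configuration under which a receiver that joins late or loses samples produces exactly six wrong samples and is then back in sync. The one-sample segment size, the key, IV and test signal are assumptions; the CMAC authentication is not modelled.

```go
package main

import "crypto/aes"

// sample is one 24-bit audio word; assumption: one sample per CFB segment (see lead-in).
type sample [3]byte

// cfbStream runs AES-128 CFB with a 128-bit shift register advanced one sample per step:
// out = in XOR AES(reg)[:3], then the 3 ciphertext bytes are shifted into reg. reg is the IV
// for the sender; a receiver starts from whatever its register holds. When decrypting, the
// ciphertext is the input rather than the output.
func cfbStream(key, reg []byte, in []sample, decrypt bool) []sample {
	b, err := aes.NewCipher(key) // a 16-byte key selects AES-128
	if err != nil {
		panic(err)
	}
	var r, ks [aes.BlockSize]byte
	copy(r[:], reg)
	out := make([]sample, len(in))
	for i, s := range in {
		b.Encrypt(ks[:], r[:])
		for j := range s {
			out[i][j] = s[j] ^ ks[j]
		}
		ct := out[i]
		if decrypt {
			ct = s
		}
		copy(r[:], r[3:])                // shift the register left by one sample
		copy(r[aes.BlockSize-3:], ct[:]) // append the newest ciphertext sample
	}
	return out
}

// mismatches decrypts ct with a receiver whose register starts as reg (all zero for a late
// joiner, the true IV for a receiver that was in sync before samples were lost) and returns
// how many samples differ from plain and the index of the last wrong one (-1 if none).
func mismatches(key, reg []byte, ct, plain []sample) (wrong, last int) {
	last = -1
	for i, s := range cfbStream(key, reg, ct, true) {
		if s != plain[i] {
			wrong, last = wrong+1, i
		}
	}
	return wrong, last
}

func ramp(n int) (s []sample) { // constructed 24-bit test signal standing in for audio
	for i := 0; i < n; i++ {
		s = append(s, sample{byte(i >> 8), byte(i), byte(i * 7)})
	}
	return s
}
```

Six wrong samples is the register length (16 bytes) divided by the segment size (3 bytes), rounded up; a full-block CFB would need a block-aligned stream and resynchronize after one 16-byte block instead.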
For authentication the algorithm uses CMAC (Cipher-based Message Authentication Code). This adds eight bits to each 24‑bit audio sample, resulting in 32‑bit samples.
The audio security algorithm uses a pre‑shared key that has to be identical on the transmitter and the receiver. The key is held in volatile storage on the device and is lost after a power cycle, so it must be redistributed via a secure control connection. A random key is generated every time an audio connection is created, so each audio link has a different key.
Other security measures in PRAESENSA are:
– The system controller stores passwords and exchanges passwords with the Open Interface / API clients using the SHA‑2 Secure Hash Algorithm (version SHA‑256).
– Configuration and message backup is possible over an authenticated secure connection (HTTPS) based on Transport Layer Security (TLS 1.2).
4.6.5 Network speed and bandwidth usage
PRAESENSA uses the OMNEO protocol for audio and control, with all audio streams based on a 48 kHz sample rate and 24‑bit sample size. Because of the encryption for security, 32 bits per sample are used. By default the receiver latency is set to 10 ms as a compromise between latency and network efficiency. This combination of parameters results in a bandwidth usage of 2.44 Mbps per (multicast) channel in the whole subnet it is used in. Control traffic adds another 1 to 20 Mbps, depending on system size and activity.
A Gigabit Ethernet network is needed for OMNEO. This is not necessarily a bandwidth requirement of multiple concurrent audio channels: even if only a few audio channels are in use, a Gigabit network backbone is needed to support the Precision Time Protocol (PTP) for synchronization of all audio devices (IEEE 1588 and IEC 61588). Packet arrival jitter, the variation in latency between the reception of multiple Ethernet messages from the same source, is a critical parameter. Because of this, Ethernet packet switching must be done in hardware, as software switches introduce too much jitter. PRAESENSA devices are pre‑configured to use Quality of Service (QoS) prioritization for OMNEO, with carefully selected parameters. Other switches need to be configured with the proper settings for OMNEO.