Fax- and Voice Encryption


The communications infrastructure forms a fragile foundation of our information society. In particular, insufficient security on the information highway causes substantial financial damage to the economy due to industrial espionage. Therefore, it is essential to protect sensitive information from unauthorized access or manipulation and to prevent severe consequences. Telephone and facsimile services on connection-oriented networks – still the most widely deployed communications medium – are particularly exposed to attacks.


The Sirrix.FaxEncryption appliance developed by Sirrix AG provides secure authentication and encryption as a frontend device to any regular fax machine. In a user-friendly and easy manner, the Sirrix.FaxEncryption appliance secures your communications and protects your assets from eavesdropping and manipulation by both passive and active attackers.


The Sirrix.FaxEncryption appliance has been designed as a store-and-forward device. Independent of the fax machine connected to it, the Sirrix.FaxEncryption appliance will always attempt to forward the fax message at full V.34 speed of 33.6 kbit/s over the PSTN lines. In addition to its standard analog operating mode, the appliance optionally supports digital (ISDN) and IP transmission (fax over IP) of G3 fax documents. Finally, it can optionally act as a fax to e-mail gateway and deliver the fax documents encrypted to any e-mail address. A separate key management device generates and distributes digital certificates.

The Sirrix.FaxEncryption appliances can be delivered without the management station and preconfigured certificates. Customers have also the option to purchase the management station and take care of key management themselves. For key encryption, the appliance uses the RSA private/public key pair method with a key length of 8192 bits. This very long appliance/based RSA key pair is generated from scratch each time the appliance reboots. SHA-2 is used as hash function to ensure the integrity and authenticity of data transmitted. The AES-256 method is used for the actual encryption and the symmetric keys are protected by the RSA key pair method.

The key management system initiates the creation of an individual private/public key pair with a key length of 2048 bits directly on and via a USB-based tamper-proof smart card device. The public key, but not the private key, is then provided to the key management system. The management system creates an X.509 certificate by using an 8192 RSA key pair to digitally sign the public key and send it back to the smart card. As a result, each appliance can authenticate every other appliance belonging to the same group as defined by the key management device.

Each appliance can encrypt faxes sent to any other appliance in the same group and the receiving device can decrypt the message and verify its integrity. The sending device will create new AES- 256 symmetric keys for each individual fax transmission. It encrypts one of these symmetric keys with the public key (2048 bits) of the receiving USB smart card and the other with the public key (8192 bits) of the receiving device. This combination ensures top level encryption during the transmission phase and also that a separate security token is used for the local protection of sensitive documents.

Optional features

Smart card devices can also be personalized on a per user basis. In this case, the sender can specify a special extension for the normal fax number, ensuring that only the targeted person will be able to receive the facsimile. Instead of forwarding the document directly to the fax device, the receiving appliance will store it. Only when the right USB device is plugged into the appliance will the stored fax document be decrypted and forwarded to the locally connected fax device.