FAQ: SINA and "SINA laptops"

In recent media reports on espionage activities surrounding the former Wirecard COO Jan Marsalek, it was stated that "SINA laptops" are suspected to have ended up in the hands of the Russian secret service.

The following FAQ is intended to answer frequently asked questions on this topic.

16 April 2024

The Secure Inter-Network Architecture (SINA) is a product family developed by the German Federal Office for Information Security (BSI) in collaboration with secunet for the transmission and processing of sensitive information in insecure networks.

SINA comprises a growing family of modular components for securing various application scenarios, such as the connection of locations, the use of mobile workstations or the operation of workplace sessions requiring different levels of protection on a single computer.

Flexible, scalable and highly secure solutions are implemented through the extensive use of open source software and numerous coordinated security mechanisms (including VPN-based network encryption, local data encryption, enclosure of operating systems, interface monitoring).

More information can be found here at the BSI's website.


A "SINA laptop" is a client from the SINA product family; the product name is SINA Workstation. In contrast to a conventional laptop, a SINA Workstation utilises coordinated modular security measures that enable the secure processing of classified information or other sensitive data, regardless of location.

The integrated security measures of SINA workstations include:

  • IPsec-protected VPN - for tap-proof encryption of data traffic
  • Two-factor authentication - so that only authorised users with a smart card and corresponding PIN can access the device
  • Virtualisation / SINA OS - to encapsulate the guest operating systems
  • Hard disk encryption - so that all information is encrypted at all times and cannot be read by unauthorised persons
  • Interface control - regulates whether and which devices may be connected to a SINA workstation.

There is no single "SINA laptop"; there are different devices for the different classification levels VS-NfD, VS-VERTRAULICH and GEHEIM, each of which has the appropriate approvals and is also protected with additional measures depending on the security level.

If you would like to know more about the classification levels, you will find this information here (German only).

The most widespread version is the SINA Workstation S, which is approved by the BSI for the processing, storage and transmission of information up to classification level VS-NfD in a national context. In total, more than 200,000 SINA Workstation S units are in use by customers.

In addition to the technical requirements, the respective organisation using SINA components must comply with the conditions of use and operation. These are specified by the responsible cyber security authority - in Germany the BSI. These may include, for example, who is authorised to process which information with the devices and how authentication factors are to be handled. The user's organisation is responsible for compliance with these conditions of use and operation.


The SINA architecture has been developed precisely for such scenarios - espionage, manipulation, loss or theft of a device. So if unauthorised persons gain possession of SINA devices, neither the information stored in them nor the technology of the systems themselves is at risk.

SINA products implement the so-called "Kerckhoffs's principle". In SINA, the security of the cryptography is based exclusively on the secrecy of the key itself, not on the secrecy of the encryption algorithms or technical components used. SINA systems use only standard procedures such as AES for VS-NfD (RESTRICTED) and are based primarily on open source software. This concept allows secunet and third parties, such as the BSI, to check the security based on the source code.

In short, the systems are designed in such a way that even through reverse engineering, for example, an attacker could not gain any significant knowledge that would enable them to attack (other) SINA devices or access information stored on them.

Technologically, SINA prevents attackers from reading data from a stolen or lost laptop or using it to gain unauthorised access to connected networks. This assumes that the attackers are not in possession of all authentication factors (access data, smartcards, certificates).

With central SINA management, an operating organisation can block people and devices at any time and thus prevent unauthorised access to the network.

Cross-organisational attacks are technically impossible.

The SINA architecture and the devices in operation are safe and are in no way affected by the reported incidents. This applies regardless of the authorisation level of the devices.


No, secunet as the manufacturer generally has no access to the data stored on or transmitted with its customers' SINA devices. SINA network infrastructures are generally operated and managed by the customers themselves. This also includes the administration and management of access restrictions and authentication measures. This also makes a significant contribution to digital sovereignty.


In general, a distinction must be made between the colloquial use of the word "secret" and the clearly defined classification levels that apply in public administration.

SINA components with corresponding approvals from the German Federal Office for Information Security (BSI) are available for three of the four classification levels applicable in Germany: VS-NfD, VS-VERTRAULICH and GEHEIM. Most devices in circulation are approved for the lowest level VS-NfD ("VERSCHLUSSSACHE - NUR FÜR DEN DIENSTGEBRAUCH"). They are the standard workstation in many federal authorities. Devices approved for VS-VERTRAULICH or GEHEIM are protected with additional security measures.

In addition, many SINA products also have approvals for comparable international classification levels, for example for use in international organisations such as the EU and NATO.

