The need for speed
By Greg Slabodkin, Special to Defense Systems (March 24, 2008 issue)
As DOD deploys faster IP networks, high-speed encryption solutions will keep pace
When it comes to encryption, the need for speed among U.S. military
users has never been greater. To accommodate the Defense Department's
high-bandwidth IP infrastructures, such as the Defense Information Systems
Agency's Global Information Grid-Bandwidth Expansion (GIG-BE), older link encryptors
are being replaced with network IP encryption devices that not only protect
classified data and keep up with throughput but also are interoperable,
which is just as important.

The National Security Agency's High Assurance IP Encryptor (HAIPE) program is
the DOD standard for secure interoperable communications over IP networks
of all types. NSA certifies IP encryption devices for the HAIPE label
only after they are tested for compliance with the HAIPE Interoperability
Standards to ensure that the products will work well together.

Vendors such as General Dynamics, L-3 Communications and ViaSat
manufacture NSA-certified HAIPE encryption products capable of
throughput rates of 100 megabits/sec, 1 gigabit/sec and 10 gigabits/sec,
respectively.

"Each of the devices has been tested to operate at these rates, [and] all of
the devices have been certified by NSA for protection of classified information,"
said an NSA spokesperson. However, the spokesperson said, "the
HAIPE devices are only as good as the infrastructure they are implemented
on, and their effective throughput may be less due to limitations of other
network components and/or network architecture configurations."

A 2005 Congressional Budget Office report found that 100 megabits/sec
HAIPE devices used initially for GIG-BE had an effective throughput rate of
about 80 megabits/sec. The CBO report also found that 1 gigabit/sec
HAIPE devices used for GIG-BE had an effective throughput rate between
800 megabits/sec and 900 megabits/sec.

In addition, NSA certification of HAIPE encryption devices has fallen
behind schedule. A 100 megabits/sec HAIPE encryptor was supposed to be
certified by NSA in September 2003, but it wasn't certified until February
2004. More recently, a 10 gigabits/sec HAIPE device planned for a
November 2005 NSA certification was not certified until June 2007.

10 GIGABITS/SEC AND BEYOND

At present, there are no NSA-certified HAIPE encryption devices operating
at data rates faster than 10 gigabits/sec. Nevertheless, government agencies
and vendors are looking into the development of high-speed encryption
devices that can scale beyond that threshold.

"From a crypto perspective, the challenge isn't the speed. It's the system
and all the things you have to do to make the system operate at that speed,"
said Jerry Goodwin, vice president and general manager of the networks
group at ViaSat. "In the past, if you were doing just a point-to-point serial
crypto, you didn't have to worry about changing the keys or the algorithms."

Late last year, the Cryptologic Systems Group (CPSG) of the
Cryptographic Modernization Program Office (CMPO), based at
Lackland Air Force Base, Texas, issued a request for information
from industry to identify current and future high-speed encryption
solutions, including those that are already NSA Type 1 certified,
undergoing certification or in development. Specifically, the group
queried industry on their high-speed encryption solutions for the
protection of data and video capable of encrypting in the speed
range of 1 gigabit/sec to 10 gigabits/sec and beyond.

"Raw throughput is where the market is going," said Andy
Solterbeck, chief technology officer at SafeNet
Inc., an information security company. "The
requirement for higher and higher speeds in the
next few years is headed to 100 gigabits/sec crypto
devices. The sweet spot right now for encryption
is unquestionably 10 gigabits/sec. We're
probably two years away from 40 gigabits/sec
being the sweet spot and three to four years from
reaching 100 gigabits/sec."

For now, the GIG-BE is designed to deliver 10
gigabits/sec of IP-based bandwidth for voice,
video and data. Although few government networks
operate today at throughput rates faster
than 10 gigabits/sec, bandwidth requirements are
growing, and the need for high-speed encryption
is following suit.

"If you look at Joint Vision 2020 and other documents out there, a
lot of it did coalesce down to basically saying, 'Look, it's 10 gig we're
after,'" Solterbeck said. "When we first started down the road with
GIG-BE, the original requirement was 2.4 gigabits/sec [OC-48], and
before we even finished the initial deployment, the requirement had
gone to 10 gigabits/sec [OC-192]. It's been stable at 10 gig for a while
mainly because the infrastructure just hasn't been there to take it to 40
gig. But there's a couple of refreshers to those documents starting to
talk about 40 gig and 100 gig."

Last year, NSA certified L-3 Communications' RedEagle KG-245X,
a 10 gigabits/sec HAIPE Interoperability Standard (IS) Version
1.3.5 encryptor that supports security levels of top secret/sensitive
compartmented information and below. The RedEagle KG-245X's
cryptographic keys, applications and protocols can be updated and
managed remotely. The company is developing upgrades to the
KG-245X to support HAIPE IS Version 3.0.2 (released in December
2006) and Version 3.1.

HAIPE POLICY
A National Policy Governing the Use of HAIPE Products (otherwise
known as Committee on National Security Systems (CNSS) Policy No. 19)
was issued in February 2007 calling for the
procurement of HAIPE IP encryption products starting in fiscal
2009. This policy is meant to ensure that all IPv4 and IPv6 standalone
encryptors and systems containing IPv4 or IPv6 encryptor
capabilities procured after Sept. 30 comply with core requirements
in HAIPE IS Version 3.

Current HAIPE encryption products are tested for compliance with
HAIPE IS Version 1.3.5, which was released in May 2004.
Nevertheless, HAIPE IS Version 1.3.5 has some limitations, including
a lack of support for routing protocols and for
open network management. Because they lack
support for routing protocols, HAIPE
encryption devices must be preprogrammed
with static routes and cannot adjust to changing
network topologies.

HAIPE IS defines requirements for a modular
suite of traffic protection, networking and
management features that provide secure interoperability
between users, content repositories
and network-centric enterprise services.
According to NSA, HAIPE IS Version 3.0 supports
IPv6, standardized over-the-network
management and bandwidth efficient modes.

The agency's current version of HAIPE IS,
3.1.1, was released in November and defines enhanced networking
features, including Network Address Translation and HAIPE-to-
HAIPE key transfer. HAIPE vendors are in the middle of a development
effort to upgrade the HAIPE IS Version 1.3.5 suite of products
to be compliant with HAIPE IS Version 3.0.2.

According to NSA, HAIPE IS Version 3.0 products will be backward
compatible with HAIPE IS Version 1.3.5 products, improve
bandwidth efficiency and add support for IPv6 and other net-centric
capabilities. HAIPE IS Version 3.0 products will be available in
early 2009.

Recently, a follow-on product development effort was started to
incorporate HAIPE IS Version 3.1 functionality. HAIPE IS Version
3.1 products will be available in late 2009.

HAIPE IS Version 3.2, the next scheduled release of the
interoperability specification, is planned for release in December
2009. Its feature set tentatively includes plain-text header
compression, bandwidth negotiation and Internet Key Exchange
Version 2.
