C4 Marine Brig. Gen. Kevin J. Nally - KMI Media Group
he continued. “We have to do more in terms of protecting data on a device that is lost. We have a whole lot of things to make it easier when these things are in a hostile environment either to rekey them or disable them.”
The same technology could also be applied to commercial non-government users, whose laptops are often stolen. ViaSat is already beginning to install the same technology on company laptops to ensure the security of proprietary data.
ViaSat also has an array of Type 1 encryption technology for data in transit. These inline network encryptors (INE) utilize a common encryption technology called PSIAM. This embedded crypto module is also offered as a system to companies who need cybersecurity technology and can incorporate PSIAM into their computing and communications devices. The module went through the final security verification approval process by NSA in December.
“That will be a fully certified instantiation of PSIAM,” Wren said. “We are working with handset and tablet manufacturers and want to enable them to communicate securely. We are seeing a lot of play in that because vendors don’t like being tied to one ASIC and ASIC supplier. With PSIAM FPGA-based technology they can implement a new algorithm and change whatever needs to be changed to keep the product moving forward. We are hitting power and size requirements that compete with ASIC architectures because the PSIAM technology is going so well.”
The KG-250X, ViaSat’s latest INE, also uses the PSIAM crypto engine and has been certified by NSA for Top Secret data. An uncertified version of the device has already been demonstrated to customers across the services. In addition to being smaller than any currently available INE, additional functionality has been added as well as ruggedization and additional processing power for future capabilities.
Wren expects to deliver units early this year. “We are ramping up production now and you will see this almost pocket-sized encryptor device, using the same technology that we have developed in the KG-250.”
Another innovative solution for the tactical edge is the IPS-250, which is HAIPE compliant and interoperable with the existing fielded Type 1 network infrastructure. “That gets a lot of play in the services because now it doesn’t need to be treated like a COMSEC device,” Wren explained. “Instead, it has to be treated only as a high value item, although that is still important. The IPS-250 is the first and only instantiation of an NSA certified CHVP INE out there today.”
“HAIPE encryption is moving out to the edge. If you have a device that is mobile and you want to get it onto the grid, doing that in a secure manner is a big challenge. Nonetheless, we have been able to do that because we have built up the knowhow over many years,” he said, adding, “The IPS-250 can be used for NATO communications, and supports HAIPE 3.1.2 and HAIPE-to-HAIPE keying.”
Non-Classified Box
The latest update to General Dynamics’ TACLANE KG-175 family of IA products has been the NSA certification of HAIPE 3.1.2, which started delivery in October. This gives users a simultaneous capability in IPv4 and IPv6, allowing users to have a staged migration from the former to the latter. The software will be shipped with all new TACLANE products and is being made available as a free download via NSA’s SIPRNet website or a CD-ROM, and takes 15 minutes to install.
The presence of the TACLANE product line is substantial, with about 60,000 TACLANE-Micro devices in service. This is supported by roughly 60,000 TACLANE Classics and E-100s and a further 15,000 KG-175D-Minis and 12,000 KG-175A TACLANE-GigE, which provide a gigabit Ethernet capability.
“They are used just about anywhere,” explained Mike Guzelian, vice president of secure voice and data products for General Dynamics C4 Systems. “They could be in a command center, a tent in the battlefield or data closets to secure LAN connectivity in a secure building. They are used all over SIPRNet, JWICS, GCCS, the departments of state and homeland security and for other federal customers and on other classified networks. They are also pretty widely deployed in Canada, Australia and New Zealand.”
Another key feature of 3.1.2 is what is called HAIPE-to-HAIPE keying, allowing a user to download the encryption keys into one device for the entire network and rekey all the other devices on the network, even from the other side of the world. Previously the key fill would have had to be physically inputted at each device by hand.
Beyond 3.1.2, General Dynamics C4 Systems is working on hardware and software upgrades for TACLANE to support a new mode that NSA calls Internet Protocol Minimum Essential Interoperability Requirements (IPMEIR).
“This is a second mode in the box using all commercial protocols and algorithms next to the government HAIPE mode,” Guzelian explained. “The reason for doing this is to enable the deployment of TACLANEs to non-classified networks. As part of that software release, we are coming out with a new piece of hardware called TACLANE-C100, which is an unclassified device, not a CCI. There is a new designation NSA gives it, called Crypto High Value Product (CHVP). Basically that will run this new IPMEIR mode only in that hardware.
“Because it is a non-classified box, it can be deployed to other federal agencies and state and local government. TACLANEs with both modes will interoperate with all the existing devices in a classified network, but will also have a highly secure solution that is now easy to field to other agencies. It also protects communications with very strong security, but again, without needing someone to obtain Type 1 keys and to operate in a Type 1 environment,” he continued.
The goal is to deliver the new solution ready for certification in April 2012. A second option would be to use it in NATO and allied countries so that in Afghanistan, for example, the CHVP devices can be used in current networks. But because they are non-CCI items, they can be left in situ when the United States turns over control to the local authorities.
In addition to the TACLANE INEs, in the cellular world the Sectéra Edge is being continually improved both to maintain security and also to enhance ruggedization to better enable its reliable use on the battlefields of the near future.
The Sectéra Edge is essentially two PDAs in one via NSA’s Secure Mobile Environment Portable Electronic Device (SME PED) program. Even though there is only one display and one keyboard on the device, it is actually two physically separate PDAs, not two different modes. There are two separate chips in the device plus a variety of measures in place to ensure that data between the two processors never meets.
Guzelian explained, “There is an unclassified PDA that allows you to go to Google or Yahoo or any website on the Internet you want. Then there is a classified PDA that can talk Secret or Top Secret on the network. Now I can get my classified e-mail on one PDA and my unclassified e-mail on the other. It runs a Windows operating environment capable of downloading imagery and video.”
At the forward edge, the device has been selected to meet the requirement for