The need for speed
As DOD deploys faster IP networks, high-speed encryption solutions will keep pace
When it comes to encryption, the need for speed among U.S. military users has never been greater. To accommodate the Defense Department’s high-bandwidth IP infrastructures, such as the Defense Information Systems Agency’s Global Information Grid-Bandwidth Expansion (GIG-BE), older link encryptors are being replaced with network IP encryption devices that protect classified data and keep up with throughput. Just as important, the new devices are interoperable with one another.
The National Security Agency’s High Assurance IP Encryptor program is the DOD standard for secure interoperable communications over IP networks of all types. NSA certifies IP encryption devices for the HAIPE label only after they are tested for compliance with the HAIPE Interoperability Standards to ensure that the products will work well together.
Vendors such as General Dynamics, L-3 Communications and ViaSat manufacture NSA-certified HAIPE encryption products with rated throughputs of 100 megabits/sec, 1 gigabit/sec and 10 gigabits/sec.
“Each of the devices has been tested to operate at these rates, [and] all of the devices have been certified by NSA for protection of classified information,” said an NSA spokesperson. However, the spokesperson said, the HAIPE devices are “only as good as the infrastructure they are implemented on, and their effective throughput may be less due to limitations of other network components and/or network architecture configurations.”
A 2005 Congressional Budget Office report found that 100 megabits/sec HAIPE devices used initially for GIG-BE had an effective throughput rate of about 80 megabits/sec. The CBO report also found that 1 gigabit/sec HAIPE devices used for GIG-BE had an effective throughput rate between 800 megabits/sec and 900 megabits/sec.
In addition, NSA certification of HAIPE encryption devices has fallen behind schedule. A 100 megabits/sec HAIPE encryptor was supposed to be certified by NSA in September 2003, but it wasn’t certified until February 2004. More recently, a 10 gigabits/sec HAIPE device planned for a November 2005 NSA certification was not certified until June 2007.
10 gigabits/sec and beyond
At present, there are no NSA-certified HAIPE encryption devices operating at data rates faster than 10 gigabits/sec. Nevertheless, government agencies and vendors are looking into the development of high-speed encryption devices that can scale beyond that threshold.
“From a crypto perspective, the challenge isn’t the speed. It’s the system and all the things you have to do to make the system operate at that speed,” said Jerry Goodwin, vice president and general manager of the networks group at ViaSat. “In the past, if you were doing just a point-to-point serial crypto, you didn’t have to worry about changing the keys or the algorithms.”
Late last year, the Cryptologic Systems Group (CPSG) of the Cryptographic Modernization Program Office (CMPO), based at Lackland Air Force Base, Texas, issued a request for information from industry to identify current and future high-speed encryption solutions, including those that are already NSA Type 1 certified, undergoing certification or in development. Specifically, the group asked vendors about high-speed encryption solutions for the protection of data and video capable of encrypting at rates from 1 gigabit/sec to 10 gigabits/sec and beyond.
“Raw throughput is where the market is going,” said Andy Solterbeck, chief technology officer at SafeNet Inc., an information security company. “The requirement for higher and higher speeds in the next few years is headed to 100 gigabits/sec crypto devices. The sweet spot right now for encryption is unquestionably 10 gigabits/sec. We’re probably two years away from 40 gigabits/sec being the sweet spot and three to four years from reaching 100 gigabits/sec.”
For now, the GIG-BE is designed to deliver 10 gigabits/sec of IP-based bandwidth for voice, video and data. Although few government networks operate today at throughput rates faster than 10 gigabits/sec, bandwidth requirements are growing, and the need for high-speed encryption is following suit.
“If you look at Joint Vision 2020 and other documents out there, a lot of it did coalesce down to basically saying, ‘Look, it’s 10 gig we’re after,’” Solterbeck said. “When we first started down the road with GIG-BE, the original requirement was 2.4 gigabits/sec [OC-48], and before we even finished the initial deployment, the requirement had gone to 10 gigabits/sec [OC-192]. It’s been stable at 10 gig for a while mainly because the infrastructure just hasn’t been there to take it to 40 gig. But there’s a couple of refreshers to those documents starting to talk about 40 gig and 100 gig.”
Last year, NSA certified L-3 Communications’ RedEagle KG-245X, a 10 gigabits/sec encryptor compliant with HAIPE Interoperability Standard (IS) Version 1.3.5 that supports security levels of top secret/sensitive compartmented information and below. The KG-245X’s cryptographic keys, applications and protocols can be updated and managed remotely. The company is developing upgrades to the KG-245X to support HAIPE IS Version 3.0.2 (released in December 2006) and Version 3.1.
A “National Policy Governing the Use of HAIPE Products” (Committee on National Security Systems — CNSS — Policy No. 19) was issued in February 2007, calling for the procurement of HAIPE IP encryption products starting in fiscal 2009. The policy requires that all IPv4 and IPv6 standalone encryptors, and systems containing IPv4 or IPv6 encryptor capabilities, procured after Sept. 30, 2008, comply with the core requirements of HAIPE IS Version 3.
Today’s HAIPE encryption products are certified for compliance with HAIPE IS Version 1.3.5, which was released in May 2004. However, Version 1.3.5 has limitations, including no support for dynamic routing protocols or for open, standards-based network management. Because they cannot participate in routing protocols, Version 1.3.5 HAIPE devices must be preprogrammed with static routes and cannot adapt on their own to changes in network topology.
HAIPE IS defines requirements for a modular suite of traffic protection, networking and management features that provide secure interoperability between users, content repositories and network-centric enterprise services. According to NSA, HAIPE IS Version 3.0 supports IPv6, standardized over-the-network management and bandwidth efficient modes.
The agency’s current version of HAIPE IS, 3.1.1, was released in November and defines enhanced networking features, including Network Address Translation and HAIPE-to-HAIPE key transfer. HAIPE vendors are in the middle of a development effort to upgrade their HAIPE IS Version 1.3.5 products to comply with HAIPE IS Version 3.0.2.
According to NSA, HAIPE IS Version 3.0 products will be backward compatible with HAIPE IS Version 1.3.5 products, improve bandwidth efficiency and add support for IPv6 and other net-centric capabilities. HAIPE IS Version 3.0 products will be available in early 2009.
Recently, a follow-on product development effort was started to incorporate HAIPE IS Version 3.1 functionality. HAIPE IS Version 3.1 products will be available in late 2009.
HAIPE IS Version 3.2, the next scheduled release of the interoperability specification, is planned for release in December 2009. Its feature set tentatively includes plain-text header compression, bandwidth negotiation and Internet Key Exchange Version 2.