DOD tests secure data sharing in the field
New approach fuses standard encryption with bit-splitting data packets
Two Defense Department units are experimenting with a novel form of network encryption that could facilitate cloud computing and simplify network management. Unisys’ Stealth Solution for Network makes it possible to securely share data via insecure networks by encrypting and breaking up network packets.
The Navy used Stealth Solution for Network during a preliminary lab experiment phase of the military service’s Trident Warrior 2010 network warfare tests in October 2009. With Unisys' system, the Navy could connect simulated shipboard systems in a lab via a satellite connection to cloud computing resources from a commercial cloud provider. Meanwhile, the Joint Forces Command (JFCOM) also is working on Stealth Solution for Network. The command uses the system in ongoing testing to allow secure data sharing in the field via a common backbone.
Unisys created Stealth in response to inquiries from DOD several years ago, said Scott Sanchez, director of the security portfolio at Unisys’ technology and integration services unit. DOD officials wanted to find a way to provide multiple network connections to forward areas of the battlefield. Rather than run multiple network connections to tents in the desert, for example, they wanted to find a way to serve multiple users with a secure, segregated approach that uses a single network.
In response to that request, Unisys developers created Stealth. “The concept is to have a shared network and have the same level of security you would have with multiple networks with routers and protection and apply them in a virtual way using this Stealth Solution,” Sanchez said. Stealth uses a combination of standard AES 256-bit encryption and a technology called bit-splitting.
Bit-splitting “takes each packet and breaks it up into random blocks of data that move across the network,” Sanchez said. “You have to be in what we term a community of interest in order to reassemble that data.” Without the community's credentials, the traffic is invisible and undecipherable.
Administrators can load Stealth’s software on client machines, such as a device driver, and it runs on Windows or Linux platforms. Administrators also can configure Stealth as a network security appliance at the edge of the network, allowing computers within the network to access remote Stealth-enabled systems transparently.
JFCOM and its subordinate command, the Joint Transformation Command for Intelligence, started testing Stealth last year to evaluate how that capability could be applied in areas where the number of separate networks that need to be configured makes it difficult to manage the required infrastructure. JFCOM awarded a one-year task order to Unisys in summer 2009 through the Defense Information Systems Agency’s Encore II contract to provide technical support for a test of Stealth’s cryptographic bit-splitting technology. The command wants to use the system to help consolidate multiple DOD networks operating at different security levels into a single network infrastructure.
Analysts and technicians at JFCOM’s Joint Intelligence Laboratory recently completed the first phase of proof-of-concept and assessment activity, said Vincent Murdock, JFCOM's task monitor of cryptographic bit-splitting technology. The results provided sufficient cause to move to the next phase, which involves a wide-area network configuration that will be more representative of the operational concept. “To date, the phases have focused on Stealth’s support of data in motion and controlled sharing of information," Murdock said.
Unisys has applied Stealth technology to other potential applications, including offering it as part of a secure cloud computing solution. “All of the traffic that goes through this shared multitenant environment — the cloud — is protected by Stealth,” Sanchez said. “So one client can't see another client passing data. They don't even know that other client exists on the network. It's the same problem we're trying to solve for DOD, just in a different environment.”
Stealth's cloud capability was at the heart of the Navy test during the Trident Warrior 2010 lab experiments in October. Conducted with support from Dataline system integrators, the test showed that standard shipboard communications could be used to manage applications that run in a commercial cloud environment, specifically Amazon’s Elastic Compute Cloud and Simple Storage Service. The goal was to prove that a commercial infrastructure-as-a-service platform could support the Navy’s requirements for global connectivity, server failover and application access.
For the test's purposes, the cloud systems were provisioned to run the Oracle Beehive application server, the Erdas Apollo geospatial data management platform and the Transverse collaboration suite developed by JFCOM. The proof-of-concept application used the Unisys Stealth architecture to provide data-in-motion security. Stealth ran on the cloud servers and at the lab to encrypt data in transit via the Internet.
“The Navy is very interested in exploring cloud computing concepts and their use in the naval tactical environment,” said Lt. Cmdr. Caroline Lahman, Officer-in-Charge at Navy FORCEnet San Diego, in a statement on the test. “We look forward to further testing during the Trident Warrior 2010 lab period in April.”
Sean Gallagher is senior contributing editor for Defense Systems.