Technology Today
Comprehensive Mission Assurance requires secure battlefield communication. Warfighters must be confident that their data meets the three main tenets of information assurance: confidentiality, integrity and availability.

Although classic IA technologies such as firewalls and network intrusion detection and prevention systems are used in a defense-in-depth manner, they typically do not secure the internal data that is being communicated. Firewalls monitor and limit network connections. Network intrusion detection systems scan network traffic to detect malicious actions and intent. Because these technologies are applied at network boundaries, additional technologies must be used to ensure the confidentiality and integrity of the data being communicated.

To meet this challenge, Raytheon recently funded IA research into Internet Protocol version 6 (IPv6), High Assurance Internet Protocol Encryptors (HAIPE), and a Common Cryptography Module Architecture. These technologies provide encryption and other safeguards to ensure that data gets to the correct individuals without being modified or intercepted. These logical controls, described below, help to support the goal of Mission Assurance in military communication.

IPv6 is a network layer for packet-switched internetworks. It is designated as the successor to IPv4, the current version of the Internet Protocol, for general use on the Internet.

The emergence of IPv6, providing the world with an exponentially larger number of available IP addresses, is essential to the continued growth of the Internet and development of new applications leveraging mobile Internet connectivity.

IPv6 also contains functional and security capabilities beyond those offered by IPv4. However, the added features introduce other issues. IPv6 supports addresses that are 128 bits in length, which provides for about 3.4 × 10^38 possible IP addresses. This capacity allows a unique IP address to be assigned to every device on the planet — including your toaster — thereby eliminating the need for network address translation (NAT). NAT has provided residual security benefits by shielding a user's private address space from direct contact with the outside network. NAT routers are commonly used by households today because they allow multiple computers to share a single IP address. A NAT router limits direct access to the household's computers. With IPv6, direct access to an IP address is allowed, and this creates security implications, such as the potential for targeted denial of service attacks.

IPv6 offers enhanced capabilities such as mobility through the use of Mobile IPv6, which allows an IPv6 node to retain the same IPv6 address regardless of its geographic location or the equipment to which it is connected. Moreover, IPv6 includes improved quality-of-service features that reduce packet header processing overhead and employ traffic class and flow label header fields that expedite packet priority handling. More important to this discussion, IPv6 offers inherent end-to-end security services that include entity and data origin authentication, connectionless integrity, replay protection, data confidentiality, and limited traffic flow confidentiality.

IPv6 provides end-to-end confidentiality by enabling end nodes to create a mutual security association through the network. Figure 1 represents a simple end-to-end path over a network, with the end nodes' addresses expressed in the IPv6 format of eight groups of four hexadecimal digits. The security association is established between the nodes using a shared secret that is either preconfigured or generated dynamically using cryptographic key agreement algorithms. IPsec implements standard cryptographic algorithms and protocols to authenticate the nodes, ensure the authenticity and integrity of messages, and prevent traffic flow analysis.
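As an added example (not part of the original article), the following Python parses the IPv6 fixed header defined in RFC 8200 to pull out the traffic class and flow label fields mentioned above, renders the addresses in the eight-group form of Figure 1, and reports whether the datagram is carried under IPsec ESP or AH. The sample packets are constructed here using the 2001:db8::/32 documentation prefix.

```python
import struct
import ipaddress

# IPv6 Next Header values assigned to the IPsec protocols (ESP: RFC 4303, AH: RFC 4302)
IPSEC_NEXT_HEADERS = {50: "ESP", 51: "AH"}

def build_ipv6_header(src, dst, next_header, payload_length,
                      traffic_class=0, flow_label=0, hop_limit=64):
    """Assemble the 40-byte IPv6 fixed header (RFC 8200) for a constructed sample."""
    if not 0 <= traffic_class <= 0xFF or not 0 <= flow_label <= 0xFFFFF:
        raise ValueError("traffic class is 8 bits, flow label is 20 bits")
    first_word = (6 << 28) | (traffic_class << 20) | flow_label
    return (struct.pack("!IHBB", first_word, payload_length, next_header, hop_limit)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed)

def parse_ipv6_header(pkt):
    """Parse the fixed header and report the fields discussed in the text:
    traffic class, flow label, the addresses in eight-group form, and whether
    the payload is carried under an IPsec protocol (ESP or AH)."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    first_word, payload_length, next_header, hop_limit = struct.unpack("!IHBB", pkt[:8])
    version = first_word >> 28
    if version != 6:
        raise ValueError("not an IPv6 datagram (version=%d)" % version)
    return {
        "traffic_class": (first_word >> 20) & 0xFF,
        "flow_label": first_word & 0xFFFFF,
        "payload_length": payload_length,
        "next_header": next_header,
        "hop_limit": hop_limit,
        # .exploded renders eight groups of four hex digits, as in Figure 1
        "src": ipaddress.IPv6Address(pkt[8:24]).exploded,
        "dst": ipaddress.IPv6Address(pkt[24:40]).exploded,
        "ipsec": IPSEC_NEXT_HEADERS.get(next_header),  # None when not IPsec-protected
    }

# Constructed samples: an ESP-protected datagram with DSCP EF (traffic class 0xB8)
# and a non-zero flow label, and a plain TCP datagram between the same two nodes.
ESP_SAMPLE = build_ipv6_header("2001:db8::1", "2001:db8::2", 50, 120,
                               traffic_class=0xB8, flow_label=0x12345)
TCP_SAMPLE = build_ipv6_header("2001:db8::1", "2001:db8::2", 6, 20)

if __name__ == "__main__":
    for name, pkt in (("ESP", ESP_SAMPLE), ("TCP", TCP_SAMPLE)):
        hdr = parse_ipv6_header(pkt)
        print(name, hdr["src"], "->", hdr["dst"], "ipsec=%s" % hdr["ipsec"])
```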

Encryption used to secure classified information is referred to as Type 1 encryption. Type 1 encryption products are subject to advanced levels of validation, verification and certification throughout their life cycle. In recent years, Type 1 standards have been developed for IPsec-style IP datagram security services. A HAIPE device is a National Security Agency (NSA) Type 1 cryptographic product that provides IA services for IP data-in-transit.

The foundation of HAIPE is its use of subsets and custom variants of Internet Engineering Task Force IPsec standards and protocols for the purposes of enhancing cryptographic algorithms and capabilities. HAIPE foreign interoperability (HAIPE FI) capability provides the ability to safeguard IP communications in different operational environments through its use of NSA-approved classified (Suite A) and unclassified (Suite B) algorithms.

HAIPE FI capability is available in HAIPE IS versions 1.3.5-FI and 3.x. HAIPE FI includes an exclusion key (EK) capability that enables the creation of dynamic communities of interest (COIs) with two levels of cryptographic protection: one through an asymmetric key exchange, and one through the addition of the symmetric EK. COIs are created by configuring HAIPE peers to require the use of an EK for certain communications (e.g., policy-based), and selectively loading that EK on the appropriate HAIPE peers. See Figure 2 for examples of using exclusion keys in COIs.
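The two-level protection described above, modelled in Python as an added illustration that is not the HAIPE IS protocol or any Raytheon code: a constructed pairwise secret stands in for the result of the asymmetric key exchange, and the exclusion key is mixed in with HMAC-SHA256 so that only peers holding the same EK derive the same traffic key. Peer names, the policy selectors and all key bytes are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional

@dataclass
class HaipePeer:
    """Model peer: holds the exclusion keys loaded on it, keyed by EK identifier."""
    name: str
    exclusion_keys: Dict[str, bytes] = field(default_factory=dict)

def derive_traffic_key(peer, pairwise_secret, policy, selector) -> Optional[bytes]:
    """Level one is the pairwise secret from the asymmetric key exchange;
    level two mixes in the EK the policy demands for this selector.
    Returns None when the policy requires an EK this peer does not hold."""
    required_ek = policy.get(selector)
    if required_ek is None:
        return hmac.new(b"no-ek", pairwise_secret, hashlib.sha256).digest()
    ek = peer.exclusion_keys.get(required_ek)
    if ek is None:
        return None  # EK is mandatory for this traffic; refuse rather than downgrade
    return hmac.new(ek, pairwise_secret, hashlib.sha256).digest()

def can_communicate(a, b, pairwise_secret, policy, selector) -> bool:
    """Each peer derives independently; traffic flows only if both keys match."""
    ka = derive_traffic_key(a, pairwise_secret, policy, selector)
    kb = derive_traffic_key(b, pairwise_secret, policy, selector)
    return ka is not None and kb is not None and hmac.compare_digest(ka, kb)

# Constructed scenario (not real keys): EK "COI-ALPHA" is loaded on A and B,
# C has no EK, and D holds the wrong key bytes under the same EK identifier.
EK_ALPHA = hashlib.sha256(b"constructed exclusion key alpha").digest()
EK_WRONG = hashlib.sha256(b"constructed exclusion key wrong").digest()
PEER_A = HaipePeer("A", {"COI-ALPHA": EK_ALPHA})
PEER_B = HaipePeer("B", {"COI-ALPHA": EK_ALPHA})
PEER_C = HaipePeer("C")
PEER_D = HaipePeer("D", {"COI-ALPHA": EK_WRONG})
# Policy: traffic matching "coalition" requires the COI-ALPHA EK; "enclave" does not.
POLICY = {"coalition": "COI-ALPHA", "enclave": None}
PAIRWISE = hashlib.sha256(b"constructed output of the asymmetric key exchange").digest()

if __name__ == "__main__":
    for peer in (PEER_B, PEER_C, PEER_D):
        for selector in ("coalition", "enclave"):
            ok = can_communicate(PEER_A, peer, PAIRWISE, POLICY, selector)
            print("A <-> %s on %-9s: %s" % (peer.name, selector, "ok" if ok else "blocked"))
```

Peers outside the COI (C and D) still communicate with A on "enclave" traffic, which is what makes the COI dynamic: membership is changed by loading or removing the EK, not by reconfiguring the underlying key exchange.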

Through Raytheon's research, the company has collaborated with the NSA to define the IA policy and guidance for HAIPE use within the U.S. Department of Defense.

Common Crypto Module Architecture
Further extending Raytheon's research into HAIPE technology, a Common Crypto Module Architecture was developed to modularize the system components of a radio frequency circuit board. The Common Crypto Module Architecture provides Type 1 and HAIPE functionality to RF communications. Radio builders can leverage this architecture to furnish government-certified encryption to their military communications. This modular architecture allows a radio builder to select the capabilities that best fit the system's concept of operations.

These are some of the main technologies for ensuring that warfighter communication and data are secure. All of these technologies enable seamless IA that empowers rather than hinders the user.

Randall Brooks
Contributor: Chris Rampino