High Assurance Internet Protocol Encryptor

A High Assurance Internet Protocol Encryptor (HAIPE) is a Type 1 encryption device that complies with the National Security Agency's HAIPE IS (formerly the HAIPIS, the High Assurance Internet Protocol Interoperability Specification). The cryptography used is Suite A and Suite B, also specified by the NSA as part of the Cryptographic Modernization Program. HAIPE IS is based on IPsec with additional restrictions and enhancements. One of these enhancements includes the ability to encrypt multicast data using a "preplaced key" (see definition in List of cryptographic key types). This requires loading the same key on all HAIPE devices that will participate in the multicast session in advance of data transmission. A HAIPE is typically a secure gateway that allows two enclaves to exchange data over an untrusted or lower-classification network.

Examples of HAIPE devices include:

Three of these devices are compliant with the HAIPE IS v3.0.2 specification, while the remaining devices use HAIPE IS version 1.3.5, which has two notable limitations: limited support for routing protocols and limited support for open network management.

A HAIPE is an IP encryption device: for each outbound packet it looks up the destination IP address in its internal Security Association Database (SAD) and selects the encrypted tunnel from the matching entry. For new communications with no existing entry, HAIPEs consult the internal Security Policy Database (SPD) to set up new tunnels with the appropriate algorithms and settings. Because of the lack of support for modern commercial routing protocols, HAIPEs often must be preprogrammed with static routes and cannot adjust to changing network topology.
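The SAD-first, SPD-second lookup described above, together with the preplaced multicast key mentioned in the introduction, can be modelled in a few dozen lines. The following is an added example written for this article; it is not code from any HAIPE vendor or from the HAIPE IS, and all prefixes, peer addresses, SPI values and algorithm labels in it are constructed for illustration. It follows the RFC 4301 conventions that the SPD is an ordered first-match list and that traffic matching no policy is discarded.

```python
# Added example (not from the article or any vendor): a toy model of the
# per-packet lookup an IPsec gateway such as a HAIPE performs.  The SAD is
# consulted first for an existing tunnel covering the destination; only if
# none exists is the SPD used to decide PROTECT / BYPASS / DISCARD and, for
# PROTECT, to instantiate a new SA.  A "preplaced" SA models the multicast
# key that is loaded on every participant before any traffic flows.
# All prefixes, peer addresses, SPIs and algorithm labels are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from itertools import count


@dataclass
class Policy:
    selector: IPv4Network   # destination prefix this SPD entry applies to
    action: str             # "PROTECT", "BYPASS" or "DISCARD"
    peer: str = ""          # black-side address of the remote gateway (PROTECT only)
    cipher: str = ""        # algorithm label for SAs created from this entry


@dataclass
class SecurityAssociation:
    spi: int
    selector: IPv4Network
    peer: str
    cipher: str


class Encryptor:
    def __init__(self, spd):
        # RFC 4301 defines the SPD as an ordered list: first match wins.
        self.spd = list(spd)
        self.sad = {}                  # SPI -> SecurityAssociation
        self._next_spi = count(0x100)  # constructed SPI range for dynamic SAs

    def install_preplaced_sa(self, spi, group_prefix, cipher):
        """Pre-load an SA (e.g. for a multicast group) ahead of any traffic."""
        self.sad[spi] = SecurityAssociation(
            spi, ip_network(group_prefix), "multicast", cipher)

    def _existing_sa(self, dst):
        return next((sa for sa in self.sad.values() if dst in sa.selector), None)

    def _policy_for(self, dst):
        return next((p for p in self.spd if dst in p.selector), None)

    def route(self, dst_str):
        """Return (action, spi, peer) for a packet addressed to dst_str."""
        dst = ip_address(dst_str)
        sa = self._existing_sa(dst)
        if sa is not None:                       # SAD hit: reuse the tunnel
            return ("PROTECT", sa.spi, sa.peer)
        policy = self._policy_for(dst)
        # RFC 4301: traffic matching no SPD entry is discarded (fail closed).
        if policy is None or policy.action == "DISCARD":
            return ("DISCARD", None, None)
        if policy.action == "BYPASS":
            return ("BYPASS", None, None)
        # PROTECT with no SA yet: instantiate one from the SPD entry's settings.
        sa = SecurityAssociation(next(self._next_spi), policy.selector,
                                 policy.peer, policy.cipher)
        self.sad[sa.spi] = sa
        return ("PROTECT", sa.spi, sa.peer)


def build_example_encryptor():
    """Constructed configuration: one protected remote enclave, one bypassed
    management host, and a multicast group with a preplaced key."""
    spd = [
        Policy(ip_network("10.2.0.0/16"), "PROTECT",
               peer="192.0.2.2", cipher="cipher-label-1"),
        Policy(ip_network("192.0.2.100/32"), "BYPASS"),
    ]
    enc = Encryptor(spd)
    enc.install_preplaced_sa(0x7000, "239.1.1.0/24", "preplaced-label")
    return enc


if __name__ == "__main__":
    enc = build_example_encryptor()
    for dst in ("10.2.0.5", "10.2.0.9", "239.1.1.7", "192.0.2.100", "198.51.100.1"):
        print(dst, enc.route(dst))
```

Running the block shows the two behaviours the paragraph describes: the first packet to 10.2.0.5 misses the SAD, matches the PROTECT policy and creates SPI 0x100; the next packet to 10.2.0.9 hits that SA directly without touching the SPD; the multicast packet hits the preplaced SA with no negotiation at all; and a destination covered by no policy is dropped rather than forwarded in the clear.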

A couple of new HAIPE devices will combine the functionality of a router and an encryptor once HAIPE IS version 3.0 is approved. General Dynamics has completed its TACLANE version (KG-175R), which houses both a red and a black Cisco router, and both ViaSat and L-3 Communications are coming out with lines of network encryptors at version 3.0 and above. Cisco is partnering with Harris Corporation to propose a solution called SWAT1.[8]

There is a UK HAIPE variant that implements UKEO algorithms in place of US Suite A. Cassidian has entered the HAIPE market in the UK with its Ectocryp range. Ectocryp Blue is HAIPE version 3.0 compliant and provides a number of the HAIPE extensions as well as support for network quality of service (QoS). Harris has also entered the UK HAIPE market with the BID/2370 End Cryptographic Unit (ECU).[9]

In addition to site encryptors, HAIPE is also being built into client devices that provide both wired and wireless capabilities. Examples include L3Harris Technologies' KOV-26 Talon and KOV-26B Talon2, and Harris Corporation's KIV-54[10] and PRC-117G[11] radios.

HAIPE managers

Viasat and General Dynamics Mission Systems each develop their own proprietary software for managing HAIPE devices, VINE and GEM One respectively. The GEM One specifications list support for the Viasat HAIPEs KG-250X and KG-250XS, while the VINE data sheet lists only supported Viasat Network Encryptors.[12][13]

Both HAIPE IS v3 management applications and HAIPE device implementations are required to be compliant with the HAIPE IS version 3.0 common MIBs. Assurance of cross-vendor interoperability may require additional effort. An example of a management application that supports HAIPE IS v3 is the L3Harris Common HAIPE Manager (which only operates with L3Harris products).[citation needed]


References

  1. L-3 Communication Encryption Products
  2. ViaSat Information Assurance web page
  3. ViaSat KG-250
  4. ViaSat KG-255
  5. General Dynamics TACLANE Encryptor (KG-175)
  6. "Ectocrypt Blue by Cassidian, an EADS Company". Archived from the original on 2013-11-07. Retrieved 2013-11-18.
  7. "CASSIDIAN unveils ECTOCRYP YELLOW". September 2013. Archived from the original on 2013-11-18.
  8. Cisco Harris SWAT1 Solution
  9. Harris UK BID/2370 ECU
  10. "Harris KIV-54 (SECNET 54)" (PDF). Archived from the original (PDF) on 2013-10-30. Retrieved 2013-11-18.
  11. "Harris AN/PRC-117G". Archived from the original on 2008-09-30. Retrieved 2008-10-05.
  12. "VINE Data Sheet" (PDF). Viasat.com. Retrieved 19 June 2022.
  13. "GEM One Encryptor Manager - General Dynamics Mission Systems". gdmissionsystems.com. Retrieved 19 June 2022.