Lightweight Portable Security

Last updated
Lightweight Portable Security (rebranded as
Trusted End Node Security) [1]
Seal of the United States Department of Defense.svg Air Force Research Laboratory.svg
LPS 1.6.0-Public Deluxe.png
Lightweight Portable Security Desktop
Developer US Department of Defense
OS family Linux (Unix-like)
Working stateDiscontinued
Source model Open source
Initial release2011
Latest release 3.0.4.1 [2] / 30 April 2021;3 years ago (2021-04-30)
Kernel type Monolithic (Linux)
Userland GNU
Default
user interface 		XFCE
License Free software licenses
(mainly GPL)
Official website Trusted End Node Security program office

Lightweight Portable Security (LPS) or Trusted End Node Security (TENS) was a Linux LiveCD (or LiveUSB) distribution. The application Encryption Wizard, originally bundled with TENS is still actively maintained. LPS and its successor TENS was developed and publicly distributed by the United States Department of Defense’s Air Force Research Laboratory [3] The live CD is designed to serve as a secure end node. The Air Force Research Laboratory actively maintained LPS and TENS from 2007 to 2021. [4] It can run on almost any x86_64 computer (PC or Mac). [5] LPS boots only in RAM, creating a pristine, non-persistent end node. It supports DoD-approved Common Access Card (CAC) readers, as required for authenticating users into PKI-authenticated gateways to access internal DoD networks. [6] [7] [8]

Contents

LPS turns an untrusted system (such as a home computer) into a trusted network client. No trace of work activity (or malware) can be written to the local computer's hard drive. As of September 2011 (version 1.2.5), the LPS public distribution includes a smart card-enabled Firefox browser supporting DoD's CAC and Personal Identity Verification (PIV) cards, a PDF and text viewer, Java, a file browser, remote desktop software (Citrix, Microsoft or VMware View), an SSH client, the public edition of Encryption Wizard and the ability to use USB flash drives. A Public Deluxe version is also available that adds LibreOffice and Adobe Reader software.

History

LPS and Encryption Wizard were initiated by the Air Force Research Laboratory's Anti-Tamper Software Protection Initiative program, started in 2001. In 2016, that program was ending, so LPS and Encryption Wizard were moved to the Trusted End Node Security program office. LPS, as of version 1.7 was rebranded Trusted End Node Security, or TENS. [9] Encryption Wizard retained its name, but received the TENS logo as of version 3.4.11. [10]

In 2020, the COVID-19 pandemic led to an increase in remote work. The National Security Agency recommended that U.S. government employees working remotely use government furnished computers. However, when it was necessary for an employee to use their home computer, the National Security Agency recommended TENS as one measure an individual employee could use to make that computer more secure. [11]

In 2021, TENS became compatible with UEFI Secure Boot. [12] UEFI Secure Boot is used to protect the operating system installed on the computer's hard drive. As of June 2020, UEFI Secure Boot was available on many newer PCs. UEFI Secure Boot would prevent older versions of TENS from booting. [13]

In August 2021, the TENS web site announced the TENS program office had been decommissioned. The Defense Information Systems Agency was no longer willing to fund the program. No other agency had agreed to champion the program. "Potentially final" editions of TENS and Encryption Wizard had been released in April and May 2021. [12]

The Mission Planning group of the Air Force Life Cycle Management Center took over management of Encryption Wizard. However, as of early 2023, the TENS program had not been restarted. [14]

Encryption Wizard

LPS came with Encryption Wizard (EW), a simple, strong file and folder encryptor for protection of sensitive but unclassified information (FOUO, Privacy Act, CUI, etc.). Written in Java, EW encrypted all file types for data at rest and data in transit protection. Without installation or elevated privileges, EW ran on Windows, Mac, Linux, Solaris, and other computers that support the Java software platform. With a simple drag and drop interface, EW offered 128-bit and 256-bit AES encryption, SHA-256 hashing, RSA signatures, searchable metadata, archives, compression, secure deleting, and PKI/CAC/PIV support. Encryption could be keyed from a passphrase or a PKI certificate. EW was GOTS—U.S. Government invented, owned, and supported software—and came in three versions, a public version that uses the standard Java cryptographic library, a unified version that uses a FIP-140-2 certified crypto licensed by The Legion of the Bouncy Castle, and a government-only version that uses a FIPS-140-2 certified crypto stack licensed from RSA Security [ citation needed ]. The three versions interoperate.

Public HTTPS access

The official web site, offering the public versions of TENS, was hosted on Department of Defense servers. The program office also had a commercially hosted "gettens" web site. The official web site was shut down circa 2022. As of early 2023, Encryption Wizard is still available on the "gettens" web site.

The "gettens" commercially hosted web site was established because the general public had some difficulty accessing web sites on Department of Defense servers. Originally, the gettens web site merely provided instructions how to configure a web browser to work with the official web site. However, in 2023 the gettens web site was repurposed to actually host Encryption Wizard.

This article incorporates text from the US Department of Defense SPI web site.

See also

Related Research Articles

<span class="mw-page-title-main">HTTPS</span> Extension of the HTTP communications protocol to support TLS encryption

Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP). It uses encryption for secure communication over a computer network, and is widely used on the Internet. In HTTPS, the communication protocol is encrypted using Transport Layer Security (TLS) or, formerly, Secure Sockets Layer (SSL). The protocol is therefore also referred to as HTTP over TLS, or HTTP over SSL.

<span class="mw-page-title-main">Kerberos (protocol)</span> Computer authentication protocol

Kerberos is a computer-network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. Its designers aimed it primarily at a client–server model, and it provides mutual authentication—both the user and the server verify each other's identity. Kerberos protocol messages are protected against eavesdropping and replay attacks.

<span class="mw-page-title-main">Booting</span> Process of starting a computer

In computing, booting is the process of starting a computer as initiated via hardware such as a button on the computer or by a software command. After it is switched on, a computer's central processing unit (CPU) has no software in its main memory, so some process must load software into memory before it can be executed. This may be done by hardware or firmware in the CPU, or by a separate processor in the computer system.

Trusted Computing (TC) is a technology developed and promoted by the Trusted Computing Group. The term is taken from the field of trusted systems and has a specialized meaning that is distinct from the field of confidential computing. With Trusted Computing, the computer will consistently behave in expected ways, and those behaviors will be enforced by computer hardware and software. Enforcing this behavior is achieved by loading the hardware with a unique encryption key that is inaccessible to the rest of the system and the owner.

A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or an area of its software that is not otherwise allowed and often masks its existence or the existence of other software. The term rootkit is a compound of "root" and the word "kit". The term "rootkit" has negative connotations through its association with malware.

<span class="mw-page-title-main">ESET</span> Slovak internet security company

ESET, s.r.o., is a software company specializing in cybersecurity. ESET's security products are made in Europe and provides security software in over 200 countries and territories worldwide. Its software is localized into more than 30 languages.

<span class="mw-page-title-main">MemTest86</span> Computer memory diagnostics software

MemTest86 and Memtest86+ are memory test software programs designed to test and stress test an x86 architecture computer's random-access memory (RAM) for errors, by writing test patterns to most memory addresses, reading back the data, and comparing for errors. Each tries to verify that the RAM will accept and correctly retain arbitrary patterns of data written to it, that there are no errors where different bits of memory interact, and that there are no conflicts between memory addresses.

<span class="mw-page-title-main">UEFI</span> Technical specification for firmware architecture

Unified Extensible Firmware Interface is a specification for the firmware architecture of a computing platform. When a computer is powered on, the UEFI-implementation is typically the first that runs, before starting the operating system. Examples include AMI Aptio, Phoenix SecureCore, TianoCore EDK II, InsydeH2O.

Data remanence is the residual representation of digital data that remains even after attempts have been made to remove or erase the data. This residue may result from data being left intact by a nominal file deletion operation, by reformatting of storage media that does not remove data previously written to the media, or through physical properties of the storage media that allow previously written data to be recovered. Data remanence may make inadvertent disclosure of sensitive information possible should the storage media be released into an uncontrolled environment.

<span class="mw-page-title-main">Wireless security</span> Aspect of wireless networks

Wireless security is the prevention of unauthorized access or damage to computers or data using wireless networks, which include Wi-Fi networks. The term may also refer to the protection of the wireless network itself from adversaries seeking to damage the confidentiality, integrity, or availability of the network. The most common type is Wi-Fi security, which includes Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA). WEP is an old IEEE 802.11 standard from 1997. It is a notoriously weak security standard: the password it uses can often be cracked in a few minutes with a basic laptop computer and widely available software tools. WEP was superseded in 2003 by WPA, a quick alternative at the time to improve security over WEP. The current standard is WPA2; some hardware cannot support WPA2 without firmware upgrade or replacement. WPA2 uses an encryption device that encrypts the network with a 256-bit key; the longer key length improves security over WEP. Enterprises often enforce security using a certificate-based system to authenticate the connecting device, following the standard 802.11X.

<span class="mw-page-title-main">Trusted Platform Module</span> Standard for secure cryptoprocessors

Trusted Platform Module (TPM) is an international standard for a secure cryptoprocessor, a dedicated microcontroller designed to secure hardware through integrated cryptographic keys. The term can also refer to a chip conforming to the standard ISO/IEC 11889. Common uses are to verify platform integrity, and to store disk encryption keys.

<span class="mw-page-title-main">BitLocker</span> Disk encryption software for Microsoft Windows

BitLocker is a full volume encryption feature included with Microsoft Windows versions starting with Windows Vista. It is designed to protect data by providing encryption for entire volumes. By default, it uses the Advanced Encryption Standard (AES) algorithm in cipher block chaining (CBC) or "xor–encrypt–xor (XEX)-based Tweaked codebook mode with ciphertext Stealing" (XTS) mode with a 128-bit or 256-bit key. CBC is not used over the whole disk; it is applied to each individual sector.

Acronis True Image is a proprietary backup, imaging, cloning and cybersecurity suite developed by Acronis International GmbH. It can back up files, data, clone storage media and protects the system from ransomware. In 2021, the product was renamed to Acronis Cyber Protect Home Office before being renamed back to True Image in 2024.


This is a comparison of notable free and open-source configuration management software, suitable for tasks like server configuration, orchestration and infrastructure as code typically performed by a system administrator.

In computer security, a cold boot attack is a type of side channel attack in which an attacker with physical access to a computer performs a memory dump of a computer's random-access memory (RAM) by performing a hard reset of the target machine. Typically, cold boot attacks are used for retrieving encryption keys from a running operating system for malicious or criminal investigative reasons. The attack relies on the data remanence property of DRAM and SRAM to retrieve memory contents that remain readable in the seconds to minutes following a power switch-off.

Pre-boot authentication (PBA) or power-on authentication (POA) serves as an extension of the BIOS, UEFI or boot firmware and guarantees a secure, tamper-proof environment external to the operating system as a trusted authentication layer. The PBA prevents anything being read from the hard disk such as the operating system until the user has confirmed they have the correct password or other credentials including multi-factor authentication.

Data erasure is a software-based method of data sanitization that aims to completely destroy all electronic data residing on a hard disk drive or other digital media by overwriting data onto all sectors of the device in an irreversible process. By overwriting the data on the storage device, the data is rendered irrecoverable.

A Secure End Node is a trusted, individual computer that temporarily becomes part of a trusted, sensitive, well-managed network and later connects to many other (un)trusted networks/clouds. SEN's cannot communicate good or evil data between the various networks. SENs often connect through an untrusted medium and thus require a secure connection and strong authentication. The amount of trust required is commensurate with the risk of piracy, tampering, and reverse engineering. An essential characteristic of SENs is they cannot persist information as they change between networks.

<span class="mw-page-title-main">VeraCrypt</span> Free and open-source disk encryption utility

VeraCrypt is a free and open-source utility for on-the-fly encryption (OTFE). The software can create a virtual encrypted disk that works just like a regular disk but within a file. It can also encrypt a partition or the entire storage device with pre-boot authentication.

References

References to the Trusted End Node Security Program office refer to the Trusted End Node Security Program Office, Information Directorate, Air Force Research Laboratories, United States Air Force.

References to the Software Protection Initiative refer to the DoD Anti-Tamper Program, Sensors Directorate, Air Force Research Laboratories, United States Air Force.

  1. "Trusted End Node Security - Downloads". Software Protection Initiative. Department of Defense. Archived from the original on 6 March 2021. Retrieved 19 July 2021.
  2. "LPS Release Notes". Trusted End Node Security - Software Protection Initiative. Department of Defense TENS Program Office. 2019-05-17. Retrieved 2019-12-10.[ permanent dead link ]
  3. TENS Program Office. "Trusted End Node Security". Archived from the original on 14 July 2018. Retrieved 10 December 2019.
  4. "TENS Release Notes". Trusted End Node Security. Air Force Research Laboratory. 16 April 2021. Archived from the original on July 19, 2021.
  5. Trusted End Node Security (TENS) Public Edition (TENS-Public) User's Guide (PDF). Air Force Research Laboratory. 2020. Archived from the original (PDF) on 21 March 2021.
  6. Galloway, David (24 July 2011). "Lightweight Portable Security Is a Portable Linux Distro from the Department of Defense". Lifehacker. Archived from the original on 2011-09-13. Retrieved 2021-08-20.
  7. Reed, Michael (30 Nov 2010). "Linux Distribution: Lightweight Portable Security | Linux Journal". www.linuxjournal.com. Archived from the original on 2010-12-03. Retrieved 2021-08-20.
  8. Montalbano, Elizabeth (22 July 2011). "Not Your Average Linux Distribution: DOD's Flavor". Information Week Government. Archived from the original on 2011-07-23.
  9. Software Protection Initiative. "Lightweight Portable Security". Archived from the original on 2016-09-25.
  10. Software Protection Initiative. "Encryption Wizard Release History". Trusted End Node Security. Archived from the original on 2021-07-19. Retrieved 26 February 2019.
  11. Selecting and Safely Using Collaboration Services for Telework - UPDATE (PDF). National Security Agency. 2020. p. 3. Archived from the original (PDF) on August 5, 2020.
  12. 1 2 TENS Program Office. "Downloads". Trusted End Node Security. Archived from the original on 18 August 2021. Retrieved 18 August 2021.
  13. TENS Virtual Machine Guide (PDF). National Security Agency. 2020. Archived (PDF) from the original on June 30, 2020.
  14. "Encryption Wizard". Airspace Mission Planning Division, Air Force Life Cycle Management Center. Archived from the original on 2023-01-29. Retrieved 2023-04-27.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.