POET OF SECURITY
Encryption Program Seeks Common Platform That Can Be Used in Future Tri-Service Multi-Band, Multi-Mode High-Communications Terminals.
by Cheryl Gerber, MIT Correspondent
As part of a tri-service effort, the Army is developing a scalable, re-programmable encryption technology that could serve as a model for optimizing future developments, particularly if the Army can achieve a common interface.
The initiative’s goals include building four independent cryptographic engines, each capable of more than 1 Gbps performance, to ensure cross-channel security in the multi-channel design and to provide re-usability that will accommodate the varying constraints of military and commercial satellite communications terminals.
Officials from the Air Force, Army and Navy, who are involved in the Transformational Communications Satellite (T-SAT) program run by the Air Force, pooled their resources to fund the Programmable Objective Encryption Technologies (POET) program. Although the T-SAT officers are responsible for developing their own ground terminals that can talk to satellites and test the resulting POET technology, the program is developing an Advanced Cryptographic Module (ACM) for the joint services.
The Army Communications Electronics Research, Development and Engineering Center (CERDEC) awarded contracts to General Dynamics and Harris to develop their versions of the ACM for the POET program. CERDEC is under the Research Development and Engineering Command.
“POET represents the evolution of cryptographic engine technology development. Other past crypto chips were stovepipes and not programmable. They were only dedicated technology with no migration path. We are trying to develop a crypto engine from which we can migrate,” said Stanley Fong, chief of the Army Cryptographic Modernization Project Management Office under the Army chief information officer/G-6.
The POET program is aiming high and reaching far in its efforts to establish a common platform that can be used in future tri-service multi-band, multi-mode high communications terminals, Fong explained. “We might have a crypto engine for the future in the high-end area for the joint services if we can develop common interface specifications with different levels of security and COMSEC algorithms.”
Two top challenges in developing common interface specifications are integration and interoperability, he said, noting, “Taking into consideration size, weight, throughput power and ease of embedding, all in a cost-effective manner, are other challenges.”
Program developers are working with the National Security Agency (NSA), which oversees military encryption policies. One of NSA’s chief concerns is to guarantee cross-channel security.
“The challenge presented by POET’s multi-channel design is to ensure that no unintended or uncontrolled information flows across or between channels. NSA’s position on multi-channel security has been consistent over time: to enforce separation between layers of differing classifications and stringent control over any information flows allowed between the layers,” said an NSA official familiar with the program.
MULTIPLE MODULES
An original incentive for the POET program was risk reduction for satellite and radio-linked ground terminals with 2 Gigahertz in four channels. The throughput for each channel would be 500 Megabits, with an aggregate of 2 Gigabits per second. The future objective is 10 Gigabits, Fong said. “There was no one device that could handle all four channels at the speed we wanted,” said Cynthia Shaw, project lead from Computer Sciences Corp.
The four channels all perform different high-speed functions simultaneously. For example, one channel can link to one satellite and a second channel can link either to another satellite or the same satellite with a different set of data. Yet a third and fourth channel could be a ground RF, all with different frequencies, said Shaw.
The embedded ACM will be configured to support security levels from Unclassified to Top Secret by providing different COMSEC algorithms for each level. While the ACM currently under development is a high-end module, the POET program is planning to incorporate a broader range of options.
“We’re looking at a whole series of modules, including an $8,000-10,000 per module price for the high end, a midrange price of about $4,000-5,000 per module, and less for the low end,” Fong said. Achieving low-end, midrange and high-end modules will require a flexible design that is built jointly to keep costs down, is applicable to other cryptographic programs and provides crypto capability for 2 GHz and above terminals, according to the NSA.
“The obstacles include the variance in requirements from one service to another, the ability to improve SWaP [size, weight and power] functions, the ability to enable secure, net-centric operations, to become compliant with the Crypto Modernization Initiative [CMI] and to achieve a fully releasable, configurable/loadable module,” said the NSA official.
“The CMI states that all new cryptographic devices must be programmable and re-programmable for one-time-only security,” said Shaw. “We are also defining POET to accommodate the NSA Key Management Initiative under development, and we have expanded support to include the mobile terminal to be used for C2 On the Move,” she added.
The modules also must comply with High Assurance Internet Protocol Encryptor (HAIPE) version 3, a secure gateway that combines the functionality of a router and encryptor. The ACM will attain other unique features, such as high-speed transmission security (TRANSEC) key stream generation, high-speed communications security (COMSEC) encryption/decryption, simultaneous operation of numerous TRANSEC/COMSEC waveforms, and algorithms/waveforms that are Advanced Extremely High Frequency.
Briefly put, a waveform is how a terminal talks to a satellite, and key stream generation refers to a method of encrypting and decrypting binary data that is extremely fast and highly variable.
The four-channel, embedded POET ACMs are all running different security algorithms with different keys. While there are other embedded, rather than external, security devices, “They don’t have the multi-channel capability with the common interface and the throughput POET has,” Shaw noted.
Yet the complex, multi-channel capability of POET presents a security challenge. “When you are in multi-channel, you have to deal with Multiple Independent Levels of Security (MILS), which is harder to certify,” noted Loring Hosley, project lead for POET in the Army Cryptographic Modernization branch, Information Assurance Division under CERDEC.
However, to achieve ease of scalability, the POET ACM design takes a modular approach. “If you want to reduce a four-channel module to a smaller mode, for example, you wouldn’t be changing parts. You would just be removing parts. You just pull out three to go from four channels down to one channel and you just add channels to go up,” said Shaw.
The POET program also must ensure that there is enough processing power and memory to accommodate many algorithms. “Some algorithms require more processing power and memory than others,” said Fong. “You want to factor in what you know today as well as what may happen down the road. And you also must load them in a secure and verifiable manner, which requires yet more processing and storage power.”
EXISTING TECHNOLOGIES
Both General Dynamics and Harris are leveraging existing technologies in the course of developing their versions of the ACM for POET. The companies have worked on the Boeing T-SAT security architecture for the Air Force and are utilizing some of those technologies in their POET ACM versions.
“The General Dynamics POET solution provides a modular architecture that leverages proven critical technologies from our existing portfolio of NSA-certified Type 1 encryptors, reducing development, integration and certification costs in support of both legacy and modernized networking waveforms,” said Bill Ross, director of information assurance systems and programs for General Dynamics C4 Systems.
GDC4S is using its Advanced INFOSEC Machine (AIM) technology, which sends and receives encrypted messages via embedded encryption programming that supports the NSA’s CMI.
AIM cryptographic components include the Joint Tactical Radio System, which is low power and fully programmable with a small footprint and a Type 1 randomizer—an extremely secure method of encryption. AIM features multiple channels, algorithms and engines as well as fast-context switching. They are multilevel secure and contain two package types for a broad array of applications.
Since both General Dynamics and Harris base the ACM versions on proven technologies, their primary challenges revolve around meeting program and predicting user requirements. “The primary technological challenges are selecting the optimum technology and properly applying it to a design that supports full programmability, interface flexibility and re-certification,” said Ross.
The Harris POET ACM is built on Harris’ certified Sierra II Application Specific Integrated Circuit, which is customized for a particular use rather than for general purpose. It provides a four-channel capability with multiple single levels of security in a small, scalable form factor. Each channel can support a wide range of algorithms simultaneously, including crypto services for HAIPE and the link encryption family. The Harris POET ACM supports the NSA’s CMI as well as a scalable and reprogrammable solution for future SATCOM terminal programs.
“The most significant challenge is to balance the tradeoff between size, power and cost, and provide scalability while meeting all of the POET functional requirements. Today’s technology can provide a fully compliant POET product, but the power, cost and potential size must fit within the constraints of the user requirements. Future advances in integrated technology will provide more compact POET solutions,” said Richard Rzepkowski, vice president of communications security products, Harris RF Communications.
One objective of the program is to ease the NSA certification and recertification process. The use of already-certified systems helps to pave the way. “A substantial percentage of our POET security design and certification artifacts are based on reuse from our existing portfolio of encryption solutions. Reuse of design techniques and implementations that have successfully been certified assists in reducing initial certification risk,” said Ross.
Another method is to achieve the highest level of certification so that every level below will be easier. “Through the certification of an initial ‘superset’ module design, additional [less capable] modules can be created very quickly by removing components versus adding new capability. This type of ‘delta certification’ approach appears to speed up the certification process, since the evaluators only need to verify the removal of capability versus a new development,” said Rzepkowski.
Harris has implemented the delta certification approach with various products, which the company claims cuts NSA certification time in half. The procedure also abets the process of reuse. “By certifying at a module [component] level, this family of modules can be re-used in various product implementations, such as SATCOM terminals, with limited re-certification,” he said.
CERTIFIED SYSTEMS
NSA acknowledges that utilizing already-certified systems can shorten recertification time. “By adhering to the certification requirements, any changes to the POET design should be easier to re-certify. A delta certification process may only apply to the variances in the originally certified product for addressing the changes in that delta,” said an NSA official.
In the process of certifying and re-certifying multi-channel MILS, the method can apply not just to removing but to adding technology. “The fundamental implementation of MILS in the POET module will come through basic hardware/software separation design techniques, for example core technical design. Once the core MILS capability is certified, adding components, such as channels, should not impact the MILS certification. Changes to the core MILS functionality will require a re-certification exercise. However, these core changes should be re-usable across all products or modules,” said Rzepkowski.
As an NSA official noted, technology will always become obsolete over time. But the POET re-programmable design will help overcome some technological obsolescence by providing the flexibility to accommodate software upgrades.
Meanwhile, the Air Force, Army and Navy will have their work cut out to develop ground terminals that will test the POET ACM. “It is envisioned that the immediate demand for POET will be to support the terminal developers for targeting environments, problems and needs such as Navy multi-band terminal, family of beyond line-of-sight terminal and high-capacity communications capability terminals. POET can also be adapted for a number of functions requiring an embedded, high-speed, high-capacity encryption/decryption capability,” said an NSA official.
The chief considerations in accomplishing joint development among the services are the need to share and the ability to satisfy a superset of requirements generated by the services for ground-based satellite transceivers, said the NSA. This is the essence of what the POET ACM is working to accomplish.
“Because the POET architecture is designed to be modular, scalable and reprogrammable, we see the device being used to support a wide range of user applications well into the future,” said Fong. ♦





