Protecting network transmitted data against cyber attacks and data breaches is imperative for government agencies. Data network eavesdropping, innocent error or technical failure, data tampering and data theft have all become commonplace. The implications of a significant breach are often catastrophic.
Encryption is a popular and effective method for safeguarding network data. An encryption system converts data into a disguised (encrypted) form that is unintelligible to anyone without the corresponding decryption key. Its purpose is confidentiality: the information stays hidden from everyone for whom it is not intended.
The process of encryption hides data or the contents of a message in such a way that the original information can only be recovered through a corresponding decryption process. Encryption and decryption are common techniques in cryptography — the scientific discipline behind secure communications.
Many security-conscious organizations go one stage further and protect not only their Internet traffic but also their internal networks, corporate backbone networks and virtual private networks (VPNs) with network-level encryption. Only encryption can ensure that an agency's data remains protected while it crosses data networks and links.
Many different encryption and decryption processes (called algorithms) exist. Especially on the Internet, it is very difficult to keep the details of an algorithm truly secret. Cryptographers understand this and design their algorithms to remain secure even when every detail except the key is public (Kerckhoffs's principle). Most encryption algorithms achieve this by relying on keys: in computer cryptography, a key is a long sequence of bits that the encryption and decryption algorithms take as input, and it is the only part of the system that must stay secret.
Encrypting data as it moves over a network is only part of a comprehensive network data encryption strategy. Organizations must also consider risks to information at its origin — before it moves — and at its final destination. Stealing a car in a parking lot or private garage is much easier than on the freeway while traveling at high speed!
Network layer encryption may be applied to sections of a network rather than end-to-end, for example between two site gateways; in this case the original IP packets are encrypted and encapsulated within new IP packets (IPsec calls this tunnel mode). A major advantage of network layer encryption is that it need not normally be concerned with the details of the transmission medium.
A feature of encryption up to and including the network layer is that it is generally transparent to the user. This cuts both ways: users need not do anything to be protected, but they also cannot tell whether encryption is actually in effect, so a single failure or breach can silently affect many users at once. This is not the case for application layer encryption, where the application itself is aware of the protection. As with link layer encryption, delays associated with encryption and decryption need to be kept to an acceptable level, but hardware-based devices capable of carrying out these processes have become increasingly available.
An important set of standards introduced to provide network layer encryption, together with other security services such as authentication, integrity and access control in IP networks, is IPsec from the IP Security Working Group of the Internet Engineering Task Force. The architecture was originally detailed in RFC 2401, which has since been superseded by RFC 4301.
An encryption algorithm takes the original unencrypted message and a key, and alters the message mathematically based on the key's bits to create a new encrypted message. Conversely, a decryption algorithm takes an encrypted message and restores it to its original form using one or more keys.
Many techniques and algorithms are known for converting the original data, referred to here as plaintext, into its encrypted form, referred to here as ciphertext. Two main types of data encryption exist: symmetric encryption, and asymmetric encryption, also known as public-key encryption.
Some cryptographic algorithms use a single key for both encryption and decryption. Such a key must be kept secret; otherwise, anyone who had knowledge of the key used to send a message could supply that key to the decryption algorithm to read that message.
Other algorithms use one key for encryption and a second, different key for decryption. The encryption key can remain public in this case, as without knowledge of the decryption key messages cannot be read. Popular Internet security protocols use this so-called public-key encryption.
TLS (Transport Layer Security, the technology behind the padlock symbol in the browser and the successor to SSL, whose name is still used loosely) is the default form of network data protection for Internet communications. Modern Web browsers use TLS for secure online transactions; the original SSL versions are deprecated and disabled. TLS uses public-key cryptography to authenticate the server and agree on a session key, then protects the traffic itself with a symmetric cipher, which is far faster than public-key operations.
The Rivest-Shamir-Adleman (RSA) algorithm is a public-key cryptosystem widely used to secure sensitive data, especially when it is sent over an insecure network like the Internet. Its popularity comes from the fact that the two keys work in either direction: a message encrypted with the public key can be read only with the private key (confidentiality), and a value computed with the private key can be checked by anyone holding the public key, which is what makes digital signatures possible and provides integrity, authenticity and non-repudiation of electronic communications and data.
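The two directions described above, as an added example that is not code from the page: textbook RSA on deliberately tiny primes, so that the same script can also show why the modulus size matters by factoring the public key back into the private key. The primes, messages and the trick of reducing the SHA-256 digest into the tiny modulus are constructed for illustration; real deployments use 2048-bit or larger moduli and a padding scheme (OAEP for encryption, PSS for signatures).

```python
"""Added example, not code from the page: textbook RSA on tiny primes.
Constructed values throughout; never use keys this small or unpadded RSA."""
import hashlib
from math import gcd, isqrt


def generate_keypair(p: int, q: int, e: int = 65537):
    """Return ((n, e), (n, d)) for two distinct primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public_key, m: int) -> int:
    """Anyone holding the public key can encrypt; only d can undo it."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message integer must be smaller than the modulus")
    return pow(m, e, n)


def decrypt(private_key, c: int) -> int:
    n, d = private_key
    return pow(c, d, n)


def _digest_mod_n(message: bytes, n: int) -> int:
    # Toy simplification: fold SHA-256 into the tiny modulus. A real scheme
    # (PSS or PKCS#1 v1.5) encodes the full hash with padding instead.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message: bytes) -> int:
    """Only the private key can produce the signature ..."""
    n, d = private_key
    return pow(_digest_mod_n(message, n), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """... but anyone with the public key can check it."""
    n, e = public_key
    return pow(signature, e, n) == _digest_mod_n(message, n)


def factor_modulus(n: int) -> tuple:
    """Trial division. Feasible only because n is tiny; this is exactly the
    attack that a 2048-bit modulus is sized to make infeasible."""
    if n % 2 == 0:
        return 2, n // 2
    for candidate in range(3, isqrt(n) + 1, 2):
        if n % candidate == 0:
            return candidate, n // candidate
    raise ValueError("no factor found")


def recover_private_key(public_key):
    """Given only a public key with a tiny modulus, rebuild the private key."""
    n, e = public_key
    p, q = factor_modulus(n)
    return (n, pow(e, -1, (p - 1) * (q - 1)))


if __name__ == "__main__":
    # 999983 and 1000003 are primes; n is about 10**12 (constructed example).
    public, private = generate_keypair(999983, 1000003)
    c = encrypt(public, 123456789)
    print("decrypt(encrypt(m)) == m:", decrypt(private, c) == 123456789)
    sig = sign(private, b"transfer 100 to alice")
    print("signature verifies:", verify(public, b"transfer 100 to alice", sig))
    print("tampered message verifies:", verify(public, b"transfer 100 to mallory", sig))
    print("private key recovered from public key:", recover_private_key(public) == private)
```

Run it once and the last line prints True: with a 40-bit modulus the "private" key is public in well under a second, which is the same key-length argument the page makes for symmetric ciphers, applied to RSA.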
Wi-Fi home networks support several security protocols, including WPA, WPA2 and, on newer equipment, WPA3. While these are not the strongest encryption schemes in existence, WPA2 with AES-CCMP and WPA3 are sufficient to stop outsiders from snooping on a home network's traffic; the original WPA (TKIP) and the older WEP are broken and should not be used.
Because WPA/WPA2 and TLS depend so heavily on keys, one common measure of the strength of network encryption is key length, the number of bits in the key. The most basic attack on encryption is brute force: trying every possible key until the right one is found. The length of the key determines the number of possible keys and therefore how feasible this attack is; each additional bit doubles the attacker's work.
Early implementations of SSL in the Netscape and Internet Explorer Web browsers used export-grade 40-bit encryption. The initial implementation of WEP for home networks also used 40-bit keys. Vendors recognized the need for stronger encryption and moved to 128-bit and higher key lengths many years ago.
Compared to 40-bit encryption, 128-bit encryption offers 88 additional bits of key length. This means 2^88, or 309,485,009,821,345,068,724,781,056, times as many combinations for a brute-force attacker to cover. Some processing overhead occurs on devices that must encrypt and decrypt traffic with these keys, but the benefits far outweigh the cost.
Encryption systems are conventionally implemented as a combination of software and custom encryption hardware that contains redundant encryption functions. These redundant functions provide operational checks confirming that the plaintext is actually being encrypted. Unfortunately, some communication equipment, such as commercial portable cellular handsets, cannot accommodate custom encryption hardware because of size and power constraints.
To avoid the problems associated with custom hardware, some encryption systems are implemented entirely in software running on conventional microprocessors. Such software can be loaded into the memory of existing communication equipment, overcoming the size and power constraints. However, software encryption has traditionally been perceived as less secure than hardware, because the software can be modified or corrupted. Moreover, software implementations generally lack the operational checks built into custom hardware, so it is difficult to ensure that the correct algorithm is actually being executed, and executed correctly.
In addition, it is difficult to verify that conventional software encryption is operating in real time, especially in multitasking environments. Here "real time" means that the system outputs ciphertext at substantially the same rate as plaintext is fed into it.
Moreover, conventional software encryption is unable to detect that encryption has failed or been bypassed and to inform the sender. This is an undesirable situation for maintaining the security of communications between transmitting and receiving systems.
Accordingly, what is needed is a system and method for encrypting plaintext into ciphertext that provide a high level of assurance that encryption is being properly executed; that incorporate such high-assurance software encryption into existing communications systems, such as commercial portable cellular handsets; and that fit within size, power and bill-of-materials constraints.
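Two of the points above can be made concrete with one script, added here and not taken from the page or from any product it describes: the key-length arithmetic (brute force doubles with every key bit) and the operational self-checks that the preceding paragraphs say software encryption usually lacks. The cipher is a keystream built from HMAC-SHA256 in counter mode, the keys, messages and the two deliberately broken "cipher" implementations are constructed for illustration, and the only external value is the RFC 4231 HMAC-SHA-256 test vector used as the known-answer test. The real-time (throughput) check from the text is not modelled.

```python
"""Added example, not code from the page: brute force versus key length, and
operational checks (known-answer test, bypass detection, decrypt-and-compare)
wrapped around a software cipher. All keys and messages are constructed."""
import hashlib
import hmac


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """XOR data with HMAC-SHA256(key, block counter). XOR is its own inverse,
    so the same call both encrypts and decrypts."""
    out = bytearray()
    for counter, offset in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(p ^ k for p, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def key_from_int(value: int, key_len: int = 16) -> bytes:
    """Lay a small key out in a fixed-width field (high bytes zero)."""
    return value.to_bytes(key_len, "big")


def brute_force(ciphertext: bytes, crib: bytes, key_bits: int):
    """Try all 2**key_bits keys until the ciphertext prefix decrypts to the
    known plaintext (the 'crib'). Returns (key, attempts)."""
    attempts = 0
    for candidate in range(1 << key_bits):
        attempts += 1
        key = key_from_int(candidate)
        if keystream_xor(key, ciphertext[:len(crib)]) == crib:
            return key, attempts
    return None, attempts


def work_factor(old_bits: int, new_bits: int) -> int:
    """How many times more keys an attacker must cover after lengthening the key."""
    return 1 << (new_bits - old_bits)


class EncryptionFault(Exception):
    """Raised when an operational check fails; the caller must not transmit."""


# Known-answer test for the primitive: RFC 4231, test case 1 (HMAC-SHA-256).
KAT_KEY = b"\x0b" * 20
KAT_DATA = b"Hi There"
KAT_EXPECTED = "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"


def checked_encrypt(key: bytes, plaintext: bytes,
                    encrypt_fn=keystream_xor, decrypt_fn=keystream_xor) -> bytes:
    """Encrypt with the checks a hardware encryptor performs in redundant logic:
    known-answer test of the primitive, proof the output is not the plaintext,
    and decrypt-and-compare of what would actually be sent."""
    if hmac.new(KAT_KEY, KAT_DATA, hashlib.sha256).hexdigest() != KAT_EXPECTED:
        raise EncryptionFault("primitive failed known-answer test")
    ciphertext = encrypt_fn(key, plaintext)
    if plaintext and ciphertext == plaintext:
        raise EncryptionFault("encryption bypassed: output equals plaintext")
    if decrypt_fn(key, ciphertext) != plaintext:
        raise EncryptionFault("round trip failed: ciphertext not recoverable")
    return ciphertext


def fault_detected(encrypt_fn, decrypt_fn=None) -> bool:
    """True if checked_encrypt refuses output from this implementation."""
    try:
        checked_encrypt(key_from_int(0x5151), b"operational check sample",
                        encrypt_fn, decrypt_fn or encrypt_fn)
    except EncryptionFault:
        return True
    return False


def bypass_cipher(key: bytes, data: bytes) -> bytes:
    """Corrupted implementation (constructed): passes plaintext straight through."""
    return data


def truncating_cipher(key: bytes, data: bytes) -> bytes:
    """Corrupted implementation (constructed): drops the last byte of output."""
    return keystream_xor(key, data)[:-1]


if __name__ == "__main__":
    key = key_from_int(0x0ABC)
    ct = keystream_xor(key, b"ATTACK AT DAWN, 1200 HOURS")
    found, attempts = brute_force(ct, b"ATTACK AT DAWN", 12)
    print("12-bit key recovered after", attempts, "attempts:", found == key)
    print("40 -> 128 bits multiplies the search by", work_factor(40, 128))
    for name, fn in [("reference", keystream_xor), ("bypass", bypass_cipher),
                     ("truncating", truncating_cipher)]:
        print(name, "implementation, fault detected:", fault_detected(fn))
```

Raise `key_bits` one at a time and the attempt count for the same key position doubles each step; that is the whole content of the 2^88 figure above. The checks in `checked_encrypt` are cheap relative to the encryption itself, and a software encryptor that ships ciphertext without them cannot tell the sender that it has silently become a plaintext pass-through.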
Robust encryption (also known as high-assurance encryption) features secure, dedicated encryption devices. In order to be truly high assurance, these devices must use embedded, zero-touch encryption key management; provide end-to-end, authenticated encryption and use standards-based algorithms.
TACLANE-Nano network encryptor certified by NSA
General Dynamics Mission Systems (GDMS) announced that the National Security Agency (NSA) has certified its new TACLANE-Nano (KG-175N) network encryptor to secure voice, video, and data information classified Top Secret/SCI and below traversing public and private IP networks.
According to the company, this NSA certification validates the TACLANE-Nano’s capability to protect critical data communications through government networks and national security systems worldwide.
Company statements claim that the TACLANE-Nano operates at faster than 100 megabits per second aggregate throughput in a Size, Weight, Power and Cost (SWaP-C) optimized form factor, ruggedized to withstand the rigors of a mobile environment. GDMS says it can be used for dismounted tactical forward deployment, unmanned or manned intelligence, surveillance and reconnaissance (ISR), covert, and special operations.