High Assurance Internet Protocol Encryptor: Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 21:12, 18 August 2013 edit EncMstr (talk \| contribs) Edit filter managers, Administrators 49,270 edits m Reverted edits by 184.166.65.28 (talk) to last version by Widefox ← Previous edit		Latest revision as of 00:42, 24 March 2025 edit undo Balon Greyjoy (talk \| contribs) Autopatrolled, Extended confirmed users, New page reviewers, Pending changes reviewers, Rollbackers 75,728 edits m script-assisted date audit and style fixes per MOS:NUM
(39 intermediate revisions by 33 users not shown)
Line 1: {{Short description\|Encryption device}} {{multiple issues\| {{cleanup\|date=March 2012}} {{external links\|date=March 2012}}▼ {{primary sources\|date=March 2012}} {{refimprove \|date= February 2008}} ~~{{linkrot\|date=July 2013}}~~ }} ▲{{~~external~~Use ~~links~~mdy dates\|date=March ~~2012~~2025}} A '''~~HAIPE (~~High Assurance Internet Protocol Encryptor)''' ('''HAIPE''') is a [[Type 1 encryption]] device that complies with the [[National Security Agency]]'s HAIPE IS (formerly the HAIPIS, the High Assurance Internet Protocol Interoperability Specification). The [[cryptography]] used is [[NSA Suite A Cryptography\|Suite A]] and [[NSA Suite B\|Suite B]], also specified by the NSA as part of the [[Cryptographic Modernization Program]]. HAIPE  IS is based on [[IPsec]] with additional restrictions and enhancements. One of these enhancements includes the ability to encrypt [[~~multicasting\|~~multicast]] data using a "preplaced key" (see definition in [[List of cryptographic key types]]). This requires loading the same key on all HAIPE devices that will participate in the multicast session in advance of data transmission. A HAIPE is typically a secure gateway that allows two enclaves to exchange data over an untrusted or lower-classification network.▼ ==Examples== ▲A '''HAIPE (High Assurance Internet Protocol Encryptor)''' is a [[Type 1 encryption]] device that complies with the [[National Security Agency]]'s HAIPE IS (formerly the HAIPIS, the High Assurance Internet Protocol Interoperability Specification). The [[cryptography]] used is [[NSA Suite A Cryptography\|Suite A]] and [[NSA Suite B\|Suite B]], also specified by the NSA as part of the [[Cryptographic Modernization Program]]. HAIPE IS is based on [[IPsec]] with additional restrictions and enhancements. One of these enhancements includes the ability to encrypt [[multicasting\|multicast]] data using a "preplaced key" (see definition in [[List of cryptographic key types]]). This requires loading the same key on all HAIPE devices that will participate in the multicast session in advance of data transmission. A HAIPE is typically a secure gateway that allows two enclaves to exchange data over an untrusted or lower-classification network. Examples of HAIPE devices include:▼ * [[L3Harris Technologies]]' Encryption Products<ref>[https://www2.l3t.com/cs-east/what-we-do/products/encryption-products_red-eagle.htm L-3 Communication Encryption Products]</ref> KG-~~245A fully tactical 1~~245X 10 Gbit/s (HAIPE IS v3.1.2 and Foreign Interoperable),▼ KG-~~240A~~245A fully ~~ruggedized~~tactical ~~100 Mbit~~1 Gbit/s (HAIPE IS v3.1.2 and Foreign Interoperable)▼ ** RedEagle * [~~http://www.viasat.com/government-communications/information-assurance~~ [ViaSat]]'s AltaSec Products]<ref ~~name="AltaSec KG-250"~~>[http://www.viasat.com/government-communications/information-assurance/~~altasec-kg-250~~ ViaSat ~~AltaSec~~Information ~~KG-250~~Assurance web page]</ref>▼ KG-250,<ref>[http://www.viasat.com/government-communications/information-assurance/altasec-kg-250 ViaSat KG-250],<~~ref name="AltaSec KG-250"~~/ref> and▼ KG-255 [1 Gbit/s]<ref>[http://www.viasat.com/government-communications/information-assurance/altasec-kg-255 ViaSat KG-255]</ref> * [[General Dynamics Mission Systems]] TACLANE Products<ref name="ge">[https://gdmissionsystems.com/encryption/taclane-network-encryption General Dynamics TACLANE Encryptor (KG-175)]</ref> FLEX (KG-175F) 10G (KG-175X) ** Nano (KG-175N) * Airbus Defence & Space ECTOCRYP Transparent Cryptography<ref>{{Cite web \|url=http://www.cassidian.com/pl/web/guest/1307 \|title=Ectocrypt Blue by Cassidian, an EADS Company \|access-date=November 18, 2013 \|archive-url=https://web.archive.org/web/20131107061236/http://www.cassidian.com/pl/web/guest/1307 \|archive-date=November 7, 2013 \|url-status=dead }}</ref><ref>{{cite web\|url=http://www.cassidian.com/en_US/web/guest/cassidian-unveils-ectocryp-yellow \|archive-url=https://archive.today/20131118073910/http://www.cassidian.com/en_US/web/guest/cassidian-unveils-ectocryp-yellow \|url-status=dead \|archive-date=November 18, 2013 \|title=CASSIDIAN unveils ECTOCRYP YELLOW \|date=September 2013 }}</ref> Three of these devices are compliant to the HAIPE IS v3.0.2 specification while the remaining devices use the HAIPE IS version 1.3.5, which has a couple of notable limitations: limited support for [[routing protocols]] or open [[network management]]. ▲Examples of HAIPE devices include * L-3 Communications' <ref name=L3>[http://www.l-3com.com/HAIPE L-3 HAIPE]</ref>[http://www.l-3com.com/HAIPE HAIPE] KG-245X 10Gbit/s (HAIPE IS v3.0.2), ▲ KG-245A fully tactical 1 Gbit/s (HAIPE IS v3.1.2 and Foreign Interoperable) ▲ KG-240A fully ruggedized 100 Mbit/s (HAIPE IS v3.1.2 and Foreign Interoperable) KOV-26 <ref name=L3>[http://www.l-3com.com/Talon L-3 Talon]</ref>[http://www.l-3com.com/Talon Talon] ▲* [http://www.viasat.com/government-communications/information-assurance ViaSat's AltaSec Products]<ref name="AltaSec KG-250">[http://www.viasat.com/government-communications/information-assurance/altasec-kg-250 ViaSat AltaSec KG-250]</ref> ▲ [http://www.viasat.com/government-communications/information-assurance/altasec-kg-250 KG-250],<ref name="AltaSec KG-250"/> and KG-255 [1 Gbit/s]<ref name=Viasat255datasheet>[http://www.viasat.com/files/assets/KG-255_datasheet_014.pdf ViaSat KG-255 Datasheet]</ref> * [[General Dynamics]]' <ref name=ge>[http://www.gdc4s.com/content/detail.cfm?item=f3f0ef4c-cced-46b2-937e-69c42fd1fe3b TACLANE Encryptor (KG-175)]</ref> [[TACLANE]] KG-175. Cassidian's ECTOCRYP Transparent Cryptography <ref name="ECTOCRYP Transparent Cryptography">[http://www.cassidian.co.uk] ECTOCRYP Transparent Cryptography</ref>[http://www.cassidian.co.uk/ectocryp] Three of these devices are compliant to the HAIPE IS v3.0.2 specification while the remaining devices use the HAIPE IS version 1.3.5, which has a couple of notable limitations: no support for [[routing protocols]] or open [[network management]]. A HAIPE is an IP encryption device, looking up the destination IP address of a [[Network packet\|packet]] in its internal Security Association Database (SAD) and picking the encrypted tunnel based on the appropriate entry. For new communications, HAIPEs use the internal Security Policy Database (SPD) to set up new tunnels with the appropriate algorithms and settings. Due Byto ~~not~~lack of support for ~~supporting~~modern commercial routing protocols the HAIPEs often must be preprogrammed with [[static routing\|static routes]] and cannot adjust to changing network topology. While manufacturers support centralized management of their devices through proprietary software,<ref>[http://www.viasat.com/government-communications/information-assurance/viasat-ine-manager-software-vine ViaSat's VINE website]</ref><ref>[http://www.gdc4s.com/content/detail.cfm?item=45b9abed-a178-486e-908b-28f858754155 General Dynamics's GEM website]</ref> the current devices offer no management functionality through open protocols or standards. Recently [http://www.telegrid.com TELEGRID Technologies] <ref>[http://www.telegrid.com TELEGRID Technologies]</ref> has produced a non proprietary manager [http://www.telegrid.com/TELEGRID_SMRT_Flyer.pdf SMRT] for multiple HAIPE encryptors including the KG-175D, KG-250 and SecNet 54 in addition to the KIV-7M LEF encryptor.<ref>[http://www.telegrid.com/TELEGRID_SMRT_Flyer.pdf SMRT MULTIPLE HAIPE REMOTE MANAGER]</ref> Both of these limitations are due to be addressed in HAIPE IS version 3.0 due to be accredited in late 2008, but that date has slipped multiple times.{{Citation needed\|date=April 2008}} Both the HAIPE IS v3 management and HAIPE device implementations are required to be compliant to the HAIPE IS version 3.0 common MIBs. Assurance of cross vendor interoperability may require additional effort. An example of a management application that supports HAIPE IS v3 is the <ref name=L3>[http://www.l-3com.com/HAIPE Common HAIPE Manager]</ref>[http://www.l-3com.com/HAIPE Common HAIPE Manager]. A couple of new HAIPE devices will combine the functionality of a router and encryptor when HAIPE IS version 3.0 is approved. General Dynamics has completed its TACLANE version (KG-175R), which house both [[Red/black concept\|a red and a black]] Cisco router, and both ViaSat and L-3 Communications are coming out with a line of network encryptors at version 3.0 and above. Cisco ~~has~~is ~~dropped~~partnering ~~its~~with ~~plans~~[[Harris ~~for~~Corporation]] ~~producing~~to ~~its~~propose ~~own~~a ~~HAIPE~~solution ~~device~~called SWAT1<ref>[https://www.~~{{Citation~~cisco.com/web/strategy/docs/gov/swat1_ds.pdf ~~needed\|date=March~~Cisco Harris SWAT1 ~~2008}}~~Solution]</ref> There is a UK HAIPE variant that implements UKEO algorithms in place of US Suite A. Cassidian has entered the HAIPE market in the UK with its Ectocryp range ~~[http://www.eadsdsuk.com/ectocryp/]~~. Ectocryp Blue is HAIPE version 3.0 compliant and provides a number of the HAIPE extensions as well as support for network [[quality of service]] (QoS). Harris has also entered the UK HAIPE market with the BID/2370 End Cryptographic Unit (ECU).<ref ~~name=bid2370~~>[~~http~~https://www~~.rfcomm~~.harris.com/~~products~~press-releases/2008/~~embeddable-security~~12/next-generation-bid-2370-device-developed-under-uk-ministry-of-defence-chimp~~.pdf~~ Harris UK BID/2370 ECU]</ref> In addition to site encryptors HAIPE is also being inserted into client devices that provide both wired and wireless capabilities. Examples of these include ~~L-3~~L3Harris ~~Communication~~Technologies's KOV-26 [Talon and KOV-26B Talon2, and Harris Corporation's KIV-54 <ref>{{Cite web \|url=http://~~www~~rf.~~l-3com~~harris.com/~~cs-east~~media/~~ia/talon/ie_ia_talon~~secnet54_emod_tcm26-9219.~~shtml~~pdf ~~Talon]~~\|title=Harris ~~and~~KIV-54 ~~[http~~(SECNET 54) \|access-date=November 18, 2013 \|archive-url=https://~~www~~web.~~l-3com~~archive.~~com~~org/~~cs-east~~web/ia20131030001308/~~smeped~~http:/~~ie_ia_smeped~~/rf.harris.com/media/SecNet54_EMOD_tcm26-9219.~~shtml~~pdf ~~Guardian] SME~~\|archive-~~PED~~date=October 30, ~~and~~2013 ~~[[Harris~~\|url-status=dead ~~Corporation]]'s~~}}</ref> and PRC-117G <ref>{{Cite ~~name~~web \|url=~~harris>[~~http://www.rfcomm.harris.com/~~products/embeddable-security~~117G/ \|title=Harris ~~KIV-54]<~~AN/~~ref> KIV-54 and~~ PRC-117G ~~<ref~~\|access-date=October ~~name~~5, ~~=PRC~~2008 \|archive-~~117G>[~~url=https://web.archive.org/web/20080930205542/http://www.rfcomm.harris.com/117G/ ~~Harris~~\|archive-date=September ~~PRC~~30, 2008 \|url-~~117G]~~status=dead }}</ref> radio . ==~~See~~ ~~also~~HAIPE managers == Viasat and General Dynamics Mission Systems both develop their own proprietary software for managing HAIPE devices, VINE and GEM One, respectively. The GEM One specifications list support for the Viasat HAIPEs, KG-250X and KG-250XS while the data sheet for VINE only lists supported Viasat Network Encryptors.<ref name="VINE Data Sheet">{{cite web \|title=VINE Data Sheet \|url=https://www.viasat.com/content/dam/us-site/government/documents/VINE_datasheet_040_web.pdf \|website=Viasat.com \|access-date=June 19, 2022}}</ref><ref name="GEM One GDMS">{{cite web \|title=GEM One Encryptor Manager - General Dynamics Mission Systems \|url=https://gdmissionsystems.com/products/encryption/encryptor-management/gem-one-encryptor-manager \|website=gdmissionsystems.com \|access-date=June 19, 2022 \|language=en}}</ref> Both the HAIPE IS v3 management and HAIPE device implementations are required to be compliant to the HAIPE IS version 3.0 common MIBs. Assurance of cross vendor interoperability may require additional effort. An example of a management application that supports HAIPE IS v3 is the L3Harris Common HAIPE Manager (which only operates with L3Harris products).{{Citation Needed\|date=June 2022}} == See also == [[ARPANET encryption devices]] * [[NSA encryption systems]] == References == {{reflist}} [http://www.cnss.gov/Assets/pdf/CNSSP-19.pdf CNSS Policy #19 governing the use of HAIPE]▼ == ~~Footnotes~~External links == ▲* [http://www.cnss.gov/Assets/pdf/CNSSP-19.pdf CNSS Policy #19 governing the use of HAIPE] {{Webarchive\|url=https://web.archive.org/web/20080513042825/http://www.cnss.gov/Assets/pdf/CNSSP-19.pdf \|date=May 13, 2008 }} ~~{{Reflist\|30em}}~~ [[Category:Cryptographic protocols]]