System assures confidentiality on Internet protocol-based networks.
The North Atlantic Treaty Organization is strengthening its communications structure with a new standard Internet protocol encryption system that protects data, videoconferencing and some voice communications. The organization and its member nations will begin using the system later this year.
Communications security is a key issue for countries that share information and conduct collaborative sessions on a sustained basis or as part of coalition missions. Because nations have been developing technology in different ways and at differing speeds, standards issues have surfaced. These challenges are particularly perplexing in environments that require a high degree of confidentiality and the ability to authenticate both the content of messages and the identity of their senders.
To address these issues, the North Atlantic Treaty Organization’s (NATO’s) Consultation, Command and Control Agency recently signed a contract with Thales Communications AS, Oslo, Norway, for its Cryptel Internet protocol (IP) data encryption technology. The system was developed in close cooperation with the Norwegian defense ministry. Norwegian armed forces currently use the technology, which can be deployed with any IP network, to protect their data networks.
According to Svein Barlund, senior system engineer, Thales Communications, the equipment, designated TCE 621, is situated between a computer and the network or between a local area network (LAN) and another network.
“The Cryptel IP therefore provides secure channels between distributed local networks and/or individual computers. This allows a secure network to be distributed over multiple locations,” Barlund explains. In addition, users operating at different classification levels can share the same wide area network, he adds.
The system, which supports both current IP version 4 and the future IP version 6 standards, consists of several elements that add end-to-end security services to the transmission control protocol, or TCP. The crypto unit, which is approximately the size of a video cassette recorder, is one of a two-component scheme. It does not independently provide security; the second component, a crypto ignition key (CIK) smart card, must be inserted to activate the system.
“When the crypto ignition key is removed, the unit will contain no clear-text crypto keys and cannot be used for communication. When the CIK is re-inserted, the unit will immediately become operational again. In many situations, however, the crypto equipment will be installed in a locked cabinet and remain operational on a continuous basis,” Barlund relates.
The Encapsulating Security Payload (ESP) protocol, as specified by the Internet Engineering Task Force, the organization that coordinates Internet standards and specifications, secures the data, voice or video transmissions. Audio communications are secured only when they are carried as voice over IP.
The original IP data packet, including the header that contains the source and destination addresses and service type, is encrypted. This encrypted data packet is given a new IP header to enable transmission to the crypto equipment, Barlund offers. “Any outsider who may examine the data in transit over the wide area network will not be able, therefore, to learn anything about the content of the data, the type of data such as e-mail, Web or file transfer, or the addresses of the computer behind the crypto equipment,” he states.
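As an added illustration (not part of the original article and not Thales' own code), the following Python model shows the tunnel-mode ESP encapsulation Barlund describes: the complete inner packet, header included, is encrypted and integrity-protected, and a new outer header carrying only the two crypto units' addresses is prepended. The cipher is an HMAC-SHA256 counter-mode stand-in so the model runs on the standard library alone, and the key, SPI and addresses are constructed values.

```python
import hmac, hashlib, struct

ESP_PROTO, IPIP_NEXT_HDR, ICV_LEN, IV_LEN = 50, 4, 16, 8   # IP protocol 50 = ESP; next header 4 = IP-in-IP

def ipv4_header(src, dst, proto, payload_len):
    """20-byte IPv4 header (no options) with a correct header checksum."""
    addr = lambda a: bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, addr(src), addr(dst))
    s = sum(struct.unpack("!10H", hdr))
    s = (s & 0xFFFF) + (s >> 16)
    s = (s & 0xFFFF) + (s >> 16)
    return hdr[:10] + struct.pack("!H", ~s & 0xFFFF) + hdr[12:]

def subkeys(key):
    """Separate encryption and integrity keys derived from the one shared key."""
    return hashlib.sha256(key + b"enc").digest(), hashlib.sha256(key + b"auth").digest()

def crypt(ek, iv, data):
    """Stand-in cipher: XOR with an HMAC-SHA256 counter-mode keystream. Constructed placeholder so the
    example runs offline on the standard library; the device's actual cipher is not stated on the page."""
    ks = b"".join(hmac.new(ek, iv + struct.pack("!I", c), hashlib.sha256).digest() for c in range(-(-len(data) // 32)))
    return bytes(x ^ y for x, y in zip(data, ks))

def esp_tunnel_encapsulate(key, spi, seq, inner_pkt, gw_src, gw_dst, iv=b"\x00" * IV_LEN):
    """Wrap a complete inner IP packet in ESP (RFC 4303 layout) plus a new outer IPv4 header."""
    ek, ak = subkeys(key)
    pad_len = -(len(inner_pkt) + 2) % 4            # ESP payload must end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))         # RFC 4303 default padding bytes 1, 2, 3 ...
    plain = inner_pkt + padding + bytes([pad_len, IPIP_NEXT_HDR])
    esp = struct.pack("!II", spi, seq) + iv + crypt(ek, iv, plain)
    esp += hmac.new(ak, esp, hashlib.sha256).digest()[:ICV_LEN]   # ICV over SPI..ciphertext
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, len(esp)) + esp

def esp_tunnel_decapsulate(key, outer_pkt):
    """Verify the ICV, then decrypt and strip padding; returns the original inner packet."""
    ek, ak = subkeys(key)
    body, icv = outer_pkt[20:-ICV_LEN], outer_pkt[-ICV_LEN:]
    if not hmac.compare_digest(icv, hmac.new(ak, body, hashlib.sha256).digest()[:ICV_LEN]):
        raise ValueError("ESP integrity check failed: packet modified or wrong key")
    plain = crypt(ek, body[8:8 + IV_LEN], body[8 + IV_LEN:])
    pad_len, next_hdr = plain[-2], plain[-1]
    if next_hdr != IPIP_NEXT_HDR:
        raise ValueError("not a tunnel-mode (IP-in-IP) packet")
    return plain[:-(2 + pad_len)]

def outsider_view(outer_pkt):
    """All a WAN observer can read: the two gateway addresses and that the protocol is ESP (50)."""
    f = struct.unpack("!BBHHHBBH4s4s", outer_pkt[:20])
    return ".".join(map(str, f[8])), ".".join(map(str, f[9])), f[6]
```

Building an inner packet with `ipv4_header` plus a payload, passing it through `esp_tunnel_encapsulate` and inspecting the result with `outsider_view` shows that neither the inner addresses nor the payload survive in the clear, while `esp_tunnel_decapsulate` rejects any modified packet before decrypting.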
Because the equipment resides at the systems administration level, individual users are not involved in its operation. They will not need any form of password to use the encrypted communication service. The system is managed solely by administrators.
To facilitate the supervision of the crypto system, developers designed the TCE 671 security management center. Systems administrators can monitor and operate the Cryptel IP online over the network. The TCE 671 performs supporting functions such as CIK generation and distribution, access control management, and audit and alarm collection.
One security management center operated by one person or a few individuals can control and monitor a large distributed network of Cryptel IP equipment with up to 1,000 crypto devices. “The security management center will automatically distribute crypto keys to the crypto devices under its control, as required for communication, and automatically update information according to the defined update intervals. It also uses access control lists that control which computers are allowed to communicate with each other,” Barlund relates.
Administrators also can manually operate the system without the support of the security management center.
Barlund believes Cryptel IP provides information security for the means of communications that is emerging as the leading method for transmissions.
“Cryptel IP differs from other information assurance approaches in that it provides security with Internet protocol, which is becoming the dominant communication protocol for all data and multimedia communications in both civilian and military networks. In the past, communication links were often point-to-point, requiring one crypto device for each physical communication line. IP allows simultaneous communications with several distant computers with a single network connection and one crypto device,” Barlund explains. However, all users or a collection of users sharing one encrypted network connection who intend to communicate securely with each other will need the same type of crypto equipment as well as CIKs issued by the same security authority, he points out.
The Cryptel IP’s throughput matches the 10 megabits per second Ethernet LAN interface found on today’s computers. It only monitors and records message traffic; it does not examine the content of the message. “The Cryptel IP will provide confidentiality of communication. It will also ensure that communication is only possible with other users with the same type of equipment and valid encryption keys. It may be supplemented by firewalls, mail guards and other systems for additional security regarding content of communication,” he says.
Thales’ current contract with NATO is for an undisclosed number of general-purpose Cryptel IP devices that are certified for use with all NATO security classification levels. The organization and member nations that purchase the equipment will use it to protect communications over various networks including NATO networks, public data networks and the Internet.
Although each member country has its own policies for protecting national classified information, all will be required to use NATO-approved equipment to transmit the organization’s classified data. “We therefore expect that the equipment will be used in some form in most or all NATO nations,” Barlund discloses.