Wireless Warriors Secure in Their Knowledge

August 2005
By Jeff Hawk

U.S. Army soldiers use SecNet 11 to send link-encrypted communications.
Modular Internet protocol-based encryption technology enables wireless transmission of Top Secret information.

Sending Top Secret e-mail from a hotel room may soon be possible pending the National Security Agency’s certification of new wireless Internet encryption technology. The modular Internet protocol (IP) encryption device would allow users to send classified data and voice messages using unsecured private and public networks.

Called SecNet 54, the device currently is undergoing the agency’s type-1 encryption certification process. Officials with the Melbourne, Florida-based Harris Corporation, which built SecNet 54 under the National Security Agency’s (NSA’s) commercial communications security (COMSEC) endorsement program, say they expect the agency to complete certification this month; it could be available for military use later this year.

Unlike previous NSA-certified radio frequency (RF) link encryption systems, SecNet 54 would secure classified transmissions by encrypting a user’s data, wrapping it in a valid routable IP-addressed packet and then delivering that packet through an Internet connection, according to Eric Petkus, systems engineer for Harris’ Secure Communications Group (SCG).

A user with SecNet 54 attached to a computer could generate a Top Secret message and send it wirelessly to another SecNet 54-equipped operative, who would then decrypt it. But the wireless option is only one of the modular device’s many possible configurations. Harris built the device so that its encryption component, or red side, could be detached from its transmission element, or black side. This design allows the user to bolt on various transmission media.

One SecNet 54 prototype offers an Ethernet module, which would result in a very small form factor, inline network encryptor, Petkus says. Other configurations might include integrated services or packet-switched digital network modules for modem applications or satellite formations. Or they could take the form of a tactical radio for low-probability-to-intercept type communication modules, he adds.

Keeping the crypto separate from the transmission medium offers “a friendly way to keep up with technology,” David Landeta, program manager, Harris SCG, says. As new technologies are developed, Harris’ modular design reduces the need to make changes to SecNet 54’s encryption component, which would require another lengthy NSA review, he explains. “We just have to design the black side. When we do the next module, the certification will be much quicker because we don’t have to do the security [certification].”

The technology seems in step with the U.S. Army’s vision. “The future for the Army is migrating to an end-to-end IP encryption standard and architecture,” says Dr. Edward M. Siomacco, director of technology, Army Chief Information Office/G-6. The warfighter will need only a single IP encryption device for multiple levels of security of information, he adds.

The value of this modular approach is not lost on one of the Army’s top wireless IP technology champions. According to Lt. Gen. Steven W. Boutelle, USA, the Army’s chief information officer/G-6, SecNet 54’s design looks like an interesting way of doing business. “You can unplug it and use it with the COMSEC by itself, or you can use it with wireless,” Gen. Boutelle observes.

The design allows Harris to seek out commercial products as transmission technologies change without interfering with the encryption. That appeals to an Army increasingly looking to commercial solutions to speed acquisition. “Don’t create anything proprietary if you can find something commercial off the shelf,” Gen. Boutelle states.

Petkus relates that this directive was the genesis for the modularity of this technology. “How do we take advantage of commercial technologies that are moving along so much faster than we can get this stuff certified?” he states.

Harris also incorporated previous NSA-certified technology into SecNet 54. The device uses Harris RF Communications Division’s Sierra II software programmable cryptographic processor. The programmable module enables Harris to adjust SecNet 54 for future U.S. Defense Department requirements and for those forwarded by coalition partners, Petkus says.

Connected to a laptop by Ethernet cable, SecNet 54 enables wireless Internet protocol-encrypted transmission of data and voice information. 
Sierra II built upon the original Sierra programmable module, which is embedded into Harris’ first entrant into the wireless encryption market, SecNet 11. Launched in January 2003, SecNet 11 is a small, 11-megabit-per-second NSA-certified type 1 wireless card that plugs into a computer’s PC-MCIA slot. The wireless device encrypts all aspects of the 802.11b protocol, which is the current standard wireless networking technology. The U.S. Marine Corps used SecNet 11 to build a secure wireless local area network for command and control elements during tsunami relief efforts in South Asia.

With the pending arrival of SecNet 54, Harris officials are struggling to differentiate the two technologies. “SecNet 54 is not a replacement for SecNet 11,” Petkus notes. In its wireless configuration, SecNet 54 can operate on the 54-megabit-per-second-enabled 802.11g wireless protocol, which he says is much better than the 11-megabit-per-second-enabled 802.11b protocol for SecNet 11. SecNet 54 is compatible with 802.11 a, b and g wireless IP standards. Its modular design offers the flexibility to accommodate emerging IP standards, Petkus adds.

SecNet 11 encrypts only the RF link, whereas SecNet 54 encrypts the entire IP packet, allowing it to be routed “around the universe,” Petkus says. He offers the following scenario: An Army commander in garrison could send an encrypted e-mail through the Internet over an 802.11 protocol, up to a satellite and back down over some local country’s network, and finally through a tactical operations center (TOC) gateway. Assuming both parties have data connectivity, the receiving TOC party could grab that encrypted message and decrypt it with another SecNet 54 device. SecNet 54 accomplishes this through a high assurance IP encryption, or HAIPE, tunnel, he explains. “It’s basically IP security over an NSA-tweaked protocol,” he adds.

In terms of its software programmability, SecNet 54 will be able to stay on top of evolving wireless IP standards. According to Landeta, the Sierra II chip set can support all the standards that are in the process of being placed. Another benefit of the modular design is that it allows Harris to take an off-the-shelf chip set when evolving wireless protocol standards raise data rates. “We won’t have to make any changes from a hardware perspective, and all the certification has already been done on the crypto side,” Landeta maintains.

Other differences exist. SecNet 54 communicates Top Secret data from end unit to end unit and can have an entire unsecured network in between. In contrast, SecNet 11 links one encrypted unit to another encrypted unit to transmit Secret and below classified data. In addition, SecNet 11 users plug a wireless card into a host device like a laptop, which requires drivers based on that unit’s operating system. A laptop user tied into a SecNet 54 with an Ethernet cable needs only a Web browser to configure the device.

Still, each device has its own uses. In Iraq, Petkus relates, units are using SecNet 11 to provide secure communications over 3- to 5-kilometer links, reducing the need to ferry CD-loaded data over dangerous roadways. SecNet 54 performs several different functions, he adds. It can serve as a gateway to a network. If the device is loaded with a Top Secret/Sensitive Compartmented Information (TS/SCI) Key Number 1, it will allow and decrypt only TS/SCI Key Number 1 packets to flow into it. The device rejects everything else, so it is acting like a filter, he relates.

The Army is slowly transitioning wireless technology into tactical units with specific security requirements. Gen. Boutelle says the service demands that those units use type 1 encryption, and technologies without NSA certification will not be able to play in the market. The general adds that Harris is the only company that has obtained NSA type 1 certification for wireless IP applications. As wireless protocol standards evolve, he envisions users accessing information from wireless services provided by hotels, coffee shops and mobile telephone providers to an Army-adopted wireless protocol in a wireless field environment.

Petkus predicts that as secured wireless communications emerges, the Army will begin to understand its impact. “Two or three years ago, the ability to have classified wireless didn’t exist at all,” he says. The Defense Department is just now coming to grips with the benefits it will provide in reducing cable weights and transport weights, and in the ability to assemble and disassemble more quickly and efficiently, he offers.

In a rapid deployment TOC environment, both SecNet 54 and 11 eliminate the need to string cable. Petkus offers another scenario where users want to extend their secret Internet protocol router network (SIPRNET) connectivity. “That’s hard in a wired world because that’s all protected conduit,” he says. Laying cable is costly and requires certification and accreditation once it is installed with alarms and other protection mechanisms, he adds. Both SecNet 54 and 11 provide SIPRNET drops to clients without having to run all those wires, he explains. Landeta says Harris anticipates providing various pre-integrated packages such as kits built specifically for long-range communications or video capabilities. “Everything has been pre-defined, and you don’t have to put things together piecemeal,” he adds.

Petkus says the development, certification and subsequent rollout of SecNet 11 taught Harris personnel new ways to communicate more effectively with NSA representatives. For SecNet 11, the company engaged in a few initial discussions about the product’s development and then went off to build it. This process took much longer than the subsequent, more inclusive approach taken to build SecNet 54. Landeta explains that the firm worked with the agency to have a collaborative, iterative process such that when it hit key points in the development, it would contact NSA and meet with its technical experts. This approach prevented “surprises” during product evaluation and certification and appears to be quickening the process, he adds.

At a time when surprises translate into a delay in the delivery of technology to warfighters, the more collaborative approach may signal a new model for doing business with the NSA. Says Petkus: “The NSA is much more confident that what it is getting is satisfying its security considerations.”


Web Resource
Harris Government Communications Systems Division: www.govcomm.harris.com