(U) High Assurance Internet Protocol Encryptor (HAIPE ) JCMO

Similar documents
National Policy Governing the Use of High Assurance Internet Protocol Encryptor (HAIPE) Products

White paper. Combatant command (COCOM) next-generation security architecture

Managed Security Service National Security Information (MSS-NSI)

GSAW Information Assurance in Government Space Systems: From Art to Engineering

UNCLASSIFIED. Exhibit R-2, RDT&E Budget Item Justification Date February 2007 Appropriation/Budget Activity RDT&E Defense-Wide, BA 7

The SafeNet Security System Version 3 Overview

INFORMATION ASSURANCE DIRECTORATE

Secure Delay Tolerant Networking Using SBSP and IPMEIR Enabling Security, Resiliency, and Cost Savings for Space Mission Communications

What is Suite B? How does it relate to Government Certifications?

DoD Identity & Access Management (IdAM) Portfolio Overview

About FIPS, NGE, and AnyConnect

AnyConnect Secure Mobility Client for Windows 10

Understanding Data Link Gateway Challenges

Secure Government Computing Initiatives & SecureZIP

DoD Internet Protocol Version 6 (IPv6) Contractual Language

UNCLASSIFIED CPA SECURITY CHARACTERISTIC IPSEC SECURITY GATEWAY. Version 1.1. Crown Copyright 2011 All Rights Reserved

SENETAS ENCRYPTION KEY MANAGEMENT STATE-OF-THE-ART KEY MANAGEMENT FOR ROBUST NETWORK SECURITY

University of Sunderland Business Assurance PCI Security Policy

1) Revision history Revision 0 (Oct 29, 2008) First revision (r0)

Committee on National Security Systems. CNSS Policy No. 14 November 2002

PIN Security Requirements

Payment Card Industry (PCI) Point-to-Point Encryption

COMBINED FEDERATED BATTLE LABORATORIES NETWORK (CFBLNet)

Key Management Interoperability Protocol (KMIP)

Trusted Computing Group

This Security Policy describes how this module complies with the eleven sections of the Standard:

DIACAP and the GIG IA Architecture. 10 th ICCRTS June 16, 2005 Jenifer M. Wierum (O) (C)

CSE 565 Computer Security Fall 2018

A Security Infrastructure for Trusted Devices

SHA-1 to SHA-2. Migration Guide

UNCLASSIFIED. FY 2016 Base FY 2016 OCO

PKI-An Operational Perspective. NANOG 38 ARIN XVIII October 10, 2006

INFORMATION EXCHANGE GATEWAYS: REFERENCE ARCHITECTURE

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme. Validation Report. for

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme Validation Report

National Information Assurance (IA) Policy on Wireless Capabilities

DirectTrust Governmental Trust Anchor Bundle Standard Operating Procedure

The Open Protocol for Access Control Identification and Ticketing with PrivacY

Introduction to Network Security Missouri S&T University CPE 5420 Key Management and Distribution

XenApp 5 Security Standards and Deployment Scenarios

Lecture 15 PKI & Authenticated Key Exchange. COSC-260 Codes and Ciphers Adam O Neill Adapted from

Commercial Solutions for Classified (CSFC) Multi-Site Virtual Private Network Capability Package

Understanding Layer 2 Encryption

INTERNATIONAL LAW ENFORCEMENT HD CCTV NETWORK

existing customer base (commercial and guidance and directives and all Federal regulations as federal)

Updates: 2409 May 2005 Category: Standards Track. Algorithms for Internet Key Exchange version 1 (IKEv1)

UNCLASSIFIED FY 2016 OCO. FY 2016 Base

U.S. E-Authentication Interoperability Lab Engineer

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme. Validation Report

HP Instant Support Enterprise Edition (ISEE) Security overview

DoD Mobility Mobility Product Security Certification Processes

Campus IT Modernization OPERATIONAL CONTINUITY FLEXIBLE TECHNOLOGY MODERNIZED SYSTEMS

INFORMATION ASSURANCE DIRECTORATE

Indeed Card Management Smart card lifecycle management system

Transglobal Secure Collaboration Program Secure v.1 Technical Specification. Prepared by: TSCP Secure v.

Securing Data-at-Rest

National Information Assurance Partnership (NIAP) 2017 Report. PPs Completed in CY2017

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

An Introduction to Trusted Platform Technology

Public Key Infrastructure PKI. National Digital Certification Center Information Technology Authority Sultanate of Oman

CN9000 Series 100Gbps Encryptors

Brocade FastIron SX, ICX, and FCX Series Switch/Router

CIP Security Pull Model from the Implementation Standpoint

Brocade MLXe Family Devices with Multi- Service IronWare R

Supporting Infrastructure

Information Systems Security Requirements for Federal GIS Initiatives

1. CyberCIEGE Advanced VPNs

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme. Validation Report. for

FiXs - Federated and Secure Identity Management in Operation

Designing Network Encryption for the Future Emily McAdams Security Engagement Manager, Security & Trust Organization BRKSEC-2015

Advanced Certifications PA-DSS and P2PE. Erik Winkler, VP, ControlCase

SPAWAR Systems Center (SSC) Pacific Unmanned Vehicle (UV) Information Assurance (IA) Support

TECHNICAL STANDARDS ASSESSMENT REPORT

Multi-Domain exchange (MDeX) System

FIPS Compliance of Industry Protocols in Edward Morris September 25, 2013

SECURING MOBILITY. Through the Canadian Medium Assurance Solutions Program. ICMC May Greg Hills Director, Architecture and Technology Assurance

UNCLASSIFIED. R-1 ITEM NOMENCLATURE PE N: Tactical Data Links

Dell SonicWALL. NSA 220, NSA 220W and NSA 240. FIPS Non-Proprietary Security Policy

Achieving a FIPS Compliant Wireless Infrastructure using Intel Centrino Mobile Technology Clients

Exploring the ISA100.11a Standard. Exploring the ISA100.11a Standard. William (Bill) Ayers America s OneWireless Consultant.

Citrix XenApp and XenDesktop 7.15 LTSR FIPS Sample Deployments

INTERNATIONAL LAW ENFORCEMENT CCTV NETWORK SERVICES

COMBINED FEDERATED BATTLE LABORATORIES NETWORK (CFBLNet)

Multi-Vendor Key Management with KMIP

GDPR Update and ENISA guidelines

Implementing Secure Socket Layer

Transmission Security (TRANSEC) in an IP based VSAT Architecture April 2007

Assurance Activity Report (AAR) for a Target of Evaluation

National Information Assurance Partnership

National Information Assurance Partnership

Requirements for Building Effective Government WLANs

Payment Card Industry (PCI) PIN Transaction Security (PTS) Hardware Security Module (HSM) Evaluation Vendor Questionnaire Version 2.

Intelligent Solutions for the most Rigorous IT Security Requirements

HIT Policy Committee. Recommendations by the Certification and Adoption Workgroup. Paul Egerman Marc Probst, Intermountain Healthcare.

Who s Protecting Your Keys? August 2018

An Enterprise Guide to Understanding Key Management

Technical Security Standard

DEFENSE INFORMATION SYSTEMS AGENCY P. O. BOX 549 FORT MEADE, MARYLAND Joint Interoperability Test Command (JTE) 14 Apr 15

Cisco VPN Internal Service Module for Cisco ISR G2

OpenWay by Itron Security Overview

Transcription:

(U) High Assurance Internet Protocol Encryptor (HAIPE ) JCMO December, 2010 Mike Irani SPAWAR Systems Center Pacific irani@spawar.navy.mil (U) This information is not approved for public disclosure or redistribution without prior approval by NSA.

(U) Overview (U) HAIPE Overview (U) HAIPE Key Management Concepts EKMS and pre-kmi HAIPE Interim Solutions HAIPE and KMI (U) Current Initiatives (U) Products 8 DEC 2010 1

(U) The HAIPE Program Office (U) The mission of the HAIPE PO is to ensure interoperability between HAIPE implementations by specifying requirements and verifying compliance through demonstration, test, analysis, and inspection Development and configuration management of the HAIPE documents Development, configuration management, and deployment of the HAIPE Interoperability Test Tool (HITT) Embedded implementation developers must provide test harness/rig Operation of the HAIPE Interoperability Test Facility SPAWAR Systems Center Pacific (San Diego, CA) Interoperability not Interchangeability 8 DEC 2010 2

(U) HAIPE PO development process (U) Interoperability specification development based on solicited user requirements and current/near future technology trends (U) Vendor implementation based on market segment and user community needs (U) HAIPE interoperability testing ensures compliance with the HAIPE IS core and extensions (U) Vendor-to-vendor testing ensures interoperability across multiple vendors with similar capabilities (U) Product certified for the protection of National Security Sensitive information HAIPE IS Development Vendor Implementation HAIPE Interoperability Testing Vendor-to-Vendor Testing NSA Product Certification 8 DEC 2010 3 (U)

(U) What is the HAIPE Product Cycle? Key Activities Community Buy-In HAIPE PMO Resources Evaluator Review Product Cycle Specification User Demand Funding Evaluator Certification Product Purchase & Integration Configuration Guidance System Accreditation Implementation Deployment 8 DEC 2010 4

(U) Evolution of HAIPE Products (U) HAIPIS 1.3.5 Compliant Products (U) HAIPE IS 3.X Compliant Products (U) HAIPIS 1.3.5 resulted in development of primarily gateway based devices. (U) HAIPE IS 3.X is modular to enable development of a wide variety of devices Network Gateway Host/Embedded application 8 DEC 2010 5

(U) HAIPE IS Hierarchy (U//FOUO) The HAIPE Interoperability Specification is a set of documents that contains all HAIPE feature interoperability requirements (The HAIPE IS is not a product specification) Core features (mandatory for all implementations) Extension features (mandatory for some implementations) Multiple cryptographic suites Suite A (U.S., second party) Suite B (high risk of compromise, third party, and commercial) Legacy (backwards compatibility) Gateway HAIPE IS Core Generic Discovery Client (U) 8 DEC 2010 6

(U) Current HAIPE Key Products (U//FOUO) Suite A EFF vector (EFF exchange) In 5 DePAC (US, Coalition, CCEB, NATO, NATO Nations) CKL PPK (U//FOUO) Suite B EFF vector (MQV exchange) In 5 DePAC (US, Coalition, CCEB, NATO, NATO Nations) CKL APPK (U//FOUO) Device Keys S^2 (change software signature) P^3 (change DePAC) Q^2 (future change APPK trust anchor) 8 DEC 2010 7

(U) HAIPE Key Products Delivery Today (U//FOUO) EFF, PPK, APPK, P^3 and Q^2 Fax or call order Central Facility (CF) generated to Message Server (MS) Call for LMD to MS (or STE transfer to Data Transfer Device (DTD)) LMD decrypts Bulk Encrypted Transaction (BET) LMD transfer to DTD DTD file HAIPE (U//FOUO) PPK Generated at Key Processor (KP) LMD transfer to DTD DTD to HAIPE Note: 1. PPK, APPK, P^3, Q^2 generated at Fort Meade transferred to CF to MS 2. S^2 generated a Fort Meade and delivered on physical media only 3. PPK can be generated at KP or Fort Meade 4. APPK, S^2, P^3 and Q^2 must be called into Fort Meade 5. HAIPE IS 3.1 allows key to be loaded at one HAIPE and transferred to another HAIPE for consumption 8 DEC 2010 8

(U) HAIPE -to-haipe Key Transfer (HAIPE 3.1) 8 DEC 2010 9

(U) H2HKT Modes (U) Key material can be transferred using in-band and out-ofband modes In-band supports the delivery of symmetric key material only Out-of-band supports symmetric and asymmetric (U) Authentication and depac operations are performed at the client 8 DEC 2010 10

(U) HAIPE and KMI (U) HAIPEs are expected to be a major consumer of KMI products. (U) HAIPE 4.1 extension adds requirement for KMI/OTNK KMI 3301 describes HAIPE extension for OTNK (U) Additional work needed in determining delivery options for those device not able to connect to PDE. Disconnected nodes KMI Aware, non-pde enabled. 8 DEC 2010 11

(U) Current Developments (U) HAIPE version 4.1.0 Added IKEv2, ECDH Added Dynamic Multicast Group Creation (U) Participating in Corporate Initiatives GOTS Secret and Below Cryptographic High Valued Product (CHVP) IPMEIR Interoperability with CIS Suite B (U) Over 140,000 products fielded over 10 years (U) User input still influencing feature evolution 8 DEC 2010 12

(U) HAIPsec High Assurance IPSec (HAIPSEC) IKEv2 RFC4306 ESPv3 RFC4303 Suite B RFC 4869 HAIPE Interoperability Core and Extensions (CLASSIFIED) IPSec Minimal Essential Interoperability Requirements (IPMEIR) (UNCLASSIFIED) 8 DEC 2010 13

(U) Interoperability Model US Traditional HAIPE A&B IPMEIR NATO HAIPE B US DHS Commercial IPMEIR WAN IPMEIR IPMEIR HAIPE A&B IPMEIR Coalition CCEB 8 DEC 2010 14

(U) Challenges (U) Keying Infrastructures Alignment (U) Interoperability Testing (U) Beyond the US 8 DEC 2010 15

(U) HAIPE product schedule HAIPIS 1.3.5 Basic Cryptographic Interoperability L3 KG-240 KG-245 KG-245X ViaSat KG-250,A KG-255 GD KG-175 Classic, E100,A,& B FY06 L3 Talon GD KG-175D KG-175R SAFENET CHIP 3340 ViaSat KG-250 Harris KIV-54 FY07 Harris Falcon III ViaSat BGAN/IT Myko KIV-7MiP L3 KG-245A HAIPE IS 3.0.2 Common Management Improved Overhead IPv6 GD SME-PED (IPv4 subset) FY08 L3 KG-240A KG-245A & X SME-PED (IPv4 subset) GD KG-175D KG-176 Myko KIV-7MiP ViaSat KG-250,A,M,T FY09 HAIPE IS 3.1.x HAIPE-to-HAIPE Re-keying Non-Gateway Devices (client) HAIPIS 1.3.5 Compliant Product HAIPE FI Compliant Product HAIPE IS 3.0 Compliant Product HAIPE IS 3.1 Compliant Product L3 KG-240A KG-245A GD KG-175D KG-175A, B,R ViaSat KG-250,A. M, T KG-255 FY10 FY11 8 DEC 2010 16

(U) Questions? December, 2010 Mike Irani SPAWAR Systems Center Pacific irani@spawar.navy.mil (U) This information is not approved for public disclosure or redistribution without prior approval by NSA.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback