Slashdot Mirror


NSA Approves First 802.11b Product for Secret Data

joehoya writes "I realize this is a couple of days old, but the National Security Agency recently certified the Harris Corp's Secnet-11 as the first 802.11b system permitted to carry US SECRET level data. See press release. The system integrates NSA crypto with commercial chipset based 802.11b PCMCIA cards and access points to create a secure wireless LAN. Unfortunately, you and I won't be able to buy them, as they are only available to organizations with an NSA COMSEC account."

17 of 252 comments

  1. Correction: by dj28 · · Score: 5, Informative

    That should be nsa.GOV, not nsa.MIL.

  2. link may need changing? by doc_side · · Score: 2, Informative

    nsa.gov maybe instead? and not nsa.mil?

  3. Re:But it only works with Windows.......... by Zordak · · Score: 2, Informative

    It's more like an NSA secure Linux kernel hack that adds some kernel level authentication layers. Also, their disclaimer states that it's more of a conceptual thing they were doing to prove out the concept, and that they don't guarantee it will actually work or anything.

    --

    Today's Sesame Street was brought to you by the number e.
  4. expensive network kit by Indy1 · · Score: 4, Informative

    Ouch, I just found the price list. This stuff is $$$$$$$$$$$$$.

    The PC cards are $2500.

    WAPs are $1000.

    I think I'll stick to VPN over 802.11

    Source of pricing is www.govcomm.harris.com/secure-comm/support/pricelist.html

    --
    Lawyers, MBA's, RIAA? A jedi fears not these things!
  5. Re:How is this unfortunate? by Openadvocate · · Score: 2, Informative

    Yes, but this is where most people fail.
    First you could start by "securing" the net using the "security" available today in 802.11, something all too few companies do.
    Then instead of connecting it to your network, you could connect it to the outside of a VPN box, so that you would need to run VPN over it.
    If set up right it would work well for those on notebooks, since they use the same method to connect to the company network whether they are on site or remote using the internet. The difference is that on site you would use your 802.11 card, and remote you would use an Ethernet/modem connection to the internet to connect.
    I have tried this and it can work; you can even make it work so that the people in the sales dept. can understand it.

    With that said, I am still amazed by the number of companies who install an 802.11 net without securing it at all. I have tried it many times: I open my notebook, connect to the network and ask them for an account so I can log in. Then they ask me how I got connected to their network and I tell them that I am just using their wireless net.
    After that I normally can sell a few hours extra to secure their wireless net, and recommend that if they want that extra security, they should do something like I mentioned above.
    And so I end the day with selling a few extra hours and maybe some VPN boxes.

    --
    my sig
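An added example (editor's code, not from the comment above or from any product in the story) of the layout Openadvocate describes: the access point hangs off an isolated segment whose only exit is the outside interface of a VPN box, so the only traffic that should ever originate on that segment in the clear is tunnel set-up. The script audits flow records for that property. The segment 10.99.0.0/24, the gateway address 10.99.0.1, the record format and the records themselves are all assumptions made for the demonstration, and IKE (UDP/500, UDP/4500) plus ESP stand in for whatever the chosen VPN box actually speaks.

```python
import re
from ipaddress import ip_address, ip_network

# Assumed addressing: the 802.11 access point is on an isolated segment whose
# only gateway is the outside (untrusted) interface of the VPN box.
WLAN_SEGMENT = ip_network("10.99.0.0/24")   # assumed
VPN_GATEWAY = ip_address("10.99.0.1")        # assumed: outside interface of the VPN box

# The only traffic a wireless client may originate in the clear: IKE (UDP/500),
# IKE NAT-T (UDP/4500) and ESP (IP protocol 50), all aimed at the VPN box.
# Everything else has to ride inside the tunnel.
ALLOWED = {("udp", 500), ("udp", 4500), ("esp", None)}

# Assumed flow-record format, e.g.
# "t=09:00:01 src=10.99.0.23 dst=10.99.0.1 proto=udp dport=500"
FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\w+)(?: dport=(\d+))?")


def parse_flow(line: str):
    """Return (src, dst, proto, dport) for one record, or None if it does not parse."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    src, dst, proto, dport = m.groups()
    return ip_address(src), ip_address(dst), proto.lower(), (int(dport) if dport else None)


def is_permitted(src, dst, proto, dport) -> bool:
    """Policy: wireless clients may talk to the VPN gateway, and only to set up the tunnel."""
    if src not in WLAN_SEGMENT:
        return True          # did not originate on the wireless segment; a different check's concern
    if dst != VPN_GATEWAY:
        return False         # a wireless host reaching anything else has bypassed the VPN
    return (proto, dport if proto == "udp" else None) in ALLOWED


def audit(lines):
    """Return the records showing wireless-segment traffic that bypasses the VPN box."""
    violations = []
    for line in lines:
        flow = parse_flow(line)
        if flow is not None and not is_permitted(*flow):
            violations.append(line)
    return violations


# Constructed sample records (not captured from any real network).
SAMPLE_FLOWS = [
    "t=09:00:01 src=10.99.0.23 dst=10.99.0.1 proto=udp dport=500",    # IKE to the VPN box: fine
    "t=09:00:02 src=10.99.0.23 dst=10.99.0.1 proto=esp",              # tunnel traffic: fine
    "t=09:00:05 src=10.99.0.41 dst=10.1.0.5 proto=tcp dport=445",     # SMB straight to a file server: leak
    "t=09:00:07 src=10.99.0.41 dst=203.0.113.9 proto=tcp dport=80",   # wireless host browsing in the clear: leak
    "t=09:00:09 src=10.1.0.5 dst=10.99.0.23 proto=tcp dport=445",     # originates on the wired side: out of scope
]

if __name__ == "__main__":
    for bad in audit(SAMPLE_FLOWS):
        print("bypasses VPN:", bad)
```

The same policy is what the rule set on the VPN box's outside interface has to enforce; the script only tells you whether the flows you can see are consistent with it, which is a cheap way to catch an access point that was quietly patched into the wired LAN instead.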
  6. ...it is... by Eric_Cartman_South_P · · Score: 3, Informative
    http://www.gnupg.org/

    ;)

  7. it's not worth the money b/c... by illegalien · · Score: 1, Informative

    It doesn't even work with Linux.... that's like putting tons of gold nuggets in a shack with broken windows and using a high security lock for the front door.

    are the prices justified?

    PC Card: $2,495.24
    Wireless Bridge: $1,481.83
    Access Point: $990.89
    Key Fill Cable: $153.14

  8. Re:But it only works with Windows.......... by Hal_9000@!!!@ · · Score: 5, Informative

    None of the OSes (only Windows versions) it works with are certified for TOP SECRET data

    Yeah, and Trusted Solaris, and Trusted Irix, and a bunch of other OSs you've probably never heard of. Look at this if you don't believe me.

    --
    My email is real.
  9. Re:How is this unfortunate? by Sheetrock · · Score: 2, Informative
    SSL and SSH are great when you can use them, but there are circumstances when software-level encryption is prohibitive for one reason or another (too costly, unavailable, breaks things). Windows file shares are a pretty good example of the latter, as are NFS shares or a system that just doesn't support it.

    You can establish an SSH session to a Linux system rather easily, but maybe the six-year-old AS/400 sitting on the internal corporate network doesn't. Upgrading the AS/400 is an expensive proposition. Implementing a VPN solution, perhaps at the border router or with another internal system, is probably the best method with current 802.11 hardware. But if the hardware supports encryption, everything is transparent.

    Hardware-level encryption certainly doesn't absolve the end user of the responsibility of encrypting Internet communications. However, on an internal network, I think you should be able to trust your wireless connections to the same degree you can trust your wired ones. At worst, hardware-level encryption is a wasted step, but it would give some protection to the average user who expects the internal network to be protected.

    --

    Try not. Do or do not, there is no try.
    -- Dr. Spock, stardate 2822-3.
  10. Re:Make NSA crypto Open Source! by joe_bruin · · Score: 3, Informative

    well, the nsa not too long ago standardized on an open source, patent free digital encryption algorithm for their 'advanced encryption system' (aes), to be used in many forthcoming applications, and replace the aging 'data encryption system' (des). the algorithm they've chosen is called rijndael. here is the source for one implementation.

    is this kind of like what you were asking for?

  11. Re:But it only works with Windows.......... by Dragon213 · · Score: 2, Informative

    And if you would see the software that secures them for TOP SECRET data, you would be amazed...
    That particular drive is not used for any other processing, nor is it removed from the secure COMSEC vault. It is coded and numbered, and is not used in any other computer. The computer itself has an encryption algorithm that I've never seen (not GOSH, BLOWFISH, or PGP algorithms) based upon a 1024-bit rotating key that not even the user knows. It is completely random (insofar as a computer can be random) and based upon a random seed. The user's login and password is also encrypted, and typically the computer is not connected to an ethernet network, but rather a dial-up connection through STU-3 or -4 secure modems.
    And yes, the government uses Windows because of a licencing deal with the ever-pervasive MS.

    Just something to think about....

    --
    --CypherDragon
  12. Re:How is this unfortunate? by doc_side · · Score: 2, Informative
  13. Re:In other news by filmnorthflorida · · Score: 2, Informative

    It would be even funnier if it weren't so true.

    --
    --- php: perl hates people
  14. Re:Make NSA crypto Open Source! by istartedi · · Score: 5, Informative

    Let's say that the quality of the code is roughly proportional to QN, where N is the number of developers and Q is the quality of each developer.

    The alleged value of Open Source is that it allows you to increase the value of N by a dramatic number. Even if the developers are merely average, you can get a higher QN with Open Source than with closed source for many projects.

    Of course, if the number of half-finished projects on Sourceforge is any indicator, simply opening up is not enough. You have to have some appeal to developers or you aren't going to raise your N much.

    Then of course there is the other factor, Q. Even if you have something really cool, there is no guarantee that those interested will be any better than average, and you will also have to expend some effort "managing" those who are below average or who are just plain crackpots.

    Something tells me that the NSA has no trouble attracting developers with a very high "Q" and in sufficient "N" to do an excellent job.

    Yes, I know about the "mythical man month" and that you can't just add up developers as I've suggested. That's why this is just an approximation.

    Frankly, I think your post borders on Trollish because you've got "only" and "fully secure" in there; but there are probably plenty of people on /. who will eat up your post, just as there are plenty of people who think that obscurity==security. Of course neither side is right; Open Source isn't a panacea, but giving up obscurity isn't always such a bright idea either.

    --
    For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
  15. Re:Make NSA crypto Open Source! by khafre · · Score: 4, Informative

    There is a declassified crypto algorithm, designed by the NSA, and available to you. It's Type 2 (good for sensitive but unclassified) called Skipjack. Available here.

  16. Re:Public or private key? by Ayanami+Rei · · Score: 3, Informative

    It's called "Baton" and it was developed by the NSA; the details of the algorithm are Top Secret/Proprietary. It's a Type-1 encryption algorithm, the kind that can be used to encrypt Secret/Top-Secret information, for example, on SIPRNET. Harris/Intersil was licensed to create a security module that implements the algorithm.

    Baton is a symmetric key cipher, by the way. I read somewhere it's a 160 or 320-bit key and of course it has various chaining modes. So it's definitely strong. It uses the SHA-1 hash in the protocol too.

    --
    THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
  17. Clarification on military networks by Boka+Dominigo · · Score: 5, Informative

    I speak only for myself, not as an official representative of the U.S. Government.

    I decided to write this because I often see misconceptions of military networks on slashdot.

    I have been a network administrator in the U.S. Air Force for 5 years. I have administered classified networks in Asia, Europe, the Middle East and the U.S. I have worked on Air Force and Army networks.

    (1) The basic levels of classification are:
    Unclassified
    Confidential
    Secret
    Top Secret

    There's some gray areas between and above but those are the basics

    (2) You can process classified information on almost any platform you want. Top Secret on DOS, no problem. Windows 95, every day. Linux, sure. The big restrictions come when a computer is connected to both classified and unclassified networks. In that case the machine must be trusted to differentiate between the classifications. It must make sure that only Unclass was written to the disk you're going to carry over to the unclassified network.

    (3) Classified information, once properly encrypted, is no longer classified and you can pretty much do what you want with it (put it on your t-shirt, print it on a flag and wave it, blast it into space, send it over the internet, whatever)

    (4) Because of the above, wireless and classified are nothing new. Radios, wireless networks, satellite phones, all of them are used to transmit classified information.

    (5) Moving classified information over unclassified networks is old news and several devices already exist. Devices like the NES (Network Encryption System) and the TACLANE are used to plug in to a classified network, encrypt and encapsulate the data, then move that data over an unclassified network.

    http://www.fas.org/irp/program/security/_work/kg-175.html

    (6) What this new device offers is convenience. Previously, to run a network over a wireless link the procedure went something like:

    Connect computer/network to DTE/DCE device
    Connect DTE/DCE device to crypto
    Connect crypto to wireless transmission medium

    These steps needed to be completed for both sides of each link. It is slow, complicated, and expensive.

    (7) Why not use IPSEC? It's complicated and not NSA certified. You should be able to give crypto to a user and only explain three things to them; in, out, power. Nothing to misconfigure, either it works or it doesn't, no chance of classified spillage.

    (8) Why doesn't someone with access just take this thing apart and figure out whatever? This product is likely a CCI (controlled cryptographic item). Opening CCI without certification/authorization is illegal. Besides, without dissecting the chips, how much are you really going to learn?

    (9) The NSA must have a back door built in, right? No. A back door built in for them would be vulnerable to anybody. I highly doubt we would move national security information over a wireless network with a back door. If you're using their encryption keys, they have a copy and can read the info anyway. If you're not using their encryption keys, then you don't have one of these devices.

    (10) Isn't someone going to crack this in a week? No. NSA certified encryption is good and well tested. We still routinely send Top Secret information over 10 year old encryption devices. If they had been compromised, we wouldn't be using them. The information sent from this device is encrypted. Without the same encryption key, you can't communicate with the device. Period.

    (11) What about sniffing packets and breaking the key? Go ahead and try. Encrypted information has been floating around in the air for years and years. Multimillion-man armies have been sniffing and recording and trying to break it for decades. The keys change often. Sure, someone might (if they were lucky) break one key in ten years, but many devices get a new key every day.

    I'm sure I left some stuff out and there are faults in my knowledge and spelling. If you have any questions, post and I will try to answer them.
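An added example (editor's code, not from the comment above and not the Harris or NSA design) of points (3), (5), (10) and (11): an in-line link encryptor takes a red-side (plaintext) frame, encrypts and authenticates it under the key for the current key period, and emits a black-side frame that can cross any untrusted medium; the unit at the far end accepts a frame only if it carries a valid tag under its own key for its current period, so a frame from a different key, a different period, or one that was altered in flight is dropped without being decrypted. HMAC-SHA256 in counter mode is used here as a stand-in for the classified algorithm, per-period keys are derived from a master key instead of being filled from key-fill equipment, and the wire format (MAGIC tag, period number, nonce, tag) is invented for the demonstration.

```python
import hashlib
import hmac
import os
import struct

MAGIC = b"LNK1"      # hypothetical wire-format tag, not any real device's format
NONCE_LEN = 12
TAG_LEN = 32         # HMAC-SHA256 output
HDR_LEN = len(MAGIC) + 4 + NONCE_LEN


def period_keys(master_key: bytes, period: int):
    """Derive separate encryption and MAC keys for one key period.

    HMAC-SHA256 doubles as a simple KDF here (an assumption for the example); a real
    device would have a fresh key filled for each period rather than deriving it.
    """
    label = struct.pack(">I", period)
    enc_key = hmac.new(master_key, b"enc" + label, hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"mac" + label, hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256, standing in for the real cipher."""
    blocks = [
        hmac.new(enc_key, nonce + struct.pack(">Q", ctr), hashlib.sha256).digest()
        for ctr in range((length + 31) // 32)
    ]
    return b"".join(blocks)[:length]


def encapsulate(master_key: bytes, period: int, red_frame: bytes) -> bytes:
    """Red side in, black side out: encrypt-then-MAC one frame for the untrusted network."""
    enc_key, mac_key = period_keys(master_key, period)
    nonce = os.urandom(NONCE_LEN)                      # fresh per frame; never reused with a key
    header = MAGIC + struct.pack(">I", period) + nonce
    body = bytes(p ^ k for p, k in zip(red_frame, keystream(enc_key, nonce, len(red_frame))))
    tag = hmac.new(mac_key, header + body, hashlib.sha256).digest()
    return header + body + tag


def decapsulate(master_key: bytes, current_period: int, black_frame: bytes):
    """Return the red-side frame, or None if the frame is not for this key/period or fails its tag."""
    if len(black_frame) < HDR_LEN + TAG_LEN or not black_frame.startswith(MAGIC):
        return None
    period = struct.unpack(">I", black_frame[len(MAGIC):len(MAGIC) + 4])[0]
    if period != current_period:
        return None                                    # stale or future key period: rejected outright
    nonce = black_frame[len(MAGIC) + 4:HDR_LEN]
    body, tag = black_frame[HDR_LEN:-TAG_LEN], black_frame[-TAG_LEN:]
    enc_key, mac_key = period_keys(master_key, period)
    expected = hmac.new(mac_key, black_frame[:HDR_LEN] + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                                    # wrong key or tampered frame; checked before decrypting
    return bytes(c ^ k for c, k in zip(body, keystream(enc_key, nonce, len(body))))


if __name__ == "__main__":
    master = b"\x01" * 32                              # constructed key, not a real fill
    wire = encapsulate(master, 7, b"constructed SECRET red-side frame")
    print("black-side frame:", wire.hex())
    print("same key, period 7:", decapsulate(master, 7, wire))
    print("same key, period 8:", decapsulate(master, 8, wire))
    print("other key, period 7:", decapsulate(b"\x02" * 32, 7, wire))
```

The two properties the comment leans on show up directly: only the header (period number and nonce) is visible on the black side, and a frame encrypted under yesterday's period is refused today even by a unit holding the same master key, which is what makes a daily key change limit the value of anything recorded off the air.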