Slashdot Mirror


NSA Approves First 802.11b Product for Secret Data

joehoya writes "I realize this is a couple of days old, but the National Security Agency recently certified the Harris Corp's Secnet-11 as the first 802.11b system permitted to carry US SECRET level data. See press release. The system integrates NSA crypto with commercial chipset based 802.11b PCMCIA cards and access points to create a secure wireless LAN. Unfortunately, you and I won't be able to buy them, as they are only available to organizations with an NSA COMSEC account."

19 of 252 comments

  1. How is this unfortunate? by drinkypoo · · Score: 4, Interesting
    It's already possible to "leverage" "existing technologies" in order to do secure communications using "commodity hardware".

    Or, in English (and not marketdroidspeak) you can have perfectly secure communications over existing 802.11 as long as you encrypt at the protocol level rather than the hardware (link? I need to study my OSI seven layer network burrito) level. So why do we care about this anyway?

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    1. Re:How is this unfortunate? by Anonymous Coward · · Score: 2, Interesting

      Real basic encryption is done in hardware; it's just easy to crack. But who cares, you should always use your own higher-level protocol encryption schemes anyway. Yes, wireless communications are easier to "grab" out of the air than, say, grabbing your Ethernet from your company. In either case you should always use higher-level protocols like SSL and SSH to handle encrypted data or access to accounts.

      Having "hardware" only encryption is not and will never be a solution.

      I look on the current encryption scheme that 802.11b uses as a simple measure to make recording or watching communication harder. It in NO WAY is a means of total security. That is always better left to higher-level protocols than the link layer in 802.11b, or any networking protocol for that matter.

      Yes I only use/allow encrypted connections to all of my wired, and wireless systems.

  2. hum.... by tadheckaman · · Score: 2, Interesting

    When will someone take one apart and find out it's a and figure out how to rip the firmware out of it for use in standard cards?

    --
    My potato gun was confiscated by the United Nations. They said I wasn't allowed to have weapons of mash destruction.
  3. Public or private key? by thirty-seven · · Score: 4, Interesting

    I wasn't able to find this in the press release. Does anyone know if the encryption algorithm would be public key based, or would it be DEC or something like that?

    --

    Atheism is a religion to the same extent that not collecting stamps is a hobby.

  4. /me hopes this will make it out to the market by EvilOpie · · Score: 3, Interesting

    I hope that at some point technology like this makes it out to the hands of the average consumer. It's good to see that at least someone is trying to make wireless access more secure. It would be nice to be able to pick up a secure wireless product at some point, and use it out of the box without worries of it being insecure.

    But until then, there's always VPN or SSH tunnels. And as an added bonus, you can implement SSH tunnels for free. (even for web and other traffic... not just SSH data)

    --
    -Through the server, over the router, off the firewall... Nothing but 'Net!
  5. But it only works with Windows.......... by jcrb · · Score: 5, Interesting


    Who is fooling who here? None of the OSes (only Windows versions) it works with are certified for TOP SECRET data.... guess it's pretty useless till someone does the Linux port eh? :)

    --
    -jon
  6. Possible Use for detecting detecting software? by lpret · · Score: 3, Interesting

    In a recent article we discussed the futility of implementing a detector detector in a network. This seems that this would be one use that would actually help as an extra layer of defense.

    --
    This is my digital signature. 10011011001
    1. Re:Possible Use for detecting detecting software? by sakeneko · · Score: 3, Interesting
      In a recent article [slashdot.org] we discussed the futility of implementing a detector detector in a network. This seems that this would be one use that would actually help as an extra layer of defense.

      Stratum8 Networks, perhaps? (Disclaimer -- I work there, so I'm not unbiased.) :)

  7. why not in software? by mocktor · · Score: 5, Interesting

    Impressive stuff... from what the datasheet says this all looks to be implemented in hardware on the card - but given the low-level facilities of the chipsets on consumer-grade 802.11 cards is there any reason why some bright coder can't do a similar thing in driverspace?

  8. There's that secure wireless oxymoron again by kbielefe · · Score: 4, Interesting
    At my work we deal with a lot of secret and/or export controlled material. There are areas at my work set aside for foreign customers that we aren't even allowed to run a wired LAN connection to. If you want to run some software over there, you have to put it on a floppy or CD and carry it over from your desk. This can be a real pain when trying to find an elusive bug. Maybe it was just easier than getting the security measures approved to connect the LAN.

    If they have good reason at all to be that paranoid about a wired LAN, I think it won't take long for this "secure" wireless thing to come back and bite the NSA.

    --
    This space intentionally left blank.
  9. MAIN NSA COMSEC ACCOUNT by Istealmymusic · · Score: 3, Interesting

    The main NSA COMSEC Account is 880099, and its address follows:

    Middle River Facility
    Building A-W Dock 2
    2800 Eastern Boulevard
    Middle River, MD 21220
    --
    "The lesson to be learned is not to take the comments on slashdot too literally." --Vinnie Falco, BearShare
  10. This is great! by LittleLebowskiUrbanA · · Score: 3, Interesting

    My unit sets up networks in the field (I'm a Marine) and most of the work involves running a fiber backbone and running CAT5 to each and every computer in the field HQ (tents). We had looked into running wireless but of course the security was non-existent. Maybe now, we can spend more time training the junior Marines on real networking, not running CAT5 drops to some officer who "has" to check his email. My platoon will be looking into this tomorrow, I can assure you.

  11. Re:Proprietary crypto is lame by Anonymous Coward · · Score: 1, Interesting

    The academic/civilian crypto community is far behind the NSA. We don't really have any experience deducing the structure of cryptosystems with only ciphertext and bits of plaintext. The academic community today would have had a hard time breaking Enigma (assuming the wirings were not known) even with the computing power available to us. Bear in mind that almost all of the work done to cryptanalyse rotor systems is still classified. It is safe to say that there are entire categories of cryptanalytic and cipher design techniques that we are ignorant about. Look at Skipjack -- the use of a stepped LFSR in the round function adds tremendous variability to the cipher system. Skipjack appears to be exactly as strong as it needs to be (I believe the best attack we know about breaks 31 of 32 rounds with essentially all of the text available). It is also incredibly fragile, a peak of strength in a broad valley of weakness: practically any change one makes to it makes it much easier to break.

  12. What about system accreditation? by jinx90277 · · Score: 2, Interesting

    I work in the defense industry, so I have to deal with security issues on occasion. Even though they got someone to sign off on the security of the wireless transmission, it will be interesting to see how they actually implement this technology as part of a larger accreditable system.

    In my experience with security organizations, they tend to overemphasize the role of physical safeguards in designating a system as "secure," especially when it comes to COMSEC. How will they feel about accrediting a system in which multiple COMSEC units can be moved outside of a secured perimeter?

    --
    "she says i'm lousy conversation. as if that's supposed to help."
  13. So what? Even the phone book is classified! by pvera · · Score: 4, Interesting

    This is a non-event. And secret is not a life-or-death classification level, as anything that is considered remotely important will automagically get tagged with TS + keyword.

    --
    Pedro
    ----
    The Insomniac Coder
  14. Most readers missing the point... by drunkrussian · · Score: 5, Interesting

    To get something approved for processing at the SECRET level is a moderately big deal for those who work with such data. For the outside world, it's not the last word on the quality of the system.

    You can't, for example, get a Linux box approved to process SECRET information (at least, last I checked). Windows is approved, however. Yet, for the commercial user, I would say that Linux is more secure than Windows. What matters is how the system is set up. I'm kind of surprised that there's any demand for wireless networking at the SECRET level. With few exceptions, a classified box has to be physically disconnected from all other machines and operate only from hard drives with no communications software on them. There was an article on cnn.com today about a hacker who got access to sensitive but not classified information on military networks. The reason he didn't get access to classified information is because of the way it's protected.

    And forget about anything at the TOP SECRET level or above. We have a room at the office that does work at the TS level. If you bring a disk in there, you can't leave with it. If you bring a hard drive in there, it can't leave the room. Once a computer goes in there, it can't leave either. Well, that's not entirely true...security chops them up into little tiny pieces, waves magnets over them, and does some other magic to make them completely clean before they can leave. They're certainly never useable again. They even destroy the monitors before removing them from the room, in case an image might be burned into them.

    Anyway. People who deal with SECRET information will probably be interested in this article, and I'm sure life will go on with no change for those who don't.

    1. Re:Most readers missing the point... by Anonymous Coward · · Score: 1, Interesting

      Part of the problem with Linux not being able to process SECRET (and higher) data lies with its lack of C2 security mechanisms. Everyone pull out their DOD orange books and turn to page 17 (2.2 CLASS (C2): CONTROLLED ACCESS PROTECTION). Here's the basic list of what is needed for Linux to become a trusted C2 OS:

      - File ACLs (not just ugo:rwx permissions)
      - Memory scrubbing between allocations
      - An audit system

  15. Re:Proprietary crypto is lame by Dillon2112 · · Score: 2, Interesting

    One of the biggest aspects of military security lies in not revealing what technology they use. Any information given gives a potential attacker a clue where to start...a lack of such information greatly increases the time to even ascertain whether an encryption is even worth spending time on. As anyone who has hacked or tried to find security vulnerabilities knows, one of the nicest things you can hope for when trying to gain access to a server is what software and version it's running. If you don't know that, it kind of makes it hard to know where to start.

  16. Some highlights by mdecerbo · · Score: 2, Interesting
    I googled around. The site at www.secnet11.com is actually pretty informative, and there's some other information floating around out there too.

    Some highlights:

    • The card sticks out of the computer with two antennas poking up.
    • It uses an NSA encryption algorithm called BATON (from various stuff on the Web, I get the impression that BATON is a 64-bit block cipher with 128-bit keys that is designed for very fast operation)
    • the message address is encrypted to prevent traffic analysis (this is a big selling point against VPN technology)
    • Each packet has an 80-bit IV (it's rare to learn even that much about a Type 1 encryption system)
    • Cards cost over $2500 each. That's 30 times the price of a commercial WiFi card, but cheaper than traditional NSA encryption data products which seem to run around $5K per node.
    • "Red keys" are loaded via a special cable that connects to a data transfer device such as the CYZ-10.

    I wonder how much work it would be for someone to implement a commercial version of this using Rijndael, or AES, or something unclassified. With a larger market than the government, maybe it could be cheaper, and the development costs made up on volume...

    Let's face it, it's a pain to set up IPSEC on all your boxes...