http://www.gcn.com/online/vol1_no1/46264-1.html
By Wilson Dizard III
GCN.com
05/15/08
A military cryptology organization has asked the vendor community for
advice on some of the technology options available to help upgrade the
government's classified communication systems.
The Cryptologic Systems Group's Cryptographic Modernization Program
Office at Lackland AFB, Texas, issued a request for information (RFI)
[1] recently regarding multilevel security (MLS) and multiple
independent levels of security.
Both of those technologies cover systems that can handle classified
information that falls into multiple security categories, including the
traditional top-secret-and-above and secret-and-below, in addition to
the security barriers between information domains operated by Pentagon
agencies and foreign allies.
Federal agencies often issue RFIs as they prepare procurement programs
for information technology goods and services and other items.
RFIs can provide useful insights into government agencies' potential
future procurement activities, but the requests do not commit agencies
to specific purchases. Also, the agencies frequently modify their
procurement plans based on information they gather via the RFI process.
Information that prospective vendors provide can alert agencies to newly
available technologies, potential stumbling blocks or likely dead ends
in the IT acquisition process.
The National Security Agency is the Pentagon's lead agency for code
development, or cryptography, and code breaking, cryptanalysis.
The multilevel crypto work falls under a program run by the Air Force,
but technologies the modernization program develops likely will be
deployed across various offices in the military and intelligence
communities when they receive certification and accreditation from NSA.
The May 7 information request includes an annex that describes the
government's multilevel crypto IT interests more fully.
Some of the pivotal areas of interest are:
* Aspects of MLS technologies that could be formulated into industry
standards to provide greater efficiency in producing solutions.
* How the Trusted Platform Module (TPM) can be used by a real-time
operating system.
* Specific components that would benefit from Application Specific
Integrated Circuits (ASICs) produced by the DOD Trusted Foundry.
The RFI shows how parts of its multilevel IT security description
overlap with existing NSA projects. NSA's NetTop and High Assurance
Platform (HAP), for example, rely on some of the same technologies that
the information request provides.
For example, the TPM that the RFI refers to forms a part of the HAP
standards and specifications package. That package helps define how
multilevel systems guard classified information from improper release or
exploitation, including:
* Asymmetric key generation.
* Data encryption and decryption.
* Handling the keys that TPMs sign and exchange.
The prospect that multilevel systems could use ASICs produced by the
Pentagon's own integrated circuit factory, or foundry, points to the
crypto community's preference for embedding security features into chips
and boards rather than using software to do so.
Intelligence community technology specialists saythat preference has
gained traction because of the increasingly large and sophisticated
malware attacks on DOD systems.
The RFI points to the crypto community's drive to create technology
standards that would help IT specialists upgrade system security and
lower the cost of developing future generations of classified systems.
[1] http://preview.tinyurl.com/6j9c6k
_______________________________________________
Attend Black Hat USA, August 2-7 in Las Vegas,
the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings
presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.
Visit product displays by 30 top sponsors in
a relaxed setting. http://www.blackhat.com
Comments