Misplaced Pages

High Assurance Internet Protocol Encryptor

Article snapshot taken from Wikipedia with creative commons attribution-sharealike license. Give it a read and then ask your questions in the chat. We can research this topic together.
Encryption device
This article has multiple issues. Please help improve it or discuss these issues on the talk page. (Learn how and when to remove these messages)
This article may require cleanup to meet Misplaced Pages's quality standards. No cleanup reason has been specified. Please help improve this article if you can. (March 2012) (Learn how and when to remove this message)
This article relies excessively on references to primary sources. Please improve this article by adding secondary or tertiary sources.
Find sources: "High Assurance Internet Protocol Encryptor" – news · newspapers · books · scholar · JSTOR (March 2012) (Learn how and when to remove this message)
This article needs additional citations for verification. Please help improve this article by adding citations to reliable sources. Unsourced material may be challenged and removed.
Find sources: "High Assurance Internet Protocol Encryptor" – news · newspapers · books · scholar · JSTOR (February 2008) (Learn how and when to remove this message)
(Learn how and when to remove this message)

A High Assurance Internet Protocol Encryptor (HAIPE) is a Type 1 encryption device that complies with the National Security Agency's HAIPE IS (formerly the HAIPIS, the High Assurance Internet Protocol Interoperability Specification). The cryptography used is Suite A and Suite B, also specified by the NSA as part of the Cryptographic Modernization Program. HAIPE IS is based on IPsec with additional restrictions and enhancements. One of these enhancements includes the ability to encrypt multicast data using a "preplaced key" (see definition in List of cryptographic key types). This requires loading the same key on all HAIPE devices that will participate in the multicast session in advance of data transmission. A HAIPE is typically a secure gateway that allows two enclaves to exchange data over an untrusted or lower-classification network.

Examples

Examples of HAIPE devices include:

  • L3Harris Technologies' Encryption Products
    • KG-245X 10 Gbit/s (HAIPE IS v3.1.2 and Foreign Interoperable),
    • KG-245A fully tactical 1 Gbit/s (HAIPE IS v3.1.2 and Foreign Interoperable)
    • RedEagle
  • ViaSat's AltaSec Products
    • KG-250, and
    • KG-255
  • General Dynamics Mission Systems TACLANE Products
    • FLEX (KG-175F)
    • 10G (KG-175X)
    • Nano (KG-175N)
  • Airbus Defence & Space ECTOCRYP Transparent Cryptography

Three of these devices are compliant to the HAIPE IS v3.0.2 specification while the remaining devices use the HAIPE IS version 1.3.5, which has a couple of notable limitations: limited support for routing protocols or open network management.

A HAIPE is an IP encryption device, looking up the destination IP address of a packet in its internal Security Association Database (SAD) and picking the encrypted tunnel based on the appropriate entry. For new communications, HAIPEs use the internal Security Policy Database (SPD) to set up new tunnels with the appropriate algorithms and settings. Due to lack of support for modern commercial routing protocols the HAIPEs often must be preprogrammed with static routes and cannot adjust to changing network topology.

A couple of new HAIPE devices will combine the functionality of a router and encryptor when HAIPE IS version 3.0 is approved. General Dynamics has completed its TACLANE version (KG-175R), which house both a red and a black Cisco router, and both ViaSat and L-3 Communications are coming out with a line of network encryptors at version 3.0 and above. Cisco is partnering with Harris Corporation to propose a solution called SWAT1

There is a UK HAIPE variant that implements UKEO algorithms in place of US Suite A. Cassidian has entered the HAIPE market in the UK with its Ectocryp range. Ectocryp Blue is HAIPE version 3.0 compliant and provides a number of the HAIPE extensions as well as support for network quality of service (QoS). Harris has also entered the UK HAIPE market with the BID/2370 End Cryptographic Unit (ECU).

In addition to site encryptors HAIPE is also being inserted into client devices that provide both wired and wireless capabilities. Examples of these include L3Harris Technologies' KOV-26 Talon and KOV-26B Talon2, and Harris Corporation's KIV-54 and PRC-117G radio.

HAIPE managers

Viasat and General Dynamics Mission Systems both develop their own proprietary software for managing HAIPE devices, VINE and GEM One, respectively. The GEM One specifications list support for the Viasat HAIPEs, KG-250X and KG-250XS while the data sheet for VINE only lists supported Viasat Network Encryptors.

Both the HAIPE IS v3 management and HAIPE device implementations are required to be compliant to the HAIPE IS version 3.0 common MIBs. Assurance of cross vendor interoperability may require additional effort. An example of a management application that supports HAIPE IS v3 is the L3Harris Common HAIPE Manager (which only operates with L3Harris products).

See also

References

  1. L-3 Communication Encryption Products
  2. ViaSat Information Assurance web page
  3. ViaSat KG-250
  4. ViaSat KG-255
  5. General Dynamics TACLANE Encryptor (KG-175)
  6. "Ectocrypt Blue by Cassidian, an EADS Company". Archived from the original on 2013-11-07. Retrieved 2013-11-18.
  7. "CASSIDIAN unveils ECTOCRYP YELLOW". September 2013. Archived from the original on 2013-11-18.
  8. Cisco Harris SWAT1 Solution
  9. Harris UK BID/2370 ECU
  10. "Harris KIV-54 (SECNET 54)" (PDF). Archived from the original (PDF) on 2013-10-30. Retrieved 2013-11-18.
  11. "Harris AN/PRC-117G". Archived from the original on 2008-09-30. Retrieved 2008-10-05.
  12. "VINE Data Sheet" (PDF). Viasat.com. Retrieved 19 June 2022.
  13. "GEM One Encryptor Manager - General Dynamics Mission Systems". gdmissionsystems.com. Retrieved 19 June 2022.

External links

Categories: