HAIPE
A HAIPE is a Type 1 encryption device that complies with the National Security Agency's HAIPE IS (formerly the HAIPIS, the High Assurance Internet Protocol Interoperability Specification). The cryptography used is Suite A and Suite B, also specified by the NSA as part of the Cryptographic Modernization Program. HAIPE IS is based on IPsec with additional restrictions and enhancements. One of these enhancements is the ability to encrypt multicast data using a "preplaced key" (see the definition in List of cryptographic key types). This requires loading the same key on all HAIPE devices that will participate in the multicast session in advance of data transmission. A HAIPE is typically a secure gateway that allows two enclaves to exchange data over an untrusted or lower-classification network.
Examples of HAIPE devices include:
- L-3 Communications' HAIPE
  - KG-245X 10 Gbit/s (HAIPE IS v3.0.2)
  - KG-245A fully tactical 1 Gbit/s (HAIPE IS v3.1.2 and Foreign Interoperable)
  - KG-240A fully ruggedized 100 Mbit/s (HAIPE IS v3.1.2 and Foreign Interoperable)
  - KOV-26 Talon
- ViaSat's AltaSec products
  - KG-250
  - KG-255 (1 Gbit/s)
- General Dynamics' TACLANE KG-175
- Cassidian's ECTOCRYP Transparent Cryptography (http://www.cassidian.co.uk/ectocryp)
Cassidian's Ectocryp Blue, compliant to Version 3 and above, is capable of protecting TOP SECRET and below, including National Caveats such as UK Eyes Only (http://www.cassidian.co.uk/ectocryp-blue).
Three of these devices are compliant to the HAIPE IS v3.0.2 specification, while the remaining devices use HAIPE IS version 1.3.5, which has a couple of notable limitations: no support for routing protocols or open network management. A HAIPE is an IP encryption device: it looks up the destination IP address of a packet in its internal Security Association Database (SAD) and picks the encrypted tunnel based on the matching entry. For new communications, HAIPEs use the internal Security Policy Database (SPD) to set up new tunnels with the appropriate algorithms and settings. Because they do not support routing protocols, the HAIPEs must be preprogrammed with static routes and cannot adjust to changing network topology. While manufacturers support centralized management of their devices through proprietary software, the current devices offer no management functionality through open protocols or standards. Both of these limitations are due to be addressed in HAIPE IS version 3.0, due to be accredited in late 2008, but that date has slipped multiple times. Both the HAIPE IS v3 management and HAIPE device implementations are required to be compliant with the HAIPE IS version 3.0 common MIBs. Assurance of cross-vendor interoperability may require additional effort. An example of a management application that supports HAIPE IS v3 is the Common HAIPE Manager.
A couple of new HAIPE devices will combine the functionality of a router and encryptor when HAIPE IS version 3.0 is approved. General Dynamics has completed its TACLANE version (KG-175R), which houses both a red and a black Cisco router, and both ViaSat and L-3 Communications are coming out with a line of network encryptors at version 3.0 and above. Cisco has dropped its plans for producing its own HAIPE device.
There is a UK HAIPE variant that implements UKEO algorithms in place of US Suite A. Cassidian has entered the HAIPE market in the UK with its Ectocryp range (http://www.eadsdsuk.com/ectocryp/). Ectocryp Blue is HAIPE version 3.0 compliant and provides a number of the HAIPE extensions as well as support for network quality of service (QoS). Harris has also entered the UK HAIPE market with the BID/2370 End Cryptographic Unit (ECU).
In addition to site encryptors, HAIPE is also being inserted into client devices that provide both wired and wireless capabilities. Examples of these include L-3 Communications' KOV-26 Talon and Guardian SME-PED, and Harris Corporation's KIV-54 and PRC-117G radio.