Designers of military radios, secure software operating systems, and field-programmable gate arrays (FPGAs) are concentrating on advanced security measures to ensure sensitive information gets to intended recipients with no interception or tampering along the way.
BY John Keller
Today’s digital battlefield is a data- intensive place. The notion of network-centric warfare means data from video, images, text, and voice communications ping-pongs across every military theater at a dizzying pace, and there is no letup in sight for the volume of data traffic during military operations. The unquenchable thirst for information of all kinds relative to enemy positions and friendly forces, medical resources, fire support, nearby aircraft, the status of resupply, and countless other crucial data points promises to grow in volume and urgency to match the ever-quickening tempo of military operations.
Still, victory on the modern battlefield does not always go to the forces able to move data more quickly than their opponents. Increasingly, the crucial factor is becoming the ability to move data not only quickly, but also safely. Advanced electronic warfare, signals intelligence, and cyber warfare techniques are becoming widely available across the globe, which places military data communications in increasing jeopardy from sophisticated computer hackers, code breakers, and reverse-engineering specialists.
We know that U.S. and allied military forces are able to move mountains of data quickly. The bigger question is: Can they do it reliably? In short, those transmitting want to make sure that military data gets to its intended recipients—and ONLY those intended recipients—and that this data has not been intercepted or tampered with along the way. Those receiving military data want to make sure this data is authentic. Today’s cyber and information warfare, after all, relies nearly as much on spoofing and misinformation as it does on denying communications to its adversaries, and those receiving military data on the ground want reasonable confidence they haven’t been victims of these practices.
|Warfighters on today’s network-centric battlefield need to ensure that data reaches intended recipients without being intercepted or tampered with.|
Among the top enabling technolo- gies for real-time data dissemination and verification on the battlefield involve sophisticated encryption, anti-tamper, and wireless communications schemes that are difficult, if not impossible, to intercept and decipher. Key to these capabilities are secure software, advanced radios and wireless networking, and anti-tamper technology—particularly when it comes to field-programmable gate arrays (FPGAs).
As fair warning to the reader, much of the encryption and other security technology in military radios and other wireless communications devices is classified, and in the purview of the U.S. National Security Agency (NSA) at Fort Meade, Md. Details of encryption algorithms and related enabling technologies are not available in open sources.
Levels of security
The NSA has several levels of security classification, ranging from secret to coded terms beyond top secret. Where the aerospace and defense industry is concerned, five basic components encapsulate the concept of information assurance: confidentiality, authenticity, integrity, availability, and non-repudiation, explains Richard Newell, senior principal product architect at the Microsemi Corp. SoC Products Group in Mountain View, Calif. Microsemi SoC—short for systems on chip—specializes in FPGAs, and Newell is concerned primarily with security and information assurance related to FPGAs.
Confidentiality refers to concealing message transmissions, through scrambling, enciphering, spread-spectrum, or frequency hopping techniques to foil an adversary’s attempts to eavesdrop on sensitive radio data communications. Integrity, meanwhile, refers to ensuring that transmitted data messages are intact, and have not lost bits or suffered other kinds of data corruption.
Authentication refers to ensuring that received data transmissions are actually from the senders from whom the data is expected. Authentication can use cryptographic keys known only to the data senders, which must be included in all data traffic to be considered authentic.
Availability simply means radio data communications are available when needed, and not overly influenced by equipment malfunctions, enemy jamming, or other kinds of denial-of-service countermeasures. Non-repudiation, which is related to authenticity, refers to measures taken to ensure not only that transmitted data is authentic, but also to prevent senders of authentic data to deny later that they actually sent the data in question.
Radio communications also have three basis definitions when it comes to data security and data assurance. The first is transmission security, sometimes called TRANSEC, which ensures that radio messages get through, are not compromised by electronic jamming, and are not intercepted or tampered with in transit.
The second radio information assurance definition is communications security, sometimes called COMSEC, which ensures that adversaries cannot track and decipher transmitted data, even if they are able to intercept it. The third refers to additional safeguards in RF communications applications, such as time stamps, to ensure that transmitted data is valid. That third definition “is very application-specific, and often is built specifically into military communications systems,” explains James Kroeger, chief engineer, tactical communications at ITT Corp. Communications Systems in Fort Wayne, Ind., which designs and manufactures the Single Channel Ground and Airborne Radio System (SINCGARS).
|By allowing information to securely travel from one security level to another, the NanoGuard delivers more information to the soldier in tactical environments. The warfighter can use this information to support mission success, trusting that it is accurate and authentic.|
Curse of the cell phone
One might believe that securing battlefield radios from enemy intrusion and eavesdropping might have straightforward solutions. Anti-jam radios like SINCGARS, for example, have been in use for decades. SINCGARS uses frequency-hopping techniques for transmission security, and encryption for communications security, for example. Other military radios, such as those from the Harris Corp. RF Systems segment in Rochester, N.Y., and the manufacturers of the Joint Tactical Radio Systems (JTRS) also have strong TRANSEC and COMSEC built in.
The problem emerging these days, however, involves warfighters and their attitudes toward ubiquitous cell phone technology—particularly the so-called smartphones, like the Apple iPhone and cell phones from various manufactures that use the Google Android mobile operating system.
“We’re starting now to see people who are looking at mobile communications capability that is equivalent to a cell phone, but that handles secure information on the network,” explains Robert Day, vice president of marketing at LynuxWorks Inc. in San Jose, Calif., a designer of real-time and secure software.
“This is the next part of the network-centric battlefield, and there is no real standard for that now,” Day says. “We have software-defined radio, but this is looking at cell phone technology for different networks on the battlefield. It needs multiple feeds of information to succeed on the battlefield.
“Military leaders are starting to see how people look at mobile communications with the equivalent of a cell phone and look at secure information on the network,” Day adds. “This is the next part of the network-centric battlefield. No real standard exists for that now. We will need multiple feeds of information to succeed on the battlefield, yet without the massive hardware out there we have traditionally had.”
How people use cell phones today in their everyday lives is driving much of the thinking going into tomorrow’s military secure data communications. “Is there a way to do this so we can have as much confidence as we can in using commercial off-the-shelf phones, yet use them on the battlefield,” asks David Kleidermacher, chief technology officer at Green Hills Software in Santa Barbara, Calif.
|The General Dynamics TacGuard enables secure transfer of information within a tactical vehicle on one screen. Warfighters in the vehicles can trust that the data received is authentic and the data shared is secure.|
Traditional secure radio
Until secure smartphone technology can be brought to the battlefield, however, U.S. military forces today rely on traditional radio technology like SINCGARS, JTRS, and the Falcon family of radios from Harris RF Communications. These radios depend heavily on sophisticated NSA-approved COMSEC encryption algorithms, as well as TRANSEC technologies like spread-spectrum and frequency hopping.
Still, traditional military radio manufacturers must contend with today’s design imperatives of building radio communications capability that is small, lightweight, and consumes as little power as possible. This size, weight, and power issue is commonly known as SWaP. This means that data security and information assurance capability in military radio systems must be built small and power-efficient.
“We have grown our understanding of what are the interfaces for IA [information assurance], and we offer the whole gamut of those solutions,” says David Bukovick, program manager, General Dynamics C4 Systems in Scottsdale, Ariz.
On the large side, General Dynamics C4 Systems is working on the U.S. Department of Defense Warfighter Information Network-Tactical (WIN-T) program, which Bukovick describes as “a huge tactical network system deployed across the battlefield.” For WIN-T, General Dynamics uses the Radiant Mercury system from the Lockheed Martin Corp. Information Systems & Global Solutions-Defense segment in San Diego. Radiant Mercury enables sharing of sensitive data among differing security domains.
On the small side, General Dynamics has developed the Nano matchbox-sized, man-wearable computer designed to control the transfer of information between a manpack computer and the U.S. military Joint Tactical Radio System (JTRS), Bukovick explains. The Nano gets power from a USB port, so does not require batteries.
“It’s built in a way that there is almost no actual soldier interaction required,” Bukovick says. “There are security policies implemented that determine what can and can’t transfer from one domain to another.” The Nano erases crucial information when it powers down to keep important data out of enemy hands. At power-down “it is just a dead piece of computing hardware,” he says.
Among design trends in military radio security is single-processor encryption, while previous generations used two separate processors to implement security algorithms to avoid one device corrupting software on the other. “In more modern radios, designers are leaning toward a single device for the COMSEC and TRANSEC algorithms,” says ITT’s Kroeger. “There is one piece in the radio that does all the security.”
Among the most crucial aspects of real-time data dissemination and verification on the battlefield is secure software. Among the latest trends in secure software is partitioning real-time operating systems or microkernels into secure and non-secure sections. The idea is to isolate secure and non-secure software partitions to avoid cross-corruption and providing entry ways for would-be software hackers.
“We have been focused on providing the platform that allows people to separate multiple networks and multiple domains on a single physical platform,” explains Robert Day, vice president of marketing at secure real-time software expert LynuxWorks Inc. in San Jose, Calif.
“As we get to the battle front, more and more information is relied on by the warfighter, but the information is coming from so many different places and networks that the actual management of that wont’ fit in a humvee or a tank because you have too much potential information,” Day says. “We have been looking at how we can help government contractors shrink that down without losing any performance or security, by moving to a single piece of hardware. We do the separation so people can drop multiple existing systems onto each secure domain on our single software platform.”
The growing popularity of cloud computing—in which software applications, data, and computer processors elsewhere on the network and users access data they need with laptop computers, tablets, or smartphones—is bringing forth its own set of secure software issues.
“What if you have soldiers on the front line trying to identify and catalog local individuals who might be friendly or hostile,” asks Joe Wlad, senior director of aerospace and defense and Wind River Systems in Alameda, Calif. “This is a cross-domain case with classified and unclassified data on the same channel. What they want to do is have the front-line people do the biometrics, cataloging, and record keeping by inputting it with a device like a portable camera, tablet, or laptop, and then separate it for domain security.
“Today, it is a very manual process, with no easy way to ensure that data can be authenticated, with assurance that it has not been tampered with, or manipulated in any way,” Wlad says. Wind River is working with partners Real Time Innovations (RTI) in Sunnyvale, Calif., and McAfee Inc. in Santa Clara, Calif., to build a complete secure software solution that addresses these concerns, Wlad says.
“To secure the cloud, and make it tamper-proof, we need to worry about who has access, and trusted delivery,” Wlad says. “A lot of security concerns need to be addressed, and we are just starting to explore them.”
|The Single-Channel Ground and Airborne Radio System (SINCGARS) from ITT Corp. uses encryption and frequency-hopping schemes to keep sensitive military data secure.|
A central component of real-time data verification and validation on the battlefield involves field-programmable gate arrays (FPGAs), which are programmable, parallel-processing, central processing units that increasingly are used to implement COMSEC and TRANSEC algorithms in military communications systems.
The worry with FPGAs, however, is how can the crucial data they contain be safeguarded from an enemy’s attempts to access it if battlefield equipment like radios and handheld computers fall into the wrong hands if their intended operators lose them? Today’s FPGA makers, like Altera Corp. in San Jose, Calif.; Microsemi SoC Products Group in Mountain View, Calif.; and Xilinx Inc. in San Jose, Calif., are taking these threats very seriously.
“We focus on making sure the customers design-in security,” says Juju Joyce, senior marketing engineer in the Altera military business unit. “We design-in anti-tamper features, and make sure the encryption schemes inside the FPGA meet information-assurance requirements.”
Among the measures FPGA makers can take to safeguard device data is to scramble and encrypt any sensitive data, says Microsemi’s Newell. Future generations of Microsemi FPGAs also will have features to resist attempts to extract data by differential power analysis and side-channel analysis, he says.
FPGA makers also are enhancing security in their devices by squeezing two-chip configurations into single-chip configurations. Previous generations of secure FPGAs required two separate devices to isolate secure from non-secure data. The security weakness, however, was the data interconnects between the two devices. “Less and less components are better for security because no data is going back and forth between components,” says Hanneke Krekels, senior marketing manager at Xilinx.