Commercial Based, Two-Layer Encryption Improves Battlefield Mobility
July 28, 2021
Published in Milsat Magazine
Written by Charlie Kawasaki, Chief Technical Officer, PacStar
To achieve and maintain warfighting overmatch, coordinate future deployed forces, and enable new capabilities, the US Army, Air Force and Navy are actively pursuing new programs such as Joint All Domain Command and Control (JADC2) to give warfighters maximum situational awareness.
As the Department of Defense (DoD) comes to rely more heavily on information resources, tactical and expeditionary networking and command post programs widely acknowledge the critical need to improve mobility. That requires higher-capacity secure wireless (including for classified networks) that is available farther out at the edge of the network and across multiple transport types, so that communications are no longer tethered to a cable.
The National Security Agency's (NSA) Commercial Solutions for Classified (CSfC) program allows organizations to transmit classified information (including Top Secret) using two layers of commercial encryption. By nesting one set of encryption technology inside another (the two layers coming from different vendors or platforms so that a flaw in one does not compromise the other), classified information can be carried over untrusted wired and wireless networks such as WiFi, LTE, 5G and SATCOM, including public, government and partner networks.
The CSfC program enables a variety of use cases, but the most important is the ability to use commercial wireless mobile devices for classified communications, and commercial encryption devices for site-to-site transmission of classified information, without Type 1 cryptographic equipment. In the past, the only means of transmitting classified information was through these expensive, tightly controlled, military-grade encryption devices.
Consider an email server on a classified network whose traffic must cross a SATCOM link. The email is first sent through one VPN encryptor, which encrypts it once. That singly encrypted traffic is then sent through a second, independent VPN encryptor, which encrypts it again. Only this doubly encrypted traffic is placed on the wireless infrastructure, so an observer on the link (or a compromise of the outer layer alone) sees nothing but the inner ciphertext. At the destination the process is reversed: the outer layer is removed first, then the inner layer, and only then is the plaintext email available. On a mobile device the two layers can be two software VPN clients; for remote installations they can be two gateways, after which the email is read on a mobile device using a standard email program.
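The nested-tunnel flow described above, as an added example that is not part of the original article or of any PacStar product. It models each VPN encryptor as an AEAD layer with its own independently generated key and its own header (the header names `IN01`/`OUT1`, the 32-byte packet layout and the use of AES-256-GCM for both layers are assumptions for the demonstration; a real CSfC deployment uses two independent products on the CSfC Components List, not one library twice). The point it shows is that stripping the outer layer alone yields only the inner ciphertext, and that tampering on the untrusted link is detected before any plaintext is exposed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// hdrLen is the fixed length of the (cleartext, authenticated) header each
// layer prepends; the header stands in for a VPN protocol header.
const hdrLen = 4

// Layer models one VPN encryptor: an independent key and an AEAD instance.
// The two layers' keys are generated separately and never derived from one another.
type Layer struct {
	name   string
	header []byte
	aead   cipher.AEAD
}

// NewLayer generates a fresh AES-256 key for this layer (assumed, for the demo,
// in place of a negotiated IKE/IPsec or TLS key).
func NewLayer(name, header string) (*Layer, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Layer{name: name, header: []byte(header), aead: aead}, nil
}

// Wrap returns header || nonce || ciphertext+tag, with the header bound as AAD.
// A random 96-bit nonce is fine for a demo; production VPNs use counters to
// rule out nonce reuse under a single key.
func (l *Layer) Wrap(payload []byte) ([]byte, error) {
	nonce := make([]byte, l.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := append([]byte{}, l.header...)
	out = append(out, nonce...)
	return l.aead.Seal(out, nonce, payload, l.header), nil
}

// Unwrap reverses Wrap and fails closed on a bad header, length or tag.
func (l *Layer) Unwrap(pkt []byte) ([]byte, error) {
	ns := l.aead.NonceSize()
	if len(pkt) < hdrLen+ns+l.aead.Overhead() {
		return nil, errors.New(l.name + ": packet too short")
	}
	header := pkt[:hdrLen]
	if !bytes.Equal(header, l.header) {
		return nil, errors.New(l.name + ": unexpected header")
	}
	nonce := pkt[hdrLen : hdrLen+ns]
	return l.aead.Open(nil, nonce, pkt[hdrLen+ns:], header)
}

// DoubleTunnel is the CSfC pattern: inner encryptor first, outer encryptor second.
type DoubleTunnel struct {
	inner, outer *Layer
}

func NewDoubleTunnel() (*DoubleTunnel, error) {
	inner, err := NewLayer("inner", "IN01")
	if err != nil {
		return nil, err
	}
	outer, err := NewLayer("outer", "OUT1")
	if err != nil {
		return nil, err
	}
	return &DoubleTunnel{inner: inner, outer: outer}, nil
}

// Encrypt produces what actually goes onto the untrusted link.
func (t *DoubleTunnel) Encrypt(msg []byte) ([]byte, error) {
	once, err := t.inner.Wrap(msg)
	if err != nil {
		return nil, err
	}
	return t.outer.Wrap(once)
}

// Decrypt is the receiving side: peel the outer layer, then the inner one.
func (t *DoubleTunnel) Decrypt(wire []byte) ([]byte, error) {
	once, err := t.outer.Unwrap(wire)
	if err != nil {
		return nil, err
	}
	return t.inner.Unwrap(once)
}

// PeelOuter is what a party holding only the outer key recovers: the inner
// ciphertext, never the email itself.
func (t *DoubleTunnel) PeelOuter(wire []byte) ([]byte, error) {
	return t.outer.Unwrap(wire)
}

func main() {
	tun, err := NewDoubleTunnel()
	if err != nil {
		panic(err)
	}
	msg := []byte("constructed sample: convoy departs 0400") // not real traffic
	wire, _ := tun.Encrypt(msg)
	once, _ := tun.PeelOuter(wire)
	got, _ := tun.Decrypt(wire)
	fmt.Printf("wire bytes: %d, outer-only view leaks plaintext: %v, round trip ok: %v\n",
		len(wire), bytes.Contains(once, msg), bytes.Equal(got, msg))
}
```

Each layer fails closed: a wrong header, a short packet or a flipped bit in the outer tag is rejected before the inner layer is ever invoked, which is the property that lets the doubly encrypted traffic ride an untrusted transport.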