There is an increasing demand within the Ministry of Defence to exchange Ministerial Restricted (Departementaal Vertrouwelijk, DepV) information between systems in a secure manner, mostly by means of cryptographic applications. However, the hardware crypto solutions available on the market often contain far more functionality than is needed, are costly and require considerable management effort. This led KIXS to start an innovation project in 2016 to show, by means of a demonstrator, that cheaper and simpler-to-use crypto appliances can be designed by implementing the accredited OpenVPN-NL crypto software in programmable chips (Field Programmable Gate Arrays, FPGAs).
Article from Intercom #2, 2017 - also available in pdf (Dutch version)
Mr A. (Antoine) Wittebols, Senior Innovation Manager DMO/JIVC/KIXS
The Dutch company Technolution, which was involved in the innovation project, filed a request with the Defence Material Development Commission (CODEMO) late in 2016.
Since January 2017, Technolution has been working continuously with the Ministry of Defence to develop this demonstrator into a usable end product.
The beginning: KIXS innovation project
The Ministry of Defence currently uses several different brands and types of crypto devices to protect its information. These devices are often very expensive because of the security and functional requirements imposed on them; requirements that are necessary for protecting Highly Classified Information (Hoog Gerubriceerde Informatie, HGI). However, Low-Classified Information (Laag Gerubriceerde Informatie, LGI) also increasingly needs to be protected with cryptography. Possible applications for LGI crypto devices include securing Netherlands Armed Forces Integrated Network (NAFIN) terminals and Theater Independent Tactical Adaptive Armed Forces Network (TITAAN) ZWART (black, i.e. ciphertext-side) connections. The commercial crypto available on the market for the Ministerial Restricted level (DepV) is not sufficient, and the currently available and approved Ministerial Restricted cryptos are often derived from cryptos for higher classification levels and therefore carry a set of functions that go unused.
The growing need for LGI cryptos has led administrators to look for LGI cryptos that are easier to configure, deploy and manage than the current crypto devices. Therefore, at the start of 2016, KIXS started an innovation project in which an accredited software solution already in use for DepV, OpenVPN-NL, is implemented in hardware, so that a more robust implementation and better performance can be achieved at lower cost. In a Proof of Concept (PoC), the most important components of the OpenVPN-NL code were implemented in an FPGA on a demo board. Two research questions were central to the PoC: does the solution actually deliver acceptable performance, and which steps are needed to arrive at a product-worthy solution? The complete design was eventually reviewed by Technolution on behalf of KIXS. The conclusion is that implementing OpenVPN-NL in an FPGA with sufficient performance is definitely attainable.
The PoC also provided valuable insight into the needs of the target group, the architecture of the future product, a conceptual Very High Speed Integrated Circuit Hardware Description Language (VHDL) implementation and a validation framework. At the same time, a great deal of refinement is still required to turn the demonstrator into a product-worthy solution.
OpenVPN-NL is a hardened version of OpenVPN, an open source VPN software product, that offers an increased level of security thanks to a number of adjustments. This is achieved through a set of patches and improved documentation. OpenVPN-NL therefore meets all the evaluation criteria of the Netherlands National Communications Security Agency (NLNCSA) of the General Intelligence and Security Service (AIVD) for the protection of restricted information up to and including the 'Ministerial Restricted' level. The Ministry of Defence uses OpenVPN-NL to set up a secured connection from the Telestick and the smartphone to the MULAN environment.
The next step: CODEMO
In addition to further refinement, there are other important issues to address before the product can be made available, such as support and lifecycle management; something the market has more experience with than the innovation department of the Ministry of Defence. Fortunately, Technolution, which had already been involved in the innovation project, was enthusiastic enough to file a CODEMO request to develop the demonstrator further into a usable product.
Under CODEMO, the Ministry of Defence reimburses 50% of the project costs in return for a royalty per product sold (up to a specific limit and/or for a specific period). Besides reimbursing part of the costs, the Ministry of Defence also provides input during the project from, for instance, users (mostly administrators), so that the product can be tuned as closely as possible to their demands and wishes.
KIXS supervises the CODEMO project, which started at the beginning of 2017 and will conclude at the end of that year with the delivery of a usable OpenVPN-NL hardware product.
VHDL and FPGA
VHDL stands for 'Very High-Speed Integrated Circuit Hardware Description Language'. It is a hardware description language used to describe and model digital circuits and programmable logic (such as FPGAs). The language was originally commissioned by the United States Department of Defense, but it has since become a commonly used language worldwide for digital circuit design. FPGA stands for 'Field-Programmable Gate Array': an integrated circuit consisting of programmable logic components that can be configured to implement logic functions (e.g. AND, XOR).
The result: PRIMELINK 3015
Since early 2017, Technolution has been working diligently, collecting requirements in various user group sessions with users from Defence (OPS and SATS) on usage, administration, technology and security. Outside the Ministry of Defence (various other ministries) there is also interest in the product, and those potential customers will of course be involved in the development process. In June 2017 the electronic design of the printed circuit board (PCB) was finalized, and the first prototypes are expected in late August. A number of Defence departments will then carry out tests to see whether the product meets expectations.
The product has since been given a name: PrimeLink 3015. It will be one of the products in a line of high-quality security products and services offered by Technolution. The first version of PrimeLink will be available at the start of 2018 in two editions: a 19" edition for data racks and a desktop model. This first version has a maximum throughput of 1 Gbit/s (with both electrical and optical interfaces). Later, the same device will be able to handle speeds up to 10 Gbit/s through a simple firmware upgrade. The device can be deployed at both layer 2 (Ethernet) and layer 3 (IP). Key management is performed with a Crypto Ignition Key (CIK). The retail price of the product is considerably lower than that of existing DepV cryptos. If the field tests show that the final product meets the requirements of the Ministry of Defence, the ministry will have a more affordable and simpler LGI crypto within reach!