Stanley : I would just like to respond to the three points. Cryptography has to be
proposed by NATO nations, evaluated by a NATO nation or agency which is in a
position to rubberstamp the evaluation. Checkpoint I was not claiming was for
cryptographic products. As I said, the other half of my agency in Brussels does the large
procurements for NATO. I do not know, but I can give you the number of the directive,
but for any procurement the rule is supposed to be: you can only buy from a NATO
nation. But as I said, they can get round a non-NATO product by buying, for example, a
security code from a Finnish company. And the final comment was that PKI does not
really exist yet. There is a certificate policy, DECAN, in other NATO agencies that is
totally US manned; keys, data and the management agency. They can access the NATO
route free of charge, and an NMS which is the NATO messaging system. This is going to
be the first product that will take advantage of this NATO route and I was involved in a
big evaluation. This will go through, so you will be able to find out who the CAs will
be. And they will be signed by the DECAN routes of the evaluation. There is a specific
line in there saying you are not bidding on confidentiality, but if the product contains
confidentiality algorithms, then do not specifically disable them, remove them or turn
them off. The problem we are facing is that for most standard cryptography, the PKI is
not going to be for classified material. And most standard cryptography includes
confidentiality and digital signature together. One day we may decide we can use this
sort of standard algorithms for what they call privacy rather than confidentiality or
cumulative interest separation. The transmission link is already hardware encrypted and
you can use it to separate different communities. So I repeat, the NATO PKI does not
have a confidentiality component.
Aharoni : I may help in your procurement as a safe net product was recently acquired
by an American company. So, yes, it is easier. I would like to make an observation that
we noticed from our end is related to the question. It might interest you to know that
originally when we sold to security type agencies they invariably asked for the internal
algorithms to be changed to their own private algorithms. For example, in our products,
but not just those products, we always had the ability to change the internal standard
civilian algorithms with external algorithms. So, if you try to sell a device in China, the
first thing that they say is that they would like to use their Chinese algorithms, and to do
so in a way that we will not be exposed to.
Handy : The same goes for equipment that we sell to any security agency around the
world; in the US it is algorithms, etc. One thing that we have started noticing and I think
that this indicates a trend, is that military organisations around the world are beginning to
move to civilian algorithms, so they have started buying ordinary civilian off-the-shelf
products for military use, for intelligence use. To start with they used these for less
classified transactions but this is a significant barrier that has been overcome now. Up
until a couple of years ago it was not even possible to suggest to a military organisation
to use a civilian device. It was not possible to suggest the use of a standard hardware
VPN solution. Nowadays you do see military organisations using civilian products. They
admit that it is very difficult for them to compete with the wealth of security products
that exist on the outside. I wonder to what extent it would actually become prevalent and
how common in military organisations it will be in future to see a regular standard
civilian product being used by the military.