NSA: Inconsistent products preventing secure Android phones
- By William Jackson
- Feb 29, 2012
SAN FRANCISCO — The National Security Agency has begun a pilot program to demonstrate secure classified communications over commercial equipment, but it is having trouble finding standards-based off-the-shelf products that are interoperable and meet its needs.
The standards and protocols exist to provide the security that NSA requires, but they are not being implemented consistently by vendors, Margaret Salter, a technical director in NSA’s Information Assurance Directorate, said Feb. 29 at the RSA Conference.
The agency went shopping with a list of requirements for encryption for the voice channel and for the Session Initiation protocol. “We couldn’t buy one” that met all the requirements, Salter said. “We could pay someone to make it, but that wasn’t the plan.”
More from RSA:
Researchers: How 'leaky' smart phones give up their crypto keys
Search engine poisoning: How malicious sites fool your filters
The plan is to move from secure GOTS — government off-the-shelf products — to COTS — commercial off-the-shelf. As a compromise in its proof-of-concept pilot, NSA modified the operating system of the phones and has accepted a different set of encryption tools to secure Top Secret voice-over-IP traffic. It has fielded 100 Motorola handsets using the Android operating system on several carrier networks as part of its Fishbowl Architecture.
But there is not a completely interoperable, vendor-independent infrastructure. This means NSA has been forced into some vendor-specific platforms to get the functionality it needs, rather than creating a plug-and-play environment. Salter urged the industry to get on board with the program and begin building interoperable products based on industry standards.
NSA went with the Android OS because it was able to tweak it to reduce the attack space and implement other encryption features, which would not have been possible with the Apple iOS. But the open nature of Android is a double-edged sword because no two vendor implementations of it are identical, Salter said.
NSA has just published a set of technical requirements for its secure mobility program. Those requirements will become Common Criteria protection profiles for mobile equipment that can be used for classified information.
The secure mobility program is part of a broader initiative at NSA to move to off-the-shelf technology for classified uses. The expansion of IT from proprietary architectures that are run by a handful of professionals to ubiquitous user-based equipment such as smart phones and tablet computers has put a premium on economy and user-friendly design, Salter said. NSA does security well but is pretty bad at being user friendly, so it is turning to industry to produce the tools it needs.
“We don’t want to be the vendors for the operating systems and the apps,” Salter said.
The Fishbowl Architecture now being tested uses an IPsec virtual private network with Secure Real-Time Transport Protocol for voice, so that the voice traffic is encrypted twice to avoid a single point of failure. All traffic goes back to the enterprise and is routed from there to the final location based on policies set by the enterprise.
The system supports Top Secret voice traffic now and is moving toward handling data as well. The mobile device will be a thin client, with data served to it by the enterprise.
The phones contain two digital certificates for authenticating for IPsec and voice, and a user password is used for authenticating to the SIP server.
Salter said NSA hopes its requirements will be adopted by industry in commercial products so that it will be able to buy off-the-shelf to meet its needs. She said that the Defense Information Systems Agency is planning a larger pilot program based on the same requirements, and there is hope that the military’s buying clout will help drive demand for and acceptance of the standards-based systems.
William Jackson is freelance writer and the author of the CyberEye blog.