Cyber Defense - Projects
Fraunhofer Institute for Communication, Information Processing and Ergonomics FKIE
IDP / MIKE – Security between Communication Partners
An important aspect of Network Enabled Capabilities is the secure exchange of information between military units, e.g. when transmitting information from the operational forces to the command post in order to improve situational awareness. Securely integrating IP-enabled tactical terminals, however, still represents a significant challenge. Virtual private networks (VPNs) can protect the confidentiality, integrity and authenticity of information, but commercially available VPN solutions can often only be operated by experts.
In a tactical environment in particular, communication interruptions impair the availability of established VPNs. To address this, Fraunhofer FKIE has developed a mechanism that improves the availability of virtual private networks under adverse operating conditions and does so without requiring the terminals to be configured by hand.
Guaranteeing confidentiality, integrity and authenticity
The mechanism is called IDP-MIKE and is based on established IPsec technology. IPsec is a proven method that ensures confidentiality, integrity and authenticity between two communication parties; it is used primarily to interconnect commercial sites. IDP-MIKE extends IPsec's protection mechanisms with an automatic discovery and configuration component and with a robust, efficient key management. It thus benefits from cost-effective, commercially available technology while still offering a secure networking solution adapted to tactical operational conditions. The IPsec Discovery Protocol (IDP) automatically recognizes VPN-enabled terminals and reports them to the key management component, MIKE, which then negotiates a common key and distributes it to all VPN nodes.
Faster, simpler and safer VPN
In contrast to traditional server-based solutions, all VPN endpoints communicate securely with one another directly, so no central server is overloaded. The most significant advance, however, is that VPN nodes equipped with IDP-MIKE require no manual maintenance whatsoever. As soon as a node is connected to the intended access network, for example by plugging in a network cable, IDP-MIKE automatically sets up VPN tunnels to the other IDP-MIKE instances. No configuration by the user is needed, even when a key is changed or key material or a device is lost.
Certificate revocation excludes compromised devices and keys; the subsequent automatic key change takes place without user intervention. IDP-MIKE has the potential to support command and control under operational conditions. In the future, faster, easier and safer VPNs with IDP-MIKE will make networked units easier to operate. The IDP-MIKE prototype is continually being refined and tested in simulations, as an integral component of ATM KommServers, and in international test networks.