Lab buys software site license
- By Heather Harreld
- May 25, 1997
In a move designed to eliminate password security vulnerabilities the Energy Department's Lawrence Livermore National Laboratory has purchased a site license for encryption software that will encompass all 12 000 users at the lab.
Livermore has purchased a license for F-Secure SSH software from Data Fellows Inc. a Finnish company with U.S. headquarters in San Jose Calif. The client/server software provides user authentication data encryption and privacy protection for internal and remote communications.
Frank Swift unclassified computer security coordinator at Livermore said the purchase should allow the lab to move away from using passwords to identify internal and remote users. The product also was chosen because it supports Apple Computer Inc.'s Macintosh platforms which are prevalent at the lab as well as Microsoft Corp.'s Windows 3.1 95 and NT and all Unix platforms.
"It gives you an encrypted session " he said. "The major threat you have these days is someone sniffing a password - normally it's off-site. Most of the problems we've had in computer security...have been a result of a sniffed password. If you have a sniffer out there [when using F-Secure] all you'd get is a bunch of garbage."
Although this is the first U.S. government site license for Data Fellows Petri Laakkonen president of Data Fellows said other agencies especially other DOE labs may soon follow Livermore's lead because the lab has a reputation of being a leader in information technology security. DOE's Los Alamos National Laboratory Sandia National Laboratory and its Jet Propulsion Laboratory each have acquired a few licenses to date to test the F-Secure product Laakkonen said. Data Fellows' other federal government customers include NASA the Air Force and the Navy.
"It's a pretty good size site license " he said. "Lawrence Livermore National Laboratory is one of those labs that was set up originally in the Cold War...to ensure national security. They are one of the most powerful computing centers in the whole world and the information they deal with in that lab [is] very sensitive information."
In addition the product provides three types of encryption for users which also made the product more attractive Swift said. F-Secure users can choose to use products that employ Triple Data Encryption Standard the International Data Encryption Algorithm or the Blowfish algorithm. Triple DES is a triple implementation of the DES approved by the government for use by federal agencies. IDEA is a fairly new algorithm designed by a Swiss researcher and Blowfish is a DES alternative embedded in the popular Pretty Good Privacy software and other products.
At the beginning of a transmission using F-Secure the client and server authenticate each other with public-key technology from RSA Data Security Inc. Subsequently the software creates an encrypted channel between the client and the server and all transmitted data is encrypted Laakkonen said. The product is designed to protect individual data packets from tampering if captured by an authorized user he said. It also secures electronic-mail databases and World Wide Web servers.
"We provide end-to-end security " he said. "It's not from port-to-port or device-to-device."