Talk:Defense Message System

From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by 68.39.174.238 (talk) at 14:09, 21 June 2007 (What...?!). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

I don't understand why some individuals have such a big hangup about the encryption used to send/receive messages. If someone, say a government, really wants to decipher an encrypted message, then they stand a darned good chance of figuring out what was contained in the message. If you would like examples, just look at the history of the code breakers in World War II that broke the code for German and Japanese secure messages. In today's world it will take a lot more effort and computer power to break the encryption of a secure message, but the job can be done. If you have a doubt, just look at how many powerful computers US Government agencies such as the CIA purchase for use in code breaking efforts.

I am curious about the statement, for the various systems, of how many times the encryption has been broken. What was the source for these counts? Did the KGB publish a document that lists how many times they have broken the various encryption schemes? If an individual or group manages to break the encryption of secured data, I don't believe they would make that information public. For example, during World War II the Americans and British went to extremes to prevent the Germans from finding out that their encryption had been broken.


The problem with security is not the encryption. The problem is that the computer systems running MS operating systems are the weak link for security.

The "best" secure program in the world can be compromised if it is executed on an operating system that is not secure.

Just try and get the Defense Intelligence Agency (DIA) to certify (for security) a computer system that is running a MS Operating System. Why do you think that the government accreditors are forcing systems to migrate to SUN OS Trusted Solaris?

Also, are you aware that there are two distinct groups of users of secure messaging and that the original DMS configuration left the second set of users (at the higher security level) out in the cold? This is one major reason that the implementation of DMS in the field has been delayed. They had to try and rework the system to support both sets of users. They have had a lot of obstacles to overcome working on the support for the second group of DMS users.

And if you are wondering, my company has been supporting government secure communications projects for 20+ years and we were the company that provided the proof-of-concept work to the government for DMS. It is unfortunate that Lockheed chose to ignore a lot of work that was accomplished for the proof-of-concept and went with the "not invented here" philosophy.

Again, all your justification is based on the encryption. Did you know that FORTEZZA uses hardware encryption that adds to the cost while at the same time reducing the throughput of the DMS system as compared to schemes that utilize software encryption?


A lot of the information in this article is false, at least in how it pertains to the USAF implementation. I would correct it, but I am unsure of what information I am permitted to disclose due to an NDA. Cfpresley 16:34, 11 April 2006 (UTC)[reply]

What part is false? You can say what part is false without violating agreements, can't you?

I am a little confused; I didn't see anything about the USAF on this page.



No, I agree that this isn't entirely accurate, particularly the "security" concerns. Yes, it uses Outlook. However, DMS isn't given to any idiot. Though MS products are somewhat insecure (i.e. the page's example of buffer overflows), this has never happened and will never happen in DMS operations.

DMS, in fact, is the most secure system that the DoD has ever used. 1024-bit encryption using a hard token (FORTEZZA) with all its layers of security truly puts DoD's popular PKI and CAC security (which also uses MS products) in its place. This is exactly why the 128-bit encrypted PKI that we use with CAC logins etc. is named "medium grade" security while DMS is the SOLE product worthy of being called "High Grade" security by the DoD.

The 128 bits of encryption used by DoD today is easily broken. In fact, the first PKI message was broken within 2 weeks of its release. What about DMS? Never. Looking at 128 bits of encryption vs 1024 bits of encryption, you would be easily fooled into thinking that 1024 bits is approximately 10x stronger than 128, while in fact it is EXPONENTIALLY stronger. How is this? Because for every bit you add to the encryption, you DOUBLE the number of possible keys to unlock your message.

The DMS main page on Wikipedia makes it appear as though DMS has some serious security flaws and yet, it is in fact the strongest we have ever used. Even riding the NIPRNET, we are assured of High Grade Assurance.

Considering that it's reported that so many military units are still using SMTP in the clear for actual SWA troop movements, even I can accept the popular 128-bit PKI system that DoD finds so attractive lately; it's better than SMTP in the clear. However, if we REALLY wanted secure email, we'd go back to using DMS exclusively just for the encryption level (not to mention the fact that you need a FORTEZZA card).

What is the real reason that DMS isn't the standard? There are 2 reasons: 1) the software was buggy for the first 4 years and Lockheed just did a horrible job with documentation. You had to really dig and dig to be a pro administrator. 2) You still have to spend at least 6 hard months with a current DMS-competent SA before you'll be one yourself. And so we have mostly inept DMS administrators and the result is broken sites.

The future of DoD email security is leaning towards "user friendliness" and less towards actual hard security. The proof is in the use of 128-bit CAC encrypted email and the abandonment of 1024-bit encryption altogether, it seems.

Sadly, in a few years, 2048 bits will be necessary to be considered secure. 128 bits just won't even be a day's challenge.

_________________

Ok listen, USAF uses a separate system called AMHS, which I can't go into in more detail because I still in fact use the DMS system (I am a CAW operator, as a matter of fact). Therefore this information presented to you will not fall under any information you have dealt with. --Mark Orahoske 22:12, 10 July 2006 (UTC)[reply]



It's not just the USAF; the DoD is moving to AMHS, which isn't all that special. In fact, we lose security with AMHS vs using DMS because the highest level of encryption is 128 bits, between the web browser and the AMHS servers.

I teach the CAW, I teach DMS, and I teach AMHS. DMS is/was the only bright future for DOD high grade assurance. There are many security holes in the AMHS system, the very reason it continues to fail DoD testing. Perhaps the mail should be encrypted on the servers rather than being in the clear. That would be a great start.

And so I agree with 2 entries above. DMS is and always was the correct way to go. AMHS, AUTODIN, and all other systems are too flawed and insecure. DMS is entirely secure.



The main article for this entry states that DMS is often used in conjunction with DMDS. The fact is, DMDS is a part of DMS, not a separate entity. It's also considered to be a part of a DMS Core package if you were to open a site.

AUTODIN is far from the answer and the main article is wrong here as well. DMS is the only system to never be broken or compromised. AUTODIN has had 2 incidents. AMHS is insecure by design, the same reason it hasn't passed DoD requirements for the last 3 years (email storage in the clear being the biggest example).


This is a terrible article. It appears to have some factual inaccuracies, plus it is written poorly. Look at the last paragraph. Who the hell writes an encyclopedia article in the first person? Even this discussion page stinks. Few of the postings on this discussion page are signed. Hildenja 07:08, 20 October 2006 (UTC)[reply]

I didn't think this was an article, rather, I thought this was a DISCUSSION page. I can accept a different type of content for discussions versus actual article content.

Confusing Encryption

I believe the discussion above is confusing encryption schemes. 128-bit vs 1024-bit encryption isn't a straightforward comparison, because in this case the 128-bit key is a stream cipher key, while the 1024-bit key is an asymmetric public key token. The two systems work very, very differently. While a stream cipher is used to encrypt a stream of data, as typically between Amazon.com and the home user, the 1024-bit asymmetric public key is used to establish mutual authentication. Generally, it works like this:

  • Two computers establish a connection, and decide to "talk" securely.
  • Using asymmetric keys, the two systems transmit their public keys to each other. At this point, the keys are usually then verified against a public Certificate Authority to see if they are good, trusted, current etc.
  • System A then encrypts a challenge phrase using its private key and transmits it to system B, which decrypts it using system A's public key. B then takes this decrypted message, encrypts it using its private key, and transmits the message to A, which decrypts it using B's public key. The process repeats, with B originating a challenge phrase.
  • In this way, the systems establish that they both possess the private keys corresponding with their public keys, which have been verified with the Certificate Authority.
  • The systems then establish a new session key, which is 128, 256 bits long etc. and is used in a stream cipher. Generally, both systems generate a random string of numbers, encrypt the string with the other system's public key, and transmit it to each other. In this way, they ensure that only the holder of the private key can know what the random numbers are. They both combine the random numbers in a known manner, and from there, communicate using a stream cipher.

What are the differences?

A block cipher is generally much more secure, since there is only a private key, and it has no mathematical relationship to any publicly known information. As a result, 256-bit AES encryption is extremely secure, provided the key is kept secret.

Asymmetric key cryptography is different, in that there are two numbers generated that have a mathematical relationship to each other. The public and private keys can each encrypt traffic that is decrypted with the other. For this reason, public-key cryptography is good for establishing trust, but the keys need to be much, much larger to ensure security.

This is a quick crash course, so please search Wiki if you have any questions.

Air power!
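The exchange sketched in the post above, as an added runnable toy that is not part of the original discussion or of DMS/FORTEZZA itself. It uses textbook RSA with fixed, constructed Mersenne primes (no padding, no certificate check), simplifies the challenge step to each side returning the other's challenge under its private key, and stands in a SHA-256 keystream for a real stream cipher, so it shows the shape of the handshake only and must not be used as a secure implementation.

```python
"""Toy mutual authentication + session-key agreement (added example).
Textbook RSA with small constructed primes and a hash-based keystream;
illustrative only, not secure."""
import hashlib
import secrets
from math import gcd

E = 65537  # common RSA public exponent


def rsa_keypair(p, q, e=E):
    """Textbook RSA: n = p*q, d = e^-1 mod (p-1)(q-1). No padding, toy only."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    return (n, e), (n, pow(e, -1, phi))


class Party:
    """One endpoint holding a long-term RSA key pair (constructed primes)."""

    def __init__(self, name, p, q):
        self.name = name
        self.pub, self._priv = rsa_keypair(p, q)

    def answer_challenge(self, c):
        # "encrypt the challenge with the private key" = a textbook RSA signature
        n, d = self._priv
        return pow(c, d, n)

    def recover_secret(self, ciphertext):
        # decrypt the peer's session-key contribution with our private key
        n, d = self._priv
        return pow(ciphertext, d, n)


def verify_response(peer_pub, challenge, response):
    """Undo the peer's private-key operation with its public key; the result
    must equal the challenge we sent, which proves private-key possession."""
    n, e = peer_pub
    return pow(response, e, n) == challenge


def encrypt_for(peer_pub, secret):
    """Encrypt our random contribution so only the peer's private key opens it."""
    n, e = peer_pub
    if not 0 < secret < n:
        raise ValueError("secret must be smaller than the peer modulus")
    return pow(secret, e, n)


def derive_session_key(r_initiator, r_responder):
    """Combine both contributions 'in a known manner' into a 256-bit key."""
    material = r_initiator.to_bytes(32, "big") + r_responder.to_bytes(32, "big")
    return hashlib.sha256(material).digest()


def keystream_xor(key, data, nonce=b"\x00" * 8):
    """Toy stream cipher: XOR with SHA-256(key || nonce || counter) blocks.
    Gives no integrity protection; a real design would use an AEAD."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hashlib.sha256(key + nonce + (offset // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], ks))
    return bytes(out)


def mutual_handshake(a, b, rng=lambda: 2 + secrets.randbelow(2**64)):
    """Run the exchange from the post: public keys swapped, cross challenges,
    then each side sends a random secret encrypted to the other's public key.
    Returns (key_as_seen_by_a, key_as_seen_by_b); raises on a failed challenge."""
    pub_a, pub_b = a.pub, b.pub          # steps 1-2 (CA check omitted here)
    c_ab = rng()                          # step 3: A challenges B ...
    if not verify_response(pub_b, c_ab, b.answer_challenge(c_ab)):
        raise RuntimeError("B failed A's challenge")
    c_ba = rng()                          # ... then B challenges A
    if not verify_response(pub_a, c_ba, a.answer_challenge(c_ba)):
        raise RuntimeError("A failed B's challenge")
    r_a, r_b = rng(), rng()               # step 5: random contributions
    r_a_at_b = b.recover_secret(encrypt_for(pub_b, r_a))
    r_b_at_a = a.recover_secret(encrypt_for(pub_a, r_b))
    return derive_session_key(r_a, r_b_at_a), derive_session_key(r_a_at_b, r_b)


# Constructed key material: Mersenne primes, far too small for real use.
ALICE = Party("A", 2**31 - 1, 2**61 - 1)
BOB = Party("B", 2**89 - 1, 2**107 - 1)

if __name__ == "__main__":
    ka, kb = mutual_handshake(ALICE, BOB)
    assert ka == kb
    ct = keystream_xor(ka, b"DMS test traffic")
    print(keystream_xor(kb, ct))
```

The asymmetric keys here do only what the post says they do: prove possession of a private key and protect the two random contributions. All bulk traffic then rides the much shorter symmetric session key, which is why the "128 vs 1024 bits" comparison in the earlier posts compares two different kinds of key.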

ATTN: Whichever Microsoft publicist posted on the entry:

Who wrote the section comparing Outlook and DMS, Bill Gates? Regardless of the merits of the argument, that section is pure opinion.


DMDS

DMDS is the routing server: Defense Message Dissemination System. I work daily with DMS. It is my job in the military. DMS is moving more to a web-based system requiring a PKI cert. This PKI can only be given to those who hold a valid military ID. The PKI is then sent to the Area Control Centers for validation and then you can send messages. Only approved users are allowed to send messages. It is a secure system, but any system can be beaten.

What...?!

Alright, I've removed that massive unwikified and poorly written text block. The first part of it was pure partisanry and the latter was not understandable. I also suggest that people here sign their posts. Thanx. 68.39.174.238 14:09, 21 June 2007 (UTC)[reply]