By 
In a positive outcome, the Department of Defense’s encryption software has been made open source. Now everyone can have access to military grade encryption tech that was previously exclusive to government agencies and defense contractors.
Breaking New Frontier
SpiderOak announced on October 17 that Aranya, their zero-trust framework used in OrbitSecure platform, is now available on GitHub. OrbitSecure is a security platform tested aboard the International Space Station.
By open sourcing the core technology, we’re providing both the defense and commercial industries with a critical tool to cyber harden their most important systems,
Says Charles Beames, SpiderOak’s executive chairman.
Technical Framework
Aranya runs on Rust and handles data through a decentralized system [source].
Core Features:
- Micro-segmentation built into code
- End-to-end encrypted channels
- Network-independent security
- Distributed-ledger technology for encryption keys
- Custom security policy language
Space-Tested Architecture
SpiderOak’s interesting & unique approach to secure communications resulted from a specific challenge:
How do you maintain secure connections when your network keeps dropping, in space?
While exploring the source code we can understand better:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 |
pub enum Role { Owner, Admin, Operator, Member, } // ... team.add_sync_peer(ground_station, Duration::from_secs(60)).await?; team.add_sync_peer(satellite_1, Duration::from_secs(120)).await?; team.add_sync_peer(satellite_2, Duration::from_secs(180)).await?; // ... let (channel_id, node_id, ctrl) = team.create_channel( team_id, satellite_1, Label(0x01) // Custom security label for data type ).await?; // ... team.add_device_to_team(device_keys).await?; team.assign_role(device_id, Role::Operator).await?; // Give operation rights team.assign_label(device_id, Label(0x01)).await?; // Allow specific channel access |
At its core, a daemon process keeps track of all network connections using a DAG (directed acyclic graph). This might sound complex, but for developers it’s straightforward: they plug in the client library and get authentication, authorization, and encrypted data flows without writing extra security code.
So, the system uses DAG to track network state, where each node represents a connection point. When satellite_1 goes out of range, its node in the DAG gets marked but doesn’t break the graph, other connections continue their sync cycles independently.
Image source : blog.bitnovo.com
Labels work as security boundaries a device needs both the right role (in this case Operator) and the correct label to access a channel.
This architecture came from space requirements but works surprisingly well for ground systems where networks are unreliable or zero-trust is needed.
Usage
While Aranya started as a development framework, its strength lies in distributed applications. Of course satellite systems or any large-scale application where security needs to be built from the ground up. This should be a standard in developing software application, but we need to leave Utopia for a moment.
For identity management (IAM), Aranya represents can be a great use-case. When credentials get compromised, and more often than not they will, the damage stays contained. Overall he system’s micro-segmentation combined with custom security policies and zero-trust architecture, adds a new layer beyond traditional firewalls and antivirus.
In any case it shouldn’t be examined as a standalone security piece of software, but it should complement other security layers.
Photo by NASA