Abstract: Disclosed herein are embodiments of systems, methods, and products comprising a computing device, which provides Efficient Data-In-Transit Protection Techniques for Handheld Devices (EDITH) to protect data-in-transit. An end user device (EUD) may generate a multicast data packet. The EDITH module of the EUD encapsulates the data packet in a GRE packet and directs the GRE packet to a unicast destination address of an EDITH Multicast Router included in an infrastructure. The EDITH module on the EUD double compresses and double encrypts the GRE packet. The EDITH module on the infrastructure decrypts and decompresses the double compressed and double encrypted GRE packet to recreate the GRE packet. The EDITH module on the infrastructure decapsulates the GRE packet to derive the original multicast data packet, and distributes the original multicast data packet to the multiple group member based on the multicast destination address included in the original multicast data packet.

Abstract: Embodiments for a computer readable medium including a software module are provided. The software module causes one or more processing devices to obtain a biometric identifier from a user. Access to a resource is requested by providing a software credential token and the biometric identifier. The software credential token corresponds to a hardware credential token, and the hardware credential token is one of a set of hardware credential tokens that are used to access the resource. An indication that access to the resource has been granted is received and after receiving the indication an indication that the access to the resource has been revoked is received. After receiving the indication that access to the resource has been revoked, a biometric identifier is re-obtained from a user and access to the resource is re-requested by providing a software credential token and the re-obtained biometric identifier.

Abstract: A method of routing an Internet Protocol (IP) packet from a routing device is provided. The method includes receiving a first IP packet having a first IP header and a first IP data field, the first IP packet having a final destination corresponding to a destination device communicatively coupled to the routing device via a network route including at least two hops between the routing device and the final destination. A second IP packet having a second IP header and a second IP data field is generated. The second IP data field is a copy of the first IP data field, and a destination IP address field in the second IP header includes an IP address of a next hop on the network route. The second IP packet does not include an IP address of the final destination in the second IP header.

Abstract: Disclosed herein are embodiments of systems, methods, and products comprise a computing device, which provides a secure data transport service (SecureX) for data packets traversing from an end user device (EUD) to a mission network over untrusted networks. The disclosed SecureX module may be software product running on the EUD and on a SecureX appliance fronting the mission network. The SecureX module on the EUD compresses the data packets by removing header fields that are constant over the same packet flow and double encrypts the data packets with different cryptographic keys. The SecureX on the EUD transmits the double compressed encrypted data packets over the untrusted network. The SecureX appliance receives the double compressed encrypted data packets, decrypts the data packets and decompresses the data packets to recreate the original data packets. The SecureX appliance transmits the original data packets to the mission network.

Abstract: Embodiments for a method of implementing multiple domains in a network switching device are disclosed. The method includes assigning a plurality of hardware ports to a plurality of domains. Ports are assigned to at least two of the plurality of domains, and none of the ports are concurrently assigned to multiple domains. The method also includes loading rules for forwarding packets between the plurality of ports into a data plane. The rules direct the data plane to forward only between ports in a common domain of the plurality of domains. The method also includes assuring that a packet received at any port assigned to a first domain is not sent in legible form from any port assigned to a second domain if an error causes the data plane to forward or request forwarding the packet to any port assigned to a second domain.

Abstract: Disclosed herein are embodiments of systems, methods, and products comprising a computing device, which provides Efficient Data-In-Transit Protection Techniques for Handheld Devices (EDITH) to protect data-in-transit. An end user device (EUD) may generate a multicast data packet. The EDITH module of the EUD encapsulates the data packet in a GRE packet and directs the GRE packet to a unicast destination address of an EDITH Multicast Router included in an infrastructure. The EDITH module on the EUD double compresses and double encrypts the GRE packet. The EDITH module on the infrastructure decrypts and decompresses the double compressed and double encrypted GRE packet to recreate the GRE packet. The EDITH module on the infrastructure decapsulates the GRE packet to derive the original multicast data packet, and distributes the original multicast data packet to the multiple group member based on the multicast destination address included in the original multicast data packet.

Abstract: Embodiments for a networking device are disclosed. The networking device includes a private identity-based cryptographic (IBC) key issued for a first device. The networking device can receive an internet protocol (IP) packet from the first device. The networking device modifies the IP packet to form a modified IP packet, wherein modify the IP packet includes add an extension header to the IP packet. The extension header includes a source identifier identifying the first device, an indication of the key generation authority and an indication of an identity-based encryption (IBE) algorithm. The networking device also generates an identity-based signature (IBS) using the IBC algorithm with the source identifier as an identity input, the modified IP packet as a message input, and the private IBC key for the first device as a private key input. The modified IP packet and the IBS is then sent towards a destination of the IP packet.

Abstract: A method of generating a plan for a vehicle is provided. The method includes receiving information indicating a location of each of a plurality of communication nodes and the vehicle during a first time period and a second time period. The vehicle is configured to send wireless signals to and receive wireless signals with the plurality of communication nodes. The method includes developing a plan that defines a path of motion for the vehicle and a configuration for an antenna on the vehicle during the first time period and the second time period based on connectivity between the vehicle and the plurality of communication nodes.

Abstract: Disclosed herein are embodiments of a cloud data synchronization system enabling an user operating a mobile client device to download mission-specific data sets from a fixed cloud-based server system to a database of the mobile client device, and then use the downloaded data sets independently on the mobile client device when the mobile client device is disconnected from a network connecting to the fixed cloud-based server system. When connectivity to the fixed cloud-based server system is re-established by the mobile client device in an intermittent and bandwidth-limited communication network environment, the fixed cloud-based server system may provide bi-directional data synchronization between records of the fixed cloud-based server system and the mobile client device to update the data sets on the fixed cloud-based server system and the mobile client device while operating in the intermittent and bandwidth-limited communication network environment.

Abstract: Disclosed is a high assurance unified switching device corresponding to a modular, standards-compliant extensible network switch supporting multiple security domains with data isolation of multiple data packets obtained from the multiple security domains. The device may comprise an inner layer router and an outer layer security wrapper (outer layer router). The ports on the outer layer router are configured for different security domains and assigned corresponding key pairs. The ports use the assigned key pairs for encrypting data packets prior to routing and decrypt the data after routing such that there is an isolation of data packets of different security domains. A routed packet arriving at the wrong port cannot be decrypted and therefore is dropped.

Abstract: Disclosed herein are embodiments of systems, methods, and products comprise a computing device, which provides a secure data transport service (SecureX) for data packets traversing from an end user device (EUD) to a mission network over untrusted networks. The disclosed SecureX module may be software product running on the EUD and on a SecureX appliance fronting the mission network. The SecureX module on the EUD compresses the data packets by removing header fields that are constant over the same packet flow and double encrypts the data packets with different cryptographic keys. The SecureX on the EUD transmits the double compressed encrypted data packets over the untrusted network. The SecureX appliance receives the double compressed encrypted data packets, decrypts the data packets and decompresses the data packets to recreate the original data packets. The SecureX appliance transmits the original data packets to the mission network.

Abstract: Disclosed herein are embodiments of systems, methods, and products comprise a computing device, which allows a device to be used in different classification levels by powering the device down and booting to a different classified level without the need to switch hard drives. The disclosed software shield and persona switcher (Shielder) module provides independent application environments (personas) for separate security domains while allowing fast transition between personas. Shielder module supports multiple security classification via a minimal system storage partitioning. Shielder module allows efficient collection and reallocation of memory and persistent storage according to need and priority. Shielder module provides secure management of communication media by directing the system communication according to the security profile of the active persona.

Abstract: Embodiments for a computer readable medium including a software module are provided. The software module causes one or more processing devices to obtain a biometric identifier from a user. Access to a resource is requested by providing a software credential token and the biometric identifier. The software credential token corresponds to a hardware credential token, and the hardware credential token is one of a set of hardware credential tokens that are used to access the resource. An indication that access to the resource has been granted is received and after receiving the indication an indication that the access to the resource has been revoked is received. After receiving the indication that access to the resource has been revoked, a biometric identifier is re-obtained from a user and access to the resource is re-requested by providing a software credential token and the re-obtained biometric identifier.

Abstract: Disclosed herein are embodiments of systems, methods, and products comprising a computing device, which provides Efficient Data-In-Transit Protection Techniques for Handheld Devices (EDITH) to protect data-in-transit. An end user device (EUD) may generate a multicast data packet. The EDITH module of the EUD encapsulates the data packet in a GRE packet and directs the GRE packet to a unicast destination address of an EDITH Multicast Router included in an infrastructure. The EDITH module on the EUD double compresses and double encrypts the GRE packet. The EDITH module on the infrastructure decrypts and decompresses the double compressed and double encrypted GRE packet to recreate the GRE packet. The EDITH module on the infrastructure decapsulates the GRE packet to derive the original multicast data packet, and distributes the original multicast data packet to the multiple group member based on the multicast destination address included in the original multicast data packet.

Abstract: Embodiments for a computer readable medium including a software module are provided. The software module causes one or more processing devices to obtain a biometric identifier from a user. Access to a resource is requested by providing a software credential token and the biometric identifier. The software credential token corresponds to a hardware credential token, and the hardware credential token is one of a set of hardware credential tokens that are used to access the resource. An indication that access to the resource has been granted is received and after receiving the indication an indication that the access to the resource has been revoked is received. After receiving the indication that access to the resource has been revoked, a biometric identifier is re-obtained from a user and access to the resource is re-requested by providing a software credential token and the re-obtained biometric identifier.

Abstract: Disclosed herein are embodiments of a cloud data synchronization system enabling an user operating a mobile client device to download mission-specific data sets from a fixed cloud-based server system to a database of the mobile client device, and then use the downloaded data sets independently on the mobile client device when the mobile client device is disconnected from a network connecting to the fixed cloud-based server system. When connectivity to the fixed cloud-based server system is re-established by the mobile client device in an intermittent and bandwidth-limited communication network environment, the fixed cloud-based server system may provide bi-directional data synchronization between records of the fixed cloud-based server system and the mobile client device to update the data sets on the fixed cloud-based server system and the mobile client device while operating in the intermittent and bandwidth-limited communication network environment.

Abstract: A method of generating a flight path for an aircraft is provided. The method includes modeling geographic space and time that includes a plurality of mobile communication nodes. The model includes locations of each of the plurality of mobile communication nodes as those nodes move over time. The model also provides an indication of wireless connectivity between a radio on each of the plurality of communication nodes and a radio of the aircraft at their respective location. The method further includes running a plurality of flight paths through the model in order to identify a selected flight path that provides a desired level of connectivity between the aircraft and the plurality of communication nodes.

Abstract: Embodiments for a method of implementing multiple domains in a network switching device are disclosed. The method includes assigning a plurality of hardware ports to a plurality of domains. Ports are assigned to at least two of the plurality of domains, and none of the ports are concurrently assigned to multiple domains. The method also includes loading rules for forwarding packets between the plurality of ports into a data plane. The rules direct the data plane to forward only between ports in a common domain of the plurality of domains. The method also includes assuring that a packet received at any port assigned to a first domain is not sent in legible form from any port assigned to a second domain if an error causes the data plane to forward or request forwarding the packet to any port assigned to a second domain.

Abstract: A method of embedding information in a packet with low overhead is provided. The method includes receiving an IP packet at a first networking device and translating it into an intermediary packet having a non-IP header and a data field. Translating includes copying at least the transport layer data field into the data field of the intermediary packet, compressing the IP header, and embedding out-of-band data into the non-IP header of the intermediary packet. The intermediary packet is sent to second networking device. At the second networking device the intermediary packet is translated into a re-created IP packet. The re-created IP packet is sent toward a destination of the original IP packet.

Abstract: Disclosed herein are embodiments of a cloud data synchronization system enabling an user operating a mobile client device to download mission-specific data sets from a fixed cloud-based server system to a database of the mobile client device, and then use the downloaded data sets independently on the mobile client device when the mobile client device is disconnected from a network connecting to the fixed cloud-based server system. When connectivity to the fixed cloud-based server system is re-established by the mobile client device in an intermittent and bandwidth-limited communication network environment, the fixed cloud-based server system may provide bi-directional data synchronization between records of the fixed cloud-based server system and the mobile client device to update the data sets on the fixed cloud-based server system and the mobile client device while operating in the intermittent and bandwidth-limited communication network environment.