Vienna, Va. (December, 2004)
Mandylion Labs has taken part in a 3-year Advanced Concept Technology Development and Demonstration Project funded by DoD Advanced Systems and Concepts. Mandylion formally worked under the Coalition Information Assurance–Common Operational Picture (C-IA COP) Advanced Concept Technology Demonstration (ACTD) program project managed by SAIC. This ACTD was co-sponsored by the Defense Information Systems Agency and the Office of the Secretary of Defense for Advanced Systems and Concepts.
The Department of Defense initiated the ACTD programs in 1994 in order to rapidly transition technologies from the defense and commercial developers into the hands of the warfighter. ACTDs emphasize technology assessment and integration rather than technology development. The goal is to provide a prototype capability to the warfighter and to enable warfighters to evaluate the capabilities of a given technology in real military exercises, and at a scale sufficient to fully assess military utility.
The ACTD program marries operational requirements with new technologies and solutions. It reduces the time to field new technologies and systems and increases end-user involvement in the requirements and the integration. This is one of the few programs in which ACTD products are really demonstrated for military utility by the warfighter, and the warfighter actually writes the concept of operations in the context in which he needs the technology.
Mandylion was invited and became involved with the Coalition Information Assurance ACTD in response to U.S. Combatant Commanders’ concerns over the use and importance of cryptographically strong passwords in multinational Coalition environments. Most Coalition environments are quickly assembled and focused infrastructures where it is difficult to ascertain in advance who your Coalition partners will be and the extent of their involvement. Coordinating radio and communications frequencies is difficult enough; preplanning and coordinating emerging authentication mechanisms and conventions with various warfighter applications among Coalition members is even more daunting.
Passwords and physical access control are the only truly useable forms of authentication in these environments for the foreseeable future.
The reality these Combatant Commanders faced is that in the age of Network Centric warfare, the password is king. Sovereignty of an individual country’s data is often only protected by a password.
Needed: A Simple Tool, NOW
With deference to the advancement of authentication technology and biometrics under long-term study at DARPA and other DoD Research Labs, Combatant Commanders were concerned about today. They were concerned about the ability of the warfighter to generate, recall and manage multiple strong passwords in a high-stress environment. Presenting this issue, the Combatant Commanders sought a simple and reliable tool which could serve as a secure memory aid in the generation and recall of cryptographically strong passwords. The ACTD surveyed the commercial marketplace for such a technology as had been requested and found a close fit with the Mandylion Password Managers already in use by many DoD activities.
“Mandylion’s involvement in the ACTD was the single most important event in the Company’s history,” stated Joe Grajewski, President and founder of Mandylion Labs. “Far better than any traditional Wall Street backing, the program gave us not only funding to rapidly mature our technology, but it also provided us with a built-in and motivated customer base which provided critical feedback in each step of the maturity,” he added. Participating in the ACTD provided Mandylion with high-level exposure within the DoD as well as in a number of Civilian Agencies working with the DoD in the area of homeland defense.
Commercial Product Quickly Matured
“The first generation of the Mandylion password manager token, although unique and packed with functionality, was not for the faint of heart,” admitted Mandylion’s Grajewski. “It erred on the side of security and, as such, was difficult to configure for the average user, though it was a hit with security conscientious administrators.” “There is absolutely nothing out on the market like it, period,” stated Erik Fortin of Vermont Electric, a New England electric utility and customer of Mandylion. “It’s that simple standalone tool that anyone who is using passwords needs, but for some reason, the industry seemed to overlook in favor of providing costly and proprietary solutions to replace passwords, and in most of my environments, that just isn’t reality,” he added. Combatant Commanders agree.
The ACTD matured the technology from “cult gadget” into a true enterprise “tool” via participation and feedback in two worldwide Military exercises, Joint Warfare Interoperability Demonstration (JWID) and over 60 DoD and Civilian Agency pilot programs funded by the ACTD.
The new token is actually now a platform with a great deal of configuration and integration options. It comes with configuration software and cradles which now allow an administrator to quickly and securely configure multiple tokens on behalf of a group of users. The login policies, user screen names, and the generation, storage and update of up to 50 simultaneous login records can now be managed with this next-generation token. It is not to be confused with the one-time password tokens, which have been around for 20 years and have limited appeal due to their cost and complexity, or with smart cards; both require complex coordination and installation of software on each client PC. The Mandylion solution is used where these alternatives to passwords are not practical or cost/risk justified.
“In addition to the customer exposure, another benefit of participating in the ACTD is the acceleration of product and technology certifications,” stated Mr. David Schoenbrot, Vice President of Mandylion. “The DoD is a vast and complex organization. Before any technology can be fielded, it must be evaluated by a number of activities in relationship to various regulations and standards,” he added. “This can be a very daunting process, especially for a small technology business with limited resources. With the desire to mature and field successful ACTD technology as rapidly as possible, OSD and our Co-Sponsor DISA provided invaluable mentoring throughout the various certification and policy reviews,” added Schoenbrot.
“When there is a pressing need for a technology and a sponsor willing to shepherd it through the certification process, navigating the various authorities and their responsibilities ‘almost’ makes sense,” joked Schoenbrot about this onerous task of having a product reviewed and approved for use in the DoD. “With an ACTD program manager attending a meeting, the typical ‘what if’, ‘academic discussions’ and ‘pontifications’ about the use and misuse of a technology are quickly replaced with an air of ‘can do’ cooperation and the formulation of logical game plans to get the technology reviewed, sanctioned and deployed,” Schoenbrot added.
“A saving grace for Mandylion as well as many other technology vendors was the final issuance of DoD 8500,” stated Mr. Grajewski. DoD Directive 8500, issued in 2002, is the definitive policy statement on Information Assurance within the Department of Defense. “8500 clarified and unified all the disparate, and at times contradictory, conventions, regulations and practices on any technology that have developed in each of the branches over the years which even remotely touches on information security,” stated Mr. Grajewski. “8500 met its stated goal of providing the Branches with clear guidance as to what technology and in what environments requires certification, and more importantly, which ones do not,” he added. “As it turns out, the Mandylion technology required no special certifications for routine use on almost any DoD system,” Mr. Grajewski stated. The Department of the Army issued Army Regulation 25-IA in the Fall of 2003, officially sanctioning the use of password generator tokens when they are used as memory aids.
About the Technology
Mandylion Labs developed and patented this innovative and inexpensive password manager in a 6-year development effort. It is a key-chain-sized device that helps any user instantly create cryptographically strong passwords that immediately work with any web site, login or system. To ensure purely random passcodes, algorithms embedded within the token’s firmware continuously sense and take input from the user's random and unique interaction with the device. This random data is utilized by the algorithms in generating passwords which can be throttled to meet any password policy as to length, composition and renewal period.
A key feature is that the device functions as a memory aid for the secure and convenient storage of a user’s passwords along with their automatic update. The technology was designed to do away with the inherent weaknesses traditionally associated with the use of passwords, namely the individual being asked to create, remember and regularly change their passwords. Passwords created with the device thwart all known brute-force and dictionary-type hacking attacks.
Originally developed for U.S. military and national security applications, more advanced versions of the device have the ability to embed user identifying watermarks within the passwords generated. The biometric version of the unit can asymmetrically bio-authenticate the individual logging in to an ordinary web site.
About Mandylion Research Labs
In 1998, Mandylion Labs originated a simple and intuitive concept toward password management. Today, we're recognized as the leading innovator in access control utilizing durable password techniques. Government, Corporations and ISPs use our solutions to reduce the cost and complexity of managing their access control systems in the Windows NT, Unix and Linux environments while increasing the enterprise's entire baseline of data security. Mandylion products provide organizations with a least-cost tool for compliance with the information assurance requirements of Sarbanes-Oxley, Gramm-Leach-Bliley, FISMA
The Company is located in Vienna, Va. Our number is 703 – 628 4284.
Our e-mail address is