Military Communications and Information Technology: A Trusted ...
Military Communications and Information Technology: A Trusted ... Military Communications and Information Technology: A Trusted ...
134 Military Communications and Information Technology... III. The prototype configuration For an experimental evaluation of these principles (cf. Section X) a prototype was developed with the following services in mind: A. Protected service invocation A client in the NGO network should be able to invoke a positioning service in the classified network, and to receive the GPS coordinates of a mobile military unit. The service requires mutual cross domain authentication across the CiMi interface, role based access control decisions, and data inspection by the guard in order for the invocation to succeed. B. Secure chat The mobile client may write text messages to other users on a chat client program. The chat messages must be protected in the same manner as service invocation messages using the same cryptographic mechanisms. There is no need for end-to-end authentication, and a simple authentication mechanism provided by the chat server is sufficient. The chat message service covers users connected to the NGO network or the unclassified military network, but the chat server will reside in the military network. C. Configuration details Figure 1 outlines the structure of the prototype. It consists of the following actors: • An Android smartphone, acting as an NGO terminal for chat and protected service invocation. • A chat server for the XMPP chat protocol. This server will forward both chat messages and service invocation messages. • Two Identity Providers (IdP), one for the NGO domain and one for the military domain. They provide identity information for authentication operations. The details of the IdP will be explained in Section IV. • An application server, residing in the military domain, hosts application services or proxies for Web Services. • A SOAP guard, which connects the military classified and unclassified networks. It ensures that only correctly labeled data is passed from the classified to the unclassified part. • Other chat clients which use the XMPP protocol. They are connected to the XMPP server.
Chapter 2: Communications and Information Technology for Trusted... 135 The XMPP protocol is used for the transport of chat messages as well as messages for the protected service invocation. Clients or services need to connect (and log in to) the server in order to participate in any of the two services. The XMPP chat server is the only connection between the NGO nodes and the military nodes, and there is no IP route between the two networks. The figure also shows that connections outside the physical control of a wired military network is protected with IPSec tunnels. Figure 1. Outline of the experimental prototype for the demonstration of CiMi communication IV. Introduction to identity management (Most of the text in the following 4 sections are previously published in [2]). Identity Management (IdM) are collection of services and procedures for maintaining subject information (key pair, roles) and to issue credentials for the purpose of authentication, message protection and access control. From the client perspective, the credentials issued by the IdM services enables it to access many services inside a community under the protection of mutual authentication and encryption. From the server perspective, IdM enables it to offer credentials to clients in order to provide mutual authentication. The arrangement of an IdM resembles the Public Key Infrastructure (PKI), in the sense that a Certificate Authority (CA) can issue public key certificates which binds an identity to a public key in a way that can be validated by a relying party. The binding is made by the CA’s signature using a well known and trusted key.
- Page 84 and 85: 84 Military Communications and Info
- Page 86 and 87: 86 Military Communications and Info
- Page 88 and 89: 88 Military Communications and Info
- Page 90 and 91: 90 Military Communications and Info
- Page 92 and 93: 92 Military Communications and Info
- Page 94 and 95: 94 Military Communications and Info
- Page 96 and 97: 96 Military Communications and Info
- Page 98 and 99: 98 Military Communications and Info
- Page 100 and 101: 100 Military Communications and Inf
- Page 103: Chapter 2 Communications and Inform
- Page 106 and 107: 106 Military Communications and Inf
- Page 108 and 109: 108 Military Communications and Inf
- Page 110 and 111: 110 Military Communications and Inf
- Page 112 and 113: 112 Military Communications and Inf
- Page 114 and 115: 114 Military Communications and Inf
- Page 116 and 117: 116 Military Communications and Inf
- Page 118 and 119: 118 Military Communications and Inf
- Page 120 and 121: 120 Military Communications and Inf
- Page 122 and 123: 122 Military Communications and Inf
- Page 124 and 125: 124 Military Communications and Inf
- Page 126 and 127: 126 Military Communications and Inf
- Page 128 and 129: 128 Military Communications and Inf
- Page 130 and 131: 130 Military Communications and Inf
- Page 132 and 133: 132 Military Communications and Inf
- Page 136 and 137: 136 Military Communications and Inf
- Page 138 and 139: 138 Military Communications and Inf
- Page 140 and 141: 140 Military Communications and Inf
- Page 142 and 143: 142 Military Communications and Inf
- Page 144 and 145: 144 Military Communications and Inf
- Page 146 and 147: 146 Military Communications and Inf
- Page 149 and 150: Use of Cross Domain Guards for CoNS
- Page 151 and 152: Chapter 2: Communications and Infor
- Page 153 and 154: Chapter 2: Communications and Infor
- Page 155 and 156: Chapter 2: Communications and Infor
- Page 157 and 158: Chapter 2: Communications and Infor
- Page 159: Chapter 2: Communications and Infor
- Page 162 and 163: 162 Military Communications and Inf
- Page 164 and 165: 164 Military Communications and Inf
- Page 166 and 167: 166 Military Communications and Inf
- Page 168 and 169: 168 Military Communications and Inf
- Page 170 and 171: 170 Military Communications and Inf
- Page 172 and 173: 172 Military Communications and Inf
- Page 174 and 175: 174 Military Communications and Inf
- Page 176 and 177: 176 Military Communications and Inf
- Page 178 and 179: 178 Military Communications and Inf
- Page 180 and 181: 180 Military Communications and Inf
- Page 182 and 183: 182 Military Communications and Inf
134 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
III. The prototype configuration<br />
For an experimental evaluation of these principles (cf. Section X) a prototype<br />
was developed with the following services in mind:<br />
A. Protected service invocation<br />
A client in the NGO network should be able to invoke a positioning service<br />
in the classified network, <strong>and</strong> to receive the GPS coordinates of a mobile military<br />
unit. The service requires mutual cross domain authentication across the CiMi<br />
interface, role based access control decisions, <strong>and</strong> data inspection by the guard<br />
in order for the invocation to succeed.<br />
B. Secure chat<br />
The mobile client may write text messages to other users on a chat client<br />
program. The chat messages must be protected in the same manner as service<br />
invocation messages using the same cryptographic mechanisms. There is no need<br />
for end-to-end authentication, <strong>and</strong> a simple authentication mechanism provided<br />
by the chat server is sufficient. The chat message service covers users connected<br />
to the NGO network or the unclassified military network, but the chat server will<br />
reside in the military network.<br />
C. Configuration details<br />
Figure 1 outlines the structure of the prototype. It consists of the following<br />
actors:<br />
• An Android smartphone, acting as an NGO terminal for chat <strong>and</strong> protected<br />
service invocation.<br />
• A chat server for the XMPP chat protocol. This server will forward both<br />
chat messages <strong>and</strong> service invocation messages.<br />
• Two Identity Providers (IdP), one for the NGO domain <strong>and</strong> one for the military<br />
domain. They provide identity information for authentication operations.<br />
The details of the IdP will be explained in Section IV.<br />
• An application server, residing in the military domain, hosts application<br />
services or proxies for Web Services.<br />
• A SOAP guard, which connects the military classified <strong>and</strong> unclassified<br />
networks. It ensures that only correctly labeled data is passed from the classified<br />
to the unclassified part.<br />
• Other chat clients which use the XMPP protocol. They are connected to<br />
the XMPP server.