Military Communications and Information Technology: A Trusted ...
Military Communications and Information Technology: A Trusted ... Military Communications and Information Technology: A Trusted ...
444 Military Communications and Information Technology... The data is assumed to be stored in the “cloud”, i.e. somewhere else than where the actual creators, modifiers, viewers and removers of the data reside. This cloud has several storage providers, which collectively are assumed to have the following properties: The cloud focuses on availability, and there is always one “clean” copy of a desired document available (after some time or a number of checks). The cloud is not able to discern between clean and corrupted documents. The cloud is also able to push authorized changes to a document eventually to other copies throughout its sphere of influence Figure 2. Environment for the CBIS documents The roles related to handling of data are as follows: • Data Owner is responsible for the data and decides the access control policy and approves its change policy. Each document has a unique owner, who controls all the sub-elements of the document. • Users are the “consumers” of the data blob. A User has READ- and/or WRITE-permissions to a set of element. If the user has READ-permissions, she is able to decrypt the content; if she has WRITE-permissions, her edits can be considered valid via her digital signature. Some users can act on the behalf of the Owner, and have ADMIN-permissions (permissions to order changes to the permissions from the Filter) • Storage is one element in the cloud where the documents physically may reside. Storage servers are not trusted to view or modify (including filtering and other reference monitor duties) content, but they are trusted to handle
Chapter 4: Information Assurance & Cyber Defence 445 versioning and storage functions. Storage does not perform high-assurance authentication of document requests, so it is assumed to be easy to bypass the Filter-edge of the cloud. • Filters form the “smart edge” of the cloud. They relay the functions between Users, Owners and Storage. Filters are semi-trusted in that they are allowed to perform administrative functions inside a document, but they are not trusted to see or alter the actual content or the security policy. Filters’ primary objective is to exercise RTK-level control to the content, and remove those parts of the document the User is not cleared to. User must be able to check the completeness of the document, so Filter must provide her with sufficient verification information. IV. Schema design principles A. Previous work The definition work on CBIS, [12], identified some necessary elements and their interrelations on the structured document. However, these were purely motivated from the CBIS needs, and not very detailed or standard-oriented. The actual structured format was canonized and integrated into other data models in an internal work together with Finnish defence industry [14]. This resulted in an actual schema, but too heavily tied to existing PKI and referencemonitor-based thinking (it could not enforce actual CAC). Furthermore, the first version of the schema did not elaborate the effect of dynamic compound signatures resulting from the need to restructure the document passing an MLS-filter (which removes classified parts exceeding the User’s clearance). B. Design principles: key managent architecture independency The main motivation for this work was to establish a concrete and canonized specification for the CBIS document structure that would last over the different developmental phases and public-key management architectures. Thus there is a type of cryptographic interface the schema should comply to. This interface is constructed based on the least common denominator (of the PKMAs): • Content is enciphered with a block cipher and the block cipher key (block key) itself is encrypted. The schema should not make more reservations than this to the key management. • Content can be represented by the output of a secure hash-function • The content integrity is enforced by signatures (but their exact type is not specified) • If the permission type is WRITE, the space occupied by the block key is used to host the public key needed for verification. Note that the User Agent
- Page 393 and 394: Chapter 4: Information Assurance &
- Page 395 and 396: Network Traffic Characteristics for
- Page 397 and 398: Chapter 4: Information Assurance &
- Page 399 and 400: Chapter 4: Information Assurance &
- Page 401 and 402: Chapter 4: Information Assurance &
- Page 403 and 404: Chapter 4: Information Assurance &
- Page 405 and 406: Chapter 4: Information Assurance &
- Page 407 and 408: Chapter 4: Information Assurance &
- Page 409 and 410: Chapter 4: Information Assurance &
- Page 411 and 412: Chapter 4: Information Assurance &
- Page 413 and 414: Chapter 4: Information Assurance &
- Page 415 and 416: Methodology for Gathering Data Conc
- Page 417 and 418: Chapter 4: Information Assurance &
- Page 419 and 420: Chapter 4: Information Assurance &
- Page 421 and 422: Chapter 4: Information Assurance &
- Page 423 and 424: Chapter 4: Information Assurance &
- Page 425 and 426: Chapter 4: Information Assurance &
- Page 427 and 428: Chapter 4: Information Assurance &
- Page 429: Chapter 4: Information Assurance &
- Page 432 and 433: 432 Military Communications and Inf
- Page 434 and 435: 434 Military Communications and Inf
- Page 436 and 437: 436 Military Communications and Inf
- Page 439 and 440: On Multi-Level Secure Structured Co
- Page 441 and 442: Chapter 4: Information Assurance &
- Page 443: Chapter 4: Information Assurance &
- Page 447 and 448: Chapter 4: Information Assurance &
- Page 449 and 450: Chapter 4: Information Assurance &
- Page 451 and 452: Chapter 4: Information Assurance &
- Page 453 and 454: Chapter 4: Information Assurance &
- Page 455 and 456: Generation of Nonlinear Feedback Sh
- Page 457 and 458: Chapter 4: Information Assurance &
- Page 459 and 460: Chapter 4: Information Assurance &
- Page 461 and 462: Chapter 4: Information Assurance &
- Page 463: Chapter 4: Information Assurance &
- Page 466 and 467: 466 Military Communications and Inf
- Page 468 and 469: 468 Military Communications and Inf
- Page 470 and 471: 470 Military Communications and Inf
- Page 472 and 473: 472 Military Communications and Inf
- Page 474 and 475: 474 Military Communications and Inf
- Page 476 and 477: 476 Military Communications and Inf
- Page 478 and 479: 478 Military Communications and Inf
- Page 480 and 481: 480 Military Communications and Inf
- Page 482 and 483: 482 Military Communications and Inf
- Page 485 and 486: Modern Usage of “Old” One-Time
- Page 487 and 488: Chapter 4: Information Assurance &
- Page 489 and 490: Chapter 4: Information Assurance &
- Page 491 and 492: Chapter 4: Information Assurance &
- Page 493 and 494: Chapter 4: Information Assurance &
Chapter 4: <strong>Information</strong> Assurance & Cyber Defence<br />
445<br />
versioning <strong>and</strong> storage functions. Storage does not perform high-assurance<br />
authentication of document requests, so it is assumed to be easy to bypass<br />
the Filter-edge of the cloud.<br />
• Filters form the “smart edge” of the cloud. They relay the functions between<br />
Users, Owners <strong>and</strong> Storage. Filters are semi-trusted in that they are<br />
allowed to perform administrative functions inside a document, but they<br />
are not trusted to see or alter the actual content or the security policy. Filters’<br />
primary objective is to exercise RTK-level control to the content, <strong>and</strong><br />
remove those parts of the document the User is not cleared to. User must<br />
be able to check the completeness of the document, so Filter must provide<br />
her with sufficient verification information.<br />
IV. Schema design principles<br />
A. Previous work<br />
The definition work on CBIS, [12], identified some necessary elements <strong>and</strong> their<br />
interrelations on the structured document. However, these were purely motivated<br />
from the CBIS needs, <strong>and</strong> not very detailed or st<strong>and</strong>ard-oriented.<br />
The actual structured format was canonized <strong>and</strong> integrated into other data<br />
models in an internal work together with Finnish defence industry [14]. This<br />
resulted in an actual schema, but too heavily tied to existing PKI <strong>and</strong> referencemonitor-based<br />
thinking (it could not enforce actual CAC). Furthermore, the first<br />
version of the schema did not elaborate the effect of dynamic compound signatures<br />
resulting from the need to restructure the document passing an MLS-filter (which<br />
removes classified parts exceeding the User’s clearance).<br />
B. Design principles: key managent architecture independency<br />
The main motivation for this work was to establish a concrete <strong>and</strong> canonized<br />
specification for the CBIS document structure that would last over the different<br />
developmental phases <strong>and</strong> public-key management architectures. Thus there<br />
is a type of cryptographic interface the schema should comply to. This interface<br />
is constructed based on the least common denominator (of the PKMAs):<br />
• Content is enciphered with a block cipher <strong>and</strong> the block cipher key (block<br />
key) itself is encrypted. The schema should not make more reservations<br />
than this to the key management.<br />
• Content can be represented by the output of a secure hash-function<br />
• The content integrity is enforced by signatures (but their exact type is not<br />
specified)<br />
• If the permission type is WRITE, the space occupied by the block key is used<br />
to host the public key needed for verification. Note that the User Agent