Military Communications and Information Technology: A Trusted ...
Share Embed Flag
Download ePaper

Military Communications and Information Technology: A Trusted ...

Military Communications and Information Technology: A Trusted ... Military Communications and Information Technology: A Trusted ...

wil.waw.pl
22.01.2015 Views

444 Military Communications and Information Technology... The data is assumed to be stored in the “cloud”, i.e. somewhere else than where the actual creators, modifiers, viewers and removers of the data reside. This cloud has several storage providers, which collectively are assumed to have the following properties: The cloud focuses on availability, and there is always one “clean” copy of a desired document available (after some time or a number of checks). The cloud is not able to discern between clean and corrupted documents. The cloud is also able to push authorized changes to a document eventually to other copies throughout its sphere of influence Figure 2. Environment for the CBIS documents The roles related to handling of data are as follows: • Data Owner is responsible for the data and decides the access control policy and approves its change policy. Each document has a unique owner, who controls all the sub-elements of the document. • Users are the “consumers” of the data blob. A User has READ- and/or WRITE-permissions to a set of element. If the user has READ-permissions, she is able to decrypt the content; if she has WRITE-permissions, her edits can be considered valid via her digital signature. Some users can act on the behalf of the Owner, and have ADMIN-permissions (permissions to order changes to the permissions from the Filter) • Storage is one element in the cloud where the documents physically may reside. Storage servers are not trusted to view or modify (including filtering and other reference monitor duties) content, but they are trusted to handle

Chapter 4: Information Assurance & Cyber Defence 445 versioning and storage functions. Storage does not perform high-assurance authentication of document requests, so it is assumed to be easy to bypass the Filter-edge of the cloud. • Filters form the “smart edge” of the cloud. They relay the functions between Users, Owners and Storage. Filters are semi-trusted in that they are allowed to perform administrative functions inside a document, but they are not trusted to see or alter the actual content or the security policy. Filters’ primary objective is to exercise RTK-level control to the content, and remove those parts of the document the User is not cleared to. User must be able to check the completeness of the document, so Filter must provide her with sufficient verification information. IV. Schema design principles A. Previous work The definition work on CBIS, [12], identified some necessary elements and their interrelations on the structured document. However, these were purely motivated from the CBIS needs, and not very detailed or standard-oriented. The actual structured format was canonized and integrated into other data models in an internal work together with Finnish defence industry [14]. This resulted in an actual schema, but too heavily tied to existing PKI and referencemonitor-based thinking (it could not enforce actual CAC). Furthermore, the first version of the schema did not elaborate the effect of dynamic compound signatures resulting from the need to restructure the document passing an MLS-filter (which removes classified parts exceeding the User’s clearance). B. Design principles: key managent architecture independency The main motivation for this work was to establish a concrete and canonized specification for the CBIS document structure that would last over the different developmental phases and public-key management architectures. Thus there is a type of cryptographic interface the schema should comply to. This interface is constructed based on the least common denominator (of the PKMAs): • Content is enciphered with a block cipher and the block cipher key (block key) itself is encrypted. The schema should not make more reservations than this to the key management. • Content can be represented by the output of a secure hash-function • The content integrity is enforced by signatures (but their exact type is not specified) • If the permission type is WRITE, the space occupied by the block key is used to host the public key needed for verification. Note that the User Agent

Chapter 4: <strong>Information</strong> Assurance & Cyber Defence<br />

445<br />

versioning <strong>and</strong> storage functions. Storage does not perform high-assurance<br />

authentication of document requests, so it is assumed to be easy to bypass<br />

the Filter-edge of the cloud.<br />

• Filters form the “smart edge” of the cloud. They relay the functions between<br />

Users, Owners <strong>and</strong> Storage. Filters are semi-trusted in that they are<br />

allowed to perform administrative functions inside a document, but they<br />

are not trusted to see or alter the actual content or the security policy. Filters’<br />

primary objective is to exercise RTK-level control to the content, <strong>and</strong><br />

remove those parts of the document the User is not cleared to. User must<br />

be able to check the completeness of the document, so Filter must provide<br />

her with sufficient verification information.<br />

IV. Schema design principles<br />

A. Previous work<br />

The definition work on CBIS, [12], identified some necessary elements <strong>and</strong> their<br />

interrelations on the structured document. However, these were purely motivated<br />

from the CBIS needs, <strong>and</strong> not very detailed or st<strong>and</strong>ard-oriented.<br />

The actual structured format was canonized <strong>and</strong> integrated into other data<br />

models in an internal work together with Finnish defence industry [14]. This<br />

resulted in an actual schema, but too heavily tied to existing PKI <strong>and</strong> referencemonitor-based<br />

thinking (it could not enforce actual CAC). Furthermore, the first<br />

version of the schema did not elaborate the effect of dynamic compound signatures<br />

resulting from the need to restructure the document passing an MLS-filter (which<br />

removes classified parts exceeding the User’s clearance).<br />

B. Design principles: key managent architecture independency<br />

The main motivation for this work was to establish a concrete <strong>and</strong> canonized<br />

specification for the CBIS document structure that would last over the different<br />

developmental phases <strong>and</strong> public-key management architectures. Thus there<br />

is a type of cryptographic interface the schema should comply to. This interface<br />

is constructed based on the least common denominator (of the PKMAs):<br />

• Content is enciphered with a block cipher <strong>and</strong> the block cipher key (block<br />

key) itself is encrypted. The schema should not make more reservations<br />

than this to the key management.<br />

• Content can be represented by the output of a secure hash-function<br />

• The content integrity is enforced by signatures (but their exact type is not<br />

specified)<br />

• If the permission type is WRITE, the space occupied by the block key is used<br />

to host the public key needed for verification. Note that the User Agent

logo

products

Resources

Company

Terms of service
Privacy policy
Cookie policy
Cookie settings
Imprint
Change language
Made with love in Switzerland
© 2024 Yumpu.com all rights reserved

Hooray! Your file is uploaded and ready to be published.

Saved successfully!

Ooh no, something went wrong!