Military Communications and Information Technology: A Trusted ...
Share Embed Flag
Download ePaper

Military Communications and Information Technology: A Trusted ...

Military Communications and Information Technology: A Trusted ... Military Communications and Information Technology: A Trusted ...

wil.waw.pl
22.01.2015 Views

448 Military Communications and Information Technology... Attribution in the context of security policy breaks requires keeping a log of the changes made to the permissions. A security policy break translates into unauthorized insertion, removal or modification of security metadata. This can include (but are not limited to): Insertion of additional block keys (to leak information); Insertion of additional public keys (to enable modification); Downgrading the (MLS-related) classification labels; Changing or adding administrator information and certification. To enforce attribution and rollback of the security metadata, we introduce per-element metadata-history to the schema. Rollback cannot naturally be fully realized, if the whole history-information is deleted from the document, but this is left for the availability-function of the Storage (cloud), and outside the scope of the schema. The metadata history is always signed as a whole by the Filter itself. This is because of the principle of separation of duties: roles administering security policy should not also track the changes made by themselves. Metadata history contains copies of the security metadata appended with a timestamp and identity of the original signatory of that particular instance (an ADMIN-User or the Owner). The ADMIN-user or (originally) the Owner is responsible for creating and changing the security policy reflected in the security metadata. The principle in the modification is to create a new copy based on the old metadata and move the old copy to the history. The responsibility for the metadata is reflected in a subelement of the security metadata structure, containing the list of the administrator roles, and finally a signature by one of these administrators. Administrator role information must include a PKMA-dependent certification from the Owner. E. Design principles: MLS considerations Multi-level security is considered here from the document perspective only. The CBIS-schema presented here does not account for the User clearance – if IBCbased PKMA is used, the user clearance can be encoded in the encrypted block key, but for other PKMAs this is left for the application. (Which is why we recommend using IBC to achieve a fuller cryptographic enforcement of the security levels than just key management.) The security label exists in the document metadata. Its correctness is enforced by an ADMIN-user’s signature (together with a delegation certification from the Owner) and it is bound to the content by the compound signatures of the content and metadata. (Signed by the Filter, as this is an administrative function). The security label presents a performance issue in the XML-document tree hierarchy, if the structure is very fine-grained ([12, 14]): in order to establish if a user has clearance to the lowest levels of the hierarchy, all of the nodes need to be traversed. To enable more efficient processing, two strategies are possible:

Chapter 4: Information Assurance & Cyber Defence 449 • Structure the document according to the security labels, leaving the natural structuring to be automated “somehow” or, • Include additionals elements for informational purposes, which declare the highest and lowest classification levels of the subelements. If the User’s clearance is higher (or equal) than the highest classification of the subelements, the whole subtree can be copied to the filtered document. However, if the user’s clearance is lower than the lowest element, the whole subtree can be pruned. If these are left unspecified or user clearance lies in between these two, the subtree needs to be traversed at least one level further. The first alternative provides simpler bookkeeping on the security levels, but would likely result in a nightmare in recreating the original document. Thus we chose the latter alternative, even though it requires some bookkeeping in the document creation and modification phase. The correct enforcement of MLS is checking that information does not leak from “high” to “low” domains, which in this context means: • Labels are correctly bound to their content: this is partly the responsibility of the original document creator; after that it is enforced by a per-element compount signature by the Filter and the per-security attribute signature by an ADMIN-user • No highly classified information can be viewed by persons with lower clearance: the contents are cryptographically separated, and if the lower clearance user is not allowed the keys of the content out-of-her-bounds, the probability of leaks reduces to that of breaking the cryptographic primitives or incorrect key management. F. Design principles: hierarchy As the CBIS document includes multiple types of signatures, their characteristics may become blurred, if the signature types and their targets are not pinned down in the XML document tree hierarchy. We then make the following hierarchical conventions (Fig. 3): • There is one main element type hosting the main body of CBIS-related information (cbis:element), and another type hosting all the security metadata (cbis:securityMetadata). • The content is an immediate child of cbis:element • Security metadata is an immediate child of cbis:element • The content-related signatures are immediate children of cbis:securityMetadata. • The compound signature of all the subelements of an cbis:element is an immediate child of that element’s cbis:securityMetadata. The signed subelements include also possible children of the type cbis:element.

448 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />

Attribution in the context of security policy breaks requires keeping a log<br />

of the changes made to the permissions. A security policy break translates into<br />

unauthorized insertion, removal or modification of security metadata. This can include<br />

(but are not limited to): Insertion of additional block keys (to leak information);<br />

Insertion of additional public keys (to enable modification); Downgrading<br />

the (MLS-related) classification labels; Changing or adding administrator information<br />

<strong>and</strong> certification.<br />

To enforce attribution <strong>and</strong> rollback of the security metadata, we introduce<br />

per-element metadata-history to the schema. Rollback cannot naturally be fully<br />

realized, if the whole history-information is deleted from the document, but this<br />

is left for the availability-function of the Storage (cloud), <strong>and</strong> outside the scope<br />

of the schema.<br />

The metadata history is always signed as a whole by the Filter itself. This is because<br />

of the principle of separation of duties: roles administering security policy<br />

should not also track the changes made by themselves.<br />

Metadata history contains copies of the security metadata appended with<br />

a timestamp <strong>and</strong> identity of the original signatory of that particular instance<br />

(an ADMIN-User or the Owner).<br />

The ADMIN-user or (originally) the Owner is responsible for creating <strong>and</strong><br />

changing the security policy reflected in the security metadata. The principle<br />

in the modification is to create a new copy based on the old metadata <strong>and</strong> move<br />

the old copy to the history. The responsibility for the metadata is reflected in a subelement<br />

of the security metadata structure, containing the list of the administrator<br />

roles, <strong>and</strong> finally a signature by one of these administrators. Administrator role<br />

information must include a PKMA-dependent certification from the Owner.<br />

E. Design principles: MLS considerations<br />

Multi-level security is considered here from the document perspective only.<br />

The CBIS-schema presented here does not account for the User clearance – if IBCbased<br />

PKMA is used, the user clearance can be encoded in the encrypted block<br />

key, but for other PKMAs this is left for the application. (Which is why we recommend<br />

using IBC to achieve a fuller cryptographic enforcement of the security levels<br />

than just key management.)<br />

The security label exists in the document metadata. Its correctness is enforced<br />

by an ADMIN-user’s signature (together with a delegation certification from<br />

the Owner) <strong>and</strong> it is bound to the content by the compound signatures of the content<br />

<strong>and</strong> metadata. (Signed by the Filter, as this is an administrative function).<br />

The security label presents a performance issue in the XML-document tree<br />

hierarchy, if the structure is very fine-grained ([12, 14]): in order to establish<br />

if a user has clearance to the lowest levels of the hierarchy, all of the nodes need<br />

to be traversed. To enable more efficient processing, two strategies are possible:

logo

products

Resources

Company

Terms of service
Privacy policy
Cookie policy
Cookie settings
Imprint
Change language
Made with love in Switzerland
© 2024 Yumpu.com all rights reserved

Hooray! Your file is uploaded and ready to be published.

Saved successfully!

Ooh no, something went wrong!