DOCUMENT-BASED MESSAGE-CENTRIC SECURITY USING XML

AUTHENTICATION AND ENCRYPTION FOR COALITION AND INTERAGENCY

OPERATIONS

LCDR Jeffrey S. Williams

Naval Postgraduate School

September 9, 2009This thesis was done at the MOVES Institute

Problem Statement

• Different agencies and different nations are not able to communicate and share structured information – Different data formats– Different security policies

• The current evolution of data and security policies by different agencies and nations will not solve this problem.

Motivation

• Show that existing web standards for document security can be commonly applied across a range of scenarios.– Canonicalization (C14N)– Authentication (digital signature)– Encryption– Compression

• Demonstrate a meaningful exemplar that can work for multiple agencies and nations

Exemplar Scenario

• Coalition Operations for antipiracy– Task Force 151 and NATO ATALANTA– Approx. 30 nations, variable membership– Shared need for document security– Diverse communication channels: NATO

messaging, “free formatted” messaging, e-mail, and bridge-to-bridge radio!

• Assume secure endpoints and non-secure transport for any message

International Navies Concerns

Problem Constraints

• Allow a diverse communications framework to securely enable shared/common data exchange between traditional and nontraditional actors.

• Provide a mechanism with minimal exchange of cryptographic technology by implementing open standard technology.– No nation trusts another nation’s security software– World Wide Web security is a potential for

international standardization because multiple independent implementations are available.

– Can substitute alternative cryptographic algorithms

Key Exchange

Public Key Cryptography has well-defined formal mechanisms for defining secure operations.

• Step 1. B A: {Nb, B}KB

• Step 2. A B: {Nb, Na, A}KA

• Step 3. B A: {Na}KB

XML Digital Signature Process

Digital Signature

http://www.xml.com/pub/a/2001/08/08/xmldsig.html

XML Encryption Process

Recommended Best Practice

XML Encryption

Goal of EXI integration with XML Security

Encryption-EncryptedData (Element Node) +[Attribute] - EncryptionMethod (Element Node) +[Attribute] - KeyInfo (Element Node) - EncryptedKey (Element Node) + EncryptionMethod (Element Node) - KeyInfo (Element Node) +KeyName (Element Node) + CipherData (Element Node) - CipherValue (Element Node) - CipherData (Element Node) + CipherValue

<EncryptedData Id? Type? MimeType? Encoding?> <EncryptionMethod/>? <ds:KeyInfo> <EncryptedKey>? <AgreementMethod>? <ds:KeyName>? <ds:RetrievalMethod>? <ds:*>? </ds:KeyInfo>? <CipherData> <CipherValue>? <CipherReference URI?>? </CipherData> <EncryptionProperties>? </EncryptedData>

http://www.w3.org/TR/xmlenc-core/http://dotnetslackers.com/articles/xml/XMLEncryption.aspx

XML Decryption Process

Conclusions

• XML Security is a feasible approach for multiple agency and coalition operations.

• This thesis demonstrates practical results for a meaningful scenario

• The approach works for any type of XML.

Future Work• Certification and Accreditation of XML Encryption and

Authentication for the unclassified Architecture • Contrast of XML Security with SSL and TLS• Mitigation techniques and tactics to isolate risks

associated with Web Based Security methods.• Applicability of XML Encryption for real time web

services • Application of XML encryption and authentication

techniques within the classified arena• A Comparative Analysis and potential for document

centric security using XML in support of CENTRIXS and Coalition Secure Management and Operations System (COSMOS)

Contact Information• Jeff Williams jswillia@nps.edu

jeffrey.williams2@navy.milskype: williams6us

• Don Brutzman brutzman@nps.eduCode USW/br

Naval Postgraduate School Monterey, CA 93943 1-831-656-2149

Brief Biography of LCDR Williams USN/1600

• LCDR Williams joined the Navy in 1987 through the Delayed Entry Program (DEP). He was commissioned through NROTC Atlanta Consortium via the BOOST program.

• Since his commission in 1996 he has served at the following commands: – USS ESSEX (LHD-2)

– Military Sealift Command Office (MSCO) Beaumont TX

– Naval Network and Space Operations Command (NNSOC)

– Destroyer Squadron Two Six (CDS-26)

– Naval Postgraduate School (NPS)

• Next Assignment: – Network Engineer Program Manager, Brussels Belgium

• Industry Certifications– CISSP, CISA, CWSP, Security+, Network+, I-NET+, A+

Acknowledgements• The thesis was developed under the guidance of Prof.

Don Brutzman, PhD. Naval Postgraduate School and second reader Don McGregor, Research Associate Naval Postgraduate School at the Modeling Virtual Environment and Simulation (MOVES) Institute.

• The Scenario Authoring for Visual Graphical Environments (SAVAGE) team’s expertise in the development and processing of information contributing to the proof of concept formulations.

• Course work and further guidance from the Naval Postgraduate School Center of Information Security Research (CISR) contributed greatly in understanding and articulating key security concepts.