BOXML MAJIIC ISRIS
As the Web Service XKMS security vender Bestning
Technologies is leading the way in the Multi-sensor Aerospace-ground Joint ISR
Interoperability Coalition (MAJIIC).
Its BOXML,a triple dimensions XML security tool, can
provide time stamp
solution to accreditation transformation, multiple signature solution to national intelligence certification, and dynamic encryption solution to sensitive compartmented information (SCI) .
MAJIIC develops common data
formats, common interfaces and XML schemas to share ISR data in near-real time
. MAJIIC deals only with data and doesn’t care what
sensor it comes from. MAJIIC eventually would support Web services capabilities for the
military’s Distributed Common Ground System. Administrators frequently spend a lot of time
managing user names and passwords creation, suspension, privilege modification,
and account deletion authorization, authentication and provisioning. The warfighter logs on using various passwords to query a
secure server directly for ISR which was previously
time consuming and expensive for administrators to manage. Managing identities
becomes more complex as the number of users, applications and systems grows, it
is not only for users who have to
remember the right IDs and passwords to use each of their applications but also
for administrators who have to track and manage it all. MaJIIC
would have single-sign-on capability through DOD’s public-key infrastructure. MaJIIC users could find out what data
services were available at a single Web interface, without having to ping each
server.
Single sign-on is a simple and effective way to access data from multiple sources .
The Intelligence, Surveillance, Reconnaissance
Information Service (ISRIS) compresses video and data into downloadable
files on a server, which users can access with commonly used Web browsers and
video software.ISRIS is built on
service-oriented architecture (SOA) , ISRIS do need web service security
instead of web server security.
Public
Key Infrastructures does not require secret IDs and passwords to be
previously known by the authenticating party. A principal advantage for PKI
based security is the ability to support single sign-on by using public key certificates. With a PKI-secured message, an
online service is not necessary for any two parties to communicate securely. In
addition, the ability to have a hierarchical key structure, and real-time
analysis of the path through the hierarchy, makes it possible for parties to
securely communicate without prior business arrangement.PKI
requires both authentication and authorization to take place for remote access
control. It needs not only to know who a remote user is, but also to know what
the user is permitted to do. Although PKI provide comprehensive support for
authentication, PKI require the use of digital certificates for managing
authentication.
OCSP
is a real time mechanism for certificate
revocation and certificate validation checking within a PKI deployment.
Online
Certificate Status Protocol is a online request-response pair PKI information
access protocol composed of standardized request and response types for certificate revocation and validation status. When a remote user attempts to access a
server, OCSP sends a request for certificate status information. The server
sends back a response of "current", "expired," or
"unknown." An
OCSP request message is composed of protocol version number, a request type
object identifier and other request data relevant to a particular request type.
Initially the OCSP responder certificate is located and the signature on the
OCSP request checked using the responder certificate's public key. Then a
normal certificate verify is performed on the OCSP responder certificate
building up a certificate chain in the process.
Although OCSP enables
applications to determine the revocation state of an identified certificate , OCSP can not check that certificates are signed correctly .
Although a set of trusted public keys from which certificate chains
may be constructed , OCSP can not check that the
certificate chains to an acceptable trust point . Although a set of
intermediate certificate authorities from which the trust chain may be
constructed , OCSP can not check that each
certificate in the chain contains an acceptable certificate policy identifier
to ensure that certificates are not being misused. OCSP by itself is not
sufficient to meet our customer's full requirements .
OCSP requires that every
user and every application verify the identity of everyone they communicate
with and ensure that the counter-party identity is appropriate for the
transaction and that the identity is still valid (not been revoked). OCSP deployment is too cumbersome and costly for the
technology to achieve widespread use.
BOXML creates a trust service that
shields clients from complexity by providing an XML interface to PKI and
using Dynamic
XML Encryption ,Multiple XML
Signature and Time-Stamp
Universal Unique XML Identification .
Traditionally, with PKI
all trust decisions are offloaded to the
cryptographic client. The certificate
verifier needed to support
all the complex functionality such as certificate path building, certificate
path verification and certificate
status checking. This
requires complicated programming libraries and configuration information. It is important to minimize client code
and configuration complexity for PKI.Furthermore, such applications were heavy in terms of PKI code
making them difficult to be deployed on thin memory devices e.g. PDAs and cell phones .
BOXML trust server supports XKMS( XML Key Management Specification) by Dynamic XML Encryption ,Multiple XML Signature and Time-Stamp Universal Unique XML Identification. XKMS replaces many PKI protocols, such as OCSP(Online Certificate Status Protocol),LDAP( Lightweight Directory Access Protocol),CRL(Certificate Revocation Lists),CMP(Certificate Management Protocol ) and SCEP (Simple Certificate Enrollment Protocol ), with XML-based protocols such as Register Service, Revoke Service, Reissue Services
, Recover Service, Locate Service and Validate Service . With XKMS,
trust functions reside in BOXML accessible via easily programmed XML
transactions so they
can be centralized and applied consistently across platforms. The
only configuration information an BOXML’s client needs is the URL of the BOXML
, and the certificate which BOXML will use to sign its response. Developers can allow applications to delegate all or part of the
processing of XML multiple digital signatures and XML partial encrypted
elements to BOXML .
Different trust models can be supported by using different URLs. Anything to do with PKI can be delegated to BOXML trust server.