Document-based message-centric security using XML authentication and encryption for coalition and interagency operations

Abstract

Different agencies and different nations are not able to securely communicate and share structured information due to differences in security policies and data formats. The current evolution of security and data policies is not solving this fundamental problem. Document-based message-centric XML security can provide satisfactory security within a diversified communications framework between traditional and nontraditional partners by utilizing existing Web standards for XML canonicalization, XML digital signature, XML compression and XML encryption. Vulnerabilities related to the exchange of cryptographic technologies are minimized by strictly adhering to open-standards technology. This approach thus resolves multi-partner trust challenges in regards to using another entity's equipment, software, or policy requirements through the proper adoption of standards-based structured data and alternative cryptographic algorithms. Exemplar results demonstrated in this thesis show that XML Security is a feasible approach for operations that include multiple agencies and coalition partners. Alternative solutions are also available using proprietary technologies, but such approaches lock participants into commercial contracts, prohibit distribution and provide suspect capabilities. Therefore, they cannot attain interagency or international acceptance. Such methods involve the use of unique or proprietary message formats with customized encryption and compression algorithms that are not available for broad scrutiny by open source communities. Closed approaches cannot gain group trust. This thesis specifically investigates XML standardization methods for various categories of unclassified data to provide secure information exchange among a wide audience, e.g. multi-agency task force or multinational coalition partners. Using an XML document-centric approach is a helpful organizing principle for this problem that provides levels of security consistent with common business practices achieved, within the constraints of the respective organizational security policies of each participant. The resulting design patterns for XML document development enhance confidentiality, integrity, and authentication commensurate with the nature of the unclassified document generated, while maintaining information objects at an appropriate level of security and acceptable level of risk.