Protocols for secure client-server applications in the Joint Maritime command Information System

Abstract

The new architecture for the Joint Maritime Command Information System, referred to as JMCIS'98, seeks to provide uniform access to tactical and non-tactical information. The goal is to allow access to such information using Wide Area Network technology and Personal Computers running Windows NT in a web environment. This architecture relies on web servers to deliver executable content, such as Java applets, to clients and gateway servers to route requests to the appropriate servers and/or databases. This architecture raises new security risks which must be addressed. Two of these risks are addressed in this thesis: executing downloaded code from a web server and transmitting sensitive information, such as passwords, to gateway servers. We investigate three cryptographic protocols to address these risks. The first protocol treats the risk of executing downloaded code from a web server by using digital signatures. The second protocol addresses the transmission of sensitive information to a gateway server by using certificates and symmetric key cryptography. Finally, we explore an alternative approach, that of the Secure Sockets Layer, which provides mutual authentication. We discuss how the first two protocols can be implemented in Java using the Java Developer's Kit (JDK) 1.1 and the Java Cryptography Extension (JCE) 1.1