DocumentCode
153736
Title
High Assurance information exchange based on Publish-Subscribe and ABAC methods
Author
Fongen, Anders ; Mancini, Federico
Author_Institution
Norwegian Defence Res. Establ. (FFI), Kjeller, Norway
fYear
2014
fDate
6-8 Oct. 2014
Firstpage
242
Lastpage
248
Abstract
The presented effort employs a combination of publish-subscribe distribution and ABAC (Attribute Based Access Control) methods to control the information exchange between security domains. It strictly follows the "separation of duty" principle, so a message router only has infrastructure duties while the identity management entity deals with management of authorizations and security policies. The presented work also implements a novel model for message protection and subject authorization. One characteristic of the resulting transfer protocol is that an external bump-on-the-wire device can verify the integrity of the messages and that the security policies are observed. This device can be carefully constructed for the purpose of high assurance and offer a fail-safe mechanism in case the message router is malfunctioning or compromised.
Keywords
access control; authorisation; cryptographic protocols; message authentication; ABAC method; attribute based access control method; authorization policies; bump-on-the-wire device; fail-safe mechanism; high assurance information exchange; identity management; message protection; message router; publish-subscribe distribution; security domain; security policies; separation of duty principle; transfer protocol; Authorization; Receivers; Routing protocols; Subscriptions;
fLanguage
English
Publisher
ieee
Conference_Titel
Military Communications Conference (MILCOM), 2014 IEEE
Conference_Location
Baltimore, MD
Type
conf
DOI
10.1109/MILCOM.2014.45
Filename
6956766