Available at www.sciencedirect.com
www.compseconline.com/publications/prodinf.htm
Information Security Technical Report 12 (2007) 85–89

Secure Mobile Architecture (SMA) – A way to fix the broken Internet
Richard H. Paine*
6115 72nd Dr NE, Marysville, WA 98270, USA
Keywords: Internet Protocol (IP); Secure Mobile Architecture (SMA); End-to-end; Public Key Infrastructure (PKI); TempCert
Abstract

The Internet is broken. There have been many attempts to fix it, but they are all complex and very difficult to implement and none of them answer the fundamental questions of what is wrong with it. The first basic flaw is the very nature of the Internet Protocol address. It is treated as both a name and an address to deliver the information to its end-to-end destination. In addition, the security of the protocol is dependent on that address. The second major flaw is the inability of the Internet protocols to address mobility with fast and secure handoff. The Secure Mobile Architecture (SMA) fundamentally addresses these flaws in the very nature of the Internet Protocols. It does this by treating the IP layer as an insecure transport layer. It requires four elements to effect this transformation of the Internet. It can be integrated into existing Intranets. It can function easily in the namespace of an Internet service provider (ISP), an enterprise, or governments. The rest of this chapter will take you through the architecture and its elements.

© 2007 Elsevier Ltd. All rights reserved.
1. Introduction
The SMA architecture was published in February 2004. The group that developed it included representatives from Boeing, Lockheed, IBM, HP, Motorola, Netmotion Wireless, and a number of universities. In late 2003, Richard Paine started to lay the groundwork for a project to implement an SMA pilot through a Boeing Network Centric Operations (NCO) 2004 project. This funded project enabled the SMA project to develop an SMA Boeing Intranet infrastructure that is an integral part of the Boeing Intranet as a pilot. The features of the SMA pilot demonstrations in December 2004 are illustrated in Fig. 1.
The implementation was designed by Steven C. Venema of the Phantom Works (PW) M&CT Manufacturing Technology group. His experience was that many of the manufacturing problems he had run into were those associated with the network. There are four primary elements that are the major components of the SMA. Together, the four components make up the Secure Mobile Architecture (Fig. 2). He took the major components from the architecture and implemented them in the following ways.
In order for SMA to be secure, there must be a secure means of authenticating the users. This secure means was being worked by the Manufacturing Technology group before SMA started and is known as Temporary Certificates, or "TempCerts". The TempCerts are being issued based on the Boeing secure badge and the ability of an authenticated user to obtain a certificate from the Boeing PKI for a limited amount of time. The focus of this limited amount of time is a shift in the factory that is generally 8–12 h long. This process time-limits the risk of storing a certificate on an end user device. The process is noted in Fig. 3.
The Host Identity Protocol (HIP) element of the SMA architecture enables secure communications by putting a cryptographic identity on every packet. One of the most persistent problems on the Internet is the fact that security for the TCP/IP communications has previously always been based on an IP or a MAC address. This is a weakness that permeates and complicates all present and future work across the Internet. This weakness leads to spoofing and potential intercept of packets and applications on the network. This has led SMA to specify the Internet Engineering Task Force's (IETF) HIP, which provides a secure pair-wise end-to-end security association (SA) identified by a cryptographic identity. The cryptographic identity is included in every packet and sent across the network in this pair-wise SA. Fig. 4 shows the mechanism required and the packet orientation.

* Tel.: +1 206 854 8199; fax: +1 425 865 2965. E-mail address: [email protected]
1363-4127/$ – see front matter © 2007 Elsevier Ltd. All rights reserved. doi:10.1016/j.istr.2007.04.003

Fig. 1 – Definition of SMA.
The implementation uses a virtual directory to retain information about the communications that enable SMA to be an effective namespace and still be a functional member of the Internet. There is a DNS proxy for the Internet namespace that intercepts any DNS requests in the namespace and checks against the directory for the current address, even for its own address. This address can be either an IPv4 or an IPv6 address. This allows the address to change without affecting the roaming mobile device. The mobile device can move throughout the namespace and retain the ability to transparently transition across network subnets while retaining its security association. In addition, all the packets exchanged in this namespace are identified by their cryptographic identity that is issued by the entity's PKI (Fig. 5).

[Figure: SMA Elements – PKI (Public Key Infrastructure) + HIP (Host Identity Protocol) + NDS (Network Directory Services) + LENS (Location-Enabled Network Services) together form SMA (Secure Mobile Architecture).]
Fig. 2 – SMA elements.
By retaining the information in a directory or a database instead of in registers in the Operating System, the SMA network can be secure and mobile. In addition to the address being in a data store, part of the SMA is enabled by being location-enabled. The SMA secure network uses location to enable security zones and policy enforcement based on its knowledge of identity and location. The policy decisions are determined by a policy decision daemon that accesses its policies in an SMA data store. In addition, middleboxes are part of this picture which enable the network to enforce policy on the secure packets as they traverse the network.

[Figure: TempCert Provisioning Process – client (badge cert, TempCert) to RA over an SSL/TLS tunnel; RA to Boeing PKI and SLDAP. 1) Badge used for client authentication; TempCert request sent to RA. 2) RA issues TempCert. 3) Client has TempCert available for up to 8 hours.]
Fig. 3 – TempCert provisioning process.

Fig. 4 – Description of the Host Identity Protocol (HIP).
There are a number of ways that SMA can be used by a PKI entity. The SMA infrastructure can be used as an adjunct to the existing enterprise infrastructure, as the current SMA pilot is being run. This SMA pilot uses the Boeing Intranet as a transport for a security association's exchange of IPSEC-like packets. It can also be deployed at the scale of an entire enterprise or government agency, or even of a service provider like AOL or MSN. It can be used anywhere on the Internet and enable secure communications across an entire path across the Internet.
The functionality enables an SMA client to be anywhere on the Internet as long as you can get a global IP address from a service provider (say T-Mobile at Starbucks) or an enterprise Intranet. The two-stage provisioning process is to first authenticate via a smartcard to the client and then get a global address from a provider (as on the left side of Fig. 6). After getting the global address, the authenticated client can request a "TEMPCERT" from the registration authority. Once this happens, the client can store its Starbucks address in the directory, at which time the enterprise knows the address of the Boeing device and user that is at Starbucks. Such a capability enables the enterprise to move laptop and desktop computers outside the enterprise. This shrinks the security perimeter to the core set of services that need to be secured. Policies for particular employees and/or computers are enabled because the enterprise knows exactly who they are and where they are. It also gets the enterprise into a mode in which all communications are secure and the enterprise can push information and configurations out to the end user device, no matter where it is.

[Figure: Network Directory Service (NDS) design – inside the enterprise security perimeter: DNS proxy, directory, SLDAP client, policy decision daemon, middleboxes, DNS/DDNS and location server, with the directory information flow to the client. Supports real-time endpoint mobility and location data; future integration with Boeing DNS and directory (CED, NAMS-ng) infrastructure.]
Fig. 5 – Network Directory Service (NDS) design.
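The directory-backed resolution and the time-limited TempCert described above, as an added illustration that is not the Boeing pilot's code: a host is named by a cryptographic identity (a public-key digest standing in for a HIP host identity), its IP address is only a locator held in the directory, and the DNS proxy answers every query from the directory, so a roaming host keeps its identity and security association while its address changes and loses directory access once its shift-long certificate expires. Hostnames, keys and addresses are constructed.

```python
import hashlib
from dataclasses import dataclass, field

SHIFT_SECONDS = 8 * 3600  # TempCert lifetime: one factory shift (page gives 8-12 h)


def host_identity(pubkey: bytes) -> str:
    """Cryptographic identity derived from the host's public key (stand-in for a HIP host identity)."""
    return hashlib.sha256(pubkey).hexdigest()[:32]


@dataclass
class Directory:
    """SMA directory: name -> identity, identity -> current locator, identity -> TempCert expiry."""
    name_to_id: dict = field(default_factory=dict)
    locator: dict = field(default_factory=dict)
    cert_expiry: dict = field(default_factory=dict)

    def issue_tempcert(self, name: str, identity: str, now: int) -> None:
        # RA step: the badge-authenticated client gets a certificate for one shift only.
        self.name_to_id[name] = identity
        self.cert_expiry[identity] = now + SHIFT_SECONDS

    def update_locator(self, identity: str, ip: str, now: int) -> bool:
        # Client publishes its current (IPv4 or IPv6) address; refused once its TempCert expired.
        if now >= self.cert_expiry.get(identity, 0):
            return False
        self.locator[identity] = ip
        return True

    def resolve(self, name: str, now: int):
        # DNS proxy step: answered from the directory, never from a cached address,
        # so a roaming host's new locator is returned under the same identity.
        identity = self.name_to_id.get(name)
        if identity is None or now >= self.cert_expiry.get(identity, 0):
            return None
        return identity, self.locator.get(identity)


def roaming_scenario():
    """Constructed walk-through: a laptop moves from the enterprise WLAN to a hotspot."""
    d = Directory()
    hit = host_identity(b"constructed-public-key-of-laptop")
    d.issue_tempcert("laptop.example", hit, now=0)
    d.update_locator(hit, "10.0.0.5", now=10)
    before = d.resolve("laptop.example", now=20)
    d.update_locator(hit, "203.0.113.7", now=3600)  # same identity, new locator
    after = d.resolve("laptop.example", now=3700)
    late = d.update_locator(hit, "198.51.100.9", now=SHIFT_SECONDS + 1)  # shift over
    return before, after, late, d.resolve("laptop.example", now=SHIFT_SECONDS + 1)
```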
The 2007 SMA infrastructure is composed of two SMA networks, one in Bellevue and one in Everett. In addition, the ability to transparently move from WLAN to cellular data networks is incorporated. The directories are synchronized by replication between the two networks. The implementation in Bellevue is tied to the Cisco switched wireless system that uses and enables wireless VLANs through the wireless switches. The Everett implementation is tied to the Cisco factory infrastructure that is based on the Cisco 1232 infrastructure of 802.11a/b/g access points and enables us to determine issues in the factory versus the office environment. In addition, there is an SMA capability to be added to the Boeing security perimeter that will enable an SMA relay of the SMA security association from outside the enterprise to inside the enterprise (Fig. 7).

[Figure: Two-Stage Client Provisioning – generic ISP provisioning (client, 802.11 access point, DHCP server, AAA server) followed by enterprise provisioning (client to RA over TLS, directory via SLDAP, DNS). 1) HardCert authentication for TempCert. 2) Identity IP update in directory.]
Fig. 6 – SMA two stage provisioning process.

[Figure: 2005 SMA Testbed – Bellevue (sma4, 130.42.32.0/24, Cisco switch with router and APs) and Everett (smaX, Cisco 1232 APs) sites on the Boeing Intranet, DNS namespace mobile.tl.boeing.com; each site has a message broker, directory, DNS, TempCert RA, location server and LPDD; HIP security associations run between the smamobiles, including a cellular smamobile reached over the Internet; plus an AAA server and the PKI.]
Fig. 7 – SMA 2005 testbed.
The location server component of the SMA pilot is from Aeroscout. The Aeroscout location service uses the WLAN infrastructure to enable 802.11 connected devices to be tracked through the factory. Aeroscout also has active tags in a WLAN RFID system that can track high value parts throughout the facility. The following figure is an engineering drawing of the Everett 40-26 building where the pilot is installed. The pictures of a scissor lift, a kit, and carts are those parts of the demonstration capability using active tags (Fig. 8).
[Figure: Everett Location Policy Enforcement – engineering drawing of the 40-26 building with the manufacturing zones.]
Fig. 8 – Everett location (40-26) policy enforcement.
The SMA Aeroscout location capability also includes software called Mobileview. Mobileview is a set of software which manages the parts and provides a useful graphical user interface (GUI) to display information. In the above figure, the zones are logical zones for manufacturing that have features like dwell, overflow, presence, shortages, etc. that can be part of the manufacturing process.
The deployment scenarios are now in process as of February 2007. The testing of the Secure Mobile Architecture (SMA) HIP Bridge is in process on the 777 crawlers. The HIP Bridge enables the crawler to talk to its controller over the existing Intranet IEEE 802.11 infrastructure. The HIP Bridge delivers the communications with security (cryptographic identity) and seamless mobility (crossing subnets) throughout the factory. Fig. 9 shows the deployment of the crawlers, which are robotic machine tools that carry sections of the airplane to deliver these major subassemblies of the airplane to the assembly process.
The other deployment scenario is for the Joint Forces Command (JFCOM). The prototype is a three laptop scenario that enables a headquarters to apply policy to the dismounted soldier by interfacing with the Secure Mobile Architecture (SMA) over any IP network the soldier has access to. If one network connection becomes disconnected, there is an automatic and seamless handoff to the Always Best Connected (ABC) network (Fig. 10).

Fig. 9 – 777 Crawlers.

[Figure: JFCOM Demonstration Scenario – Secure Mobile Architecture infrastructure for the war fighter, reached over a cellular data network and several IP networks, with one failed link marked.]
Fig. 10 – JFCOM demonstration scenario.
The dismounted soldier may carry multiple IP networked radios that enable him to use whatever resources he has available to get back to the headquarters.
Fig. 11 gives the 2007 SMA planned implementation and includes the following projects with a number of demonstrations throughout the first half of the year.
The SMA has the potential to replace the communications infrastructure of an enterprise or an ISP or any entity that has a PKI, including governments that have many different PKIs that they access through government PKI bridges. The SMA team is working with Cisco and Microsoft to get these concepts across to our vendors. These vendors are our suppliers of network infrastructure. In fact, we are telling them that we want them to deliver something like this and even if it is not exactly what we are doing, this is the kind of capability we are looking for in the future. In the meantime, before our vendors provide this capability, Boeing can implement this capability in the same way we have implemented the pilot: include the SMA capability in the Boeing builds of Windows XP and Linux and support SMA in the enterprise to give Boeing an interim secure mobile network capability. This can be done by expanding the SMA pilot into larger and larger areas of the Boeing Company. The SMA team is working to make all this happen programmatically.
For questions on this white paper and SMA in general,
please contact the following:
Richard Paine
206-854-8199
Steven Venema
425-830-0722
Acknowledgment
This work was supported by Boeing Network Centric Operations (NCO) funding.
[Figure: CY'07 Plans
• Development Activities: VoWLAN using Nokia 770s with HIP
• SMA Implementations and Transition Activities: 777 Crawlers (direct funded); Enterprise Pub-Sub
• Derivative Location Projects: Network Location Service (NLS) offerings]
Fig. 11 – SMA 2007 plans as of 3/7/06.