
available at www.sciencedirect.com

www.compseconline.com/publications/prodinf.htm

Information Security Technical Report 12 (2007) 85–89

Secure Mobile Architecture (SMA) – A way to fix the broken Internet

Richard H. Paine*

6115 72nd Dr NE, Marysville, WA 98270, USA

Keywords: Internet Protocol (IP); Secure Mobile Architecture (SMA); End-to-end; Public Key Infrastructure (PKI); TempCert

Abstract

The Internet is broken. There have been many attempts to fix it, but they are all complex and very difficult to implement and none of them answer the fundamental questions of what is wrong with it. The first basic flaw is the very nature of the Internet Protocol address. It is treated as both a name and an address to deliver the information to its end-to-end destination. In addition, the security of the protocol is dependent on that address. The second major flaw is the inability of the Internet protocols to address mobility with fast and secure handoff. The Secure Mobile Architecture (SMA) fundamentally addresses these flaws in the very nature of the Internet Protocols. It does this by treating the IP layer as an insecure transport layer. It requires four elements to effect this transformation of the Internet. It can be integrated into existing Intranets. It can function easily in the namespace of an Internet service provider (ISP), an enterprise, or governments. The rest of this chapter will take you through the architecture and its elements.

© 2007 Elsevier Ltd. All rights reserved.

1. Introduction

The SMA architecture was published in February 2004. The group that developed it included representatives from Boeing, Lockheed, IBM, HP, Motorola, Netmotion Wireless, and a number of universities. In late 2003, Richard Paine started to lay the groundwork for a project to implement an SMA pilot through a Boeing Network Centric Operations (NCO) 2004 project. This funded project enabled the SMA project to develop an SMA Boeing Intranet infrastructure that is an integral part of the Boeing Intranet as a pilot. The features of the SMA pilot demonstrations in December 2004 are illustrated in Fig. 1.

The implementation was designed by Steven C. Venema of the Phantom Works (PW) M&CT Manufacturing Technology group. His experience was that many of the manufacturing problems he has run into are those associated with the network. There are four primary elements that are the major components of the SMA. Together, the four components make up the Secure Mobile Architecture (Fig. 2). He took the major components from the architecture and implemented them in the following ways.

In order for SMA to be secure, there must be a secure means of authenticating the users. This secure means was being worked by the Manufacturing Technology group before SMA started and is known as Temporary Certificates, or “TempCerts”. The TempCerts are being issued based on the Boeing secure badge and the ability of an authenticated user to obtain a certificate from the Boeing PKI for a limited amount of time. The focus of this limited amount of time is a shift in the factory that is generally 8–12 h long. This process time-limits the risk of storing a certificate on an end user device. The process is noted in Fig. 3.

* Tel.: +1 206 854 8199; fax: +1 425 865 2965. E-mail address: [email protected]

1363-4127/$ – see front matter © 2007 Elsevier Ltd. All rights reserved. doi:10.1016/j.istr.2007.04.003

Fig. 1 – Definition of SMA.

The Host Identity Protocol (HIP) element of the SMA architecture enables secure communications by putting a cryptographic identity on every packet. One of the most persistent problems on the Internet is the fact that security for the TCP/IP communications has previously always been based on an IP or a MAC address. This is a weakness that permeates and complicates all present and future work across the Internet. This weakness leads to spoofing and potential intercept of packets and applications on the network. This has led SMA to specify the Internet Engineering Task Force’s (IETF) HIP, which provides a secure pair-wise end-to-end security association (SA) identified by a cryptographic identity. The cryptographic identity is included in every packet and sent across the network in this pair-wise SA. Fig. 4 shows the mechanism required and the packet orientation.
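As an added illustration (not code from the paper or from any HIP implementation), the following Python model shows the property the paragraph describes: the security association is bound to the two cryptographic identities carried in every packet, and the IP address a packet arrives from plays no part in authentication, so the peer can change subnets without breaking the SA, while a packet altered in transit is rejected. The host keys, the base-exchange secret and the addresses are constructed stand-ins; a hash of the key stands in for the Host Identity Tag and an HMAC for the ESP authentication real HIP uses.

```python
"""Toy model of a HIP-style security association bound to identities, not
addresses. Added example, not the paper's or any HIP implementation's code.
Real HIP uses public-key host identities, a Diffie-Hellman base exchange and
ESP; here a hash of a constructed key stands in for the Host Identity Tag
(HIT) and an HMAC keyed from the identity pair stands in for ESP."""
import hashlib
import hmac
import json


def host_identity_tag(public_key: bytes) -> str:
    """A HIT is a fixed-length hash of the host's public key: it names the
    host without saying anything about where it is attached."""
    return hashlib.sha256(public_key).hexdigest()[:32]


class SecurityAssociation:
    """One end of a pair-wise SA between two HITs."""

    def __init__(self, local_hit: str, peer_hit: str, shared_secret: bytes):
        self.local_hit = local_hit
        self.peer_hit = peer_hit
        # Key material comes from the (unordered) identity pair plus the secret
        # the base exchange would have produced; no IP address is involved, so
        # both ends derive the same key wherever they happen to be.
        pair = "|".join(sorted([local_hit, peer_hit])).encode()
        self.key = hashlib.sha256(pair + b"|" + shared_secret).digest()
        self.send_seq = 0
        self.last_seen = 0
        self.peer_last_ip = None

    def _tag(self, pkt: dict) -> str:
        # The tag covers both identities, the sequence number and the payload.
        body = json.dumps({k: pkt[k] for k in ("src_hit", "dst_hit", "seq", "payload")},
                          sort_keys=True).encode()
        return hmac.new(self.key, body, hashlib.sha256).hexdigest()

    def send(self, payload: bytes) -> dict:
        """Build a packet that carries the sender's identity on every packet."""
        self.send_seq += 1
        pkt = {"src_hit": self.local_hit, "dst_hit": self.peer_hit,
               "seq": self.send_seq, "payload": payload.hex()}
        pkt["tag"] = self._tag(pkt)
        return pkt

    def receive(self, pkt: dict, src_ip: str) -> bytes:
        """Accept a packet on the strength of its identity and tag alone.
        src_ip is what the IP layer delivered it from; it is recorded but never
        used for authentication, which is exactly the point of the design."""
        if pkt["src_hit"] != self.peer_hit or pkt["dst_hit"] != self.local_hit:
            raise ValueError("packet is not for this security association")
        if not hmac.compare_digest(pkt.get("tag", ""), self._tag(pkt)):
            raise ValueError("authentication tag does not verify")
        if pkt["seq"] <= self.last_seen:
            raise ValueError("replayed or out-of-order packet")
        self.last_seen = pkt["seq"]
        self.peer_last_ip = src_ip
        return bytes.fromhex(pkt["payload"])


def demo() -> dict:
    """Run one SA through an address change and a tampered packet."""
    # Constructed stand-ins for the hosts' public keys and the base-exchange secret.
    hit_a = host_identity_tag(b"constructed public key of host A")
    hit_b = host_identity_tag(b"constructed public key of host B")
    secret = b"constructed shared secret from the base exchange"
    sa_a = SecurityAssociation(hit_a, hit_b, secret)
    sa_b = SecurityAssociation(hit_b, hit_a, secret)
    out = {}
    # Host A speaks from one subnet, then from another (documentation addresses).
    out["first"] = sa_b.receive(sa_a.send(b"hello from subnet one"), src_ip="192.0.2.10")
    out["roamed"] = sa_b.receive(sa_a.send(b"still the same SA"), src_ip="198.51.100.5")
    out["ip_changed"] = sa_b.peer_last_ip == "198.51.100.5"
    # A packet altered in transit still names A's identity but fails the tag check.
    tampered = dict(sa_a.send(b"original payload"))
    tampered["payload"] = b"altered payload".hex()
    try:
        sa_b.receive(tampered, src_ip="192.0.2.10")
        out["tamper_rejected"] = False
    except ValueError:
        out["tamper_rejected"] = True
    return out


if __name__ == "__main__":
    print(demo())
```

The sequence-number check is the one piece of state the receiver keeps per SA; everything else needed to accept a packet is in the packet itself and the shared key, which is why an address change is invisible to the association.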

Fig. 2 – SMA elements: PKI (Public Key Infrastructure), HIP (Host Identity Protocol), NDS (Network Directory Services) and LENS (Location-Enabled Network Services); together they make up SMA (Secure Mobile Architecture).

The implementation uses a virtual directory to retain information about the communications that enable SMA to be an effective namespace and still be a functional member of the Internet. There is a DNS proxy for the Internet namespace that intercepts any DNS requests in the namespace and checks against the directory for the current address, even for its own address. This address can be either an IPv4 or an IPv6 address. This allows the address to change without affecting the roaming mobile device. The mobile device can move throughout the namespace and retain the ability to transparently transition across network subnets while retaining its security association. In addition, all the packets exchanged in this namespace are identified by their cryptographic identity that is issued by the entity’s PKI (Fig. 5).

Fig. 3 – TempCert provisioning process. (Slide elements: Badgecert, Tempcert, Client, RA, SSL/TLS tunnel, Boeing PKI, SLDAP. 1) Badge used for client auth; TempCert request sent to RA. 2) RA issues TempCert. 3) Client has TempCert available for up to 8 hours.)

Fig. 4 – Description of the Host Identity Protocol (HIP).

By retaining the information in a directory or a database instead of in registers in the Operating System, the SMA network can be secure and mobile. In addition to the address being in a data store, part of the SMA is enabled by being location-enabled. The SMA secure network uses location to enable security zones and policy enforcement based on its knowledge of identity and location. The policy decisions are determined by a policy decision daemon that accesses its policies in an SMA data store. In addition, middleboxes are part of this picture which enable the network to enforce policy on the secure packets as they traverse the network.
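The directory, DNS proxy and location-aware policy daemon described in the two paragraphs above, as an added Python model that is not the pilot's code. The namespace `sma.example`, the zones, the services and the addresses are constructed for the example. It shows that a name in the SMA namespace resolves through the directory and therefore follows the device when it publishes a new address, and that a policy decision is made from identity plus directory-recorded location rather than from the packet's source IP.

```python
"""Toy Network Directory Service in the spirit of the SMA design. Added
example, not the pilot's code: the directory, not the host's own IP stack,
is the authority for where an identity is and in which zone; a DNS proxy
answers names in the SMA namespace from it and forwards the rest; a policy
decision is taken from identity plus recorded zone. All values constructed."""
import time

NAMESPACE = "sma.example"  # constructed; the pilot used its own namespace


class Directory:
    """Identity -> current address and zone; DNS names resolve via identity."""

    def __init__(self):
        self._records = {}   # identity tag -> record
        self._names = {}     # DNS name -> identity tag

    def register(self, name: str, identity: str, address: str, zone: str, now=None):
        self._records[identity] = {"name": name, "identity": identity,
                                   "address": address, "zone": zone,
                                   "updated": time.time() if now is None else now}
        self._names[name] = identity

    def update_location(self, identity: str, address: str, zone: str, now=None):
        # The mobile device publishes its new address; nothing else has to change.
        rec = self._records[identity]          # KeyError for an unknown identity
        rec.update(address=address, zone=zone,
                   updated=time.time() if now is None else now)

    def get(self, identity: str):
        return self._records.get(identity)

    def lookup_name(self, name: str):
        ident = self._names.get(name)
        return None if ident is None else self._records[ident]


def dns_proxy(query: str, directory: Directory, upstream):
    """Names in the SMA namespace are answered from the directory, so the
    answer follows the device as it roams; other names go to `upstream`,
    a callable standing in for the normal resolver."""
    if query == NAMESPACE or query.endswith("." + NAMESPACE):
        rec = directory.lookup_name(query)
        return None if rec is None else rec["address"]
    return upstream(query)


# Constructed policy table: which services may be reached from which zone.
POLICY = {
    "office": {"email", "cad", "robot-control"},
    "factory-floor": {"cad", "robot-control"},
    "offsite": {"email"},
}


def policy_decision(directory: Directory, identity: str, service: str) -> str:
    """Decide from who the requester is and where the directory says it is."""
    rec = directory.get(identity)
    if rec is None:
        return "deny: unknown identity"
    if service in POLICY.get(rec["zone"], set()):
        return "allow"
    return f"deny: {service} not permitted from zone {rec['zone']}"


def demo() -> dict:
    d = Directory()
    d.register("crawler7." + NAMESPACE, "hit-crawler7", "192.0.2.40", "factory-floor")

    def upstream(query):            # constructed stand-in for the normal DNS answer
        return "203.0.113.9"

    out = {}
    out["resolve_before"] = dns_proxy("crawler7." + NAMESPACE, d, upstream)
    out["resolve_external"] = dns_proxy("www.example.org", d, upstream)
    out["policy_floor"] = policy_decision(d, "hit-crawler7", "robot-control")
    # The device roams to an outside network and publishes its new address.
    d.update_location("hit-crawler7", "198.51.100.7", "offsite")
    out["resolve_after"] = dns_proxy("crawler7." + NAMESPACE, d, upstream)
    out["policy_offsite"] = policy_decision(d, "hit-crawler7", "robot-control")
    out["unknown"] = policy_decision(d, "hit-nobody", "email")
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

In a deployment the middleboxes would consult the same decision function (or the daemon behind it) for each security association they see; the model keeps that to a plain function call so the two inputs of the decision, identity and recorded location, are visible.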

There are a number of ways that SMA can be used by a PKI entity. The SMA infrastructure can be used as an adjunct to the existing enterprise infrastructure, like the way the current SMA pilot is being run. This SMA pilot uses the Boeing Intranet as a transport for a security association’s exchange of IPSEC-like packets. It can also be used at the scale of an entire enterprise or government agency, or even of a service provider like AOL or MSN. It can be used anywhere on the Internet and enable secure communications across an entire path across the Internet.

Fig. 5 – Network Directory Service (NDS) design. (Slide elements: support for real-time endpoint mobility and location data; future integration with Boeing DNS and directory (CED, NAMS-ng) infrastructure. Directory information flow between Enterprise DNS Proxy, Security Perimeter, Directory, SLDAP Client, Policy Decision Daemon, Middleboxes, Client, DNS/DDNS and Location Server.)

The functionality enables an SMA client to be anywhere on the Internet as long as you can get a global IP address from a service provider (say T-Mobile at Starbucks) or an enterprise Intranet. The two-stage provisioning process is to first authenticate via a smartcard to the client and then get a global address from a provider (as in the left side of Fig. 6). After getting the global address, the authenticated client can request a “TEMPCERT” from the registration authority. Once this happens, the client can store its Starbucks address in the directory, at which time the enterprise knows the address of the Boeing device and user that is at Starbucks. Such a capability enables the enterprise to move laptop and desktop computers outside the enterprise. This shrinks the security perimeter to the core set of services that need to be secured. Policies for particular employees and/or computers are enabled because the enterprise knows exactly who it is and where they are. It also gets the enterprise into a mode in which all communications are secure and the enterprise can push information and configurations out to the end user device, no matter where they are.
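The two-stage provisioning just described, together with the shift-limited TempCert described earlier, as an added Python model; it is not the pilot's code. Stage 1 authenticates a badge credential (the HardCert of Fig. 6) to a registration authority that issues a certificate capped at 8 hours; stage 2 accepts an identity-to-address update in the directory only under a live certificate whose subject matches the identity being updated. The badge ids, secrets, identities, clock values and addresses are constructed, and the PKI signature is modelled as an HMAC with a key only the RA holds, where the real pilot uses an X.509 certificate from the Boeing PKI.

```python
"""Toy model of SMA two-stage client provisioning. Added example, not the
pilot's code. Stage 1: badge (HardCert) authentication to the registration
authority (RA), which issues a TempCert valid for at most one shift.
Stage 2: the TempCert authorises publishing the client's current global IP
in the directory. The PKI signature is modelled as an HMAC over the
certificate fields with a key only the RA holds."""
import hashlib
import hmac
import json

MAX_TEMPCERT_LIFETIME = 8 * 3600      # seconds; "available for up to 8 hours"
_SIGNED_FIELDS = ("subject", "not_before", "not_after")


class RegistrationAuthority:
    def __init__(self, signing_key: bytes, badges: dict):
        self._key = signing_key
        self._badges = badges   # badge id -> (badge secret, identity); constructed

    def _sign(self, cert: dict) -> str:
        body = json.dumps({k: cert[k] for k in _SIGNED_FIELDS}, sort_keys=True).encode()
        return hmac.new(self._key, body, hashlib.sha256).hexdigest()

    def issue_tempcert(self, badge_id: str, badge_secret: str, now: float,
                       lifetime: int = MAX_TEMPCERT_LIFETIME) -> dict:
        """Stage 1: badge authentication, then a short-lived certificate."""
        entry = self._badges.get(badge_id)
        if entry is None or not hmac.compare_digest(entry[0], badge_secret):
            raise PermissionError("badge authentication failed")
        lifetime = min(lifetime, MAX_TEMPCERT_LIFETIME)   # never longer than a shift
        cert = {"subject": entry[1], "not_before": now, "not_after": now + lifetime}
        cert["sig"] = self._sign(cert)
        return cert

    def verify(self, cert: dict, now: float) -> str:
        """Signature first, then the validity window."""
        if not hmac.compare_digest(cert.get("sig", ""), self._sign(cert)):
            return "invalid signature"
        if now < cert["not_before"] or now > cert["not_after"]:
            return "expired"
        return "ok"


class Directory:
    def __init__(self, ra: RegistrationAuthority):
        self._ra = ra           # stands in for trusting the PKI's signing chain
        self.addresses = {}     # identity -> current global IP

    def update_address(self, cert: dict, identity: str, address: str, now: float) -> str:
        """Stage 2: accept an identity-to-IP update only under a live TempCert
        whose subject is the identity being updated."""
        status = self._ra.verify(cert, now)
        if status != "ok":
            return "rejected: " + status
        if cert["subject"] != identity:
            return "rejected: certificate subject does not match identity"
        self.addresses[identity] = address
        return "updated"


def demo() -> dict:
    t0 = 1_700_000_000.0   # constructed clock, seconds since the epoch
    ra = RegistrationAuthority(b"constructed RA signing key",
                               {"badge-0042": ("constructed badge secret", "hit-laptop-17")})
    directory = Directory(ra)
    out = {}
    cert = ra.issue_tempcert("badge-0042", "constructed badge secret", now=t0)
    out["lifetime_hours"] = (cert["not_after"] - cert["not_before"]) / 3600
    # Stage 2 from a provider network an hour into the shift.
    out["update_ok"] = directory.update_address(cert, "hit-laptop-17", "198.51.100.23", now=t0 + 3600)
    out["address"] = directory.addresses.get("hit-laptop-17")
    # The same certificate the next day: the window has closed.
    out["update_next_day"] = directory.update_address(cert, "hit-laptop-17", "198.51.100.23", now=t0 + 20 * 3600)
    # A certificate edited to name another subject no longer verifies.
    edited = dict(cert, subject="hit-someone-else")
    out["update_edited"] = directory.update_address(edited, "hit-someone-else", "203.0.113.4", now=t0 + 60)
    # Asking for a 12 h certificate still yields at most 8 h.
    long_cert = ra.issue_tempcert("badge-0042", "constructed badge secret", now=t0, lifetime=12 * 3600)
    out["capped_hours"] = (long_cert["not_after"] - long_cert["not_before"]) / 3600
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

The cap on lifetime is enforced by the issuer rather than trusted from the request, which is what limits the exposure of a certificate left on an end user device after the shift.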

Fig. 6 – SMA two-stage provisioning process. (Slide elements: generic ISP provisioning process with DHCP server, AAA server, client and 802.11 access point; enterprise provisioning process with RA, client, TLS, directory, DNS and SLDAP. 1) HardCert authentication for TempCert. 2) Identity IP update in directory.)

Fig. 7 – SMA 2005 testbed. (Slide elements: Bellevue and Everett sites, each with smamobiles, access points, message broker, directory, DNS, TempCert RA, location server, LPDD and HIP SAs; Boeing Intranet with AAA server, DNS namespace mobile.tl.boeing.com and subnet 130.42.32.0/24; Cisco switch in Bellevue, Cisco 1232s in Everett; a cellular smamobile HIP SA across the Internet; PKI.)

The 2007 SMA infrastructure is composed of two SMA networks, one in Bellevue and one in Everett. In addition, the ability to transparently move from WLAN to cellular data networks is incorporated. The directories are synchronized by replication between the two networks. The implementation in Bellevue is tied to the Cisco switched wireless system that uses and enables wireless VLANs through the wireless switches. The Everett implementation is tied to the Cisco factory infrastructure that is based on the Cisco 1232 infrastructure of 802.11a/b/g access points and enables us to determine issues in the factory versus the office environment. In addition, there is an SMA capability to be added to the Boeing security perimeter that will enable an SMA relay of the SMA security association from outside the enterprise to inside the enterprise (Fig. 7).

The location server component of the SMA pilot is from Aeroscout. The Aeroscout location service uses the WLAN infrastructure to enable 802.11 connected devices to be tracked through the factory. Aeroscout also has active tags in a WLAN RFID system that can track high value parts throughout the facility. The following figure is an engineering drawing of the Everett 40-26 building where the pilot is installed. The pictures of a scissor lift, a kit, and carts are those parts of the demonstration capability using active tags (Fig. 8).

Fig. 8 – Everett location (40-26) policy enforcement. (Engineering drawing of the 40-26 building with its location zones; from NGI_SMA_Aeroscout_Pilot_Demonstration_8-2-05.ppt, 8/2/2005.)

The SMA Aeroscout location capability also includes software called Mobileview. Mobileview is a set of software which manages the parts and provides a useful Graphics User Interface (GUI) to display information. In the above figure, the zones are logical zones for manufacturing that have features like dwell, overflow, presence, shortages, etc. that can be part of the manufacturing process.

The deployment scenarios are now in process as of February 2007. The testing of the Secure Mobile Architecture (SMA) HIP Bridge is in process on the 777 crawlers. The HIP Bridge enables the crawler to talk to its controller over the existing Intranet IEEE 802.11 infrastructure. The HIP Bridge delivers the communications with security (cryptographic identity) and seamless mobility (crossing subnets) throughout the factory. Fig. 9 shows the deployment of the crawlers that are robotic machine tools that carry sections of the airplane to deliver these major subassemblies of the airplane to the assembly process.

Fig. 9 – 777 Crawlers.

Fig. 10 – JFCOM demonstration scenario. (Slide elements: Secure Mobile Architecture infrastructure for the war fighter; a cellular data network and several IP networks, one of them marked with an X.)

The other deployment scenario is for the Joint Forces Command (JFCOM). The prototype is a three-laptop scenario that enables a headquarters to affect policy to the dismounted soldier by interfacing with the Secure Mobile Architecture (SMA) over any IP network the soldier has access to. If one network connection becomes disconnected, there is an automatic and seamless handoff to the Always Best Connected (ABC) network (Fig. 10).

The dismounted soldier may carry multiple IP networked radios that enable him to use whatever resources he has available to get back to the headquarters.

Fig. 11 gives the 2007 SMA planned implementation and includes the following projects with a number of demonstrations throughout the first half of the year.

The SMA has the potential to replace the communications infrastructure of an enterprise or an ISP or any entity that has a PKI, including governments that have many different PKIs that they access through government PKI bridges. The SMA team is working with Cisco and Microsoft to get these concepts across to our vendors. These vendors are our suppliers of network infrastructure. In fact, we are telling them that we want them to deliver something like this and even if it is not exactly what we are doing, this is the kind of capability we are looking for in the future. In the meantime, before our vendors provide this capability, Boeing can implement this capability in the same way we have implemented the pilot; include the SMA capability in the Boeing builds of Windows XP and Linux and support SMA in the enterprise to give Boeing an interim secure mobile network capability. This can be done by expanding the SMA pilot into larger and larger areas of the Boeing Company. The SMA team is working to make all this happen programmatically.

For questions on this white paper and SMA in general, please contact the following:

Richard Paine, 206-854-8199, [email protected]

Steven Venema, 425-830-0722, [email protected]

Acknowledgment

This work was supported by Boeing Network Centric Operations (NCO) funding.

Fig. 11 – SMA 2007 plans as of 3/7/06. CY’07 plans:

• Development Activities: VoWLAN using Nokia 770s with HIP

• SMA Implementations and Transition Activities: 777 Crawlers (direct funded); Enterprise Pub-Sub

• Derivative Location Projects: Network Location Service (NLS) offerings