Posted on by Mission Assurancein
By Grace Lewis
Software Solutions Division, Advanced Mobile Systems Initiative
First responders, search-and-rescue teams, and military personnel often work in "tactical edge" environments defined by limited computing resources, rapidly changing mission requirements, high levels of stress, and limited connectivity. In these tactical edge environments, software applications that enable tasks such as face recognition, language translation, decision support, and mission planning and execution are critical due to computing and battery limitations on mobile devices. Our work on tactical cloudlets addresses some of these challenges by providing a forward-deployed platform for computation offload and data staging (see previous posts).
When establishing communication between two nodes--such as a mobile device and a tactical cloudlet in the field--identification, authentication, and authorization provide the information and assurances necessary for the nodes to trust each other (i.e., mutual trust). A common solution for establishing trust is to create and share credentials in advance and then use an online trusted authority to validate the credentials of the nodes. The tactical environments in which first responders, search-and-rescue, and military personnel operate, however, do not consistently provide access to that online authority or certificate repository because they are disconnected, intermittent, limited (DIL). This blog post, excerpted from the recently published IEEE paper "Establishing Trusted Identities in Disconnected Edge Environments"--I coauthored this paper with Sebastián Echeverría, Dan Klinedinst, Keegan Williams--presents a solution for establishing trusted identities in disconnected environments based on secure key generation and exchange in the field, as well as an evaluation and implementation of the solution.
Identification, Authentication, and Authorization
In the context of tactical cloudlets, our latest work focused on developing a trusted identity solution that meets four major requirements:
Our work focused on creating a solution for establishing trusted identities in disconnected environments based on secure key generation and exchange in the field that meets the above requirements. For the implementation and evaluation of the solution, we use our open source tactical cloudlets system that is targeted at supporting disconnected operations.
Establishing trust in a disconnected environment (i.e., disconnected from the enterprise) requires decentralized security solutions and infrastructure that are challenging to implement due to basic security concerns, such as how to exchange keys, how to manage keys, how to integrate with existing applications, and how to configure security policies. We first explored several solutions for decentralized security with a focus on their applicability to disconnected environments. In particular, we focused on mobile clients interacting with servers deployed in the field:
The solution that we devised is presented in Figure 1 and is based on the design presented in a 2015 IEEE paper on cyber foraging that I co-authored. In this latest implementation, a tactical cloudlet is composed of a cloudlet host computer that acts as a server. This server is connected via ethernet to a WiFi access point that provides wireless access to clients and to the cloudlet's services, and uses RADIUS for WiFi authentication. These two components define a cloudlet unit. A cloudlet client is a mobile device with WiFi capabilities. Both the cloudlet host and the cloudlet client also have Bluetooth and/or USB capabilities (which will be used for pairing).
The developed solution follows the identity based cryptography (IBC) methodology while using secure key agreement to facilitate logistical requirements of disconnected environments. Our implementation depends on the Stanford Identity Based Encryption (IBE) Library, which uses the Boneh Franklin scheme as a key encapsulation mechanism (KEM) and off-the-shelf (OpenSSL) ciphers and HMACs for the actual encryption. Identity-based short signatures are used for the WiFi authentication process.
The selected secure key agreement without a trusted third party ceremony takes advantage of deployments in disconnected environments; specifically, the presupposition of physical proximity. The proposed solution requires a participant's physical proximity to the private key generator (PKG) (i.e., cloudlet) for the initial identification and authentication. The cloudlet admin trusts the device user, so it can also trust a device carried by the device user. Physical proximity can then be used to establish trust between the device and the cloudlet with the help of the users.
We decomposed our solution to establish trust into four subprocesses: bootstrapping, pairing, WiFi authentication, and API requests. The first two processes perform the actual trust establishment; the other two are used to authenticate a paired device requesting access at the WiFi and network level respectively. In addition, we identified two ways to revoke device credentials: automatic and manual.
The bootstrapping process establishes the encryption and identity parameters on the cloudlet. Every cloudlet deployment starts from a clean state, which is why the first step of the process deletes any existing server credentials.
Pairing is the process of identifying a client device to the cloudlet, authorizing it to access that cloudlet, and transferring the required credentials. A mobile device user would begin by presenting their device to the cloudlet admin. The cloudlet admin would decide if the user is authorized to use the cloudlet based on physical credentials and characteristics (e.g., photo ID, uniforms and insignia, personal knowledge, or delegation of trust). If approved, the cloudlet admin would log in to the cloudlet and the mobile user would connect the candidate mobile device to the cloudlet via USB or Bluetooth.
3) WiFi Authentication Process
The cloudlets provide all of their services over WiFi using standard 802.1X authentication. Clients connect to a cloudlet's WiFi access point (AP) and request access to the network. The AP provides the RADIUS Server Certificate and the client verifies its own copy of the RADIUS Server Certificate, which it obtained via pairing. '
4) API Request Process
Services on a cloudlet are provided by a simple HTTP request/response protocol. To secure the requests, the client can decide to use any of the cryptographic elements generated in the previous phases, or can generate and share a new secret key. If a new secret key is generated, it must be replaced as the password for that device in the list of paired devices on the server. Each request/response pair is encrypted and decrypted using the agreed-upon secret key/password.
Automatic and Manual Device Credential Revocation
To address elements of the threat model, our solution includes two ways of revoking device credentials, therefore terminating the connection between the cloudlet and the mobile device.
Threat Modeling, Vulnerability, and Ceremony Analysis
We first evaluated our solution against a threat model for disconnected environments that we used to develop the trusted identity solution. The context for the threat model is a client/server type of system in which the client is a mobile device and the server is providing capabilities to mobile devices. The server is fully disconnected from the network and provides capabilities to proximate mobile devices connected via WiFi. We developed our threat model using Microsoft's SDL Threat Modeling Tool, which generated 60 potential threats, and consolidated them into the 14 relevant threats as detailed in our paper along with accompanying mitigations.
The solution that we developed fully addressed 5 of the 14 threats identified above. It also partially addressed one of the threats due to an explicit tradeoff. Of the 14 threats described above, 6 are addressed outside of the solution, which we addressed through ceremony analysis, described below. Two threats are not addressed by the solution, but we provide potential mitigations that we did not implement in our paper.
We also evaluated our trusted identities solution by performing architectural and technical analysis of possible vulnerabilities based on the threat model. Given the set of threats that we identified, we created a simple attack tree. The goal for an attacker would be to gain access to the data being shared between clients and the cloudlet. We identified four possible paths to access to that data, only two of which are relevant when considering the trusted identity solution:
As described in our paper, we also conducted ceremony analysis, which extends the concept of network protocol by including human beings as nodes in the network. Ceremonies include all protocols, applications with a user interface, and security provisioning workflows. In essence, there is nothing out-of-band in a ceremony. Security analysis of a node in a ceremony is the same for both human and computer nodes: With what will an attacker be able to fool the node into making an incorrect decision?
As our threat model analysis demonstrates, there are multiple threats in the threat model that are addressed outside of the implementation. In essence, there are assumptions that are made by the solution and left open for arbitrary people to satisfy in arbitrary ways. In addition, the pairing process requires an out-of-band channel (physical proximity plus visual confirmation). These are all elements that benefit from a ceremony analysis to provide guidance on how to validate or enforce all elements of the end-to-end solution.
Ceremony nodes in the exchange of credentials between a cloudlet and a mobile device are shown in the figure below. The human nodes are the following:
With the exception of the device ID and device credentials exchange shown in the figure above, all other exchanges between nodes in the ceremony are considered out-of-band for the trusted identities solution. The ceremony analysis therefore demonstrates the need to provide assurances for all other exchanges.
Wrapping Up and Looking Ahead
The paper presented a trusted identity solution for disconnected environments that combines identity-based cryptography (IBC) with mechanisms for secure key exchange without a trusted third party. The solution was developed based on a threat model for disconnected environments and implemented in our open-source tactical cloudlets project targeted at deployment in these types of environments. Evaluation of the implementation was done against the threat model and using vulnerability analysis.
The evaluation and implementation of our trusted identity solution shows a resilient solution that addresses most of the threats and characteristics of disconnected environments if combined with proper application-, OS-, network- and site-level controls. The ceremony analysis that we conducted provided guidance on threats that are addressed outside of the trusted identity solution. Even though the solution was implemented in the context of a client/server tactical cloudlets system, we believe the solution could be applied to any form of trusted communication between two or more computing nodes.
Our current work is expanding the threat model to connected cloudlets for VM migration. Future work will focus on expanding the threat model to include Internet-of-Things (IoT) devices connected to cloudlets for data staging.
We welcome your feedback on our work in the comments section below.
Read the paper that I coauthored with Dan Klinedinst, Establishing Trusted Identities in Disconnected Edge Environments.
The implementation of the tactical cloudlets system that includes the developed trusted identity solution is available at https://github.com/SEI-AMS/pycloud/wiki.