by Frej Drejhammar, Ali Ghodsi, Erik Klintskog, Erik Rissanen and Babak Sadighi
Network Based Defence (NBD) is a national Swedish military funded project with the goal of developing the next generation command and control system. The main focus of the project is to develop a system that is so scalable, flexible, robust, decentralized and interoperable that it can handle the needs of tomorrow's battlefield. SICS has in close cooperation with FMV (Swedish Defence Materiel Administration) and Saab Systems developed a role based access control system for NBD.
Access control is about deciding who gets access to which resources in the system. NBD is a plan for a military information system that can be highly flexible and resilient and provide information superiority. The system is built as a highly decentralised and dynamic system of systems. In this environment, with its high demands on mobility and autonomy, traditional centralised solutions for access control can no longer be applied. SICS has previously used the Delegent authorisation server, which is based on research done at SICS, in proof-of-concept demonstrators for NBD. During the year Delegent has been redesigned to be based on XACML (eXtensible Access Control Markup Language), a standard for access control policies. To support the NBD requirements we have extended XACML with functions for delegated, decentralised administration of policies. Decentralised administration provides more resilience to failures and faster reaction times when adapting to new situations.
Also, in order to further adapt Delegent to the NBD requirements, we have coupled Delegent to a structured peer-to-peer (P2P) system called DKS, which provides decentralised storage of the access control policies. The DKS system, implemented by SICS and KTH, provides a decentralised data management system with additional support for a Publish and Subscribe service. With DKS, Delegent no longer relies on a centralised policy repository: policies are distributed via the DKS storage system, and the Publish and Subscribe service works out which information is needed where in the network. This provides fault tolerance and enables parts of the system to continue to function autonomously in case of loss of network communications.
The DKS system is designed to connect a large number of machines with dynamic behaviour in an overlay network. Dynamic behaviour includes machines joining and leaving the overlay, as well as machines failing and connections between machines failing. With the minimal requirement of point-to-point connectivity, aggregated functionality such as reliable data storage, name-based communication and multicast is provided.
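The two previous paragraphs describe the architecture only in prose, so the following is an added illustration, not code from Delegent or DKS: a small simulation in which policies are stored on a ring-structured overlay by hashed key, pushed to subscribing nodes, and evaluated locally from the replica a node holds. Node identifiers, the resource name, the role names and the 16-bit identifier space are all constructed for the example; the point it makes beyond the text is the trade-off a defender should expect, namely that a node cut off from the network keeps deciding from a policy that may be stale until it re-syncs.

```python
import hashlib
from dataclasses import dataclass, field

RING = 2 ** 16  # size of the identifier ring; an assumption for this sketch

def key_hash(key: str) -> int:
    return int(hashlib.sha1(key.encode()).hexdigest(), 16) % RING

@dataclass
class Node:
    online: bool = True
    store: dict = field(default_factory=dict)  # resource -> roles permitted on it
    subs: set = field(default_factory=set)     # resources this node needs locally
    def evaluate(self, role: str, resource: str) -> str:
        policy = self.store.get(resource)  # local replica; no network access needed
        if policy is None:
            return "NotApplicable"
        return "Permit" if role in policy else "Deny"

class Overlay:
    def __init__(self, node_ids):
        self.nodes = {i: Node() for i in node_ids}
    def responsible(self, key: str) -> Node:
        # Successor of hash(key) on the ring, skipping nodes that are unreachable.
        live = sorted(i for i, n in self.nodes.items() if n.online)
        h = key_hash(key)
        return self.nodes[next((i for i in live if i >= h), live[0])]
    def publish(self, resource: str, roles) -> None:
        # Store at the responsible node, then push to every reachable subscriber.
        self.responsible(resource).store[resource] = set(roles)
        for n in self.nodes.values():
            if n.online and resource in n.subs:
                n.store[resource] = set(roles)
    def reconnect(self, node_id: int) -> None:
        # responsible() runs while this node is still offline, so it never reads back its own stale copy.
        node = self.nodes[node_id]
        for resource in node.subs:
            holder = self.responsible(resource)
            if resource in holder.store:
                node.store[resource] = set(holder.store[resource])
        node.online = True

def run_scenario():
    ov = Overlay([1000, 20000, 45000, 60000])      # constructed node ids
    edge = ov.nodes[45000]
    edge.subs.add("/orders/plan")
    ov.publish("/orders/plan", ["commander"])
    before = edge.evaluate("commander", "/orders/plan")
    edge.online = False                            # loss of network communications
    ov.publish("/orders/plan", ["commander", "liaison"])
    during = edge.evaluate("liaison", "/orders/plan")  # stale replica still answers
    ov.reconnect(45000)
    return before, during, edge.evaluate("liaison", "/orders/plan")
```

`run_scenario()` returns `("Permit", "Deny", "Permit")`: the partitioned node keeps serving decisions, but misses the update granting access to the liaison role until it reconnects.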
The updated versions of Delegent and DKS have been installed at the Swedish Defence Materiel Administration proof-of-concept facility and were successfully used in experiments during the autumn of 2005.
The DKS-enhanced Delegent system is a potential core component of NBD. Access control functions are no longer located on one single machine, but are distributed to the edge of the network, with the additional benefits of reduced bandwidth consumption and removal of a single point of failure.
The successful coupling of Delegent and DKS is just one example of where structured P2P systems can be applied within the NBD project. We foresee a multitude of other applications that could benefit from a structured P2P system, such as service repositories, user databases and flat name-space resolution services, some of which will be explored in the future. We will also continue the research on access control solutions for dynamic systems, with more work on administration and revocation models and on how best to present information to users.
Erik Rissanen and Frej Drejhammar, SICS
Tel: +46 633 1500
E-mail: mirty@sics.se and frej@sics.se