john trinidad senior systems engineer harris corporation rochester, ny john.trinidad@harris
DESCRIPTION
The Challenge in Developing an SCA Compliant Security Architecture that Meets Government Security Certification Requirements. Ronald Bunnell Senior Systems Engineer The Boeing Company Anaheim, CA [email protected] (714) 762-2838. John Trinidad Senior Systems Engineer - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: John Trinidad Senior Systems Engineer Harris Corporation Rochester, NY john.trinidad@harris](https://reader035.vdocuments.us/reader035/viewer/2022062516/56812baa550346895d8fda1e/html5/thumbnails/1.jpg)
John TrinidadSenior Systems EngineerHarris CorporationRochester, [email protected](585) 242-3664
The Challenge in Developing an SCA Compliant Security Architecture that
Meets Government Security Certification Requirements
Ronald BunnellSenior Systems EngineerThe Boeing CompanyAnaheim, [email protected](714) 762-2838
![Page 2: John Trinidad Senior Systems Engineer Harris Corporation Rochester, NY john.trinidad@harris](https://reader035.vdocuments.us/reader035/viewer/2022062516/56812baa550346895d8fda1e/html5/thumbnails/2.jpg)
2
Introduction The Joint Tactical Radio System is being
developed to be Software Communication Architecture (SCA) version 2.2 compliant Open Architecture Open Standards Portability
The JTRS is also being developed to provide secure communications for the US Military Meet Government security requirements Protect Voice, Data and Network
![Page 3: John Trinidad Senior Systems Engineer Harris Corporation Rochester, NY john.trinidad@harris](https://reader035.vdocuments.us/reader035/viewer/2022062516/56812baa550346895d8fda1e/html5/thumbnails/3.jpg)
3
SCA Security Supplement
The SCA Security Supplement (SS) version 1.1 defines a number of security require-ments for the SCA (approximately 260) Enhances Security Generic in nature Doesn’t address issues with classified
systems Other Government Security
Requirements total over 1300
![Page 4: John Trinidad Senior Systems Engineer Harris Corporation Rochester, NY john.trinidad@harris](https://reader035.vdocuments.us/reader035/viewer/2022062516/56812baa550346895d8fda1e/html5/thumbnails/4.jpg)
4
SCA SS (cont’d)
Some contradiction between requirements exist Multiple requirements documents generated
by multiple authors Some requirements assume a specific
implementation Challenge is to meet intent of SCA and
still provide a secure system
![Page 5: John Trinidad Senior Systems Engineer Harris Corporation Rochester, NY john.trinidad@harris](https://reader035.vdocuments.us/reader035/viewer/2022062516/56812baa550346895d8fda1e/html5/thumbnails/5.jpg)
5
Example Security Functions
Encryption for confidentiality Authentication of users, commands,
software, radio parameter files Integrity of keys, software, files Transmission security to protect the
communications channel Protection of network topology
![Page 6: John Trinidad Senior Systems Engineer Harris Corporation Rochester, NY john.trinidad@harris](https://reader035.vdocuments.us/reader035/viewer/2022062516/56812baa550346895d8fda1e/html5/thumbnails/6.jpg)
6
Approach
![Page 7: John Trinidad Senior Systems Engineer Harris Corporation Rochester, NY john.trinidad@harris](https://reader035.vdocuments.us/reader035/viewer/2022062516/56812baa550346895d8fda1e/html5/thumbnails/7.jpg)
7
Implementation Approach
Our Approach to meeting Multiple Single Levels of Security (MSLS) includes providing four channels, each with its own transceiver, cryptographic channel, and processors (RED and BLACK). The JTR allows for the capability to operate simultaneously four instantiated waveforms. Waveforms can be torn down or re-instantiated as required.
Two radios connected together can provide for an 8 channel radio.
![Page 8: John Trinidad Senior Systems Engineer Harris Corporation Rochester, NY john.trinidad@harris](https://reader035.vdocuments.us/reader035/viewer/2022062516/56812baa550346895d8fda1e/html5/thumbnails/8.jpg)
8
Functional Block Diagram
![Page 9: John Trinidad Senior Systems Engineer Harris Corporation Rochester, NY john.trinidad@harris](https://reader035.vdocuments.us/reader035/viewer/2022062516/56812baa550346895d8fda1e/html5/thumbnails/9.jpg)
9
Joint Tactical Radio System Cluster One
Security adapter components use Security APIs per the SCA Security Supplement
Strict adherence to the SCA maximizes Waveform Application’s portability Adherence to the AEP Constraint of minimum CORBA Use of CF:Devices (i.e., Radio Devices) to
interface with hardware Use of existing APIs
![Page 10: John Trinidad Senior Systems Engineer Harris Corporation Rochester, NY john.trinidad@harris](https://reader035.vdocuments.us/reader035/viewer/2022062516/56812baa550346895d8fda1e/html5/thumbnails/10.jpg)
10
JTRS Cluster One (cont’d)
A set of common Radio Security Services for non-waveform and waveform applications to use.
Consists of SCA components that are persistent, SCA-compliant Resources or Devices that reside within the JTR Set and execute on a General Purpose Processor
Compliance to the SCA to provide portability and reuse for other Clusters
![Page 11: John Trinidad Senior Systems Engineer Harris Corporation Rochester, NY john.trinidad@harris](https://reader035.vdocuments.us/reader035/viewer/2022062516/56812baa550346895d8fda1e/html5/thumbnails/11.jpg)
11
Software StructureCore Framework (CF)
Commercial Off-the-Shelf(COTS)
Applications
OPERATINGENVIRONMENT (OE)
Red Hardware Bus
CFServices &
Applications
CORBA ORB &Services
(Middleware)
Network Stacks & Serial Interface Services
Board Support Package (Bus Layer)
Black Hardware Bus
CFServices &
Applications
CORBA ORB &Services
(Middleware)
Network Stacks & Serial Interface Services
Board Support Package (Bus Layer)
Operating System
Core Framework IDL
Non-CORBAModem
Components
Non-CORBASecurity
Components
Non-CORBA I/O
Components
RF
ModemComponents
Link, NetworkComponents
SecurityComponents
ModemAdapter
SecurityAdapter
SecurityAdapter
I/OAdapter
I/OComponents
MAC API LLC/Network API LLC/Network API
Link, NetworkComponents
Security API
Operating System
PhysicalAPI
I/O API
(“Logical Software Bus” via CORBA)
![Page 12: John Trinidad Senior Systems Engineer Harris Corporation Rochester, NY john.trinidad@harris](https://reader035.vdocuments.us/reader035/viewer/2022062516/56812baa550346895d8fda1e/html5/thumbnails/12.jpg)
12
Waveform Porting
Security Architecture must support porting of waveforms Eleven legacy waveforms in addition
to the WNW Design guidance given to
waveform developers in meeting porting, bypass and other security related issues
![Page 13: John Trinidad Senior Systems Engineer Harris Corporation Rochester, NY john.trinidad@harris](https://reader035.vdocuments.us/reader035/viewer/2022062516/56812baa550346895d8fda1e/html5/thumbnails/13.jpg)
13
Network Security JTRS is designed to provide
transformational communications in the form of the JTRS Networking capability
Waveforms provide tremendous connectivity to each Radio node
With this improved connectivity, comes greatly increased exposure to threats. Threats now are also network centric and can affect JTRS nodes from anywhere on the planet.
![Page 14: John Trinidad Senior Systems Engineer Harris Corporation Rochester, NY john.trinidad@harris](https://reader035.vdocuments.us/reader035/viewer/2022062516/56812baa550346895d8fda1e/html5/thumbnails/14.jpg)
14
Network Assurance
SCA mandates separate network stacks (TCP/IP) for internal software transactions and for external waveform support
Information Assurance approach must Prevent/Detect Network attacks Provide protection to Detection System
![Page 15: John Trinidad Senior Systems Engineer Harris Corporation Rochester, NY john.trinidad@harris](https://reader035.vdocuments.us/reader035/viewer/2022062516/56812baa550346895d8fda1e/html5/thumbnails/15.jpg)
15
Defense in Depth
Robust Waveform
TRANSEC
COMSEC
Secured Protocols
Jammers
Detectors
TrafficAnalyzers
InterceptorsRF TrafficAnalysis
DisgruntledInsideHackers
Black(D)DoS Attacks
HostAbuse
ImproperManagement
Red IPNetwork
Black IPNetwork
Packet Filtering Red RouterPacket Filtering Black Router
Risks
Subversion of Resources
O/S
Red(D)DoS Attacks
![Page 16: John Trinidad Senior Systems Engineer Harris Corporation Rochester, NY john.trinidad@harris](https://reader035.vdocuments.us/reader035/viewer/2022062516/56812baa550346895d8fda1e/html5/thumbnails/16.jpg)
16
Limitations
Control placed on CORBA calls and other data bypass of the Cryptographic Unit Mainly concerned with Red to Black
bypass Some concern with Black to Red
Limits need to be placed on amount and type of Bypass data Limit free text for example
![Page 17: John Trinidad Senior Systems Engineer Harris Corporation Rochester, NY john.trinidad@harris](https://reader035.vdocuments.us/reader035/viewer/2022062516/56812baa550346895d8fda1e/html5/thumbnails/17.jpg)
17
Cryptographic Bypass Four types of bypass:
Header bypass Waveform control/status bypass System control/status bypass Plain text bypass
Each Application will have a Bypass policy Guidelines for Applications established.
Waveform developers are defining
![Page 18: John Trinidad Senior Systems Engineer Harris Corporation Rochester, NY john.trinidad@harris](https://reader035.vdocuments.us/reader035/viewer/2022062516/56812baa550346895d8fda1e/html5/thumbnails/18.jpg)
18
Conclusion
While providing a complete open architecture is not totally possible, given our need to protect data as well as the radio from attack, standards can be applied to the Security Architecture that support portability across a number of different platforms