National defense is generally considered essential to the security and economic prosperity of a society and to the well-being of its people. The ability to securely access and share sensitive information is critical. Many defense organizations rely on smart-card–based PKI solutions to enable personnel to encrypt and sign e-mail messages, to access restricted areas, and to access internal networks. The adoption of identity and access management (I&AM) solutions by defense organizations, however, is lagging behind their adoption by businesses, primarily due to scalability challenges and unique security requirements (e.g., attackers include terrorists and state-sponsored hackers).
U-Prove provides innovative security features of interest to national defense I&AM:
- Monitoring-resistant access: With centralized and federated enterprise I&AM solutions, the insiders of administrative domains are all-powerful: they can monitor in real time which user is accessing what resources, and can deny access to targeted users and users of targeted resources. U-Prove permits any degree of access privacy vis-à-vis resource providers and central parties, even in the face of collusions, while preserving their ability to deactivate enrollment accounts and to revoke access rights.
- Offline access: I&AM systems that centralize identity management functionality are vulnerable to massive denial-of-service attacks; attackers may resort to network flooding attacks and to more drastic measures such as the bombing of core operations. U-Prove enables secure offline access to protected defense resources on the basis of long-lived identity and attribute information issued to authorized users in protected form. Offline access capability is also important for protected resources in the field.
- Fine-grained access control: Coarse-grained access control allows authorized users to do more with resources than they need to. National defense networks consist of millions of protected documents and other sensitive resources, and must accommodate large numbers of resource users. The access rights of authorized users depend not only on security clearance, rank, and role, but also on resource sensitivity levels. U-Prove enables defense organizations to electronically provide authorized users with privileges and entitlements in protected form, enabling fine-grained access control decisions at the point of access. At the same time, users can selectively disclose only the minimal information needed to gain access.
- Secure access devices: In light of the sophistication of attackers and the sensitivity of many resources, tamper-resistant access devices are critical. The standard for many national defense networks is an X.509 certificate pre-stored on a hardware token, protected by a PIN and/or a biometric. U-Prove can augment this approach by enabling defense organizations to electronically bind privileges and entitlements over open networks to previously issued tamper-resistant devices (such as Trusted Computing chips and smart cards). A highly constrained device can protect a virtually unlimited supply of assertions.
- User-authenticated audit trails: U-Prove enables resource providers to collect user-authenticated transcripts that prove every access. These transcripts can prove not merely which resources have been accessed but also what actions have been performed on them. At the same time, resource providers can hide sensitive information (such as the identities of users) from third parties by censoring the transcripts prior to forwarding them.
For details, see our paper on critical information infrastructures.