Data Centric Security

OGC Testbed 16 – Dedicated to Advanced Data Centric Security

6. Apr. 2020

The OGC Testbed is an annual research and development program that explores geospatial technology from various angles. OGC Testbed 16 is the name of this year’s OGC Testbed, which started in the middle of April 2020, for the first time without a kick-off meeting in Washington D.C., due to the disruption caused by the current COVID-19 pandemic. This year m-click.aero GmbH was awarded participation in the OGC’s testbed initiative, collaborating on the task dedicated to advanced Data Centric Security (DCS).

The DCS task consists of a central engineering report (ER) that aims to consolidate all of the task’s outcomes, including the development of the components of the DCS architecture. Among them are the DCS Server, the Key Management Server and the Authorization Server. Working together in the DCS architecture, these components shall implement two use case scenarios demonstrating the controlled provisioning and consumption of sensitive/classified (and thus cryptographically protected) data. The scenarios shall demonstrate mixed levels of data protection, the use of symmetric and asymmetric encryption keys, and a JSON DCS implementation using STANAG 4774 and 4778. NATO STANAG 4774 defines the Confidentiality Metadata Label Syntax for Data Centric Security. NATO STANAG 4778 is the Metadata Binding Mechanism for Joint Coalition Information Sharing.

The scenarios are based on a well-known digital rights management (DRM) architecture. The first scenario deals with short-lived cryptographic keys used for immediate decryption/consumption of protected data within a synchronous data request. The second scenario anticipates a more asynchronous style of data consumption. It includes the download of a larger set of encrypted, partially sensitive/classified data from the DCS server and its upload to mobile electronic devices prior to “field use” (for example, in emergency situations when, in the absence of a network connection, rescue teams use navigation/situational-awareness equipment containing classified geospatial data sets). The encrypted data remains stored on such devices for a longer period of time, which potentially represents a security threat. Decryption is performed on demand, using keys that have a longer period of validity and stronger cryptographic protection. The required keys are issued by the authorization server in accordance with user credentials and roles.

Both use cases of advanced DCS are relevant for the provision of aeronautical data. For example, high-quality AIXM 5.1 data sets might be purchased from an authorized, commercial data provider on a licence basis and be delivered to a client device (for example, a preflight briefing application). The data usage would then be driven by the licensing policy, which would include the decryption key having an expiration time and restrictions derived from the purchased data package. Obviously, the DRM architecture and DCS could be successfully utilized in the aviation domain, especially considering cloud services. The outcomes of this testbed will provide valuable information regarding the feasibility and the implementation details.

m-click.aero GmbH has extensive experience with data security in the aeronautical domain. In OGC Testbed-13 we already worked on a Security ER dedicated to data security in the aviation domain. On behalf of Eurocontrol and the FAA we participated in several projects regarding the aeronautical data security service model (SWIM) and investigated how to specify and enforce policies over data sets in the aviation domain. Our award-winning aviation data validation platform was developed as an outcome of those activities, as one of the first aviation data analysis services available on the web.

We are looking forward to further fruitful collaboration with the testbed’s participants, sponsors and the OGC staff.