Access Control Library
Capabilities
The Access Control Library (ACL) provides an Access Control Decision Function (ACDF) that determines if a subject's authorizations (contained in an X.501 Clearance attribute) allow the subject to access data labeled with specific sensitivity values (included in a security label). The ACL can be used to meet the Partition Rule Based Access Control (PRBAC) processing requirements specified in the "SDN.801 MISSI Access Control Concept and Mechanisms" document. It can process an X.509 Attribute Certificate (AC) or Version 3 X.509 public key certificate to extract the subject's Clearance attribute. It processes security labels formatted according to the "RFC 2634 Enhanced Security Services for S/MIME" specification. It can also process X.411 security labels as used with the ACP120 security protocol. It performs access control for any labeled data, not just messages. The ACL is designed for use in conjunction with the S/MIME Freeware Library (SFL), but can be used independently. The ACL uses the Certificate Management Library (CML) to ASN.1 decode X.509 Certificates and Attribute Certificates.
The ACL provides the following security services:
- Provides an ACDF that meets the SDN.801 PRBAC processing requirements using a Clearance attribute containing the subject's authorizations, a security label indicating the sensitivity of the data, and the Security Policy Information File (SPIF) for the security policy identified in the Clearance attribute and security label.
- Checks a security label to ensure that it includes a valid combination of security classification and security category values as specified in SDN.801.
- Processes an AC to extract the subject's Clearance attribute to meet the Federal PKI Working Group's Bridge Certification Authority (BCA) Phase II Demonstration access control requirements stated in the "Technical Interoperability Profile for the BCA Interoperability Demonstration Phase II" document.
- Processes v3 X.509 public key certificates (subjectDirectoryAttributes extension) to extract the subject's Clearance attribute to meet the Defense Message System (DMS) SDN.801 access control requirements.
- Processes an individual Clearance attribute that can be provided separate from a certificate or an AC.
- Optionally uses Lightweight Directory Access Protocol to retrieve security objects.
- Optionally uses the freeware CML to build and verify v3 X.509 certification paths.
- Provides the displayable string representation of a security label.
- Processes multiple Clearance attributes included in a subject's signature or key management v3 X.509 public key certificate to meet the Canadian Department of National Defense (DND) Military Messaging Handling System (MMHS) access control requirements.
- Can process a security label that includes either a set of NATO security category syntaxes (as described in the "Electronic Labelling of NATO Information" document) or an SDN.801 MISSISecurityCategory syntax.
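The decision described above (Clearance attribute, security label and SPIF as the three inputs, with the label's classification/category combination checked first) can be sketched as follows. This is an added example, not the ACL's code or API: the SPIF is modelled as a plain dictionary, the policy OID and category names are constructed, and the restrictive ("holds every value") and permissive ("holds at least one value") category rules are a simplifying assumption of the sketch.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Clearance:  # subject's authorizations (simplified X.501 Clearance)
    policy_id: str
    class_list: frozenset  # classification values the subject holds
    categories: frozenset = frozenset()

@dataclass(frozen=True)
class Label:  # data sensitivity (simplified RFC 2634 security label)
    policy_id: str
    classification: int
    categories: frozenset = frozenset()

# Constructed stand-in for a SPIF; the OID and category names are invented.
SPIF = {
    "policy_id": "1.3.6.1.4.1.99999.1", "classifications": {1, 3, 4, 5},
    "categories": {
        "CAT-R": {"rule": "restrictive", "valid_with": {4, 5}},
        "REL-A": {"rule": "permissive", "valid_with": {1, 3, 4}},
        "REL-B": {"rule": "permissive", "valid_with": {1, 3, 4}},
    },
}

def check_label(label, spif):
    """Return None for a valid classification/category combination, else a reason."""
    if label.classification not in spif["classifications"]:
        return "classification not defined by policy"
    for cat in sorted(label.categories):
        entry = spif["categories"].get(cat)
        if entry is None or label.classification not in entry["valid_with"]:
            return f"{cat} not valid with this classification"
    return None

def acdf(clearance, label, spif):
    """Return (granted, reason); every failed check denies access."""
    if not (clearance.policy_id == label.policy_id == spif["policy_id"]):
        return False, "policy identifiers differ"
    if (reason := check_label(label, spif)):
        return False, reason
    if label.classification not in clearance.class_list:
        return False, "classification not in clearance"
    rules = spif["categories"]
    restrictive = {c for c in label.categories if rules[c]["rule"] == "restrictive"}
    if not restrictive <= clearance.categories:
        return False, "missing restrictive category"
    permissive = label.categories - restrictive
    if permissive and not (permissive & clearance.categories):
        return False, "no shared permissive category"
    return True, "granted"
```
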