Case Studies

Secure Battlefield Information Sharing System


Overview

Absio’s core technology was nearly “purpose-built” to support the unique requirements of storing and sharing data securely in a tactical battlefield environment. From 2011 through 2014, Absio worked as a subcontractor to CACI Technologies (Prime Contract No. W15P7T-06-D-E402/0071) with US Army Intelligence (G2) in a research and development program (Trojan NEXGEN) to design and deploy a new tactical battlefield information sharing system. The Army’s use case called for placing a server in the back of a Humvee or MRAP, towing a 3G cell tower, and giving soldiers Android™ smart phones and laptop computers.

The Problem

This use case generated several highly problematic data security and control issues. First, the Army had to assume that the server itself could be captured or destroyed. That event could not impact a soldier’s access to their data or risk loss of confidential information to a nation-state actor. Encryption key management therefore had to be local, ensuring that the server itself could not be a single point of failure for access to encryption keys, and supporting offline access to information previously received. Second, with encryption key management pushed out to edge devices carried by soldiers, the keys and content had to be stored in the most secure manner possible, so that a nation-state actor could not easily gain access to sensitive information stored locally. Third, the Army had to assume authorized end users would act badly or be careless. Each file, then, would need to be bound with controls circumscribing its use once decrypted. Those controls needed to be extensive: the file’s use might be restricted to biometrically authenticated user A, on device B, working on operation C, with security clearance D, who was geo-located E kilometers from forward-operating base F, in the last G hours, and, if all those conditions were true, the encryption key for the file would be valid for H minutes before it self-destructed. Finally, the system had to be easy and inexpensive to deploy. Instead of requiring custom-built hardware, the Army required that the software technology be installed on off-the-shelf hardware and operated both by soldiers without a college education and by senior Army officers whose only software experience might be using email.

The Solution

Absio’s Serverless Encryption® technology was used to build a cross-platform, secure information sharing application that automatically encrypted all messages and files prior to being stored or transmitted, each with its own unique key, without requiring connectivity to a central server. The data keys were then uniquely encrypted for each user who had been given access to the data, allowing user-specific access and permissions to be added or revoked at any time without needing to re-encrypt the data object itself. Metadata containing instructions for how the content could be used was cryptographically bound to each message or file, enabling the application to consume this information anywhere the data existed, and restrict who, how, where, and for how long decrypted content could be used. Encrypted files and keys were stored locally on endpoint devices in an obfuscated file system that obscured file names and attributes, preventing particularly sensitive content and/or keys from being identified and targeted for brute force decryption. Absio’s zero-knowledge Broker™ application was installed on the portable servers, so that when a connection was available, encrypted data and keys could automatically be synchronized between devices and routed to new recipients.
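The key hierarchy this paragraph describes (one key per object, that key wrapped once per recipient, usage metadata bound to the ciphertext) can be sketched generically as follows. This is an added illustration, not Absio's code or SDK API: the function names, the symmetric per-user key-encryption keys (KEKs), the JSON policy fields and the sample data are all assumptions, and a fielded system would typically wrap the data key to each user's public key instead.

```ruby
require 'openssl'

# seal: AES-256-GCM over a non-empty pt with aad authenticated;
# returns nonce || tag || ciphertext.
def seal(key, pt, aad)
  c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  c.key = key
  nonce = c.random_iv
  c.auth_data = aad
  ct = c.update(pt) + c.final
  nonce + c.auth_tag + ct
end

# unseal: raises OpenSSL::Cipher::CipherError if key, ciphertext or aad has changed.
def unseal(key, box, aad)
  raise ArgumentError, 'no wrapped key, or truncated ciphertext' if box.nil? || box.bytesize < 29
  d = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  d.key = key
  d.iv = box.byteslice(0, 12)
  d.auth_tag = box.byteslice(12, 16)
  d.auth_data = aad
  d.update(box.byteslice(28, box.bytesize)) + d.final
end

# encrypt_object: one fresh data key per object, wrapped once per recipient KEK.
# The policy is authenticated with both the body and every wrapped key.
def encrypt_object(pt, policy, keks)
  dk = OpenSSL::Random.random_bytes(32)
  { policy: policy, body: seal(dk, pt, policy),
    wrapped: keks.transform_values { |kek| seal(kek, dk, policy) } }
end

# read_object: unwrap this user's copy of the data key, then decrypt the body.
def read_object(obj, user, kek)
  dk = unseal(kek, obj[:wrapped][user], obj[:policy])
  unseal(dk, obj[:body], obj[:policy])
end

# Constructed sample: hypothetical users, throwaway KEKs, made-up policy fields.
keks = { 'alice' => OpenSSL::Random.random_bytes(32), 'bob' => OpenSSL::Random.random_bytes(32) }
obj = encrypt_object('rally point update', '{"device":"B","ttl_min":30}', keks)
puts read_object(obj, 'bob', keks['bob'])
obj[:wrapped].delete('bob') # revoke bob: the body is not re-encrypted
puts read_object(obj, 'alice', keks['alice'])
```

Deleting a wrapped key blocks future unwraps from that store; it cannot recall a data key a recipient has already unwrapped, so time and location limits still depend on the consuming application enforcing the bound policy.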

The technology developed to meet the Army’s requirements, which is now embodied in Absio’s Data Encryption Software Development Kits, resulted in the award of two US Patents: (i) No. 8751799, related to Absio’s unique manner of key exchange in a decentralized key management environment; and (ii) No. 9104888, related to storage of data and keys in Absio’s obfuscating file system.