The Multi-level Information Systems Security Initiative (MISSI) is an NSA effort to make available products that could be used to construct systems that would satisfy user Mutli-level Security (MLS) requirements. MISSI includes the development of products in four categories: the Crypto Peripheral, Network Security Management, Secure Network Server, and Workstation Security Applique. These products will comprise the set of security components needed to construct Automated Information System (AIS) that satisfy MLS requirements.

MISSI establishes the structure for the placement of the components to achieve MLS at the workstation, LAN, or WAN levels as needed. This structure is designed to (1) protect data from unauthorized disclosure and modification; (2) identify and authenticate system users; (3) control access to data and system resources, and; (4) support source authentication and non-repudiation of messages. MISSI will be introduced in a four-phase release approach. Each release will provide four operational capabilities exceeding those of the previous release along with the required security services.

  * Release 1 provides encryption and digital signature capability to protect unclassified but sensitive
     electronic mail and file transfers.

  * Release 2 provides the capability to secure electronic mail through different level system-high
     environments with a multi-level range of  Unclassified to Secret.

  * Release 3 provides the capability to handle information in the range of Unclassified to Top Secret
     including file transfer.

  * Release 4 adds performance improvements and robustness to the network security management
     capabilities in order to address new AIS technologies and large scale expansion.

The following paragraphs describe the features and characteristics of MISSI products as they pertain to system performance, capabilities and characteristics.


MISSI components will support mandatory access controls to provide hierarchical (Unclassified, Confidential, Secret, Top Secret) and non-hierarchical ("compartmented") classifications. Discretionary access controls provide additional "need-to-know" granularity. All data stored and processed by MISSI
components will be labeled with a designation of its criticality and sensitivity through the use of the Common Internet Protocol Security Option (CIPSO) labels and internal labels in a Trusted Computing Base (TCB).

The user operation requirements of MISSI hardware components will be compatible with those required to operate the AISs they secure. At the workstation level, a user's identity will be authenticated up to the Top Secret level with a local name, a personal password, and a physical token inserted into a reader associated with the workstation's MISSI component. The use of trusted software and trusted operating systems will provide protection from unauthorized interference or tampering. MISSI components will use CIPSO labels for mandatory access controls and a database/directory scheme for discretionary access controls. These access controls and those of the trusted operation system will permit users to specify and control sharing of files and programs and provide controls to limit the propagation of access rights.


Initial MISSI components will operate on DDN X.25, CCITT 1984 X.25, IEEE 802.3, and Ethernet networks. Later releases are planned to evolve with communications network protocols such as ATM. MISSI systems are intended to be protocol independent below the lowest layer where security is applied. A Secure Network Server (SNS) providing a guard/gateway function will provide CIPSO labeling to route datagrams to the proper networks and prevent those labels from being inadvertently or deliberately altered. MISSI components communicating on Ethernet (TCP/IP based) networks will support Address Resolution Protocol functions to provide logical addressing. MISSI components will also support GOSIP X.25 protocols.


MISSI components will rely on the Electronic Key Management System (EKMS) for keying and rekeying activities. Components will support FIREFLY technology.


The reliability, availability, and maintainability of MISSI hardware and software components will meet or exceed current industry standards for commercial off-the-shelf office environment applications. Some of the MISSI critical system characteristics are:

  * MISSI hardware components designed for operation in a ground non-hostile

  * MISSI components which meet the appropriate EMI, EMC, and TEMPEST
    requirements consistent with supported networks.

  * MISSI components handled according to Controlled Cryptographic Item (CCI)

  * Integrated Logistics Support requirements for MISSI are hardware components
    that are maintainable at the organizational, intermediate, and depot
    levels. The Mean-Time-To-Repair (MTTR) figure for organizational and
    intermediate levels is 15 minutes. The MTTR figure for depot level
    maintenance is 30 minutes.

  * MISSI software and hardware components will undergo periodic health checks


The Information Security (INFOSEC) product evolution of MISSI, as defined in the four-phased release approach and the four product categories previously mentioned, is explained in more detail by the following graphics.


The Mosaic program is an implementation designed to support MISSI Release 1. This program provides a Personal Computer Memory Card International Association (PCMCIA) crypto card, which provides encryption of sensitive unclassified electronic mail (E-mail) messages. Under the Mosaic program, a Commercial Off The Shelf (COTS) networked workstation configured with a PCMCIA card bus or separate reader performs the required MISSI Release 1 functions.

The Mosaic program supports X.400 or Simple Mail Transfer Protocol (SMTP) E-mail on the Defense Message System, as well as other Department of Defense (DoD) and Civil Agency applications. This system is currently designed to operate at 1.5 Mbps encryption/decryption. The PCMCIA card is under going test in the Mosaic program.


The APPLIQUE is a low cost product that provides multi-level security services for COTS networked workstations. It consists of both a software package and a hardware device referred to as the Crypto Peripheral (CP). Capabilities include security services to support writer to reader security for X.400 based E-mail and peer-to-peer applications. The security services performed by the APPLIQUEare: access control, audit, data confidentiality, data integrity, identification, and authentication as well as non-repudiation. It consists integrates with a wide variety of 386/486 based processor COTS workstations and higher. The APPLIQUE consists of several basic elements that allow the user to communicate in networked environments with multiple security levels. These elements include: a communications security package, trusted computing base, CP and a physical token.

The communications security package includes these ISO layer 3 and 7 security protocols: Network Layer Security Protocol (NLSP1), Message Security Protocol (MSP), and Key Management Protocol (KMP). The APPLIQUE will support both the GOSIP and DoD (TCP/IP) protocol suites. The TMACH Security Monitor provides multi-level security services to the workstation user. The CP with an estimated minimum throughput rate of 10 Mbs/sec., performs FIREFLY key generation, encryption, and digital signatures. The Crypto Peripheral can make use of a PCMCIA device to provide the physical token and crypto-ignition key (CIK) functionally as a means for user identification and authentication. It is required to access security mechanisms in the CP.


The CP is a compact security product that provides encryption of E-mail messages for COTS networked workstations. It is contained on a PCMCIA card and interfaces directly to the workstation through a PCMCIA card bus or reader. The CP is the workstation security product designed to support the MISSI Release 2 system, and to protect classified information up to Secret. The CP supports a wide variety of COTS workstations that support X.400 mail packages. It is specifically designed to support ISO layer 7 security protocols. Writer to reader security protection is provided between both for Official Use Only sensitive community of Release 1 and the Secret community served by Release 2, as well as Top Secret communities served by Release 3 and above. The CP is designed for a 10 Mbps throughput rate.


The SNS is a computer system designed to allow simultaneous processing of information from the Unclassified level up to Top Secret level. It combines the highest levels of both Computer Security and COMSEC technology. The SNS will allow the connection of two or more networks at different security levels and as a MLS network file server, the SNS will allow files of different security levels to be stored and accessed simultaneously. Application software being developed for the SNS will allow it to function as a guard/downgrader. The SNS will support the CP associated with an untrusted workstation during MISSI Release 2. It insures the CP has been invoked before releasing an E-mail message to an unclassified network and regrades E-mail by human review. In MISSI Release 3, the SNS in conjunction with the Workstation Security Applique, provides full E-mail security services including regrading and MLS file storage. An EKMS compatible cryptographic function in the SNS allows all data stored on non-removable media to be protected. This allows the SNS to be treated as an unclassified Controlled Cryptographic Item (CCI) once the CIK is removed. For the software applications developer, this MLS computer will provide a POSIX compliant interface at the operating system level. Therefore, it will be possible for the SNS to run existing UNIX based application programs.


NSM provides network security management functions for the MISSI products. These functions consist of key generator and distribution, access control permissions, secure directory, and mail list services. It is a primary link to other network management functions, such as configuration management, fault management, accounting management, and performance management. The capabilities of the security management components will be phased, along with the various MISSI components. The NSM components needed to provide the above functions are the Domain Security Manager, Local Authority Workstation (LAW), Audit Manager, Rekey Agent (RKA), Secure Directory Server, and Mail List Agent. It is anticipated that these components will be software application programs that will run on COTS workstations equipped with a Workstation Security APPLIQUE. Together they will provide the necessary services to securely manage and operate the MISSI.

Back To Systems Menu Page
Mar 24/01