Web Security for the STK end user
- May 14, 2018
- STK Data Federate (SDF)
HTTPS, and TLS, and certificates! Oh, my!
If you’re an STK user who is hearing some of these cybersecurity buzzwords from your IT department and are wondering (or being asked!) how well STK will function in changing information security environments, then keep on reading.
First of all, let’s define some of the terms involved:
https (HTTP Secure) – A communications protocol for encrypting traffic over a network. This allows a client to be sure they are talking to the correct server, and have two way encryption of all traffic between them. HTTPS can use SSL or TLS protocols.
SSL (Secure Sockets Layer) – A cryptographic protocol started in the mid 90s. The most recent version, v3.0, was created in 1996, and as of 2014, was generally considered insecure.
TLS (Transport Layer Security) – A newer cryptographic protocol, currently at v1.2. Many organizations, including the US federal government as of 2014, have mandated this as the only acceptable protocol.
PKI (Public Key Infrastructure) – A set of policies and tools allowing for exchange of encrypted digital certificates to provide authentication, or proof that clients and servers are who they claim to be.
Certificate – Sometimes itself referred to as a PKI, this is the standard format digital identification document attached to initial https requests between a client and a server. Certificates can be held by servers or individual users and come in a few varieties.
STIG (Security Technical Implementation Guide) – Published by DISA, a technical guide to the security configuration required to operate on some DOD systems.
So, what do all of these have to do with STK? The short answer is, STK may need to play nicely with them anytime it makes a network request using internet protocols, even when on a private network. This type of network request is what happens all the time in your web browser of choice, and is different than simply browsing for a file or folder on your network using a file browse dialog box in STK.
STK Desktop may make these kinds of requests more often than you might realize when using features, such as:
- STK Data Federate
- Streaming imagery services
- Streaming terrain or terrain-based analysis using STK Terrain Server
- Scalability Server requests to compute Coverage or Deck Access on a network cluster
- Data Updates
- Network-linked KML
And of course, our server-, web-, and browser-based products (including Cesium) deal with these issues even more frequently.
The security of AGI’s software is continuing to evolve along with our customer’s to meet the threats of today’s cybersecurity environment. STK 11.4 continues this evolution. Just the past few releases have seen changes such as:
- STK Data Federate enhanced support for TLSv1.2 and certificate authentication
- Web Map Services (WMS/WMTS) and ArcGIS REST Map Services plugins now handle user certificates
- STK Scalability Server supports TLS v1.2 and client and server certificates
- TLS v1.2 available by default for network communications
As always, if you have any questions about how AGI products will operate in a particular security environment or if it will meet specific requirements, don’t hesitate to contact one of our engineers at 1.800.924.7244 or email@example.com, or reach out to your friendly neighborhood local AGI representative.
If you’d like to do a little further reading on these and related topics, here are some resources I’ve found helpful as an aerospace engineer forced to learn just a little about web security:
- TipTopSecurity: How Does HTTPS Work?
- How HTTPS Secures Connections (more math!)
- How Does HTTPS Actually Work?
- SSL vs TLS – What’s the Difference?
- The US Government standard is TLS 1.2