Secure Messaging

Harrier

Military Messaging Client

A secure web client for Military Messaging. Harrier supports Military Messaging using SMTP, STANAG 4406 and ACP 127. Harrier can also be used for general purpose email.

harrier-inbox

Military Messaging

Military Messaging is referenced by various names, including Formal Messaging and High Grade Messaging (HGM). It has been traditionally provided by ACP 127, but SMTP and STANAG 4406 are increasingly used. An example military message displayed by Harrier is shown below.

harrier-military-message

There are superficial similarities to email, but key service differences can be seen from inspection of the example message.

  • Military messages are sent between organizations (not roles or users), reflecting the “command” nature of military messages.
  • Military messages have “action” and “information” recipients, which is similar to To:/Cc:, but reflects formal responsibilities.
  • Action and Information recipients have independently specified precedence (e.g., “FLASH”) which inform recipients of priority.
  • Harrier shows a “due time”, which is based on the precedence of the current recipient, any “reply by” time and message delivery time. This provides an indication to the recipient of when the message needs to be processed by.
  • DTG (Date Time Group) shows the formal time that the message takes effect, which can be past or future. Filing time reflects when the message was submitted.  Times are shown in a preferred military format with Zulu time zone.
  • Security Label is associated with every message.
  • Message Type, gives information on exercise/operation to which the message applies.
  • SICs (Subject Information Codes) provide formal information on the nature of the message.
  • This message contains an ADatP-3/APP-11 Message Text Format (MTF) which can be downloaded as an attachment for processing in a C2 (Command and Control) system.

Email and General Purpose

Harrier is built using modern email protocols (IMAP, SMTP & S/MIME) and can be used as a general purpose email interface for communication between roles or users. Harrier provides configuration options to facilitate use for email. It is likely to be of most interest to those needing Harrier features not generally available in email clients, such as security label support, exempted recipient support, and time controls.

Role Based Mailboxes & Message Distribution

While military messaging provides communication between organizations, mailboxes are role based. Harrier supports role based mailboxes by authenticating users and then allowing the user to select a role-based mailbox that the user is authorized to access. This selection is illustrated below:

harrier-role-based-mailbox

Harrier can switch between role-based mailboxes.

When a message is sent to an organization, it will be distributed to role-based mailboxes based on message content and SICs using a profiler, such as the one provided by M-Switch Profiler. Harrier will recognize messages that have been profiled and make this clear to the Harrier user, including whether the recipient is action or info (which can be controlled by the profiler). Harrier can also show a list of all action and info roles to which a profiled message was delivered.

Military Distribution Lists, which provide another message distribution mechanism, split action and info recipients. Harrier will show when a message has been expanded by a military distribution list, and whether the current mailbox is action or info.

Draft, Review and Release

Military messages often make use of a draft and release process to support formal release and approval of messages by an appropriate officer. This linear release process is complemented by a parallel review process, to support drafter-centric review. This is supported by Harrier and described in the Isode whitepaper [Isode’s Draft, Review & Release Solution].

Military Message Features and Compose

harrier-military-compose

Harrier provides a message compose facility, which looks like a general purpose email compose with extra fields. Some of the fields in the above screenshot have already been described and others will be familiar from general purpose email. Other fields are:

  • Releaser. When a message is being drafted, this specifies the releaser which may be optional or mandatory, based on policy/configuration.
  • Reviewers. An optional list of reviewers, who will review the message before it passes to the releaser.
  • Exempt. A list of recipients to which the message will not be delivered. This will generally be used in conjunction with distribution lists.
  • Expires. A date at which the message is no longer valid. Harrier will display this information on reception.
  • Reply By. A date by which a reply is needed. Harrier will flag this information on reception and warn if the time is close.
  • Harrier compose may be used for plain text messaages or for HTML encoded messages with font and list options.

Harrier Scan Listing

harrier-inbox

Harrier provides a scan listing of messages, shown above, sorted by precedence and filing time. Some of this is familiar from email interfaces, but some points are worth noting:

  • Military Message precedence for the active mailbox is shown.
  • A target processing time is shown for each message, based on arrival time, reply by time, and configurable target processing time for the message precedence.
  • Security Label for each message is shown.
  • An icon indicates if message was received directly, profiled, or through a distribution list. This Icon also indicates draft/review/release processing status.
  • An icon indicates if the active mailbox is an action or an info recipient.
  • Folders show daily message archives. Messages can be archived, but not deleted, so that messages are always retained for audit.
  • The scan listing allows selection of messages. Messages can also be selected by free text search in choice of body; subject; SIC; action; info; from, with filter on precedence.

Address Book

Harrier identifies message recipients from an LDAP Directory (Isode’s M-Vault or Microsoft’s Active Directory can be used). Cobalt provisioning marks directory entries as Users, Roles, or Organizations. Type of some entries is automatic, and is selected for entries which represent redirections or distribution lists.

Harrier presents this information as two distinct address books:

  1. Organizations. This is used for Action/Info/Exempt fields.
  2. Roles. This is used in the draft and release process and also for local messages between roles.

Support of MTF and C2

Harrier can be used to support C2 (Command and Control), which makes use of MTF (Message Text Format) data, such as ADatP-3 and OTH-Gold. Harrier provides an integrated way to use systematic IRIS Forms to create and display MTF. Details for this can be found in the white paper C2 Systems use of MTF and Messaging.

ACP 127 Mode

Harrier may be configured in an ACP 127 Mode, which restricts messages to capabilities that an ACP 127 client can provide. When used in ACP127 mode addresses are presented as ACP 127 RI (Routing Indicator) and PLA (Plain Language Address) with SMTP addressing hidden from the user. Also, lines are limited to 69 characters, character set is restricted to ITA2 or IA5 and attachments are disabled. This is helpful when Harrier is deployed in a system where ACP 127 is predominantely used.

Security Labels

Security Labels selection is driven by the configured Security Policy, restricting Harrier to selecting a security label that is appropriate for the intended recipient(s). Multiple security policies can be supported, allowing the user to select the appropriate policy for the message/deployment. Two security label families are supported:

  1. ESS security labels as specified in RFC 2634 “enhance Security Services for SMIME”, following the NATO AC 322 architecture and encoded following:
    1. RFC 7444 “Security Labels in Internet Email”.
  2. NATO Confidentiality labels following:
    1. STANAG 4774 “CONFIDENTIALITY METADATA LABEL SYNTAX”
    2. STANAG 4778 “METADATA BINDING MECHANISM”
    3. NATO SRD 4778.2 Chapter 3 “Simple Mail Transfer Protocol Binding Profile”

Harrier allows drop-down selection of labels taken from system and mailbox-specific catalogues. Harrier allows creation of custom securtiy labels.

Harrier also supports security label access control checking against role clearance (so that only matching security labels are offered) and against recipient clearance.

Recipient Capability Checking

Recipient capabilities may be stored in the directory entry of each recipient. Harrier will ensure that the message is compatible with those capabilities, which can include:

  • Support of Attachments
  • Maximum Line Length
  • Maximum Message Size
  • Supported Character Sets
  • Checking against Recipient Security Clearance that security label is allowed

Capability checking is particularly important when using Harrier as an interface to older messaging standards, such as ACP127, where recipients may have limited capabilities.

TLS & HSM

All protocol links with Harrier can be protected with Transport Layer Security (TLS) and it is strongly recommended that this is done.

Harrier’s own private key may be held by Harrier on disk or making use of an HSM (Hardware Security Module) with a PKCS#11 interface.

S/MIME

Harrier supports message signing and encryption following the S/MIME as specified in RFC 5751 “Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.1”. Notes:

  • S/MIME private keys are stored on an HSM and managed by Cobalt. Note that SoftHSM is supported as an HSM option.
  • Signing can be mandated (recommended) and users alerted to messages that are not correctly signed.
  • Encryption may enabled or disabled. When enabled it is user choice.
  • Encryption may use envelope or triple wrap.
  • Header signing is provided as an option. It is strongly recommended, noting that some S/MIME clients do not support it.
  • S/MIME messages are decrypted on initial access. The primary S/MIME goal is end to end protection.  This decryption prevents issues with long term key management and message access.

Harrier is a Web server providing an interface, compatible with modern browsers, communicating to a Harrier web server using HTTP (REST) and Web Sockets and making use of making use of JSON, CSS, and HTML. The architecture allows a user to open multiple browser tabs with multiple roles.

The diagram below shows how Harrier is deployed and how the addition of an M-Switch Gateway, to perform message conversion, allows Harrier to deployed as part of SMTP, X.400, MMHS over SMTP, ACP127, STANAG 4406 networks and constrained network (low-bandwidth/high-latency) variations.

harrier-po

The Harrier web server, MTA and gateway components can be deployed co-resident on a single box or separately depending on architectural choices. TLS is configured by default for all connections to provide confidentiality and integrity.

Configuration

Harrier Configuration Management

Harrier provides a Web interface for server administrators to configure Harrier.  Key features:

  • Full configuration of all Harrier options and capabilities
  • Secure bootstrap
  • Sensible defaulting of parameters to facilitate startup
  • Per domain and global configuration options
  • Security features, including TLS, HSM, S/MIME and Security Labels/Security Policy

Monitoring

The Harrier server web user interface also provides a monitoring capability to show server activity and key operational parameters.

Provisioning

Setting up a system with Harrier requires a good deal of supporting configuration of users, roles, lists and other components. This is done by Isode’s Cobalt product, which is described in the Isode whitepaper [Provisioning for Military Messaging Handling Systems].

Ready to request an Evaluation?

Thankyou for considering Isode’s software products. To request an evaluation, please select the product(s) you are interested in, then fill out the enquiry form.

Select your Evaluation products: