February
1991
transformation algorithm, well known to communication specialists, could be used to overcome the so-called security offered by spread technology. Motorola noted that its signal range is short and separate systems can be set up as close as 120 feet, but because of security reasons, no customer will be assigned the same frequency within a 35 mile range.

Communications engineers note that cutting power to reduce the broadcast range within a building presents an engineering problem because of signal reliability. Besides, the signal does not stop at the outside building walls and many signals wander beyond their set range. Thus the eavesdropper or intruder would be able to access the network’s server for data and/or monitor data flow on the network.

The technique needed to access the network is not as simple as using Norton Utilities or PCTools but the skill required is not beyond the hackers familiar with telephone and broadcast technology. Certainly this technique is far easier and cheaper than using the complex electronic eavesdropping devices. Furthermore, it would not be necessary for the eavesdropper to have the equipment in the same building as the network, although that would be the best location.

Another factor in the cost of operations may be eventual shielding of the system. Harmonics in any waveband can create problems. So can leakage which is not consistent. The system might interact with many of the microwave security systems used in the building or neighbouring buildings. Stray waves may also create workstation problems. Many years ago I purchased a cordless telephone system for our office. Often when we dialed a number or received a call, stray waves from the telephone played havoc with the microcomputer. In some cases program execution was halted; in the worst case the system was rebooted automatically.

From a human/environmental viewpoint the microwave system faces human concerns about
©1991
Elsevier Science Publishers Ltd
Computer Fraud & Security Bulletin
a possible health hazard. Some communities in the United States have successfully stopped the construction of microwave facilities for the Defense Department, the Weather Bureau and even air traffic control operations. With repeated studies of possible dangers of living near electric power transmission lines, Motorola might have a problem in convincing employees that its milliwatt signal levels are completely harmless. Again we have the classic problem of product development without concomitant security precautions. A wireless system certainly has its attractions in business and industry. Not only is there a substantial saving in cable installation but it also makes it possible to move and/or add workstations more easily. Data transmission, however, is over public wavebands. We will undoubtedly encounter the same privacy and security problems that we have in the use of cellular telephones. Many organizations, unless involved with defense contracts, appear unconcerned about data security. However, some of the savings afforded by wireless LAN systems will be eroded when companies realize that the microwave signals will have to be encrypted. The strength of that security will then depend on the encryption algorithm, encryption keys and the knotty problem of key management.
NETWORK SECURITY
Some New Directions

Mike Shain
GE Information Services Limited
Security is very much tied up with responsibility. For safe computing it is important that everyone involved takes some responsibility for implementing and complying with security controls. Ideally, one should be able to define the system boundary separating the network from the customer, although this may not be easy in a multi-user environment, such as EDI. Within their own sphere of responsibility, network users should have well defined security policies covering their information processing, and through the use of risk analysis have identified cost effective security controls and procedures. Similarly, network operators will need to provide security services to comply with the policies of their customers. The issues then become, “What are these services, how are they supported and where should they be located?”

This paper addresses these questions and suggests the direction for developing a security architecture that is flexible, easy to implement and cost-effective. This latter point is important because advances in technology bring about new threats and exposures and so from time to time certain elements of the security architecture, such as an algorithm or protocol, may need to be replaced without causing too much disruption. Secondly, the administration needed to maintain a security system must be kept to a minimum.

Network Security Services

Threats and Countermeasures

Figure 1 lists the most likely threats, and the controls that are needed to counteract them. These controls should be thought of as security services which are available to system designers when developing new network based facilities. Thus these controls will need to be supported by security mechanisms placed either at the PC, on the network, or on the central hosts. Of the controls or countermeasures listed below, the first four are based on cryptographic techniques, and usually require dedicated hardware. This is partly for reasons of performance, but mainly because ultimately all cryptographic controls depend on physical security. That is why cryptographic keys are housed in tamper resistant modules where they are never revealed to the outside world.

Threat                      Control
Illegal Use of Network      User Authentication
Espionage, Privacy          Encryption
Message Modification        Message Authentication
Repudiation                 Digital Signatures
Message Replay              Application Controls
Message Delay               User Procedures
Internal Fraud              Reasonability Checks

Figure 1: Network security controls.

User Authentication and Access Control

Access control can be divided into two categories:

• physical access control
• logical access control

Physical access control is aimed at controlling access to the physical components of the information processing or storage media. This will also include certain aspects of communications security, e.g. lines, network processors etc. Logical access provides additional controls to users who have managed to log on to the computer system by restricting access to sets of data or software. Logical access control attempts to separate the legitimate user from the hacker by:

• identifying and authenticating the user
• restricting user access privileges to the minimum
• monitoring all usage.
Users requesting access provide details of their identity and some proof of that identity by means of:

• an attribute of the user, e.g. a thumbprint.
• a possession of the user, e.g. a token.
• knowledge held by the user, e.g. a password.

Biometrics are unreliable, and passwords are very weak. Token devices, such as Watchword, which contain a secret key known only to the host and not revealed during the logon sequence, are very secure. As we shall see later, smart cards can be made to operate in a similar way.

Encryption

Encryption provides for the protection of data from unauthorized disclosure and against message interception. The standard way of doing this is for both parties to share a common, secret cryptographic key which is used for both encrypting and decrypting messages. The system for creating these keys, administering and distributing keys and destroying used keys is known as key management. Key management schemes usually place a heavy burden on those who have to maintain them and it is an issue that lies at the heart of providing security. The problem is considerably reduced if a public key cryptosystem, such as RSA, is employed for this purpose, because RSA can be adopted for transporting encryption keys securely between users who want to communicate.

Message Authentication

This service proves that a message has not been inadvertently or intentionally modified. The mechanism to do this involves the encipherment of a compressed string of relevant data (e.g. as specified in ANSI X9.9) to be transferred and this is sent to the recipient along with the plain text. The recipient repeats the process and compares the result. As in the encryption section above, a key management scheme is required to securely distribute the symmetric encryption/decryption keys used.

Digital Signature

This technique is used to provide proof of the integrity and origin of data, both in an unforgeable relationship, which can be verified by any third party. This mechanism involves the encipherment, by the originator’s secret key of an asymmetric scheme, of a compressed string of data to be transferred. Just as with the data integrity mechanism mentioned above, the recipient will process the message to prove authenticity. A digital signature in effect confers the benefits of user and message authentication mentioned above, but it does so in a way that does not depend on a shared secret between the communicating parties, as Racal Guardata’s ‘Watchword’ does. Because of this a digital signature cannot be repudiated by either the sending or receiving party.

Location of Network Security Services

The CCITT recommendation X.509 advocates the use of a Secure Directory from which parties who intend to communicate can obtain knowledge of each other’s credentials, knowledge which forms the basis of authentication. The protocols for this have to be proof against malicious attack, and an indication of how this might be achieved is discussed later.

Security has to begin and end at the nodes of a network, and typically this means providing controls at the PCs and host computers sending and receiving messages. The four cryptographic controls discussed above are forced on terminals through the use of special equipment, such as PC crypto cards, or smart cards, and the key management aspect is provided at the centre. Of course, message security is only part of the overall security policy for a network, which must ensure the integrity of all processing and be available as and when needed.
The network must have good logical access control, along with a system of authorization, such as RACF in an IBM environment. Apart from monitoring and logging security violations, the burden of cryptographic processing takes place not on the network, but at the user’s terminal. To support this the network must provide a framework for user authentication.

RSA Certification

Public key cryptosystems separate the capacities for encryption and decryption so that (1) one person can encrypt messages in such a way that many people can read them and (2) many people can encrypt messages in such a way that only one person can read them. This separation allows important improvements in the management of cryptographic keys and makes it possible to ‘sign’ a purely digital message.

RSA is an implementation of a public key cryptosystem and it makes use of the fact that finding large (e.g. 200 digit) prime numbers is computationally easy, but that factoring the product of two such numbers appears computationally infeasible. The problem with RSA is that an RSA system runs at about one thousandth as fast as DES and requires keys about ten times as large. At present, the convenient features of public-key cryptosystems are bought at the expense of speed. The fastest RSA implementation runs at only a few thousand bits per second and so it is generally desirable to make use of a hybrid system in which RSA is used only during the key management processes to establish shared keys for employment with conventional systems (such as DES).

Key Management

The solution to the problem of key management using conventional cryptography is for the network to provide a key distribution centre (KDC): a trusted network resource that shares a key with each subscriber and uses these in a bootstrap process to provide additional keys to the subscribers as needed. When one subscriber wants to communicate securely with
another, he first contacts the KDC to obtain a session key for use in that particular conversation or transaction. The session key itself has to be encrypted otherwise the whole system would be compromised. One of the problems in operating a conventional KDC is that the number of keys that have to be stored rises rapidly with the number of users. For n terminals, there are n(n-1)/2 pairs of keys. This amounts to half a million keys in a network with one thousand terminals.

With public key cryptography, the keys the KDC dispenses are public keys (of which there would only be n, the number of terminals) and messages encrypted with these can only be decrypted by using the corresponding secret keys, to which the KDC has no access! In the language of X.509, the KDC becomes a ‘Secure Directory’. However, in order to protect subscribers’ public keys held in a directory, each key has to be certificated, i.e. it has to be cryptographically authorized by the KDC or Directory. Thus if Alice wishes to send a message to Bob, she obtains Bob’s certificate from the Directory and tests to see that it is authentic. A certificate, in fact, functions as a letter of introduction, in this case from the directory operator to the user.

What would happen in practice is as follows:

Let Bob’s ID = BOB
$k_{SD}$ = secret key of the Directory
$k_{PD}$ = public key of the Directory
$k_{PB}$ = Bob’s public key
$k_{SB}$ = Bob’s secret key
$e$ = the RSA encipherment function
$d$ = RSA decipherment function

The Directory stores $k_{PB}$ along with the following certificate:

$e_{k_{SD}}(\mathrm{BOB}, k_{PB})$

Bob’s ID and his public key have been encrypted under the secret key of the Directory, i.e. they have been signed to form a certificate.
When Alice retrieves this she develops

$d_{k_{PD}}(e_{k_{SD}}(\mathrm{BOB}, k_{PB})) = \mathrm{BOB}, k_{PB}$.

Alice has derived Bob’s public key from the certificate, and it should be identical to the unsigned version. In other words, Alice can be sure that $k_{PB}$ is Bob’s public key, and not someone else masquerading as Bob. Note, if this were the case, the masquerader would be able to read Alice’s message. In effect, the Directory has certified Bob’s public key by producing a digital signature using its secret key.*

* Note, with a symmetric encryption scheme, such as DES, the same key, $k$, is used for encrypting and decrypting a message, $M$. Thus $e_k(M)$ is decrypted by: $d_k(e_k(M)) = M$. With RSA, however, a message encrypted by a public key cannot be used to decrypt it, i.e. $d_{k_{PA}}(M) \neq M$ (or anything like M!).

Having seen, in principle, how Alice can recover Bob’s public key, the question is, “How are public keys placed securely in the directory and who is responsible?” If the Directory operator were responsible for issuing its clients with public/private key pairs, the problem is solved, but then everyone would have to trust the operator, and much of the benefit of RSA’s non-repudiation is lost. The alternative is for each user to generate his own key pair, and to have a secure way of entering the public key in the Directory, and leaving the secret key with the user and not the operator of the Directory. A suggested mechanism for this is a smart card capable of handling RSA. To understand how this might be accomplished we need to review the capabilities of the smart card.

Smart cards

Market trends

In September 1989 the IBM Centre in Boblingen, Germany, announced a smart card solution for their banking products. The product line includes the IBM smart card, smart card reader, crypto-card for the PS2 workstation and a network security processor. The IBM smart card is used both for user and message authentication, the crypto-card is used to encrypt the hard disk.
Smart cards have been around for over ten years but it is only fairly recently that they have been specifically packaged to handle security. A number of manufacturers, including GEC, Philips, Gemplus, Logicam, Thorn EMI and Bull have developed security smart cards. In France, Gemplus has an automated factory capable of producing 2 000 000 cards per month.

In one UK Clearing Bank Trial, customers will be provided with smart cards which will enable them to review payment instructions. Once the instruction has been created they will be able to cancel, amend, or release it as they like. When the bank receives the message (via INS) they can check the contents against an authentication code for any unauthorized modification. In effect, the smart card has become in the one device a portable PC security module and Watchword generator.

The first widespread appearance of the card in Europe will be with the advent of satellite pay television. News International has set up a joint company with Gemplus to form News Gem Smart Card, and produces the smart cards in Scotland. Interestingly, the card uses the very powerful Fiat-Shamir authentication protocol to let the decoder know it’s a genuine, up-to-date card. The Scottish plant has a capacity of 400 000 cards per month. Sky is using the Gemplus COS 8K card, costing around $4.00 each. As Coca Cola will have their logo on these cards, money from advertising will further offset the cost. In the US, GE Cable has signed an agreement with this company for their smart cards and decoders.

Thus, almost overnight smart cards will become an integral part of consumer electronics. The effect will be to make those involved in protecting network services,
[Figure 2. Architecture of the Gemplus ‘COS’ smartcard. Diagram labels: ROM holding the card operating system and optional user application subroutines (application software controlling the behaviour of the card); EPROM or EEPROM holding confidential codes, the C.O.S. control area (security control for protection of memory areas) and user areas. Each user area is identified by its own descriptor and its access is controlled for writing and reading operations. Areas are managed through a directory.]
realize that this can now be done very cheaply and effectively. In such an environment network operators need to consider very carefully what they must do to take advantage of this technology, as well as protecting their existing customer base.

Smart Card Architecture

Figure 2 depicts the layout of a typical modern smart card, in this case the COS made
by Gemplus. The features of the type of card include a single-chip 8-bit microprocessor, with a user storage memory of 32k bits, or more. The equivalent card made by Philips, the D2 Security Smart Card, has a built-in DES algorithm running at 440 bits/sec and can carry out message authentication to ANSI X9.9. In addition, it can store 6 base keys and 2 additional keys per service zone, and support key management for the generation of session keys as well as storing master keys.
Operating System

The operating system can only be implemented in the card during initial card manufacture and cannot be subsequently changed. It will contain routines to allow the card to hold data securely in a tamper resistant form as well as secure communications software.

Applications Software

The applications software is loaded in the card under the control of the operating system at a later stage of card manufacture, just prior to final card customizing. It would contain the routines for handling GEIS’ network security protocols.

Data Memory

The remaining area of the memory is available for data, some of which may be loaded when the card is customized, i.e. account number and personal identity data. Other data may be accumulated as the card is used, i.e. totalizer information or transaction log. It could even record the user’s terminal connect time and characters transmitted, thereby off-loading part of the billing overhead.

Flexible memory partitioning is employed such that memory outside the operating system can be split as required between applications software and data. Data can be held in the memory in any of three ways as:

Secret data: once loaded can never be read outside the card and cannot be altered.

Confidential data: once loaded can only be read outside the card upon receipt of the correct password or secret key, and cannot be overwritten.

Free data: can be read and written as specified by the applications software.

All applications software and data is maintained securely in the memory within the card, which is immune to external magnetic fields, radio frequency transmissions and X rays.

Communications and Interface

All card communications are controlled and configured by the processor and data is sent and received using an industry standard synchronous communications protocol. The character set is internationally recognized and information can be sent at any rate from 300 to 9600 binary digits a second.

In the case of the GEC iC card, all power and communications are received via a contactless interface. This card only has to be placed within one inch of a read/write coupler for it to become active. The coupler induces power within one inch of the card, across the gap, and the card modulates this power to communicate back to the coupler.

Cards with contacts now conform to ISO 7816 parts 1, 2 and 3 and a reader meeting this specification can, in principle, accept any card. However, message formats for smart card communications have not been agreed, although an ISO working party, TC 68/5, is looking into this.

Accountability

The initial customizing of cards, where secret data may be imbedded, is carried out automatically, at the manufacturer’s secure premises. A full audit trail for circuits, cards and encoding is an integral part of most production processes.

Security

Integral to all smart cards is the ability to build security around the stored data. Because cards can hold secret data, they can be used to store and transport secret cryptographic keys. This is a very important property: only the card’s operating system can read this data, where it would typically access it to decrypt an encrypted session key received over a network.
RSA

RSA can be embedded into a smart card as part of the applications software. Until recently RSA processing has been very slow with smart cards but now both Thorn-EMI and the French company, Logicam, have announced products offering RSA signature and authentication. The Logicam card, the MIRSA, processes RSA at a rate of 300 ms for 512 bits and DES at 150K bps. MIRSA has been selected by the French banks as the security device for the implementation of ETEBAC5 (French banking security standard for the 1990s). The module is the result of successful collaboration between Logicam and SEPT (France Telecom Research Lab).

The Logicam RSA cards are currently expensive (about £300 each) but they are expected to come down. This card is particularly fast, using as it does a signal processing chip. Slower, and hence less expensive, cards are available. However, the Logicam card is less expensive and more flexible than conventional security offerings based upon PC crypto cards and access control tokens.

A Network Operator’s Smart Card

We have seen how Alice can obtain Bob’s public key, and have indicated that there would be a strong advantage in having subscribers generate their own keys. This could be done on Alice’s smart card provided it came with RSA software. In fact, this could be accomplished with a network customized smart card, i.e. one holding applications software to handle the relevant security algorithms and protocols for a particular network or closed user group. This software might include:

1. RSA for key management and digital signatures
2. DES for encrypting financial transactions
3. Network operator proprietary algorithm for non-financial traffic e.g. EDI
4. Message Authentication (ANSI X9.9)
5. Watchword protocol for user authentication

In addition, the card would hold the following data in the secret part of its memory.

1. DES Master Key $k_{DES}$
2. Card serial number, N

The following ‘confidential’ data would also be held, see Figure 3.

1. The Network Operator Directory public key, $k_{PD}$
2. Alice’s ID or user number, ALICE.

Operating System
Applications Software
Secret Data:         $k_{SA}$, $k_{DES}$, N
Confidential Data:   $k_{PA}$, ALICE, $k_{PD}$
Free Data

Figure 3. Data storage in the smartcard issued by a network operator

All information held in the ‘Secret’ and ‘Confidential’ areas of the card is encrypted and access to these ‘fences’, as they are known, is controlled by the card operating system. The normal procedure in using smart cards is that firstly the user authenticates himself/herself to the card via a PIN. This would be stored in the secret part of the card and is usually encrypted under a one-way function, which is proprietary to the manufacturer. Once this has been accomplished, the card may authenticate itself to the other card reader and the card reader will then authenticate itself to the network. One protocol for doing this is the
Fiat-Shamir, which is as strong as the factorization problem upon which RSA is based. Once this handshaking is complete, the network is now able to ‘trust’ the smart card. However, the alternative is to use a dumb card reader and have the PC communicate directly with the card. This would be the preferred method because there would be no loss of security and it would be cheaper overall.

End-to-end controls with a smart card

Network security, as we have seen, is achieved by cryptographically ‘sealing’ messages at the point where they enter a network and then ‘unsealing’ them where they leave it. Sealing is achieved by generating cryptographic checksums that accompany the message and are both unique to it and to the sender. The above process is referred to as end-to-end security. In applications such as EDI, electronic mail and money transfer, the ‘ends’ are where information is entered and retrieved. In most cases this would be the client’s PC, and here a smart card would provide the security mechanism.

The smart card is capable of securing both the network and PC, effectively turning it into a security workstation. If a message needs either encryption, authentication or signing before being transmitted, it will be sent in its entirety from the PC to the card where security checksums are appended to the message, as described above. Special attention will need to be given to the format of messages sent between the PC and card; a security application interface has to be specified so that card services can be called upon in a standard way.

Network Secure Directory and the Smart Card

RSA Public Key Distribution

When Alice receives her smart card from a network operator, she asks it to generate RSA key pairs. The secure creation of a secret/public key pair can take a long time; on an 8 bit processor it could take up to two hours (on the new Logicam card it would take a minute or so). Note that key generation is a separate, and slower, activity than either signing or key management using RSA. Once Alice’s keys have been generated they are stored in the smart card, the public key, $k_{PA}$, going in the ‘confidential’ area and the secret key, $k_{SA}$, held in the ‘secret’ area. For additional security both keys would be encrypted by the card. Alice then develops:

$e_{k_{PD}}(N, k_{PA})$

and sends this along with $k_{PA}$ to the Directory which decrypts this message using its secret key, $k_{SD}$, and recovers N and $k_{PA}$. Since N is unknown to Alice (but unique to her), it can only be read by software in the card, the transmission had to come from her and $k_{PA}$ must be her public key if the clear text and decrypted versions are the same. Before putting her public key in the Directory, it is signed using $k_{SD}$ to create a certificate.

This procedure has only involved a small amount of central processing on the network, and once accomplished there is no further work to do, except if Alice wishes to change her public key at a later date. The important point is that Alice’s card has generated her secret key, not the network operator, so there should be no fear of a ‘Big Brother’ capable of monitoring or falsifying her messages.

In this way the subscribers to the system can build up the Directory of public keys specified in the way suggested in X.509. Once these keys are in place they can be used for the key management of DES keys, see below.

DES Key Management
with &A
Suppose Alice wishes to send a message, M, to Bob. She obtains his key from the directory, checks the Directory signature, and generates a random number, R, to be used as a DES key. She computes a MAC, and prepares the following for Bob:

$M,\ e_{k_{PB}}(R),\ \mathrm{MAC}$

In order for Bob to ensure that the message came from Alice, she must sign the MAC with her secret key, i.e. $e_{k_{SA}}(\mathrm{MAC})$. Thus Bob receives

$M,\ e_{k_{PB}}(R),\ e_{k_{SA}}(\mathrm{MAC})$

from which he derives the MAC, the encryption key R and verifies that the MAC corresponds to M when encrypted under R, as per ANSI X9.9.

In this example we have seen how the secret DES session key, R, has been securely transported from Alice to Bob using public key cryptography.

These processes may appear complex, but they are transparent to the user because all processing is carried out in the card. Because Alice ‘signed’ the MAC digest (which was generated using R) with her secret key, she cannot subsequently repudiate having sent the message. Bob knows it could only have come from her and not an impostor; a third party would know that Bob could not have forged it, in the event of a dispute. Further, because Alice encrypted the DES key, R, with Bob’s public key, no one else but Bob could recover it.

All the cryptographic based controls listed in Table 1 can thus be met using the procedures and protocols outlined above. EDI security represents an interesting paradox because EDI can require some, if not all of these controls, which ordinarily are expensive to implement. EDI, however, is intended to be a cheap service. The paradox is reconciled if we use smart cards, because all processing is carried out on the card and the only additional equipment required is a ‘dumb’ card reader, i.e. one that goes into a COM1 or COM2 port on the back of the PC.

Network Operator Responsibilities

We have seen how under these arrangements the Network Operator would be responsible for issuing smart cards containing its public key. It is vital that the operator ensures the integrity of its secret key, for this underpins the security of the whole scheme. The safety of keys held in the smart card depends on the owner keeping the card physically safe, as well as the inherent security of the smart card itself should it fall into the wrong hands.

It would seem that the operator has to take responsibility for administering the Secure Directory and has to ensure that it certifies the right public keys. The procedures under which cards are issued need to be carefully worked through. With large organizations with many members, the responsibility for delivering cards would fall to the parent organization.

Inevitably cards will be lost or stolen, or users will have their cards revoked if contracts are breached. The Secure Directory must take account of this. Suppose Bob loses his card, he would need to create a new public key, $k_{PB}$. Whilst it would be relatively easy to change this on the Directory, Alice and others who may have Bob’s old key stored on their cards would need to be informed of this when they next access the Directory, which has to maintain an efficient audit trail of all key changes.

In the TV scheme mentioned earlier, subscribers will be mailed new smart cards every three months, and the card will hold a cryptographic key for each service/TV channel subscribed to. Thus a key acts as a token, giving the user rights to specific services. In a similar way, the network operator could offer subscription services to its customers by updating their smart cards with the appropriate cryptographic keys. This key would then permit access to the services of a third party.
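The certificate check from the RSA Certification section and the session-key transport from the DES Key Management section, combined in one added example that is not code from the article. It assumes raw RSA on fixed toy primes to mirror the article's e/d notation, HMAC-SHA256 cut to 64 bits in place of the ANSI X9.9 DES MAC, and hypothetical function names throughout.

```python
import hashlib
import hmac
import secrets

# Constructed toy parameters: Mersenne primes stand in for randomly generated
# RSA primes, and raw (unpadded) RSA mirrors the article's e/d notation.
# Neither choice is safe outside a demonstration.
def keypair(p, q, e=65537):
    """Return (public, secret) keys as (modulus, exponent) pairs."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def rsa(key, x):
    """The article's e_k(x) / d_k(x): modular exponentiation under key k."""
    n, exponent = key
    if not 0 <= x < n:
        raise ValueError("value does not fit the modulus")
    return pow(x, exponent, n)

def encode(ident, public):
    """Pack (ID, public key) into one integer for signing."""
    n, e = public
    return int.from_bytes(f"{ident}|{n:x}|{e:x}".encode("ascii"), "big")

def decode(x):
    """Inverse of encode(); raises ValueError on malformed input."""
    text = x.to_bytes((x.bit_length() + 7) // 8, "big").decode("ascii")
    ident, n, e = text.split("|")
    return ident, (int(n, 16), int(e, 16))

def issue_certificate(dir_secret, ident, public):
    """Directory side: e_kSD(ID, kP)."""
    return rsa(dir_secret, encode(ident, public))

def check_certificate(dir_public, ident, public, cert):
    """User side: d_kPD(cert) must equal the unsigned (ID, kP)."""
    try:
        return decode(rsa(dir_public, cert)) == (ident, public)
    except ValueError:
        return False

def mac(session_key, message):
    """Stand-in for the ANSI X9.9 DES MAC: HMAC-SHA256 cut to 64 bits."""
    tag = hmac.new(session_key.to_bytes(8, "big"), message, hashlib.sha256)
    return int.from_bytes(tag.digest()[:8], "big")

def alice_send(message, bob_entry, dir_public, alice_secret):
    """Build (M, e_kPB(R), e_kSA(MAC)) after checking Bob's certificate."""
    bob_public, bob_cert = bob_entry
    if not check_certificate(dir_public, "BOB", bob_public, bob_cert):
        raise ValueError("directory entry for BOB fails certificate check")
    r = secrets.randbits(64)                      # session key R
    return message, rsa(bob_public, r), rsa(alice_secret, mac(r, message))

def bob_receive(packet, bob_secret, alice_entry, dir_public):
    """Recover R and the MAC, then recompute the MAC over M under R."""
    message, enc_r, signed_mac = packet
    alice_public, alice_cert = alice_entry
    if not check_certificate(dir_public, "ALICE", alice_public, alice_cert):
        return False
    r = rsa(bob_secret, enc_r)
    if r >= 2 ** 64:                              # not a valid session key
        return False
    return rsa(alice_public, signed_mac) == mac(r, message)

# Constructed key material for the three parties plus a substituted key.
DIR_PUB, DIR_SEC = keypair(2**521 - 1, 2**607 - 1)
ALICE_PUB, ALICE_SEC = keypair(2**127 - 1, 2**107 - 1)
BOB_PUB, BOB_SEC = keypair(2**89 - 1, 2**61 - 1)
OTHER_PUB, _ = keypair(2**31 - 1, 2**19 - 1)

DIRECTORY = {
    "ALICE": (ALICE_PUB, issue_certificate(DIR_SEC, "ALICE", ALICE_PUB)),
    "BOB": (BOB_PUB, issue_certificate(DIR_SEC, "BOB", BOB_PUB)),
}

def demo():
    packet = alice_send(b"PAY 100 TO BOB", DIRECTORY["BOB"], DIR_PUB, ALICE_SEC)
    genuine = bob_receive(packet, BOB_SEC, DIRECTORY["ALICE"], DIR_PUB)
    altered = (b"PAY 900 TO BOB",) + packet[1:]
    tampered = bob_receive(altered, BOB_SEC, DIRECTORY["ALICE"], DIR_PUB)
    # A directory entry whose key was swapped no longer matches its certificate.
    swapped = check_certificate(DIR_PUB, "BOB", OTHER_PUB, DIRECTORY["BOB"][1])
    return genuine, tampered, swapped

if __name__ == "__main__":
    print(demo())
```

Only the Directory's public key has to be trusted in advance; every other key is accepted solely because its certificate decrypts to the same ID and key that the Directory entry shows in clear.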
Conclusions

After some ten years or so the smart card has become a market reality. Great benefits are conferred on those who issue and control them, and perhaps the most important role they have found so far is in their ability to provide full message integrity across an open network. This paper has indicated how smart cards could be used on networks to provide end-to-end assurance in a way that involves very little processing overhead. All that is required is the creation of a Directory and the ability to perform RSA certification, not an onerous task.

As smart cards become more ubiquitous, one can see the time when, for example, applications like electronic mail on EDI are burned into the card, enabling the user to pick his messages up from any PC. They could also help off load the burden of central billing.

The protocols outlined have a need to be tied in closely with the network applications, so a lot of careful analysis needs to be undertaken. Similarly, the software in the smart card will require careful specification, and a view will need to be taken on which type of smart card is to be developed. This may involve entering into non disclosure agreements with one or more manufacturers.

The risk with this technology, now that it has proven itself, is the commercial risk of ignoring it. IT planners need to evaluate its potential in order to build it into their IT strategy, of which security is just one component.

EVENTS

NETWORK SECURITY
February 19-20, 1991. Location: London, UK. Contact: The Network Resource Centre, 2 The Chapel, Royal Victoria Patriotic Building, Fitzhugh Grove, London, SW18 3SX; tel: +44 (0)81 871 2546; fax: +44 (0)81 871 3866.

3rd SCANDINAVIAN CONFERENCE ON EDP AUDIT, CONTROL & SECURITY
February 26-28, 1991. Location: Geilo, Norway. Contact: Terje Bjornstad, EDPAA Norway Chapter, PO Box 264 Skoyen, 0212 Oslo 2, Norway; tel: +47 (0)2 52 83 05.

INVESTIGATING COMPUTER ABUSE
March 4-6, 1991. Location: Oxford, UK. Contact: Penny Moon, Elsevier Seminars, Mayfield House, 256 Banbury Road, Oxford, OX2 7DH, UK; tel: +44 (0)865 512242; fax: +44 (0)865 310981.

INFORMATION SECURITY
March 13-17, 1991. Location: Saariselka, Lapland. Contact: InBaSe Oy, Meritullinkatu 33, 00170 Helsinki, Finland; tel: +358 (0) 135 5826; fax: +358 (0) 135 2985.

4th ANNUAL COMPUTER VIRUS & SECURITY CONFERENCE
March 14-15, 1991. Location: New York, USA. Contact: The Computer Society of the IEEE; tel: +1 202 371 1013; fax: +1 202 728 0884.

COMMONSENSE COMPUTER SECURITY
March 18-19, 1991. Location: London, UK. Contact: Penny Moon, Elsevier Seminars, Mayfield House, 256 Banbury Road, Oxford, OX2 7DH, UK; tel: +44 (0)865 512242; fax: +44 (0)865 310981.

SECURICOM 91
March 19-22, 1991. Location: La Defense, France. Contact: SEDEP-Blenheim, 8 rue de la Michodiere, 75002 Paris, France; tel: +33 (1) 47 42 41 00; fax: +33 (1) 47 42 40 30.

ISSA ‘91
April 1-5, 1991. Location: San Diego, USA. Contact: Richard Rueb, ISSA HQ, PO Box 9457, Newport Beach, CA 92658, USA; tel: +1 714 854 5500; fax: +1 714 854 0444.

EUROCRYPT ‘91
April 8-11, 1991. Location: Brighton, UK. Contact: Andrew J. Clark, PO Box 1156, Brighton, Sussex, BN1 5GT, UK; tel/fax: +44 (0)273 566115.