Aspects of Authentication and Encryption
E. Schulte-Geers, German Information Security Agency, Bonn, Germany
0. Abstract

Electronic collection of remotely sensed data - and therefore also the methods for the protection of these data - are becoming increasingly important for verification regimes. It is the purpose of this paper to address some of the aspects that arise when cryptographic methods are applied in remote monitoring of data for verification purposes.

1. Situation under Consideration

We consider the following scenario, where remote monitoring might be applied: there are three parties involved in a communication:
(1) an (international) verification organization (henceforth called "the Organization") with the task of controlling material flow at the member states' facilities under its safeguards
(2) an information collection system ("OICS") installed by the Organization in a member state's facility (henceforth called "the plant")
(3) the member state.

The Organization has installed an information collection system (usually an unattended monitoring system) in the plant for its purposes. This information collection system usually consists of a subsystem for raw data collection: sensors/detectors of various kinds (e.g. video cameras, radiation counters, seals, switches etc.), "intelligent" instruments (including A/D-conversion), and an electronic processing unit, where the incoming data are processed and stored electronically.

In the "classical" unattended monitoring the verification information is authenticated and stored in the plant and in regular time intervals "monitored" and collected by organization inspection teams. The inspection teams also maintain the OICS and ensure proper operation of the OICS.

In "remote monitoring", the organization installs a computer (an electronic monitor) in the plant, aiming to automate the operation/maintenance and collection of data in such a way that they can be initiated and controlled from remote organization premises.

The Organization's main interest is to get authentic verification information.

The member state's interests include confidentiality of the verification information and "least intrusive" verification.

2. Threats to information security

In an information processing environment (IPE) there may be the need for the protection of:
availability
integrity

Appropriate protection measures:
(1) try to detect and limit the damage resulting from (sub)system failure
(2) try to limit the access of unauthorized parties to (parts of) the IPE.

They may roughly be categorized as pertaining to:

physical security - physical isolation and protection of the IPE, use of tamperproof enclosures for (parts of) the IPE, tamper-detection and response mechanisms, environmental failure protection etc.

administrative security - "need to know" and "four eyes" principle, establishment of a confidentiality regime with classification, clearance of employed personnel, registration etc.

functional and logical security - identification and authentication for access to the IPE, logical access control to security relevant parts, internal gateways and firewalls, authorized roles and services, formal configuration control and administration, independent audit, correct specification, design and construction of systems, separate interfaces for security relevant parameters etc.

technical security - correct operation of systems under all foreseen conditions, fail-safeness, proper maintenance, TEMPEST-proofness of systems (i.e. protection against release of information through electromagnetic radiation), appropriate provisions for the case of (sub)system failure, self-test ability etc.

cryptographic security - implementation of appropriate mathematical methods and techniques for the establishment of confidentiality, integrity and authenticity of information, and identification.
Clearly, there are interrelations among these categories.

We assume in the following that:
(a) the member state has taken all physical and organizational measures it regards necessary for the protection of information originating in the plant
(b) the OICS is "sufficiently" physically and technically secure

2.1 Vulnerabilities of verification information in remote monitoring

Even if the possibilities of physical intrusion and technical failure are excluded, the verification information remains vulnerable. Let us list poten-

(0) a general threat: "denial of service" attacks - i.e. disruption of communications lines, unauthorized deletion of information, delay of time-critical operations, occupation of shared resources, induced systems breakdown etc.

(A) in the plant:
(1) substitution and/or modification (including (partial) insertion and deletion) of parts of original sensed data: e.g. substitution of scene for sensor, (non detected) interference with sensors
Countermeasure: no general countermeasure
General strategy: digitalization and authentication of information as close to the origin as possible.
(2) substitution/modification on the way from sensor/instrument/camera to data processing unit
Countermeasure: use of authentication subsystem
(3) substitution/modification during processing, processing incorrect
Countermeasure: use ITSEC/CC-evaluated monitor
(4) substitution/modification of monitor processing or stored data
Countermeasures: strong identification for access to the monitor and other logical security measures
(5) attack through communications channel
Countermeasure: dependent on communications channel

(B) transmission and reception
(6) transmission channel noisy, signal corrupted, transmission failure
Countermeasures: use of error-correcting codes, storage of information at the monitor and deletion only after successful transmission
(7) traffic flow analysis - i.e. a third party records a sent message, records absence/presence, frequency, direction, sequence, amount, type, origin and destination etc. of traffic
Countermeasures: traffic padding, "hiding" of transmission channel, "splitting" of information etc.
(8) substitution/modification of information on the transmission channel
(9) undetected replay of old valid information
(10) confidentiality of information compromised on the transmission channel
(11) (seen by the member state) outgoing information not "least intrusive"
Countermeasures for (8)-(11): discussed below
Of course, there may be additional threats (dependent on the transmission channel), like identity interception or mis-routing.

(C) in the organization
(12) attack through communications channel
(13) security functions of the information processing system not sufficient
Countermeasure: use ITSEC/CC-evaluation
(14) deletion/modification/substitution of information by "insiders"
Countermeasures: all of those mentioned under 1.0, especially logical security measures
(15) attack through (public data) network
Countermeasures: all network security measures, "stand alone" processing of verification information
(16) unauthorized access by "outsiders"
Countermeasures: all mentioned under 2.0
(17) compromise of confidentiality
Countermeasure: encryption
etc.

One may consider vulnerabilities listed under (B) as additional vulnerabilities of remote monitoring. In principle these vulnerabilities are also there in the classical monitoring situation, but this is obscured by the fact that transportation of verification information on physical storage devices by inspectors is conceptually thought of as a secure channel.

3. Basic cryptography

(This is a reminder section. Familiarity with basic cryptographic concepts is assumed.) Authentication and encryption are basic cryptographic concepts. Mathematical methods and techniques which can be used to provide protection of information against intentional unauthorized release and/or manipulation are called cryptographic.
Cryptographic methods always refer to the following situation: a sender A (Alice) sends information via an insecure channel to a receiver B (Bob).

Cryptographic goals and methods

Theoretical and practical experience has shown that it makes sense to distinguish four major cryptographic goals:
(1) confidentiality / secrecy: it must be impossible for any unauthorized third party E (Eve) to get access to the information sent from A to B
(2) integrity: no third party shall be able to modify undetectedly the information (for instance: to delete, insert or exchange parts) sent from A to B
(3) authenticity: (data origin authentication) it shall be possible for B to ascertain that the information he gets was really sent by A / (identification) it shall be possible for A to prove her identity to B
(4) non repudiation:
(a) non repudiation of origin: it shall be impossible for A to send information to B and subsequently deny that she was the originator
(b) non repudiation of delivery: it shall be impossible for B to receive information from A and subsequently deny the receipt

Clearly, there are relations among these goals, but it is important to understand that secrecy and authenticity are independent attributes of a cryptographic system - authentication without encryption is possible.

Note that non repudiation needs the existence of an independent trusted (by both) third party (TTP) to settle disputes. Non repudiation can only be provided within the context of a clearly defined security policy for a particular application and its legal environment.

The basic method for the establishment of confidentiality is encryption, basic methods for the establishment of integrity, authenticity and non repudiation are hash functions, Message Authentication Codes (MACs), digital signatures and cryptographic protocols.

I assume familiarity with basic cryptographic concepts and go through them here in an informal manner.

Confidentiality

Encryption transforms a plaintext message (in dependence of the piece of information called "key", and in a reversible way), into a ciphertext, trying to make it unreadable to all but authorized parties.

Encryption systems are also called encryption algorithms. The inverse transformation - transforming ciphertexts back into plaintext - is called decryption. In modern encryption algorithms, plaintexts, ciphertexts and keys are always strings of bits.

To be practically accepted, encryption systems should meet the following requirements:
(a) they should be resistant against all known cryptographic attacks, especially: the keyspace must be "large enough"
(b) they should be easy to use
(c) encryption/decryption must be "fast enough"

If A and B want to put up a confidential connection, they proceed as follows:
(0) cipher agreement: A and B agree on an encryption system
(1) key agreement: A and B agree on a key k
(2) encryption: A sends c = encrypt_k(m) (her enciphered message) to B
(3) decryption: B computes m = decrypt_k(c) to get the original message m.

There are two major classes of encryption systems:

Symmetric key (secret key, classical) encryption systems use the same key for both purposes, encryption and decryption. Symmetric cryptosystems are therefore frequently called "one key" systems, knowledge of one key enables a party to encrypt as well as to decrypt data.
All classical encryption systems are symmetric, as well as most modern encryption systems, for example DES, IDEA, RC5 ...
Note the following problem of symmetric-key systems: if Alice and Bob want to use a secret-key system for confidentiality they must first have an independent secure channel to establish the key they want to use, and both have to keep the key secret.

Public key (asymmetric key) encryption systems use different (but of course, mathematically related) keys: a "public" key for encryption and a "private" key for decryption. The keys must have the following property: for everyone who only knows the "public" key it must be "practically infeasible" to decrypt a ciphertext encrypted with this key.
Asymmetric encryption is therefore "one-way" - even the person who encrypted a message cannot recover it, if he has forgotten or deleted it, and does not know the private key. The producer of the pair (public key, private key) is here in possession of additional "trapdoor"-information, which enables him to compute the private key.
The name "public key" encryption stems from the fact that in an asymmetric encryption there is no need to keep the encryption key secret (since, by assumption, it is "practically infeasible" to decrypt an encrypted message without prior knowledge of the "trapdoor"-information), the encryption key can therefore be made public knowledge ("public key") without compromising the secrecy of the system, whereas the decryption key ("private key") must be kept secret.
Asymmetric encryption was invented by W. DIFFIE and M. HELLMAN in 1975/76.

If A and B want to use a public-key encryption system for confidentiality they don't need a secure channel for key agreement, but the sender must have an authentic copy of the receiver's public key.
Two well known examples of public key systems are: RSA (Rivest, Shamir, Adleman)-encryption system, Elgamal-encryption system

Both, asymmetric and symmetric encryption systems have their merits.

Advantages of (good) symmetric encryption:
· fast, high encryption rates
· security: (hope) essentially determined by length of key (that is: no better attack than complete exhaustion of key space), high security with short key
· key generation simple, usually any bitstring of a fixed length allowed

Disadvantages of symmetric encryption:
· both parties in a two party communication must keep their keys secret
· application to key distribution in large networks: inferior to public key techniques
· non-repudiation possible only with on-line trusted third party

Advantages of (good) asymmetric encryption:
· each participant in a secret communication must keep only his private key secret
· easy to use for digital signatures
· allow elegant solutions for the key distribution in large networks
· possible with off-line trusted

Disadvantages of asymmetric encryption:
· slow, low encryption rates
· security: for all known public key systems:
(a) there are much better attacks than complete exhaustion of the key space, therefore: long key needed for high security
(b) security depends "only" on the conjectured algorithmical difficulty of a mathematical problem
· good key (pair) generation complicated, several "shortcuts" must be avoided

Hybrid encryption schemes try to combine the advantages of symmetric and asymmetric encryption schemes, they use an asymmetric encryption system to transmit the "session" key for a symmetric system, and encrypt the bulk data using the symmetric encryption system. The session key is usually used for one encryption session and then discarded. The asymmetric key pair may be used (depending on the circumstances) for a long time.

Integrity is usually provided as a by-product of data origin authentication, but there is also a dedicated cryptographic method which serves to establish integrity: hashing

A (one way) hash function is a function which maps bitstrings of arbitrary length onto bitstrings of a fixed length, with the following properties:
· one way property: it must be infeasible, given only a hash value, to compute a message that hashes to this value
· collision resistance: it must be infeasible to find two different messages which hash to the same value.
The hash-value of a message is often considered as digital fingerprint of this message. With the aid of a hash function hash known to Alice and Bob they can establish message integrity:
Alice hashes her message m, sends the message to Bob, and transmits the hash-value to Bob in a way that preserves its authenticity. Bob hashes the message and compares his result with Alice's hash value. If they coincide he is convinced that the message has not been altered. Hash functions can be used to construct MACs for authentication purposes, if A and B share a secret key.

Data Origin Authentication

The main methods for data origin authentication are MACs and digital signatures.
A message authentication code (MAC) is a family of functions MAC_k, parameterized by a set of keys, each of which maps bitstrings of arbitrary
length onto bitstrings of the same fixed length, with the following forge-proofness property: for anyone not in possession of the key k it must be infeasible to compute MAC_k(m) for a new message m, even if he is in possession of some (message, MAC)-pairs (m_i, MAC_k(m_i)).
If Alice and Bob are in possession of a MAC and share a common secret "authentication key" k, Alice authenticates her message m simply by sending (m, MAC_k(m)) to Bob, Bob then confirms the authenticity (and integrity) by computing MAC_k(m) and comparing it with Alice's result.
MACs are often constructed with the aid of symmetric encryption, but in principle MACs do not need an encryption algorithm, and there are also dedicated MACs. A MAC of a message may be considered as a non-forgeable key-dependent cryptographic checksum of a message. Application of MACs for authentication requires mutual trust in the honesty of the other party and her ability to protect the key.

A digital signature of a user A is a (user specific) pair of two transformations (a) a non-forgeable signing transformation sign_A that allows the proof of the origin (with non repudiation) and verification of integrity of signed data, (b) an error-free verification transformation verify_A that allows to decide whether or not a signature on a message

If A is in possession of a digital signature (sign_A, verify_A) she keeps sign_A secret and makes verify_A public knowledge. She authenticates a message m by appending her signature s = sign_A(m) to it. If B has an authentic copy of verify_A he can establish the authenticity of m by computing verify_A(m, s).
Digital signatures are commonly constructed with a public key encryption system and a hash function: to sign a message m Alice computes the hash value of her message and signs (encrypts) this with her private key. The purpose of digital signatures is to permit the resolution of disputes, they have a "built-in" non-repudiation aspect: if it can be assured that at a certain time Alice was the unique holder of her signing key, and verification of her signature on a message with an authentic verification key shows that it is a valid signature, only she can have at that time signed this message.

Remark: note the following main differences between MACs and digital signature:
(a) the digital signature can be verified by everyone (in possession of an authentic verification program), whereas MACs can be verified only by the parties in possession of the secret key.
(b) whereas Alice is the only party who can compute sign_A(m), the MAC of m, MAC_k(m), can be produced by both parties, Alice and Bob (in possession of the secret authentication key, and everybody else in possession of the authentication key). It is therefore impossible to establish non repudiation with MACs.

Identification

Identification includes a time aspect: Alice tries to convince Bob in "real time", that he is communicating with her.
The main techniques used for identification are "challenge-response" protocols. Bob challenges Alice to demonstrate the knowledge of a secret to him and Alice demonstrates this knowledge without revealing the secret itself to Bob, sending a response depending on the secret and the challenge. For strong identification the challenges must be non-repeating. Symmetric key or public key techniques may be used.

Key-Management

Whenever encryption is applied the question of appropriate key management arises, this embraces
· generation/initialisation
· agreement/establishment
· distribution/transport
· change/update
· certification
· recovery in case of destruction/loss
· destruction/deletion
over the full life-cycle of keying material. The key management itself may and probably will use cryptographic techniques. Key management is needed for the whole collection of cryptographic modules employed in a cryptography-based security system. Secret keys must be protected from unauthorized disclosure, modification and substitution. Public keys must be protected against unauthorized substitution and modification. Effective key management procedures are essential for the protection of information by cryptographic techniques. Key management requires dedicated resources!
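
The challenge-response identification described under "Identification" above, sketched with a shared-secret (MAC) technique. This is an added example, not code from the paper; HMAC-SHA-256, the `LABEL` prefix and the names `Verifier` and `respond` are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

# Assumed domain label: keeps identification MACs apart from MACs over messages,
# so a response can never double as a message authenticator.
LABEL = b"ident-v1|"


def respond(secret: bytes, challenge: bytes) -> bytes:
    """Alice's side: prove knowledge of `secret` without sending it."""
    return hmac.new(secret, LABEL + challenge, hashlib.sha256).digest()


class Verifier:
    """Bob's side: issues non-repeating challenges and checks one response each."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._pending = None  # the single challenge still awaiting a response

    def challenge(self) -> bytes:
        # 128 random bits: a repeated challenge is practically impossible.
        self._pending = secrets.token_bytes(16)
        return self._pending

    def check(self, response: bytes) -> bool:
        pending, self._pending = self._pending, None  # each challenge is used once
        if pending is None:
            return False  # nothing was asked, so nothing can be proven
        expected = hmac.new(self._secret, LABEL + pending, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time comparison


def run_demo() -> dict:
    shared = secrets.token_bytes(32)  # constructed key shared by Alice and Bob
    bob = Verifier(shared)
    outcome = {}

    # Alice answers a fresh challenge with the shared secret.
    c1 = bob.challenge()
    r1 = respond(shared, c1)
    outcome["alice"] = bob.check(r1)

    # A recorded old response is presented against the next challenge.
    bob.challenge()
    outcome["replay"] = bob.check(r1)

    # A party without the secret answers a fresh challenge.
    c3 = bob.challenge()
    outcome["wrong_secret"] = bob.check(respond(secrets.token_bytes(32), c3))

    # A valid response is accepted once; presenting it again is refused.
    c4 = bob.challenge()
    r4 = respond(shared, c4)
    outcome["first_use"] = bob.check(r4)
    outcome["second_use"] = bob.check(r4)
    return outcome


if __name__ == "__main__":
    print(run_demo())
```
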
Warning: Application of cryptography is not enough to protect information. Keep in mind that
(i) cryptographic methods are only a part of the measures which can/must be taken to protect information
(ii) use of cryptography does not help in any way to assure availability of information
(iii) use of cryptography can not protect against denial of service attacks.

4. A closer look at the additional vulnerabilities in remote monitoring

Information is transmitted between two parties:
A. the Organization's ICS at the plant (in the sequel: OICS)
B. the Organization's HQ
and there is a third party which has rights and interests with respect to these data:
C. the Member State

We distinguish between
I. outgoing (at the plant) information (identification data, verification data, systems status information, authentication data) and
II. ingoing (at the plant) information (identification data, data handling instructions (send, delete etc.), authentication data, operating and maintenance instructions).

For each item of confidential information it must be granted that:
· only authorised parties have access to any
· the item is received at its destination

(1) substitution/alteration/partial insertion or deletion of information: e.g.
(i) an unauthorised party forges/alters verification data and/or systems status information
(ii) an unauthorised party forges data handling or ICS operating instructions
countermeasure: data origin authentication
(2) impersonation: e.g.
(i) an interested third party disguises as the Orga-
(ii) an interested third party disguises as the Organization and tries in this way to get information about the plant
countermeasures: strong identification, use of authentic public keys, data origin authentication
(3) replay of old (authentic) information e.g.
(i) an interested third party replays old valid verification data or old valid systems status information
(ii) an interested third party replays old valid organization instructions
countermeasures: strong identification, use of challenge response techniques, use of non repeating values (random numbers, message numbers, timestamps), possibly change of authentication keys
(5) release of information to unauthorised third parties: e.g.
(i) release of verification information or systems status information to unauthorised third
(ii) release of information contained in organization instructions to unauthorised third
countermeasure: encryption

Remark: these threats, and the corresponding countermeasures are long known and well understood.

Authenticity interests:
authentication of the information (by the Organization) in both directions is in the interest of both, the Organization and the (compliant) member state.

Confidentiality interests:
the member state is interested to keep sensitive information confidential, encryption of verification data is therefore probably requested. Whether the member state requests the (partial) encryption of ingoing instructions depends on the content of these instructions.
Remark: this is probably only a small set of (compactly coded) instructions, so that the information content for "outsiders" is negligible - therefore encryption doesn't seem to be necessary.
The Organization may additionally be interested to keep (parts of) the operating instructions and the systems status information confidential even from the member state (e.g. outgoing might be the report of failure of a surveillance sub-system, the duration of which may be abused by a non-compliant member state, or the report of some tamper activities, or ingoing might be the instruction for a surprising non-routine surveillance measure), but this is probably politically impossible.

Political aspects

The necessity of the authentication of data in both directions by the Organization is unquestionable and will be political consensus.

On the other hand, the questions: Who should encrypt what? How far do the rights of a member state resp. the Organization reach under the Convention? may cause a political debate.
Recall: the principle of least intrusive action requires that the Organization conducts its verification activities in the least intrusive manner possible consistent with the efficient accomplishment of their objectives. Especially the Organization must not collect data which are not necessary to fulfil its responsibilities and must avoid unnecessary disclosure of confidential information not related to compliance with its Convention. The Organization must protect confidential information.

Some (debatable) working assumptions and their consequences:

(1) the member state has the right to check that outgoing verification data is indeed least intrusive and related to the verification of the Convention.
Consequence:
if the Organization encrypts the verification information it must be prepared to give the encryption method/equipment and the key to the member state, at least upon request
Remark: the member state should not be in the position for a "chosen text"-attack, therefore it should check only a representative (random) sample of the outgoing data.

(2) the member state may consider the verification information as its property and therefore has in principle the right to determine the way of en-
Consequence:
the member state may prefer to provide an own encryption method/equipment, the Organization will have to accept that.
Probable outcome: most member states will accept Organization-provided encryption, some member states will prefer to provide their own.

(3) the member state may suspect that in the remaining part of the outgoing information some confidential information not related to verification is hidden.
Consequence:
the Organization must, at least in retrospect, give the member state the opportunity to check all details of the remaining outgoing information. This may even include giving the member state the opportunity to validate the authentication information.
Remark: if symmetric key authentication is used, the authentication key can be given to the member state only in retrospect, if a digital signature is used, the verification key can be given to the member state in advance.

(4) the member state has the right to know, at every moment, how the Organization's ICS is operated in his facility.
Consequence:
if the Organization encrypts ingoing operating instructions it must be prepared to give the encryption method and the key to the member state. In this case it must also be clarified, if and under which conditions (encrypted) authentication key updates can be part of ingoing messages.
Remark: in this case the Organization will probably have little or no own motivation to encrypt ingoing instructions. Of course, if encryption keys (known to both, the Organization's HQ and the member state) are part of the ingoing messages, these will be encrypted.

(5) several member states may have regulations on the use of cryptography, especially on encryption.
Consequence:
The Organization must come to an understanding with the member state on the question of encryption of transmitted information.

Cryptographic aspects

In the following I assume that authentication and encryption of information in both directions is desirable. All encryption must respect the member state's rights and wishes concerning the monitoring of information.
If the Organization decides to move to remote monitoring, it will need symmetric key and public key encryption.

Should MACs or digital signatures be used for data origin authentication? No general answer possible: in a wide range of applications both will

MACs should be used, if extremely high data throughput must be achieved or only very limited computing power is available. Digital signatures are advantageous in applications where non-repudiation services are required, or where the risk of key-compromise is on one side considerably higher than on the other side.

Choice of algorithms:
Public key encryption:
Since there are only a few public key algorithms which have survived over the years it should pick one of these (e.g. RSA or Elgamal on Elliptic Curves), with suitable key length. Some public key systems are patented in some states and require a license for commercial use - is the Organization's use of encryption commercial?
Hash functions: the Organization will probably also need a cryptographic hash function - since it
has turned out to be difficult to construct crypto- with the aid of a trusted third party (i.e. both, the
graphically strong hash functions and since there member state and the Organization must trust the
are no patent restrictions it is free to choose a same independent third party), since there is no
published one (e.g.the prominent SHA-l, MD5, such (internationally) trusted third party available,
RIPE-MD 160). (Recently, some collision-resi- non repudiation is not achievable in the conside-
stance weaknesses of MD5 have been found - but red situation.
it is still possible to use MD5 for MACs).
Symmetric-key encryption: there are several pub- Security evaluation aspects
lished symmetric-key algorithms, which could Security of an IPE is a holistic concept - an IPE is
satisfy the Organizations needs, although some in principle not stronger as its weakest part. Secu-
are patented or proprietary. rity of remote monitoring information must be
Alternatively, the Organization could wish to considered on the way fIom origin over transmis-
have one or two own algorithms especially taylo- sion to review and archive, and constitutes only a
red for its purposes - such an algorithm could be provided by one or several member states' information security agencies. In this case the cryptographic strength of this algorithm should be independently assessed (e.g. by the infosec agency of another member state).

There is also the possibility that a member state supplies its own encryption method for the information outgoing at its facilities. To allow for this, the OICS must have an interface for the output of authenticated but unencrypted outgoing data.

Need for trusted third party services:
Since information is sent between the OICS and the Organization's HQ, and the OICS of course unconditionally trusts the Organization's HQ, on behalf of the Organization no third party services such as certification of keys or notary services are

Non repudiation is a concern in the considered situation, if the member state does not trust the Organization or its ability to handle cryptographic keys. A member state may claim that compromising verification data never originated in its plant but were fabricated by the (corrupt) Organization (it has generated the authentication keys for the outgoing data!) or by an adversary who somehow obtained the authentication key (because the Organization didn't protect it sufficiently) - the Organization can not prove the origin without TTP-services.

Remark: if this is really a concern, the simplest solution is probably as follows: use a digital signature for the authentication of transmission data, generate the key pair (signing key, verification key) for the OICS by a trusted device (which is part of the OICS) in the member state's facility in such a way that the signing key never leaves the OICS, and let a trusted third party certify the authenticity of the OICS-verification key.

A corrupt Organization may also deny the delivery of correct verification data - the member state can not prove the delivery without TTP-services. Non repudiation can only be established

part of the Organization's aims for IT-security.

To establish IT-security of its IPE the Organization should have a formulated information security policy. This policy should contain the Organization's aims for availability, integrity and confidentiality of information and authorized access and operation of (sub)systems at every "point" of the IPE.

An independent investigation of whether the security measures taken by the Organization are sufficient to establish these aims, a thorough "risk analysis", should be performed. A first step is the security evaluation of small parts of the IPE, especially of the cryptographic modules.

For each of the cryptographic modules a list of functional high-level security objectives and a detailed list of security requirements should be put down, and an independent evaluation should be performed.

It is natural to seek a formalized way - a methodology - to evaluate and establish the security (in the broad sense) of an IPE.

In the past decades - beginning with the U.S.-american "Orange Book" TCSEC (Department of Defense Trusted Computer System Evaluation Criteria) - internationally recognized methodologies such as CC (The Common Criteria for Information Technology Security Evaluation) and ITSEC (Information Technology Security Evaluation Criteria (harmonized criteria of the EU and Australia)) have evolved. These methodologies give a framework in which the security of information technology can be measured against established criteria and to specified assurance levels.

The information security agencies of several states are themselves available or have licensed facilities to perform CC/ITSEC evaluation of IT-products. The equipment should not be evaluated in the same state where it is put to use.

The security of the equipment and the strength of algorithms should be periodically re-assessed.
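The non-repudiation Remark above (signing key generated inside the OICS, verification key certified by a trusted third party) set against a shared authentication key, as an added example that is not part of the original paper. It uses only the Python standard library, so a Lamport one-time hash-based signature stands in for whatever signature scheme an OICS would actually use; the device label and the records are constructed.

```python
import hashlib, hmac, secrets

def H(b): return hashlib.sha256(b).digest()

def keygen():
    # Lamport one-time key pair: 256 secret pairs; verification key = their hashes.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def bits(msg):
    d = int.from_bytes(H(msg), "big")
    return [(d >> i) & 1 for i in range(256)]

def sign(sk, msg):
    # Reveal one secret per digest bit. Each key pair may sign ONE message only.
    return [sk[i][b] for i, b in enumerate(bits(msg))]

def verify(vk, msg, sig):
    return len(sig) == 256 and all(
        hmac.compare_digest(H(s), vk[i][b])
        for (i, b), s in zip(enumerate(bits(msg)), sig))

def vk_bytes(vk): return b"".join(a + b for a, b in vk)

def shared_key_case():
    # The Organization generated the MAC key, so HQ can tag a record that never
    # came from the plant; the tag convinces no third party of its origin.
    key = secrets.token_bytes(32)
    fabricated = b"record 0001: seal broken"            # constructed sample
    hq_tag = hmac.new(key, fabricated, "sha256").digest()
    oics_tag = hmac.new(key, fabricated, "sha256").digest()
    return hmac.compare_digest(hq_tag, oics_tag)

def signature_case():
    ident = b"OICS@plant-A|"                             # hypothetical device label
    oics_sk, oics_vk = keygen()                          # made inside the OICS
    ttp_sk, ttp_vk = keygen()                            # trusted third party
    cert = sign(ttp_sk, ident + vk_bytes(oics_vk))       # TTP certifies the key
    record = b"record 0001: seal intact"                 # constructed sample
    sig = sign(oics_sk, record)                          # oics_sk stays on device
    # HQ sees only record, sig, oics_vk, cert, ttp_vk. Two fabrication attempts:
    fake_sk, fake_vk = keygen()
    forged = b"record 0001: seal broken"
    return {
        "cert_ok": verify(ttp_vk, ident + vk_bytes(oics_vk), cert),
        "record_ok": verify(oics_vk, record, sig),
        "reused_sig_ok": verify(oics_vk, forged, sig),
        "swapped_key_sig_ok": verify(fake_vk, forged, sign(fake_sk, forged)),
        "swapped_key_cert_ok": verify(ttp_vk, ident + vk_bytes(fake_vk), cert),
    }
```

The swapped-key attempt produces a signature that verifies under the substitute key, but the TTP certificate does not cover that key, which is why the certification step in the Remark is what makes the origin provable to a third party.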
Practical aspects

Should software/hardware/firmware implementations of cryptographic processes be used? The answer depends on several factors:
(1) the importance of the cryptographic process
(2) the throughput of data to be achieved
(3) economic considerations
(4) the application environment / surrounding protection measures
(5) the security aims

In general hardware solutions provide higher security and higher performance than software solutions, but are also more costly. But certainly software solutions provide higher security than no application of cryptography at all!

Suggestion: since authentication is vital for the Organization's aims, and since compromise of the authentication key would allow an attacker to forge verification information, at least the final authentication before transmission should be performed by a hardware implementation.

For the encryption of data the national classification of the verification information will also play a role - many nations will demand hardware encryption if the national classification is higher than "sensitive".

Purchase of cryptographic equipment/software:
Should commercial products or dedicated developed equipment be used?
Probably, for very special surveillance purposes of the Organization, there will be no equipment on the market, so that dedicated development is the only choice. For some more general purposes commercial products will be available. Commercial products have the advantage of being cheaper and being immediately available. Commercial products might not meet the high security standards demanded by the Organization! In any case an independent security evaluation of the equipment should be performed.

Remark on US-export restrictions: the USA are the world's greatest producer of (high-grade) cryptographic equipment/software, but the export of cryptographic products needs to be licensed by the U.S. Commerce Department, and the export of strong encryption is - at least at present - severely restricted (e.g. SSL: public key: the bitlength of the modulus of RSA-encryption keys may not exceed 512 bits, the bitlength of symmetric keys may not exceed 40 bits), so that it must be clarified whether the Organization can buy strong american encryption-products. To the best of my knowledge, there are no US-restrictions on the export of strong (pure) authentication (e.g. the

Application of cryptographic standards:
It is clear that all Organization crypto-equipment should conform to some internal standards: application of standards facilitates interoperability of systems and system components and helps to minimize the range of equipment.

There are also international and national cryptographic standards of importance: the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) have standardized some cryptographic techniques, the International Telecommunications Union (ITU-T, formerly CCITT) issues Recommendations. The National Institute of Standards and Technology (NIST) of the USA issues the Federal Information Processing Standards (FIPS). The American National Standards Institute ANSI has also issued security standards (mainly for banking purposes).

These standards contain sound cryptographic techniques. Adoption of such standards facilitates the use of commercial products and the security evaluation of cryptographic systems.

General aspects

Separation of authenticity and confidentiality:
Authentication and encryption serve different purposes, therefore the requirements for authentication and encryption should be separated.

Authentication of outgoing and ingoing data is a task which must be done by (and must be left in the sole responsibility of) the Organization (i.e. the OICS resp. the HQ).

There are situations conceivable where authentication is allowed but encryption (by the Organization) isn't. There are very probable situations where the Organization must give (at least in retrospect) encryption keys to the member state, or the member state even supplies the encryption.

The tasks of encryption and authentication should not be mixed: wherever cryptographic keys can in principle be used for both purposes they should always only serve for one purpose. (E.g. if a public key system is employed there should be different signing keys and encryption keys.)

From the Organization's point of view the authentication keys are much more important than the encryption keys:
(possession of) the authentication key for the ingoing information gives an attacker the control over the Organization's ICS in the plant, possession of the authentication key(s) for the outgoing information gives an attacker the possibility to
forge verification information. Loss of an encryption key will under normal circumstances result in the loss of confidentiality of only one message. - In short: loss of encryption keys results in loss of confidentiality, but loss of authentication keys results in loss of control. The authentication keys, especially the key for the verification data, must be adequately protected - this is essential for the aims and the credibility of the Organization.

The turn to remote monitoring introduces new threats to the security of the Organization's IPE mainly in four respects:
1. The information is at higher risk on the transmission channel.
2. Attacks through the transmission channel are conceivable.
3. The key-management may be insecure.
4. The information is at higher risk at the member state's plant. The OICS will be left uninspected by Organization inspection teams for much longer time periods than in the classical monitoring situation. The most potent attacker is a "motivated insider"; this could be a (group in the) member state, which is only pretending to be compliant but whose secret aims are opposed to the Organization's Convention. For such an attacker the OICS becomes a more attractive target: he has more time to attack, and he can collect the "pay" of a successful penetration for a longer time. (He has also more time to hide the fact that he has penetrated the OICS).

The weakest link: (this is a subjective assertion).
Where is the weakest link of the authentication chain in this respect? It seems to be the authenticity of the sensed information (the threat "substitution of scene" for sensors!) Whereas there are sufficient methods (to protect physical and technical security and) for the strong authentication of digital data, to the best of my knowledge there is nothing comparable for sensed analogue data. (How can you assure that your video-camera "sees" its target and not just a picture of it? How can you assure that your radiation counter records the radiation it is supposed to record and not that of a radiation source which is put in appropriate distance to it? etc. Of course, one may find simple solutions for special cases (e.g. video), but are there general solutions?). This threat becomes the more real when host-supplied equipment is used for safeguards purposes.

5. Conclusions

Protection of remote monitoring information is technically achievable, but a lot of secondary factors have to be taken into account.

To promote remote monitoring the Organization should first develop a remote monitoring concept/policy, which is accepted among its members.

Before introducing remote monitoring on a large scale the requirements (security requirements, performance requirements, possible political requirements) for the individual systems must be specified, and corresponding equipment be developed. As a consequence of the higher risk of the information at the plant the Organization's security measures there should be reviewed; especially, measures should be developed to counter the "substitution of scene" threat, and the role of host-supplied equipment be clarified. An effective key management must be devised and realised. It must also be clarified which modifications the introduction of remote monitoring brings for the information processing of the Organization, especially for the methods of information protection.

6. Acknowledgement

Many of the views expressed in this paper originate in discussions of an expert group at the IAEA Technical Meeting on Vulnerability Assessment, Credible Authentication and Encryption, Wien, 15.09.97-19.09.97, where the author participated.