Aspects of Authentication and Encryption - ESARDA

E. Schulte-Geers, German Information Security Agency, Bonn, Germany

0. Abstract

Electronic collection of remotely sensed data - and therefore also the methods for the protection of these data - are becoming increasingly important for verification regimes. It is the purpose of this paper to address some of the aspects that arise when cryptographic methods are applied in remote monitoring of data for verification purposes.

1. Situation under Consideration

We consider the following scenario, where remote monitoring might be applied: there are three parties involved in a communication:
(1) an (international) verification organization (henceforth called "the Organization") with the task of controlling material flow at the member states' facilities under its safeguards
(2) an information collection system ("OICS") installed by the Organization in a member state's facility (henceforth called "the plant")
(3) the member state.

The Organization has installed an information collection system (usually an unattended monitoring system) in the plant for its purposes. This information collection system usually consists of a subsystem for raw data collection: sensors/detectors of various kinds (e.g. video cameras, radiation counters, seals, switches etc.), "intelligent" instruments (including A/D-conversion), and an electronic processing unit, where the incoming data are processed and stored electronically.

In the "classical" unattended monitoring the verification information is authenticated and stored in the plant and in regular time intervals "monitored" and collected by organization inspection teams. The inspection teams also maintain the OICS and ensure proper operation of the OICS.

In "remote monitoring", the organization installs a computer (an electronic monitor) in the plant, aiming to automate the operation/maintenance and collection of data in such a way that they can be initiated and controlled from remote organization premises.

The Organization's main interest is to get authentic verification information. The member states' interests include confidentiality of the verification information and "least intrusive" verification.

2. Threats to information security

In an information processing environment (IPE) there may be the need for the protection of:
· availability
· integrity
of information.

Appropriate protection measures:
(1) try to detect and limit the damage resulting from (sub)system failure
(2) try to limit the access of unauthorized parties to (parts of) the IPE.

They may roughly be categorized as pertaining to:
· physical security - physical isolation and protection of the IPE, use of tamperproof enclosures for (parts of) the IPE, tamper-detection and response mechanisms, environmental failure protection etc.
· administrative security - "need to know" and "four eyes" principle, establishment of a confidentiality regime with classification, clearance of employed personnel, registration etc.
· functional and logical security - identification and authentication for access to the IPE, logical access control to security relevant parts, internal gateways and firewalls, authorized roles and services, formal configuration control and administration, independent audit, correct specification, design and construction of systems, separate interfaces for security relevant parameters etc.
· technical security - correct operation of systems under all foreseen conditions, fail-safeness, proper maintenance, TEMPEST-proofness of systems (i.e. protection against release of information through electromagnetic radiation), appropriate provisions for the case of (sub)system failure, self-test ability etc.
· cryptographic security - implementation of appropriate mathematical methods and techniques for the establishment of confidentiality, integrity and authenticity of information, and identification.

Clearly, there are interrelations among these categories.

We assume in the following that:
(a) the member state has taken all physical and organizational measures it regards necessary for the protection of information originating in the plant
(b) the OICS is "sufficiently" physically and technically secure

2.1 Vulnerabilities of verification information in remote monitoring

Even if the possibilities of physical intrusion and technical failure are excluded, the verification information remains vulnerable. Let us list potential threats:

(0) a general threat: "denial of service" attacks - i.e. disruption of communications lines, unauthorized deletion of information, delay of time-critical operations, occupation of shared resources, induced systems breakdown etc.

(A) in the plant:
(1) substitution and/or modification (including (partial) insertion and deletion) of parts of original sensed data: e.g. substitution of scene for sensor, (non detected) interference with sensors
Countermeasure: no general countermeasure
General strategy: digitalization and authentication of information as close to the origin as possible.
(2) substitution/modification on the way from sensor/instrument/camera to data processing unit
Countermeasure: use of authentication subsystem
(3) substitution/modification during processing, processing incorrect
Countermeasure: use ITSEC/CC-evaluated monitor
(4) substitution/modification of monitor processing or stored data
Countermeasures: strong identification for access to the monitor and other logical security measures
(5) attack through communications channel
Countermeasure: dependent on communications channel

(B) transmission and reception
(6) transmission channel noisy, signal corrupted, transmission failure
Countermeasures: use of error-correcting codes, storage of information at the monitor and deletion only after successful transmission
(7) traffic flow analysis - i.e. a third party records a sent message, records absence/presence, frequency, direction, sequence, amount, type, origin and destination etc. of traffic
Countermeasures: traffic padding, "hiding" of transmission channel, "splitting" of information etc.
(8) substitution/modification of information on the transmission channel
(9) undetected replay of old valid information
(10) confidentiality of information compromised on the transmission channel
(11) (seen by the member state) outgoing information not "least intrusive"
Countermeasures for (8)-(11): discussed below
Of course, there may be additional threats (dependent on the transmission channel), like identity interception or mis-routing.

(C) in the organization
(12) attack through communications channel
(13) security functions of the information processing system not sufficient
Countermeasure: use ITSEC/CC-evaluation
(14) deletion/modification/substitution of information by "insiders"
Countermeasures: all of those mentioned under 1.0, especially logical security measures
(15) attack through (public data) network
Countermeasures: all network security measures, "stand alone" processing of verification information
(16) unauthorized access by "outsiders"
Countermeasures: all mentioned under 2.0
(17) compromise of confidentiality
Countermeasure: encryption
etc.

One may consider the vulnerabilities listed under (B) as additional vulnerabilities of remote monitoring. In principle these vulnerabilities are also there in the classical monitoring situation, but this is obscured by the fact that transportation of verification information on physical storage devices by inspectors is conceptually thought of as a secure channel.

3. Basic cryptography

(This is a reminder section. Familiarity with basic cryptographic concepts is assumed.) Authentication and encryption are basic cryptographic concepts. Mathematical methods and techniques which can be used to provide protection of information against intentional unauthorized release and/or manipulation are called cryptographic.

Cryptographic methods always refer to the following situation: a sender A (Alice) sends information via an insecure channel to a receiver B (Bob).

Cryptographic goals and methods

Theoretical and practical experience has shown that it makes sense to distinguish four major cryptographic goals:
(1) confidentiality / secrecy: it must be impossible for any unauthorized third party E (Eve) to get access to the information sent from A to B
(2) integrity: no third party shall be able to modify undetectedly the information (for instance: to delete, insert or exchange parts) sent from A to B
(3) authenticity: (data origin authentication) it shall be possible for B to ascertain that the information he gets was really sent by A / (identification) it shall be possible for A to prove her identity to B
(4) non repudiation:
(a) non repudiation of origin: it shall be impossible for A to send information to B and subsequently deny that she was the originator
(b) non repudiation of delivery: it shall be impossible for B to receive information from A and subsequently deny the receipt

Clearly, there are relations among these goals, but it is important to understand that secrecy and authenticity are independent attributes of a cryptographic system - authentication without encryption is possible.

Note that non repudiation needs the existence of an independent trusted (by both) third party (TTP) to settle disputes. Non repudiation can only be provided within the context of a clearly defined security policy for a particular application and its legal environment.

The basic method for the establishment of confidentiality is encryption; basic methods for the establishment of integrity, authenticity and non repudiation are hash functions, Message Authentication Codes (MACs), digital signatures and cryptographic protocols.

I assume familiarity with basic cryptographic concepts and go through them here in an informal manner.

Confidentiality

Encryption transforms a plaintext message (in dependence of the piece of information called "key", and in a reversible way) into a ciphertext, trying to make it unreadable to all but authorized parties. Encryption systems are also called encryption algorithms. The inverse transformation - transforming ciphertexts back into plaintext - is called decryption. In modern encryption algorithms, plaintexts, ciphertexts and keys are always strings of bits.

To be practically accepted, encryption systems should meet the following requirements:
(a) they should be resistant against all known cryptographic attacks; especially: the keyspace must be "large enough"
(b) they should be easy to use
(c) encryption/decryption must be "fast enough"

If A and B want to put up a confidential connection, they proceed as follows:
(0) cipher agreement: A and B agree on an encryption system
(1) key agreement: A and B agree on a key k
(2) encryption: A sends c = encrypt_k(m) (her enciphered message) to B
(3) decryption: B decrypts m = decrypt_k(c) to get the original message m.

There are two major classes of encryption systems:

Symmetric key (secret key, classical) encryption systems use the same key for both purposes, encryption and decryption. Symmetric cryptosystems are therefore frequently called "one key" systems; knowledge of one key enables a party to encrypt as well as to decrypt data. All classical encryption systems are symmetric, as well as most modern encryption systems, for example DES, IDEA, RC5 ...

Note the following problem of symmetric-key systems: if Alice and Bob want to use a secret-key system for confidentiality they must first have an independent secure channel to establish the key they want to use, and both have to keep the key secret.

Public key (asymmetric key) encryption systems use different (but of course, mathematically related) keys: a "public" key for encryption and a "private" key for decryption. The keys must have the following property: for everyone who only knows the "public" key it must be "practically infeasible" to decrypt a ciphertext encrypted with this key.

Asymmetric encryption is therefore "one-way": even the person who encrypted a message cannot recover it, if he has forgotten or deleted it, and does not know the private key. The producer of the pair (public key, private key) is here in possession of additional "trapdoor"-information, which enables him to compute the private key.

The name "public key" encryption stems from the following fact: in an asymmetric encryption there is no need to keep the encryption key secret (since, by assumption, it is "practically infeasible" to decrypt an encrypted message without prior knowledge of the "trapdoor"-information); the encryption key can therefore be made public knowledge ("public key") without compromising the secrecy of the system, whereas the decryption key ("private key") must be kept secret.

Asymmetric encryption was invented by W. DIFFIE and M. HELLMAN in 1975/76.

If A and B want to use a public-key encryption system for confidentiality they don't need a secure channel for key agreement, but the sender must have an authentic copy of the receiver's public key.

Two well known examples of public key systems are: the RSA (Rivest, Shamir, Adleman) encryption system and the Elgamal encryption system.

Both asymmetric and symmetric encryption systems have their merits.

Advantages of (good) symmetric encryption:
· fast, high encryption rates
· security: (hope) essentially determined by length of key (that is: no better attack than complete exhaustion of key space), high security with short key
· key generation simple, usually any bitstring of a fixed length allowed

Disadvantages of symmetric encryption:
· both parties in a two party communication must keep their keys secret
· application to key distribution in large networks: inferior to public key techniques
· non-repudiation possible only with on-line trusted third party

Advantages of (good) asymmetric encryption:
· each participant in a secret communication must keep only his private key secret
· easy to use for digital signatures
· allow elegant solutions for the key distribution in large networks
· non-repudiation possible with off-line trusted third party

Disadvantages of asymmetric encryption:
· slow, low encryption rates
· security: for all known public key systems:
(a) there are much better attacks than complete exhaustion of the key space, therefore: long key needed for high security
(b) security depends "only" on the conjectured algorithmical difficulty of a mathematical problem
· good key (pair) generation complicated, several "shortcuts" must be avoided

Hybrid encryption schemes try to combine the advantages of symmetric and asymmetric encryption schemes: they use an asymmetric encryption system to transmit the "session" key for a symmetric system, and encrypt the bulk data using the symmetric encryption system. The session key is usually used for one encryption session and then discarded. The asymmetric key pair may be used (depending on the circumstances) for a long time.

Integrity

Integrity is usually provided as a by-product of data origin authentication, but there is also a dedicated cryptographic method which serves to establish integrity: hashing.

A (one way) hash function is a function which maps bitstrings of arbitrary length onto bitstrings of a fixed length, with the following properties:
· one way property: it must be infeasible, given only a hash value, to compute a message that hashes to this value
· collision resistance: it must be infeasible to find two different messages which hash to the same value.

The hash-value of a message is often considered as digital fingerprint of this message. With the aid of a hash function hash known to Alice and Bob they can establish message integrity: Alice hashes her message m, sends the message to Bob, and transmits the hash-value to Bob in a way that preserves its authenticity. Bob hashes the message and compares his result with Alice's hash value. If they coincide he is convinced that the message has not been altered. Hash functions can be used to construct MACs for authentication purposes, if A and B share a secret key.

Data Origin Authentication

The main methods for data origin authentication are MACs and digital signatures.

A message authentication code (MAC) is a family of functions MAC_k, parameterized by a set of keys, each of which maps bitstrings of arbitrary

length onto bitstrings of the same fixed length, with the following forge-proofness property: for anyone not in possession of the key k it must be infeasible to compute MAC_k(m) for a new message m, even if he is in possession of some (message, MAC)-pairs (m_i, MAC_k(m_i)).

If Alice and Bob are in possession of a MAC and share a common secret "authentication key" k, Alice authenticates her message m simply by sending (m, MAC_k(m)) to Bob; Bob then confirms the authenticity (and integrity) by computing MAC_k(m) and comparing it with Alice's result.

MACs are often constructed with the aid of symmetric encryption, but in principle MACs do not need an encryption algorithm, and there are also dedicated MACs. A MAC of a message may be considered as a non-forgeable key-dependent cryptographic checksum of a message. Application of MACs for authentication requires mutual trust in the honesty of the other party and her ability to protect the key.

A digital signature of a user A is a (user specific) pair of two transformations: (a) a non-forgeable signing transformation sign_A that allows the proof of the origin (with non repudiation) and verification of integrity of signed data; (b) an error-free verification transformation verify_A that allows to decide whether or not a signature on a message is valid.

If A is in possession of a digital signature (sign_A, verify_A) she keeps sign_A secret and makes verify_A public knowledge. She authenticates a message m by appending her signature s = sign_A(m) to it. If B has an authentic copy of verify_A he can establish the authenticity of m by computing verify_A(m, s).

Digital signatures are commonly constructed with a public key encryption system and a hash function: to sign a message m Alice computes the hash value of her message and signs (encrypts) this with her private key. The purpose of digital signatures is to permit the resolution of disputes; they have a "built-in" non-repudiation aspect: if it can be assured that at a certain time Alice was the unique holder of her signing key, and verification of her signature on a message with an authentic verification key shows that it is a valid signature, only she can have at that time signed this message.

Remark: note the following main differences between MACs and digital signatures:
(a) the digital signature can be verified by everyone (in possession of an authentic verification program), whereas MACs can be verified only by the parties in possession of the secret key.
(b) whereas Alice is the only party who can compute sign_A(m), the MAC of m, MAC_k(m), can be produced by both parties, Alice and Bob (in possession of the secret authentication key, and everybody else in possession of the authentication key). It is therefore impossible to establish non repudiation with MACs.

Identification

Identification includes a time aspect: Alice tries to convince Bob in "real time" that he is communicating with her.

The main techniques used for identification are "challenge-response" protocols. Bob challenges Alice to demonstrate the knowledge of a secret to him and Alice demonstrates this knowledge without revealing the secret itself to Bob, sending a response depending on the secret and the challenge. For strong identification the challenges must be non-repeating. Symmetric key or public key techniques may be used.

Key-Management

Whenever encryption is applied the question of appropriate key management arises; this embraces
· generation/initialisation
· agreement/establishment
· distribution/transport
· change/update
· storage
· certification
· revocation
· recovery in case of destruction/loss
· destruction/deletion
· archiving
· escrow
over the full life-cycle of keying material. The key management itself may and probably will use cryptographic techniques. Key management is needed for the whole collection of cryptographic modules employed in a cryptography-based security system. Secret keys must be protected from unauthorized disclosure, modification and substitution. Public keys must be protected against unauthorized substitution and modification. Effective key management procedures are essential for the protection of information by cryptographic techniques. Key management requires dedicated resources!
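As an added illustration (not part of the paper) of the hash-then-sign construction and of differences (a) and (b) in the Remark on MACs versus digital signatures above: a toy RSA signature over a SHA-256 hash beside an HMAC-SHA256 MAC, in Python. The primes (generated by next_prime at toy size), the message and the shared key k are constructed for the example; the names sign_A, verify_A and mac_k follow the paper's notation.

```python
import hashlib
import hmac
import math


def next_prime(n: int) -> int:
    """Smallest prime >= n by trial division (adequate for the toy sizes used here)."""
    while any(n % d == 0 for d in range(2, int(n ** 0.5) + 1)):
        n += 1
    return n


# Alice's toy RSA key pair (constructed; primes this small carry no real security).
P = next_prime(10 ** 5)
Q = next_prime(P + 1)
N, E = P * Q, 65537                       # (N, E) is verify_A, published by Alice
assert math.gcd(E, (P - 1) * (Q - 1)) == 1
D = pow(E, -1, (P - 1) * (Q - 1))         # D is sign_A's secret, kept by Alice


def hash_int(message: bytes) -> int:
    """Hash value ("fingerprint") of the message, reduced mod N so the toy key can sign it."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign_A(message: bytes, private_exponent: int = D) -> int:
    """s = sign_A(m): hash-then-sign, i.e. 'encrypt' the hash with the private key."""
    return pow(hash_int(message), private_exponent, N)


def verify_A(message: bytes, signature: int) -> bool:
    """verify_A(m, s): needs only the public (N, E), so anyone can run it."""
    return pow(signature, E, N) == hash_int(message)


def mac_k(key: bytes, message: bytes) -> bytes:
    """MAC_k(m) built from a hash function (HMAC-SHA256)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    """Bob's check: recompute MAC_k(m) with the shared key and compare in constant time."""
    return hmac.compare_digest(mac_k(key, message), tag)


def demo() -> dict:
    m = b"camera 3: 1024 frames, seal 17 intact"      # constructed message
    k = b"constructed shared authentication key k"   # known to Alice and Bob only
    out = {}
    s = sign_A(m)
    out["sig_ok"] = verify_A(m, s)                              # (a) anyone can verify
    out["sig_detects_change"] = not verify_A(m.replace(b"intact", b"broken"), s)
    tag = mac_k(k, m)
    out["mac_ok"] = verify_mac(k, m, tag)                       # only key holders can
    out["mac_needs_key"] = not verify_mac(b"wrong key", m, tag)
    # (b) Bob, who holds k, can produce a tag that passes the very same check ...
    fabricated = b"camera 3: 0 frames, seal 17 broken"
    out["bob_forges_mac"] = verify_mac(k, fabricated, mac_k(k, fabricated))
    # ... but without D he cannot produce Alice's signature on it.
    out["bob_forges_sig"] = verify_A(fabricated, sign_A(fabricated, private_exponent=12345))
    return out
```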

Warning: Application of cryptography is not enough to protect information. Keep in mind that
(i) cryptographic methods are only a part of the measures which can/must be taken to protect information
(ii) use of cryptography does not help in any way to assure availability of information
(iii) use of cryptography can not protect against denial of service attacks.

4. A closer look at the additional vulnerabilities in remote monitoring

Information is transmitted between two parties:
A. the Organization's ICS at the plant (in the sequel: OICS)
B. the Organization's HQ
and there is a third party which has rights and interests with respect to these data:
C. the Member State

We distinguish between
I. outgoing (at the plant) information (identification data, verification data, systems status information, authentication data) and
II. ingoing (at the plant) information (identification data, data handling instructions (send, delete etc.), authentication data, operating and maintenance instructions).

For each item of confidential information it must be granted that:
· only authorised parties have access to any transmitted data
· the item is received at its destination

Possible threats:
(1) substitution/alteration/partial insertion or deletion of information: e.g.
(i) an unauthorised party forges/alters verification data and/or systems status information
(ii) an unauthorised party forges data handling or ICS operating instructions
countermeasure: data origin authentication
(2) impersonation: e.g.
(i) an interested third party disguises as the Organization's ICS
(ii) an interested third party disguises as the Organization and tries in this way to get information about the plant
countermeasures: strong identification, use of authentic public keys, data origin authentication
(3) replay of old (authentic) information: e.g.
(i) an interested third party replays old valid verification data or old valid systems status information
(ii) an interested third party replays old valid organization instructions
countermeasures: strong identification, use of challenge response techniques, use of non repeating values (random numbers, message numbers, timestamps), possibly change of authentication keys
(5) release of information to unauthorised third parties: e.g.
(i) release of verification information or systems status information to unauthorised third parties
(ii) release of information contained in organization instructions to unauthorised third parties
countermeasure: encryption

Remark: these threats, and the corresponding countermeasures, are long known and well understood.

Authenticity interests: authentication of the information (by the Organization) in both directions is in the interest of both the Organization and the (compliant) member state.

Confidentiality interests: the member state is interested to keep sensitive information confidential; encryption of verification data is therefore probably requested. Whether the member state requests the (partial) encryption of ingoing instructions depends on the content of these instructions.

Remark: this is probably only a small set of (compactly coded) instructions, so that the information content for "outsiders" is negligible - therefore encryption doesn't seem to be necessary.

The Organization may additionally be interested to keep (parts of) the operating instructions and the systems status information confidential even from the member state (e.g. outgoing might be the report of failure of a surveillance sub-system, the duration of which may be abused by a non-compliant member state, or the report of some tamper activities, or ingoing might be the instruction for a surprising non-routine surveillance measure), but this is probably politically impossible.

Political aspects

The necessity of the authentication of data in both directions by the Organization is unquestionable and will be political consensus.

On the other hand, the questions: Who should encrypt what? How far do the rights of a member state resp. the Organization reach under the Convention? may cause a political debate.

Recall: the principle of least intrusive action re-          (4) the member state has the right to know, at
quires that the Organization conducts its verifica-          every moment, how the Organizations ICS IS
tion activities in the leastintrusive manner possi-          operated in his facility.
bleconsistent with the efficient accomplishment              Consequence:
of their objectives. Especially the Organization             if the Organizationencrypts      ingoing operating
must not collect data which are not necessary to             instructions it must be prepared to give the en-
fulfil its responsibilities and must avoid unneces-          cryption method and the key to the member state.
sary disclosure of confidential informationnot               In this case it must also be clarified, if and under
related to compliance with its Convention. The               which conditions (encrypted) authentication key
Organization must protect confidential informa-              updates can be part of ingoing messages.
tion.                                                        Remark: in this case the Organization will pro-
                                                             bably have little or no own motivation to encrypt
Some (debatable) working assumptions and their               ingoing instructions. Of course, if encryption keys
consequences:                                                (known to both, the organizations HQ and the
(I) the member state has the right to check that             member state) are part of the ingoing messages,
                                                             these will be encrypted.
outgoing verification data is indeed least intrusive
and related to the verification of the Convention.           (5) several member states may have regulations
Consequence:                                                 on the use of cryptography, especially on encryp-
if the Organization encrypts the verification in-            tion.
formation it must be prepared to give the encryp-            Consequence:
tion method/equipment and the key to the member              The Organization must come toan understanding
state, at least upon request                                 with the member state on the question of encryp-
Remark: the member state should not be in the                tion oftransmitted informatión.
position for a "chosen text"-attack, therefore it            Cryptographic aspects
should check onlya          representative (random)
sample of the outgoing data.                                 In the following I assume, that authentication and
                                                             encryption of information in both directions is
(2) the member state may consider the verification
                                                             desirable. All encryption must respect the member
information as its property and therefore has in
                                                             states rights and wishes concerning the monito-
principle the right to determine' the way of en-             ring of information.
                                                             If the Organization decides to move to remote
Consequence:                                                 monitoring, it will need symmetric key and public
the member state may prefer to provide an own                keyencryption.
encryption method/equipment, the Organization
will have to accept that.                                    Should MACs or digital signatures be used for
                                                             data origin authentication? No general answer
Probable outcome: most member states will ac-
                                                             possible: in a wide range of applications both will
cept Organization-provided      encryption, some
member states will prefer to provide their own.
                                                             MACs should be used, if extremely high data
(3) the member state may suspect that in the re-             throughput must be achieved or only very limited
maining part of the outgoing information some                computing power is available. Digital signatures
confidential information not related to verification         are advantageous in applications where non-repu-
is hidden.                                                   diation services are required, or where the risk of
                                                             key-compromise is on one side considerably hig-
Consequence:                                                 her than on the other side.
the Organization must, at least in retrospect, give          Choice of algorithms:
the member state the opportunity to check all                Public key encryption:
details of the remaining outgoing information.               Since there are only a few public key algorithms
This may even include giving the member state                which have survived over the years it should pick
the oppportunity to validate the authentication              one of these (e.g. RSA or Elgamal on Elliptic
information.                                                 Curves), with suitable key length. Some public
Remark: if symmetric key authentication is used,             key systems are patented in some states and re-
the authentication key can be given to the member            quire a license for commercial   use   - is   the Orga-
state only in retrospect, if a digital signature is          nizations use of encryption commercial?
used, the verification key can be given to the               Hash functions: the Organization will probably
member state in advance.                                     also need a cryptographic hash function- since it

 has turned out to be difficult to construct crypto-           with the aid of a trusted third party (i.e. both, the
 graphically strong hash functions and since there             member state and the Organization must trust the
 are no patent restrictions it is free to choose a             same independent third party), since there is no
 published one (e.g.the prominent SHA-l, MD5,                  such (internationally) trusted third party available,
 RIPE-MD 160). (Recently, some collision-resi-                 non repudiation is not achievable in the conside-
 stance weaknesses of MD5 have been found - but                red situation.
 it is still possible to use MD5 for MACs).
 Symmetric-key encryption: there are several pub-              Security evaluation aspects
 lished symmetric-key algorithms, which could                  Security of an IPE is a holistic concept - an IPE is
 satisfy the Organizations needs, although some                in principle not stronger as its weakest part. Secu-
 are patented or proprietary.                                  rity of remote monitoring information must be
 Alternatively, the Organization could wish to                 considered on the way fIom origin over transmis-
 have one or two own algorithms especially taylo-              sion to review and archive, and constitutes only a
 red for its purposes - such an algorithm could be             part of the Organizations aims for IT-security.
 provided by one or several member states infor-
 mation security agencies. In this case the crypto-            To establish IT-security of its IPE the Organiza-
 graphic strength of this algorithm should be inde-            tion should have a formulated information secu-
 pendently assessed (e.g. by the infosec agency of             rity policy. This policy should contain the Orga-
 another member state).                                        nizations aims for availability, integrity and con-
There is also the possiblity that a member state               fidentiality of information and authorized access
 supplies an own encryption method for the infor-              and operation of (sub)systems at every "point" of
 mation outgoing at its facilities. To allow for this,         the IPE.
the OICS must havé an interface for the output of              An independent investigation, whether the       secu-
authenticated but unencrypted outgoing data.                   rity measures taken by the Organization are    suffi-
Need for trusted third party services:                         cient to establish these aims, a thorough        "risk
 Since information is sent between the OICS and                analysis" should be performed. A first step    is the
the Organizations HQ, and the OICS of course                   security evaluation of small parts the IPE,    espe-
unconditionally trusts the Organizations HQ, on                cially of the cryptographic modules.
behalf of the Organization no third party services
                                                               For each of the cryptographic modules a list of
such as certification of keys or notary services are
                                                               functional high-level security objectives should be
                                                               put down and a detailed list of security require-
Non repudiation is a concern in the considered
                                                               ments, and an independent evaluation should be
situation, if the member state does not trust the
Organization or its ability to handle cryptographic            performed.
keys. A member state may claim that compromi-                  It is natural to seek for a formalized a way - a
sing verification data never originated in its plant           methodology - to evaluate and establish the secu-
but were fabricated by the (corrupt) Organization              rity (in the broad sense) of an IPE.
(it has generated the authentication keys for the              In the past decades - beginning with the D.S.-
outgoing data!) or by an adversary who somehow                 american "Orange Book" TCSEC (Department of
obtained the authentication key (because the Or-               Defense Trusted Computer System Evaluation
ganization didn't protect it sufficiently)- the Orga-          Criteria) - international recognized methodologies
nization can not prove the origin without TIP-                 such as CC (The Common Criteria for Informa-
servIces.                                                      tion Technology Security Evaluation) and ITSEC
Remark: if this is really a concern, the simplest              (Information Technology Security Evaluation
solution is probably as follows: use a digital si-             Criteria (harmonized criteria of the ED and
gnature for the authentication of transmission                 Australia)) have evolved. These methodologies
data, generate the key pair (signing key, verifica-            give a fIamework, in which the security of infor-
tion key) for the OICS by a trusted device (which              mation technology can be measured against esta-
is part of the OICS) in the member states facility             blished criteria and to specified assurance levels.
in such a way that the signing key never leaves
                                                               The information security agencies of several sta-
the OICS, and let a trusted third party certify the
                                                               tes are themselves available or have licensed faci-
authenticity of the OICS-verification key.
                                                               lities to perform CC/ITSEC evaluation of IT -pro-
A corrupt Organization mayaiso deny the deli-
                                                               ducts. The equipment should not be evaluated in
very of correct verification data - the member
                                                               the same state where it is put to use.
state can not prove the delivery without TIP-ser-
                                                               The security of the equipment and the strength of
vices. Non repudiation can only be established
                                                               algorithms should be periodically re-assessed.
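The key-disclosure asymmetry behind the remark to assumption (3) and the non-repudiation remark above (a symmetric authentication key can be handed to the member state only in retrospect, a signature verification key in advance, with the signing key never leaving the OICS), as an added example that is not from the paper. It uses only Python's standard library: the signature is a hash-based Lamport one-time scheme standing in for the RSA/ElGamal/DSA the paper names, the record contents are constructed, and the three parties are modelled as plain function calls.

```python
"""Added example, not from the paper: data origin authentication of an outgoing
verification record with (a) a symmetric MAC and (b) a digital signature, to show
the key-disclosure asymmetry the paper describes. The signature is a hash-based
Lamport one-time signature, chosen only because it needs nothing beyond the
standard library; the paper itself names RSA, ElGamal and DSA for this role."""
import hashlib
import hmac
import secrets

HASH_BITS = 256  # SHA-256: a Lamport key holds one secret pair per digest bit


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# (a) Symmetric authentication: one shared key both creates and checks the tag.
def mac_tag(key: bytes, record: bytes) -> bytes:
    return hmac.new(key, record, hashlib.sha256).digest()


def mac_verify(key: bytes, record: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(key, record), tag)


# (b) Lamport one-time signature. Signing key: 256 pairs of random secrets.
# Verification key: the hashes of those secrets. A signature reveals one secret
# per bit of the record digest; the hashes alone let nobody sign.
def lamport_keygen() -> tuple:
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(HASH_BITS)]
    vk = [(sha256(a), sha256(b)) for a, b in sk]
    return sk, vk


def _bit(digest: int, i: int) -> int:
    return (digest >> (HASH_BITS - 1 - i)) & 1


def lamport_sign(sk: list, record: bytes) -> list:
    digest = int.from_bytes(sha256(record), "big")
    return [sk[i][_bit(digest, i)] for i in range(HASH_BITS)]


def lamport_verify(vk: list, record: bytes, sig: list) -> bool:
    if len(sig) != HASH_BITS:
        return False
    digest = int.from_bytes(sha256(record), "big")
    return all(sha256(sig[i]) == vk[i][_bit(digest, i)] for i in range(HASH_BITS))


def disclosure_scenario() -> dict:
    """Three parties: the OICS creates the tag/signature, the Organization HQ checks
    it, and a member state is handed the checking key. Report what each can do."""
    # Constructed sample records; the paper specifies no record format.
    record = b"CONSTRUCTED verification record: counter=17 flow=nominal"
    altered = b"CONSTRUCTED verification record: counter=17 flow=ALTERED"

    # MAC: OICS and HQ share k. Handing k to the member state so it can check the
    # data also lets it produce valid tags, hence "only in retrospect".
    k = secrets.token_bytes(32)
    tag = mac_tag(k, record)
    member_state_tag = mac_tag(k, altered)

    # Signature: sk is generated inside the OICS and never leaves it; only vk is
    # handed out, so the member state can hold it in advance.
    sk, vk = lamport_keygen()
    sig = lamport_sign(sk, record)
    return {
        "hq_accepts_mac": mac_verify(k, record, tag),
        "member_state_can_forge_mac": mac_verify(k, altered, member_state_tag),
        "hq_accepts_signature": lamport_verify(vk, record, sig),
        "member_state_can_verify_signature": lamport_verify(vk, record, sig),
        # Without sk the member state can only replay the old signature.
        "member_state_can_forge_signature": lamport_verify(vk, altered, sig),
    }
```

A Lamport key pair may sign exactly one record, since each signature reveals half of the secrets; a deployed OICS would use a reusable scheme and, as the remark describes, have the verification key certified by a third party.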

Practical aspects

Implementation:
Should software/hardware/firmware implementations of cryptographic processes be used? The answer depends on several factors:
(1) the importance of the cryptographic process
(2) the throughput of data to be achieved
(3) economic considerations
(4) the application environment / surrounding protection measures
(5) the security aims
In general hardware solutions provide higher security and higher performance than software solutions, but are also more costly. But certainly software solutions provide higher security than no application of cryptography at all!
Suggestion: since authentication is vital for the Organizations aims, and since compromise of the authentication key would allow forging verification information, at least the final authentication before transmission should be performed by a hardware implementation.
For the encryption of data the national classification of the verification information will also play a role - many nations will demand hardware encryption if the national classification is higher than "sensitive".

Purchase of cryptographic equipment/software:
Should commercial products or dedicated developed equipment be used?
Probably, for very special surveillance purposes of the Organization, there will be no equipment on the market, so that dedicated development is the only choice. For some more general purposes commercial products will be available. Commercial products have the advantage of being cheaper and being immediately available. Commercial products might not meet the high security standards demanded by the Organization! In any case an independent security evaluation of the equipment should be performed.
Remark on US export restrictions: the USA are the worlds greatest producer of (high-grade) cryptographic equipment/software, but the export of cryptographic products needs to be licensed by the U.S. Commerce Department, and the export of strong encryption is - at least at present - severely restricted (e.g. SSL: public key: the bit length of the modulus of RSA encryption keys may not exceed 512 bits, the bit length of symmetric keys may not exceed 40 bits), so that it must be clarified whether the Organization can buy strong American encryption products. To the best of my knowledge, there are no US restrictions on the export of strong (pure) authentication (e.g. the DSA).

Application of cryptographic standards:
It is clear that all Organization crypto-equipment should conform to some internal standards: application of standards facilitates interoperability of systems and system components and helps to minimize the range of equipment.
There are also international and national cryptographic standards of importance: the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) have standardized some cryptographic techniques, the International Telecommunications Union (ITU-T, formerly CCITT) issues Recommendations. The National Institute of Standards and Technology (NIST) of the USA issues the Federal Information Processing Standards (FIPS). The American National Standards Institute (ANSI) has also issued security standards (mainly for banking purposes).
These standards contain sound cryptographic techniques. Adoption of such standards facilitates the use of commercial products and the security evaluation of cryptographic systems.

General aspects

Separation of authenticity and confidentiality:
Authentication and encryption serve different purposes, therefore the requirements for authentication and encryption should be separated. Authentication of outgoing and ingoing data is a task which must be done by (and must be left in the sole responsibility of) the Organization (i.e. the OICS resp. the HQ).
There are situations conceivable where authentication is allowed but encryption (by the Organization) isn't. There are very probable situations where the Organization must give (at least in retrospect) encryption keys to the member state, or the member state even supplies the encryption. The tasks of encryption and authentication should not be mixed: wherever cryptographic keys can in principle be used for both purposes they should always only serve for one purpose. (E.g. if a public key system is employed there should be different signing keys and encryption keys.)
From the Organizations point of view the authentication keys are much more important than the encryption keys: (possession of) the authentication key for the ingoing information gives an attacker control over the Organizations ICS in the plant, possession of the authentication key(s) for the outgoing information gives an attacker the possibility to forge verification information. Loss of an encryption key will under normal circumstances result in the loss of confidentiality of only one message. In short: loss of encryption keys results in loss of confidentiality, but loss of authentication keys results in loss of control. The authentication keys, especially the key for the verification data, must be adequately protected - this is essential for the aims and the credibility of the Organization.

The turn to remote monitoring introduces new threats to the security of the Organizations IPE mainly in four respects:
1. The information is at higher risk on the transmission channel.
2. Attacks through the transmission channel are conceivable.
3. The key management may be insecure.
4. The information is at higher risk at the member states plant. The OICS will be left uninspected by Organization inspection teams for much longer time periods than in the classical monitoring situation. The most potent attacker is a "motivated insider"; this could be a (group in the) member state which is only pretending to be compliant but whose secret aims are opposed to the Organizations Convention. For such an attacker the OICS becomes a more attractive target: he has more time to attack, and he can collect the "pay" of a successful penetration for a longer time. (He has also more time to hide the fact that he has penetrated the OICS.)

The weakest link (this is a subjective assertion): Where is the weakest link of the authentication chain in this respect? It seems to be the authenticity of the sensed information (the threat "substitution of scene" for sensors!). Whereas there are sufficient methods (to protect physical and technical security and) for the strong authentication of digital data, to the best of my knowledge there is nothing comparable for sensed analogue data. (How can you assure that your video camera "sees" its target and not just a picture of it? How can you assure that your radiation counter records the radiation it is supposed to record and not that of a radiation source which is put at an appropriate distance to it? etc. Of course, one may find simple solutions for special cases (e.g. video), but are there general solutions?) This threat becomes the more real when host-supplied equipment is used for safeguards purposes.

5. Conclusions

Protection of remote monitoring information is technically achievable, but a lot of secondary factors have to be taken into account.
To promote remote monitoring the Organization should first develop a remote monitoring concept/policy which is accepted among its members.
Before introducing remote monitoring on a large scale the requirements (security requirements, performance requirements, possible political requirements) for the individual systems must be specified, and corresponding equipment be developed. As a consequence of the higher risk of the information at the plant the Organizations security measures there should be reviewed; especially, measures should be developed to counter the "substitution of scene" threat, and the role of host-supplied equipment be clarified. An effective key management must be devised and realised. It must also be clarified which modifications the introduction of remote monitoring brings for the information processing of the Organization, especially for the methods of information protection.

6. Acknowledgement

Many of the views expressed in this paper originate in discussions of an expert group at the IAEA Technical Meeting on Vulnerability Assessment, Credible Authentication and Encryption, Wien, 15.09.97-19.09.97, where the author participated.