Secure Data Networking, by Michael Purser (Artech House, 1993; 252 pages). Digitized by the Internet Archive in 2009: http://www.archive.org/details/securedatanetworOOpurs
Secure Data Networking
Michael Purser
Artech House, Boston • London

Library of Congress Cataloging-in-Publication Data
Purser, Michael
Secure Data Networking
Includes bibliographical references and index.
ISBN 0-89006-692-2
1. Computer networks—Security measures. 2. Computer security. 3. Computer networks—Management. I. Title.
TK5105.5.P87 1993  005.8—dc20  93-7161 CIP

© 1993 ARTECH HOUSE, INC., 685 Canton Street, Norwood, MA 02062
All rights reserved. Printed and bound in the United States of America. No part of this book may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without permission in writing from the publisher.
International Standard Book Number: 0-89006-692-2
Library of Congress Catalog Card Number: 93-7161
10 9 8 7 6 5 4 3 2 1
Contents

Preface
Chapter 1  Security Threats, Services, and Mechanisms
  1.1  Introduction
    1.1.1  The Security Policy
    1.1.2  Risk Analysis and Management
    1.1.3  Summary
  1.2  Deliberate Threats to Information
  1.3  Services
  1.4  Security Mechanisms
    1.4.1  Encryption
    1.4.2  Integrity Checks
Chapter 2  Security Procedures
  2.1  Attacks To Be Thwarted
    2.1.1  Statistical Analysis
    2.1.2  Known Plaintext Attack
    2.1.3  Chosen Cyphertext Attack
    2.1.4  Searching the Key Space
    2.1.5  Breaking the Algorithm
    2.1.6  Stealing the Key
    2.1.7  Introducing a False Key
    2.1.8  Modifying Cyphertext
    2.1.9  Modifying Plaintext
  2.2  Encryption Procedures
  2.3  Authentication Procedures
    2.3.1  Secure Access Management
    2.3.2  Personal Identification Procedures
    2.3.3  Chipcards for Access Control
    2.3.4  The Secure Session
    2.3.5  Anonymity
  2.4  OSI Layers and Networks
  References
Chapter 3  Security Management
  3.1  Scope of Security Management
  3.2  Key Management
    3.2.1  Key Generation
    3.2.2  Certification and Notarisation of Keys
    3.2.3  Distribution of Keys
    3.2.4  Withdrawal of Keys
  3.3  PIN Management
  3.4  Authorization
  3.5  System Security Management
  3.6  Security Service Management
  References
Chapter 4  Algorithms
  4.1  Traditional Cypher Algorithms
  4.2  The Data Encryption Algorithm
  4.3  Asymmetric Algorithms
    4.3.1  RSA
    4.3.2  The DL Authentication Algorithm
    4.3.3  Fiat-Shamir (FS) Signatures
    4.3.4  Trapdoor Knapsack Schemes
    4.3.5  Making Asymmetric Cyphers From Symmetric Ones
  4.4  Stream Cyphers
  4.5  Some Other Useful Algorithms
    4.5.1  Hashing
    4.5.2  Random Numbers
    4.5.3  The Euclidean Algorithm
  4.6  Conclusion
  References
Chapter 5  OSI and Security
  5.1  The OSI/RM and Security
  5.2  Security and X.400 MHS
    5.2.1  Origin Authentication
    5.2.2  Proof and Nonrepudiation of Submission and Delivery
    5.2.3  Secure Access Management
    5.2.4  Integrity/Confidentiality
    5.2.5  General Message Security Services
    5.2.6  Registration Security Services
    5.2.7  A Different Approach—PEM
  5.3  EDI Security
    5.3.1  X.435 and Security
    5.3.2  The ANSI X12 Secure EDI Approach
    5.3.3  Security and EDIFACT
  5.4  The X.500 Directory
  5.5  Conclusion
  References
Chapter 6  Applications, Systems, Products, and Architectures
  6.1  Some Banking and Financial Applications
    6.1.1  ISO 8730
    6.1.2  SWIFT
    6.1.3  ETEBAC 5
    6.1.4  ATMs and Debit and Credit Cards
  6.2  Security Products
    6.2.1  Communication Encryptors
    6.2.2  File Security Products
    6.2.3  Products for User Identification
    6.2.4  Products for Intersystem Access Control
    6.2.5  Security Management Products
    6.2.6  Some Other Relevant Products
    6.2.7  A Typical Security Product for a PC
  6.3  Security Architectures
    6.3.1  Kerberos
    6.3.2  SESAME
    6.3.3  Comparison of Architectures
    6.3.4  Other Security Architectures
  References
Chapter 7  Conclusion
  7.1  Voice and Video Networks
  7.2  Security of Mobile- and Radio-Based Systems
  7.3  Some Other Application Areas for Security
  References
Appendix A  The Open Systems Interconnection Reference Model (OSI/RM) and Security
  References
Appendix B  Shannon's Theory of Secrecy Systems
  B.1  Perfect Secrecy
Preface

The origins of this book go back to courses on cryptology given in the School of Mathematics, Trinity College Dublin, and to many consultancy and practical security projects undertaken by Baltimore Technologies for clients.

The second half of the 1970s was a period of rapid development in cryptography, and the 1980s saw the new techniques being applied to data communications and networking, at least on paper in standardisation activity. However, with the 1990s these techniques and standards have begun to be applied in earnest to many applications. The ability to provide security services has come in time to meet users' need for them, as they realise more and more their heavy dependence on networked computer systems.

This book is written for all designers, implementors, and users of such systems, who have an interest in making their communications secure. It aims to give a wide-ranging overview of security techniques as applied in computer networks. Some basic mathematical ability is required to understand the chapter on algorithms, but most of the mathematics (which is not hard) is banished to appendices.

It is a pleasure to be able to acknowledge the direct and indirect help I have received from many quarters. Firstly to Donald Davies, who originally stimulated my interest in the topic; and then to friends at the Gesellschaft für Mathematik und Datenverarbeitung (GMD), Darmstadt (and to GMD itself), who pioneered so much security work in Europe, and who were always willing to share their expertise with others. Thanks are due also to many friends and colleagues in Denmark, the U.K., the European Commission, the RARE/COSINE Community, and nearer home in Ireland and within Baltimore Technologies. Special thanks to Maeve Costello, Antionette O'Mahoney, and in particular Geraldine Eustace, who struggled with the typescript and my impatience so nobly and so long. Finally, I would like to acknowledge the permission to use Figure 1.1 given by the Commission of the European Communities and the Consortium led by BIS Information Systems for Infosec 92 Project S2014 "Risk Analysis", and to thank Robin Moses (BIS), Ian Glover (Insight), and Andre Grissonnanche (XP Conseil).

Michael Purser
Baltimore Technologies Ltd.
Dublin, January 1993
Chapter 1
Security Threats, Services, and Mechanisms

1.1 INTRODUCTION

Security is about keeping outside those who are not allowed inside. The strength of the desire for security may range from zero in the case of the naive, to total for the paranoid. For the majority of people, institutions, and businesses, more balanced views apply. Nearly all of us have something we do not want known, used, damaged, or stolen by others; and we are prepared to incur reasonable costs to protect it. Even if we opt for insurance, the insurer will probably oblige us to provide some physical or other security for the objects insured. Thus the first question is: What is to be made secure? Behind it follow further questions such as: Secure against which threats? At what cost? How?

In the case of computer systems and networks we may make these questions more specific, for example:
• Are computers and communication channels to be made physically secure so that unauthorised persons cannot get near them; or is it sufficient to make the information held or carried on them logically secure (e.g. by encryption)?
• Are we worried about outsiders having any access to our data, or do we not mind if they read the data provided that they do not modify them?
• Are we prepared to incur the cost of maintaining audit trails, and associated analysis and recovery procedures, to enable all detected security infringements, however trivial, to be traced fully; or is it sufficient to rely on a system reinitialisation (without analysis) to recover from infringements which evade the security defences?
• Do we invent our own procedures and algorithms for data security, or do we rely on standard products (software and hardware), for which substantial fees may be charged?
The security policy defines what is to be made secure. It is the starting point for creating a secure computer system. In arriving at the policy, an assessment of the risks attaching to the objects or information that are to be protected will have been made. Risk analysis can be formalised (in theory at least) in mathematical terms. For example: estimate the probability of loss or damage to each item, and the resultant monetary loss; the sum over all items of the product of these two is the expected loss. The expected loss can be altered by protecting the items, thereby reducing the probability of loss or damage and/or the resultant monetary loss. Minimise the expected loss with respect to the methods of protection, or contain the expected loss (below some level) while minimising the costs of protection.
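The formalism just stated, carried through as a worked example added to this section. The code is the editor's, not Purser's; the assets with their probabilities and losses, and the safeguards with their costs and effects, are figures invented for illustration. Both optimisation forms are implemented by exhaustive search over the subsets of candidate safeguards, which is adequate for the handful of safeguards a manual analysis would consider.

```python
"""Added worked example (not from the book): expected loss over a set of
assets, and its minimisation by choosing safeguards.  All figures are
constructed for illustration."""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Asset:
    name: str
    probability: float      # annual probability of loss or damage
    loss: float             # resultant monetary loss if it occurs


@dataclass(frozen=True)
class Safeguard:
    name: str
    cost: float
    # (asset name, factor applied to its probability, factor applied to its loss)
    effects: tuple


# Constructed figures for illustration only.
ASSETS = (
    Asset("customer database", 0.10, 500_000.0),
    Asset("file server hardware", 0.05, 40_000.0),
    Asset("payment gateway availability", 0.20, 80_000.0),
)
SAFEGUARDS = (
    Safeguard("link encryption", 15_000.0, (("customer database", 0.2, 1.0),)),
    Safeguard("off-site backups", 8_000.0, (("customer database", 1.0, 0.3),
                                            ("file server hardware", 1.0, 0.5))),
    Safeguard("fire suppression", 12_000.0, (("file server hardware", 0.3, 1.0),)),
    Safeguard("redundant gateway", 30_000.0, (("payment gateway availability", 0.25, 1.0),)),
)


def expected_loss(assets, chosen):
    """Sum over assets of probability x loss, after applying the chosen safeguards."""
    total = 0.0
    for asset in assets:
        p, l = asset.probability, asset.loss
        for sg in chosen:
            for name, p_factor, l_factor in sg.effects:
                if name == asset.name:
                    p *= p_factor
                    l *= l_factor
        total += p * l
    return total


def _subsets(safeguards):
    for k in range(len(safeguards) + 1):
        yield from combinations(safeguards, k)


def minimise_total(assets, safeguards):
    """Form 1: the safeguards minimising expected loss plus protection cost.
    Returns (names, expected_loss, cost)."""
    best = None
    for chosen in _subsets(safeguards):
        cost = sum(sg.cost for sg in chosen)
        el = expected_loss(assets, chosen)
        if best is None or el + cost < best[1] + best[2]:
            best = (tuple(sg.name for sg in chosen), el, cost)
    return best


def contain_loss(assets, safeguards, ceiling):
    """Form 2: the cheapest safeguards keeping expected loss at or below `ceiling`.
    Returns (names, expected_loss, cost), or None if no subset meets the ceiling."""
    best = None
    for chosen in _subsets(safeguards):
        el = expected_loss(assets, chosen)
        if el > ceiling:
            continue
        cost = sum(sg.cost for sg in chosen)
        if best is None or cost < best[2]:
            best = (tuple(sg.name for sg in chosen), el, cost)
    return best


if __name__ == "__main__":
    print("unprotected expected loss:", expected_loss(ASSETS, ()))
    print("minimise loss + cost     :", minimise_total(ASSETS, SAFEGUARDS))
    print("contain loss below 25000 :", contain_loss(ASSETS, SAFEGUARDS, 25_000.0))
```

With these figures the unprotected expected loss is 68,000; the cheapest way to minimise loss plus cost is off-site backups alone (expected loss 32,000 at a cost of 8,000), whereas containing the expected loss below 25,000 requires link encryption as well (expected loss 20,000 at a cost of 23,000). The point the text makes about sensitivity to inputs is easy to see: changing a single probability moves the chosen set.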
When a product or system claiming to be secure has been designed or implemented, it will then be necessary to evaluate its security. Documents such as the European Information Technology Security Evaluation Criteria (ITSEC) (see Appendix H) and the U.S. "Orange Book" Series discuss the evaluation of the security of trusted computer systems. A security evaluation will address both the correctness and the effectiveness of the security services or functions in the product or system being tested, called the target of evaluation (TOE) by ITSEC. Evaluating correctness consists of testing that the specified functions have been correctly implemented. Evaluating effectiveness tests that they do indeed meet the security requirements as defined by the security policy.

Security policies, risk analysis, the choice of evaluation criteria, and administrative measures (such as those for employing highly trusted staff) are largely beyond the scope of this book. They are concerned with commercial and political decisions which, while very important, are often dependent on the details of the systems at risk. We start here with the assumption that this preliminary work has largely been done. A security policy has been formed, threats to security have been identified, evaluation criteria have been chosen, and the question now is: How is protection against the threats to be ensured? Of course there is an element of iteration. If protection of an item is very expensive, maybe the system must be altered. But essentially this book is concerned with "how?" — not "what?" or "why?" In addressing this question we are also concerned only with the security of information, carried between computers by networks, in the face of deliberate malicious threats. The information is essentially in digital form, and protection is assured largely by logical rather than physical methods.

However, before considering the threats to the security of information (Sec. 1.2), and the services (Sec. 1.3) and mechanisms (Sec. 1.4) used to counter those threats, the topics of the security policy and risk analysis are briefly reviewed. This should enable the wider framework, into which the safeguarding of information by logical means fits, to be appreciated.
1.1.1 The Security Policy

Establishing and maintaining a security policy in any organisation is a management issue. However many and complex mechanisms are used to ensure security, their effectiveness finally depends on human beings; and it is the role of management to ensure that those human beings know and understand their responsibilities in the security area, and that they fulfil them.

For information technology, the scope of the security policy has at its heart computer systems and their related telecommunication systems. However, the scope of the policy will usually extend considerably further to include many peripheral activities, such as preparing data for processing, the handling of outputs (printing), and control of the user; and will also encompass security-relevant topics such as insurance and risk analysis, which are of more strategic than of day-to-day concern.

The objectives of the policy will be defined in the policy document. A typical list of objectives might cover three main areas, as follows:
• Security of systems. The objective is to prevent, detect, and recover from accidental or intentional loss of information, fraud, error, damage, disruption, destruction of systems, and so forth.
• Commitment to contractual, legal, and copyright obligations regarding the security and privacy of all information handled, whether belonging to the organisation itself or to its clients or associates; together with commitment to the use of relevant security standards.
• Awareness of the relative sensitivity of information handled, and as a consequence the application of the appropriate levels of security to the protection of that information.

A principal task of the security policy is to define the responsibilities of persons within the organisation for achieving the objectives. Typically, the policy itself will be developed and updated as necessary by an appropriately constituted security policy committee. Once a policy has been established, responsibility for it will be vested in a senior manager, a chief executive for example, who will then ensure that it is carried out.

Normally, responsibility for the security of information will be placed with the owners and users of that information, and the security policy will identify clearly the roles and responsibilities of the
• owner of the information, who is ultimately responsible for its security;
• custodian of the information, to whom the owner may delegate responsibility;
• user of the information, who is allowed access subject to suitable security controls.
It is the duty of the owner to classify his information under headings, such as "Not to be copied", "For internal use only", or "For sales department use only", so that the custodian knows the controls that are to be applied. Typically, the data processing manager is custodian, responsible for the security of equipment and systems but not for the information itself, although it is his duty to ensure that information is processed on systems whose security is commensurate with the security classification of the information.

The senior manager with responsibility for security will usually appoint a security manager whose role it is to establish security standards and procedures for the organisation, and to help line managers to implement them. These standards and procedures will be wide-ranging and include:
• physical security of rooms, buildings, etc.;
• contingency plans in case of breaches of security;
• control of access to data;
• the security of networks;
• the procedures for classifying the security status of information;
• monitoring of security;
• handling of security incidents;
• security training and awareness;
• risk analysis procedures; and so forth.

The security manager will be a member of the security policy committee. The senior manager with responsibility for security will also establish an independent review body with a brief to audit the implementation of the security policy within the organisation at regular intervals. The results of these audits will be fed back to the security policy committee.

Security policies vary significantly from organisation to organisation. One organisation may be only concerned with the availability of its systems, and its policy will be oriented towards protection against flood, fire, power failure, failover, and the provision of backup and recovery procedures. Another organisation may be principally concerned with protection against fraud by users or staff. A third perhaps has as its main objective the maintenance of the privacy and confidentiality of the information being processed. Such differences in objectives will naturally be reflected in the security procedures adopted by the organisation; and the method of formalising this dependency is known as risk analysis and risk management.

1.1.2 Risk Analysis and Management
There are many approaches to carrying out risk analysis, and several commercially available methods are relatively highly computerised, both in terms of recording and processing information about the components of the system being analysed and in terms of performing mathematical optimisation or similar functions, as indicated previously. But risk analysis can also be a largely manual process. Whatever the details of the method chosen for risk analysis, the essential requirement is that a series of logical steps are taken to ensure that all the relevant aspects are properly covered and their interdependence is correctly identified. In broad terms risk analysis consists of four major stages:
• identification and valuation of the assets which are to be protected;
• assessment of the threats to those assets;
• assessment of the vulnerability of the assets to the threats;
• assessment of the resultant risk to which the assets are exposed, and of the impact to the organisation if the risk becomes a reality.

Associated with risk analysis is risk management, which may be summarised as: the identification, selection, implementation, and monitoring of safeguards and countermeasures which will reduce risk. For the purposes of analysis, this risk management will often be imaginary — that is, if we provided certain countermeasures, how would risk be reduced, and at what cost? — and only when the analysis reaches a conclusion will the safeguards and countermeasures be put into effect.

The risk analysis procedure may be viewed in more detail in Figure 1.1. The process starts by establishing the scope of the assets (information, equipment, etc.) and needs (confidentiality, integrity, availability, etc.) that are going to be considered. The analysis then proceeds to review and value the different assets that are to be protected, including the establishment of dependencies between them. For example, the security of information is usually critically dependent on the security of the medium holding it. The security objectives associated with these assets are identified. For example, some information must be kept confidential; but perhaps this is unimportant for other information. Some equipment is expensive and delicate and requires permanently functioning air conditioning and humidity control; other equipment is robust and cheap, and there are no associated environmental objectives. Then the threats to the assets must be examined. These can be divided into accidental (flood, fire, software crash, etc.) and deliberate (malicious hacking, fraud, viruses, theft, etc.). For each threat, its source, likelihood, target, and severity should be identified; as also the possible reason for its occurrence (if accidental) or motivation (if deliberate). In Section 1.2, the deliberate threats to information are considered in more detail.

Figure 1.1 The risk analysis process (stages shown include: establish review boundary; categorise needs and assets; determine measures of impact).

The analysis must also take into account the existing safeguards, and assess the vulnerabilities of the assets. These will include physical, logical, personnel, management, and equipment vulnerabilities, and can range from the existence of dial-up lines with insecure password control for access, to staff shortages, to unreliable hardware.

Additionally, before identifying the safeguards to be put in place as a result of the analysis, it is important to establish the constraints that apply to their possible implementation. These constraints include money, time, and environmental, legal, technical, and even cultural aspects. (Possibly some safeguards would be unacceptable to staff in certain cultures.)

If the assets to be protected (including their value and the objective of protection), and their vulnerabilities and the threats to them, are known, it is possible to assess the associated risks. In reality, this is perhaps the hardest part of the risk analysis process, relying as it does on inputs which can be subjective, for example, the value associated with information in a database, or the likelihood of a threat to its corruption, and its vulnerability to that threat. The measure of the risk is likely to be quite sensitive to changes in these inputs. However, assuming some acceptable assessment can be made, the next stage is to determine the impact of the risk, should it occur. Often this will be in monetary terms, to give a common basis for comparing such different risks as loss of trade secrets, loss of client confidence, or destruction of the hardware. Finally the "imaginary" risk management process will be applied, during which safeguards to remove or contain the risk are proposed, their cost assessed, and the impact of the risk is redetermined — assuming the safeguards have been implemented.

Indeed, the whole risk analysis process is obviously iterative, and should be repeated whenever serious incidents occur (even if they are defeated by the safeguards); whenever changes to the configuration or operating procedures for the system occur; and at regular intervals (e.g., annually) in the absence of these two.

1.1.3 Summary

It is evident that the security policy, and risk analysis and management, have very wide scope. This scope is far wider than the protection of information only; and, in particular, than protection by logical means against deliberate threats, which is essentially our topic. In considering this topic, the wider view should always be remembered so that a sense of proportion prevails. After all, destruction of the system by fire may in fact be a far more likely risk than corruption of data by some hacker with no obvious motive.
1.2 DELIBERATE THREATS TO INFORMATION

The security policy and risk analysis will have identified the threats that are to be countered, and it is up to the designer of the security system to specify security services and mechanisms which will do that. Threats usually fall into one of the following major categories:
• Leakage (disclosure), or the acquisition of confidential information by unauthorised persons; for example, by "listening in" to traffic on communication channels or "eavesdropping".
• Modification (manipulation) of information, including removing or replacing part or all of the information, and resequencing a sequence of blocks of data to produce an unauthorised effect. This may be done, for example, by intercepting traffic, performing the modification on it, and then forwarding it to its original destination.
• Masquerade (impersonation), or the impersonation by an unauthorised person or system of an authorised person or system. Typically this is achieved by stealing other people's passwords or credentials.
• Replay, or the reproduction of valid messages under invalid circumstances in order to produce an unauthorised effect (e.g., resubmitting a copied payment order to obtain double payment).
• Repudiation by a party to an exchange or transaction, of that exchange or transaction (e.g., A's claiming that a payment order made by him to B was in fact forged by B himself).

There are variants to these threats. For example, traffic flow analysis is a variant of leakage, where the content of information is not disclosed but its existence, source, and destination (if in transit) are leaked and analysed. This could reveal to C the level of business between A and B, for example.

There are also more brutal threats, such as misrouting of traffic in a network, maliciously engineered nonavailability of network services, or nonavailability of a subscriber connected to a network. These threats, however, are more to the infrastructure than to users' information, and require somewhat different countering services.

To be successful, leakage, modification, masquerade, and replay should go undetected. Since the last three are active threats, this may require some skill on the part of the intruder. Leakage, by contrast, is passive. Nothing is altered. Detection of leakage can be very difficult, and may involve provoking an eavesdropper into revealing that he is present; for example, by sending some bogus alarm or other sensational message on channels which he is unlawfully observing, to which he will react. Repudiation, however, by its nature is blatant and detected. The problem is: Can anything be done about it? Can the injured party prove that the other is lying?

Often threats are combined. Thus, masquerade is the typical ruse whereby an intruder gains access to information, which he may then modify or simply copy unlawfully.
1.3 SERVICES

Security services exist that may be used to counter the threats. In general, the services have one of two goals:
• Confidentiality, by which is meant keeping confidential the content of users' data, traffic volumes, even the users' identities — in fact anything which is not to be made generally known.
• Authenticity, or ensuring that identities, users' data, and any other information whose authenticity might be doubted, are indeed genuine, unaltered, and complete, and not an unlawful replay.

In more detail, security services can, like threats, be broken down into the following major categories:
• Data confidentiality, including the confidentiality of all data exchanged between the parties invoking the service, or perhaps only of selected portions or segments of the data.
• Traffic flow confidentiality, including the identities of the source and destination(s) of the data traffic, and the volumes.
• Data integrity, which is a service that ensures that the data received have not been modified in any way.
• Data sequence integrity, which is a service that ensures that the sequence of data blocks or units received has not been altered, and that no units are repeated or missing.
• Secure access management, or the service which ensures that directly communicating parties (such as a terminal and a host computer, or a human user and a PC) are reciprocally convinced of the identities of each other. Secure access management is usually closely related to authorisation services, which authorise the use of resources by a party on the basis of his proven identity. When applied between corresponding software layers (e.g., of the open systems interconnection reference model — OSI/RM) in two communicating systems, secure access management is usually referred to as peer entity authentication.
• Proof of origin, in which the identity of the originator of the data (for example, of a message in a store-and-forward network, where originator and recipient are not in direct communication) is provably authentic.
• Proof of reception, in which proof is provided of the reception of the data by the destination (typically to the originator of the data).
• Nonrepudiation services, which are typically stronger proofs of origin, reception, or data integrity, that cannot be repudiated by their provider (e.g., by claiming that the proof was fabricated by someone else).
• Security context (security labelling, etc.), which are services that define and provide various levels of security, and are intimately concerned with the problems of interworking between systems of differing security characteristics.

Further refinements of (and additions to) these services are needed when particular communication services are considered in detail. For example, what is "proof of reception" for a broadcast service: proof that at least one party received the data, or proof that every possible party received them? Moreover, the services may overlap. Nonrepudiation, as stated, is usually just a stronger form of some already existing service, while secure access management may be closely linked to the security context service. The identification of security services is thus not completely unambiguous, and in any particular instance they may require precise definition, often in terms of the mechanisms which provide the services. However, the concept of distinct security services is useful, and is adhered to by the relevant international standards, albeit without a universally agreed terminology.
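An added worked example (the editor's code, not the book's) of the data sequence integrity service just described, exercised against the replay and modification threats of Section 1.2. Each unit carries a sequence number and a keyed integrity check over both the number and the payload (an HMAC is assumed here as the keyed check; the book's own mechanisms are introduced in Section 1.4). The receiver verifies the check before it looks at the sequence number, so that a forged header can never advance its state. The message layout, the key and the sample traffic are assumptions made for the example.

```python
"""Added example (not from the book): sequence integrity with a keyed check,
run over constructed traffic containing a replay, a gap, a tampered unit
and a unit forged without the key."""
import hashlib
import hmac

SEQ_LEN = 4
TAG_LEN = hashlib.sha256().digest_size


def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: seq || payload || HMAC-SHA256(key, seq || payload)."""
    header = seq.to_bytes(SEQ_LEN, "big")
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class SequenceVerifier:
    """Receiver side: accepts units exactly in order, each exactly once."""

    def __init__(self, key: bytes, first_seq: int = 1):
        self.key = key
        self.next_expected = first_seq

    def receive(self, message: bytes) -> str:
        if len(message) < SEQ_LEN + TAG_LEN:
            return "rejected: malformed"
        header = message[:SEQ_LEN]
        payload = message[SEQ_LEN:-TAG_LEN]
        tag = message[-TAG_LEN:]
        # Integrity first: an attacker must not be able to move the counter
        # by sending a unit with a chosen sequence number and a bad tag.
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "rejected: integrity check failed"
        seq = int.from_bytes(header, "big")
        if seq < self.next_expected:
            return f"rejected: replay of unit {seq}"
        if seq > self.next_expected:
            return f"rejected: units {self.next_expected}..{seq - 1} missing"
        self.next_expected += 1
        return "accepted"


def run_demo() -> list:
    """Constructed traffic: genuine units 1-3, a replayed copy of unit 2, unit 5
    arriving before 4, unit 4 tampered in transit, then the genuine 4 and 5,
    a unit 6 forged under the wrong key, and the genuine unit 6."""
    key = b"shared secret key"          # constructed for the example
    units = {i: protect(key, i, f"PAY {i * 10} TO B".encode()) for i in range(1, 7)}
    tampered = bytearray(units[4])
    tampered[SEQ_LEN + 4] ^= 0x01       # "PAY 40" becomes "PAY 50" without the key
    forged = protect(b"wrong key", 6, b"PAY 999 TO B")
    traffic = [units[1], units[2], units[3], units[2], units[5],
               bytes(tampered), units[4], units[5], forged, units[6]]
    receiver = SequenceVerifier(key)
    return [receiver.receive(m) for m in traffic]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The verifier is deliberately strict, accepting units only in order and only once, which is what the definition in the text requires. On a network that may legitimately reorder units, a bounded window of recently seen sequence numbers would replace the single counter; the principle of checking the tag before acting on the sequence number is unchanged.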
1.4 SECURITY MECHANISMS

The security services are implemented using security mechanisms, such as encryption to provide confidentiality. In turn, there may be many different algorithms (e.g., for encryption) capable of serving as the mechanism. Algorithms and their use are discussed more fully in Chapter 4. For the moment we are only concerned with generalised mechanisms, and it may be fairly stated that there are three central ones.
1.4.1 Encryption

Encryption is a fundamental security mechanism in which ordinary data, or plaintext, are transformed by the encryption process into cyphertext. The cyphertext is unintelligible to all but those who know the secret of decrypting it. Usually this secret is a key, or secret string of digits which, when introduced with the cyphertext into the decrypting algorithm, reproduces the plaintext. The original plaintext will normally have been encrypted also using a key. If the encrypting and decrypting keys are the same, we have a symmetric key system; if they are different, an asymmetric key system (see Figs. 1.2 and 1.3).

Figure 1.2 Symmetric key encryption: plaintext -> Encryptor -> cyphertext -> Decryptor -> plaintext, with the same key at both ends.
Figure 1.3 Asymmetric key encryption: plaintext -> Encryptor -> cyphertext -> Decryptor -> plaintext, with different keys at the two ends.

(Note that encryption and decryption are sometimes referred to as encipherment and decipherment, respectively.) In an asymmetric key system, knowledge of one key reveals nothing about the other — there would be little point in the system otherwise. This means that, if we call the encrypting key k_p and the decrypting one k_s, the holder of k_p cannot decrypt his own or any other cyphertext formed with k_p. The importance of this is that it allows k_p to be made public. The holder of the decrypting key keeps k_s secret, but makes k_p widely known, so that anyone can send secret messages to him which only he can decrypt. For the above reason, cryptosystems based on asymmetric keys are often referred to as public key cryptosystems, in contrast with (symmetric) secret key cryptosystems.

Encryption can sometimes provide authenticity as well as confidentiality. It can be argued that if a cyphertext decrypts to a sensible plaintext, then it can only have been produced by a holder of the encrypting key (assuming this is secret, as in a symmetric system), and is therefore authentic as to origin and content. (This argument is weak for cyphers in which an attacker can make controlled changes to the plaintext by altering the cyphertext, as with a stream cypher; hence the separate integrity mechanism of the next section.) Thus, encryption is a powerful mechanism but not without its problems, such as:
• How are secret keys to be distributed securely to authorised holders?
• Given that good cyphertext is an apparently random stream of data, how is the receiver to synchronise with this stream (i.e., where does it start and end)?
• If in transmission a single bit in the cyphertext is in error, it will (if the encryption algorithm is good at randomising) affect about 50% of the bits of the plaintext when decrypting. This will make the resultant plaintext unintelligible. (For a block cypher the damage is confined to the block, or blocks, into which the error falls; a stream cypher, by contrast, corrupts only the corresponding plaintext bit.)
Checks
The second principal mechanism, the integrity check, is the main mechanism for providing authenticity. The concept is familiar from data communications, where parity bits, checksums, and CRCs are generated on transmission and appended to the data. On reception, the same calculation is performed on the received data, and the resultant integrity check value is compared with the received one. If the two check values agree, it is assumed that no error in transmission (either in the data or the check value itself) has taken place. If they do not agree, recovery is either by requesting a retransmission, or by "forward" error-correction on reception, relying on the capabilities of the error-correcting code employed (see Fig. 1.4).

Figure 1.4 Integrity check generation and validation. (Sender: Data -> Check generator -> Integrity check, sent with the Data. Receiver: Check generator on the received Data -> Compare with the received Integrity check.)
For defence against malicious attack this method is defective, because anyone who wished to alter the data would simply regenerate the corresponding integrity check and append it in place of the original one. The procedure for generating the integrity check needs to be secret, and this is readily achieved by encrypting the check value under a key. Note that this encryption process need not be reversible (no more than that the unencrypted check value is reversible back to the data), because the procedure of authentication on reception repeats the calculation and compares the result; it does not reverse the calculation. Even if the integrity check is unforgeable unless one has the key, there is still the danger that an intruder might alter the data in some way which would leave them compatible with the existing integrity check, but give the data a new, unlawful meaning. A linear check such as a CRC is especially exposed: an attacker can choose alterations, or append a few bytes, so that the check value is unchanged, and an encrypted copy of an unchanged value is still valid. A nonlinear procedure for generating the check, such as hashing, is usually required to frustrate this.
The two-stage check generation process of "condensing" or hashing the data to a checksum of some sort, then encrypting the result, may also be executed in one stage: condense under a key (see Fig. 1.5). Alternatively, the two-stage approach may be maintained, but the authentication procedure may be altered to use explicit decryption. Now the comparison on reception is between the received and recalculated hashed values (see Fig. 1.6), rather than between the hashed-and-encrypted values of Figure 1.5. For this encryption/decryption process, symmetric or asymmetric keys may be used.

Figure 1.5 Key-controlled integrity check generation. (Data -> Check generator under a key -> Integrity check; on reception the check generator is rerun under the same key and the two values compared.)

Figure 1.6 Explicit encryption/decryption of hashed check. (Sender: Data -> Hashing -> Encrypt -> Integrity check. Receiver: Integrity check -> Decrypt, compared with Hashing of the received Data.)
If asymmetric (public) key cryptology is used for the second stage of authentication, we have the possibility of including the nonrepudiation service along with the integrity check. Suppose the integrity check is generated with the sender's secret key, ks. The check may be authenticated by any holder of his public key, kp. The recipient is then sure not only that the received data are unmodified, but also that they are certainly from the holder of ks. No one else could have produced an integrity check that was correctly validated by kp. The check is a nonrepudiable digital signature to the data by the holder of ks.

Note that when discussing public key encryption, kp was associated with encryption, ks with decryption. But for digital signatures, as presented above, we need ks for encryption and kp for decryption. Thus, it would appear that (if the same algorithms are to be used) each person requires two pairs of keys, so that he can distribute publicly an encrypting kp and a distinct decrypting kp. Rather than do this, we can use an algorithm in which the encrypting operation E() and the decrypting one D() may be applied in reverse order and still produce the original value (i.e., E(D(m)) = m, where m is some message). Since D(E(m)) also equals m, the requirement on the algorithm is that E (using kp) and D (using ks) should commute: E(D(m)) = D(E(m)). RSA is the best-known algorithm with this property. Then we define the integrity check/digital signature as the decrypted (with ks) value of the hashed value of the data; and the authentication procedure as encrypting (with kp) the digital signature and comparing the result with the hashed received data. (In practice the hash is not signed raw but is first formatted by a padding scheme defined for the signature algorithm; applying a bare RSA private operation to an unpadded hash is not a secure signature.)
1.4.3 Uniqueness Mechanisms

The third grouping of fundamental mechanisms, after encryption and integrity checks, is that of uniqueness mechanisms. These are required to counter threats such as replay and resequencing. The mechanisms are usually simple: to the data are added a sequence number, the date and time, a random number, or some combination of these. These are then included with the user data in the integrity check. The sequence number, date, and time establish the position of the data in a sequence, and serve to detect loss and help recovery. The random number provides an unpredictable component.

As an example of the use of uniqueness mechanisms (and integrity checks), consider the problem of identifying a user initiating a login session from his PC to a remote computer. The computer sends him by return a random number, to which he is to add an integrity check. The user adds the check using his secret key and returns it to the computer (see Fig. 1.7). The computer authenticates the check, and if the comparison test does not fail, the computer may conclude that the actual user does indeed hold the secret key which the computer associates with the (initially self-proclaimed) user. It is then reasonable to conclude that his stated identity is his real identity. (The integrity check could not be a replay of a previously valid one, acquired by spying on the line, because the random number is unpredictable. This holds only if the computer never issues the same random number twice, so the number must come from a generator that is both unpredictable and large enough that repeats are negligible.)

Figure 1.7 Secure identification of user. (User sends claimed identity; Computer notes claimed identity and sends a random number; User forms an integrity check with his secret key and sends it; Computer authenticates the integrity check.)

These basic mechanisms can be put together in various ways to provide the services previously listed. It will be noted that the mechanisms have three principal components:
• Secret information such as keys and passwords, held by the appropriate parties;
• Algorithms, such as those which perform encryption, decryption, hashing, and generation of random numbers;
• Procedures, which define how the algorithms are used, who sends what to whom, and when.

It should also be clear that security systems require security management. The management covers two broad fields:

• The secure generation, allocation, and distribution of the secret information, so that only those authorised to hold it do hold it;
• The policing of the services and mechanisms to detect infringements of security, and to take corrective action.

Security management is discussed in Chapter 3.
1.5 SECURITY STANDARDS

The development of standards for security dates from the late 1970s. Traditionally, there was a view that since security was concerned with secrecy, everything possible about algorithms and procedures should be kept secret. This, of course, becomes very difficult. It is hard enough to distribute keys securely, without also having to distribute often complex mathematical functions (implemented mechanically in the past) without outsiders knowing about it. A further, more important factor in the opening up of security was that its scope grew from normal narrow military use to a wider commercial one. In particular, sectorial associations, for example of banks, needed common security procedures. The standardisation of algorithms and procedures for use by such associations has three advantages:

• Communication between independent institutions using differing computer hardware and software becomes possible.
• The security of the algorithms and procedures is exposed to a wide, informed, and critical audience; and as a result the users' confidence in it is increased.
• Economies of scale become possible. For example, integrated circuits implementing standardised algorithms, such as DEA, can be developed.

With the requirement from certain applications, particularly in the financial field, for common security functions, there came the parallel development of the OSI Reference Model [1]. The OSI concept is that of a layered structure providing communication services to its users. Functions such as error-detection and recovery, routing, flow control, fragmentation and reassembling of data blocks, and format conversion, which are necessary if two differing systems are to communicate over a switched network, are identified and allocated to particular layers in the structure. A higher layer adds more functions to those provided by the services of the layers below it, and thus provides an enhanced service to its users. On the basis of this layered structure precise procedures and protocols are defined, enabling differing systems to perform in cooperation a variety of functions, such as exchange of files, electronic mail, and interactive interworking, over a variety of networks.
This is the "open systems" concept put forward in the International Standards Organisation (ISO) 7498 standard. An addendum to this document, ISO 7498-2 [2], was added later to address the requirement for security functions in OSI. (The layered structure of ISO 7498 is presented in more detail in Appendix A, together with the allocation of security services to layers as recommended in ISO 7498-2.) ISO 7498-2 is a general document entitled 'Security Architecture', discussing threats, services, and mechanisms. A similar overview document is the European Computer Manufacturers' Association's TR/46 'Security Frameworks'. More specific security standards have also been developed by institutions other than ISO, notably the Comite Consultatif International de Telegraphie et Telephonie (CCITT) and the American National Standards Institute (ANSI).
CCITT has adopted ISO's OSI Reference Model with a specific range of layered services and protocols, as defined in the X.200 Series Recommendations [3]. At the top layer are the standardised applications, notably (in CCITT's case) the X.400 message handling system (MHS) [4], and the X.500 directory [5]. Included in both of these substantial documents are a series of security elements of service, or individual security functions, in which the procedures and mechanisms are worked out in detail. The algorithms which may be used (e.g., for encryption) are, however, only indicated.

ANSI, by contrast, in the X3 series, and more particularly the X9 series standards, has concentrated on low level details of encryption, integrity, authentication, and key and PIN (personal identification number) management. For example, the well-known data encryption algorithm (DEA) is ANSI X3.92 [6]. ANSI's X.12 series also considers security issues for electronic data interchange (EDI). Many of these ANSI standards have later been suitably modified and adopted by ISO.
The ongoing standardisation work of most relevance to the theme of this book is probably taking place in Subcommittee 27 (SC27) of the Joint Technical Committee No. 1 (JTC1) of ISO and the International Electrotechnical Commission (IEC). This is referred to as ISO/IEC JTC1/SC27. JTC1 is concerned with information technology (IT). SC27 is dedicated to generic security techniques and mechanisms (i.e., not as applied to particular applications). Also excluded from SC27's terms of reference is the standardisation of specific cryptographic algorithms. SC27's scope covers:

• identification of generic security requirements and services for IT;
• development of security techniques and mechanisms;
• development of security guidelines (risk analysis is included under this heading);
• development of management support documentation and standards.

SC27 has three working groups (WGs). WG1 is responsible for requirements, security services, and guidelines; WG2 for techniques and mechanisms; WG3 for security evaluation criteria (see also ITSEC, Appendix H). SC27 also liaises with other subcommittees and working groups of JTC1, and with technical committees of ISO on its own, namely:

• ISO/IEC JTC1/SC1: Vocabulary;
• ISO/IEC JTC1/SC6: Telecommunications and information exchange between systems (this includes the embedding of security functions in many OSI services and protocols);
• ISO/IEC JTC1/SC17: Identification cards and related devices;
• ISO/IEC JTC1/SC18: Text and office systems;
• ISO/IEC JTC1/SC21: Information retrieval, transfer and management for OSI;
• ISO/IEC JTC1/SC22: Languages, in particular POSIX;
• ISO/IEC JTC1/WG3: Open EDI;
• ISO TC68/SC2: Banking operations and procedures;
• ISO TC68/SC6: Financial transaction cards, related media, and operations.
At the time of writing (1992), the principal items of work being undertaken by SC27 include: entity authentication mechanisms (WG2); zero-knowledge integrity mechanisms (WG2); nonrepudiation mechanisms (WG2); hash functions (WG2); registration of encipherment algorithms (WG1); guidelines for management of IT security (WG1); evaluation criteria for IT security (WG3); key management (WG1, WG2); security information objects (WG1); glossary of IT security terminology (WG1, WG3). (Most of these topics are reviewed in Chapters 2, 3, and 4 of this book. In the absence of an agreed upon international glossary of terms, we have used those most commonly in use at present.)

ISO/IEC also liaise with CCITT, in particular with Study Group VII (SG VII), in standardising the inclusion of security functions in OSI (see SC21). In recent years the European Telecommunications Standards Institute (ETSI) has also become involved in security issues, for example for GSM (see Chap. 7). A subcommittee on security techniques (STAG) of the technical committee for network aspects (NA) has been formed. Other bodies engaged in security standardisation include the European Computer Manufacturers' Association (ECMA) technical committees TC32 and TC36, and CEN/CENELEC. A list of relevant standards is to be found in the Selected Bibliography section at the end of this book. In the following chapter, frequent reference will be made to these standards. The specific cases of MHS, the Directory, and EDI are considered in detail in Chapter 5.
1.6 SUMMARY

A security policy and subsequent risk analysis determine which aspects and parts of a system require protection. If these include traffic on networks, most of the major security threats to it, and the services to counter those threats, are already well identified in documents such as ISO 7498-2. The mechanisms for providing these services are also considered in national and international standards, but here there are many alternatives possible. At the algorithm level, there are even more possibilities, but a few well-defined algorithms have been standardised. In the next chapter, procedures which support the security services and mechanisms are looked at in more detail. In Chapter 3 security management is considered. Algorithms are deferred to Chapter 4.
REFERENCES

[1] ISO 7498, Open Systems Interconnection Reference Model, 1988.
[2] ISO 7498-2, OSI/RM Security Architecture, 1988.
[3] CCITT Fascicle VIII.4, X.200 OSI Reference Model, CCITT Blue Book, Geneva, 1988.
[4] CCITT Fascicle VIII.7, X.400 Message Handling Systems, CCITT Blue Book, Geneva, 1988.
[5] CCITT Fascicle VIII.8, X.500 Directory Services, CCITT Blue Book, Geneva, 1988.
[6] ANSI X3.92, Data Encryption Algorithm, ANSI, New York, NY.
Chapter 2 Security Procedures

2.1 ATTACKS TO BE THWARTED

A security mechanism consists not only of secret information, such as keys, and one or more algorithms; it also involves security procedures. Thus, in Chapter 1 it was shown that encryption is a fundamental security mechanism which involves not only procedures for encrypting and decrypting, but also procedures for synchronisation and for the secure distribution of keys. Before reviewing the procedures built into security mechanisms, it is worth considering the techniques of attack which they are designed to outwit. In particular, this is concerned with attacks against encryption, since this is possibly the basis of most other security services and mechanisms. A theoretical analysis of the security of cyphertext has been given by Shannon, and is summarised in Appendix B. A pragmatic list of common methods of attack follows here.

2.1.1 Statistical Analysis

The cyphertext is searched for recurring patterns, which will reveal some of its structure and meaning. For example, if the cyphertext is formed by substituting one character for another according to some rule (the key), the frequency distribution (histogram) of characters is unchanged, except for the specific identity of each character. Thus, in English E is the most frequent character, and if X turns out to be the most frequent in the cyphertext, it may be guessed that X has been used to replace E. In any given language the character histogram (including character pairs) is well known, so an analysis may even identify the language automatically. Character substitution is a trivial encryption process, but the statistical analysis attack may yet succeed in much more complex cases. Computers can process large amounts of data rapidly, and even small deviations from randomness of "white noise" (which is the ideal appearance of cyphertext) may become significant.

2.1.2 Known Plaintext Attack
If the plaintext as well as the cyphertext is known, the attacker knows the input to and the output from the encryption algorithm, and has an enhanced chance of finding the key, assuming the algorithm itself is public knowledge. Once found, the key may be used to decrypt cyphertext whose plaintext is not known. Parts of plaintext are often known, or can be guessed, by attackers. For example, the standardised messages that occur in intercomputer transfers, such as EDI and electronic mail, have a rigid structure, including many known symbols in fixed positions. They also include other fields (e.g., name and address, time of transmission) whose contents are readily guessed. Known plaintext may also be forced through the encryption system, for example, by creating an event (e.g., depositing money in a bank account) that will give rise to an encrypted transaction, which may then be analysed.

2.1.3 Chosen Cyphertext Attack

This is very similar to the known plaintext attack, except that it is on the decryption algorithm. If an attacker can force chosen cyphertext, for example a continuous stream of 0s, into the decryptor and observe the plaintext output (the difficulty), he or she may be able to determine the key. "Inside" attackers who work with secure systems, in which keys are kept in tamper-proof devices but whose inputs and outputs may be observed by the insiders, could use this method.
2.1.4 Searching the Key Space

The key space is defined as the number of all possible keys. For example, there are 26! possible keys for a simple substitution cipher, in which each of the 26 letters in the English alphabet is replaced by another. There are n! ways in which n symbols (e.g., characters, bits) in a block may be permuted. The key spaces are 26! and n!, respectively. A brute force attack in which the entire decryptor key space is tried out on the cyphertext, to see if meaningful plaintext results, is not out of the question for computers capable of ten or more million instructions per second (10 MIPS). (This attack presupposes knowledge of the decryption algorithm.) Note that a large key space is necessary but not sufficient: 26! is about 4 x 10^26, yet the substitution cipher falls to the statistical analysis of Section 2.1.1 without any search of keys at all.
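The following is an added example, not code from the book, putting Sections 2.1.1 and 2.1.4 side by side: the substitution cipher has 26! keys, yet a single letter-frequency pass over the cyphertext recovers the most important symbols. The English frequency order, the sample plaintext and the seed are constructed for illustration; a real attack would also use the pair (digram) statistics the book mentions.

```python
"""Statistical analysis (Section 2.1.1) against the substitution cipher whose
key space is 26! (Section 2.1.4): the size of the key space is irrelevant
when the cyphertext keeps the plaintext's letter histogram.

Added example, not from the book. ENGLISH_ORDER and SAMPLE are constructed
for illustration."""
import math
import random
import string
from collections import Counter

# Letters of English in (approximate) descending order of frequency (assumed).
ENGLISH_ORDER = "etaoinshrdlcumwfgypbvkjxqz"

# Constructed plaintext; 'e' is by far its most frequent letter.
SAMPLE = ("the quick brown fox jumps over the lazy dog while the eager beaver "
          "builds a dam near the river bank and the sleepy cat rests under the "
          "green tree in the evening breeze")


def random_key(rng):
    """One of the 26! keys: a permutation of the alphabet (plain -> cypher)."""
    perm = list(string.ascii_lowercase)
    rng.shuffle(perm)
    return dict(zip(string.ascii_lowercase, perm))


def substitute(text, table):
    """Apply a substitution table; characters not in the table pass through."""
    return "".join(table.get(ch, ch) for ch in text)


def frequency_guess(cyphertext):
    """Map the most frequent cyphertext letter to 'e', the next to 't', and so
    on down ENGLISH_ORDER. Returns a guessed table (cypher -> plain)."""
    counts = Counter(ch for ch in cyphertext if ch in string.ascii_lowercase)
    ranked = [ch for ch, _ in counts.most_common()]
    return dict(zip(ranked, ENGLISH_ORDER))


def attack(plaintext=SAMPLE, seed=1):
    """Encrypt under a random key, then attack the cyphertext by frequency."""
    rng = random.Random(seed)
    key = random_key(rng)
    ct = substitute(plaintext, key)
    guess = frequency_guess(ct)
    inverse = {c: p for p, c in key.items()}           # the true decryption table
    e_symbol = next(c for c, p in guess.items() if p == "e")
    letters_right = sum(1 for c, p in guess.items() if inverse[c] == p)
    return {"keyspace": math.factorial(26),            # 26! keys to search
            "cyphertext": ct,
            "recovered": substitute(ct, guess),        # partially readable already
            "e_found": inverse[e_symbol] == "e",       # did one pass find E?
            "letters_right": letters_right}


if __name__ == "__main__":
    r = attack()
    print("key space:", r["keyspace"])
    print("cyphertext:", r["cyphertext"])
    print("frequency guess:", r["recovered"])
    print("E identified:", r["e_found"], "letters right:", r["letters_right"])
```

Rank-for-rank matching recovers only the commonest letters; the rest is normally finished by hand from digram statistics and partial words, which is still far less work than any search of the key space.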
2.1.5 Breaking the Algorithm

Typically, this approach would be used with the known plaintext attack to find the key. It assumes that the algorithm, designed to make this impossible, in reality has some hidden weakness. Usually such an attack is a mixture of brute force and mathematical ingenuity. Weaknesses may often be discovered by using, as plaintext, repetitive patterns such as a long string of 0s.
2.1.6 Stealing the Key

This is an obvious attack, and one which is far more simple than trying to break cyphertext. The attack may prove particularly appropriate to symmetric key cryptosystems, where secret keys have to be distributed to remote users.

2.1.7 Introducing a False Key

Introducing a false key is another obvious attack, to which public key cryptosystems are also vulnerable. The attacker distributes, securely or (semi) publicly, a public key which corresponds to his own secret key, but he pretends that it belongs to some other valid user, whom he proceeds to impersonate. The defence is that public keys must be distributed in a form whose origin can be verified, for example certified by a trusted third party, rather than simply published.

2.1.8 Modifying Cyphertext

Without necessarily being able to decrypt the cyphertext, an attacker may be able to modify it undetected. For example, suppose the attacker makes two bank transactions, identical except that one is a lodgement to an account and the other a withdrawal. The attacker observes the corresponding cyphertexts as transmitted on the bank's network and deduces how to turn one into the other. He or she then proceeds to make a series of withdrawals of cash (e.g., from a dispenser), which are all recorded on the bank's remote central computer as lodgements, because the cyphertext sent from the dispenser to the computer has been intercepted and modified. The example is probably fanciful, but serves as an illustration.
2.1.9 Modifying Plaintext

An alternative to modifying cyphertext is that of modifying the text of an unencrypted, but signed or MACed (see Sec. 2.3), message in such a way as to leave the signature/MAC unaltered but still valid for the new text.

There are many other possible attacks on systems based on encryption, depending on the details of their procedures, algorithms, and handling of secret data. For example, the replay threat (of Chap. 1) may be used with cyphertext, without the attacker having any knowledge of the keys or the plaintext, other than that it is to his advantage to retransmit the captured cyphertext.
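The following is an added example, not code from the book, illustrating both Section 1.4.2 (why an encrypted but linear check is not enough) and the plaintext-modification attack of Section 2.1.9. A message protected by a CRC-32 is rewritten and four bytes are appended so that the CRC is unchanged; the "encrypted check" the receiver validates is therefore still correct, although the attacker never touched it and holds no key. A keyed hash over the whole message (HMAC) detects the same change. The CRC-forging step is the standard table-reversal technique; HMAC standing in for "encryption of the check value", the key and the messages are assumptions for illustration.

```python
"""A linear integrity check survives a crafted alteration even when the check
value is encrypted; a keyed hash over the data does not.

Added example, not code from the book. HMAC stands in for encrypting the
4-byte CRC under a key; the key and messages are constructed."""
import hmac
import zlib

# Standard reflected CRC-32 table (polynomial 0xEDB88320), as used by zlib.
TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    TABLE.append(c)
# The top byte of each table entry is distinct, so it identifies the index.
REV = {t >> 24: i for i, t in enumerate(TABLE)}


def crc32(data):
    return zlib.crc32(data)


def crc32_suffix(data, target):
    """Return 4 bytes s such that crc32(data + s) == target."""
    # Work backwards from the wanted final register to the four table
    # indices that the appended bytes must select.
    want = target ^ 0xFFFFFFFF
    idx = [0] * 4
    x = want
    for i in range(3, -1, -1):
        idx[i] = REV[x >> 24]
        x = ((x ^ TABLE[idx[i]]) << 8) & 0xFFFFFFFF
    # Run the CRC forward from the real register and pick each byte so that
    # it produces the required index.
    r = zlib.crc32(data) ^ 0xFFFFFFFF
    out = bytearray()
    for i in range(4):
        b = (r ^ idx[i]) & 0xFF
        out.append(b)
        r = TABLE[(r ^ b) & 0xFF] ^ (r >> 8)
    return bytes(out)


def encrypted_crc(key, data):
    """Sender's check: CRC-32 of the data, then 'encrypted' under key
    (HMAC of the 4-byte value stands in for the block encryption)."""
    crc = zlib.crc32(data).to_bytes(4, "big")
    return hmac.new(key, crc, "sha256").digest()


def keyed_hash(key, data):
    """Nonlinear, key-controlled check over the data itself (Fig. 1.5 style)."""
    return hmac.new(key, data, "sha256").digest()


def crc32_equal(a, b):
    return zlib.crc32(a) == zlib.crc32(b)


def demo():
    key = b"secret shared by sender and receiver"   # constructed
    original = b"TRANSFER 100 TO ACCOUNT 4417"       # constructed message
    # The attacker rewrites the message, then appends 4 bytes chosen so the
    # CRC-32 equals the original's. The receiver forwards the unchanged check.
    altered = b"TRANSFER 900 TO ACCOUNT 9999"
    altered += crc32_suffix(altered, zlib.crc32(original))
    crc_fooled = encrypted_crc(key, altered) == encrypted_crc(key, original)
    mac_fooled = keyed_hash(key, altered) == keyed_hash(key, original)
    return altered, crc_fooled, mac_fooled


if __name__ == "__main__":
    altered, crc_fooled, mac_fooled = demo()
    print("altered message:", altered)
    print("encrypted CRC still validates:", crc_fooled)
    print("keyed hash still validates:", mac_fooled)
```

The four trailing bytes are arbitrary binary; in a free-text or padding field they go unnoticed. The point is not the specific trick but that any check computed by a linear (XOR-based) rule can be steered this way, so encrypting its output protects nothing.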
2.2 ENCRYPTION PROCEDURES

First let us consider block encryption with a symmetric secret key, as shown in Figure 2.1. If n bits are encrypted at a time, then effectively a set of 2^n n-bit symbols is mapped into itself. This mapping is one-to-one for decryption to be possible; and there exist (2^n)! possible one-to-one mappings. However, if the key K has length k, then only 2^k such mappings are possible. Even if k = n, this serves to show that only a very small fraction (1/(2^n - 1)!) of all possible mappings can be obtained by basing the encryption process on a key. Moreover, Appendix B shows that the probability of an arbitrary K, applied to a given n-bit cyphertext block, producing meaningful plaintext is also very small; and a brute force search of the key space is thus unlikely to produce ambiguous results. In short, the attacker's task is much simpler than the apparently daunting one of identifying which of (2^n)! possible mappings is in use.

The attacker's task is even easier if the configuration of Figure 2.1 stands, because any given n-bit plaintext input will always produce the same output. This facilitates attack by statistical analysis. Two methods are used to overcome this:

• The key is modified each time the algorithm is used.
• The input data are modified each time by merging them with a processed (encrypted) version of previous input plaintext (i.e., feedback is used).

The first method is usually implemented by XOR-ing a counter or offset value with the key. Typically, the counter will be updated at the start of a new communication session, and the update must be done in synchronism by sender/encryptor and receiver/decryptor. This update can be implicit, at prespecified and readily identifiable break-points in a communication, or it can be explicit, with the encryptor transmitting a new value for the offset in a special control message, as shown in Figure 2.2. It is important that the change of a single bit in the counter should produce a "complete" change in the cyphertext; otherwise the change can be identified and discounted by the attacker performing statistical analysis. (A "complete change" means changing 50% of the cyphertext. A 100% change is no change, merely the complement.) Note that XOR-ing an offset into the key feeds closely related keys through the same algorithm; the usual modern form of this idea is instead to encrypt the counter itself and use the output as a key stream.

Figure 2.2 Updating the effective key with an offset. (Plaintext blocks (n bits) -> Encryptor under key XOR offset -> Cyphertext blocks; offset updates are applied in step at both ends.)

Changing the key in the middle of a long, unbroken stream of data is perhaps a risky procedure to employ. It may be difficult to ensure correct synchronisation if bit errors are present. The more usual procedure for handling long data streams is to use feedback, effectively converting a block encryptor into a stream encryptor. Various methods or modes exist for doing this [1]. The block encypherment of Figure 2.1 (no feedback) is called the electronic code book (ECB) mode, since it can be thought of as looking up a code book containing a table of 2^n entries. Figure 2.3, by contrast, illustrates a feedback mode called cipher block chaining (CBC), in which each new block of plaintext is XORed with the preceding block of cyphertext before encryption. The procedure needs an initial value (IV) to get started. Figure 2.4 illustrates cipher feedback (CFB). In this mode m bits of plaintext are XOR-ed with m bits selected from the n-bit encryptor output to produce m bits of cyphertext. These m bits are shifted into an n-bit register, displacing the oldest m of its n bits, and the register contents are encrypted to produce the next output; m may have any value from 1 to n. The shift register also needs an IV to get started. In either mode the IV need not be secret, but it must not be repeated under the same key, and for CBC it should not be predictable by an attacker; otherwise the equal-input-equal-output weakness of ECB returns for the first block.
[Figures 2.3 to 2.11 are not reproduced here. Of their labels only the following survive: for the CFB shift register of Figure 2.4, "m bits selected" from the n-bit encryptor output, "n-bit shift register", "m bits of plaintext" and "m bits of cyphertext"; elsewhere "Buffer", "Block buffer", "Plaintext blocks", "E" and "cyphertext"; and the caption "Figure 2.9 Confidentiality with asymmetric keys."]
... built from a stream encryptor by passing the data through several times (reversing the sequence of bits each time), under control of a key sequence which must be reversed for decryption. In short, one basic technique can be used to construct any of the others, as shown in Figure 2.12; and it is nonsensical to pretend, as is sometimes done, that it is possible to develop authentication algorithms (which are usually politically noncontroversial) in isolation from encryption algorithms, which are often subject to political supervision. (Note that Fig. 2.12 does not show all possibilities for constructing security procedures.)

Figure 2.12 Constructing one class of security procedure from another. (Labels include "Key-controlled authenticator" and "Repeated reversed use".)
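The following is an added example, not code from the book, for Section 2.2 and the cyphertext-modification attack of Section 2.1.8. It runs the same block function in ECB and in m-bit cipher feedback to show the pattern leak that feedback removes, the limited error propagation and self-synchronisation of CFB, and the fact that an attacker who knows a plaintext byte can flip a cyphertext bit and change it without any key. The n-bit block encryptor E is simulated by truncated HMAC-SHA256, a keyed pseudo-random function; ECB and CFB below only ever apply E in the forward direction, so the stand-in behaves as a block cipher for this purpose (it is not DEA or AES). n = 64 bits, m = 8 bits, and the key, IV and messages are assumptions for illustration.

```python
"""ECB versus cipher feedback (CFB): structure leak, error propagation,
and bit-flip malleability.

Added example, not code from the book. E is a keyed PRF standing in for a
real n-bit block encryptor; key, IV and plaintext are constructed."""
import hmac

N_BYTES = 8    # n: block size and shift-register length, in bytes
M_BYTES = 1    # m: bits of cyphertext produced per CFB step, in bytes


def E(key, block):
    """Stand-in for the keyed n-bit block encryptor (forward direction only)."""
    return hmac.new(key, block, "sha256").digest()[:N_BYTES]


def ecb(key, data):
    """Figure 2.1 / ECB: every n-bit block encrypted independently."""
    return b"".join(E(key, data[i:i + N_BYTES]) for i in range(0, len(data), N_BYTES))


def cfb(key, iv, data, decrypt=False):
    """Figure 2.4 / CFB: m bits of the encrypted register are XORed with m bits
    of input; the m cyphertext bits are shifted into the register. The
    decryptor runs E the same way but feeds back the received cyphertext."""
    reg = bytearray(iv)
    out = bytearray()
    for i in range(0, len(data), M_BYTES):
        chunk = data[i:i + M_BYTES]
        keystream = E(key, bytes(reg))[:M_BYTES]          # select leftmost m bits
        res = bytes(x ^ y for x, y in zip(chunk, keystream))
        fed = chunk if decrypt else res                    # cyphertext either way
        reg = reg[len(fed):] + bytearray(fed)              # shift m bits in
        out += res
    return bytes(out)


def repeated_blocks(ct):
    """How many n-bit cyphertext blocks duplicate an earlier one."""
    blocks = [ct[i:i + N_BYTES] for i in range(0, len(ct), N_BYTES)]
    return len(blocks) - len(set(blocks))


def flip_bit(buf, byte_index, bit):
    b = bytearray(buf)
    b[byte_index] ^= 1 << bit
    return bytes(b)


def demo():
    key, iv = b"k" * 16, bytes(N_BYTES)                    # constructed key and IV
    pt = b"CASH 100" * 4                                   # four identical 8-byte blocks
    ct = cfb(key, iv, pt)
    # 1. Pattern leak: identical plaintext blocks give identical ECB blocks.
    leak = (repeated_blocks(ecb(key, pt)), repeated_blocks(ct))
    # 2. Transmission error: one flipped cyphertext bit corrupts that bit and
    #    the next n/m = 8 steps; after that CFB resynchronises by itself.
    dec = cfb(key, iv, flip_bit(ct, 10, 0), decrypt=True)
    resync = dec[:10] == pt[:10] and dec[10] == pt[10] ^ 1 and dec[19:] == pt[19:]
    # 3. Malleability (Section 2.1.8): knowing that plaintext byte 5 is "1",
    #    an attacker flips bit 3 of cyphertext byte 5 to make it "9". The next
    #    8 bytes are garbled, which only an integrity or format check catches.
    forged = cfb(key, iv, flip_bit(ct, 5, 3), decrypt=True)
    return leak, resync, forged[:6], forged[14:] == pt[14:]


if __name__ == "__main__":
    print(demo())
```

The garbling after the flipped byte is what makes CFB "self-synchronising" after a line error, and it is also the only thing standing between the attacker and a clean "CASH 900"; in a pure key-stream mode there is not even that, which is why the book insists on an integrity check alongside encryption.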
2.3.1 Secure Access Management

Access management can apply between two computing systems, such as work-stations. It can also apply between a human user and a system. Secure access management may be regarded as on-line interactive authentication. System-to-system access management is considered first.

Essentially three concepts are involved in secure access management:

• identification, which is taken here to mean self-proclaimed identification by one or other party;
• authentication, in which the claimed identity is (usually) challenged and proved to be correct or otherwise;
• authorisation, or the granting of access rights to a party whose identity has been successfully authenticated.

Identification may be trivial: one simply submits one's name or equivalent at the start of the dialogue. Authorisation may be equally trivial; for example, once authenticated, the user of a computer system might have unlimited rights to access and manipulate data on the system. Authentication, however, when present, is usually nontrivial. In practice most systems support hierarchies of access rights, for which authorisation is dependent on authentication procedures whose complexity is related to the access privileges allowed. The simplest form of access management is one-way. A, typically a terminal, sends its identity to B, a computer system, which looks up A in a file of authorised users. If found there, A is allowed to use the system.
This insecure procedure is usually supplemented with a password which is secret, unlike A's identity which is usually known publicly (e.g., for E-mail use). A's password is normally held hashed on the host system, by which is meant scrambled by a one-way (irreversible) function so that persons searching the system files cannot find passwords in clear. (Current practice also salts each password and uses a deliberately slow function, so that a stolen file cannot be attacked with precomputed dictionaries.) The procedure is for A to submit its identity and password in clear. B checks the identity for validity, and then hashes the submitted password and compares it with the filed version of A's hashed password, as shown in Figure 2.13. If the two values agree, A is accepted. A's password is easily leaked since it is transmitted in clear.

A more secure one-way procedure is shown in Figure 2.14. Here, A makes its submission unreplayable by including the date, time, and a random number, and makes it unforgeable by adding a MAC. On reception, B checks the date and time as "current" (i.e., agreeing with B's values). To avoid too tight requirements for synchronising A's and B's clocks, and to allow for transmission delays, the interval between clock updates may be quite large (e.g., one or two minutes), during which a submission carrying the same date and time can be replayed. The random number then serves to guarantee uniqueness of the data incorporated into the integrity check within this interval: B must remember the random numbers received during the current interval and reject a repeat. B then authenticates the MAC. Given that the time is current, the MAC could be a full digital signature produced by A's secret key, and validated with A's public key. In many systems A's identity, the date and time, and the random number are covered by the MAC, and the procedure thus includes identification and authentication of A by B. Subsequently, A submits his password to B, and this is the basis of authorisation.

Figure 2.13 Password verification. (A sends its identity IDA and password PW; B finds IDA in the file of users, computes H(PW) with the hash function H, and compares it with the filed H(PW).)

Figure 2.14 A one-way MAC authentication procedure. (A sends IDA, Date-Time, Random number, and a MAC computed with the algorithm under key k; B checks "Date-Time current?" and "Random number unique?", selects k for IDA, recomputes the MAC with the same algorithm, and compares.)
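The following is an added example, not code from the book, of the one-way procedure of Figure 2.14 with the three checks the text requires on B's side: the date-time must fall within the tolerated window, the random number must not have been seen within that window, and the MAC must verify under the key filed for the claimed identity. HMAC-SHA256 stands in for the book's unspecified MAC algorithm; the window length, key table, field layout and clock values are assumptions for illustration.

```python
"""One-way authentication of Figure 2.14: A sends identity, date-time, a
random number and a MAC over all three; B checks currency, uniqueness
within the window, and the MAC.

Added example, not code from the book. HMAC-SHA256 stands in for the MAC
algorithm; WINDOW, keys and timestamps are constructed."""
import hmac
import os
import time

WINDOW = 120   # seconds of clock skew plus transmission delay B tolerates (assumed)


def make_mac(key, ident, stamp, nonce):
    # Length-prefix each field so that the three fields cannot be re-split.
    fields = (ident, str(stamp).encode(), nonce)
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, msg, "sha256").digest()


class Terminal:
    """A: holds its secret key and builds the access submission."""

    def __init__(self, ident, key):
        self.ident, self.key = ident, key

    def submission(self, now=None):
        stamp = int(time.time()) if now is None else now
        nonce = os.urandom(16)                       # the random number
        return {"id": self.ident, "time": stamp, "nonce": nonce,
                "mac": make_mac(self.key, self.ident, stamp, nonce)}


class Host:
    """B: file of users (identity -> key) plus memory of recent random numbers."""

    def __init__(self, users):
        self.users = users
        self.seen = {}                               # nonce -> date-time accepted

    def check(self, sub, now=None):
        now = int(time.time()) if now is None else now
        key = self.users.get(sub["id"])
        if key is None:
            return "unknown identity"
        if abs(now - sub["time"]) > WINDOW:
            return "date-time not current"
        # Random numbers older than the window can no longer be replayed
        # (the date-time check rejects them), so forget them.
        self.seen = {n: t for n, t in self.seen.items() if abs(now - t) <= WINDOW}
        if sub["nonce"] in self.seen:
            return "random number already used"
        expected = make_mac(key, sub["id"], sub["time"], sub["nonce"])
        if not hmac.compare_digest(expected, sub["mac"]):
            return "MAC invalid"
        self.seen[sub["nonce"]] = sub["time"]
        return "accepted"


def demo():
    """Fresh submission, replay inside the window, stale submission, tampering."""
    key = os.urandom(32)                             # constructed shared secret
    a, b = Terminal(b"A", key), Host({b"A": key})
    t0 = 1_000_000_000                               # constructed clock value
    sub = a.submission(now=t0)
    results = [b.check(sub, now=t0 + 5)]                           # accepted
    results.append(b.check(sub, now=t0 + 30))                      # replay: random number already used
    results.append(b.check(a.submission(now=t0), now=t0 + 600))    # stale: date-time not current
    fresh = a.submission(now=t0 + 10)
    results.append(b.check(dict(fresh, time=t0 + 11), now=t0 + 12))  # altered field: MAC invalid
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The order of the checks matters: the date-time test runs first so that the memory of random numbers need only cover one window, and the MAC is verified last so that an attacker cannot use the host as an oracle for guessing keys before the cheap checks have been passed.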
The one-way procedure of Figure 2.14 may be criticised on the grounds that A has total control over the data sent to B. A can choose the time of access and the random number; and an intruder could also choose values which would enable him to forge the MAC, perhaps on the basis of previously leaked access messages. To avoid this weakness, Figure 2.15 shows a two-way procedure, in which B first supplies A with the random number. This could be in immediate response to A's call to B, as shown. Alternatively, as shown in Figure 2.16, A may first identify itself to B, after which B clears the call. Then B calls A back, using a network address stored as A's on file, and sends A the random number. The method shown in Figure 2.16 includes the added check that the calling system purporting to be A is at A's normal network address. In both Figures 2.15 and 2.16 A is effectively challenged by B to produce a valid MAC for something B sends to it.
Figure 2.16 A two-way procedure following callback. (A establishes a call to B and sends IDA; B looks up the file of users and the network address filed for A, clears the call, establishes a call to A, and sends the random number; A returns IDA, Date-Time, the random number, and the MAC computed under k; B recomputes the MAC with the same algorithm and compares.)

Many users are tired of always being suspected by the host. Is the host system itself not fallible, and should it not be properly authenticated also? This question is particularly relevant if A and B are similar systems, both "hosts", and if a switched network, on which misrouting of calls might occur, is used to connect them. Figure 2.17 addresses this requirement. It shows two-way reciprocal (or mutual) authentication, using the very simple idea of making the procedure shown in Figure 2.14 reciprocal. No challenges are involved. No particular sequence of events is necessary:
B IDa, Date-Time,
Ra
Validate
(R.
Figure 2.17
A
,
Rn
=
MACb
Random numbers)
two-way
IDg, Date-Time,
MACb
MACa
reciprocal procedure.
Validate
MACa
Rb
A
31
and
B
should send their access data and corresponding
establishment, and
it
hardly matters
sequence were imposed
If a
random number, but
this
who
(e.g.,
would break
acts
B
MACs
to each other after call
first.
sends
first),
B
A with a B would remain unchal-
could then challenge
the reciprocity because
lenged.
Figure 2.18 tackles this problem by using a three-way access control exchange. Such an exchange can be arranged in many ways, and Figure 2.18 shows only one approach. A starts by sending A's identity and a random number RA to B. B responds by sending B's identity and a random number RB, and returning a MAC for RA, thus securely identifying B. A authenticates the received MAC, and also returns a MAC for RB to B, which B authenticates. Each party is now convinced of the other's identity — or at least that the other party does indeed hold a key held by the system he claims to be.
[Figure 2.18 Three-way reciprocal authentication procedure with challenges: A sends IDA, RA; B replies with IDB, RB, MACB(RA etc.); A validates MACB and replies with MACA(RB etc.); B validates MACA.]

Digital signatures could be used for the MACs in Figure 2.18 to provide nonrepudiation. Each party would sign the challenging random number with its own secret key; the other would validate the signature with the signer's public key. Typically, the exchanges in Figure 2.18 would also include more data (e.g., date and time for recording with the access control exchange) for later reference. Passwords could be included, to avoid further handshakes. Encrypted data keys might be exchanged, for use in the subsequent secure session.
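The three-way exchange of Figure 2.18, combined with B's checks from Figure 2.14 (Date-Time current, random number unique), as an added example in Python that is not from the book. It assumes HMAC-SHA256 as the MAC algorithm, a 120-second acceptance window, and that each MAC also covers the sender's identity so that a challenge cannot simply be reflected back to whoever issued it.

```python
import hashlib
import hmac
import secrets
import time

WINDOW_SECONDS = 120   # acceptance interval for Date-Time (assumption)


def mac(key: bytes, *fields: str) -> str:
    """MAC (HMAC-SHA256 here) over the fields, joined with a separator so
    that field boundaries cannot be shifted between ID and random number."""
    return hmac.new(key, "\x1f".join(fields).encode(), hashlib.sha256).hexdigest()


class Party:
    """One system, A or B, holding the shared key k and its own clock."""

    def __init__(self, ident: str, key: bytes, clock=time.time):
        self.ident, self.key, self.clock = ident, key, clock
        self.seen = {}      # random numbers accepted within the window
        self.my_rnd = None

    def fresh(self, date_time: int, rnd: str) -> bool:
        """The checks of Figure 2.14: Date-Time current? Random number unique?"""
        now = int(self.clock())
        self.seen = {r: t for r, t in self.seen.items() if now - t <= WINDOW_SECONDS}
        if abs(now - date_time) > WINDOW_SECONDS or rnd in self.seen:
            return False
        self.seen[rnd] = now
        return True

    def start(self) -> dict:
        """Message 1, A -> B: IDA, RA."""
        self.my_rnd = secrets.token_hex(16)
        return {"id": self.ident, "r": self.my_rnd}

    def respond(self, msg1: dict) -> dict:
        """Message 2, B -> A: IDB, RB, Date-Time, MACB(RA, IDB, Date-Time).
        Including IDB binds the MAC to B, so it cannot be reflected to A."""
        self.my_rnd = secrets.token_hex(16)
        dt = int(self.clock())
        return {"id": self.ident, "r": self.my_rnd, "dt": dt,
                "mac": mac(self.key, msg1["r"], self.ident, str(dt))}

    def finish(self, msg2: dict) -> dict:
        """A validates MACB over RA, then sends message 3:
        IDA, Date-Time, MACA(RB, IDA, Date-Time)."""
        expected = mac(self.key, self.my_rnd, msg2["id"], str(msg2["dt"]))
        if not hmac.compare_digest(expected, msg2["mac"]):
            raise ValueError("MAC from peer does not validate")
        if not self.fresh(msg2["dt"], msg2["r"]):
            raise ValueError("peer's message is stale or replayed")
        dt = int(self.clock())
        return {"id": self.ident, "dt": dt,
                "mac": mac(self.key, msg2["r"], self.ident, str(dt))}

    def verify_final(self, msg3: dict) -> bool:
        """B validates MACA over RB; RB is then consumed, so a replayed
        message 3 fails the uniqueness check."""
        expected = mac(self.key, self.my_rnd, msg3["id"], str(msg3["dt"]))
        return (hmac.compare_digest(expected, msg3["mac"])
                and self.fresh(msg3["dt"], self.my_rnd))


def run_handshake(key_a: bytes, key_b: bytes, skew: int = 0) -> bool:
    """Drive the exchange with fixed clocks (B's clock ahead of A's by
    `skew` seconds) and report whether B finally accepts A."""
    base = 1_000_000                      # constructed timestamp
    a = Party("A", key_a, clock=lambda: base)
    b = Party("B", key_b, clock=lambda: base + skew)
    try:
        msg3 = a.finish(b.respond(a.start()))
    except ValueError:
        return False
    return b.verify_final(msg3)
```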
Note that there are perils associated with procedures which involve requesting another party to sign a random number, and return it. If the so-called random number is really an integrity check on an unseen message, the signatory has effectively signed that message. If the random number is in reality data encrypted under the signatory's public key, he or she is tricked into decrypting the data. Moreover, depending on the algorithm used, these frauds can be concealed by previously multiplying the number, and dividing out afterwards.
CCITT Recommendation X.509 [3] addresses one-way, two-way, and three-way access management procedures in the context of Directory Services.

2.3.2 Personal Identification Procedures
Reciprocal authentication between systems is based on each system holding a key (or keys) and executing algorithms, such as one-way functions, random-number generation, and encryption/decryption. It also supposes that the systems have the capacity to hold the data being authenticated. How is an individual to identify one's self to a computer in order to use it? How can long keys be remembered, complex algorithms memorized to be performed, or several pages of text held error-free in memory? The answer is: they can't. Computing equipment is needed to help; to act as the security agent in exchanges with other systems, as shown in Figure 2.19. Between the security agent and the remote system, the system-to-system authentication procedures just discussed can apply; but how is the user authenticated by his agent system? We are back at the original problem.

The traditional answer to this difficulty has been to make access to the agent system physically as well as logically secure. The agent system would be in a locked terminal room, or in a private house, so that only a person holding a physical key could use it. Once entry was gained, the user would then, in addition, have to supply his identity and password — either to the agent system, or if that were a simple terminal, through it to the host for authentication. Thus, authentication of the user was based on:
• something held (a key to a room);
• something known (a password).
If the agent system is just a simple terminal, the only additional security it provides is its location in a secure room, at a fixed network address (e.g., for callback). User authentication is really directly to the remote host — with the risks, such as that of sending passwords in clear, that have been discussed. A proper security agent will have processing power so that its role, as shown in Figure 2.19, is:
• to authenticate the user initially, and to ensure at all times thereafter that it is sure of the user's identity until the session ends;
• to act on the user's behalf in ensuring the security of all exchanges with remote systems, and to make sure that the user is fully informed of what is being done on his behalf.
Rather than rely on a physical (room) key to help control access to the agent, the authentication of the user can be based on the provision of a key (something held) directly to the agent. Such a key could be encoded on the magnetic stripe of a plastic card. Moreover, the card can contain not only the key for accessing the agent system, but also the keys to be used by it for accessing remote systems on behalf of the user.

[Figure 2.19 The security agent concept: User; Security agent (workstation); Remote system (host).]
This approach then allows for the mobility of the user, since the keys are portable and not fixed in any particular agent system. The role of the agent system is to execute algorithms and procedures, not to hold secret data such as keys. Figure 2.20 shows a typical access control system based on the user holding a card with (encrypted) keys on it, which is brought into action by his entering a personal identification number (PIN) at the keyboard or PIN pad of the agent system. The card holds the following read-only data:
1. The cardowner's identity (ID), encrypted with a secret key shared by all authorised agent systems so that they can decrypt ID again.
2. A hashed version of the owner's PIN, password (PW), and identity combined, H(PIN, PW, ID). Hashing is irreversible: the PIN and PW can not be found from H(PIN, PW, ID).
3. The owner's encrypted keys, to be used by the agent for remote communication.
(Having both a PIN and password allows flexibility. For example, the PIN can be strictly secret and personal; the password a secret shared by all authorised users.)
The procedure for use is as follows:
1. The user places the card in the card reader, and enters his PIN and password.
2. The agent reads and decrypts the owner's identity (1) from the card.
3. The agent computes the hashed value (2) on the basis of the three inputs and compares the result with the version of (2) held on the card.

[Figure 2.20 Card-based access control at the agent: card (XYZ Co.), PIN, PW.]
4. If the two versions agree, the agent concludes that the PIN and password entered by the user are compatible with item (2) held on the card — that is, that user and cardowner are one and the same person; and that the user/owner is authorised for this system, because the decrypted identity (1) is also compatible.
5. The agent reads, decrypts and uses the keys (3) on the user's behalf.
In this procedure, the agent has no list of authorised users and passwords. It simply checks that the cardowner and user are identical, and relies on the successful decryption of the identity to check their authorisation. The procedure could easily be altered to allow the hashed value H(PIN, PW, ID) to be held by the agent rather than on the card. It would be accessed in a table, using the PIN entered by the user as an index. Many other variants can be imagined, all with the basic aims of ensuring that:
• the user and cardowner are one and the same person;
• the user/owner is authorised to use the agent system;
• if the card is stolen, it can reveal neither its owner's identity, nor his keys (which are encrypted), nor his PIN and password (which are not on the card, except in hashed form) to the thief who sets about analysing its contents at will.
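The card-based procedure of Figure 2.20 (items 1 to 3 on the card, steps 1 to 5 at the agent), as an added example that is not the book's code: the agent holds only the key shared by authorised agents and no list of users. It assumes a toy HMAC-based keystream cipher with an integrity tag in place of the unspecified symmetric cipher, PBKDF2 as the hash H, and that the owner's communication keys are wrapped under a second value derived from (PIN, PW, ID).

```python
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32
KDF_ROUNDS = 50_000   # work factor for H (assumption)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode HMAC-SHA256 keystream: illustration only, standing in
    for the symmetric cipher shared by the authorised agents."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag (encrypt-then-MAC, so tampering is detected)."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes):
    """Return the plaintext, or None if the blob was not made under this key."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def H(pin: str, pw: str, ident: str, purpose: bytes = b"verify") -> bytes:
    """Irreversible hash of (PIN, PW, ID); PBKDF2 slows a thief's search of a
    stolen card. `purpose` separates the verifier stored on the card from the
    key that wraps the owner's communication keys (this example's assumption)."""
    return hashlib.pbkdf2_hmac("sha256", f"{pin}\x1f{pw}".encode(),
                               purpose + ident.encode(), KDF_ROUNDS)


def issue_card(agent_key: bytes, ident: str, pin: str, pw: str, comm_keys: bytes) -> dict:
    """Items 1 to 3 of Figure 2.20, written once onto a read-only card (a dict here)."""
    return {"enc_id": encrypt(agent_key, ident.encode()),            # (1)
            "hash": H(pin, pw, ident),                                # (2)
            "enc_keys": encrypt(H(pin, pw, ident, b"wrap"), comm_keys)}  # (3)


class Agent:
    """Holds only the key shared by all authorised agents; no user list."""

    def __init__(self, agent_key: bytes):
        self.agent_key = agent_key

    def authenticate(self, card: dict, pin: str, pw: str):
        """Steps 2 to 5: return (ID, communication keys) or None."""
        ident_bytes = decrypt(self.agent_key, card["enc_id"])
        if ident_bytes is None:
            return None       # ID not decryptable: card not issued for this system
        ident = ident_bytes.decode()
        if not hmac.compare_digest(H(pin, pw, ident), card["hash"]):
            return None       # user and cardowner are not the same person
        keys = decrypt(H(pin, pw, ident, b"wrap"), card["enc_keys"])
        return ident, keys
```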
However, the system shown in Figure 2.20 has one major defect. Critical data, such as the user's keys, are held in clear and used by the agent system. There, defective or malicious software could leave them unerased after the user's session ends, to be copied and used by intruders. This problem is addressed by locating the security functions of the agent in a tamper-proof unit that plugs into the agent system. This security unit will contain a microprocessor which will use the keys, held in the unit or read in from the card, and execute the algorithms and procedures. The unit's functions will be invoked by the application software in the hosting agent system, which can issue calls to it, such as encrypt, decrypt, sign and authenticate, with appropriate parameters to indicate the data; but the keys will never enter the hosting system. Typically, PIN entry via a PIN pad (a compact restricted keyboard) will be directly to the security unit, so that even the PIN itself does not enter the agent system. (See Figure 2.21.)

Tamper proofing of the unit protects it against physical, electromagnetic, and chemical attempts to read the data contained by it. Such attempts will result in the data within the unit being erased. Similarly, attempts to find the PIN (which is usually a short alphanumeric string for ease of memorisation) by means of trial and error are detected. For example, three successive entries of an incorrect PIN could be taken to be an attempt to search for the real one, and would lead to erasure of the security data.
This concept of a coprocessor in a tamper-proof security unit is also applicable to the remote host system (e.g., a mainframe computer), as shown in Figure 2.22. Here, it would perform security functions for the mainframe and, in particular, control access to it by system-to-system secure access management procedures. The unit at the mainframe will also have an associated card reader, PIN pad, and probably a terminal, for use by the system operators. With these they will be able to configure the security system —
A card's capabilities are further extended with a write facility. This usually means that the card is based on a built-in microprocessor with associated memory, with a serial interface to the Card Read/Write Control unit. Often the protocol for this interface incorporates encryption of all data in transit between the card and its control unit. A typical use for the write facility is "debiting". For example, the card may be issued with a credit of money, time, or accesses loaded onto it — and probably prepaid by the user. Each time the card is used the hosting system invokes the security unit to debit these stored credits appropriately. Eventually the credits reach zero and the card must be scrapped or recharged. However, certain items on the card, such as the user's (encrypted) ID, should not be able to be written from the agent, so that new cards with bogus security data can not be created by fraudulent users.
A card with a processor on it can do more than just carry out one half of a dialogue (with its control unit). It can perform full-blown security functions, such as generating MACs or digital signatures. Such a card, based on integrated circuit technology, is variously called an IC card, a chipcard, or a "smart" card. Here it is referred to as a chipcard. If the security functions for the owner/user of the chipcard are performed within the chipcard, then his keys need never leave the chipcard. This is clearly a major security advantage. In the extreme situation, the chipcard could have the status and functions of a portable agent, which would use a card control unit and terminal simply as transparent devices to reach the remote host. In practice, this is not so. Chipcards do not yet have the processing power to handle all the necessary algorithms, nor adequate input/output facilities (alphanumeric pad, display) for handling data, as opposed to commands. More importantly, they lack significant filing facilities. For these reasons the chipcard usually serves as a combined means of identification, security processor, and secure store for personal keys.
It is used with a workstation with a built-in card control unit that runs applications, supports files and their management, and provides the method of controlling the chipcard via keyboard and screen. If a remote system is also involved, the workstation acts as agent for secure system-to-system communication. A typical range of functions for such a system would include:
1. Secure identification of the user. For example, the procedure could be that shown in Figure 2.23. Two steps are involved: checking by the chipcard itself that owner and user are one and the same person; checking by the agent system that the owner/user is authorised to use the agent. In the first stage, the user enters his PIN at a PIN pad built into the chipcard. The PIN and the cardowner's stored ID are hashed and compared with a stored value of the result, all within the chipcard. If the comparison is successful, the second stage follows. Then the user enters his password (PW) to the agent via the keyboard. The agent hashes PW and ID (read ID encrypted from the chipcard) and uses the result to index into a table of authorised users. In that table (amongst other data) is a user-specific number N (say) which is sent to the chipcard for validation (e.g., comparison with the N stored in the chipcard). Only if both stages are successful is the user accepted as genuine and authorised.
[...] and in this [...] would typically be performed in the disk controller [...] keys in [...] when booting, using built-in tamper-proof hardware.
Finally, it should be noted that there are other methods of personal identification besides that of chipcards interacting with a security agent workstation. One such method is as follows: Each user has a small light-sensitive device with a microprocessor, a clock, and some secret personal data, contained in it. The user identifies himself to the system he wishes to use (local or remote) with his password, at the keyboard — and the system sends a flashing pattern to the screen, which is illegible. The user holds up the device to the screen, which uses data concealed in the pattern together with the time and its secret data, to calculate an access code, using a one-way function. The access code is displayed on a small display in the device. The host system meanwhile performs a similar calculation on the basis of the user's claimed identity and the time, and calculates the same access code, which remains valid for a short time. To use the host, the user must submit the access code (displayed by the device), which is then compared with that calculated in the host for validity. If the user does not submit an identity and password compatible with the device in his possession, the access code displayed on the device will not match that generated in the host, and access will be refused.

Yet another identification technique is based on a small portable calculator that contains a clock keeping the same time as the clock in the system to be used. To obtain an access code, the user enters his PIN to the calculator. The calculator validates the PIN, and then combines an internally stored owner-dependent secret number N and the time, to generate an access code A which it displays. The user logs into the host system with his ID, and on the basis of this claimed identity the host extracts its own copy of N from the file of authorised users, and also calculates A. When the user submits the A produced by the calculator to the host, it is compared with the host's version; and if they agree, access is permitted. Because of the time-dependence, A is constantly changing and, so, guarding against a replay attack. Stolen calculators are worthless unless the thief knows both the owner's PIN (to activate the calculator) and ID (for the host).

In the future it is expected that personal identification procedures based on "what one knows" and "what one has" will be supplemented with ones using "what one is" (e.g., by reading fingerprints) or "what one can do" (e.g., execute one's own signature). The technology for verifying by computer items such as fingerprints and signatures is not yet cheap enough for general use.
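The calculator-based access code A = f(N, time) described above, as an added example in Python that is not the book's: it assumes f is HMAC-SHA256 truncated to six digits over a 60-second time step, and adds the host-side checks a practitioner would want, tolerance for one step of clock drift and refusal of a code that has already been accepted.

```python
import hashlib
import hmac

STEP = 60   # seconds per access code (assumption)


def access_code(secret_n: bytes, t: int) -> str:
    """A = f(N, time): a one-way function of the secret N and the current step."""
    counter = (t // STEP).to_bytes(8, "big")
    digest = hmac.new(secret_n, counter, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


class Calculator:
    """The user's device: activated by the owner's PIN, holds N and a clock."""

    def __init__(self, pin: str, secret_n: bytes):
        self._pin, self._n = pin.encode(), secret_n

    def code(self, pin: str, t: int):
        if not hmac.compare_digest(self._pin, pin.encode()):
            return None          # wrong PIN: the calculator stays inactive
        return access_code(self._n, t)


class Host:
    """Looks N up by the claimed ID, recomputes A and compares."""

    def __init__(self, users: dict):
        self.users = users       # file of authorised users: ID -> N
        self.last_step = {}      # highest time step already accepted per ID

    def verify(self, ident: str, code: str, t: int, drift: int = 1) -> bool:
        n = self.users.get(ident)
        if n is None:
            return False         # unknown identity
        step = t // STEP
        for s in range(step - drift, step + drift + 1):
            if s <= self.last_step.get(ident, -1):
                continue         # a code for that step was used already: replay
            if hmac.compare_digest(access_code(n, s * STEP), code):
                self.last_step[ident] = s
                return True
        return False
```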
2.3.4 The Secure Session
The purpose of secure access management is to determine the identities and rights of the parties involved unequivocally. As has been seen, these access control procedures take many forms and are often quite complicated. Whether the procedures operate between two systems or between a human user and a system, both parties are expected to hold secret information (keys, PIN, password); usually, both are expected to perform complex algorithms (although a human user may have it done for him or her on the chipcard); both are expected to take part in procedures in which they are to react to actions by the other (challenges, requests) more or less at once.

As soon as these procedures are successfully terminated, data exchange may proceed uninterrupted. The parties are known and approved. Any special action they want to take, such as accessing a privileged file, can be easily vetted by checking the requestor's known identity against his authorised capabilities. Any recording for audit purposes is simply a matter of filing the details of the action with the requestor's identity appended. Unfortunately, this is not so. Indeed, the easiest moment for an intruder to gain access is immediately after the successful completion of a secure access control procedure.
For example, the intruder arranges for the authorised user to be called away from his (now active) work station (e.g., to the telephone), and the intruder takes the authorised user's place. Figure 2.24 illustrates how system C can passively observe systems A and B engage in reciprocal authentication, and as soon as this is complete, begins to impersonate A to B, and B to A by actively intervening. Note that to achieve this, C does not need to know any secrets, such as keys and PINs, held by A and B. To inhibit this kind of active intervention following passive observation, the concept of the secure session is required. The objective is to ensure that only the parties authenticated at the start can continue the session, and that the session is securely terminated at the appropriate time.
[Figure 2.24 Intrusion after reciprocal authentication: reciprocal authentication A-B; then C impersonates.]

The standard method of making the session secure is to encrypt all traffic following the initial access control procedures. The key for this encryption would be particular to the current session. It could be generated by either party, and sent to the other in encrypted form. Figure 2.25 shows this approach grafted onto the simple two-way handshake of Figure 2.17. A sends identification securely to B using a digital signature, based on a secret key ksA. B responds, signing with ksB, and returning a symmetric key, K, encrypted with A's public key kpA. A decrypts K with ksA. K is used to encrypt/decrypt all subsequent traffic. (Note that in this case, A and B must know each other's public keys.)
[Figure 2.25 Establishing a common key (K) for a secure session: A sends IDA, Date-Time, RA, SigA(IDA, Date-Time, RA); B validates SigA using kpA, generates K, and sends IDB, Date-Time, RB, E(kpA, K), SigB(IDB, Date-Time, RB, E(kpA, K)); A validates SigB using kpB and decrypts E(kpA, K) using ksA to get K; the data exchange is then encrypted with the symmetric key K. Notation: SigX(Y) = D(ksX, Y); E = encryption/public key operation; D = decryption/secret key operation.]
Figure 2.26 shows a more symmetric approach, based on the three-way handshake of Figure 2.18. Here, both parties determine the key K, each contributing a component KA or KB, with K = f(KA, KB). If the function f() is simple (e.g., the XOR of KA and KB), both components must be encrypted when sent — and this is shown in Figure 2.25 — if they are not to be leaked. However, techniques such as the Diffie-Hellman Exponential Key Exchange exist, which make explicit encryption unnecessary.

Often situations exist where A and B do not trust each other fully. For example, if A is a subscriber to a commercial service B, A might wonder if B had not arranged for a readily breakable key to be used for the benefit of eavesdropping friends. [...] It is suitable to [...] fraudulent insiders at [...] an outside [...] should be a low level. [...] It is [...] this cooperative approach to key generation is preferred. [...]
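The contrast drawn above between K = KA XOR KB, whose components must travel encrypted, and Diffie-Hellman exchange, whose public values can travel in clear, as an added example that is not from the book. The group p = 2^127 - 1, g = 5 is a toy chosen for illustration (a standard 2048-bit group would be used in practice), and the signatures of Figure 2.26 over the exchanged values are omitted.

```python
import hashlib
import secrets

P = 2**127 - 1    # toy prime modulus (assumption; not a production group)
G = 5


def xor_combine(ka: bytes, kb: bytes) -> bytes:
    """The simple f(KA, KB) = KA XOR KB."""
    return bytes(x ^ y for x, y in zip(ka, kb))


def xor_scheme(ka: bytes, kb: bytes):
    """Both parties obtain K, but so does anyone who saw the two components
    pass unencrypted. Returns (K at A, K at B, K at the eavesdropper)."""
    on_wire = (ka, kb)               # what an observer sees if not encrypted
    return xor_combine(ka, kb), xor_combine(kb, ka), xor_combine(*on_wire)


def dh_contribution(secret: int) -> int:
    """Public component g^secret mod p; safe to send in clear."""
    return pow(G, secret, P)


def dh_session_key(own_secret: int, peer_public: int) -> bytes:
    """K = hash(peer_public^own_secret mod p) = hash(g^(ab) mod p)."""
    shared = pow(peer_public, own_secret, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def dh_scheme(a: int, b: int):
    """A holds secret a, B holds secret b. Returns (K at A, K at B, values
    on the wire); the wire carries only g^a and g^b, never K."""
    pub_a, pub_b = dh_contribution(a), dh_contribution(b)
    return dh_session_key(a, pub_b), dh_session_key(b, pub_a), (pub_a, pub_b)


def new_secret() -> int:
    """A fresh private exponent in [2, p-2]."""
    return secrets.randbelow(P - 3) + 2
```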
This raises the question of the level, in the OSI sense, at which such encryption takes place. It is not an application function. Users can still encrypt specific application data units whenever they want. The secure session concept is in effect a connection confidentiality service applied to circuit-switched connections, and the encryption can be performed at the physical layer with a line encryptor. Alternatively, if a packet-switched network is used, the secure session encryption could be on the content of all data packets or, perhaps better, on all transport protocol data units (i.e., built into the transport protocol).
[Figure 2.26 3-way handshake and cooperative key generation: A generates KA, RA and sends IDA, RA etc.; B generates KB, RB and sends IDB, E(kpA, KB), RB etc., SigB(RA, KB); A decrypts KB, validates SigB and sends E(kpB, KA), SigA(RB, KA); B decrypts KA and validates SigA; both compute K = f(KA, KB) and the secure session runs under the symmetric key K.]

Just as users of a secure session can selectively encrypt critical application data, so they should selectively authenticate such data. This particularly applies if nonrepudiation is required. In this case, evidence of a critical item must be held, and it would be difficult to gather conclusive evidence that the item had been received on a secure session from A, as opposed to being generated by B (who knows K) and inserted into the recorded dialogue. In short, secure access management and the secure session provide a secure infrastructure against attack by outsiders. Further application level confidentiality and authenticity services are required to guard against insider misbehaviour at both ends of the communication channel.

It is particularly important that the secure session is securely terminated. Proper termination of communication uses confirmation of the "clear" command from the cleared terminal to the clearing terminal. Without this confirmation, the clearing terminal may close down, assuming the other end has done the same, when it has not. On a switched network, the danger exists that a new caller may pick up and carry on the old suspended session. This is particularly problematic with higher-level OSI protocols, which make explicit provision for session continuation in the face of temporary network breaks.
Secure sessions should have built-in timeouts. If there is no traffic for a certain interval of time, the session should be cleared. Additionally, it may be desirable that at regular intervals each party challenges the other to reprove its identity (e.g., by sending a random number to be signed digitally and returned).

2.3.5 Anonymity
Some systems need to support anonymous users, as opposed to registered subscribers. They want to know that the user is vouched for by someone trustworthy (e.g., a bank) who will, in case of difficulty, identify and help pursue the user; but for ordinary trouble-free transactions, the system is not interested in the user's identity, and does not need to preregister him or her. This is the OSIS (open shop for information systems) concept. It applies particularly to services, such as those provided by on-line information bases, which would like a numerous clientele, but whose users are frequently casual and likely to be put off by registration procedures.
The requirement can be met using asymmetric key techniques as in Figure 2.27, which is the three-way handshake shown in Figure 2.26, further elaborated. The certificate consists of:
• A's identity, perhaps in "anonymous" form (e.g., a bank account number only);
• an expiry date, after which the certificate is no longer valid;
• A's public key, kpA;
• a signature to the above items by a Certification Authority (CA), using the CA's secret key ksCA.
Thus A's certificate, C_A, is defined as
C_A = SigCA(IDA, Expiry Date etc., kpA)
where SigCA(X) = D(ksCA, X). The CA's public key kpCA must be widely known — in particular to B — so that the certificate can be authenticated on reception. The objective is to stop an outsider C generating an asymmetric key-pair {kpC, ksC} and subsequently passing off kpC as kpA, thus enabling C to impersonate A. The CA could be the relevant bank, or some higher level authority who knows who A really is. Maybe the CA is also prepared to guarantee A's credit, within limits, as with a credit card issuer.

In Figure 2.27, A initially submits his or her identity in the form of a certificate. On reception, B authenticates A's certificate, and in sending RA signed, RB and so on to A, also sends its own (B's) certificate. Then A authenticates kpB and uses it to validate B's signature to RA. In turn, when B receives RB signed by A, B uses kpA to validate the signature.

[Figure 2.27 3-way handshake using certificates: A sends C_A, RA etc.; B validates C_A and sends C_B, E(kpA, KB), RB etc., SigB(RA, KB); A validates C_B, decrypts KB, validates SigB and sends E(kpB, KA), SigA(RB, KA); B decrypts KA and validates SigA.]
Note that the use of certificates enables A and B to encrypt KB and KA (for the secure session) respectively, without having to know kpA and kpB in advance (i.e., before the access procedures began). In general, digital signatures for authenticity can be accompanied by certificates to permit authentication, with no prior need for either party to hold information (e.g., public keys) about or belonging to the other. The situation is different if confidentiality is required. The sender of encrypted data needs the recipient's public key (or some other key) in advance. If he does not have it already, the sender must obtain it (e.g., in the form of a certificate), either from the intended recipient in some initial exchange or from a directory service, or possibly directly from the issuer of the certificate.

Finally, the possibility of passing off one bogus public key as another (C's as A's on B, and as B's on A) in the absence of certification allows C passively to eavesdrop on conversations between A and B. C need only decrypt items received with the secret key corresponding to the bogus public key he or she issued, and then reencrypt them with the real public key of the intended recipient. This, however, can be detected if A sends half an encrypted item and refuses to send the other half until B has replied. C cannot decrypt (and reencrypt) half an item. If C forwards it unchanged, B cannot make sense of it (when supplemented with the second half) since A used a wrong public key. In short, C is forced into impersonating A or B. He becomes active, not passive, and can be trapped by some failure of knowledge (e.g., of the correct response, password, and so on).
2.4 OSI LAYERS AND NETWORKS
In Chapter 1 the question was raised as to which layer in the OSI/RM individual security services should be allocated (see also Appendix A). The question arose again in considering the secure session concept. ISO working groups are developing standards for security at all the layers identified in ISO 7498.2 [4]. In many practical cases we are concerned with one or more of only three layers:
• The physical layer, where the confidentiality service is often provided by means of line encryptors working on raw data (Fig. 2.28).
• The transport layer, in which transnetwork, host-to-host security services, such as confidentiality and authenticity, are provided. This is the lowest end-to-end layer above the network layer; and the approach is particularly suitable when the infrastructure is based on packet switching.
• The application layer, where confidentiality and authenticity services particular to an application in the host(s) are provided.

[Figure 2.28: only the label "System A" survives.]
However, this simple approach begins to break down when the nature and range of functions provided by "networks" are considered. Networks are not necessarily transparent, connection-oriented, or directly connected to users' equipment. A list of some problem areas follows:
• Some networks are accessed via other networks using, perhaps, switched connections. For example, X.25 packet-switched data networks (PSDNs) are often accessed via the public-switched telephone network (PSTN). It is desirable that secure access management (at the network layer?) between user equipment and PSDN over the PSTN should be available (cf., CCITT Recommendation X.32 [5]).
• Distribution networks which do not involve any mandatory confirmation of reception of data by the destination exist in various forms. For example, datagram networks are often used in this fashion. More importantly, most E-Mail systems, whether based on mailboxes or X.400 MHS (see Chapter 5), simply accept data for later, possibly unconfirmed delivery. It is desirable that the "network" should at least accept nonrepudiable responsibility for the users' data submitted to it. Ideally, the network should also provide nonrepudiable proof of delivery so that the remote recipient can not claim that he never got it.
• "Connections" whether to a network (e.g., to a PSDN via the PSTN), or across a network, or both, use call establishment procedures that are 1-way. The most secure procedures (see above) are 3-way — but few if any standards provide for such procedures.
• The application layer is not a single layer. Apart from the existence of recognised application service entities (ASEs) such as ACSE, RTSE, and ROSE, applications run on top of other applications. For example, EDI can run over MHS. What should be encrypted, for example? An entire MHS message exchanged between MTAs? The entire content (not envelope) of an MHS message exchanged between end-systems? The content, or segments of the content (i.e., not including header information), of an EDIFACT message carried as the content of an MHS message?
• Some "networks" duplicate (i.e., copy data) internally or otherwise handle multiple delivery so that the same data arrive at many distinct destinations. Considering encryption again, either all these destinations share the same key (public asymmetric or secret symmetric), which is used by the sender, or the network performs encryption transformations, or the sender has to send multiple copies of the key (e.g., a common symmetric key, K, repeatedly encrypted with different asymmetric public keys, kp1 to kpN). See Figure 2.29.

An approach to these and other problems could be based on the following principles, which go back to service requirements rather than considering security procedures:

[Figure 2.29: the sender transmits E(kp1, K), E(kp2, K), ..., E(kpN, K) together with E'(K, Data); of the recipient labels only "A1 ... AN" survives.]
worked out and applied, and could provide a guide as to how to select and use security services offered by the various OSI layers. The most important aspect, which is highlighted, is that in most systems there are certainly three parties, not two, as follows:
• the originator of data;
• the recipient(s) of the data;
• the network(s) carrying the data, with varying degrees of active, nontransparent participation. (More than one network may be involved in relaying the traffic.)
This provides two major interfaces:
• user end-system to user end-system;
• user end-system to network infrastructure.
A third interface, which is likely to be of increasing importance, is the network-to-network interface, where gateways between not-fully compatible OSI networks will have not only the usual difficulties of mapping services, but also the restriction that much security traffic cannot be translated or mapped from one standard to another without compromising its security. We return to the topic of security in OSI networks in Chapter 5.
REFERENCES

[1] ISO 8732, Modes of operation for a 64-bit block cipher algorithm.
[2] ISO 8730, Banking — Requirements for message authentication (wholesale).
[3] CCITT Fascicle VIII.8, X.509, The Directory — Authentication Framework, CCITT Blue Book, Geneva, 1988.
[4] ISO 7498-2, OSI Reference Model — Security Architecture.
[5] CCITT Fascicle VIII.2, X.32, DTE/DCE interface for a packet-mode DTE accessing a PSDN through a PSTN, ISDN or CSDN, CCITT Blue Book, Geneva, 1988.
Chapter 3
Security Management

3.1 SCOPE OF SECURITY MANAGEMENT

Management of security is a wide-ranging topic. It is concerned with managing everything that contributes to attaining the goals of the security policy — the security procedures, mechanisms, the infrastructure, errors, and failures. One major function of security management is the management of the security domain. This is a concept taken from ECMA TR/46 [1], where the security domain is defined as all the areas to which a given security policy applies. The extent of responsibility of security management is often the security domain; a form of management which is also required is the management of interworking with other security domains, where different policies apply.

ISO 7498-2 [2] identifies four categories of security management, as follows.
• System security management. This covers the management of the overall policy (including updates and management of consistency), security event handling, audit management, recovery, and the management of the access control policy.
• Security service management. This includes the determination of the precise security services required, their mechanisms, and the local and remote negotiation of security mechanisms (e.g., between security domains).
• Security mechanism management. This covers management functions associated with detailed security mechanisms, such as encryption and authentication, including in particular key management and PIN management.
• Security of OSI management. This covers the secure management of the (OSI) infrastructure (i.e., the networks over which the computer systems communicate). Secure management of the infrastructure should assure its availability.

In this chapter we look firstly and principally at the third category of security management functions, the management of security mechanisms. Since the security of most mechanisms is controlled by keys, the management of security keys is a major topic. After reviewing key (and PIN) management, the first and second categories of security management are briefly discussed.

3.2 KEY MANAGEMENT

Keys for security procedures and algorithms have to be generated, stored, certified or notarized, distributed, used, withdrawn, and destroyed at various stages in their existence. Key management includes all these operations, and has the central purpose of ensuring that the keys concerned are kept secret all the time.

Keys must always be kept secret from unauthorised outsiders. Additionally, keys are often kept secret from their owners. For example, an owner may only be able to use his key, inside some tamper-proof unit, by entering a correct PIN. He knows the PIN but not the key. Again, a key is often shared between several owners. Each owner has a part of the key (a key-part), and when all key-parts are entered to the security unit the real key is recreated, for example by XORing the key-parts together. No owner individually knows the whole key, although all know their own key-parts.

In the two above examples the secrecy of a key is ensured by "locking" it away under PIN control, or trusting that the owners will not collude and recreate the key outside the security unit where it is used. A third, most common method is to encrypt the key under another key-encrypting key. The original encrypted key need no longer be physically hidden, since it is now logically hidden. Of course, all these methods of ensuring the secrecy of keys come back to the original problems eventually: trusting people, and keeping secret master key-encrypting keys. The techniques of key protection are not absolute. They merely serve to concentrate the points and procedures where keys could be misused onto trustworthy and controllable persons and equipment.
3.2.1 Key Generation

The life of a key begins with its generation. In very many cases, keys are pseudo-random numbers. A random key may be generated by its owner (A), by some key generation authority, or by some other person (B) who wishes to communicate with (A). There may be objections to all three of these approaches (see below), but there is usually no physical or computational difficulty in producing a random key. Some security algorithms, however, and notably RSA (see Chapter 4), require keys which are quite complex to generate, and even then need to be tested to see if they are "good". In this case, there will be a need for a central authority to test, if not also to generate, keys.

True random numbers for ordinary keys can only be generated from some truly random physical source outside the deterministic structure of computers and their programmes. Chips, which generate numbers on the basis of low level electronic noise, can be such a source. In many cases, however, pseudo-random numbers are quite adequate. See Chapter 4 for a more complete discussion of this topic.

One standard method of generating a pseudo-random number is given by ANSI standard X9.17 [3] and is based on block encryption. We denote the encryption operation using a key, k, reserved for random number generation by E_k(). The process starts with a date-time vector, d, which is the date and time coded into a binary bit pattern using repetition or other expansion, if necessary, to make it the length of the encryption block. Then

I = E_k(d)

where I is an intermediate value, and the random number R is given by

R = E_k(I + V)

where V is a seed value, updated each time after use as follows:

V = E_k(I + R).

ANSI X9.17 recommends a double-length key, so k = kl, kr where l and r stand for left and right. The encryption operation in random number generation now becomes E_kl[D_kr[E_kl()]], where D is the decryption operation corresponding to the encryption. Thus, the method is:

I = E_kl[D_kr[E_kl(d)]]
R = E_kl[D_kr[E_kl(I + V)]]
V = E_kl[D_kr[E_kl(I + R)]]
Sometimes persons who are to share a key would like to generate it cooperatively rather than leave it to only one party to generate and distribute. If the key is confined to one system, then a simple method of achieving this is the following:
• The system generates the pseudo-random key k;
• f(k) is calculated by the system, where f() is a one-way function. It is saved by the system;
• The n users each generate random secret key components k_i (i = 1 to n) and enter them to the system;
• k_0 = k + k_1 + k_2 + … + k_n, where the plus sign signifies XOR, is calculated secretly by the system and saved; k is destroyed;
• To regenerate k from k_0 all the n users must enter their own keys (e.g., from a keyboard or chipcard) for XORing with k_0. The validity of k is tested by evaluating f(k) and comparing it with the saved value.

The n users cannot find k if they collude, unless they can also break into the system to find k_0.
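The split-knowledge scheme just described, as an added example in Python (not the book's code): the system keeps only k_0 and f(k); the one-way function f() is taken to be SHA-256, and the key length and parts are constructed values, both assumptions.

```python
"""Split-knowledge key storage: k is held only as k0 = k XOR k1 XOR ... XOR kn,
plus a one-way check value f(k). Added example, not the book's code; f() is
taken to be SHA-256 here (the book only requires some one-way function)."""
import hashlib
import secrets
from functools import reduce

KEY_LEN = 16  # bytes; constructed parameter, any block length works


def xor_all(parts):
    """XOR an iterable of equal-length byte strings."""
    return reduce(lambda a, b: bytes(x ^ y for x, y in zip(a, b)), parts)


def one_way(k):
    """The saved check value f(k); SHA-256 is an assumption."""
    return hashlib.sha256(k).digest()


def enrol(k, user_parts):
    """System side: given the pseudo-random key k and the users' secret parts,
    return the record the system keeps (k0 and f(k)). k itself is then discarded."""
    k0 = xor_all([k] + list(user_parts))
    return {"k0": k0, "check": one_way(k)}


def regenerate(record, user_parts):
    """Recreate k from k0 and ALL user parts, verifying it against the saved f(k).
    Returns the key, or None if any part is missing or wrong."""
    k = xor_all([record["k0"]] + list(user_parts))
    if one_way(k) != record["check"]:
        return None
    return k


def demo(n=3):
    """Enrol a random key with n users and check the three properties of the scheme."""
    k = secrets.token_bytes(KEY_LEN)
    parts = [secrets.token_bytes(KEY_LEN) for _ in range(n)]
    record = enrol(k, parts)
    all_present = regenerate(record, parts) == k
    # colluding users without the system's k0 learn nothing about k
    colluders_only = xor_all(parts) != k
    # one part missing (here: replaced by zeros) fails the f(k) check
    one_missing = regenerate(record, parts[:-1] + [bytes(KEY_LEN)]) is None
    return all_present, colluders_only, one_missing
```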
Another method enables any m out of n users to cooperate in "unlocking" the key k. It is based on a polynomial, with integer coefficients, of degree (n − 1), denoted by p(x). To generate the key k, the following steps apply:
• p(x) of degree (n − 1) is chosen with positive integer coefficients. (The choice of coefficients is nontrivial if numbers within an acceptable range are to be produced);
• n arbitrary positive abscissae x_i (i = 1 to n) are chosen, and the ordinates y_i = p(x_i) are calculated;
• the n users are issued with key-pairs (x_i, y_i), which are not held by the system;
• a further (n − m) arbitrary abscissae x'_j (j = 1 to (n − m)) are chosen, and y'_j = p(x'_j) are calculated;
• the key-pairs (x'_j, y'_j) are held secretly by the system;
• x_0 is arbitrarily chosen and held, and k = p(x_0) — but k is not calculated unless needed, and p(x) is destroyed.

To regenerate k, p(x) must be created. This can be done by fitting a polynomial to the n points made up from the (n − m) key-pairs (x'_j, y'_j) held by the system and any m of the n users' (x_i, y_i). Once p(x) is regenerated in this way, k is found from k = p(x_0). k and p(x) are again destroyed after use. Note that k is easily changed, without changing users' keys, by changing x_0. Note also that, provided that the x_i and x'_j are distinct, the system of n linear equations involved in finding (the coefficients of) p(x) is always nonsingular, giving a unique solution. Figure 3.1 illustrates the scheme for n = 3, m = 2.

Figure 3.1 Polynomial sharing of a key. [p(x) of degree 2; any two of (x_1, y_1), (x_2, y_2), (x_3, y_3), with the system's pair, can regenerate p(x) and hence k, from x_0.]
If a key is to be generated cooperatively between remote systems, the Diffie-Hellman technique [4] may be used. It is illustrated in Figure 3.2.

Figure 3.2 Diffie-Hellman exponential key exchange. [A generates n_A and sends R^n_A mod N; B generates n_B and sends R^n_B mod N; A forms k = (R^n_B)^n_A mod N, B forms k = (R^n_A)^n_B mod N.]

The two parties A and B have agreed in advance on two numbers R (a random number) and N (a modulus). Each party forms secretly numbers n_A and n_B, and the key is given by k = R^(n_A n_B) mod N. This is formed by A sending (R^n_A mod N) to B, which B raises to the (modular) power n_B — and vice versa for B to A. The data in transit reveal nothing about n_A or n_B if very large numbers are used, and this is particularly true for eavesdroppers who do not know R. Without knowing one of n_A or n_B, k cannot be found.

A drawback to the Diffie-Hellman scheme is that A and B must be completely sure of each other's identities before they begin the key generation process; otherwise one could enter into a "secure" conversation with an imposter. But this authentication of identities itself requires keys, suggesting a circular problem. However, when asymmetric key cryptology is used for reciprocal authentication (as it often is), to be followed by symmetric key encryption for the secure session, the Diffie-Hellman technique for cooperative key generation is very relevant.
After generation, keys, or components of keys, need to be held securely by their owners. The standard approach to this is to store them in tamper-proof hardware, such as a secure coprocessor board or an unexplorable chipcard. Keys which are held in anything less secure (e.g., a magnetic stripe card) must be held in encrypted form. They are only decrypted when read into a secure unit. Similarly, keys held unencrypted in a secure device (e.g., in a chipcard) must be encrypted for transfer between it and another secure device.

3.2.2 Certification and Notarisation of Keys
To be used, keys often need to be distributed. The question immediately arises: How is the recipient (B) of such a distributed key sure that it is genuine? By "genuine" is meant: generated for the purpose for which B intends to use it, by the purported generator (A), using the proper procedures to ensure its "goodness". The danger we are trying to avoid is that an intruder C submits a key for B to use, purporting that it comes from the authorised source A. C would choose a key which would make it possible to break all the security operations for which B intends to use the key. For example, if B's purpose is to communicate securely with A, C pretends to be A and submits the key to B; C then continues pretending to be A in B's subsequent communication and steals the secrets B shares with A.

The standard method of guaranteeing the genuineness of a key is to use asymmetric key cryptology. A trusted third party, commonly called a certification authority (CA), signs the key in question with its (the CA's) key k_sCA. Anyone who knows the CA's public key k_pCA can now validate the genuineness of k. (See also Chap. 2.) In practice, of course, since keys must usually be secret, certification is typically reserved for signing users' public keys as held, for example, in a directory. Moreover, the certification signature must cover more than just the key, since a principal objective is to ensure that the key is not merely unchanged but belongs to A. Thus, A's certificate by the CA, C_CA(A), should also cover the key owner's (A's) identity, ID_A. Additionally, the certificate will usually include an expiry date, ED_A, the date after which the CA will no longer vouch for A, unless A acquires a new certificate. It is of the form

C_CA(A) = ID_A, ED_A, K_A, sig_CA(ID_A, ED_A, K_A), k_pCA

where sig_CA(X) = D(k_sCA, X) (i.e., X decrypted under k_sCA) and K_A = A's key = k_pA, normally.

The CA's public key k_pCA may form part of the certificate (as shown) or it may be presumed to be known by all parties potentially interested in the certificate. The CA can be responsible for generating k_pA, as well as signing it. In this case the CA must also generate k_sA and deliver it to A securely (probably unread either by the CA or by A) — and ensure that A is A, not an imposter. Alternatively, A can generate k_pA (and k_sA) and submit k_pA for signature to the CA. The CA will now perform tests on k_pA as to its "goodness", convince itself as to A's identity, perform further tests to ensure that A holds k_sA compatible with k_pA, and finally issue the certificate C_CA(A).

How can users of certificates be sure that the CA's own public key is genuine, and not invented by an imposter who is trying to pass off bogus users' (public) keys on other users? If there is only one CA serving a community of users, and the certificates issued by that CA are in constant use, there is really no problem. k_pCA will be too widely known and familiar for an intruder to be able to introduce a bogus version without detection. However, in very large systems, or when interworking between different systems, a user may well be presented with a certificate whose CA is hitherto unknown to him, and whose public key (if included in the certificate) he needs to validate before he can believe the certificate.

The solution to this problem is to have CAs certify each other's public keys, usually in a hierarchical structure. Thus if X is a CA known to user A, and Y is a CA which has certified user B's public key, we have

A's certificate = C_X(A)
B's certificate = C_Y(B)
… which, taking H(S) = 2.3 for English, gives … This assumes that the key itself is not redundant, which would not be the case if it were a meaningful text chosen to be easily memorised.

Another approach is to make the keyspace so large that an exhaustive search is not feasible. For example, suppose that a powerful computer can perform 10^9 operations per second, and that each test of a key takes at least one operation. Suppose also that we require that an exhaustive search of the key space by such a computer should take not less than 500 years (1.5 × 10^10 sec). Then this target can be met if there are 1.5 × 10^19 possible keys, each equally likely. This number is approximately equal to 2^64, so a key of 64 bits in length is indicated.
Addition of a random keystream to the plaintext produces cyphertext in which all characters are equally likely, because:

p(x + a = b) = Σ_x p(x) p(a = b − x) = (1/26) Σ_x p(x) = 1/26

where p() signifies "the probability of", x is a plaintext letter, a is a letter from the added keystream (all as are assumed equally likely with p(a) = 1/26), and b is a given cyphertext letter. More generally, if we consider the substitution y = f_i(x), with i = 1 to m repeating, then

p(y = b) = Σ_x p(y = b | x) p(x) = (1/26) Σ_x p(x) = 1/26

where p(y = b | x) is the probability y = b, given x, and is 1/26 averaged over all functions f_i(x).

Figure 4.2 Search for likely word "THE".
One possible method of attack against such a general substitution cypher is the following. Suppose we have two cyphertexts y, y' from two unknown plaintexts x, x'. We compare cyphertexts character by character in pairs. If the cyphertexts are not "in phase", y = f_i(x) while y' = f_{i+k}(x') say, where the encyphering of the second stream is k characters out of place with the first. Consider a given character position i, say. Then, since the two streams are supposed to be independent, we can write

p(y = y' | i) = Σ_x p(x) p(x' = f_{i+k}^{-1}(f_i(x)))

Now if we average over all character positions

p(y = y') = Σ_{i=1}^{m} p(y = y' | i) / m = (1/m) Σ_{i=1}^{m} Σ_x p(x) p(x' = f_{i+k}^{-1}(f_i(x))) = Σ_x p(x) / 26 = 1/26 = 0.0385

if m is sufficiently large, because the "randomising" function f_{i+k}^{-1}(f_i()) scatters x evenly (m/26 times) over each of the possible values of x'. If, however, k = 0,

p(y = y') = Σ_x p(x)^2

which is independent of i, and which, for ordinary English text, has a value of about 0.067, or almost twice the out-of-phase value. Thus, the relative phase of the two cypherstreams can be found by noting the frequency of coincidences, which should be, for streams of length n, 0.0385n if out of phase and 0.067n if in phase. The character streams can be shifted with respect to each other and the test repeated until the in-phase position is achieved. Note that this procedure can be used also to determine the repetition frequency of the key, m. The standard deviations for these frequencies of coincidences are (using the Binomial distribution) 0.192n^(1/2) and 0.250n^(1/2) respectively, giving, for example, 1% confidence limits of ± 0.50n^(1/2) and 0.65n^(1/2) respectively. This implies that some 1628 pairs of characters of cyphertext should be compared for 99% confidence in determining the relative phase.

Once the relative phase and m have been found, we can use this to locate coincidences in the two plaintexts, and hence the corresponding cyphertext coincidences, by examining coincidences at the same point within the repeating block structure of length m. For example, the probability of two coincident Es is (0.13)^2 = 0.0169, or 25% of all coincidences. Note that if m > 26 … these m cyphers …; we require a large m if the statistical attack outlined above is to be made difficult.
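The coincidence statistics above, as an added example in Python (not the book's code): a coincidence counter for two cypherstreams at a given relative shift, the Binomial standard deviations, and the sample-size arithmetic that yields the 1628 figure. The normal quantile 2.58 for 1% two-sided limits is assumed to be what the book's 0.50 and 0.65 were derived from.

```python
"""Index-of-coincidence test for two polyalphabetic cyphertexts and the sample-size
arithmetic used in the text (0.0385 vs 0.067; sd 0.192 sqrt(n) and 0.250 sqrt(n);
about 1628 pairs for 99% confidence). Added example, not the book's code."""
import math

P_OUT = 1 / 26    # out-of-phase coincidence probability (0.0385)
P_IN = 0.067      # in-phase: sum of squared English letter frequencies (book's value)
Z_99 = 2.576      # two-sided 99% normal quantile (assumption: the book rounds it to 2.58)


def coincidences(y1, y2, shift=0):
    """Count positions i with y1[i] == y2[i + shift]; pairs running off the end are ignored."""
    n = min(len(y1), len(y2) - shift)
    return sum(1 for i in range(n) if y1[i] == y2[i + shift])


def coincidence_sd(p, n):
    """Binomial standard deviation of the coincidence count over n compared pairs."""
    return math.sqrt(n * p * (1 - p))


def pairs_needed(p_in=P_IN, p_out=P_OUT, z=Z_99, round_like_book=False):
    """Smallest n at which the z-limits around the two expected counts no longer overlap:
    (p_in - p_out) n >= z (sd_in + sd_out) with sd = sqrt(n p (1-p)), hence
    sqrt(n) = z (sqrt(p_in(1-p_in)) + sqrt(p_out(1-p_out))) / (p_in - p_out).
    round_like_book reproduces the text's intermediate rounding (sd coefficients to
    3 dp, limits to 2 dp, probabilities to 4 dp), which is how 1628 arises."""
    s_in = math.sqrt(p_in * (1 - p_in))
    s_out = math.sqrt(p_out * (1 - p_out))
    if round_like_book:
        lim_in = round(z * round(s_in, 3), 2)     # 0.65
        lim_out = round(z * round(s_out, 3), 2)   # 0.50
        return int(((lim_in + lim_out) / (round(p_in, 4) - round(p_out, 4))) ** 2)
    root_n = z * (s_in + s_out) / (p_in - p_out)
    return math.ceil(root_n ** 2)


def best_shift(y1, y2, max_shift):
    """Relative-phase estimate: the shift producing the most coincidences."""
    return max(range(max_shift + 1), key=lambda s: coincidences(y1, y2, s))
```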
Implementing such a system may perhaps be simplified by two-stage encryption. For example, instead of using m distinct functions f_i(x) or look-up tables, we could generate y = f_j(g_i(x)) with i = 1 to q, j = 1 to l, and m = lcm(q, l). If q and l are coprime, m = ql. There are well-known two-stage cyphers in which either the function g_i() or f_j() is modulo 26 addition (i.e., Vigenère). It should be pointed out that adding extra stages to the encryption process is certainly to aid implementation; the essential requirement is that, for really "random" plaintext, the substitution is properly "scattered". Moreover, a large m is needed if the statistical attack outlined above is to be made difficult; otherwise it is easier to find the plaintext by statistical means. If the basic sequence of functions f_i(x) (i = 1 to m) is really randomising, no improvement in security can be achieved without either increasing m, or using techniques other than pure substitution.
One further variant of Vigenère is called the Vernam cypher. The keystream has a very large m — ideally infinite. The alphabet used is normally pure binary, so modulo 26 addition becomes modulo 2 addition (i.e., XOR). There is clearly a problem in ensuring that identical keys are held by sender and receiver. This type of cypher is discussed later under the topic of stream cyphers.

Finally, as with any block cypher, substitution cyphers can be turned into stream cyphers using the techniques of Chapter 2 (e.g., CBC or CFB, as illustrated in Fig. 4.3 and 4.4). The "block" in this case is only a character, and the encryptor is fed with an m-character key sequence f_i(). Addition is modulo 26. Another method of generating a stream cypher from the basic substitution cypher is called the Autokey Vigenère, and is illustrated in Figure 4.5. This involves feed-forward of the message itself to act as the key-stream. It suffers from the error-propagating problem common to all feed-forward encryptors, which necessarily imply feedback decryptors.

Figure 4.3 Character substitution and CBC mode. [Character buffer; key; plaintext; cyphertext; f_i; mod 26.]

Figure 4.4 Character substitution and CFB mode. [Character buffer; key; plaintext; cyphertext; f_i; modulo 26.]

Figure 4.5 Autokey Vigenère cypher. [IV (M characters); M-character buffer; plaintext; cyphertext; modulo 26.]
Many systems have been invented for mechanising the encyphering process, most of which are essentially based on polyalphabetic substitution (i.e., y = f_i(x), i = 1 to m, with a very large m). The famous German "Enigma" encryptor used 26 electrical cross connections (between input x and output y) made via three rotors that moved with respect to each other, returning to their original relative position after m = 16,900 characters. However the "key" was essentially the three rotors (and their internal cross connections) and if those internal connections were known, the size of the key space was the number of ways (three) out of a library of k rotors that might be selected and ordered (i.e., k!/(k − 3)!), which in practice was not very large. The initial setting of the rotors formed an IV, transmitted at the head of the message. Because encryption made a cross connection in which input key x lit its own output lamp y, decryption was easy: assuming the rotors were in the correct position, the receiver depressed the key corresponding to y, and lamp x lit.

It is worth pointing out that the Enigma machine is constructed from three involutions in series. An involution is a mapping, f(), such that if f(a) = b then f(b) = a (i.e., f() is its own inverse). Clearly, the cross connection between a and b on an Enigma wheel is such a mapping. Two involutions in series are not an involution, because if g() and h() are involutions, the inverse of g(h()) is not itself, but h(g()), which is quite different.
Another mechanised polyalphabetic substitution cypher is the Jefferson wheel. Effectively, it is specified by y = f_i[f_i^{-1}(x) + a], where a is an arbitrary letter, fixed for this message, and addition is modulo 26. The f_i(x) (i = 1 to 36 in practice) are mappings of the alphabet into a permutation of itself printed round the outside of a cylinder (i.e., one of the 36 "wheels"). (See Fig. 4.6.) The ordinary ordered alphabet must be imagined, also round the wheel. A message to be encrypted is set up on the wheels mounted on one axle; it is transformed into the imaginary ordered alphabet (f_i^{-1}(x)); the relative positions are advanced a positions in the imaginary alphabet; and then conversion back to the permuted alphabet takes place. There is no need to show or even locate the imaginary alphabet, because only the relative positions of f_i^{-1}(y) and f_i^{-1}(x) matter, namely a. Moreover, for decryption, x = f_i(f_i^{-1}(y) − a), a need not be known; it is sufficient to set up the message y on the wheels and scan round the remaining 25 alignments for a message making sense. This is a direct application of Shannon's theory of secrecy. What is the probability of finding two or more meaningful plaintexts out of the 26 alignments? To answer this question we suppose the entropy of English is H(S) = 2.3 bits per character, so that there are (2^2.3)^n = (4.92)^n meaningful messages of n characters. Thus the probability of one meaningful message out of 25 selections of the 26^n (approximate) possible alignments is 25(0.189)^n. This is less than 1% for n > 5; so if a meaningful message of length greater than 4 is found by scanning round the wheels, it is almost certainly the original plaintext.

Figure 4.6 Jefferson wheel cypher. [Plaintext = THISISO…, Cyphertext = KIRZFCB…]
A third example of a mechanised substitution encryptor is the Wheatstone disc. It has 27 positions marked A to Z and space round the outside representing plaintext characters. They may be considered as the numbers 0 to 26. An inner circle has 26 positions for cyphertext characters, marked in a permuted version of the alphabet. Two hands are geared together so that as the outer one moves round 27 positions, so does the inner one on its dial — and hence ends up 1/26th of a full circle, or a cyphertext character, advanced. Plaintext is encrypted by moving the outer hand from letter to letter, and reading the corresponding inner hand. Every time a plaintext character is less than its predecessor, the mapping plaintext to cyphertext changes, as follows:

If x_j < x_{j−1} then a := a + 1 mod 26;
y_j = f(x_j + a mod 26)

where a is the offset between the hands, and f(x) is the permuting function. There is a problem with the Wheatstone disc when plaintext characters are repeated. If, on one hand, the hands are not advanced, y_j = y_{j−1} could mean on decyphering either x_j = x_{j−1} or x_j = x_{j−1} − 1. If, on the other hand, the rule is to advance the hands when a plaintext character is repeated, we have y_j = f(x_j + a + 1), which could mean a) x_j = x_{j−1} or b) x_j = x_{j−1} + 1. The solution is to remove all repeated characters from plaintext.

A more interesting aspect of the Wheatstone disc is that it is a feed-forward, plaintext-dependent algorithm. This means that decryption is feedback, plaintext dependent, as follows:

If x_j < x_{j−1} then a := a + 1; …
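The Wheatstone disc rule above, modelled as an added example in Python (not the book's code): it reproduces the repeated-character ambiguity under both rules, the feedback (plaintext-dependent) decryption for repeat-free text, and the book's remedy of stripping repeats. The permutation f is a constructed one, and the disc's 27th "space" position is left out for simplicity, both assumptions.

```python
"""Wheatstone disc model: y_j = f(x_j + a mod 26), with the offset a advanced by one
whenever x_j < x_(j-1). Letters A..Z are 0..25 (the 27th 'space' position of the real
disc is omitted here). Added example, not the book's code; PERM is constructed."""
import string

ALPHA = string.ascii_uppercase
# constructed permutation printed on the inner (cyphertext) dial
PERM = "QWERTYUIOPASDFGHJKLZXCVBNM"
F = {i: ALPHA.index(c) for i, c in enumerate(PERM)}   # f: 0..25 -> 0..25
F_INV = {v: k for k, v in F.items()}


def encrypt(plaintext, a=0, advance_on_repeat=False):
    """Feed-forward encryption; a is the initial hand offset. advance_on_repeat selects
    the book's second rule (advance the hands when a character repeats)."""
    out, prev = [], None
    for ch in plaintext:
        x = ALPHA.index(ch)
        if prev is not None and (x < prev or (advance_on_repeat and x == prev)):
            a = (a + 1) % 26
        out.append(ALPHA[F[(x + a) % 26]])
        prev = x
    return "".join(out)


def decrypt(cyphertext, a=0):
    """Feedback, plaintext-dependent decryption for repeat-free plaintext under the
    no-advance rule: undoing f with the current offset gives either x_j (if a was not
    advanced, so x_j > x_(j-1)) or x_j + 1 (if it was, so x_j + 1 <= x_(j-1))."""
    out, prev = [], None
    for ch in cyphertext:
        cand = (F_INV[ALPHA.index(ch)] - a) % 26
        if prev is not None and cand <= prev:
            a = (a + 1) % 26
            cand = (cand - 1) % 26
        out.append(ALPHA[cand])
        prev = cand
    return "".join(out)


def strip_repeats(text):
    """The book's remedy: remove consecutive repeated characters before encryption."""
    return "".join(c for i, c in enumerate(text) if i == 0 or c != text[i - 1])
```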
… then it is impossible to use a superincreasing sequence, namely w_i > Σ_{j=0}^{i−1} (b − 1) w_j or, if b = 2, w_i > Σ_{j=0}^{i−1} w_j. This also serves to make decryption of c particularly simple, since the p_i are found by successively dividing by the w_i, starting with the largest. At each stage, the dividend is, of course, the remainder from the last stage, and the resulting quotient is p_i.

The "trapdoor" aspect must now be explained. Essentially it is knowledge of the superincreasing sequence w_i, which is the secret key, that is concealed from everyone else by modular multiplication. Let w be the modulus, greater than Σ_{i=0}^{n−1} (b − 1) w_i; let x be a number with an inverse x^{-1}, x.x^{-1} = 1 mod w; then we define new "public" weights w'_i = x.w_i mod w. (x and w are also part of the trapdoor secret.)

Encryption now consists of forming c' = Σ_{i=0}^{n−1} p_i w'_i and can be done by anyone knowing the w'_i — knowledge of which does not reveal the w_i. To decrypt, the holder of the secret key evaluates

c = x^{-1} c' mod w = x^{-1} Σ_{i=0}^{n−1} p_i w'_i mod w = Σ_{i=0}^{n−1} p_i w_i mod w = Σ_{i=0}^{n−1} p_i w_i

and extracts the p_i by division, as discussed above. To conceal the order of the w_i, the w'_i would normally be issued in their own ascending order, which will be a permutation of that of the w_i. When the holder of the secret key finds the p_i, the reverse permutation must then be applied to them before evaluating the plaintext p.

Unfortunately there are questions over the security of the trapdoor knapsack scheme, as well as practical difficulties. Since the calculations are relatively simple, the scheme is susceptible to attacks based on brute force (by evaluating all possible solutions), or at least on substantial use of brute force. In particular, if it is known that the w_i are restricted, so that w_i is greater than Σ_{j=0}^{i−1} w_j by only a small amount, the range of possible solutions is much reduced. Such a restriction might be imposed to keep w small, to minimise the expansion which takes place in mapping p to c. Still more serious is the problem, mentioned previously, of not all c being valid. This means that an arbitrary c cannot necessarily be decrypted using the secret key; that is, certain messages (or their hashed values) cannot be signed. This problem can only be avoided if the c span the message space, implying that w_i = Σ_{j=0}^{i−1} (b − 1) w_j + 1, which is trivial and readily cryptanalysed. Yet a third problem is the length of the key. Essentially, the complexity of the problem is proportional to the square of the size of the modulus. Complexity is quadratic compared with RSA's cubic complexity, because the trapdoor knapsack uses only division and multiplication, not exponentiation. This may be remedied by increasing the key length (i.e., n, the number of w_i). But the w'_i are of a length similar to that of the modulus, so n of them can produce an excessively long key.

One ingenious variant of the trapdoor knapsack uses w_i which are not superincreasing, but which are constructed in a special manner to form, effectively, a linearly independent basis for the vector space in which c lies. In this variant b = 2, and w_i = r_i + 2^{k+i}, where the r_i are random numbers, and k is such that 2^k > Σ_{j=0}^{n−1} r_j. In the decryption process, if c is found and represented as a binary number, the bits corresponding to 2^{k+i} indicate precisely which w_i are present in c. No division is required, and much greater freedom exists for the choice of the w_i — at the cost of expansion.

The trapdoor knapsack scheme may be summarised as follows: if it is made "secure", it implies undesirable properties such as data expansion, large keys, and probably no support of digital signatures. These difficulties can only be redressed by reducing the scheme's security.
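The trapdoor knapsack as described above (superincreasing secret weights, modular multiplication, public weights issued in ascending order with the permutation undone after decryption), as an added example in Python (not the book's code); it also exhibits the "not all c are valid" problem from the discussion of signatures. The weights, modulus and multiplier are small constructed values with no real security.

```python
"""Trapdoor knapsack (b = 2): secret superincreasing weights w_i, modulus w > sum(w_i),
multiplier x with inverse x^-1 mod w, public weights w'_i = x*w_i mod w issued in
ascending order. Added example, not the book's code; all numbers are constructed."""


def is_superincreasing(w):
    """Each w_i exceeds the sum of all earlier w_j (the book's condition with b = 2)."""
    return all(w[i] > sum(w[:i]) for i in range(len(w)))


def make_keypair(w, modulus, x):
    """Secret: (w, modulus, x^-1, order). Public: the w'_i sorted ascending.
    order[j] is the secret index whose public weight sits at public position j."""
    assert is_superincreasing(w) and modulus > sum(w)
    x_inv = pow(x, -1, modulus)                 # ValueError if gcd(x, modulus) != 1
    w_pub = [(x * wi) % modulus for wi in w]
    order = sorted(range(len(w)), key=lambda i: w_pub[i])
    public = [w_pub[i] for i in order]
    return {"w": w, "modulus": modulus, "x_inv": x_inv, "order": order}, public


def encrypt(public, bits):
    """c' = sum p_j w'_j over public positions j; anyone holding the public weights can do this."""
    assert len(bits) == len(public) and set(bits) <= {0, 1}
    return sum(p * wp for p, wp in zip(bits, public))


def solve_superincreasing(w, c):
    """Greedy 'division' from the largest weight down. Returns the bits, or None when c
    is not representable: the case that prevents signing arbitrary values."""
    bits = [0] * len(w)
    for i in range(len(w) - 1, -1, -1):
        if c >= w[i]:
            bits[i] = 1
            c -= w[i]
    return bits if c == 0 else None


def decrypt(secret, c_pub):
    """c = x^-1 c' mod w turns the public sum back into the superincreasing one; the
    reverse permutation then restores the plaintext bit order."""
    c = (secret["x_inv"] * c_pub) % secret["modulus"]
    bits_secret = solve_superincreasing(secret["w"], c)
    if bits_secret is None:
        return None
    return [bits_secret[i] for i in secret["order"]]
```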
Making Asymmetric Cyphers From Symmetric Ones
4.3.5
any asymmetric .scheme the iniplemeutatUmal
In considering
borne
in
always be one fundamental problem
will
difficulties
must always be
mind. Whatever the complexity of the algorithm or the length of the key, there
How
implementation:
in
the .secret key to be
is
many answers to the always come to the conclusion
introduced into, and held securely within, the system? The first part of the question has many answers, but for the second part we take it that some tamper-proof device is nearly always necessary for holding the secret key. This device should be unmodifiable and unexplorable, and should destroy the data held within it if tampering is detected.

Given the existence of a tamper-proof device, it may be exploited to hold more than just a secret key. For example, it is possible to package symmetric algorithms and keys within such a device in a way that turns them into asymmetric schemes. In such a scheme each user has a symmetric key K_i, which is secret. Two encrypted versions of K_i exist: one, the public key E(K_m, v_e; K_i), and the other, the secret key E(K_m, v_d; K_i). Both are made with the master key K_m, which is embedded in the tamper-proof device and which neither the user nor anyone else knows. The two versions differ in the encryption process, as defined by a "variant" v_e or v_d, which is achieved by judicious flipping of bits in K_m. These variants exploit the fact that (with a good algorithm) flipping a bit of the key produces a totally new output, from which neither the original output nor the input can be determined.

The scheme is illustrated in Figures 4.12 and 4.13, with the boundary line signifying the extent of the tamper-proof device. Variant v_e is used for public-key encryption, and variant v_d for secret decryption. Note that the input of the appropriate variant not only serves to decrypt K_i (in response to v_e or v_d, respectively), but also to determine the use that is made of it, i.e., to force encryption or decryption. The use of the variants must be reversible, so that K_i encrypted under K_m and variant v_e can be decrypted under K_m and variant v_d (if, say, v_e complements bit 1 of K_m and v_d complements bit 2). For example, with DEA this is easily achieved, because encryption and decryption are the same process with the key sequence reversed.

In Figure 4.12 the user supplies the plaintext for encryption and the public key E(K_m, v_e; K_i) plus variant v_e. Within the tamper-proof device, K_m and v_e are used to decrypt K_i from the public key. K_i is then used to encrypt the plaintext, encryption being forced by v_e. In Figure 4.13 the internally held K_m and the entered v_d are used to decrypt K_i from the secret key E(K_m, v_d; K_i); K_i then decrypts the cyphertext, decryption being forced by v_d. Note that one might hold the secret key inside the tamper-proof device.
Figure 4.12 Public key encryption with DES.

Figure 4.13 Secret key decryption with DES.
Security is assured because a holder of the public key E(K_m, v_e; K_i):

• cannot find K_i, because he does not know K_m;
• cannot find the secret key, because it is totally different to the public one, owing to the effect of v_d (as opposed to v_e) on the encryption process;
• cannot perform decryption, because if v_d is used with the public key, although decryption takes place, it is under a nonsensical key, not K_i.

It is interesting to consider how a user's key-pair may be generated, assuming the existence of the tamper-proof device. We need to be able to encrypt K_i (as plaintext) with K_m and variant v_e or v_d. Figure 4.14 shows how this might be done. It supposes that K_i will be encrypted under K_m by supplying to the tamper-proof device the master public key, i.e., K_m encrypted under itself with variant v_e, E(K_m, v_e; K_m).
Figure 4.14 Production of key-pair from K_i.
Thus, persons wishing to generate a key-pair would be supplied with E(K_m, v_e; K_m), the master public key, and would require a version of the device permitting variant-controlled encryption. Such persons would generate K_i in the usual way by random numbers, and their resultant public keys, E(K_m, v_e; K_i), could be certified by the holder of the master secret key E(K_m, v_d; K_m) signing them. (See Figure 4.15.)

A drawback to this key generation procedure is that the holder of the master secret key can decrypt any public or secret key E(K_m, v_e/v_d; K_i) to recover the base K_i, or K_m itself. (See Figure 4.16.) This could be prevented in use if the device is made such that the extra input for controlled encryption (Figure 4.14) is possible, but decryption (Figure 4.16) is inhibited.

The important point to note in this discussion is that there is more to the implementation of encryption than just the algorithm. The way in which portions are made secure and which not is equally important.

Figure 4.15 Production of a certificate.

Figure 4.16 D(K_m; E(K_m, v_e; K_i)).
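The variant-key scheme of Figures 4.12-4.14, as an added example that is not from the book: a toy 64-bit Feistel cipher (SHA-256 round functions standing in for DES) and a model of the tamper-proof box in which the supplied variant both unwraps K_i and forces the direction of use. The master key, the two variants and the user key are constructed values.

```python
import hashlib

BLOCK = 8    # 64-bit blocks, as with DES; each Feistel half is 32 bits
ROUNDS = 8

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(half: bytes, key: bytes, r: int) -> bytes:
    # Keyed round function: first 4 bytes of SHA-256(key || round || half).
    return hashlib.sha256(key + bytes([r]) + half).digest()[:4]

def feistel(key: bytes, block: bytes, decrypt: bool = False) -> bytes:
    """Toy Feistel cipher standing in for DEA.  As with DEA, decryption is the
    same process with the round (key) sequence reversed."""
    assert len(key) == BLOCK and len(block) == BLOCK
    left, right = block[:4], block[4:]
    order = range(ROUNDS - 1, -1, -1) if decrypt else range(ROUNDS)
    for r in order:
        left, right = right, _xor(left, _f(right, key, r))
    return right + left           # undo the final swap

def E(key: bytes, block: bytes) -> bytes:
    return feistel(key, block)

def D(key: bytes, block: bytes) -> bytes:
    return feistel(key, block, decrypt=True)

class TamperProofBox:
    """The device of Figures 4.12-4.14.  K_m never leaves the box; the variant the
    caller supplies is XORed into K_m to unwrap the user key and, at the same
    time, decides whether the unwrapped key encrypts (v_e) or decrypts (v_d)."""

    def __init__(self, master_key: bytes, v_e: bytes, v_d: bytes):
        self._km = master_key          # secret, embedded at manufacture
        self.v_e, self.v_d = v_e, v_d  # variants: public bit-flip patterns

    def _unwrap(self, variant: bytes, wrapped_key: bytes) -> bytes:
        return D(_xor(self._km, variant), wrapped_key)

    def operate(self, variant: bytes, wrapped_key: bytes, block: bytes) -> bytes:
        k_i = self._unwrap(variant, wrapped_key)
        if variant == self.v_e:
            return E(k_i, block)       # Figure 4.12: encryption forced by v_e
        if variant == self.v_d:
            return D(k_i, block)       # Figure 4.13: decryption forced by v_d
        raise ValueError("unknown variant")

    def make_key_pair(self, master_public_key: bytes, k_i: bytes):
        """Figure 4.14: only a device permitting variant-controlled encryption
        offers this.  The caller shows entitlement by supplying E(K_m, v_e; K_m)."""
        if self._unwrap(self.v_e, master_public_key) != self._km:
            raise ValueError("not the master public key")
        public_key = E(_xor(self._km, self.v_e), k_i)   # E(K_m, v_e; K_i)
        secret_key = E(_xor(self._km, self.v_d), k_i)   # E(K_m, v_d; K_i)
        return public_key, secret_key

def demo() -> dict:
    # Constructed values: K_m, two variants flipping different bits of K_m, and K_i.
    km = bytes.fromhex("0123456789abcdef")
    v_e = bytes.fromhex("0000000000000001")
    v_d = bytes.fromhex("0000000000000002")
    box = TamperProofBox(km, v_e, v_d)
    master_public = E(_xor(km, v_e), km)          # E(K_m, v_e; K_m)
    k_i = bytes.fromhex("fedcba9876543210")
    pub, sec = box.make_key_pair(master_public, k_i)
    plain = b"8 octets"
    cipher = box.operate(v_e, pub, plain)         # anyone holding pub can encrypt
    recovered = box.operate(v_d, sec, cipher)     # only the holder of sec decrypts
    # Misuse: the public key with v_d "decrypts" under a nonsensical key, not K_i.
    misuse = box.operate(v_d, pub, cipher)
    return {
        "keys_differ": pub != sec,
        "roundtrip": recovered == plain,
        "public_key_cannot_decrypt": misuse != plain,
    }

if __name__ == "__main__":
    print(demo())
```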
duces a result in the form of another character in the alphabet. Such an operation could be XOR, or multiplication in a finite field. The conclusion can also be generalised to handle conditional dependencies. That is, if the probabilities of characters occurring in the nonrandom stream are dependent on certain conditions, but the probabilities of the random stream are independent of these conditions, the characters in the combined (added) stream are independent of those conditions. In particular, if the conditions are autocorrelations in the nonrandom stream, no autocorrelations exist in the combined stream. Using these facts, stream cyphers based on the Vernam approach (Fig. 4.17) can be seen to have obvious attractions, because the statistical structure of the plaintext is totally concealed by the cyphertext. However, the two inherent weaknesses of such cyphers, their very long keys (and the transmission of them) and their susceptibility to known plaintext attacks, must be tackled if they are to be of practical use.
In Appendix C, maximum length sequences generated from feedback shift registers (FBSRs) are discussed, and it is shown there that they produce a pseudo-random sequence as output. More precisely, if we only consider the binary case, where the characters are 0 and 1, the average interval between successive occurrences of the same character in the output sequence is 2, and the variance of this interval for large t (t being the length of the FBSR) is 2 − (1/2)^{t−1}. Thus, the sequence is indistinguishable from that generated by independent equally probable characters from an alphabet of k letters, which would have a mean interval of k and an interval variance equal to k(k − 1), with k = 2 for the binary case.

Thus, the FBSRs can be used to address the first problem. The very long pseudo-random sequence can be merged (somehow) with the plaintext, and the key is the initial setting of the FBSR. If the FBSR is of length t, generating sequences of length up to 2^t (one bit shorter, 2^t − 1, if the feedback is linear, which is of no significance), and the plaintext is of length L, the key length is t = log2 L, which is particularly simple. Generation of the sequence from the FBSR is trivially implemented in software if the feedback function is linear; in this case the sequence can be produced an octet at a time for speed, typically using a look-up table for the feedback function. Using nonlinear feedback and the full-length (de Bruijn) sequences, implementation is usually more complex. For example, the well-known "prefer-one" algorithm for the feedback function supposes the existence of substantial memory.

The problem with this approach is that a known plaintext (or even probable word) attack can be used to extract a portion of the merged sequence. For example,
Figure 4.17 Vernam cypher.
in Figure 4.17 it is only necessary to subtract plaintext from cyphertext. Assuming that the feedback function itself is known to the enemy, t bits of the pseudo-random sequence reveal the sequence's phase and the future sequence (as well as the sequence backwards). For this reason it might be suggested that the details of the feedback function form part of the key. In the case of linear FBSRs, where a primitive polynomial must be used, there is only a finite number of them, φ(2^t − 1)/t (φ being Euler's totient function), and an attacker could perform an exhaustive search to determine which one it is. If general de Bruijn sequences are used, the feedback function could be specified in the form of a key by its algebraic normal form (ANF), but the key would be very much longer than t bits, and also much harder to find. However, in both cases an attacker can still break the cypher if he or she knows the plaintext and can extract enough of the pseudo-random sequence to be able to resynthesise the FBSR and its initial setting.
This raises the interesting problem of synthesising an FBSR to produce a given sequence. The complexity of a sequence is defined (see Appendix C) as the minimum length of FBSR required to generate it, where the FBSR may be a linear (first-order) one or one with an arbitrary but memoryless feedback function, in which case the complexity is "maximum order". One might suppose that the pseudo-random sequence to be merged with the plaintext should have a large complexity to preclude such an attack by synthesis; then one asks: What is the complexity of a typical sequence of L bits? or: What is the complexity profile of all sequences L bits in length? It turns out that, typically, an L bit sequence has a complexity c = 2 log2 L, whereas the de Bruijn sequences, in which each t-bit content of the FBSR occurs only once, have complexity c = log2 L = t.

Moreover, the problem is not as simple as stated. In the first place, a sequence of large complexity is not necessarily pseudo-random or useful for cryptography. For example, the sequence (00 ... 01), L bits in which the first (L − 1) bits are zero and the last is 1, has complexity L but is clearly of little use for merging with plaintext. Secondly, the effort involved in synthesising an FBSR of complexity c is proportional to c2^c, so synthesising arbitrary sequences of length L is laborious. On the other hand, in real use synthesising a sequence in retrospect serves little purpose: if the sequence is a "one-time pad" and not reused, being able to synthesise it is of no use, and if the attacked party is going to use the sequence again, the attacker might as well store it, once discovered, and later reuse it. In short, to be of real use synthesising should be online, predictive, and adaptive. The partial FBSR should predict the next bit of the pseudo-random stream, enabling the cyphertext to be decrypted, and adaptive techniques should extend the FBSR to cope with erroneous predictions, for example, as detected by meaningless decrypted plaintext. In practice such algorithms only exist for synthesising FBSRs with linear feedback functions, and such linear FBSRs are much longer (higher complexity) than nonlinear ones.

One method of circumventing the problem posed by an attacker synthesising the pseudo-random stream is illustrated in Figure 4.18. Operation is an octet at a time. Here two FBSRs are used, giving a very long combined sequence if the lengths of the individual
Figure 4.18 A stream cypher based on linear FBSRs.
sequences are co-prime. For example, they could be (2^t − 1) and (2^u − 1). Moreover, the output of one FBSR (F1) is added (XORed) to the fed-back cyphertext, and the result is mapped through an 8-bit (256 entry) substitution table (S1) before addition to the plaintext. This "messed up" stream is made further unintelligible by the straight addition of F2's output, which should be pseudo-random for the reasons we have discussed. In all, encyphering is a combination of OFB (the FBSRs), CFB (the cyphertext), and old-fashioned nonlinear substitution. The key is the initial states of the two FBSRs, and (possibly) the entries in the substitution table, although fixed ones could also be used. Decryption is straightforward, and is shown on the right-hand side of Figure 4.18. Note that the substitution table need not be reversible; it is only used in one direction. Note also that the encryption and decryption feedback loops each contain a one-octet buffer, whose initial state would also be part of the key.

Further elaborations to Figure 4.18 are easily made. For example, changing one bit of cyphertext will change the corresponding bit of plaintext (and the entire subsequent octet). If this property is considered a defect, one could apply a substitution (S2) to the plaintext octet on entering the encryptor, and a reverse substitution (S2^{-1}) on leaving the decryptor, as in Figure 4.19. For good measure we have merged or mixed the two streams by multiplication in GF(2^8), assuming that S1 can be arranged to give always a nonzero output. In the decryptor, division (by the nonzero S1 output) applies.

Stream encryptors of the form of Figures 4.18 and 4.19 (and more elaborate) can be programmed in software in some twenty assembly language instructions, and can thus operate at rates such as 256 K octets/sec.
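The Figure 4.18 encryptor, as an added example that is not the book's code: two linear FBSRs of co-prime period (127 and 255), a 256-entry substitution table S1 (constructed here; it need not be reversible), and the one-octet feedback buffer, with decryption as the mirror image. `error_propagation` shows the property noted above: a flipped cyphertext bit disturbs only its own and the following plaintext octet.

```python
class LFSR:
    """Binary FBSR with linear (XOR) feedback in the Fibonacci arrangement:
    the new bit is the XOR of the state bits selected by `taps` (right shifts)."""

    def __init__(self, length: int, taps: tuple, state: int):
        assert 0 < state < (1 << length), "a zero state would lock the register"
        self.length, self.taps, self.state = length, taps, state

    def next_bit(self) -> int:
        out = self.state & 1
        fb = 0
        for t in self.taps:
            fb ^= (self.state >> t) & 1
        self.state = (self.state >> 1) | (fb << (self.length - 1))
        return out

    def next_octet(self) -> int:
        v = 0
        for _ in range(8):
            v = (v << 1) | self.next_bit()
        return v

def period(length: int, taps: tuple) -> int:
    """Length of the cycle the register runs through from state 1."""
    r = LFSR(length, taps, 1)
    n = 0
    while True:
        r.next_bit()
        n += 1
        if r.state == 1:
            return n

# Constructed substitution table: not a permutation, and it need not be one.
S1 = [((i * i) + 3 * i + 7) & 0xFF for i in range(256)]

F1_TAPS = (0, 1)        # x^7 + x^6 + 1, maximal length 2^7 - 1 = 127
F2_TAPS = (0, 2, 3, 4)  # x^8 + x^6 + x^5 + x^4 + 1, maximal length 2^8 - 1 = 255

class Figure418:
    """key = (F1 initial state, F2 initial state, initial buffer octet)."""

    def __init__(self, key: tuple):
        s1, s2, iv = key
        self.f1 = LFSR(7, F1_TAPS, s1)
        self.f2 = LFSR(8, F2_TAPS, s2)
        self.buf = iv & 0xFF     # one-octet feedback buffer (the CFB part)

    def _keystream(self) -> int:
        mixed = S1[self.f1.next_octet() ^ self.buf]   # F1 + fed-back cyphertext, then S1
        return mixed ^ self.f2.next_octet()            # then straight addition of F2

    def encrypt(self, plaintext: bytes) -> bytes:
        out = bytearray()
        for p in plaintext:
            c = p ^ self._keystream()
            self.buf = c         # encryptor feeds back the cyphertext it produced
            out.append(c)
        return bytes(out)

    def decrypt(self, ciphertext: bytes) -> bytes:
        out = bytearray()
        for c in ciphertext:
            out.append(c ^ self._keystream())
            self.buf = c         # decryptor feeds back the cyphertext it received
        return bytes(out)

def roundtrip(key: tuple, plaintext: bytes) -> bool:
    return Figure418(key).decrypt(Figure418(key).encrypt(plaintext)) == plaintext

def error_propagation(key: tuple, plaintext: bytes, flip_index: int) -> list:
    """Flip one cyphertext bit and report which plaintext octets come out wrong."""
    ct = bytearray(Figure418(key).encrypt(plaintext))
    ct[flip_index] ^= 0x01
    pt = Figure418(key).decrypt(bytes(ct))
    return [i for i, (a, b) in enumerate(zip(pt, plaintext)) if a != b]

if __name__ == "__main__":
    key = (0x5A, 0xC3, 0x17)   # constructed key
    msg = b"The statistical structure of the plaintext is concealed."
    print(period(7, F1_TAPS), period(8, F2_TAPS))      # 127 255
    print(roundtrip(key, msg), error_propagation(key, msg, 10))
```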
Yet another approach to stream encryption is illustrated in Figure 4.20, Jansen's flip-flop-based encryptor [6]. Two key streams (K1, K2) are used, which could be generated by FBSRs, and nonlinearity (and a form of CFB) are added by the J and K inputs of a J-K flip-flop. This has two inputs, J (set) and K (reset), and one output, which is the flip-flop's "state" s_{n+1}. A 1 input at J sets the state s_{n+1} to 1. A 1 input at K resets s_{n+1} to 0. No input at J or K leaves s_{n+1} = s_n. Two 1s input simultaneously at J and K complement the output, s_{n+1} = s_n + 1.

Figure 4.20 Jansen's nonlinear stream cypher.

These operations may be summarised by the equation

s_{n+1} = (j_n + k_n + 1) s_n + j_n

where arithmetic is, as usual, binary (1 + 1 = 0). If c_n, p_n denote cyphertext and plaintext bits, we then have

c_n = (K2,n + 1) c_{n−1} + K1,n + p_n

giving rise to the decryptor of Figure 4.20:

p_n = c_n + K1,n + (K2,n + 1) c_{n−1}.

One of the objectives of this scheme is to foil an active eavesdropper who might try to change plaintext by flipping bits in the cyphertext without necessarily being able to decrypt it. It is clear that if such an attacker complements c_{n−1}, there is only a 50% chance of complementing p_n: it depends whether K2,n is 0 or 1. This probability can readily be lowered by adding further flip-flops to the encryptor, as shown in Figure 4.21.

This type of stream cypher operates at the bit level and uses a standard hardware "component", a flip-flop, so it is best suited to hardware implementation. The equations show it to be a particularly simple combination of OFB (assuming the key streams K1 and K2 are generated from FBSRs) and nonlinear (one-bit) CFB.
4.5 SOME OTHER USEFUL ALGORITHMS

We terminate the discussion of algorithms by considering some which do not perform encryption or decryption, but which are frequently required by those procedures, either for key generation or to perform ancillary functions. Three types of algorithms are reviewed briefly: hashing, random number generation, and the Euclidean algorithm.

4.5.1 Hashing
Hash functions have a long history in computing. Perhaps their earliest application was that of mapping a large but sparsely filled file into a much smaller space. Because in principle the file is very big, each record has a long identifier, but because most records are missing it is convenient to hash the identifier down to a smaller value, which can be a direct index into the (small) file. (A good example is the file of withdrawn certificates discussed in Chapter 3. The certificate number is a long one, and there may be many certificates, any of which can be withdrawn at any time, so the file of withdrawn certificates may be 1% of all certificates but, hopefully, less than that.) Thus the hash function serves to:

• Compress or digest information;
• Randomise the compressed information with the aim of preserving its uniqueness (i.e., minimising "hits" in which two distinct data sources hash to the same value).

Hits are unavoidable, but in many cases it is not so much the occurrence of a hit that is undesirable, as that it can be predetermined. For example, when the hash function is used for digital signatures a prime requirement is that an attacker cannot determine a message that hashes to the same value as a given message. If he could do this, he could take the signature, willingly provided by the victim, to (the hash of) some innocent message and attach it to the substitute message, which would be apparently authentic. Thus for cryptographic purposes a hash function also needs to be one-way (i.e., given a value, it is not possible to find inputs to the hash function which will produce this value as output, other than by unacceptably laborious exhaustive trial-and-error searches). With regard to the occurrence of a hit, if the output of the hash is m bits in length, and hashing is random, the probability of not achieving a given value after n attempts is exp(−n/2^m). This probability drops below 50% when n > 2^m/2, so for large enough m (e.g., m = 64) a search is not feasible.

However, an attacker could exploit the famous birthday paradox to reduce his or her labours. This paradox states the surprising fact that if you have more than 23 people in a room the probability that two share a birthday is greater than 50%. To see this, let p_m be the probability that none of m people share a birthday. Then p_m = p_{m−1} × (366 − m)/365. Putting p_1 = 1, this iterative system solves to

p_m = 365! / (365^m × (365 − m)!)

and p_m becomes less than 0.5 for m > 23. When a "hit" occurs, m ~ O(n^{1/2}) where n = 365.
To use this paradox to forge signatures to messages, an attacker might make a list of M (distinct) messages, for which the attacker would like to get the victim's signature, together with their hashed values. The attacker would then observe N1 of the victim's signed messages (perhaps by eavesdropping) and evaluate their hashes. If one coincides with one of his or her M stored values, the attacker can replace the observed message with the (attacker's) forged message and append the victim's signature from the observed message. The probability of not getting a hit is

"no-hit" = ((N − M)/N)^{N1}

where N is the total number of hashed values possible. When M = N1 = N^{1/2} this probability is 1/e = 0.37, when N is large. For example, with m = 64 bits in the hash output, a conveniently ordered table of N2 = 2^32 substitute messages would give a match of hashed values probably after N1 = 2^32 observed messages. These numbers, though large, are certainly not beyond the storage capacities of computers or the volume of transactions on communication channels. Thus, to preclude the brute force, trial and error inversion of the one-way function, a large range of hash outputs (e.g., 2^m with m = 512) would be appropriate when used with RSA digital signatures. Another useful defence is to include in the message to be hashed a value, such as the message length or the password-for-the-day, which the receiver must verify as present, but which the attacker does not know when precomputing the N2 substitute messages.
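The birthday figures quoted above, worked through as an added example (not from the book): the recurrence for p_m, the 23-person threshold, and the attacker's no-hit probability ((N − M)/N)^{N1} for the 64-bit hash case.

```python
import math

def no_shared_birthday(m: int, days: int = 365) -> float:
    """p_m: probability that none of m people share a birthday, from the
    recurrence p_m = p_{m-1} * (days + 1 - m) / days with p_1 = 1."""
    p = 1.0
    for k in range(2, m + 1):
        p *= (days + 1 - k) / days
    return p

def birthday_threshold(days: int = 365) -> int:
    """Smallest m for which a shared birthday is more likely than not."""
    m = 1
    while no_shared_birthday(m, days) >= 0.5:
        m += 1
    return m

def no_hit_probability(n_values: int, m_list: int, n1_observed: int) -> float:
    """((N - M)/N)^N1: chance that none of N1 observed hashes falls in the
    attacker's table of M precomputed hashes, N being the range of the hash."""
    return (1.0 - m_list / n_values) ** n1_observed

def forgery_table_size(hash_bits: int) -> int:
    """Table and observation counts at which the no-hit probability is about
    1/e: N^(1/2) = 2^(m/2) for an m-bit hash (2^32 for m = 64)."""
    return 2 ** (hash_bits // 2)

def preimage_no_hit(hash_bits: int, attempts: int) -> float:
    """exp(-n/2^m): chance that n random trials all miss one given m-bit value."""
    return math.exp(-attempts / 2 ** hash_bits)

if __name__ == "__main__":
    print(birthday_threshold())                                  # 23
    t = forgery_table_size(64)
    print(t, no_hit_probability(2 ** 64, t, t))                  # 4294967296, ~0.37
    print(preimage_no_hit(64, 2 ** 64))                          # ~0.37
```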
Given the "size" of the one-way function, how should it be constructed? One possibility is to use a block encryptor which, if it is any good, is certainly one-way key-to-cyphertext, assuming the plaintext to be known. However, a block encryptor is designed to be reversible (i.e., not one-way) plaintext-to-cyphertext, if the key is known. These observations give rise to various possibilities for a hash function based on repeated use of a block encryptor. To understand the issues it is instructive to look at the CBC generation of a MAC, discussed in Chapter 2 and redrawn in Figure 4.22.

The notation is as follows: X_i is the ith block of the message; Z_i is the running hash (i.e., the final Z_n is the hash); E is the block encryptor; Δ is a one-block buffer, with initial value IV. In Figure 4.22, Z_i can only be predicted if the key is known. A change or error e added to X_i will produce a Z'_i whose effect on Z_{i+1} can be neutralised if an antidote d is added to X_{i+1} such that d = Z_i − Z'_i. Thus an attacker could possibly preserve the final hash value, while adding e to X_i to suit his or her nefarious purposes, and adding a hopefully innocuous d to X_{i+1} to hide tracks. For a general purpose hash function secret inputs are perhaps undesirable (secrecy should be confined to the real keys); so Figure 4.22 is unsuitable because if the key is not secret Z_i and Z'_i are predictable, and fraud can be perpetrated using their difference, as shown. (Note that we have written plus and minus so as not to prejudge the issue whether conventional addition or XORs are used.)

In Figure 4.22, the message input and the feedback went to the plaintext entry point. Figures 4.23-25 show some other possibilities, as follows:

• message to key entry point, feedback to plaintext entry (Fig. 4.23);
• message to plaintext entry, feedback to key entry (Fig. 4.24);
• message and feedback to key entry point (Fig. 4.25).

In Figure 4.23, to return to the original Z_{i+1} after a new Z'_i (caused by adding e to X_i) we need to be able to find a "key" (X_{i+1} + d) which will map Z'_i to Z_{i+1}. This is not straightforward, but a "birthday paradox" attack might be possible. In Figure 4.24, to restore Z_{i+1} all we need to do is exploit the reversibility of E and decrypt Z_{i+1} under Z'_i as key to find the desired input (X_{i+1} + d). The system is unacceptable. In Figure 4.25, a fixed plaintext is supposed, on the assumption that the plaintext is known. Z_{i+1} can be restored by ensuring that d = Z_i − Z'_i is added to X_{i+1}. This case is very similar to Figure 4.22, in that no secret input (in this case plaintext) is used, and is unacceptable.

Figure 4.23 Hashing with message as key.

Figure 4.24 Hashing with fed back key.

Figure 4.25 Hashing with fixed plaintext.

Figure 4.26 shows a variant to Figure 4.23 that has been proposed. It appears to have little additional merit since Z_{i+1} can still be restored if we can find a key (X_{i+1} + d) which maps Z'_i to (Z_{i+1} + Z_i). The conclusion is that Figure 4.23 is the only scheme that should be considered, and it relies on a large key length to frustrate the birthday paradox attack.

All these schemes (and more can be invented) based on a block encryptor have the disadvantage that the encryption function itself is likely to be complex and slow. This has led to hash functions based on one of the simplest difficult-to-invert operations, which we met when considering the Fiat-Shamir algorithm. This operation is that of extracting modular square roots. Let the encryption function be

Z_i = (X_i + Z_{i−1})^2 mod n,

and consider Figure 4.22 with no key input (or Fig. 4.25 with no plaintext input). Z_{i+1} is easily restored from a changed Z'_i by setting d = Z_i − Z'_i. But if the X_i are constrained in some way, the addition of such a value d is not possible. As we have seen, a typical constraint used is to expand the message stream of X_i before input to the function by the regular insertion of fixed bit patterns, with which it is very unlikely an arbitrary d will comply.
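The modular-squaring hash and the antidote argument above, as an added example that is not from the book: `antidote` applies the change e to X_i and computes d = Z_i − Z'_i for X_{i+1} so that the final hash is unchanged, and `conforms` is a constructed formatting constraint (every block must end in a fixed bit pattern) of the kind the text says an arbitrary d is very unlikely to satisfy.

```python
def square_hash(blocks: list, n: int, iv: int = 0) -> int:
    """Z_i = (X_i + Z_{i-1})^2 mod n; the final Z is the hash (Fig. 4.22 with no key)."""
    z = iv
    for x in blocks:
        z = (x + z) * (x + z) % n
    return z

def running_values(blocks: list, n: int, iv: int = 0) -> list:
    """All the intermediate Z_i, for inspection."""
    zs, z = [], iv
    for x in blocks:
        z = (x + z) * (x + z) % n
        zs.append(z)
    return zs

def antidote(blocks: list, n: int, i: int, e: int, iv: int = 0) -> list:
    """Add e to X_i, then add d = Z_i - Z'_i (mod n) to X_{i+1}.  Because
    X_{i+1} + d + Z'_i = X_{i+1} + Z_i, every Z from i+1 onward is restored."""
    assert 0 <= i < len(blocks) - 1, "needs a following block to carry d"
    zs = running_values(blocks, n, iv)
    forged = list(blocks)
    forged[i] = (blocks[i] + e) % n
    z_prev = zs[i - 1] if i > 0 else iv
    z_prime = (forged[i] + z_prev) * (forged[i] + z_prev) % n
    d = (zs[i] - z_prime) % n
    forged[i + 1] = (blocks[i + 1] + d) % n
    return forged

# Constructed constraint standing in for the "regular insertion of fixed bit
# patterns": every block must carry the pattern 0xA5 in its low octet.
PATTERN = 0xA5

def conforms(blocks: list) -> bool:
    return all(x & 0xFF == PATTERN for x in blocks)

def forgery_detected(blocks: list, n: int, i: int, e: int) -> bool:
    """The hash is unchanged, yet the forged stream fails the format check: the
    antidote d lands in the fixed-pattern bits, which an honest message never alters."""
    forged = antidote(blocks, n, i, e)
    assert square_hash(forged, n) == square_hash(blocks, n)
    return not conforms(forged)

if __name__ == "__main__":
    # Small worked case, checkable by hand: Z = 9, 12, 16 before; 16, 12, 16 after.
    print(square_hash([3, 5, 7], 23), antidote([3, 5, 7], 23, 0, 1))   # 16 [4, 21, 7]
    # Realistic size: a 61-bit prime modulus and blocks carrying the fixed pattern.
    n = 2 ** 61 - 1
    msg = [(x << 8) | PATTERN for x in (0x1234, 0xBEEF, 0xCAFE, 0x4242)]
    # e is a multiple of 256 so that the changed X_i itself still conforms.
    print(conforms(msg), [forgery_detected(msg, n, 1, e) for e in (0x100, 0x200)])
```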
Figure 4.27 MD4 structure.
Repeat (3) and (4) until input is exhausted. The result is A, B, C, D.

The functions f(), g(), and h() are used in the processing in the form:

• R1 = R1 + function(R2, R3, R4) + X_i(j) + magic number;
• Rotate R1 left some bits.

R1 represents one of the words A, B, C, or D, and R2, R3, and R4 the others, while j runs from 1 to 16 over the 32-bit words making up X_i. Each A (or B, C, or D) is updated four times over these 16 iterations. Each X_i(j) is used three times over the three rounds per X_i. The functions f(), g() and h() are bit-by-bit logical operations on R2, R3, and R4, such as AND, OR, XOR, and complement. MD4 handles an all-zero message by means of the initial values for A, B, C, D. It appears to have no particular mathematical foundation, and acts simply as an elaborate irreversible scrambler. An extension of it produces a 256-bit output; but a 512-bit hash value, considered necessary for RSA, is not supported.

There are, of course, innumerable other hash functions used for a wide variety of purposes. We have only considered one or two particularly relevant ones.

4.5.2 Random Numbers
Random numbers are required in several cryptographic procedures. For example, they are used in reciprocal authentication to frustrate replay attacks. They are used as symmetric keys. They are the starting values when searching for prime numbers in the generation of RSA keys, and they are used in digital signatures. Algorithms are required to generate these random numbers.

There is always a philosophical argument about generated random numbers. On the one hand, a random number intuitively is totally unpredictable. How can it be generated by a deterministic computer programme? It should depend on random physical phenomena, such as electrical noise or even cosmic rays, and integrated circuits have been developed to produce such noise-based random numbers. (Philosophers supporting this point of view clearly do not hold with a deterministic universe.) On the other hand, randomness can be defined in terms of statistical quantities, such as variances and correlations, and a fully deterministic algorithm can be written to generate a sequence of numbers that is formally random by these rigorous definitions. An example of such deterministic procedures is given by the maximum length FBSRs discussed earlier for stream encryption.

A compromise is usually reached by using a deterministic algorithm that generates a sequence into which an extraneous unpredictable component is also introduced. This extraneous component is, typically, based on the computer's internal clock. It could be the millisecond component of the real time, it could be the time interval between this and the previous activation of the random number algorithm, or the time could be implicitly involved by having a free-running continuous random number generator, which is sampled at unpredictable intervals by the routines which need it.

Any randomising function might be used in the basic sequence-generating algorithm, and obvious candidates are block encryptors and hash functions with some suitable feedback connections to ensure that the output changes in the absence of a varying plaintext input. For example, in Chapter 3, a procedure was presented based on an encrypting function E, the date/time d, and an initialising vector v (see Fig. 4.28). The algorithm is

i = E(d)
r = E(i + v)
v = E(r + i)

Note that the plus sign denotes XOR. The output random number is r, while i is an intermediate value. Any randomising function will serve for E. There is no reason why it should be reversible, and a good hash function would be suitable.
Figure 4.28 ANSI random number generation.
There are two objections to such a procedure for generating random numbers. Firstly, it is computationally slow. The encryption/hashing function is invoked three times to produce one random number and to update v for next time. This hardly matters if we only want one or two numbers, but if a series is required the delays could be serious. Secondly, although it is intuitively obvious that the procedure randomises on the whole, and although statistical tests on the series of r produced show it empirically to be random, it is very hard to prove anything about the output of the procedure. For example, if d is held constant, what is the "period" of r (i.e., after how many iterations will it return to a previous value)?
Simpler random number generators, which address these problems, have long been known. Perhaps the best known is the linear congruential generator (LCG) defined by

x_{n+1} = (a x_n + c) mod m

where the modulus m, the constants a, c, and the initial starting value x_0 are suitably chosen. The usual requirement is that the period of the output random numbers is long. Clearly a prerequisite for this is that m is large, and a good choice for m is a large prime number. (The intuitively appealing idea that m should equal 2^t, where t is the word-length of the computer in use, thus simplifying modular arithmetic, is not acceptable: if d divides m, then y_n = x_n mod d is an LCG with a smaller modulus and shorter period. This implies that the least significant bits of x_n follow a short-period repetition cycle and are far from random.)

If maximum periodicity is required, x_n must take on all values less than m including 0; so without loss of generality we could then take x_0 = 0. This gives

x_n = c r_n − m s_n

for some integer s_n, with r_n = (a^n − 1)/(a − 1). For maximum periodicity we must have x_n = 0 (mod m) only when n = m; this implies that c and m are relatively prime, which is of course achieved if m is prime. It can also be shown that for maximum periodicity a − 1 must be divisible by all the prime factors of m, giving a rather trivial LCG if m is prime (a = 1). For this reason the most-used LCG is the multiplicative LCG (MLCG), in which c = 0 and

x_{n+1} = a x_n mod m.

This gives x_n = a^n x_0 mod m, and if m is prime and a is a primitive element of the multiplicative group (modulo m), the period is (m − 1), since a^{m−1} = 1 mod m (Fermat's Theorem) and a^n ≠ 1 mod m for 0 < n < m − 1 when a is primitive. Various methods are used for combining MLCGs to produce sequences with longer periods (e.g., the least common multiple of the component sequences) and to satisfy, in particular, the "spectral" tests. However, in most applications of random number generation to cryptography we are more interested in the unpredictability of the numbers generated than in their optimal statistical randomness.
Any linear system is very predictable, in the sense that observing or guessing a few outputs enables the parameters, such as a, c, m, x_0 of the LCG, to be determined. For this reason it is often desirable to make simple random sequences more random using nonlinear techniques. One such nonlinear approach is that of shuffling or reordering the output of an LCG using the values output as ordering indices. The fact that the LCG goes through all m or (m − 1) possible values before repeating means that we can be fairly confident that a reasonable amount of shuffling will still maintain uniformity (i.e., equal frequencies for all values of x_n). Shuffling can be performed using a buffer store holding t items, as shown in Figure 4.29. The buffer b(j), j = 0 to t − 1, is suitably initialised (e.g., by the first t numbers from the LCG). Thereafter, an index mechanism is used to pick a location j in the buffer from which the next number of the shuffled output is taken, and which is then refilled by the next unshuffled number from the LCG.

An additional advantage of shuffling is that it increases greatly the period of the sequence. Essentially, the shuffled output will repeat only when the shuffled input repeats and the state of the buffer is the same as it was on the first occurrence of the repeated unshuffled input. In one standard procedure, the index j = [t y/m], where y is the previous value extracted from the buffer and m is the LCG modulus. This is not very good for unpredictability, since the output values y are, in principle, observed.

Figure 4.29 Shuffling LCG output.
where
z is
some
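The LCG discussion above (the period of the multiplicative generator, the short-period low bits when m = 2^t, the predictability of any linear generator, and the buffer shuffle of Figure 4.29) as an added example that is not the book's code. `recover_parameters` solves the two linear congruences that three consecutive outputs give for a and c; the generator constants are constructed.

```python
from itertools import islice

def lcg(a: int, c: int, m: int, x0: int):
    """x_{n+1} = (a x_n + c) mod m, yielding x_1, x_2, ..."""
    x = x0
    while True:
        x = (a * x + c) % m
        yield x

def period(a: int, c: int, m: int, x0: int) -> int:
    """Steps until x_0 recurs (m + 1 if it never does).  For small m only."""
    n = 0
    for x in lcg(a, c, m, x0):
        n += 1
        if x == x0 or n > m:
            return n

def low_bits_period(a: int, c: int, m: int, x0: int, bits: int) -> int:
    """Period of x_n mod 2^bits.  When 2^bits divides m, y_n = x_n mod 2^bits is
    itself an LCG with the smaller modulus, so its period is short."""
    d = 1 << bits
    assert m % d == 0
    return period(a % d, c % d, d, x0 % d)

def recover_parameters(outputs: list, m: int) -> tuple:
    """Given three consecutive outputs and the modulus, solve
    x2 = a x1 + c and x3 = a x2 + c for a and c (x2 - x1 invertible mod m)."""
    x1, x2, x3 = outputs[:3]
    a = (x3 - x2) * pow(x2 - x1, -1, m) % m
    c = (x2 - a * x1) % m
    return a, c

def predict_next(outputs: list, m: int) -> int:
    a, c = recover_parameters(outputs, m)
    return (a * outputs[-1] + c) % m

class Shuffler:
    """Figure 4.29: a buffer of t items; the index j = [t y / m] is formed
    from the value y extracted last time, and the emptied slot is refilled
    from the unshuffled stream."""

    def __init__(self, source, t: int, m: int):
        self.src, self.t, self.m = source, t, m
        self.buf = [next(source) for _ in range(t)]
        self.last = self.buf[-1]        # constructed choice of starting index value

    def next(self) -> int:
        j = (self.t * self.last) // self.m     # 0 <= j < t because last < m
        y = self.buf[j]
        self.buf[j] = next(self.src)
        self.last = y
        return y

def shuffle_preserves_values(a: int, c: int, m: int, x0: int, t: int, k: int) -> bool:
    """After k draws, the outputs plus the buffer contents are exactly the first
    k + t LCG values: shuffling reorders the stream, it does not alter it."""
    raw = list(islice(lcg(a, c, m, x0), k + t))
    sh = Shuffler(lcg(a, c, m, x0), t, m)
    out = [sh.next() for _ in range(k)]
    return sorted(out + sh.buf) == sorted(raw)

if __name__ == "__main__":
    print(period(2, 0, 101, 1))                  # 100: 2 is primitive mod 101
    print(low_bits_period(5, 1, 16, 0, 1))       # 2: the LSB of an m = 2^4 LCG alternates
    xs = list(islice(lcg(7, 3, 101, 5), 4))
    print(xs, predict_next(xs[:3], 101) == xs[3])   # [38, 67, 68, 75] True
    print(shuffle_preserves_values(7, 3, 101, 5, 8, 50))
```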
…confidentiality.

• Content integrity (B.1). An end-to-end (UA/UA) element of service by which the integrity of the content of a message is protected.
• Connection integrity (X.402). Protection of the integrity of (traffic on) the association between neighbouring MHS entities (e.g., MTA to MTA).
• Content confidentiality (B.10). As for content integrity, but the message content's confidentiality is protected.
• Connection confidentiality (X.402). As for connection integrity, but confidentiality is protected.
General Message Security Services

• Message sequence integrity (B.42). An end-to-end service permitting recipient UAs to check that messages arrive in the sequence sent.
• Message flow confidentiality (B.40). Concealment of the existence of message traffic.

Registration Security Services

• Register (X.402). A UA registers its capabilities with an MTA, so that the MTA knows how to handle it, what messages it can deliver, and so forth. The normal X.400 register function can be extended to include security parameters and characteristics.
• MS-Register (X.402). The registration function between a UA and its MS. Security parameters may be included.
• Change credentials (X.402). An MHS entity may use this element of service to change its credentials (e.g., passwords) in a neighbouring MHS entity.
These elements of service are all optional. They are, in general, complex because they can be provided by a range of mechanisms (e.g., symmetrical or asymmetrical procedures and algorithms) to permit maximum flexibility in implementation. They frequently overlap, so that provision of one security element of service automatically provides another, in whole or in part. For example, nonrepudiation of submission includes proof of submission, or message origin authentication can include content integrity.

The mechanisms for providing the specified security services are outlined in X.402 and detailed in X.411, covering P1 and P3, and in X.413, covering the MS and P7. It is notable that the end-to-end "protocol" (P2) (really formatting rules) contains no security functions or parameters. End-to-end security services, such as content confidentiality, are implemented by encrypting the entire content (e.g., entire P2 message) and carrying the associated parameters in the P1/P3 message envelope. In some respects the details of the security mechanisms in X.411/X.413 are very thorough. A huge range of possibilities is covered. In other respects they are incomplete.
126
For example, there hence,
RSA
no specification of algorithms
is
X.509 and,
to be used, although
are indicated as relevant. Similarly, the details of operation of the security
context and message security labelling elements of service are
left
largely unspecified,
and the recommendations confine themselves to the carrying of parameters in the envelope. The need for certification (see Chap. 3) for certifying a user's public key is recognised, •
• Signature algorithm identifier — identifying the algorithm used by the certification authority (CA) in computing the signature (to the certificate owner's identity, public key, and so forth);
• Issuer — the CA's identity;
• Validity — dates and times specifying the start and end of a period of validity for the certificate;
• Subject — the owner's identity;
• Subject public keys — the owner's public key(s);
• Algorithms — the identities of the algorithms to be used with those public keys;
• Signature — a digital signature by the CA to (the hash of) all the previous parameters.
Subject and subject public keys are the most important fields of the certificate. It is essential that there be no ambiguity about the key's owner, which might allow imposters to claim that their own (valid) certificate was someone else's, with the subject identifier being just another name for that other person. Subject is defined as being a directory name, so that the X.500 directory service is invoked to resolve all problems of identity, pseudonyms, and synonyms.
X.411 also defines a token. A token is a special package of commonly needed security parameters, with an attached signature by the token's originator. The token is defined as:
• Signature algorithm identifier — identifying the algorithm used by the token's originator in signing the token;
• Recipient name — the identity of the intended recipient of the token;
• Time — of generation of the token;
• Signed data — public (i.e., unencrypted) security data carried in the token;
• Encryption algorithm identifier — identifying the algorithm used to encrypt the data field;
• Encrypted data — data encrypted by the token originator using the public key of the intended recipient;
• Signature — to (the hash of) all the above parameters, generated by the token's originator.
As an example of use of tokens, one may consider the message token used to protect messages, and carried in the message envelope. Signed data would then typically include an integrity check (e.g., hash or checksum) on the message content, or the message security label. Encrypted data might include, for example, a symmetric key (with which the message content is in turn encrypted), or the message's sequence number.
It is clear that X.411 is fully committed to asymmetric key cryptology, exploiting its possibilities comprehensively in defining certificates and tokens, even though many MHS security functions are available using only symmetric key cryptology. It is worthwhile looking at the mechanisms that can be used to effect the X.400 security elements of service. As previously indicated, some of these mechanisms are relatively complicated, so only the most important aspects will be discussed. For the finer details the reader should study the X.411 Recommendation.
5.2.1 Origin Authentication
One method of providing the message/probe/report origin authentication elements of service is to generate a corresponding "origin authentication check" in the form of a digital signature, by the sender, to the critical elements of the item (e.g., the content identifier or content of a message). This check is put in the envelope and can be validated by any MHS component through which the item (message/probe/report) passes, to check the genuineness of the purported origin. In the case of a message whose content is encrypted, being checked in this way the signature is on the encrypted version of the content, not the unencrypted version. As such it is not an adequate mechanism for providing nonrepudiation of the origin of the message plus its (unencrypted) content. For this reason an alternative means of providing message origin authentication using the message token is specified. Essentially, this consists of generating a content integrity check (e.g., check digits for the message prior to encryption, if present) and including it in the signed-data field of the token, which itself is in the message envelope.
This mechanism has been criticised on the grounds that attackers could intercept such a message with an encrypted content and, by regenerating the token using their own secret key for the signature, then claim authorship of the message for themselves — even though the (unencrypted) content is not known. To avoid this weakness the content integrity check should be a digital signature to the content by the originator. This, however, does imply a clumsy signature to a signature, when the structure of the token is taken into account. It will be appreciated that origin authentication based on a digital signature not only gives nonrepudiable proof of who made this signature — it also serves as a check on the validity of the data covered by the signature. (See Sec. 5.2.4).
5.2.2 Proof and Nonrepudiation of Submission and Delivery
These security elements of service are provided to the originator of a message in response to explicit request flags, which are security arguments in the envelope of the message submitted to the MTS, either directly (UA to MTA, P3) or indirectly via the message store (UA to MS, P7). For submission, the proof is returned immediately as a result of the submission operation, and guarantees that the MTS has accepted the message. This request-result operation is in effect interactive, and relies on an underlying layer 7 application service entity (ASE), namely the remote operations service entity (ROSE), which provides the result. (See Fig. 5.4.) In reality, most operational MHSs do not support P3, but have collocated UA and MTAs, so that this service, if provided, is usually implemented in internal MTA-UA software.
The proof of submission algorithm consists of check digits computed using an appropriate algorithm operating on all relevant submitted message parameters, plus the message submission identifier and message submission time as determined by the receiving MTS. If the check digits are a digital signature, implemented using the secret key of the originating MTA (the MTA to which the originator submitted the message), then we have nonrepudiation of submission. This leads to questions about holding and using secret keys for nonrepudiation purposes in equipment, such as MTAs, which in normal circumstances not only have no human intervention, but are frequently installed in locations with no human presence at all.
Proof of delivery, by contrast, originates from the UA to which delivery is made by the MTS, again as a result of the delivery operation based on ROSE. This result is received by the MTA performing the delivery and then incorporated as an argument into the report sent back to the originating UA, as shown in Figure 5.5. The proof of delivery again consists of check digits computed from the identity of the actual recipient, the delivery time, the message content, and so forth. If the check digits are a digital signature created by the recipient UA using its secret key, we have nonrepudiation of delivery. When that delivery is to an MS, X.402 allows "proof of delivery" to be generated by the MS for transmission back to the remote originating UA — although, as discussed, objections could be raised to this procedure. However, nonrepudiation of delivery to an MS is not supported, although the abstract service definitions of X.413 and X.411 ignore this point.
Figure 5.4 Proof of submission. [UA sends Submit (message + proof of submission request) to the MTA; the MTA returns Result (proof of submission).]
Figure 5.5 Proof of delivery. [Originating UA: Submit (message + proof of delivery request); MTA to MTA transfer; Deliver (message + proof of delivery request) to the recipient UA; Result (proof of delivery) to the delivering MTA; Report (proof of delivery) back through the MTAs to the originating UA.]
Both nonrepudiation of submission and delivery make provision for the transmission of the signatory's certificate back to the message originator, so that the digital signature
can be validated.
5.2.3 Secure Access Management
This service can apply between any directly associated pair of MHS entities (e.g., UA to MTA, MTA to MTA, UA to MS, MS to MTA, and so on, but not UA to UA). The exchange of secure identification parameters takes place in the "bind" operation, which establishes an "association" between the entities in accordance with the association control service entity (ACSE) — another ASE on which X.400 relies. Bind operations are two-way; bind arguments are sent by the initiator of the proposed association, and bind results are returned by the responder. Secure access management can be performed in many ways. At its simplest, it can be a one-way submission of a password as bind argument. More probably, two-way "strong" authentication (X.509) is used, since the reciprocal authentication required for secure access management maps readily onto the two-way bind procedure.
In this case a bind token (i.e., a token adapted to the security requirements of the bind operation) is used, sent as a bind argument, and another token returned as a result. Essentially, the procedure of Figure 2.16 is used, with the date/time held in the usual field of the token, the random number being in the signed data, and the MAC being replaced by the digital signature to the token. The encrypted-data field of the token could be used to convey a symmetric key for ensuring subsequent confidentiality of all traffic on the association (e.g., by encryption at the transport layer). (See Sec. 2.3.4). Accompanying each token will be the certificate of its signatory to permit validation by the receiving entity.
The bind operation must also establish the security context for the association. As defined in X.400, the concept of the security context is that of a list of security labels specifying, essentially, which messages (as determined by the message security label carried in a message's envelope) can use or traverse the context (e.g., be conveyed over the association). Security labels may be associated with other objects than messages. In particular, MTAs and MTS users (e.g., UAs) can have security labels, and any security context established between such entities must be compatible with their intrinsic security as defined by these labels. Moreover, MTS users can register (see below) their security status in the form of security labels with the MTS. Thus, when a security context is proposed by an MTS user in a bind operation, that operation is only successful if the proposed context is permitted, both by the addressed MTA and by the registered security labels of the MTS user, and, if the context is successfully established, only those messages whose security labels are compatible with it may be transferred. Finally, an established security context can be temporarily limited using submission/delivery control commands across the association to a subset of the security labels originally agreed to.
Recommendation X.411 defines security labels in the form of a four-level hierarchy:
• security policy identifier;
• security classification (ranging from unmarked, unclassified, to top secret);
• privacy mark (a printed string such as "IN CONFIDENCE");
• security categories (further qualifications such as "staff only").
However, despite this detail it is left to the undefined (i.e., system dependent) security policy to determine whether or not security contexts and labels are anything more than words. For example, if a "top secret" context is established, are messages in transit any better protected than if an "unclassified" context is set up?
In practice, an operator of an MHS is likely to decide (for example) that high security must be associated with the presence of other security functions, such as strong reciprocal authentication, followed by a "secure session"; use of proof of submission and proof of delivery. Security policies of this sort can readily be defined for a given MD, but problems then arise when interworking with other MDs where the security labels do not imply the same physical or logical protection services. A further problem area is that most MDs will wish to support a range of security contexts, in particular to allow users with no security facilities to exchange messages with other users, who may or may not have security facilities themselves. This capability too can be specified for a given MD, but it is likely to be a further source of incompatibilities with other MDs. In summary, security contexts and labels in X.400 are words that control whether or not associations can be set up or messages passed. To give these words substance, in the form of determining the presence or absence of real security services, is a function of the security policy — undefined in X.400 MHS.
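The following Python is an added example, not code from the book or from any X.400 implementation. It models the four-level label and the two checks the text describes: at bind time, a proposed security context is accepted only if every label in it is permitted both by the addressed MTA and by the labels the MTS user registered; afterwards, a message may be transferred only if its label is compatible with the established context, and submission/delivery control can narrow the context to a subset of the agreed labels. Because X.400 leaves the compatibility rule to the (undefined) security policy, the rule used here (same policy identifier, classification at least as high, categories a superset) and the intermediate classification names are assumptions of the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional

# X.411 says the classification ranges from unmarked and unclassified up to
# top secret; the intermediate levels are an assumption of this example.
CLASSIFICATIONS = ("unmarked", "unclassified", "restricted",
                   "confidential", "secret", "top secret")


@dataclass(frozen=True)
class SecurityLabel:
    """Four-level label: policy identifier, classification,
    privacy mark (a printed string, informational here), categories."""
    policy_id: str
    classification: str
    privacy_mark: str = ""
    categories: FrozenSet[str] = frozenset()

    def rank(self) -> int:
        return CLASSIFICATIONS.index(self.classification)


def dominates(granted: SecurityLabel, required: SecurityLabel) -> bool:
    """Assumed compatibility rule: same policy, classification at least as
    high, and every category demanded by 'required' also held by 'granted'."""
    return (granted.policy_id == required.policy_id
            and granted.rank() >= required.rank()
            and required.categories <= granted.categories)


def permitted(label: SecurityLabel, allowed: Iterable[SecurityLabel]) -> bool:
    return any(dominates(a, label) for a in allowed)


def bind(proposed: List[SecurityLabel],
         mta_labels: List[SecurityLabel],
         registered_user_labels: List[SecurityLabel]) -> Optional[List[SecurityLabel]]:
    """Bind-time negotiation: the context is established only if each proposed
    label is permitted by the MTA and by the user's registered labels."""
    if all(permitted(l, mta_labels) and permitted(l, registered_user_labels)
           for l in proposed):
        return list(proposed)
    return None          # bind fails


def may_transfer(message_label: SecurityLabel, context: List[SecurityLabel]) -> bool:
    """Per-message check of the envelope's label against the established context."""
    return permitted(message_label, context)


def restrict(context: List[SecurityLabel],
             subset: Iterable[SecurityLabel]) -> List[SecurityLabel]:
    """Submission/delivery control: temporarily limit the context to a subset
    of the labels originally agreed to."""
    keep = set(subset)
    return [l for l in context if l in keep]


def demo() -> dict:
    P = "example-policy"                       # constructed policy identifier
    secret_staff = SecurityLabel(P, "secret", "IN CONFIDENCE", frozenset({"staff only"}))
    unclassified = SecurityLabel(P, "unclassified")
    mta_labels = [SecurityLabel(P, "top secret", "", frozenset({"staff only"}))]
    user_labels = [secret_staff]               # what the user registered with the MTS

    context = bind([secret_staff, unclassified], mta_labels, user_labels)
    refused = bind([SecurityLabel(P, "top secret")], mta_labels, user_labels)  # user not cleared
    limited = restrict(context, [unclassified])
    return {
        "bind_ok": context is not None,
        "bind_refused": refused is None,
        "secret_msg": may_transfer(SecurityLabel(P, "secret", "", frozenset({"staff only"})), context),
        "top_secret_msg": may_transfer(SecurityLabel(P, "top secret"), context),
        "secret_after_limit": may_transfer(secret_staff, limited),
        "other_policy": may_transfer(SecurityLabel("other-policy", "unclassified"), context),
    }


if __name__ == "__main__":
    print(demo())
```

The last two entries of the result illustrate the text's points: after submission control narrows the context, a "secret" message that was acceptable a moment earlier is refused, and a label under a different policy identifier is never compatible, whatever its classification, because nothing in X.400 says how two MDs' policies relate.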
5.2.4 Integrity/Confidentiality
It has been shown how content integrity (the integrity of the message content), which is an end-to-end service, can be provided by the message origin authentication check (a digital signature) in the envelope if the content is not encrypted. Whereas no one can forge this signature, an attacker can completely remove it and replace it with their own, claiming authorship of the message — if he can simultaneously alter other envelope fields such as the originator's identifier. For this reason, in certain cases it is wiser to use the explicit content integrity check mechanisms for this service. This check is always calculated on the unencrypted content, and if the content is then encrypted, no attacker can regenerate the check; so, if the check is a digital signature, it is indeed secure.
As stated earlier, the check usually forms the signed data of the message token, and covers not only the message content but also the content-integrity-algorithm identifier. The content integrity check is however a per recipient parameter, by which is meant that if a given message is sent to many recipients, a different check can be used for each one. This situation would arise if the message originator shared a different symmetric key with each recipient, the check carrying the identifier of the key it was calculated using. Additionally, the content integrity check need not be put in the token, but can be sent on its own in the envelope. However, use of the token has the advantage of associating the check with other parameters (e.g., the security label) under the one signature to the token.
Content confidentiality is also an end-to-end service, provided by encrypting the content. The identifier of the algorithm used is a per message parameter, and if it is an asymmetric algorithm there can be only one recipient. However, if a single symmetric algorithm and key are used for many recipients, then the key can be sent securely in the encrypted data field of the (per recipient) token, as discussed previously.
Connection integrity and connection confidentiality services are not provided by the MHS itself but can be invoked implicitly or explicitly by the security context established with the association or by parameters (e.g., connection integrity/confidentiality keys, encrypted in the bind token). A major area of discussion can be opened here, addressing the extent to which connections between MHS components (e.g., MTAs) are opened and closed for each message transferred, and the extent to which there are permanent connections. Obviously this discussion affects the degree to which connection integrity/confidentiality services can be related to specific MHS users, as opposed to forming or not forming part of the permanent infrastructure. We do not enter this discussion here. In practice, most implementations would have a one-to-one mapping from an application layer association down to a transport layer connection, and then the higher layer integrity/confidentiality services would in fact be provided at the transport layer.
Versions of the transport protocol, permitting the encryption and protection with integrity checks of the transport protocol data units conveyed, exist in prestandardised form, commonly known as SP4. The format of SP4 protocol data units is illustrated in Figure 5.6. Each transport protocol data unit (TPDU) (i.e., complete transport layer command), whether carrying data, or setting up or clearing a transport connection, is given a protected header and an integrity check value (ICV) (e.g., a MAC) calculated from the protected header and the TPDU itself. In turn these three fields can be encrypted. A clear header, preceding the three fields (encrypted or not), contains among other things the identifier of the key for encryption, which may be the same as that of the ICV. This secure transport protocol relies on the basic sequence numbers in the TPDUs for sequence control and replay detection, and on a final sequence number in the protected header for detection of truncation. A novel feature is a direction indicator, also in the protected header, to detect "reflection", or a recipient echoing back a TPDU to its originator to produce some evil effect — always possible if symmetric security algorithms are used.
Figure 5.6 SP4 protocol data unit. [Clear header; protected header; TPDU; ICV computed over the protected header and the TPDU.]
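As an added example (not from the book, and not the SP4 specification's own encoding), the Python below frames a TPDU the way the paragraph describes: a clear header carrying the key identifier, a protected header carrying the sequence number and a direction indicator, the TPDU itself, and an ICV computed over the protected header and the TPDU. The receiving endpoint rejects a bad ICV, a replayed or out-of-order sequence number, and a reflected frame (one whose direction indicator says it was sent by the receiver itself). The field layouts, the use of truncated HMAC-SHA256 as the MAC, and the two direction values are assumptions; the optional encryption of the three protected fields and the final-sequence-number check are omitted.

```python
import hashlib
import hmac
import struct

ICV_LEN = 16                       # truncated HMAC-SHA256 serves as the ICV (a MAC)
CLEAR_HDR = struct.Struct("!H")    # clear header: key identifier (assumed layout)
PROT_HDR = struct.Struct("!IB")    # protected header: sequence number, direction (assumed layout)

INITIATOR, RESPONDER = 0, 1        # direction indicator values (assumed)


def compute_icv(key: bytes, protected_hdr: bytes, tpdu: bytes) -> bytes:
    """ICV over the protected header and the TPDU, under the key named in the clear header."""
    return hmac.new(key, protected_hdr + tpdu, hashlib.sha256).digest()[:ICV_LEN]


def protect(key_id: int, key: bytes, seq: int, direction: int, tpdu: bytes) -> bytes:
    """Wrap one TPDU as: clear header || protected header || TPDU || ICV.
    (SP4 may additionally encrypt the last three fields; omitted here.)"""
    prot = PROT_HDR.pack(seq, direction)
    return CLEAR_HDR.pack(key_id) + prot + tpdu + compute_icv(key, prot, tpdu)


class SecureTransportEndpoint:
    """Receiving side of one transport connection."""

    def __init__(self, keys: dict, my_direction: int):
        self.keys = keys                  # key identifier -> symmetric key
        self.my_direction = my_direction  # direction value this endpoint puts in frames it sends
        self.expected_seq = 0

    def unprotect(self, frame: bytes):
        """Return (accepted, reason, tpdu); the checks run in the order a receiver needs them."""
        if len(frame) < CLEAR_HDR.size + PROT_HDR.size + ICV_LEN:
            return False, "short frame", None
        (key_id,) = CLEAR_HDR.unpack_from(frame, 0)
        key = self.keys.get(key_id)
        if key is None:
            return False, "unknown key id", None
        prot = frame[CLEAR_HDR.size:CLEAR_HDR.size + PROT_HDR.size]
        tpdu = frame[CLEAR_HDR.size + PROT_HDR.size:-ICV_LEN]
        icv = frame[-ICV_LEN:]
        if not hmac.compare_digest(icv, compute_icv(key, prot, tpdu)):
            return False, "bad ICV", None            # modified, or wrong key
        seq, direction = PROT_HDR.unpack(prot)
        if direction == self.my_direction:
            return False, "reflection", None         # our own TPDU echoed back at us
        if seq != self.expected_seq:
            return False, "replay or out of order", None
        self.expected_seq += 1
        return True, "ok", tpdu


def demo() -> list:
    key = bytes(range(16))                            # constructed sample key
    keys = {7: key}
    initiator = SecureTransportEndpoint(keys, INITIATOR)
    responder = SecureTransportEndpoint(keys, RESPONDER)
    f0 = protect(7, key, 0, INITIATOR, b"CR")        # connect request
    f1 = protect(7, key, 1, INITIATOR, b"DT hello")  # data
    tampered = f1[:-1] + bytes([f1[-1] ^ 1])          # one ICV bit flipped
    return [
        responder.unprotect(f0)[1],        # ok
        responder.unprotect(f1)[1],        # ok
        responder.unprotect(f1)[1],        # replay of f1
        initiator.unprotect(f1)[1],        # f1 reflected back to its originator
        responder.unprotect(tampered)[1],  # integrity failure
    ]


if __name__ == "__main__":
    print(demo())
```

Note that the direction check is what the symmetric setting needs: both ends hold the same key, so an ICV alone cannot tell an endpoint whether a valid-looking frame was produced by its peer or by itself.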
5.2.5 General Message Security Services
Message sequence integrity is provided by means of a sequence number carried in the signed data field of the message token or, if it is considered desirable to encrypt it, in the encrypted data field of the token. Clearly messages are sent with incrementing sequence numbers, and these numbers are checked on receipt for correctness.
Message flow confidentiality is not supported by X.400, although identified as a security service. However, the "double envelope technique" is indicated in X.402 as a tool for this purpose. The technique consists of placing a complete message (envelope plus content), encrypted, as the content of another message sent to a different address. The recipient should be able to read the real destination address from the encrypted inner envelope and forward the message (probably reencrypted) in a new outer envelope, either to its destination or to a further forwarding point. (See Fig. 5.7.)
Figure 5.7 Traffic flow confidentiality between UA (A) and UA (C) using double enveloping. [UA (A): place (encrypted) message in content field of carrying message; MTS; intermediate UA: extract (and decrypt) message from content field and place (reencrypted) in new carrying message; MTS; UA (C): extract (and decrypt) message from content field.]
5.2.6 Registration Security Services
MTS users (e.g., UA) may register their security status, in the form of a list of user-security labels, with the MTS (in practice the local MTA) (see above), using the "administration port" to the MTS. These are then used in secure access management when establishing the security context. Before using the administration port, the MTS user must establish an association with the MTS, just as for submission and delivery of messages. The associated secure access management functions and security context can be used to establish protection of the later security-critical register and change credentials operations.
The change-credentials service (also using the administration port of the MTS) allows MTS users to change their old security credentials for new ones. If these credentials are simply passwords, they submit the old ones (presumably to identify themselves) with the new ones. If asymmetric cryptography applies, the credentials will be a certificate, which carries its own proof of genuineness, although the old version is still supplied with the new one. X.400 does not elaborate fully on how the MTS might have access to its users' credentials in the first place; possibly via a directory service, but surely the directory should be updated directly rather than using the change credentials operation.
The MS register command is very similar to the register operation except that it applies between the MTS user and the message store, and may be invoked without the MTS. Additionally, it permits registration of the user's credentials, the old and new versions of them being MS register arguments. This addresses the configuration of Figure 5.8, in which the MS user talks to the MTS through the MS — allowing the user to have two differing sets of credentials.
Figure 5.8 [MS-register and change credentials between the MS user, the MS, and the MTS.]
134
in
RFCs
13 and
1 1
header" which
1
is
14. It
1
provides end-to-end security only, by creating an "encapsulation
put in front of the message text, and both are treated as end-to-end
message content. The carrying mechanism could be X.400, or the 821), or a
file transfer
Internet
SMTP (RFC
protocol.
The header holds
the security parameters.
These include a message
integrity
check
DES or RS A, giving origin authentication or nonrepudiaIf encryption is employed, DES-CBC is used, and the DES key generated
(MIC), which can be signed using tion, respectively.
by the sender can be multiple-encrypted under the in the header.
Thus, the header
may contain
recipients' public keys for inclusion
multiple recipient fields. In summary, message
and data origin authentication (nonrepudiation) are the
integrity, data confidentiality,
security services supported.
To make plus header)
is
PEM even more converted by a
independent of the infrastructure, the entire message (text filter to
form
printable
This
in a restricted character set.
applies in particular to security parameters, such as signatures, encrypted keys (in hex),
and to encrypted message
PEM bered that
is it
text.
and sensible approach
a simple
to secure
messaging, but
it
must be remem-
does not attempt to address any of the X.400 (88) infrastructural security
services such as proof of submission or delivery, or secure access
management.
5.3 EDI SECURITY
Another application where security services have been reasonably well standardised is that of electronic data interchange (EDI). EDI is used for trading between businesses. Rather than have a computer print invoices, which are sent by post to customers who type them into their computers, which print cheque and payment advice, which are sent by post to the original company where the details are typed into the computer, which prints a receipt, and so on, these trading documents can be sent in electronic form directly between computers. A vast amount of standardisation is in progress (notably under United Nations auspices specifying EDIFACT) to define the many types of transactions to be supported and to detail their formats. Because EDI is much concerned with financial transactions, security and, in particular, authenticity services, are of importance.
5.3.1 X.435 and Security for EDI
EDI interchanges can be conveyed in many ways — for example, directly over a telephone line or encapsulated in a file transfer. One method of providing a supporting infrastructure is to use MHS; CCITT has developed the F.435/X.435 Recommendations to this end. We discuss these recommendations [4, 5] from the security point of view. F.435 defines the EDI messaging service, whereas X.435 defines the EDI messaging system. This follows CCITT normal practice, in which F-Series recommendations define the service offered (what it is), whereas X-Series recommendations define how it operates.
135
The
basic concept
and
a
body
could be an X.I 2
EDI
is
EDI messages (EDIMs)
that there are special
which form the content
part,
EDIFACT
field
of
MHS
interchange (as defined by the
The heading contains many
interchange.
message and specifying how
is
it
to
consisting of a heading
messages. Typically, a body part
ISO 9735
fields
[6] standards)
or an
ANSI
concerned with identifying the
be handled, only a few of which are relevant to
security.
Additionally, EDI Notifications (EDINs) exist, specifically to mean confirmation of receipt at the application level, as opposed to simply confirming delivery. This is illustrated in Figure 5.9, in which a special EDI-UA, functioning together with an EDI user in a trusted environment, accesses the underlying MTS, with an added EDI message store (EDI-MS). EDINs are in effect special EDIMs, linked to the original subject EDIM by appropriate cross-references. They contain a series of common fields, together with fields depending on the nature of the EDIN (see Fig. 5.10).
To address the problem of fraud at the application level, X.400 EDI messaging (EDIMG) uses the X.400 security elements of service, and F.435/X.435 introduce new EDI security elements of service, essentially to guarantee the genuineness of EDIMs and EDINs as valid confirmations to the original subject EDIM originator. These security service elements may be requested by the subject EDIM originator. The particular threats being addressed include the threat that the EDIM originator/recipient might change the EDIM after transmission/reception to something different (e.g., after nonrepudiation of submission/delivery), followed by positive, negative, or forwarded EDINs being forestalled by the receiving EDI application.
Figure 5.9 EDI messaging. [EDIM originator and EDIN originator, each with trusted functionality, communicating through EDI-UA, EDI-MS, and the MTS.]
136
Common field
1
Common field
If
negative
If
notification
Neg.
Neg.
n
forwarded
If
notification
field
field
Forwarded
1
Forwarded
n
positive
notification
field
field
Pos
1
n
Pos
field
field
1
n
Figure 5.10 Structure of EDINs.
Four of the new elements of service cover proof/nonrepudiation of an EDIN, and can be requested in the original EDIM by setting the appropriate flag in the EDIN requests subfield of the recipients field of the EDIM heading. The recipient should then, when sending the EDIN, incorporate the proof of its genuineness by invoking the content integrity security service, to produce a content integrity check for the entire EDIN, which is the content. If nonrepudiation of the EDIN is requested by the originator of the subject EDIM, the procedure is the same except that the sender of the EDIN should ensure that the content integrity check is nonrepudiable, using a digital signature, as previously discussed.
A further four security elements of service are concerned with proof/nonrepudiation of content received (i.e., they provide a service which guarantees to the sender of the EDIM that the responding sender of the EDIN has received the EDIM unmodified). Essentially, this is provided by the sender of the EDIN incorporating either the entire received EDIM (content of the complete message) or a received content integrity check for the EDIM (if there was one) into the EDIN, and then guaranteeing the EDIN using a content integrity check or message origin authentication check on it. The echoed EDIM content or content integrity check is put in one of the EDIN common fields, "notification security elements" (see Fig. 5.11). The service is requested by flags in the EDIN requests subfield of the EDIM heading. The distinction between proof and nonrepudiation is achieved by using or not using a nonrepudiable digital signature for the content integrity check, or the message origin authentication check, on the returning EDIN.
The preceding eight security elements of service are "per recipient", meaning that proofs of reception may be requested and received from each individual recipient of a multidestination EDIM independently. A ninth EDI security element of service is "nonrepudiation of content originated". This is simply provided (when sending an EDIM) by invoking the content integrity or message origin authentication elements of service (as discussed previously) using nonrepudiable check digits/digital signatures and asymmetric cryptography. The recipient validates the received check digits/digital signatures.
Figure 5.11 Proof of content received. [Sent EDIM: envelope, content, content integrity check. EDIN in response: envelope; content = EDIN, with common fields and P, N, or F fields.]
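The exchange behind "proof of content received", as an added example in Python (not the book's code and not an X.435 encoding): the originator sends an EDIM whose body carries a content integrity check computed under a key shared with that recipient; the recipient echoes the received check into the EDIN common field "notification security elements", cross-references the subject EDIM, and protects the whole EDIN with its own content integrity check; the originator validates the EDIN and compares the echoed check with the one it sent. The JSON field names, the use of HMAC-SHA256 as the content integrity check, and the sample interchange are assumptions; because the check is a keyed hash rather than a digital signature, this is the "proof" variant, not nonrepudiation.

```python
import copy
import hashlib
import hmac
import json


def integrity_check(key: bytes, data: bytes) -> str:
    """Content integrity check for one originator/recipient pair: a keyed hash
    (HMAC-SHA256) under their shared symmetric key, returned hex-filtered."""
    return hmac.new(key, data, hashlib.sha256).hexdigest().upper()


def canonical(content: dict) -> bytes:
    """Deterministic byte form of the content that a check is computed over."""
    return json.dumps(content, sort_keys=True).encode("utf-8")


def make_edim(key: bytes, originator: str, recipient: str, ref: str, interchange: str) -> dict:
    """Originator side: EDIM = heading + body part, with a content integrity
    check and a request for proof of content received in the heading."""
    content = {
        "heading": {"originator": originator, "recipient": recipient, "reference": ref,
                    "edin_requests": ["proof of content received"]},
        "body": interchange,
    }
    return {"content": content,
            "content_integrity_check": integrity_check(key, canonical(content))}


def edim_is_intact(key: bytes, edim: dict) -> bool:
    """Recipient side: validate the received EDIM before acknowledging it."""
    return hmac.compare_digest(edim["content_integrity_check"],
                               integrity_check(key, canonical(edim["content"])))


def make_edin(key: bytes, received_edim: dict, disposition: str = "positive") -> dict:
    """Recipient side: echo the received check into 'notification security
    elements', cross-reference the subject EDIM, and protect the whole EDIN."""
    content = {
        "common": {"subject_reference": received_edim["content"]["heading"]["reference"],
                   "notification_security_elements": received_edim["content_integrity_check"]},
        "notification": disposition,
    }
    return {"content": content,
            "content_integrity_check": integrity_check(key, canonical(content))}


def check_content_received(key: bytes, sent_edim: dict, edin: dict) -> str:
    """Originator side: validate the EDIN, then compare the echoed check with the one sent."""
    if not hmac.compare_digest(edin["content_integrity_check"],
                               integrity_check(key, canonical(edin["content"]))):
        return "EDIN check invalid"
    common = edin["content"]["common"]
    if common["subject_reference"] != sent_edim["content"]["heading"]["reference"]:
        return "EDIN refers to a different EDIM"
    if not hmac.compare_digest(common["notification_security_elements"],
                               sent_edim["content_integrity_check"]):
        return "content received differs from content sent"
    return "content received unmodified"


def demo() -> list:
    key = bytes(range(16))                                   # constructed shared key
    edim = make_edim(key, "ORG-A", "ORG-B", "EDIM-0001",
                     "UNB+UNOA:1+A+B+930101:1200+1'")        # constructed interchange
    verdicts = [check_content_received(key, edim, make_edin(key, edim))]
    # body altered in transit: the recipient's own check fails, so no EDIN is sent
    altered = copy.deepcopy(edim)
    altered["content"]["body"] = altered["content"]["body"].replace("+1'", "+2'")
    verdicts.append("intact" if edim_is_intact(key, altered) else "EDIM check invalid")
    # recipient acknowledges a different content under the same reference
    other = make_edim(key, "ORG-A", "ORG-B", "EDIM-0001", "UNB+UNOA:1+A+B+930101:1200+9'")
    verdicts.append(check_content_received(key, edim, make_edin(key, other)))
    # EDIN fields manipulated after it was protected
    edin = make_edin(key, edim)
    edin["content"]["notification"] = "negative"
    verdicts.append(check_content_received(key, edim, edin))
    return verdicts


if __name__ == "__main__":
    print(demo())
```

Echoing the check rather than the whole EDIM keeps the EDIN small; the text allows either, and echoing the full content would simply mean placing the received body in the same common field and comparing it on return.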
F.435 and X.435 recognise a further security function, namely the application security element (of service). This is in effect undefined. It is a blank field, both in the EDIM heading and in the EDIN common fields, available for end-to-end security use between EDI applications. It could be used, for example, to provide security (integrity, confidentiality) of selected parts of a complete EDIM body part, according to some bilateral convention. Finally, F.435 and X.435 make tentative references to proof/nonrepudiation of transfer (between MTAs) and of retrieval (between UA and MS) — but publicly state that these functions are a "local matter".
All the extra security functions for EDI are optional, as are the X.400 security services on which they are based. Moreover, F.435 and X.435 envisage the alternative of notarisation of EDI interchanges by a trusted third party rather than incorporating security elements of service into the "abstract service" interfaces to the application and thus, by implication, into the protocol. It remains to be seen how much these options will be used in practice, but meanwhile they provide good examples of the application of various security techniques to concrete OSI protocols.
5.3.2 The ANSI X12 Secure EDI Approach
We have seen how X.400 elements of service can be used to provide security for EDI, essentially by protecting a complete interchange in the form of an EDIM, together with its associated acknowledgement or EDIN. However, EDI interchanges can be carried over many infrastructures other than X.400 MHS. Moreover, the interchanges are themselves composed of subunits, such as "messages" and "functional groups" (groups of similar messages), all with the same destination, but not all necessarily requiring protection (see below); X.435 cannot provide this selective security. A different approach to protecting such interchanges is to build the protection into the EDI structure itself, in the form of flags or identifiers to state what the protection is (e.g., encryption with algorithm X), and extra fields holding MACs or key identifiers. This is the approach taken by the ANSI X12 standards, in particular X12.58 [7]. To understand this provision of security functions, it is necessary to look very superficially at the structure of EDI interchanges and subunits of interchanges.
There are several standards for EDI. In addition to ANSI X12 there exists, notably, EDIFACT; many others have been developed for specific industries (e.g., SITA standards for the air transport industry). Nearly all of these are based on the use of printable messages using a character set limited to that purpose, and employing special printable character strings as separators of the component fields or segments of the messages. In computer terms, the syntax is nontransparent — and often primitive and unwieldy — and it is not possible to send arbitrary bit patterns (as could result from encryption) without running the risk of inserting a (bogus) separator, for example, into the message. For this reason, most secure EDI systems rely on so-called "filtering", or turning arbitrary bit strings into harmless printable hexadecimal characters (0-9, A-F). In the following discussion we suppose that such filtering is applied to MACs, encrypted data, and so forth, whenever necessary.
X12 itself recognises three main units: the interchange, the functional group, and the transaction set (message). They are illustrated in Figure 5.12, where it can be seen that the interchange begins and ends with the segments ISA*, IEA*, respectively; the functional group begins with GS* and ends with GE*; and the transaction set with ST* and SE*, respectively. Security is provided at the functional group or transaction set level by inserting a security header segment S1S* or S2S* immediately following the opening GS* or ST*, respectively, and a trailer, S1E* or S2E*, immediately preceding the closing GE* or SE*, respectively.
ISA*.... (Interchange header)
  GS*.... (Functional group header)
    S1S*.... (Security header)
      ST*.... (Transaction set header)
        S2S*.... (Security header)
        Transaction set segments
        S2E*... (Security trailer)
      SE*... (Transaction set trailer)
      Other transaction set(s)
    S1E*.... (Security trailer)
  GE*.... (Functional group trailer)
  Other functional group(s)
IEA*.... (Interchange trailer)
Figure 5.12 Structure of X12 secure interchanges.
Since the structure is common to both types of unit, we shall in future refer to SxS* and SxE*, where x = 1 or 2. The header segment SxS* carries nearly all the security information in the form of flags and identifiers, while the trailer SxE* carries a MAC. Essentially, authenticity and/or confidentiality of the protected unit are ensured using symmetric key algorithms (DES).
Figure 5.13 illustrates SxS* and its nine data segments. Details of coding are omitted, but there are appropriate starting and ending characters for each segment to delimit them unambiguously, and constraints on the contents (numeric, alphanumeric, etc.) that the reader may find in the original standard. In Figure 5.13, M signifies mandatory and O optional, while the character string (e.g., SxS01) is the identifier of the data segment.
The data segments are:
• Security type (SxS01) — indicates whether authentication, encryption, or both are present. If present, authentication generates/checks a MAC covering the SxS* segment and everything up to the segment prior to the MAC itself. If encryption is present, it begins with the last character (*) before the first character of the IV (SxS09) and ends with the last character before the segment terminator, before SxE*. Note that, on transmission, authentication comes before encryption, which comes before filtering.
• Security originator/recipient — application user identifiers, not just transmission sources and sinks.
• Authentication key name — identifies the key used for the MAC.
• Authentication service code — defines whether the data authenticated are treated as pure binary strings, or whether editing (e.g., removal of internal character delimiters), insertion (e.g., of the time and date), filtering, and so on, has taken place.
• Encryption key name — identifies the key used for encryption.
• Encryption service code — specifies CBC, CFB, and so on.
• Length of data field — gives the number of characters in the encrypted (but not filtered) text. This is an alternative means to providing data transparency. (When the MAC is calculated, this field is taken to be empty.)
• Initialisation vector (IV) — used for the encryption process.
The SxE* trailer is illustrated in Figure 5.14. It contains a nine-character MAC in the form of four hex characters, a blank, and another four hex characters — representing the left-most 32 bits of CBC processing of the data with DES. This is in accordance with X9.9.
There are many minor details in X12.58 regarding, for example, how fields that are empty are to be handled when encrypting or authenticating. But the general scheme should be clear, namely:
• encryption and/or authentication supported;
• essentially at the EDI application level (i.e., no support of confirmation as in X.435; no equivalent to EDINs); sequence numbers (e.g., to detect loss of messages) are not supported but can and should be inserted by the user in the protected text;
• selective protection of subunits of the interchange down to the transaction set level is supported;
• nonrepudiation and, more generally, asymmetric key cryptology are not supported.
X12.58 is based on X9.9 (authentication), X9.23 (encryption), and, ultimately, on DES.
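The envelope, the processing order (authenticate, then encrypt, then filter) and the hex filtering described above, as an added example in Python that is not code from X12.58 or from this book. The standard library has no DES, so the X9.9 CBC MAC and the DES encryption are stand-ins built from HMAC-SHA256 (a truncated HMAC for the 32-bit MAC, and an HMAC-based 64-bit block function run in CFB mode for the cipher); the separators `*` and `~`, the security type code `03`, the key names `AK01`/`EK01` and the sample purchase order are this example's own assumptions. For clarity the encrypted region here starts after the S2S* segment terminator so that the IV in S2S09 stays readable; the standard's exact starting point is the one given above.

```python
import hashlib
import hmac

ELEM = "*"   # element separator (assumed, matching the ISA*/GS*/ST* notation above)
SEG = "~"    # segment terminator (assumed)


def mac32(key: bytes, data: bytes) -> str:
    """32-bit MAC in the X12.58/X9.9 rendering: four hex characters, a blank,
    four hex characters. Stand-in: HMAC-SHA256 truncated to its leftmost 32 bits
    instead of the leftmost 32 bits of DES CBC processing."""
    h = hmac.new(key, data, hashlib.sha256).digest()[:4].hex().upper()
    return h[:4] + " " + h[4:]


def cfb_xor(key: bytes, iv: bytes, data: bytes, decrypt: bool = False) -> bytes:
    """64-bit CFB mode with a stand-in block function (HMAC-SHA256 truncated to
    8 bytes, not DES). CFB only ever uses the forward block function, so the
    same loop decrypts when the chaining value is taken from the ciphertext."""
    out, chain = bytearray(), iv
    for i in range(0, len(data), 8):
        chunk = data[i:i + 8]
        keystream = hmac.new(key, chain, hashlib.sha256).digest()[:8]
        res = bytes(a ^ b for a, b in zip(chunk, keystream))
        chain = chunk if decrypt else res
        out += res
    return bytes(out)


def hex_filter(raw: bytes) -> str:
    """Filtering: arbitrary bit strings become 0-9/A-F, so ciphertext can never
    be mistaken for an element separator or segment terminator."""
    return raw.hex().upper()


def s2s_segment(orig: str, recip: str, length: str, iv: bytes) -> str:
    """S2S01..S2S09: security type (03 = authentication and encryption, a code
    assumed here), originator, recipient, authentication key name, authentication
    service code, encryption key name, encryption service code, length of the
    encrypted (unfiltered) data, initialisation vector."""
    return ELEM.join(["S2S", "03", orig, recip, "AK01", "01", "EK01", "CFB",
                      length, iv.hex().upper()])


def protect(segments, auth_key: bytes, enc_key: bytes, iv: bytes,
            orig: str = "SENDER", recip: str = "RECVR") -> str:
    """Wrap ST*...SE* with S2S*/S2E*: authenticate, then encrypt, then filter."""
    st, body, se = segments[0], segments[1:-1], segments[-1]
    plain = (SEG.join(body) + SEG).encode()
    # 1. MAC over the security header (length field taken as empty) and the data
    header_for_mac = s2s_segment(orig, recip, "", iv) + SEG
    mac = mac32(auth_key, header_for_mac.encode() + plain)
    # 2. encrypt the data segments under the IV carried in S2S09
    cipher = cfb_xor(enc_key, iv, plain)
    # 3. filter, and record the unfiltered length in S2S08
    header = s2s_segment(orig, recip, str(len(cipher)), iv) + SEG
    trailer = "S2E" + ELEM + mac + SEG
    return st + SEG + header + hex_filter(cipher) + SEG + trailer + se + SEG


def unprotect(text: str, auth_key: bytes, enc_key: bytes):
    """Receiver: unfilter, check the length, decrypt, then recompute and compare
    the MAC. Returns (ok, segments)."""
    st, s2s, payload, s2e, se = text.rstrip(SEG).split(SEG)
    f = s2s.split(ELEM)
    cipher = bytes.fromhex(payload)
    if len(cipher) != int(f[8]):
        return False, []
    plain = cfb_xor(enc_key, bytes.fromhex(f[9]), cipher, decrypt=True)
    f[8] = ""  # the length field is empty when the MAC is computed
    expected = mac32(auth_key, (ELEM.join(f) + SEG).encode() + plain)
    received = s2e.split(ELEM)[1]
    if not hmac.compare_digest(expected.encode(), received.encode()):
        return False, []
    return True, [st] + plain.decode().rstrip(SEG).split(SEG) + [se]
```

Running `protect` on a constructed transaction set and then `unprotect` with the same keys recovers the original segments; any change to the filtered payload, or a wrong authentication key, makes `unprotect` return `(False, [])` because the recomputed MAC no longer matches the one in S2E*.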
Associated with X12.58 is X12.42 [8], which defines a cryptographic service message (CSM) transaction set for distributing the keys. This CSM is very similar to the CSMs of X9.17/ISO 8732, as discussed in Chapter 3. Essentially, the objective is to define an X12-compatible format for processing by EDI applications which can only handle such a format. In this application, all keys are key pairs, notarisation is mandatory, and IVs are not included since they are already in the X12.58 header segments. An X12.42 CSM consists of a header containing the following:
• the CSM class code (KSM, RSI, RSM, and so on. See Chap. 3);
• security originator/recipient identifiers for the CSM.
The CSM also has a body containing:
• tags identifying the contents (i.e., which fields are present);
• contents consisting of X9.17 fields and subfields with appropriate separators. Fields hold counters, keys, MACs, and so forth and are all encoded in printable characters, thereby avoiding transparency and filtering problems.
X12.42 is a large document but relatively straightforward given a knowledge of X9.17. It complements X12.58 by providing an EDI-compatible mechanism for distributing the keys used by X12.58, and the interested reader should refer directly to it for details.
5.3.3 Security and EDIFACT
Whereas the ANSI X12 EDI standards are essentially North American, EDIFACT is an international standard (ISO 9735). EDIFACT's structure is similar to that of X12, with messages within functional groups within interchanges. Each such item has appropriate headers and trailers in printable form; for example, UNH begins a message, while UNT ends it. Various nonstandard additional features have been added by system suppliers to support security, but, officially, no real security services and mechanisms as yet exist. However, two proposals for incorporating security in the standard are worth considering. Both suppose that the security functions are entirely embedded in the EDIFACT structure (i.e., no use, explicit or implicit, is made of any security services provided by the underlying infrastructure, whether a simple data link or a complete X.400 MHS).
The first proposal is from the European Commission's TEDIS programme. The proposal concentrates on authenticity at the message and interchange levels, and is based on asymmetric key cryptology. An existing segment (field), AUT, is modified to carry a digital signature covering the message that precedes it. Another new segment, CERT, contains the certificate needed to validate the signature. If an entire interchange is to be authenticated, these fields are built into a preceding message in the interchange. For confidentiality, it is proposed to encrypt the entire message or interchange that is to be confidential and to embed it in a new message inside an (possibly new) interchange. New header segments, immediately following the existing headers, are used to signify which security functions are present. (See Fig. 5.15.)
The second proposal is from the MD4 working group, which is concerned with financial transactions between banks and their corporate clients. Such transactions include payment orders (client to bank) and debit and credit advices (bank to client). This proposal is more similar to the ANSI X12 scheme in that it has security header segments (UNC, UNK, UNL) immediately following the normal headers and corresponding trailer segments (UNW, UND, UNV) immediately preceding the normal trailers for interchanges, functional groups, and messages, respectively. Security services supported are:
• message origin authentication;
• integrity of content;
• confidentiality of content;
• nonrepudiation of origin;
• message sequence integrity;
• nonrepudiation of receipt.
The first five services rely on security parameters carried one-way in the basic item (interchange, functional group, or message). The last service is provided by a new service message in the reverse direction, in response to a request parameter incorporated in the original item.
UNH....   (Message header)
SIF....   (Security information header) — this segment identifies the recipient, the security functions provided, the algorithms used, etc.
Other segments
AUT....   Carries digital signature
CERT....  Carries originator's certificate
UNT....   (Message trailer)
Figure 5.15 Proposed structure for secure EDIFACT messages.
If nonrepudiation is not required, the algorithms generating the check digits for origin authentication or content integrity can be based on symmetric cryptography provided that the key distribution problem has been solved. If asymmetric cryptology is used, then the certificate can be incorporated in the item's header field to carry the signatory's public key for validation. For authentication and integrity the header contains parameters such as the algorithm identifier, the security originator/recipient identifiers, the (symmetric) key identifier, and the initial value (IV) of the algorithm. The checksum/MAC is in the trailer. Message sequence integrity is provided by including the date/time and a sequence number in the header. If confidentiality is invoked, the encryption begins with the IV in the header and ends before the trailer. Transparency can be assured using a data length indicator in the header.
This proposal is, as noted, very similar to ANSI X12, but includes the additional features of nonrepudiation (with asymmetric keys), explicit acknowledgement of receipt, and imbedded message sequence numbers.
5.4 THE X.500 DIRECTORY
Within the general OSI structure, an important application layer service is that of the directory [9]. The directory is defined in the CCITT X.500 Series Recommendations, and its relevance here is that it involves security in two ways. Firstly, it is recommended that the directory be used to hold security information about OSI users — specifically credentials (e.g., certificates). Secondly, access to the directory, which is in principle distributed so that there are internal remote accesses as well as external ones, needs to be controlled by appropriate security functions — specifically authentication, because the information held within the directory is critical.
To gain an understanding of the role of security functions in the directory, it is necessary to look at its general design, albeit very superficially. The OSI directory is essentially a distributed database designed to meet the needs of telecommunication applications. It is not intended to be a general purpose database but one aimed at services, in particular, application layer services. It may be accessed by the human user, but it is essentially envisaged as being accessed by application processes. The directory holds information in its directory information base (DIB) in the form of a directory information tree (DIT) of object entries. For each relevant "object" (e.g., a subscriber to a network service) there is one entry containing all the relevant attributes of that object (such as name, address, title). As examples of the information that could be held in the DIB and the uses made of it, we can cite:
• obtaining a name and address from a functional title (e.g., "purchasing manager of XYZCo.");
• mapping EDI names and addresses into X.400 names and addresses and vice versa;
• expanding distribution lists (e.g., "all engineering staff") into their component members;
• providing "accessibility" information about an intended destination (e.g., "handles ASCII text only");
• providing certificates of public keys to enable a sender to encrypt messages to their owners (as previously indicated).
The operations supported by the directory are:
• Read (i.e., retrieve) the types and/or values of some or all of the specified object's attributes;
• Compare the value of a specified object's attribute with a supplied value;
• Abandon the interrogation operation in progress;
• Search (a portion of) the information tree for entries meeting certain criteria and return relevant selected information;
• List all the entries subordinate to a specified entry in the tree;
• Modify entries, including add a new one, remove one, modify one (e.g., by changing its attributes), and modify the distinguished name of an entry (i.e., change its RDN or identifier).
It is self-evident that when operations such as modify exist, it is imperative that their use is controlled, which implies (particularly) that secure identification procedures are required for the users of the directory.
Figure 5.16 illustrates how the directory is structured. All users, human or not, make use of a directory user agent (DUA) — an OSI application process which maps local interfaces into standard procedures and protocols for use with the directory. The services offered by the directory are specified in X.511. The directory itself consists of a distributed network of directory service agents (DSAs), each controlling its own portion of the DIB. DUAs access the DIB through DSAs. DSAs are OSI applications, and application layer protocols exist between DUA and DSA (the directory access protocol-DAP) and between DSAs (the directory service protocol-DSP). These protocols, like the MHS P1, P3, and P7, make use of the ACSE and ROSE ASEs.
Figure 5.16 Structure of the directory. (Diagram: users, their DUAs, the DSAs, and the DIB.)
As stated, secure access management, or, as it is called in X.500, "authentication" (of identities), is a central requirement for both DUA-DSA and for DSA-DSA access. Additionally, X.500 envisages the authentication of information, such as the arguments submitted to or returned by the directory in a search operation. This form of authentication is provided by signing the arguments. X.509 specifies the general authentication framework for the directory, and is the most important of the X.500 series recommendations from the security point of view. For secure access management it considers two forms of authentication:
• simple authentication, based on passwords and one-way functions;
• strong authentication, based on asymmetric key cryptography.
X.509 does not make use of symmetric key cryptography. The general situation is illustrated in Figure 5.17. Here A and B are OSI application processes, and in the simplest case B wishes to authenticate A, which is trying to access it. If simple authentication is used, A could (according to X.509) present its identity, the time, a random number, and a protected password to B for verification. The protected password would be the real password plus the three other quantities, scrambled by a one-way function. If B holds A's password, it can perform the same scrambling operation and compare results. Alternatively, B may submit A's protected password to the directory for a similar validation, and await the directory's Yes/No reply. Note that this reply is critical (i.e., if an attacker can forge it, the whole procedure is useless). A particular case of Figure 5.17 is when A is a DUA and B a DSA needing to refer to other parts of the directory to authenticate A. Again, A and B could both be DSAs. It is clear that DUAs and DSAs need to hold some minimal security information about each other so that they can engage in secure exchanges to obtain more.
X.509's proposals for strong authentication are almost identical to the one-way, two-way, and three-way procedures of Chapter 2, so they are not further detailed here. Generally, X.509 envisages senders of authenticated (signed) data as also sending their certificate, so that their signatures may be validated. However, it is possible to assume that certificates are already held by the intended recipients or obtainable from the DIB, which should certainly be the case when the recipient is a DSA itself.
A presents: ID, T, R, P
Reply: YES (continue) / NO (abort)
Figure 5.17 X.509 simple authentication. ID = A's identity; T = time; R = random number; P = A's protected password.
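The protected-password exchange of Figure 5.17, as an added example in Python (not code from X.509 or from this book). The one-way function is SHA-256 over the concatenation of ID, T, R and the password, a choice of this example since X.509 leaves the function open; B holds A's password and recomputes P. The acceptance window on T and the record of (ID, T, R) triples already accepted are also this example's additions: they are what make the time and the random number worth sending, since without them a captured (ID, T, R, P) would verify again.

```python
import hashlib
import hmac
import time


def protect_password(ident: str, t: float, r: int, password: str) -> str:
    """P = f(ID, T, R, password): the password plus the three other quantities,
    scrambled by a one-way function (SHA-256 here, an assumption of this example)."""
    msg = f"{ident}|{t:.0f}|{r}|{password}".encode()
    return hashlib.sha256(msg).hexdigest()


class Verifier:
    """B's side: holds the real passwords, recomputes P and answers YES/NO."""

    def __init__(self, passwords: dict, window: float = 300.0, now=time.time):
        self.passwords = passwords      # ident -> password (constructed sample data)
        self.window = window            # how far T may differ from B's clock
        self.now = now                  # injectable clock so the example is testable
        self.accepted = set()           # (ID, T, R) triples already honoured

    def check(self, ident: str, t: float, r: int, p: str) -> bool:
        password = self.passwords.get(ident)
        if password is None:
            return False                            # unknown identity
        if abs(self.now() - t) > self.window:
            return False                            # T outside the acceptance window
        if (ident, t, r) in self.accepted:
            return False                            # same (T, R) presented twice
        expected = protect_password(ident, t, r, password)
        if not hmac.compare_digest(expected.encode(), p.encode()):
            return False                            # password does not match
        self.accepted.add((ident, t, r))
        return True


def login(verifier: Verifier, ident: str, password: str, r: int, t: float) -> bool:
    """A's side: build (ID, T, R, P) from its own password and present it to B."""
    return verifier.check(ident, t, r, protect_password(ident, t, r, password))
```

In use, A draws a fresh R for every attempt and B's answer is YES only once per (ID, T, R); the text's remark that the directory's Yes/No reply is critical applies unchanged, since `check` is exactly the decision a forged reply would bypass.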
X.509's definition of a certificate also includes a serial number for unique identification inserted and signed together with everything else by the certification authority (CA). The concept of the certification hierarchy discussed in Chapter 3 is also elaborated in X.509 itself. When these general reciprocal authentication concepts are applied to the directory at the DUA-DSA (X.511) or DSA-DSA (X.518) interface, the security parameters are exchanged in "bind" tokens at the ACSE level. For protecting specific requests to the directory, X.509 includes the definition of a SIGNED macro for signing, for example, all access operations (such as read or modify) used with the directory. The signature optionally covers the arguments of the request and/or the response that make up the operation. These arguments include security parameters, such as the name of the intended recipient; the date/time and a random number as a protection against replay; and in the request, indications as to what security is wanted in the subsequent response. This authentication of accessing operations is again defined for the DUA-DSA interface in X.511 and extended to the distributed situation of DSA to DSA in X.518.
Finally, the X.500 Recommendations also consider the topic of authorisation, namely: Given that a request and the requestor have been unequivocally identified as genuine, can the request be granted? The approach to an answer to this question supposes that items in the DIT can be protected selectively against reading, modification, deletion, or renaming. The items themselves can be entries, or attributes within entries, or complete subtrees of the DIT. Naturally some users will be allowed to access items which other users are not allowed to do. For example, A may only be allowed to read X, whereas B can modify X, and C can rename X. X.501 (Annex F) only sketches mechanisms for effecting such protection, such as:
• associate with each protected item in the DIT the names and access rights of the persons allowed to access it; or
• control access by "capabilities", so that persons of a given capability can always perform certain specified operations on items belonging to a particular class. A user's capabilities could, for example, be held in the DIB itself, or even included in his credentials — although the existing definitions would have to be extended for this.
Summarising, the X.500 series Recommendations contain important security concepts and features, notably in X.509. However, some of these concepts are illustrative only and few are fully worked out. Designers who wish to implement a distributed, multidomain directory have to invent the details of many mechanisms — for example, the creation and maintenance of certification hierarchies and paths, and the mechanisms for ensuring proper access authorisation.
5.5 CONCLUSION
Security services and mechanisms have been and are being incorporated into the general OSI framework in accordance with the ISO 7498/2 schedule. However, most of the detailed work so far has concentrated on the application layer, for example, MHS, EDI, and the directory service. This is more than a coincidence. Many would feel that security is very much an end-to-end function that users do not entrust to the network infrastructure, although they may welcome additional security services provided by it. A secondary reason for suspicion of security services provided by the infrastructure is their sheer complexity. It is not easy to convince oneself of what is or is not protected when data travel across extensive and inhomogeneous networks, each providing its own security.
REFERENCES
[1] ISO 7498-2, OSI/RM Security Architecture.
[2] CCITT Fascicle VIII.2, X.32, DTE/DCE interface for a packet-mode DTE accessing a PSDN through a PSTN, ISDN or CSDN, CCITT Blue Book, Geneva, 1988.
[3] CCITT Fascicle VIII.7, X.400 Message Handling, CCITT Blue Book, Geneva, 1988.
[4] CCITT F.435, Message Handling—EDI Messaging Service, 1990.
[5] CCITT X.435, Message Handling—EDI Messaging System, 1990.
[6] ISO 9735, Electronic Data Interchange for administration, commerce and transport (EDIFACT).
[7] ANSI X12.58, Electronic Data Interchange Security Structures, ANSI, New York, NY.
[8] ANSI X12.42, Cryptographic Service Message Transaction Set, ANSI, New York, NY.
[9] CCITT Fascicle VIII.8, X.500 Directory Services, CCITT Blue Book, Geneva, 1988.
Chapter 6
Applications, Systems, Products, and Architectures
In previous chapters, various theoretical aspects of cryptography have been discussed, and it has been shown how a range of security services can be constructed from mechanisms and procedures. The services require management, as reviewed in Chapter 3. If there is to be interworking between differing computer systems, standardisation is also required, and the provision of security services within the open system interconnection framework was considered in Chapter 5. In this chapter we look at some real security systems and products that incorporate the ideas, theories, and standards presented previously. The discussion does not attempt to be comprehensive, but confines itself to covering some typical systems (such as those providing secure communication for banking and financial transactions) and the more common sorts of security products, hardware, or software.
Builders, operators, and users of such systems and products often find that they have created or are working with an unwieldy edifice in which, for example, users have to login securely three or four times per session (to their PC, to a LAN, and to remote hosts); and in which administrators have to keep track of, issue, and withdraw, a complex range of secret information such as keys, authorisation attributes, and capabilities — as well as operating and maintaining several widely differing security devices and products. This has led to the desire to establish an accepted "security architecture", into which all individual services, products, and management functions would fit. Perhaps such an architecture should have been agreed years ago, before individual products and standards appeared, but the reality is that progress at the international level in defining security architectures dates from the late 1980s. The last part of this chapter looks at some architectures.
6.1 SOME BANKING AND FINANCIAL APPLICATIONS
Banks and financial institutions are heavy users of security services. Usually these services are not very sophisticated, and are more concerned with authenticity than confidentiality, with some special exceptions, for communication. Within a bank's internal network, for example, the typical networks linking branch offices to a head office computing centre, there is often no use of security services. The authentic and confidential nature of the traffic is assumed to be assured by the leased lines of the network. However, banks using permanent virtual circuits (PVCs) or switched virtual circuits (SVCs) within a closed user group (CUG) on an otherwise public packet-switched network may be more careful, not only about protecting transactions, but also in identifying the remote source and destination with which communication takes place. Typically, security services used on interbank transfers would be applied to the internal network to achieve this.
6.1.1 ISO 8730
Interbank transfers are normally authenticated using the ANSI X9.9/ISO 8730 standard [1], which is based on symmetric key cryptology (e.g., DES) and relies on ANSI X9.17/ISO 8732 key distribution mechanisms [2] (see Chap. 3). The operation of a key distribution or key translation centre can be delegated by individual banks to some national or international service provider.
According to ISO 8730, certain explicitly delimited fields exist and, if present, they must always be included in the authenticated message. These fields are:
• The identifier for the authentication key (IDA) to be used by the recipient, delimited by QK- and -KQ.
• The date on which the message authentication code (MAC) was computed. This is referred to as the DMC, and is delimited by QD- and -DQ.
• The message identifier (MID), which is a number generated by the sender unique to the date (DMC) and the key (IDA), to provide protection against duplication or loss. It is delimited by QX- and -XQ. (The DMC and MID fields must always be present.)
• Specific items in the message text, such as the transaction amount, currency, identification of the parties to be credited and debited, beneficiary party, and value date. These text items can be explicitly delimited by QT- and -TQ if they are to be extracted for inclusion in the MAC, but, if the entire message is to be authenticated, this is unnecessary. They can also be implicitly delimited, as shown below.
Finally, the MAC itself, delimited by QM- and -MQ, is formatted as eight hexadecimal digits with a space in the middle, being the 32 left-hand bits of output when DES is used in CBC mode as the algorithm (see Chap. 2).
ISO 8730 supports five options for handling the data to be authenticated:
1. The entire message, in binary without modification, is processed to generate the MAC, or possibly only portions of the message are processed — but this would be by bilateral agreement between sender and receiver.
2. The entire text is processed, unedited.
3. The selected text fields only (in addition to the mandatory fields such as DMC) are included in the MAC, unedited. The fields can be identified by the explicit QT- and -TQ delimiters, or perhaps implicitly by their position in a standard message structure.
4. The entire text is processed, edited. Editing consists of purging carriage return/line feeds, unnecessary leading zeros, and so forth. It is aimed at removing characters that waste transmission time and/or give rise to transparency problems when used with certain transmission media, such as Telex.
5. The selected text fields are processed, edited.
In options 2 to 5, the message is treated as text. Seven-bit code with the eighth parity bit zero is enforced, capitals replace small letters, and so forth. In this form the text is processed to produce the MAC. (Note that the text itself is not changed; it is only the text as input to the MAC computation that is modified.)
ISO 8730 and its X9.9 predecessor are relatively old standards and are in widespread use, particularly on direct leased line connections between money desks of banks.
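The explicit delimiters, option 4 editing and the "eight hex digits with a space" MAC described above, as an added example in Python that is not code from ISO 8730 or from this book. DES is not in the standard library, so the 64-bit block function inside the CBC MAC is a stand-in (HMAC-SHA256 truncated to 8 bytes); the CBC chaining from a zero block, the padding of the text with zero bits to a multiple of 64 (the X9.9 convention) and the leftmost-32-bit truncation are kept. The key, the field values and the message text are constructed, and the receiver-side check on (IDA, DMC, MID) is the use of the MID against duplication that the text describes.

```python
import hashlib
import hmac
import re


def cbc_mac32(key: bytes, data: bytes) -> str:
    """CBC MAC: zero initial block, zero-bit padding to a multiple of 64 bits,
    leftmost 32 bits of the last output block rendered 'hhhh hhhh'.
    The block function is a stand-in (HMAC-SHA256 truncated to 8 bytes), not DES."""
    padded = data + bytes(-len(data) % 8)
    chain = bytes(8)
    for i in range(0, len(padded), 8):
        block = bytes(a ^ b for a, b in zip(chain, padded[i:i + 8]))
        chain = hmac.new(key, block, hashlib.sha256).digest()[:8]
    h = chain[:4].hex().upper()
    return h[:4] + " " + h[4:]


def edit_text(text: str) -> bytes:
    """Option 4 editing: purge CR/LF, drop unnecessary leading zeros, capitals
    replace small letters, seven-bit code with the eighth (parity) bit zero.
    The sender's text itself is not changed; only the MAC input is."""
    t = text.replace("\r", "").replace("\n", "")
    t = re.sub(r"\b0+(\d)", r"\1", t)      # 000042 -> 42, but 0.5 and 1000 untouched
    return bytes(ord(c) & 0x7F for c in t.upper())


def build_message(ida: str, dmc: str, mid: str, text: str, key: bytes) -> str:
    """Sender: IDA, DMC and MID in their QK-/-KQ, QD-/-DQ, QX-/-XQ delimiters,
    then the text, then the MAC in QM-/-MQ computed over everything before it."""
    body = f"QK-{ida}-KQ QD-{dmc}-DQ QX-{mid}-XQ {text}"
    return body + f" QM-{cbc_mac32(key, edit_text(body))}-MQ"


def fields(msg: str) -> dict:
    """Pick the explicitly delimited fields out of a received message."""
    out = {}
    for tag, pat in (("IDA", r"QK-(.*?)-KQ"), ("DMC", r"QD-(.*?)-DQ"),
                     ("MID", r"QX-(.*?)-XQ"), ("MAC", r"QM-(.*?)-MQ")):
        m = re.search(pat, msg)
        if m:
            out[tag] = m.group(1)
    return out


def verify_message(msg: str, key: bytes) -> bool:
    """Receiver: recompute the MAC over the edited text preceding QM- and compare."""
    idx = msg.rfind(" QM-")
    if idx < 0 or not msg.endswith("-MQ"):
        return False
    expected = cbc_mac32(key, edit_text(msg[:idx]))
    return hmac.compare_digest(expected.encode(), msg[idx + 4:-3].encode())


def accept(msg: str, key: bytes, seen: set) -> bool:
    """Receiver policy: MAC must verify, DMC and MID must be present, and the
    (IDA, DMC, MID) triple must not have been accepted before."""
    if not verify_message(msg, key):
        return False
    f = fields(msg)
    if "DMC" not in f or "MID" not in f:
        return False
    ident = (f.get("IDA"), f["DMC"], f["MID"])
    if ident in seen:
        return False
    seen.add(ident)
    return True
```

Because editing is applied only to the MAC input, a message whose MID is written "000042" and one written "42" authenticate identically, which is the intent of option 4; a change to the amount in the text, or a different bilateral key, fails verification, and a verbatim resend of an accepted message is refused by `accept` on the MID check rather than on the MAC.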
6.1.2 SWIFT
The Society for Worldwide Interbank Financial Telecommunications (SWIFT) offers an X.25-based packet-switched service for payment transfers to some 3,000 institutions. This basic service has been in existence for many years, and its security is assured by:
• encryption on trunk lines;
• protection of access to the network by login codes;
• optional encryption on leased user-to-network connections.
Over this infrastructure, end-to-end financial transactions can be exchanged according to various protocols and formats and with further security features (e.g., transaction authentication). Typically, SWIFT users are running SWIFT-supplied products on their computer-based terminals, and these products require secure identification of the human operator.
Recently SWIFT has upgraded the basic security features of the network, with the user security enhancement (USE) offering:
• secure key exchange over SWIFT;
• chipcard-based access control to SWIFT.
The secure key exchange includes generation, encryption, and exchange, of bilateral keys. It is based on an add-on, tamper-proof security hardware module, which performs the exchange in four stages: initiation of exchange, reception of secure identification from the responder, transmission of keys (encrypted and signed), and response and test of keys. (In many banking applications, two keys are required to permit double signatures, for example, operator and security officer.) The security hardware module supports a chipcard reader, and the chipcard is activated by one or two PINs, input by the operator and/or security officer. It is responsible for handling the codes for login to SWIFT.
As an example of a value-added product for SWIFT, the interbank file transfer (IFT) may be cited. IFT operates over X.400 and provides store-and-forward file transfer with multiple destinations — the X.400 service itself being based on the X.25 infrastructure. It is designed to support:
• bulk payments (pensions, dividends, salaries);
• credit requests, analyses, authorisations;
• securities statements;
• risk management information.
Two levels of password are required to activate the IFT package on the user site. There is also secure access control between the user site and the network-based IFT service. The file transfer uses the pIFT protocol (format) within X.400 messages. pIFT includes a security header, containing a token (based on CCITT X.509) holding security arguments for the transfer. Security elements of service include pIFT content confidentiality, pIFT content integrity, and message origin authentication, and a variety of algorithms — symmetric or asymmetric — may be used. The token is generated by the originator, and also contains the algorithm identifiers. These are end-to-end security functions, and algorithms or keys may be established by bilateral or multilateral agreement, independently of SWIFT itself.
SWIFT is also developing EDI products to run over the basic infrastructure and over X.400. Ultimately it may be expected that EDIFACT-defined messages will replace the existing financial transaction messages designed for SWIFT.
6.1.3 ETEBAC 5
A growing field of major financial transactions is that of file transfers, not merely between financial institutions but also between them and their large corporate clients. An example is that of transfers from a company to employees' accounts, representing their salaries. As an example of security services in this area we consider ETEBAC 5, a secure file transfer protocol designed by the Comité Français d'Organisation et de Normalisation Bancaires (CFONB) for use with the French banking system [3]. ETEBAC 5 recognizes two levels associated with a file transfer: the customer-bank level, at which the principals exchange and accept/reject the content of secured financial files; and the customer operator-bank operator level, which is only concerned with the security of the physical file transfer, and not with the files' contents. These two levels use different cryptographic keys. File transfers are always initiated by the customer, although the subsequent transfer(s) can be in either or both directions (customer to bank, bank to customer).
ETEBAC 5 uses (but is not restricted to) a file transfer protocol called PeSIT, based on FTAM. This operates over a packet-switched network based on the X.25 protocol or over an X.25 line. The bank will have a leased X.25 connection to the network. The customer can have leased X.25 or X.32 (dial-up X.25), or an X.28/X.29 asynchronous leased or dial-up connection to the network. ETEBAC 5 relies on asymmetric and symmetric key cryptography, namely RSA and DES (or DES-CBC when appropriate), respectively. The security services provided by ETEBAC 5 are as follows:
• Reciprocal (mutual) authentication between the bank and customer (operators) on establishment of a connection. The authentication uses pairs of asymmetric keys at each end of the connection.
• Data integrity with a MAC, based on DES-CBC in the normal fashion (ISO 8730). The key for the MAC is generated by the sender and transmitted to the receiver.
• Reciprocal nonrepudiation. The integrity checks (MACs) of files are digitally signed with the secret keys of the principals (as opposed to the operators), thereby guaranteeing and accepting responsibility for the contents of transactions.
• (Optional) transfer confidentiality, using symmetric key encryption (DES-CBC), with the key generated by the sender and transmitted encrypted under the recipient's public key.
ETEBAC 5 relies on an X.509-like certification authority, issuing certificates to users containing their public keys. This and other information in the certificate is hashed using the "square-mod" function (see Chap. 4) and signed with the CA's asymmetric secret key. It will be appreciated that ETEBAC 5 uses many of the concepts presented earlier in the book, originally developed for the TeleTrusT project, and later for X.509. The full details are available in the CFONB specification. They cover a wide range of "profiles" handling differing situations, such as:
• Is the file-integrated (PeSIT) version in use with security parameters built into the headers, or is the file-independent version employed, with the parameters carried in separate files?
• Is there an operator layer present, or is the transfer directly between the principals?
• Secure three-way handshake reciprocal authentication, or simple authentication using only the exchange of certificates — the files themselves are, of course, signed.
• The presence, or not, of encryption to provide confidentiality with the associated generation, encryption, and transmission of the key.
• The presence, or not, of a double signature to the transferred files — which necessitates the exchange of two certificates in each direction.
• The direction of the file transfer.
ETEBAC 5 contains many points of detail to allow a very flexible range of services to be supported. For example, not only is a file's content (as condensed in a MAC) signed, but a file identifier is also formed and signed so that references to a file may be made securely. ETEBAC 5 is the first major standard in use incorporating public key cryptography in the form of RSA.
ATMs
6.1.4
and Debit and Credit Cards
Another financial area where security is crucial is that of retail handling of customers' cash transactions. The automatic teller machine (ATM) is a familiar example, through which two cryptographic functions are performed: authentication and confidentiality. The prime requirement is to authenticate the withdrawer of the cash and to debit his account accordingly, subject to availability of funds. Authentication is based on the customer presenting:

• a card identifying the customer, the bank account, and perhaps further details as to allowed facilities, encoded either on a magnetic stripe or, if it is a chipcard, held in memory;
• a personal identification number (PIN) to be entered by the customer, unobserved, at the PIN pad; only the owner of the card knows the PIN, and this is the protection against a thief using a stolen card.

The ATM needs to verify that the entered PIN corresponds to the card. This is usually but not always done centrally, so that PINs are not held at ATMs (where conceivably they could be stolen) and so that other requirements (such as verification of the availability of funds) can be handled. Since ATMs are typically located at bank branches, the ATM-to-central-host link can be part of the bank's existing network, and telecommunication overheads are minimised. However, users' PINs must not be sent in clear over a network (see Chap. 3); therefore they are encrypted (usually directly in the PIN pad) and adjoined to the card and transaction details for transmission to the host, where decryption of PINs and authentication are performed. Typically, there is a single symmetric key per ATM, shared with the host. In some instances ATMs perform PIN verification, in which case they hold PINs only in encrypted form using a one-way function. Sometimes different banks may share the same ATMs. In this case, the parent bank will decrypt and reencrypt the PIN (or the entire transaction) for forwarding to the customer's own bank for authentication.

A similar application is the debit card, with which a user pays for a purchase in a shop. The details of the purchase are entered by the shop assistant on an appropriate keyboard, the user's debit card is read by a terminal (keyboard and card reader terminal may be integrated with a normal cash register), and the user inputs (secretly) his PIN to a PIN pad. The PIN is encrypted, adjoined to the rest of the transaction, and transmitted via a network for further processing, at the end of which the sale is either complete (if a positive reply is returned from the host) or cancelled. Value-added networks may be used for providing this link to the authentication host. Their major function will be to route transactions to the relevant bank. Such networks may also be involved not only in debiting the customer's account, but in crediting the account of the merchant who has made the sale.

It is also common for purchases below a certain value not to be authenticated online, but for transactions to be batched for later transmission to the appropriate hosts, thus reducing telecommunication charges borne by merchants. In this case many such merchants will, typically, bear the risk (of no funds being available, fraud, and so forth) themselves. Credit card authentication is another related financial application. Here, the objective is to ensure that the card is valid, not stolen. Again, this may be performed online between the terminal that reads the card and an authorisation host, or subsequently in batch mode if the credit purchase is below a certain value. A recent development is to carry the "hot card file" (the file of withdrawn credit cards) in the terminal in compressed form, with regular updates either by a terrestrial network or via data broadcasting by radio, typically over sidebands of FM radio or the vertical interval of television. In the latter case, encryption of the broadcast file may be a requirement. Credit card terminals will usually also support a "data capture" feature, in which the transaction (details of purchase plus card number) are batched and forwarded to the card issuer for processing in electronic form, rather than as paper dockets. Credit cards are normally used without a PIN when making purchases.
6.2 SECURITY PRODUCTS

Commercially available security products come in the form of:

• Hardware devices such as plug-in boards for PCs with appropriate firmware (e.g., for access control procedures); line encryptor units; chipcards (sometimes called "smart cards") and interfaces for them; PIN pads; tamper-proof packaging; and, at a very low level, integrated circuits for handling algorithms, such as DES and other functions suitable for firmware.
• Software packages for incorporation by end-users into their systems, or for building into the operating system or device driver software. Typically these packages execute algorithms such as RSA, implement key generation and management services, or are invoked to authenticate accessing systems.
• Ancillary devices, which are not specifically oriented towards security but which are useful in secure systems, such as read only and optical memory or archiving devices.
• Systems that integrate the above to provide one or more security services, designed to counter certain identified threats.
6.2.1 Communication Encryptors

Communication encryptors provide confidentiality of data exchanged between end systems. The basic configuration is the leased point-to-point configuration of Figure 6.1, where the encryptor at A operates on all data sent from A to B, where the decryptor decrypts the data, and vice versa in the reverse direction. The link may be asynchronous, in which case encryption is per character, or synchronous, in which case encryption is block-by-block or, possibly, continuous on a full duplex (two-way simultaneous) channel. It may be a full duplex or half duplex (two-way alternate) channel. If block-by-block encryption is used, the encryptor must be able to recognise the start and end of blocks, either by taking into account the communication protocol used or by explicit command from the controlling system. Between the two encryptor units, a proprietary protocol will normally apply in order to handle:

• synchronisation of the encryption and decryption procedures;
• invocation of the encryption/decryption keys to be used.

The most common key management procedure is based on each encryption/decryption unit containing a secure list of master keys in tamper-proof protection, which are also protected against power failures. The keys are preconfigured into the units. For each communication session one of these keys is selected, either for direct use as a data-encryption key, or as a key-encrypting key for transmitting an encrypted data key, or as an input to be merged with (for example) a transmitted random number in order to produce a data key. The most common encryption algorithms used are symmetric algorithms, such as DES, but proprietary algorithms are also much used. Typical data rates supported by the encryptor units are 9.6 or 19.2 Kbps, and high speed (megabit per second) products also exist.

There are many variants of the basic configuration of Figure 6.1. For example, the encryptor may be built into the modem, or built into the host system (e.g., as a PC plug-in board). Encryptors may be protocol sensitive and operate only on the content of data blocks or frames, such as those of BSC, HDLC, and SDLC, or of data packets in X.25. This may be done in an independent encryptor unit, or in a combined encryptor and protocol unit. The protocol-sensitive approach allows the error detection and recovery procedures of the protocol to be used on the cyphertext, without which communication errors will result in nonsensical plaintext on decryption. In the case of X.25 packet handling, the protocol implementation and the encryptor would typically be built into a plug-in interface card (e.g., for a PC). The content of X.25 data packets will be encrypted, but not the header, and not other packets, since they contain information needed by the network, which must be in clear. (A possible exception is the interrupt packet.)

For higher level communication, encryption will usually be performed by software packages called by the protocol-implementing software or the application. Encryptor/decryptor software products are available for running under common host operating systems. They perform much the same functions as low-level encryptors, except that synchronisation is not a problem, since that is taken care of by the structure of the protocol data units carrying the encrypted higher-level data. However, the security of keys in software is a problem. One common way around this is to provide the software package on a tamper-proof coprocessor plug-in board, where it may be called for execution by application software. Keys (and the code) are securely isolated from the rest of the software. Finally, it may be mentioned that encryptors working on raw data may be used with any digital stream, for example digitised voice. It is possible to envisage a digital telephone, using modern compression techniques such as CELP (code-excited linear prediction), sharing a leased line and encryptor/decryptor pair with the two data end systems.
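The protocol-sensitive arrangement described above can be shown in code: only the data field of a packet is enciphered, the header stays in clear for the network, and the frame check is computed over the ciphertext so that a line error is caught by the protocol before anything is decrypted. This is an added example, not a product's code or anything from the book; it assumes a three-byte X.25-like header, CRC-32 as the frame check, a session data key produced by merging a selected master key with a transmitted random number through SHA-256, and a SHA-256 keystream XOR standing in for DES. The master keys and packet contents are constructed sample values.

```python
"""Protocol-sensitive link encryption (added example, not the book's code).
Header in clear, payload enciphered, frame check over the ciphertext."""
import hashlib
import os
import zlib

HEADER_LEN = 3  # assumed X.25-like header: GFI/LCI, LCI, packet type

# Constructed master key list; a real unit keeps these in tamper-proof store.
MASTER_KEYS = {1: b"master-key-01-sample", 2: b"master-key-02-sample"}


def session_key(master_index: int, nonce: bytes) -> bytes:
    """Merge the selected master key with a transmitted random number (assumed SHA-256)."""
    return hashlib.sha256(MASTER_KEYS[master_index] + nonce).digest()


def keystream_xor(key: bytes, data: bytes, seq: int) -> bytes:
    """Stand-in for DES: XOR with a keystream bound to the packet sequence number."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + seq.to_bytes(4, "big") + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def build_frame(key: bytes, header: bytes, payload: bytes, seq: int) -> bytes:
    """Encipher only the data field; the CRC covers header plus ciphertext."""
    assert len(header) == HEADER_LEN
    body = header + keystream_xor(key, payload, seq)
    return body + zlib.crc32(body).to_bytes(4, "big")


def receive_frame(key: bytes, frame: bytes, seq: int):
    """Return (header, plaintext), or None when the frame check fails.
    A failed check is handled by the protocol (retransmission); nothing is decrypted."""
    body, fcs = frame[:-4], frame[-4:]
    if zlib.crc32(body) != int.from_bytes(fcs, "big"):
        return None
    return body[:HEADER_LEN], keystream_xor(key, body[HEADER_LEN:], seq)


def demo():
    nonce = os.urandom(8)                 # transmitted in clear at session start
    key = session_key(1, nonce)           # both units derive the same data key
    header, payload = b"\x10\x01\x00", b"constructed X.25 data field"
    frame = build_frame(key, header, payload, seq=1)
    header_in_clear = frame[:HEADER_LEN] == header
    good = receive_frame(key, frame, seq=1)
    damaged = frame[:5] + bytes([frame[5] ^ 0x40]) + frame[6:]   # one bit hit on the line
    bad = receive_frame(key, damaged, seq=1)
    return header_in_clear, good, bad
```

The sequence number in the keystream is what keeps two packets with the same content from producing the same ciphertext; a real unit gets the equivalent from the cipher mode and the synchronisation protocol between the encryptors.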
6.2.2 File Security Products

File security products usually address one or both of the following requirements:

• confidentiality of files, by means of encryption;
• integrity of files, using integrity checks.

The associated algorithms and keys may be based in an interface board, such as a disc controller; in an attached coprocessor; or in software on the host. That is, the situation is similar to that of secure data communications, except that the local storage device (disc, tape, diskette) replaces the remote computer. This simplifies the key distribution problem. However, a new key management problem arises. In data communications a single key may serve many local users. All traffic is encrypted similarly. For local file protection, however, each user may require his own keys in addition to keys protecting system software. Moreover, keys potentially have a very long life, because files may be held for a long time. Between writing a file securely to store and rereading it, many months may have elapsed, and the file's owner may have changed keys repeatedly during this period. File security products thus address the two related problems of

• securing user identification for the purposes of authorisation;
• selecting the user's key particular to the file in question.

Assuming that a user has been securely identified, his personal security key(s) may be used by him or her. These are typically based on a single symmetric personal key, updated each time it is used by XOR-ing an incremental offset (counter) to it. If the counter value is stored with the file, the key used on encryption may always be recovered for later use.
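The per-file key scheme just described, with the counter stored alongside the file and an integrity check appended, as an added example (not a product's code or the book's): the personal key is XOR-ed with the counter offset to give the file key, the check (MDC) covers counter, timestamp and ciphertext, and reading regenerates the check before trusting the content. HMAC-SHA256 stands in for the DES-CBC MAC and a SHA-256 keystream XOR for DES encryption; the personal key, counter and file content are constructed sample values.

```python
"""File protection with counter-derived per-file keys and an appended MDC
(added example, not the book's or a product's code)."""
import hashlib
import hmac
import struct
import time

MDC_LEN = 32  # HMAC-SHA256 output, standing in for a DES-CBC MAC


def file_key(personal_key: bytes, counter: int) -> bytes:
    """Key for one file: the personal key XOR-ed with the counter offset."""
    offset = counter.to_bytes(len(personal_key), "big")
    return bytes(a ^ b for a, b in zip(personal_key, offset))


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Confidentiality stand-in for DES: XOR with a SHA-256 keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def write_secure(personal_key: bytes, counter: int, content: bytes, when=None) -> bytes:
    """Stored record: counter || timestamp || ciphertext || MDC.
    The counter is kept with the file so the same key can be regenerated later."""
    k = file_key(personal_key, counter)
    ts = int(time.time()) if when is None else int(when)
    body = struct.pack(">QQ", counter, ts) + keystream_xor(k, content)
    mdc = hmac.new(k, body, hashlib.sha256).digest()
    return body + mdc


def read_secure(personal_key: bytes, record: bytes):
    """Recover (content, timestamp); raise ValueError if the regenerated MDC differs."""
    body, mdc = record[:-MDC_LEN], record[-MDC_LEN:]
    counter, ts = struct.unpack(">QQ", body[:16])
    k = file_key(personal_key, counter)          # recovered from the stored counter
    if not hmac.compare_digest(hmac.new(k, body, hashlib.sha256).digest(), mdc):
        raise ValueError("integrity check failed")
    return keystream_xor(k, body[16:]), ts


def demo():
    personal = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")   # constructed personal key
    rec = write_secure(personal, 7, b"salary ledger, Q1", when=730000000)
    content, ts = read_secure(personal, rec)
    tampered = rec[:20] + bytes([rec[20] ^ 0x01]) + rec[21:]       # flip one ciphertext bit
    try:
        read_secure(personal, tampered)
        detected = False
    except ValueError:
        detected = True
    return content, ts, detected
```

Because the counter changes the key for every write, two files with identical content do not share ciphertext, and a stored counter is all that is needed to reconstruct the key months later, which is the point the text makes about long-lived keys.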
Users' individual basic keys must be securely stored somewhere. This may be done in a tamper-proof interface board or coprocessor. Another method commonly used in commercially available products is to hold the users' keys on a user's portable (plastic) card. The card may be read only (e.g., magnetic stripe); or it may be a full chipcard with its associated read/write controller, with the capability of engaging in a secure dialogue with the controller, or possibly of executing security algorithms on the card itself (see Chap. 2). In the latter case, the user's secret key(s) need not leave the card. The card controller and security coprocessor are often built into a single unit, as shown in Figure 6.2.

The confidentiality of a user's files is achieved by encrypting them using his or her personal key(s). The integrity is assured by appending an integrity check or manipulation detection check (MDC), which is essentially a MAC based (for example) on DES-CBC. The integrity check is appended to the end of each file to be secured, when written to storage. Usually the date and time and other information are added to the file data included in the check. The integrity check is regenerated and compared with the stored value when the file is read. Files may, of course, be protected both by an integrity check and by encryption.

Systems providing file protection for individual users will also provide protection of system files, using very similar mechanisms. In this case, however, there is a master system key, often securely built into the disc controller when the system is initially configured. Authentication of system software may take place automatically at initial loading, the objective being to ensure that the software has not been modified (e.g., no viruses or Trojan horses have been introduced). Alternatively, loading may be conditional on the secure identification of the operator (see below).

Figure 6.2 File security based on keys held on card. (Diagram: host system; card controller and security coprocessor in one unit; chipcard holding keys etc.)
6.2.3 Products for User Identification

Many products exist for the secure identification of users by the system, based on the general principles of Chapter 2. When the user is local to the system, a common procedure is to identify him by means of:

• a password or a personal identification number (PIN);
• secret data held on the user's personal chipcard.

The password or PIN is entered at a keyboard; the secret information is read in from the chipcard by a chipcard reader. These two inputs are processed through one-way functions to produce two values for comparison. If the comparison is successful, the user is securely identified.

One well-known chipcard-based product is illustrated in Figure 6.3. The basic facility provided by this chipcard system is that of protected files held on the card, accessible only through an operating system (OS) running on the card. The OS functions are invoked by suitable commands from the "host" (in reality, usually a terminal device, such as a PC), passed to the card via the card controller and the ISO 7816 interface; the resultant responses are returned in the reverse direction to the host. Functions and/or files are only accessible if the appropriate authorisation status has been established in the authorisation register of the card, by prior correct entry of a secret code or PIN.

Figure 6.3 Protection of chipcard files by PINs. (Diagram: application on the host, card reader and ISO 7816 interface, card OS with PIN interface, authorisation register and authorisation codes, protected files.)

Files consist of descriptors plus bodies holding the data. A descriptor contains flags, which allow a file to be "locked" (completely inaccessible) or to be conditionally accessible, subject to the correct match between the (authorisation) flags in the descriptor and the current authorisation status of the card. The usual directory and file operations (make file, read file, write file, update file, erase file, and lock file) are supported. Protection is achieved by a list of PINs and associated authorisation codes held in the card. To change the authorisation status of the card, the application on the host must specify a PIN in the list and submit the correct PIN value; the associated authorisation code is then merged (OR) into the current authorisation status to produce a new one. A master PIN (number 0) is required to establish the status which allows the commands that create and alter the list of PINs itself to be invoked by the application. The value of PIN 0 is first established by the manufacturer, and then changed by the card issuer (the security administrator for the systems and users of the card), who will probably create some basic secure files at the same time. This is done as follows:

• Make the file (i.e., create its directory entry).
• Load the PIN and associated authorisation code for protecting the file into the list of PINs. (The load command is only accessible following correct submission of PIN 0.)
• Check (i.e., submit and validate) the PIN, thereby establishing the correct authorisation status for accessing the file just created (equivalent to opening the file).
• Write the required data into the body of the file.

As an example of the use of a protected file, it might contain an individual password for an application. The user of the application would then place his or her card in the controller and enter the corresponding PIN at the host, which would forward it to the card for validation against the entry in the list of PINs. If this is successful, the appropriate authorisation status is established, which enables the application to read the password from the file. In turn, this password could be used as a key for decrypting data in the application.

As an added security, it is usual to validate the card itself before validating its claimed owner. For example, when a card is placed in the controller the application provides its identity to the card, protected under a PIN known only to the application (not to any users), and after successful validation reads the application identity held in the card and checks that it is the same as its own. If the comparison is correct, the application can accept the card as one associated with it, and perhaps the password for a specific user. The application identity could be supplemented with the owner's identity, checked by the user; or all users' cards associated with an application might have the application identity protected under the same PIN; or one-way functions could be used on these values, and so forth.
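A small model of the card OS described above, written as an added example (not the product's code or the book's): a PIN list with authorisation codes, an authorisation register updated by OR-ing in the code of each correctly submitted PIN, descriptor flags that must all be present in the register before a file can be read or written, the four-step issuing procedure, and the lock after three failed accesses with its PIN 0 plus file-PIN unlock, which the book describes a little further on. The bit assignments, PIN values and file names are constructed.

```python
"""Chipcard OS model: PIN list, OR-merged authorisation status, flag-checked
files, lock after three failures (added example, not the product's code)."""
import hmac


class ChipcardOS:
    MAX_FAILURES = 3

    def __init__(self, master_pin: str):
        # pin number -> (value, authorisation code); PIN 0 is the master PIN
        self.pins = {0: (master_pin, 0x01)}
        self.status = 0x00            # authorisation register (null on insertion)
        self.files = {}               # name -> descriptor flags, lock state, failures, body
        self.pin_log = []             # the card records every use of a PIN

    def check_pin(self, number: int, value: str) -> None:
        """Submit a PIN. On success its code is OR-ed into the status.
        Nothing is returned: the application is not told whether the PIN was wrong."""
        entry = self.pins.get(number)
        ok = entry is not None and hmac.compare_digest(entry[0], value)
        self.pin_log.append((number, ok))
        if ok:
            self.status |= entry[1]

    def load_pin(self, number: int, value: str, code: int) -> bool:
        """Create or alter a PIN entry; only available after PIN 0 was checked."""
        if not self.status & self.pins[0][1]:
            return False
        self.pins[number] = (value, code)
        return True

    def make_file(self, name: str, flags: int) -> None:
        self.files[name] = {"flags": flags, "locked": False, "failures": 0, "body": b""}

    def _access(self, name: str):
        """Grant access only if every descriptor flag is present in the status."""
        f = self.files[name]
        if f["locked"] or (f["flags"] & self.status) != f["flags"]:
            f["failures"] += 1
            if f["failures"] >= self.MAX_FAILURES:
                f["locked"] = True
            return None
        f["failures"] = 0
        return f

    def write_file(self, name: str, data: bytes) -> bool:
        f = self._access(name)
        if f is None:
            return False
        f["body"] = data
        return True

    def read_file(self, name: str):
        f = self._access(name)
        return None if f is None else f["body"]

    def unlock_file(self, name: str, master_value: str, number: int, value: str) -> bool:
        """A locked file needs PIN 0 and the PIN relevant to the file, usually held by different people."""
        entry = self.pins.get(number)
        if entry is None or not hmac.compare_digest(self.pins[0][0], master_value) \
                or not hmac.compare_digest(entry[0], value):
            return False
        self.files[name].update(locked=False, failures=0)
        return True

    def remove_card(self) -> None:
        """Authorisation status is reset to null when the card leaves the controller."""
        self.status = 0x00


def issue_card(master_pin: str, name: str, number: int, value: str, code: int, data: bytes) -> ChipcardOS:
    """The issuer's four steps: make file, load PIN, check PIN, write data."""
    card = ChipcardOS(master_pin)
    card.check_pin(0, master_pin)                 # needed before load_pin
    card.make_file(name, flags=code)
    card.load_pin(number, value, code)
    card.check_pin(number, value)                 # "opens" the file
    card.write_file(name, data)
    card.remove_card()
    return card
```

The silent `check_pin` is deliberate: an application that wants to know whether its PIN was accepted only finds out when a file access fails, exactly as the product behaves.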
The protection mechanisms described so far do not involve cryptography. However, the card also provides an encryption function. This is DES. This is to be used for encrypting/decrypting data in transit between host and card. When host and card are not adjacent, but separated by a network, the confidentiality of PINs and data can be maintained. Data are held clear in the card, but protected by the OS as described above. For the encrypted transfer a session key (S) must be created, and clearly host and card must create the same S. This is done by using a basic reference key (K) shared between card and application on a semipermanent basis. Creation of S is combined with reciprocal authentication of card and application approximately as follows:

1. The application creates a random number R1, and sends it in clear to the card.
2. The card calculates R = E(K; R1) (E = DES encryption).
3. The card creates a random number R2, and generates S = f(R, R2), where f is some one-way function.
4. The card returns R, R2 to the application.
5. The application also generates R and compares it with the received R, thus authenticating the card (checking that the card knows K). The application generates S = f(R, R2).
6. The application sends P* = D(S; PIN) to the card (D = DES decryption).
7. The card calculates PIN = E(S; P*) and checks that it is correct and, if so, uses it to set the authorisation status. This effectively authenticates the application to the card (i.e., the card knows that the application holds PIN). As an additional check, the use of K could be built into f().
8. S is now used for all further transfers.

In this particular card product, only encryption E is provided; hence the application always uses D, even for encryption as in step 6. (If it is undesirable for the application to hold K in clear, it could be regenerated for a session by applying a one-way function to a password entered by the user to the application.)
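Steps 1 to 8 above, run end to end between a card object and an application object, as an added example that is not the card vendor's code or the book's. DES is stood in for by a small keyed Feistel permutation constructed here (not a real cipher, but it gives both E and D so that step 6 and step 7 invert each other as in the text); f() is SHA-256 truncated to a block; K, the PIN and the random numbers are constructed sample values.

```python
"""Session key creation with reciprocal card/application authentication,
steps 1-8 (added example; Feistel stand-in for DES, SHA-256 for f)."""
import hashlib
import hmac
import os

BLOCK = 8  # 8-byte blocks, as DES


def _round(key: bytes, half: bytes, i: int) -> bytes:
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:BLOCK // 2]


def E(key: bytes, block: bytes) -> bytes:
    """Stand-in for DES encryption of one block (4-round keyed Feistel)."""
    assert len(block) == BLOCK
    left, right = block[:4], block[4:]
    for i in range(4):
        left, right = right, bytes(a ^ b for a, b in zip(left, _round(key, right, i)))
    return right + left


def D(key: bytes, block: bytes) -> bytes:
    """Stand-in for DES decryption: the same rounds run in reverse order."""
    assert len(block) == BLOCK
    right, left = block[:4], block[4:]
    for i in reversed(range(4)):
        right, left = left, bytes(a ^ b for a, b in zip(right, _round(key, left, i)))
    return left + right


def f(*parts: bytes) -> bytes:
    """One-way function combining its inputs into a block-sized key (assumed SHA-256)."""
    return hashlib.sha256(b"|".join(parts)).digest()[:BLOCK]


class Card:
    def __init__(self, K: bytes, pin: bytes):
        self.K, self.pin, self.S, self.authorised = K, pin, None, False

    def challenge(self, R1: bytes):
        R = E(self.K, R1)                     # step 2
        R2 = os.urandom(BLOCK)                # step 3
        self.S = f(R, R2)
        return R, R2                          # step 4

    def submit_pin(self, P_star: bytes) -> bool:
        pin = E(self.S, P_star)               # step 7: only E exists on the card
        self.authorised = hmac.compare_digest(pin, self.pin)
        return self.authorised


class Application:
    def __init__(self, K: bytes):
        self.K = K

    def authenticate_card(self, card: Card):
        R1 = os.urandom(BLOCK)                # step 1
        R, R2 = card.challenge(R1)
        if not hmac.compare_digest(R, E(self.K, R1)):
            return None                       # step 5 fails: card does not know K
        return f(R, R2)                       # both sides now hold the same S

    def send_pin(self, card: Card, S: bytes, pin: bytes) -> bool:
        return card.submit_pin(D(S, pin))     # step 6: application uses D to encrypt


def run_session(K_card: bytes, K_app: bytes, pin_card: bytes, pin_app: bytes) -> str:
    card, app = Card(K_card, pin_card), Application(K_app)
    S = app.authenticate_card(card)
    if S is None:
        return "card rejected"
    return "authorised" if app.send_pin(card, S, pin_app) else "pin rejected"
```

Note what each side learns: the application is convinced only after R matches (the card knew K), and the card is convinced only after the PIN it recovers under S matches (the application knew both K, via S, and the PIN).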
Further features of the product include the recording of the use of PINs and locking of a file if three consecutive attempts are made to access it with the wrong authorisation status. (Note that an application is not told that a PIN is wrong. It only finds out if file accesses fail.) A locked file can only be unlocked by submission of PIN 0 plus the PIN relevant to the file, and these two PINs usually are held by different persons (e.g., the issuer and the owner). The card's authorisation status is reset to null when the card is removed from the controller or following certain types of validation failures. Multidirectory cards are also supported and can be used with a range of applications. Protected commands exist for creating, maintaining, and moving between directories.

Many other personal identification systems exist. For example, one system suitable for remote unintelligent terminals is based on knowing something (PIN, password) and owning something. In this case the "owned something" is not a chipcard (since there is no chipcard reader), but a small portable device holding secret user identification information. When held against the screen it responds to flashing data (not legible to the human eye), which are sent by the host, and which are dependent on the user's claimed identity and the time. The device responds by generating on a small display a login code. This code is dependent on all three inputs: claimed identity; time; secret identification data in the device. The user may now log in with this code, which is compared with the corresponding computer-generated value for authentication. The comparison fails if the user has someone else's device. The login code is valid for a limited duration on account of the time component, thus invalidating its use in the future by an eavesdropper. Other portable devices contain a clock (synchronised with that in the host system) and generate an access code dependent on the time and the device owner's identity. This access code is entered by the user and compared with one generated by the host, based on the time and the user's claimed identity.
6.2.4 Products for Intersystem Access Control

When both parties to a communication have computing capabilities, they can execute reciprocal identification procedures involving substantial calculations of the sort that cannot be undertaken by a human user or an unintelligent terminal. A typical situation is shown in Figure 6.4. The access control modules (ACMs) of Figure 6.4 may be freestanding units or cards integrated into the system. Their function is to identify each other securely, as members of a group (perhaps containing only two parties) who are permitted to communicate. By extension, systems A and B are identified, which presupposes that system A and/or its user has identified itself securely to its own ACM using the techniques discussed above. (The same applies to system B.)

Figure 6.4 (Diagram: System A and System B, each with its access control module.)
For some security products the generation and loading of keys into system components is performed by the manufacturer, before delivery. A more satisfactory solution is to give purchasers the ability to manage users' keys themselves. Typically this is done on a privileged PC, using protected software. This software is encrypted and held with integrity checks on file, and when loaded will only decrypt and run if the hard-wired identity of the system onto which it is booted is correct. The key management system will generate keys for users' systems and load them into devices, such as plug-in boards and free-standing devices like ACMs and chipcards, by means of the appropriate interface. Clearly such a key management system requires:

• authentication and authorisation of the key management system operator;
• reciprocal authentication between the key management system and the device into which the keys are loaded;
• secure identification of the person bringing the device to be loaded.

For systems where keys are activated by PINs, the key management system will also help users to generate appropriate PINs, and will load an encrypted version of the PIN into the device, to be used in future user identification. Typically, the key management system will not hold users' keys or PINs. If it does so, they will always be held in encrypted form. Some key management products support RSA, and as such issue public keys as well as generating and loading secret keys. These key management systems have a certification capability (i.e., they can sign the public keys issued, if required). One such (public domain) product is SecuDE.

SecuDE (security development environment) [4] is a library of software routines developed by GMD, Germany, covering a wide range of functions, including:

• basic cryptographic algorithms (RSA, DES, Hash) and storage of cryptographic data in the form of a personal secure environment or PSE;
• an authentication framework, or application interface for using a PSE, displaying those elements of its contents which are permitted to be displayed, and for performing signature generation and verification, encryption/decryption, and so forth, by calling on PSE;
• key management for handling certificates, following certificate paths in hierarchies, maintaining old certificates, exchanging certificates with external agents, and so on;
• application routines, for example, for the support of X.400 and PEM secure messaging (see Chap. 5).

PSE is an interesting concept that allows all the basic security functions and data (including the owners' secret asymmetric keys) to be handled and transmitted as a unit. It is the method of secret key distribution, and may be viewed as a software emulation of a tamper-proof chipcard, within which all critical cryptographic processing is performed so that secret keys need never be extracted from it. A user's PSE is protected by his PIN, which, when put through a one-way function f(), gives the DES key for encrypting the PSE:

Key = f(PIN)

This Key protects the PSE's table of contents, the owner's name, and also the Key itself, so that the PSE contains in addition

K' = E(Key; Key)

To unlock the PSE the owner presents his PIN, which is used to calculate Key and K'. If the stored and calculated values of K' agree, Key may then be used to decrypt the rest of the PSE. Within the PSE are the "objects" (files) listed in the table of contents. These objects may be in clear, encrypted with Key, or encrypted with an individual key which is itself encrypted with Key and associated with the object. A typical PSE content includes the following as objects:

• a secret key for signing;
• a (different) secret key for decryption (in two versions, new and old);
• a certificate holding the public signature-verification key;
• a certificate holding the public encryption key (two versions);
• a certificate "path" including the public key of the PSE owner's certification authority (CA);
• the public key of the root CA in the certification hierarchy;
• lists of other users' certificates.

As indicated, a PSE may be transmitted over a network and no one can unlock it without knowing the PIN. The applications interface permits users to install a new PSE received in this manner. All cryptographic operations are performed within the PSE, where the secret keys, for example, are temporarily decrypted for use. Protection mechanisms exist to ensure that the PSE does not remain in an unlocked state (Key available) indefinitely. The SecuDE library is written in C, runs under Unix, and (as stated) is in the public domain.
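The PSE locking scheme above (Key = f(PIN), K' = E(Key; Key) as the check value, objects in clear, under Key, or under an individual key that is itself wrapped with Key) as an added example that is not SecuDE's code. Assumptions: f() is SHA-256, E is HMAC-SHA256 used as a keyed check value in place of DES, and object encryption is a SHA-256 keystream XOR labelled with the object name so that no two objects share keystream; the owner name, PIN and object contents are constructed.

```python
"""PSE lock/unlock with Key = f(PIN) and K' = E(Key; Key)
(added example, not SecuDE code; hash-based stand-ins for DES)."""
import hashlib
import hmac
import json
import os


def f(pin: str) -> bytes:
    """One-way function of the PIN giving Key (assumed SHA-256)."""
    return hashlib.sha256(pin.encode()).digest()


def E(key: bytes, data: bytes) -> bytes:
    """Keyed check value standing in for DES encryption of data under key."""
    return hmac.new(key, data, hashlib.sha256).digest()


def xor_stream(key: bytes, data: bytes, label: bytes) -> bytes:
    """Symmetric encryption stand-in; keystream bound to a per-object label."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + label + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def create_pse(owner: str, pin: str, objects: dict) -> dict:
    """objects: name -> (mode, plaintext) with mode in {"clear", "key", "individual"}."""
    key = f(pin)
    stored = {}
    for name, (mode, data) in objects.items():
        if mode == "clear":
            stored[name] = ("clear", data)
        elif mode == "key":                                   # encrypted directly with Key
            stored[name] = ("key", xor_stream(key, data, name.encode()))
        else:                                                 # own key, wrapped under Key
            obj_key = os.urandom(32)
            stored[name] = ("individual", xor_stream(obj_key, data, name.encode()),
                            xor_stream(key, obj_key, b"wrap:" + name.encode()))
    return {
        "k_prime": E(key, key),                               # K' = E(Key; Key)
        "owner": xor_stream(key, owner.encode(), b"owner"),
        "toc": xor_stream(key, json.dumps(list(objects)).encode(), b"toc"),
        "objects": stored,
    }


def unlock(pse: dict, pin: str):
    """Return {"owner", "objects"} if the PIN is right, else None (nothing decrypted)."""
    key = f(pin)
    if not hmac.compare_digest(E(key, key), pse["k_prime"]):
        return None
    toc = json.loads(xor_stream(key, pse["toc"], b"toc"))
    out = {}
    for name in toc:
        entry = pse["objects"][name]
        if entry[0] == "clear":
            out[name] = entry[1]
        elif entry[0] == "key":
            out[name] = xor_stream(key, entry[1], name.encode())
        else:
            obj_key = xor_stream(key, entry[2], b"wrap:" + name.encode())
            out[name] = xor_stream(obj_key, entry[1], name.encode())
    return {"owner": xor_stream(key, pse["owner"], b"owner").decode(), "objects": out}


# Constructed sample content, following the typical object list in the text.
SAMPLE_OBJECTS = {
    "signature.secret":  ("individual", b"RSA-SIGNING-KEY-SAMPLE"),
    "decryption.secret": ("key", b"RSA-DECRYPTION-KEY-SAMPLE"),
    "cert.root_ca":      ("clear", b"ROOT-CA-CERT-SAMPLE"),
}
```

The check value is what lets a wrong PIN be rejected before any object is touched, which matters because a keystream applied under the wrong key would otherwise yield garbage that the caller might mistake for a key.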
6.2.6 Some Other Relevant Products

Security systems nearly always require confidentiality of information, such as users' data, keys, and so forth. They also require information to be protected against modification. These two requirements can be satisfied by logical procedures such as those discussed above. However, protection against modification can also be assisted by the use of standard devices not specifically designed for security. For example, in security products extensive use is made of read-only memories (ROMs), EEPROMs, and battery protection against power failure. More particularly, optical read-only discs are suitable for holding: security management system software; long-term security data, such as users' RSA public keys and (encrypted) secret keys; and users' software, which invokes security functions on attached security devices.
6.2.7 A Typical Security Product for a PC

A typical security product for a PC will include many if not all of the functions that have been discussed. For example, one commercially available security system product that consists of a security coprocessor unit with built-in chipcard controller supports:

• physical and logical protection of the security unit, against unauthorised use;
• physical and logical protection of the contents of the chipcard;
• user identification and authentication;
• establishment of a user "profile" on the basis of authentication;
• enforcement of the user profile by controlling access to modules, applications, and so forth;
• selective authentication of user files with integrity checks;
• selective confidentiality of user files with encryption;
• authentication of system files;
• confidentiality of system files;
• secure logging and archiving of security events;
• authentication procedures for accessing a remote host (either by compatibility with the host manufacturer's security system or in cooperation with a host ACM as seen in Fig. 6.4);
• an offline secure key management system.

In summary, many security products exist suitable for inclusion in systems. Most of the independently supplied ones are stand-alone (e.g., line encryptors), or address the PC market. Major manufacturers have their own security products for use with their own systems, and independent suppliers are only beginning to offer compatible products. Outside specific sectors, such as banking, and excluding the widespread use of DES, standards have yet to make an impact. Most commercial products are proprietary.
6.3 SECURITY ARCHITECTURES

A security architecture attempts to provide a complete framework within which many particular security services (confidentiality, integrity, authentication, nonrepudiation, etc.) may be fitted coherently; for example, by sharing procedures or resources, or by providing services to each other. Additionally, a security architecture should be applicable to many situations, such as: local or remote use of host-based systems by a terminal; applications in several hosts cooperating over a network and acting as proxies for each other (e.g., directory service agent, see Chap. 5); LAN-based systems and shared services, such as file servers; communication gateways, bridges, or LAN interconnections with routers. In practice, the concept of a security architecture usually turns into a scheme for issuing keys and other authorisation, identification, and enabling attributes to persons and systems for use (hopefully) in a wide range of situations. The specific procedures and mechanisms of individual security servers, even whether symmetric or asymmetric key cryptology applies, are often left open or optional. Some architectures are presented below.
6.3.1 Kerberos

Kerberos [5] originates with the Massachusetts Institute of Technology and, as its name suggests, is a watchdog service guarding access to computer systems. Access to protected systems is by permission of Kerberos, to which prior application must be made. If the application is approved, Kerberos issues a "ticket" to the applicant enabling him or her to use the protected system following presentation of the ticket. The scheme is illustrated in Figure 6.5 and described in the following steps.

1. The client (C) is a human user who wishes to access services (S). C uses an agent (e.g., a workstation or PC) as the local computing facility.

2. C applies to the Kerberos watchdog (W) for a ticket for S by sending the identities of C and S and the current time (t).

3. W responds by sending: a session key (K_CS) to be used by C and S; the identities of C and S (echoed back); the time; a lifetime (L) for the ticket; and the ticket itself, all encrypted under key K_C, a secret symmetric key shared between Kerberos and the client. The ticket itself contains similar information, but encrypted under key K_S, a secret symmetric key shared between Kerberos and the service S. Specifically, the ticket = E(K_S; {K_CS, C, S, time, C's address, L}). Thus, only S can read the ticket. The time states when W issued the ticket. C's address (i.e., the agent's network address) may be used by S for callback, verification in a table of clients, and so forth.

4. To obtain K_CS, C must decrypt W's response. No one else can understand this, the client key K_C being a secret. Specifically, K_C is determined by a one-way function f() of C's password P, say. To achieve this, the client enters the password, which is processed by the one-way function f() to produce K_C = f(P). Thus, C's agent, which might be a workstation located in a public area, does not hold K_C; it generates it only once during the user's sessions, so it may be destroyed immediately after use. Having decrypted the response, C's agent checks that S and C are correct (i.e., that the ticket really is intended for S), that it is valid (time, L), and that the response and hence the ticket (which it cannot understand) are not replays of prior responses. C, of course, trusts W to issue a good ticket, and C's agent knows the response came from W by being able to decrypt it. K_CS has been entrusted to C's agent to use on his or her behalf for the duration of the session.

5. C's agent establishes contact with S and sends S the ticket. S decrypts the ticket, verifies that it is intended for S, and notes C's details. S now knows K_CS, and knows that Kerberos has vouched for C as a client. S does not know for certain that it was C's agent that sent the ticket; it could have been an impostor who had observed tickets in transit on the network, and was replaying them (replay of the authenticator and of acquired tickets is a real danger). To ensure that S knows the ticket comes from C and C's agent, the agent sends an authenticator = E(K_CS; (C, C's address, t)). S can decrypt this using the session key from the ticket, and verify that the authenticator is current and from C, by validating t and by matching C and C's address with those of the ticket. C's address can also be compared with the source address received on establishing the connection between C and S, for example from a network service such as X.25 packet switching. At this stage, S knows for certain that it is dealing with C and C's agent (because C, the holder of K_C, and his agent may be regarded as one and the same), and uses K_CS for the remainder of the session.

6. C and S may now communicate securely using K_CS to encrypt or authenticate exchanges. C's belief that S is genuine and not an impostor rests on C's trust in W: S could only have gotten K_CS from W encrypted under K_S; and K_CS is shared by S with no one else but C. Thus, an indirect sort of reciprocal authentication exists.

It is possible that C wishes to access many different servers while using the agent, and perhaps to keep several simultaneous sessions active. The basic mechanism of the ticket, including its lifetime L, clearly permits this, since C can resubmit still valid tickets and reauthenticate at will. In particular, C can do this with the ticket-granting service (TGS) of Kerberos itself (i.e., the server is the TGS). In this case the initial access to Kerberos may be regarded as accessing a key distribution service (KDS), which gives the client a ticket and session key for the TGS. Repeated access to Kerberos' TGS for tickets for other servers may be made by the client as long as the ticket is valid; reentry of the password P is not required each time.

As should be clear from the above description, Kerberos aims to ensure that a server application is convinced of the identity of the client accessing it, even if that client is working from a relatively insecure terminal, such as a publicly available workstation. Kerberos does not specify authorisation attributes, although the server might deduce these from the client's identity. Kerberos does not state how K_CS is used after authentication, although it could certainly be employed to support further data confidentiality, data origin authenticity, and integrity services. Kerberos as an "architecture" is, thus, based firmly on symmetric key cryptology and limited to "getting started" by establishing a properly authenticated interactive session.
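The six steps above, run end to end as an added example (my code, not the book's and not MIT's Kerberos implementation). It assumes a toy symmetric cipher built from SHA-256 and HMAC in place of DES, JSON-encoded fields, the constants LIFETIME and SKEW, and constructed principals ("alice", "fileserver") and addresses; none of these come from the text. What it shows beyond the prose is where the checks of step 5 bite: the same ticket and authenticator replayed by an eavesdropper, and a fresh authenticator arriving from a different network address than the ticket names, are both refused.

```python
import hashlib
import hmac
import json
import os

LIFETIME = 8 * 3600   # L: ticket lifetime in seconds (assumed value)
SKEW = 300            # maximum age of an authenticator in seconds (assumed value)


def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key, fields, nonce=None):
    """E(key; fields): toy stand-in for the text's DES encryption, built from a
    SHA-256 counter-mode keystream plus an HMAC tag. Illustrative only."""
    data = json.dumps(fields, sort_keys=True).encode()
    nonce = nonce or os.urandom(16)
    body = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()


def unseal(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered data")
    return json.loads(bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))))


def client_key(password):
    """K_C = f(P): the one-way function of the password (unsalted hash; illustrative)."""
    return hashlib.sha256(b"kerberos-client-key:" + password.encode()).digest()


class Watchdog:
    """W: knows K_C for every client and K_S for every service."""

    def __init__(self, client_keys, service_keys):
        self.client_keys, self.service_keys = client_keys, service_keys

    def request(self, client, address, service, now):
        k_cs = os.urandom(32).hex()                      # session key for C and S
        common = {"K": k_cs, "C": client, "S": service, "time": now, "L": LIFETIME}
        ticket = seal(self.service_keys[service], dict(common, addr=address))
        return seal(self.client_keys[client], dict(common, ticket=ticket.hex()))


class Service:
    """S: holds K_S and remembers authenticators already presented."""

    def __init__(self, name, key):
        self.name, self.key, self.seen = name, key, set()

    def accept(self, ticket, authenticator, source_address, now):
        t = unseal(self.key, ticket)                     # only S can read the ticket
        if t["S"] != self.name:
            raise ValueError("ticket not intended for this service")
        if not t["time"] <= now <= t["time"] + t["L"]:
            raise ValueError("ticket outside its lifetime")
        k_cs = bytes.fromhex(t["K"])
        a = unseal(k_cs, authenticator)                  # proves the sender knows K_CS
        if (a["C"], a["addr"]) != (t["C"], t["addr"]):
            raise ValueError("authenticator does not match ticket")
        if a["addr"] != source_address:
            raise ValueError("connection source address does not match ticket")
        if abs(now - a["t"]) > SKEW or authenticator in self.seen:
            raise ValueError("stale or replayed authenticator")
        self.seen.add(authenticator)
        return t["C"], k_cs


def client_login(w, client, address, password, service, now):
    """Steps 2 to 5 from the client's side; K_C is derived, used once and dropped."""
    resp = unseal(client_key(password), w.request(client, address, service, now))
    if (resp["C"], resp["S"]) != (client, service):
        raise ValueError("response is not for this client and service")
    k_cs = bytes.fromhex(resp["K"])
    authenticator = seal(k_cs, {"C": client, "addr": address, "t": now})
    return bytes.fromhex(resp["ticket"]), authenticator, k_cs


def run_demo(now=1_700_000_000):
    # Constructed sample principals; nothing here is a real Kerberos message format.
    k_s = os.urandom(32)
    w = Watchdog({"alice": client_key("correct horse")}, {"fileserver": k_s})
    s = Service("fileserver", k_s)
    ticket, auth, k_client = client_login(w, "alice", "10.0.0.7", "correct horse", "fileserver", now)
    who, k_server = s.accept(ticket, auth, "10.0.0.7", now)
    out = {"client": who, "keys_agree": k_client == k_server}
    try:                                                 # eavesdropper replays both
        s.accept(ticket, auth, "10.0.0.7", now + 1)
        out["replay_refused"] = False
    except ValueError:
        out["replay_refused"] = True
    try:                                                 # fresh authenticator, wrong source
        s.accept(ticket, seal(k_client, {"C": "alice", "addr": "10.0.0.7", "t": now + 2}), "192.0.2.9", now + 2)
        out["wrong_address_refused"] = False
    except ValueError:
        out["wrong_address_refused"] = True
    return out
```

The replay cache and the source-address comparison are what the text's step 5 relies on; a service that keeps neither accepts any captured ticket and authenticator for as long as the clock skew allows.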
6.3.2 SESAME

SESAME (secure European system for application in a multivendor environment) [6] is a European project that aims to fill out the details of the approach of ECMA TR/46 and ECMA 138 (see Chap. 3), and also to provide products for commercial use. It is based on DES. In SESAME, "certificates" are presented to target applications across a communication link or network, by a subject sponsor (or user agent), to obtain access rights for the subject (user). The certificate contains information about the subject, such as identity and personal attributes, sealed or signed by a trusted certificate-issuing service. The certificate is joined to other data and/or commands and sealed under a basic (session) key before transmission by the sponsor. The basic key is created by a key distribution service (KDS) for this subject-target session, so that if the target successfully authenticates the certificate (and other) data it is sure that they came from the subject's sponsor, to which the subject identified in the certificate entrusted the certificate and the basic key. (See Fig. 6.6.) Two classes of certificates exist.

Figure 6.6 SESAME presentation of certificates (the sponsor sends the target the action/data and certificate sealed under the basic key BK).
The authentication certificate (AUC) is provided by an authentication server (AS) to a subject following successful authentication, for example by the exchange of data encrypted with a secret key shared between the subject and the server (see below). The AUC has a defined lifetime, is sealed (symmetric cryptography) or signed (asymmetric) by the server, and contains as principal data the subject identifier and information about his sponsor (subjects are mobile). The purpose of an AUC is to enable the subject to obtain a privilege attribute certificate (PAC) from a privilege attribute server (PAS), in much the same way as Kerberos may be used to issue a (ticket granting) ticket to a client to subsequently obtain tickets for other targets from the ticket-granting service. That is, the target application for an AUC is the PAS.

The PAC has as target any suitable application available over the network infrastructure. PACs are signed (asymmetric cryptology) by the PAS, and contain as essential information the privilege attributes ("may access top secret information", "belongs to working group 19", and so on) of the subject. Other information in the PAC includes its valid lifetime and the identity of the subject who is to be charged for use of the target service (not necessarily the subject, who could be anonymous). AUCs and PACs carry their own identification, as certificates, for auditing. The lifetime controls include not only expiry dates but also a maximum "use count", which a single target can use to reject repeated presentations of the same certificate. The basic scheme for certificates is illustrated in Figures 6.7 and 6.8, including the situation when the authentication and privilege attribute services are combined.

SESAME aims to be of much wider scope than Kerberos. As two examples of this, we cite the privilege attributes and proxying. Privilege attributes apply to users/subjects and also to applications. They are intended to be "global". Unlike Kerberos, the PAC does not grant access to a specific target service; but instead states the category of person, institutional affiliation, position in organisation, subscription rights, and so forth that the subject is or has. It is for the target

Figures 6.7 and 6.8 SESAME certificate scheme: subject, password, sponsor, authentication server (AS) and privilege attribute server (PAS).
The protection value is the result of applying a one-way function to a "control value", known initially only to the subject. If the subject wishes to give power of proxy to a target, it will send the control value (encrypted under the basic key) to the target: the target can validate the protection value provided in the certificate by decrypting the control value, putting it through the one-way function, and comparing results. The target can now use the certificate as proxy on another target, even if the SS-IDs in the certificate and those associated with the target-target basic key do not agree, provided it passes on the (reencrypted) control value. The second and subsequent targets accept such certificates only if they are accompanied by the correct control value. A certificate proxied validly in this way will be acceptable. The mechanism protects the original user from the possibility of a certificate being accessed by a system pretending to be, or pretending to be a proxy for, the subject. It does not protect the subject from a trusted target breaking his or her trust, and passing the certificate to other untrustworthy systems. (It could be argued that a simpler way of authorising the use of a certificate within a trusted group would be for the subject to sign the corresponding permission with an asymmetric secret key.)
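A demonstration of the control value and protection value mechanism just described, added here as example code (not from the book or the SESAME project). It assumes SHA-256 as the one-way function f(), an HMAC under a PAS key standing in for the PAS's asymmetric signature, the "use count" lifetime control from earlier in the section, and constructed names (alice, print-server, archive); the sealing of the certificate under the basic key is left out so that the proxy logic stands on its own.

```python
import hashlib
import hmac
import json
import os


def canon(obj):
    return json.dumps(obj, sort_keys=True).encode()


def one_way(control_value):
    """f(): turns the subject's control value into the protection value carried in the PAC."""
    return hashlib.sha256(b"sesame-protection:" + control_value).hexdigest()


class PrivilegeAttributeServer:
    """PAS: issues PACs. An HMAC under the PAS key stands in for its signature."""

    def __init__(self, key):
        self.key = key

    def issue_pac(self, subject, attributes, control_value, use_limit):
        pac = {"cert_id": os.urandom(8).hex(), "subject": subject, "attributes": attributes,
               "protection": one_way(control_value), "use_limit": use_limit}
        pac["signature"] = hmac.new(self.key, canon(pac), hashlib.sha256).hexdigest()
        return pac


class Target:
    """A target application: checks the PAS signature, the use count and, for
    proxied PACs, the accompanying control value."""

    def __init__(self, name, pas_key):
        self.name, self.pas_key = name, pas_key
        self.use_counts = {}        # cert_id -> presentations seen so far
        self.proxy_powers = {}      # cert_id -> control value entrusted to this target

    def _validate(self, pac):
        body = {k: v for k, v in pac.items() if k != "signature"}
        expected = hmac.new(self.pas_key, canon(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, pac["signature"]):
            raise ValueError("PAC signature invalid")
        count = self.use_counts.get(pac["cert_id"], 0) + 1
        if count > pac["use_limit"]:
            raise ValueError("maximum use count exceeded")
        self.use_counts[pac["cert_id"]] = count

    def accept_from_sponsor(self, pac):
        """Direct presentation by the subject's own sponsor."""
        self._validate(pac)
        return True

    def receive_proxy_power(self, pac, control_value):
        """The subject entrusts the control value; the target checks it against the PAC."""
        if one_way(control_value) != pac["protection"]:
            raise ValueError("control value does not match the PAC's protection value")
        self.proxy_powers[pac["cert_id"]] = control_value

    def accept_from_proxy(self, pac, control_value):
        """Presentation by another target acting as proxy: control value must accompany the PAC."""
        if one_way(control_value) != pac["protection"]:
            raise ValueError("proxied PAC without the correct control value")
        self._validate(pac)
        return True


def run_demo():
    pas_key = os.urandom(32)
    control = os.urandom(16)        # known initially only to the subject
    pac = PrivilegeAttributeServer(pas_key).issue_pac(
        "alice", ["may access top secret information", "belongs to working group 19"], control, use_limit=1)
    printer, archive = Target("print-server", pas_key), Target("archive", pas_key)
    out = {"direct": printer.accept_from_sponsor(pac)}
    try:                            # the printer cannot act as alice's proxy on its own
        archive.accept_from_proxy(pac, b"not the control value")
        out["forged_proxy"] = "accepted"
    except ValueError:
        out["forged_proxy"] = "refused"
    printer.receive_proxy_power(pac, control)       # alice grants power of proxy
    out["proxied"] = archive.accept_from_proxy(pac, printer.proxy_powers[pac["cert_id"]])
    try:                            # a second presentation of the same PAC exceeds use_limit
        archive.accept_from_proxy(pac, control)
        out["reuse"] = "accepted"
    except ValueError:
        out["reuse"] = "refused"
    return out
```

Note that nothing in `Target` stops the print server from handing `proxy_powers` to a third system; that is exactly the limitation the text states, and it is why the control value is entrusted only to targets the subject already trusts.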
Finally, we look briefly at a key distribution procedure used in SESAME, as shown in Figure 6.9 and described in the steps listed below. A subject is getting a certificate (AUC or AUC/PAC) for a target (privilege attribute server or application, respectively).

1. The subject requests the certificate.

2. The subject sponsor and certificate issuing server (CIS) generate K1 = f(P, t), where P is the subject's password (known to CIS), t is the time, and f() is a one-way function.

3. The CIS sends to the subject sponsor:
a. E(K1; K2), a new key K2 encrypted under K1;
b. E(K3; K2, SS-ID, etc.), a key package 1 for the KDS encrypted under a key K3 common to CIS and KDS;
c. the certificate, including SS-ID.

4. The sponsor decrypts and holds K2; passes the key package 1 to KDS with a request for a basic key; holds the certificate.

5. KDS decrypts K2, using K3, which KDS and the CIS share, and sends to the sponsor:
a. E(K2; BK), where BK is the basic key for the subject-target session, generated by KDS;
b. E(K4; BK, SS-ID, etc.), a key package 2 for the target.

6. The sponsor decrypts and holds BK; passes the new key package 2 to the target; requests some action from the target by sending the action and the certificate sealed (e.g., a MAC) under BK.

7. The target decrypts BK using K4, which KDS and the target share; authenticates the action request using BK; validates the certificate; compares SS-ID from the key package 2 and from the certificate for equality; and finally, executes the action if it is in conformance with the subject's attributes in the certificate.
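The seven steps above carried through between sponsor, CIS, KDS and target, as an added example (not the book's or SESAME's own code). It assumes K1 = SHA-256(P || t), key packages built by XORing the carried key with an HMAC-derived pad and MACing the package, an HMAC under a CIS key in place of the CIS seal on the certificate, HMAC under BK as the MAC of step 6, and constructed names (alice, printer, sponsor-A, sponsor-B); the field names are mine. Besides the honest run it shows why step 7 compares SS-IDs: a key package 2 taken from another sponsor's session cannot be spliced onto alice's certificate.

```python
import hashlib
import hmac
import json
import os


def canon(obj):
    return json.dumps(obj, sort_keys=True).encode()


def mac(key, obj):
    return hmac.new(key, canon(obj), hashlib.sha256).hexdigest()


def wrap(kek, fields):
    """E(kek; fields) for a key package: the 32-byte key is XORed with an HMAC-derived
    pad and the package is MACed under kek. Toy stand-in for DES encryption."""
    nonce = os.urandom(16)
    pad = hmac.new(kek, b"pad:" + nonce, hashlib.sha256).digest()
    key = bytes.fromhex(fields["key"])
    pkg = dict(fields, key=bytes(a ^ b for a, b in zip(key, pad)).hex(), nonce=nonce.hex())
    return dict(pkg, mac=mac(kek, pkg))


def unwrap(kek, pkg):
    body = {k: v for k, v in pkg.items() if k != "mac"}
    if not hmac.compare_digest(pkg["mac"], mac(kek, body)):
        raise ValueError("key package failed its integrity check")
    pad = hmac.new(kek, b"pad:" + bytes.fromhex(body.pop("nonce")), hashlib.sha256).digest()
    body["key"] = bytes(a ^ b for a, b in zip(bytes.fromhex(body["key"]), pad)).hex()
    return body


def derive_k1(password, t):
    """K1 = f(P, t): one-way function of the password and the time (step 2)."""
    return hashlib.sha256(f"{password}|{t}".encode()).digest()


class CIS:
    """Certificate issuing server: knows passwords, attributes and K3 (shared with KDS)."""

    def __init__(self, passwords, attributes, k3, signing_key):
        self.passwords, self.attributes, self.k3, self.signing_key = passwords, attributes, k3, signing_key

    def issue(self, subject, ss_id, t):                                 # step 3
        k1, k2 = derive_k1(self.passwords[subject], t), os.urandom(32).hex()
        cert = {"subject": subject, "ss_id": ss_id, "attributes": self.attributes[subject]}
        cert = dict(cert, seal=mac(self.signing_key, cert))
        return (wrap(k1, {"key": k2}),                                  # 3a: E(K1; K2)
                wrap(self.k3, {"key": k2, "ss_id": ss_id}),             # 3b: key package 1
                cert)                                                   # 3c: certificate


class KDS:
    """Key distribution service: knows K3 and a key K4 for every target."""

    def __init__(self, k3, target_keys):
        self.k3, self.target_keys = k3, target_keys

    def basic_key(self, package1, target):                              # step 5
        inner = unwrap(self.k3, package1)
        k2, bk = bytes.fromhex(inner["key"]), os.urandom(32).hex()
        return (wrap(k2, {"key": bk}),                                  # 5a: E(K2; BK)
                wrap(self.target_keys[target], {"key": bk, "ss_id": inner["ss_id"]}))  # 5b


class Target:
    def __init__(self, name, k4, cis_signing_key):
        self.name, self.k4, self.cis_key = name, k4, cis_signing_key

    def serve(self, package2, action, cert, request_seal):              # step 7
        bk = bytes.fromhex(unwrap(self.k4, package2)["key"])
        if not hmac.compare_digest(request_seal, mac(bk, {"action": action, "cert": cert})):
            raise ValueError("request not sealed under BK")
        body = {k: v for k, v in cert.items() if k != "seal"}
        if not hmac.compare_digest(cert["seal"], mac(self.cis_key, body)):
            raise ValueError("certificate not issued by CIS")
        if cert["ss_id"] != unwrap(self.k4, package2)["ss_id"]:
            raise ValueError("SS-ID of key package and certificate differ")
        if action not in cert["attributes"]:
            raise ValueError("action not covered by the subject's attributes")
        return f"{self.name}: {action} for {cert['subject']}"


def run_demo(t=1_700_000_000):
    k3, k4, cis_key = os.urandom(32), os.urandom(32), os.urandom(32)
    cis = CIS({"alice": "correct horse"}, {"alice": ["read", "print"]}, k3, cis_key)
    kds, printer = KDS(k3, {"printer": k4}), Target("printer", k4, cis_key)

    def session(ss_id, action):                   # the sponsor's side of steps 1-6
        e_k2, pkg1, cert = cis.issue("alice", ss_id, t)
        k2 = bytes.fromhex(unwrap(derive_k1("correct horse", t), e_k2)["key"])   # step 4
        e_bk, pkg2 = kds.basic_key(pkg1, "printer")
        bk = bytes.fromhex(unwrap(k2, e_bk)["key"])                              # step 6
        return pkg2, cert, bk, mac(bk, {"action": action, "cert": cert})

    pkg2, cert, bk, seal = session("sponsor-A", "print")
    out = {"served": printer.serve(pkg2, "print", cert, seal)}
    pkg2_b, _, bk_b, _ = session("sponsor-B", "print")
    try:   # key package 2 from another sponsor's session spliced onto alice's certificate
        printer.serve(pkg2_b, "print", cert, mac(bk_b, {"action": "print", "cert": cert}))
        out["spliced"] = "accepted"
    except ValueError:
        out["spliced"] = "refused"
    try:   # action outside the certificate's attributes
        printer.serve(pkg2, "delete", cert, mac(bk, {"action": "delete", "cert": cert}))
        out["unauthorised"] = "accepted"
    except ValueError:
        out["unauthorised"] = "refused"
    return out
```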
• In Kerberos, the ticket grants a user (client) access to an application (server). It contains a key for the session. For each session a new ticket is usually required. Tickets are not public.
• In SESAME, the certificate identifies a user's (subject's) attributes. It incorporates an SS-ID. SESAME certificates may have a longer life and wider scope than Kerberos tickets, but essentially they are short term (for a session) and not intended to be publicly available.
• In X.509, the certificates are publicly available proofs of the validity of a user's public key.

Security of access to an application (server/target) is assured as follows:

• In Kerberos, the client is identified as the owner of the ticket by means of an authenticator, encrypted using the session key. Subsequent commands may be similarly encrypted, or could rely on the supposed integrity of the connection.
• In SESAME, the subject is identified as the owner of the certificate by encrypting the certificate and access commands with a basic key established separately by a relatively complex process, and linked to the SS-ID.
• In X.509, commands may be signed by the user with his or her secret key. Alternatively, a single initial access request may be signed, and subsequent commands could rely on the supposed integrity of the connection.
6.3.4 Other Security Architectures

The importance of Kerberos, SESAME, and X.509 is that they are contributions to the development of a standardised security architecture. Such an architecture will permit differing systems from different manufacturers to communicate securely in accordance with the principles of OSI. Kerberos has had a significant influence on the security aspects of the open systems forum (OSF) distributed computing environment (DCE). There are proposals for extending the current DCE security features to include ideas and techniques from SESAME. The X.509 approach, more overtly based on asymmetric key cryptography, is also a contributor. In this connection it is interesting to see that proposals based on public-key certificates have been put forward by Digital Equipment (SPX).

There are, however, other proprietary security architectures, as well as architectures developed for specific groups or institutions. For example, IBM has a comprehensive common cryptographic architecture, largely based on the DES algorithm, covering the usual functions of confidentiality and authenticity. This architecture is implemented on a wide range of systems and contains software components, a standard cryptographic application programming interface (API) to them, and also hardware components such as the IBM 4753 network security processor, the 4754 security interface unit, the 4755 cryptographic adaptor, and the IBM personal security card. IBM has recently proposed a new Kerberos-related architecture called "Krypto Knight" [8]. Other manufacturers have similar products to fit into their own architectures.

Finally, as an example of an architecture for a specific user group, we may cite the NATO OSI security architecture (NOSA), addressing the provision of security in the OSI seven-layer model, and the related US OSD "plus" program [7], based on public key cryptography.
REFERENCES

[1] ISO 8730, Banking: Requirements for message authentication (wholesale), 1990.
[2] ISO 8732, Banking: Key management (wholesale).
[3] CFONB, "ETEBAC 5, The Standard for Secure Data Exchange between Banks and their Corporate Clients", Version 1.2.
[4] Wolfgang Schneider, "SecuDE Overview", Version 3.0, Gesellschaft für Mathematik und Datenverarbeitung, Darmstadt, 1992.
[5] S. P. Miller, B. C. Neuman, J. I. Schiller, J. H. Saltzer, "Kerberos Authentication and Authorisation System", Massachusetts Institute of Technology, April 1988.
[6] T. A. Parker, "A Secure European System for Applications in a Multi-Vendor Environment (the SESAME Project)", ICL Secure Systems, UK.
[7] V. E. Hampel, "Encryption and Digital Signatures in the OSD 'Plus' Program", Office of the Secretary of Defense, presented at ASIT '90.
[8] Molva and Nalick et al., "Krypto Knight Authentication and Key Distribution System", Proceedings of ESORICS, Springer Verlag, 1992.
Chapter 7 Conclusion

In the previous chapters we have looked at a range of security services, procedures, and mechanisms; the algorithms they use and the security management systems they require. The use of these techniques in products, in systems and, more generally, in open networking has been discussed, as also their realisation in security architectures. The focus has been on computer networking, where the traffic is inherently digital and the equipment has processing capability, for executing procedures and algorithms; and memory, for storing a variety of data from cryptographic keys to access control lists.

However, the restriction to computer networking is somewhat artificial. The whole field of telecommunications becomes progressively more digital with time, and even commonplace equipment may nowadays contain a microprocessor. The result is that (digital) security systems potentially have a very much wider field of application than that of computer communications. Additionally, as the volume of traffic carried by networks of all sorts (computer, voice, TV, telemetry, and so forth) increases, and as the connectivity of networks is extended, the need for security services has also increased. Private traffic is carried on channels outside the control of its owners. Outsiders can gain access to local networks and systems from the far side of the globe. As more and more applications (commercial, scientific, financial, political, and so forth) use computer systems and networks to an ever-increasing extent, the volume of confidential or sensitive data carried grows steadily. In short, the ideas and techniques presented in this book are of very general application. Some examples of other applications follow.

7.1 VOICE AND VIDEO NETWORKS
Digitised speech at 64 Kbps (8000 8-bit samples per second to cover a 4 KHz bandwidth), based on CCITT's G.711 Recommendation, has been common on trunk networks for many years. The newer CCITT G.726 Recommendation introduces 16 Kbps voice encoding [1]. However, proprietary coder/decoders, or codecs, are available which compress speech down to about 8 Kbps, and the new GSM standards (see below) use 13 Kbps. This means that end-to-end exchange of digitized speech is a possibility even on a conventional analogue voice channel, using modems such as the CCITT V.32 on switched or leased circuits [2]. In addition, the introduction of integrated services digital networks (ISDNs) in many countries offers direct end-to-end digital connectivity at 64 Kbps [3]. Thus, digitized voice signals are no longer confined to the trunk network, and codecs can be employed directly in telephone handsets, which in any case may contain microprocessors for call control and other purposes.

It is relatively simple to at least envisage how cryptographic functions may be added to such a digital telephone. For example, the digitised speech can be encrypted to provide confidentiality. The key used can be held in files in the conversing telephones, and selected by exchanging a suitable identifier from the files on call establishment. Alternatively, a key exchange protocol such as Diffie-Hellman could be used, following some secure reciprocal identification procedure, or relying on identification being provided by the network, as is possible with some modern services. Full public-key cryptographic techniques for reciprocal authentication, exchange of symmetric keys encrypted by asymmetric keys, and signature validation using certificates, are also possible.

The user may also be made part of the process of authentication. Clearly, recognition of the remote speaker's voice will influence whether the caller continues or aborts his or her call. Additionally, the correctness of the symmetric key established as above and the compatibility of the two handsets may be verified by evaluating and displaying N = f(key, time), where f() is a one-way function computed independently at each end; and having the caller read out the odd digits, the called person the even digits of N, and checking that they correspond to the local values.
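The verification described in the last paragraph, as an added example (my code, not the book's). It assumes HMAC-SHA256 as f(), an 8-digit N, and time quantised into 60 s slots so that both handsets evaluate f() on the same time value; these are my choices, not the text's.

```python
import hashlib
import hmac

DIGITS = 8         # length of N shown on each handset (assumed)
TIME_STEP = 60     # seconds; both ends must evaluate f() on the same quantised time (assumed)


def verification_number(key, when):
    """N = f(key, time): a one-way function of the shared key and the quantised time."""
    slot = int(when) // TIME_STEP
    digest = hmac.new(key, b"voice-verify:" + slot.to_bytes(8, "big"), hashlib.sha256).digest()
    return str(int.from_bytes(digest, "big") % 10 ** DIGITS).zfill(DIGITS)


def digits_to_read(n, caller):
    """The caller reads out the odd digits (1st, 3rd, ...), the called party the even ones."""
    return n[0::2] if caller else n[1::2]


def partner_digits_match(n_local, heard, partner_is_caller):
    """Compare the digits heard from the partner with the same positions of the local N."""
    return hmac.compare_digest(digits_to_read(n_local, partner_is_caller), heard)


def run_check(key_caller, key_called, when):
    """Both handsets compute N, read their halves aloud and check the other's half.
    True only when both sides hold the same key (and the same time slot)."""
    n_caller = verification_number(key_caller, when)
    n_called = verification_number(key_called, when)
    caller_ok = partner_digits_match(n_caller, digits_to_read(n_called, caller=False), partner_is_caller=False)
    called_ok = partner_digits_match(n_called, digits_to_read(n_caller, caller=True), partner_is_caller=True)
    return caller_ok and called_ok
```

The check catches a third party who has relayed two separate Diffie-Hellman exchanges, since the two handsets then hold different keys and their halves of N disagree. A call set up within a second or two of a slot boundary can fail spuriously when the two ends quantise the time differently; the remedy is to repeat the check in the next slot, not to lengthen the slot.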
Such a secure telephone system needs synchronisation functions to ensure that the switch from clear to encrypted mode is simultaneous at both ends, and that the start of a block of encrypted voice is unambiguously identified. Forward error-correction techniques may also be necessary to ensure that transmission errors do not make the encrypted speech undecipherable. Clearly, digital (e.g., group 3) facsimile transmission, which uses voice channels with suitable modems, is also a candidate for encryption using many of the above techniques, and several such products are commercially available.

Not only voice, but also video information is often digitized. The CCITT H.261 Recommendation specifies procedures for compressing video, as used in video conferencing, down to 384 Kbps [4], and proprietary techniques and emerging standards support video (e.g., for picture phones) at n x 64 Kbps, where n is an integer. Channels with these capacities may be established dynamically over ISDN, for example. Digitized television, at a higher quality, can be handled over 2 Mbps channels, which are available, if not switched, at least at short notice from many network operators. (See Recommendation H.120 [5].) Clearly, the cryptographic functions used for voice security may also be applied to video. Decisions need to be made as to whether traffic is protected as a unit or whether, for example, visual information is handled separately from accompanying speech.
7.2 SECURITY OF MOBILE- AND RADIO-BASED SYSTEMS

Many users of telecommunication services based on cables will not be much worried about their conversations being overheard or tapped or about imposters managing to masquerade as genuine interlocutors. The terrestrial network is regarded as reasonably secure and is trusted to be able to identify correctly the terminals taking part in a conversation. Mobile communications, in which a mobile station (e.g., a hand-portable telephone) makes radio contact with a base station, are another matter. The link between base stations via mobile switching centres (MSCs) is usually by cable and relatively secure, but the two end-portions over radio channels are wide open to eavesdropping, and possibly to impersonation both by the caller and called mobile stations. (See Fig. 7.1.)

Figure 7.1 Mobile telephony system.

Provision of security on analogue radio-based systems has relied on a variety of techniques in the past. Typically, "spread spectrum" technology is used. One example of spread spectrum is "frequency hopping". A community of users shares a number of radio channels, centred on different carrier frequencies. A given call hops from channel to channel at frequent intervals (e.g., 20 ms), and the sequence of channels used may be regarded as the key. Calling and called terminals must share the same key and operate in synchronism. Other conversations use different keys. Keys are designed to minimise collisions, in which two or more conversations simultaneously use the same frequency. This is relatively easy if the use of all keys is synchronized but more complex if not. (A small number of collisions does not impair speech quality significantly.)
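The idea that the hop sequence is the key, and that hop sets can be designed to avoid collisions between synchronised users, as an added example (my code, not from the book or any radio standard). It assumes 50 channels, 20 ms slots, SHA-256 to derive a sequence from a secret key, and cyclic shifts of one pattern as the collision-free hop set; a real system would choose its hop sets differently.

```python
import hashlib


def keyed_hop_sequence(key, n_channels, n_slots):
    """Channel used in each 20 ms slot, derived from a secret key by a one-way function.
    Two such sequences collide in roughly n_slots / n_channels slots."""
    return [int.from_bytes(hashlib.sha256(key + slot.to_bytes(4, "big")).digest()[:4], "big") % n_channels
            for slot in range(n_slots)]


def orthogonal_hop_sequence(offset, n_channels, n_slots):
    """A hop set designed for zero collisions between synchronised users: every user
    follows the same cyclic pattern from a different starting channel."""
    return [(offset + slot) % n_channels for slot in range(n_slots)]


def collisions(seq_a, seq_b):
    """Number of slots in which two conversations use the same channel."""
    return sum(a == b for a, b in zip(seq_a, seq_b))


def run_demo(n_channels=50, n_slots=3000):      # 3000 x 20 ms = one minute of speech
    keyed = [keyed_hop_sequence(bytes([i]) * 16, n_channels, n_slots) for i in range(2)]
    orth = [orthogonal_hop_sequence(i, n_channels, n_slots) for i in range(2)]
    return {
        "keyed_collisions": collisions(keyed[0], keyed[1]),           # about n_slots / n_channels
        "orthogonal_synchronised": collisions(orth[0], orth[1]),      # 0 by design
        # user 1 running one slot late: its channel now equals user 0's in every slot
        "orthogonal_one_slot_late": collisions(orth[0][1:], orth[1]),
    }
```

The last entry is the text's "more complex if not synchronised" in numbers: the collision-free design depends entirely on timing, and a one-slot drift turns zero collisions into a collision in every slot, whereas independently keyed sequences degrade gracefully.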
Another spread-spectrum technique uses code division multiple access (CDMA). Here, all conversations use the same wide-band channel but with massive redundancy built into the information being sent. In effect, each conversation has its own set of codewords formed from real (arbitrary) information, along with added redundant information. The redundant information is a function of the real data, and of the code being used. A receiver picks out the information of its own conversation from the apparently meaningless white noise on the channel by performing correlations between the received noise and the permitted codewords for that conversation. The codeword that has the highest correlation is taken to be the transmitted one. CDMA operates at relatively low information rates, and presents some serious synchronisation problems. Nevertheless, it is used in both military and commercial applications.

Spread-spectrum techniques, however, are not suitable for a large public population of users. The use of the spectrum is too wasteful, and the organisational problems are too great. Fortunately, the advent of digital mobile services based on time division multiple access (TDMA) enables normal security techniques to be applied, for example in the new European GSM standards [6] and in emerging standards such as DCT 1800. GSM uses two (one forward, one reverse) 25 MHz bands, divided into 125 carriers at 200 KHz spacing. Each carrier supports 8 voice channels of approximately 34 Kbps, of which 13 Kbps are available for compressed digitized voice. End-to-end confidentiality and authentication can clearly be provided over such a channel by the users' mobiles. Additionally, there is a requirement for secure reciprocal identification between the network and the calling or called mobiles. This is particularly so when the network is supplying and vouching for the identity of one mobile to another. A mobile's identity and unique manufacturer's number may be held in ROM in the handset, but this is hardly adequate protection against intrusion by holders of (for example) illegally imported and uncontrolled mobiles. Cryptographic techniques are required. In the European Telecommunication Standards Institute's Recommendation GSM 03.02 these requirements for security are met by four service elements, as follows.
Subscriber Identity Confidentiality
This enables the subscriber's identity, specified by his or her IMSI (international mobile subscriber's identity), to be concealed, so that neither the caller nor the caller's location can be traced by eavesdroppers. The mechanism is to use a temporary MSI (TMSI), plus a local area identifier (LAI) for uniqueness, issued by the service, and changed frequently (e.g., when roaming from area to area). The service (e.g., an MSC) sends the replacement TMSI encrypted under the symmetric key Kc (see below) generated by it and the mobile. Algorithm A5 is used.

Subscriber Identity Authentication
This is performed using a key, Ki, unique to the subscriber, issued with his or her IMSI and built securely into the mobile. Authentication is achieved by the service sending a random number, R, to the mobile, which the mobile must return in the form SRES = E(Ki; R), where E here means encryption using algorithm A3. The service validates SRES, because it also holds Ki and so can generate SRES and compare the two values. (There are some complicating issues regarding where in the terrestrial network Ki is held.)

Confidentiality of Signalling
Some GSM signalling elements may be confidential, as well as the new TMSI (see above) and user data carried in connectionless exchanges. This applies to the dedicated control channel (DCCH). The confidentiality here is provided by a symmetric (XOR) stream encryptor using algorithm A5 and key Kc. This algorithm is a GSM standard, to permit roaming. Kc is generated from the basic Ki by encrypting the random number R, used in the prior authentication, with algorithm A8. Thus, Kc is a once-off key.

Data Confidentiality of Physical Connection
This is confidentiality of, for example, the digitised voice on the traffic channel (TCH). Algorithm A5 and key Kc generate the additive stream for both incoming and outgoing blocks of a full duplex conversation at about 50 Kbps. Synchronisation is achieved by explicit reference to 114-bit block numbers, enabling recovery if, for example, a block is lost.

In summary, a GSM mobile implements three algorithms: A3 and A8 (which can be particular to a given public land mobile network), and A5 (which is a GSM standard). It holds its IMSI and TMSI. It holds a basic key, Ki, from which Kc is generated. Ki and R are 128 bits in length. Kc is 64 bits. SRES is 32 bits.
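The four service elements exercised together in an added example (my code, not the book's, and not the real A3, A8 or A5 algorithms, which the text does not give). HMAC-SHA256 stands in for A3 and A8, a SHA-256 output truncated to 114 bits stands in for the A5 stream addressed by block number, and the IMSI and key values are constructed; the bit lengths follow the summary paragraph. It shows the challenge-response, a clone with the right IMSI but the wrong Ki being refused, the new TMSI delivered under Kc, and recovery of a traffic block after an earlier block is lost.

```python
import hashlib
import hmac
import os

BLOCK_BITS = 114   # size of one A5 keystream block, as in the text


def a3(ki, r):
    """Stand-in for A3: SRES = E(Ki; R), 32 bits. Operator-specific in real GSM."""
    return hmac.new(ki, b"A3:" + r, hashlib.sha256).digest()[:4]


def a8(ki, r):
    """Stand-in for A8: Kc (64 bits) from Ki and the same R, so Kc is a once-off key."""
    return hmac.new(ki, b"A8:" + r, hashlib.sha256).digest()[:8]


def a5_keystream(kc, block_number):
    """Stand-in for A5: a 114-bit additive stream addressed by block number."""
    digest = hashlib.sha256(kc + block_number.to_bytes(4, "big")).digest()
    return int.from_bytes(digest, "big") >> (256 - BLOCK_BITS)


def a5_xor(kc, block_number, block):
    """Encrypt or decrypt one 114-bit block (as an int); the same operation both ways."""
    return block ^ a5_keystream(kc, block_number)


class Network:
    """The service side (MSC and authentication centre): holds Ki for each IMSI."""

    def __init__(self, subscribers):
        self.subscribers, self.kc, self.tmsi = subscribers, {}, {}

    def authenticate(self, imsi, respond):
        r = os.urandom(16)                           # 128-bit random challenge R
        if not hmac.compare_digest(respond(r), a3(self.subscribers[imsi], r)):
            return False
        self.kc[imsi] = a8(self.subscribers[imsi], r)
        return True

    def assign_tmsi(self, imsi):
        """New TMSI sent to the mobile under Kc; block 0 of the A5 stream is used here."""
        self.tmsi[imsi] = int.from_bytes(os.urandom(4), "big")
        return a5_xor(self.kc[imsi], 0, self.tmsi[imsi])


class Mobile:
    def __init__(self, imsi, ki):
        self.imsi, self.ki, self.kc, self.tmsi = imsi, ki, None, None

    def respond(self, r):
        self.kc = a8(self.ki, r)                     # Kc derived alongside SRES
        return a3(self.ki, r)

    def receive_tmsi(self, ciphertext):
        self.tmsi = a5_xor(self.kc, 0, ciphertext)
        return self.tmsi


def run_demo():
    ki = os.urandom(16)                              # 128-bit Ki, in the SIM and the network
    net, mobile = Network({"imsi-001": ki}), Mobile("imsi-001", ki)
    out = {"genuine": net.authenticate("imsi-001", mobile.respond)}
    clone = Mobile("imsi-001", os.urandom(16))       # same IMSI, wrong Ki
    out["clone"] = net.authenticate("imsi-001", clone.respond)
    out["tmsi_ok"] = mobile.receive_tmsi(net.assign_tmsi("imsi-001")) == net.tmsi["imsi-001"]
    # Traffic channel: block 1 is lost in transit; block 2 still decrypts because the
    # stream is addressed by block number rather than chained from the previous block.
    voice = {1: 0x0123456789ABCDEF0123456789, 2: 0x0FEDCBA9876543210FEDCBA987}
    received = {n: a5_xor(net.kc["imsi-001"], n, b) for n, b in voice.items()}
    del received[1]
    out["recovered"] = a5_xor(mobile.kc, 2, received[2]) == voice[2]
    return out
```

Because Kc depends on R, every authentication yields a fresh traffic key; the stream keyed by (Kc, block number) is what lets the receiver resume after a lost block, and it is also why the same block number must never be used twice under one Kc.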
Satellite transmission provides another example of the requirement for security. Satellite broadcasting is familiar from satellite TV, where transmissions intended for a chosen group of receivers/subscribers can be picked up by anyone with suitable equipment. The situation for confidentiality is the same when satellites are used for data. Satellites are then usually transmitting at megabit/second rates, and an encryptor must also be fast. Often satellite channels are one-way only (broadcasting) and forward error-correcting techniques are necessary; scramblers (a current satellite standard) and equalisation are also used. The result is extensive synchronisation requirements: of modems, for error correction, for the decryptor, and for the data blocks themselves.
7.3
SOME OTHER APPLICATION AREAS FOR SECURITY
In addition to
networking and telecommunications, security techniques have many other
application areas.
Two
are given
examples below.
182
Secure archives are a familiar concept, in which access to them
controlled by
is
various authentication and authorisation mechanisms, and within which data are encrypted
being introduced in
to provide additional protection against leakage. Privacy legislation
many (e.g.,
countries controls the information that
be held about an individual on
of credit worthiness). The individual's right to see the information held
usually guaranteed.
One can imagine
security techniques enforcing them.
read-access to his all
may
file,
any abuse can be
the sources of
also
these legal guarantees being supplemented with
Not only should
the individual be able to have direct
one might also require
that
be obliged to sign them, nonrepudiably, so
that
with the necessary decryption
persons with write-access to such
files
is
files
facility;
identified.
Such archives could be truly open to the public, subject only to cryptographic once raises the question of identification a second application area
—
protection. This at for security.
We
have seen
backed up by a
how
an individual
may
identity himself or herself with a signature
certificate linking the individuals' public
most people have multiple to certain services,
identities: as a citizen
and so
forth. Typically,
of a
key and
state, as
identity. Unfortunately,
an employee, as a subscriber
each time one subscribes to a service one uses
some new variant of one's name, address, and title, and one is given a new identification code. Most people jealously guard these identities. They do not want entity A, with which they are associated, to
know
no possible reason why based services
is
to
this
that they are also associated with entity
should offend
A
or B. But
if
truly
B
—even
open access
to
there
if
is
computer-
be supported, so that a user can protect his anonymity yet assert his
dealt
—and be successfully — with he misuses — some widely
Such
a directory
billed for
rights to
if
it
would need
this
use of a service
— and be traced and
available identification directory
is
and controls
a range of cryptographic protections
suitably
required. if
it
were
to meet the requirement that outsiders should be able to convince themselves of the
genuineness of a person, without necessarily knowing his complete identity, and should be able to find out that identity
when
they legitimately need
to.
We conclude by stating that if the applications of cryptography are likely to increase, so too are the techniques.
weaken
if
It
is
almost certain that ingenuity and computing power will
not break the strength of currently acceptable algorithms.
raphy consists of little else but
new "unbreakable" cyphers and
Whether basic new concepts, such be discovered
is
less certain.
But
The
their
history of cryptog-
subsequent downfall.
as public key cryptography invented in the 1970s, will it
would be unwise
to say that they will not.
Appendix A
The Open Systems Interconnection Reference Model (OSI/RM) and Security

The OSI/RM, presented in ISO 7498 [1] and in CCITT X.200 [2], identifies seven layers of communication between entities in "open systems". (Open systems are systems in which all participating computer systems can, in principle, communicate with each other because they use the same formats, syntax, and semantics, which are internationally accepted rather than being the property of a particular manufacturer.)

Each layer N uses the services provided by the immediately lower layer (N − 1) and enhances them to provide a more comprehensive service to the immediately higher layer (N + 1). In relying directly on the services of the (N − 1) layer, the N layer clearly relies indirectly on those of the still-lower layers. The N layer is implemented by two (or possibly more) communicating N layer entities (software modules), exchanging commands and data by means of an N layer protocol. These entities in turn invoke the services of the (N − 1) layer, as provided on local internal interfaces, to transport the N layer protocol data units (PDUs) between them. The N layer entities offer the enhanced service to the (N + 1) layer at internal interfaces (see Fig. A.1).

As an example of "enhancement", we may consider a layer whose function is to provide error correction. It relies on the lower layer to transport the data, but maybe with errors. The error-correcting layer removes the errors (e.g., by retransmission or the use of forward-error-correction (FEC)) and offers an error-free channel to the higher layer(s). Another example of "enhancement" is a layer that uses a packet-switched network as the immediately inferior communications medium. The enhancement would consist of concealing the packetising of data from higher layers. The layer in question, when transmitting, would receive large blocks of data from the sending application and packetise them for use by the lower layer. On reception, the layer would reassemble the packets into the original large blocks and deliver them to the receiving application.
Figure A.1 The layered model: two N-layer entities, each offering the enhanced service to the (N + 1) layer, communicate by the N-layer protocol over (N − 1)-layer services.
A protocol is necessary so that the two entities comprising the layer are in agreement as to how the large blocks are built from the packets. For OSI, the protocols must be precisely defined in the form of a detailed standard in which the significance of each bit is clear and unambiguous. This is because the two communicating N layer entities reside on different computers, probably from different manufacturers, and the software of the two entities may have been written by quite different groups of people. The internal "abstract service" interfaces, by contrast, are only defined functionally. Details of representation and formats are a local matter. Thus there are typically two standards per layer. For example, CCITT X.214 defines a transport service (i.e., layer 4 functions offered to layer 5), while X.224 defines a transport protocol (i.e., precise rules for communication between two layer 4 entities over layer 3 services). The OSI layers, and the services each provide, are shown in Table A.1. These seven layers are illustrated in Figure A.2, which shows the well-known OSI "tower" or "stack".
The security addendum to ISO 7498, ISO 7498-2 [3], and the related CCITT Recommendation X.800 [4] allocate security services to OSI layers, as shown in Figure A.3. All services may be offered at layer 7, but selective field integrity and nonrepudiation services are unique to this layer. Most other services may be offered at layers 3, 4, or 7. The presentation layer handles only confidentiality and encryption, and low-level encryption at the physical or link layer may also apply. In practice, these allocations should be taken only as guidelines. Not only might one argue against them on the grounds that in many instances they appear to be arbitrary (Why are no services allowed at layer 5? Why is selective field confidentiality but not integrity allowed at layer 6?), but also the definitions of the services themselves can give rise to ambiguity. For example, "data origin authentication" is achieved (see X.400) by appending an integrity check, dependent on a key held by the originator, to the data. As such, it is hard to distinguish it from an integrity check, or from nonrepudiation if asymmetric cryptology is used. Again, if the access control service does not contain authorisation attributes (and in practice it seldom does) it is indistinguishable from peer entity authentication.
Table A.1 OSI layers

Layer 1, Physical. Services provided: physical connection between directly communicating entities. Bit sequence is preserved.

Layer 2, Link. Error correction on a direct physical connection, possibly multiplexing. Note that in many instances of communication, layer 2 is composed of a series of concatenated links (e.g., across a network).

Layer 3, Network. Trans-network connection using switching and routing of traffic over concatenated links. Multiplexing of many network connections over one physical connection is possible (see for example X.25). Flow control and resequencing are also optional functions.

Layer 4, Transport. End-to-end transport of arbitrary data over the network connection, whose details (e.g., packetisation) are hidden by the transport layer. End-to-end error control, sequence control, and end-to-end flow control (to stop the sender overloading the receiver). Multiplexing is also possible.

Layer 5, Session. Dialogue control (i.e., the turn to transmit). Synchronisation between communicating processes in the end systems. Quarantining of data (i.e., holding it for delivery at the appropriate moment).

Layer 6, Presentation. Syntax, or representation of data. Formatting of data for presentation on devices such as VDU screens. Encryption can also be implemented at the presentation layer.

Layer 7, Application. Applications of all sorts, but standard applications include X.400 MHS, FTAM, and X.500 directory services. Three standard layer 7 "sub-layers" relevant to many applications have been identified and defined. They are called application service entities (SEs), and are: association control (ACSE), establishing an association between two applications, including secure mutual authentication or access control, using "bind"; reliable transfer (RTSE), providing one-way guaranteed transfer of large data blocks, even in the face of breakdown of the connection; and remote operations (ROSE), providing support for interactive applications, including relating answers from a remote system to the original queries.

As is the case with most aspects of the OSI/RM, the security addendum is useful as a basis for discussion or design, but should not be taken to be infallible.
[Figure A.2, the OSI seven-layer stack, and Figure A.3, the allocation of security services to OSI layers, are not reproduced here.]
REFERENCES
[1] ISO 7498, Information Processing Systems, Open Systems Interconnection, Basic Reference Model.
[2] CCITT Recommendation X.200, Reference Model of Open Systems Interconnection for CCITT Applications, Blue Book, Fascicle VIII.4, Geneva, 1988.
[3] ISO 7498-2, Information Processing Systems, Open Systems Interconnection, Reference Model, Security Architecture.
[4] CCITT Recommendation X.800, Security architecture for open systems interconnection for CCITT applications.
Appendix B
Shannon's Theory of Secrecy Systems

Shannon's original paper [1] on the communication theory of secrecy systems covers many topics. This appendix highlights two of the principal concepts and conclusions concerning theoretical secrecy. Theoretical secrecy means the probability of discovering a key or plaintext from examining cyphertext, assuming that unlimited time and computing power are at the disposal of the cryptanalyst. (Shannon also recognised the importance of practical secrecy, in which the cypher can be broken in theory, but breaking it in practice requires too much computing, as is the case with RSA with very long keys.) Shannon's approach is based on probability theory, and more particularly on information theory, of which he was the founder. Both the results presented here involve the probability distribution of the original plaintext messages, summarised concisely by its entropy (or uncertainty) H(p), where p stands for "plaintext". However, for readers unfamiliar with information theory, this presentation uses another, less rigorous and more heuristic approach.
B.1 PERFECT SECRECY

Perfect secrecy is defined as existing when the probability distribution of plaintext messages, given the knowledge of the related cyphertexts, is unchanged from the a priori probability distribution of plaintext without that knowledge, as follows:

    Prob(p/c) = Prob(p)      p = plaintext, c = cyphertext

That is, knowing the cyphertext reveals nothing about the plaintext. By Bayes' Theorem,

    Prob(p/c) × Prob(c) = Prob(c/p) × Prob(p)

where Prob(c/p), evaluated over all possible keys, is the probability that the given p is mapped into the given c. Since for any one key this probability is 1 if the key performs the mapping and 0 otherwise, Prob(c/p) is simply the sum of the probabilities of those keys which perform the mapping. Thus for a perfect cypher, putting the two equations together,

    Prob(c/p) = Prob(c)

In other words, for any given plaintext the probability distribution of the cyphertext as we vary the key is always the same (i.e., independent of the plaintext when perfect secrecy applies). Let

    P = number of plaintexts
    C = number of cyphertexts
    K = number of keys

then, for a given key, all P possible plaintexts p are mapped into distinct c (for reversibility, to make decryption possible); therefore C ≥ P. Again, for a given key and mapping, c is reached from p; but because Prob(c/p) is independent of p if perfect secrecy applies, this c must be capable of being reached by all p when we consider other keys and mappings. This conclusion applies to all cyphertexts c that can arise. Therefore, each individual p is mapped into all the c as we vary the keys. But, for a given p, the mapping, and therefore c, will only change if we change the key. And so K ≥ C. Thus K ≥ C ≥ P, and, for perfect secrecy, the number of keys must not be less than the number of possible plaintexts. If keys and plaintext are constructed from the same alphabet we have the following condition: for perfect secrecy a necessary condition is that the length of the key must not be less than the length of the plaintext.

(If a more thorough analysis using information theory is performed, it can be shown that H(k) ≥ H(p) is necessary for perfect secrecy. The entropies of the key and the plaintext give the "effective" numbers of each, taking into account that some keys and plaintexts are more likely than others and that some may be ruled out altogether. Since H(p) ≤ log P and H(k) ≤ log K always, with equality only when every plaintext, or every key, is equally likely, the counting condition K ≥ P is the form that H(k) ≥ H(p) takes for uniformly distributed keys and plaintexts.)

Note again that the condition is necessary but not sufficient for perfect secrecy. For example, it only imposes a condition on the key length, but says nothing about its value.

An example of such a perfect cypher is the Vernam cypher, when the plaintext and key are taken from an alphabet of m symbols, the key is completely random and as long as the plaintext, and

    c = p + k mod m

In this case Prob(p/c), for a given c* and p*, is given by

    Prob(p = p* / c = c*) = Prob(k = c* − p* mod m)

But Prob(k = c* − p* mod m) is constant for all c and p, because k is random. Therefore Prob(p/c) = Prob(p) and perfect secrecy applies. This is the example of the famous "one-time pad", in which the key is taken from a book, used once, and thrown away. Using the same pad twice destroys the property: the difference of two cyphertexts, c1 − c2 = p1 − p2 mod m, then no longer depends on the key at all.
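To make the definitions above concrete, here is an added example (not from the book) that enumerates Prob(p/c) exactly, with fractions, for a small Vernam cypher over m = 3 symbols. The prior distribution over two-symbol plaintexts is constructed for the example. It checks Shannon's condition for a one-time pad key, and then for a single key symbol reused in every position, which has K ≥ P yet leaks the difference between the plaintext symbols:

```python
from fractions import Fraction
from itertools import product

# Constructed example (not from the book): two-symbol plaintexts over the
# alphabet {0, 1, 2} (m = 3) with a deliberately skewed a priori distribution,
# so that a leaky cypher is easy to spot.
M = 3
LENGTH = 2
PRIOR = {
    (0, 0): Fraction(1, 2),
    (0, 1): Fraction(1, 4),
    (1, 2): Fraction(1, 4),
}


def vernam(p, k, m=M):
    """The Vernam cypher: c = p + k mod m, symbol by symbol."""
    return tuple((a + b) % m for a, b in zip(p, k))


def one_time_pad_keys(m=M, length=LENGTH):
    """Key as long as the plaintext, every key equally likely: K = m**length."""
    keys = list(product(range(m), repeat=length))
    return {k: Fraction(1, len(keys)) for k in keys}


def repeated_keys(m=M, length=LENGTH):
    """One random symbol reused in every position: K = m, the pad used twice."""
    return {(k,) * length: Fraction(1, m) for k in range(m)}


def posterior(prior, key_dist, m=M):
    """Prob(p/c) for every cyphertext that can arise, by Bayes' theorem:
    Prob(p/c) * Prob(c) = Prob(c/p) * Prob(p), where Prob(c/p) is the total
    probability of the keys that map p into c."""
    joint = {}  # (c, p) -> Prob(c/p) * Prob(p)
    for p, prob_p in prior.items():
        for k, prob_k in key_dist.items():
            c = vernam(p, k, m)
            joint[(c, p)] = joint.get((c, p), Fraction(0)) + prob_k * prob_p
    prob_c = {}
    for (c, _), v in joint.items():
        prob_c[c] = prob_c.get(c, Fraction(0)) + v
    post = {c: {} for c in prob_c}
    for (c, p), v in joint.items():
        post[c][p] = v / prob_c[c]
    return post


def is_perfect(prior, key_dist, m=M):
    """Shannon's condition: Prob(p/c) == Prob(p) for every p and every possible c."""
    for dist in posterior(prior, key_dist, m).values():
        for p, prob_p in prior.items():
            if dist.get(p, Fraction(0)) != prob_p:
                return False
    return True


if __name__ == "__main__":
    print("one-time pad perfect:", is_perfect(PRIOR, one_time_pad_keys()))
    print("reused key perfect:  ", is_perfect(PRIOR, repeated_keys()))
    # With the reused key, a cyphertext with equal symbols can only come from
    # plaintext (0, 0): Prob(p = (0,0) / c = (1,1)) is 1, not the prior 1/2.
    print(posterior(PRIOR, repeated_keys())[(1, 1)])
```

The reused-key case has exactly three keys for three possible plaintexts, so K ≥ P holds, and it still fails: the key-count condition constrains only the number of keys, not how the key is used.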
B.2 THE UNICITY KEY LENGTH AND UNICITY DISTANCE

Consider mappings (encryptions) of plaintext p into cyphertext c under a key k. If the length of the key remains constant, but the lengths of p and c increase, each c will still be the result of mappings from some corresponding plaintexts if K is the number of keys. In principle there are P = M^N plaintexts, where N is the length of the text and M the size of the alphabet, and C = P = M^N cyphertexts. But in practice many plaintexts will never occur, or are impossible in the source language. Let P(L)
φ(4) = 2, φ(5) = 4, φ(6) = 2, ...
Theorems relevant to cryptography

The function φ(m), the number of integers less than m and prime to m, has useful properties, and φ(1) = 1.

Theorem 1. If a is prime to m, then a^φ(m) = 1 mod m.

Proof. Consider the set (a x_i), where x_i runs through the φ(m) integers less than and prime to m. For distinct x_i, x_j, a x_i = a x_j mod m is impossible, because this would imply that m divides a(x_i − x_j), which is ruled out by construction. Therefore the (a x_i) are simply the x_i in another order. Therefore

    Product (a x_i) = Product (x_i) mod m

or

    a^φ(m) Product (x_i) = Product (x_i) mod m

or a^φ(m) = 1 mod m, because we can divide by the x_i, being prime to m.

Theorem 2. If a, b are coprime, φ(ab) = φ(a) φ(b).

Proof. x is prime to ab if and only if x is prime to a and x is prime to b. Let x = α mod a and x = β mod b, as α, β vary over the integers prime to a and to b respectively. By the so-called Chinese Remainder Theorem there is a uniquely distinct solution for x, less than ab, for each pair (α, β); this gives φ(a) φ(b) solutions, all prime to ab. But there can be no other values of x prime to ab, since each such x yields one such pair (α, β).
Theorem 3. If n = p_1^e_1 p_2^e_2 ... p_r^e_r, then φ(n) = p_1^(e_1 − 1) (p_1 − 1) p_2^(e_2 − 1) (p_2 − 1) ... p_r^(e_r − 1) (p_r − 1).

Proof. All integers less than p^e except the multiples of p (p, 2p, 3p, ...) are prime to p^e, so φ(p^e) = p^e − p^(e − 1) = p^(e − 1) (p − 1), and the result for n follows using Theorem 2.

Theorem 4. The sum of φ(d) over all divisors d of n is n.

Proof. The divisors are d = p_1^a_1 p_2^a_2 ... p_r^a_r with each a_i = 0, 1, 2, ..., e_i. Group the terms of the sum by the power of p_1 they contain: the sum is (φ(1) + φ(p_1) + ... + φ(p_1^e_1)) x_1, where x_1 is a sum of terms containing only p_2, ..., p_r, and the terms in parentheses add up to p_1^e_1 by Theorem 3. We can repeat the above procedure, picking out the terms in x_1 in which p_2 appears, to get x_1 = p_2^e_2 x_2, where x_2 is a sum of terms containing only p_3, ..., p_r, and so on. Repetition leads finally to p_1^e_1 p_2^e_2 ... p_r^e_r = n.
We now prove two further theorems of relevance to the totient function.

Theorem 5. Amongst the φ(p) = p − 1 non-zero integers prime to and less than p, there exists at least one primitive integer a. (The order of an integer a modulo p is the smallest integer d, less than p, such that a^d = 1 mod p. Such an integer exists because successive powers of a must eventually repeat. Moreover, d must divide φ(p), because if it did not, φ(p) = qd + r for some q and a remainder r, and then a^φ(p) = a^r = 1 mod p, contradicting the assumption that d is the smallest such exponent. A primitive element is one whose order is d = φ(p) = p − 1.)

Proof. The proof relies on the fact that the integers less than p, with sums and products taken mod p, form a field in which every element has an additive and a multiplicative inverse. As a result, polynomials f(x) of degree n have at most n roots in the field.

Firstly, we show that if a, b are two elements with orders e, f respectively, and if e, f are coprime, then the order of (ab) is (ef). Consider (ab)^ef = (a^e)^f (b^f)^e = 1 mod p. Therefore, if d is the order of (ab), d divides ef. But (ab)^de = b^de = 1 mod p, so f divides de, and since e, f are coprime, f divides d. Similarly, we can show e divides d. But since e and f have no common factors, (ef) must divide d. Therefore d divides (ef) and (ef) divides d, so d = ef and the order of (ab) is (ef).

Now let φ(p) = p − 1 = p_1^e_1 p_2^e_2 ... and consider elements in the field which do not satisfy x^q = 1 (i.e., do not have order q or a divisor of q), where q = (p − 1)/p_1. There exist such elements because there are at most q < p − 1 solutions to the equation. Let a_1 be such an element; its order does not divide q, so it contains the full factor p_1^e_1.
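As an added check (not part of the book), the functions below compute φ by counting, verify Theorems 1, 2 and 5 and the order lemma used in the proof by brute force for small moduli, and list the primitive roots of a prime. They reproduce the values φ(4) = 2, φ(5) = 4, φ(6) = 2 quoted above:

```python
from math import gcd


def totient(m):
    """Euler's phi: the number of integers 1 <= x < m that are prime to m,
    with phi(1) = 1 by convention."""
    if m == 1:
        return 1
    return sum(1 for x in range(1, m) if gcd(x, m) == 1)


def euler_holds(m):
    """Theorem 1: a**phi(m) == 1 (mod m) for every a prime to m."""
    phi = totient(m)
    return all(pow(a, phi, m) == 1 for a in range(1, m) if gcd(a, m) == 1)


def totient_multiplicative(a, b):
    """Theorem 2: phi(ab) == phi(a) * phi(b) when a and b are coprime."""
    if gcd(a, b) != 1:
        raise ValueError("Theorem 2 needs coprime arguments")
    return totient(a * b) == totient(a) * totient(b)


def order_mod(a, p):
    """Order of a modulo the prime p: the smallest d >= 1 with a**d == 1 (mod p)."""
    x = a % p
    if x == 0:
        raise ValueError("0 has no order")
    d = 1
    while x != 1:
        x = (x * a) % p
        d += 1
    return d


def orders_divide_phi(p):
    """Every order divides phi(p) = p - 1 (the remark in Theorem 5)."""
    return all((p - 1) % order_mod(a, p) == 0 for a in range(1, p))


def coprime_orders_multiply(a, b, p):
    """The lemma in the proof of Theorem 5: if ord(a) = e and ord(b) = f
    are coprime, then ord(ab) = ef."""
    e, f = order_mod(a, p), order_mod(b, p)
    if gcd(e, f) != 1:
        raise ValueError("lemma needs coprime orders")
    return order_mod(a * b % p, p) == e * f


def primitive_roots(p):
    """Theorem 5: the elements of order p - 1. Non-empty for every prime p."""
    return [a for a in range(1, p) if order_mod(a, p) == p - 1]


if __name__ == "__main__":
    print([totient(m) for m in (4, 5, 6)])        # [2, 4, 2]
    print(primitive_roots(7), primitive_roots(11))  # [3, 5] [2, 6, 7, 8]
```

Brute-force order computation is fine for the small primes used here; for the primes used in real key generation one instead factors p − 1 and tests a^((p − 1)/q) for each prime factor q, which is why practical schemes choose p with a known factorisation of p − 1.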
(1) Set ..., y = 0.
(2) If (x + y)(x − y) = n, exit.
(3) If x is odd, ..., and go to (5).
(4) If x is even, ...
(5) r = r + 2(x + y), x = x + y, ... 4y − 4, y = y + 2, and go to (2).

There are no divisions involved and no multiplications except at step (1), which may be used to speed up the algorithm, as follows. Each iteration is only of linear complexity. However, the number of iterations when n has a very large prime factor is still potentially of order n.
F.2 POLLARD'S MONTE CARLO METHOD

An ingenious random method of factorisation of order p^(1/2) has been proposed by Pollard [1]. It is based on the "birthday paradox", that if a group contains more than 23 people it is very likely that two will have identical birthdays. The essence of this surprising fact is that it arises because each new birthday is compared with every one already recorded, so the number of chances of a match grows as the square of the size of the group.

To see this, consider a series of x_i with values taken mod p, each derived from its predecessor. Because there are only p possible values the series must eventually repeat, and from the first repeated value onwards it is cyclic, with some cycle length c. Let i' be the first multiple of c that is not less than the index of the first repeated value; then x_{2i} = x_i mod p for every multiple i of c from i' onwards, and if it were not so, the value in question would not correspond to the first repeated value. Therefore Q_i, defined as the product of the differences (x_{2j} − x_j) for j ≤ i, is divisible by p for all i ≥ i'. The expected position of the first repetition is E(i') = √(πp/8).

But if the x_i are computed mod n instead of mod p, where p is an unknown factor of n, the series taken mod p still repeats in exactly the same way, while the x_i themselves do not. Thus, Pollard's method consists of looking at hcf(n, Q_i) at intervals as the series x_i is constructed; when this is greater than unity, a factor p has been found, and the expected number of iterations for this to occur lies in the interval (√(πp/8), √(πp/2)). That is, the duration of the algorithm is of order p^(1/2), where p is the smallest factor of n.

As an example, consider factorising 1073. We take x_0 = 2 and evaluate the series x_{i+1} = x_i^2 − 1 mod 1073. The values of the series x_i are 3, 8, 63, 749, 894, 923, 1039, 82, and so forth. By making every Q_i a product of (x_{2j} − x_j) mod n, j ≤ i, the Q_i are 5, 486, 563, 29, and so forth, and hcf(29, 1073) = 29, which is the smallest factor of 1073. If we evaluate the series mod 29 instead, we get 3, 8, 5, 24, 24, ... , and the Q_i mod 29 are 5, 22, 12, 0, ...: the series mod 29 repeats from x_4 with cycle length 1, so i' = 4 and the factor is found at the fourth evaluation of hcf(n, Q_i).

REFERENCE
[1] J. M. Pollard.
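The following added Python example (not the book's code) runs the method exactly as set out above, with x_0 = 2, the iteration x_{i+1} = x_i^2 − 1 mod n, and Q_i the running product of (x_{2j} − x_j) mod n, and reproduces the values of the 1073 example. The one case the text does not mention, hcf(n, Q_i) = n because both factors were caught in the same batch, is reported as a failure so the caller can retry with another x_0:

```python
from math import gcd


def step(x, n):
    """The iteration used in the book's example: x_{i+1} = x_i**2 - 1 mod n."""
    return (x * x - 1) % n


def series(n, x0=2, count=8):
    """The first `count` values x_1, x_2, ... of the series modulo n."""
    out, x = [], x0
    for _ in range(count):
        x = step(x, n)
        out.append(x)
    return out


def pollard_rho(n, x0=2, max_iter=100000):
    """Pollard's Monte Carlo factorisation with Floyd cycle finding.

    x advances one step per iteration and y two, so y = x_{2i} when x = x_i.
    Q_i is the running product of (x_{2j} - x_j) mod n for j <= i; once
    x_{2i} == x_i mod p for the unknown factor p, every later Q_i is divisible
    by p and hcf(n, Q_i) reveals it. Returns (factor, [Q_1, Q_2, ...]) or
    (None, Qs) if Q_i collapsed to 0 mod n (retry with a different x0)."""
    x = y = x0
    q = 1
    qs = []
    for _ in range(max_iter):
        x = step(x, n)
        y = step(step(y, n), n)
        q = q * (y - x) % n
        qs.append(q)
        g = gcd(n, q)
        if g == n:
            return None, qs  # every factor of n divides Q_i: no information
        if g > 1:
            return g, qs
    return None, qs


if __name__ == "__main__":
    print("x_i mod 1073:", series(1073))            # 3, 8, 63, 749, 894, 923, 1039, 82
    print("x_i mod 29:  ", series(29, count=5))     # 3, 8, 5, 24, 24
    factor, qs = pollard_rho(1073)
    print("Q_i:", qs, "factor:", factor)           # [5, 486, 563, 29] 29
```

Checking hcf(n, Q_i) at every step, as here, costs one gcd per iteration; accumulating Q_i and testing only every so many steps, as the text describes, is cheaper but raises the chance of the collapse case, which is why the gap between tests is kept small relative to √p.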
About this Artech House IPF Book

This book has been produced as part of the Artech House In-Print-Forever (IPF) program. IPF books are copies of previously printed Artech House books, now available exclusively as single copies when requested by readers. For information on hundreds of titles available through the IPF program, please contact Artech House.

Artech House, Inc., 685 Canton Street, Norwood, MA 02062
Artech House, 46 Gillingham Street, London SW1V 1AH
www.artechhouse.com

ISBN 0-89006-692-2