Technology Guide: Security

 

 


Contents

 

Data Integrity and PKI (Public Key Infrastructure)

RSA

Data Encryption Standard (DES)

Advanced Encryption Standard (AES)

Hardware Security Module (HSM)

Message Authentication Code (MAC)

Firewall

Demilitarized Zone (DMZ)

Internet Key Exchange (IKE)

Internet Key Exchange Security (IKE) Protocol

IP Security (IPSec) Protocol

Internet Security Association and Key Management Protocol (ISAKMP)

Oakley

Skeme

Diffie-Hellman

MD5 (Message Digest 5)

SHA (Secure Hash Algorithm)

X.509v3 certificates

Anti-replay

Data authentication

Perfect forward secrecy (PFS)

Repudiation

Security association (SA)

Hash

Data Integrity and PKI (Public Key Infrastructure)

 

The PKI service of integrity may employ one of two techniques. First, a digital signature, while it serves the purpose of providing authenticity (that is, entity authentication), simultaneously provides integrity over the signed data. This is a consequence of a necessary property of cryptographic hash algorithms and signature algorithms; any change in the input data leads to a large, unpredictable change in the output with very high probability. In other words, if the data has changed (either by accident, or by deliberate manipulation) between "there" and "here" or between "then" and "now," the signature will fail to verify, and the loss of integrity will be obvious to the recipient. If, on the other hand, the signature verifies, the recipient is very likely to be in possession of the original (that is, unaltered) data.

 

The second technique that can be employed for integrity is a Message Authentication Code, or MAC. This technique typically uses a symmetric block cipher (for example, DES-CBC-MAC [FIPS113]) or a cryptographic hash function (for example, HMAC-SHA-1 [RFC2104]). Although these are both symmetric solutions (as opposed to public-key solutions), it is important to note that they are both keyed mechanisms; in particular, they depend on a key that must be shared between the sender of the integrity-protected data and the "consumer" (for example, receiver) of the integrity-protected data. In some environments, the shared key can be derived from a PKI.

 

The PKI service of integrity for this second technique, then, is that of putting in place the mechanisms to achieve this key sharing when necessary. If Alice wants to send to Bob some integrity-protected data and Bob has an encryption public key, Alice can employ the following sequence of steps:

1. Generate a fresh symmetric key.

2. Use the symmetric key to generate a MAC for the data.

3. Encrypt the symmetric key for Bob using his encryption public key.

4. Send the data to Bob along with the encrypted key.

 

Alternatively, if Bob has a key exchange public key (such as a Diffie-Hellman public key), Alice can instead use the following procedure:

1. Use Bob's key-exchange public key in combination with her key-exchange private key to generate a symmetric key.

2. MAC the data using that symmetric key.

3. Send the data to Bob along with her public key certificate.

 

Bob can then regenerate the symmetric key using Alice's public key and his own private key to verify the integrity of the data.

If a digital signature is not used to provide data integrity, a good cryptographic MAC function is required.
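Both procedures above, as an added example in Go (not code from the original page): the first wraps a fresh HMAC key for Bob with RSA-OAEP, the second derives the MAC key from a key-exchange pair (X25519 standing in for the Diffie-Hellman key the text mentions). RSA-OAEP, X25519, HMAC-SHA-256 and the SHA-256 key derivation are assumed choices, since the page names none; crypto/ecdh needs Go 1.20 or later.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// WrappedMessage is what Alice sends in the first procedure: the data, its
// MAC tag, and the fresh MAC key encrypted under Bob's RSA public key.
type WrappedMessage struct {
	Data, Tag, WrappedKey []byte
}

// hmacTag computes HMAC-SHA-256 over data: the keyed MAC the text calls for.
func hmacTag(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}

// SendWithWrappedKey is Alice's side of the first procedure, steps 1 to 4.
func SendWithWrappedKey(data []byte, bobPub *rsa.PublicKey) (*WrappedMessage, error) {
	key := make([]byte, 32) // step 1: generate a fresh symmetric key
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	tag := hmacTag(key, data) // step 2: MAC the data with that key
	// step 3: encrypt the key for Bob with his public key. RSA-OAEP is an
	// assumed choice of wrapping scheme; the page does not name one.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, bobPub, key, nil)
	if err != nil {
		return nil, err
	}
	return &WrappedMessage{Data: data, Tag: tag, WrappedKey: wrapped}, nil // step 4
}

// ReceiveWithWrappedKey is Bob's side: unwrap the key with his private key,
// recompute the MAC and compare in constant time. A false result means the
// data or the tag was altered between "there" and "here".
func ReceiveWithWrappedKey(m *WrappedMessage, bobPriv *rsa.PrivateKey) (bool, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, bobPriv, m.WrappedKey, nil)
	if err != nil {
		return false, err
	}
	return hmac.Equal(hmacTag(key, m.Data), m.Tag), nil
}

// DeriveMACKey is the second procedure: combine my key-exchange private key with
// the peer's key-exchange public key (X25519 here, standing in for Diffie-Hellman)
// and hash the shared secret into a MAC key. Alice calls it with Bob's public key
// and Bob with Alice's; both obtain the same key, so no key is ever transmitted.
func DeriveMACKey(myPriv *ecdh.PrivateKey, peerPub *ecdh.PublicKey) ([]byte, error) {
	shared, err := myPriv.ECDH(peerPub)
	if err != nil {
		return nil, err
	}
	k := sha256.Sum256(shared) // minimal KDF for this example; real systems use HKDF
	return k[:], nil
}

func main() {
	bob, _ := rsa.GenerateKey(rand.Reader, 2048)
	msg, _ := SendWithWrappedKey([]byte("constructed sample data"), &bob.PublicKey)
	ok, _ := ReceiveWithWrappedKey(msg, bob)
	fmt.Println("procedure 1, intact data verifies:", ok)
	msg.Data[0] ^= 1 // simulate a one-bit change in transit
	ok, _ = ReceiveWithWrappedKey(msg, bob)
	fmt.Println("procedure 1, altered data verifies:", ok)
	alice, _ := ecdh.X25519().GenerateKey(rand.Reader)
	bobDH, _ := ecdh.X25519().GenerateKey(rand.Reader)
	ka, _ := DeriveMACKey(alice, bobDH.PublicKey())
	kb, _ := DeriveMACKey(bobDH, alice.PublicKey())
	fmt.Println("procedure 2, both sides derive the same key:", hmac.Equal(ka, kb))
}
```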

 

RSA

 

RSA is an Internet encryption and authentication system that uses an algorithm developed in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman. The RSA algorithm is the most commonly used encryption and authentication algorithm and is included as part of the Web browsers from Microsoft and Netscape. It's also part of Lotus Notes, Intuit's Quicken, and many other products. The encryption system is owned by RSA Security. The company licenses the algorithm technologies and also sells development kits. The technologies are part of existing or proposed Web, Internet, and computing standards.

How the RSA System Works

The mathematical details of the algorithm used in obtaining the public and private keys are available at the RSA Web site. Briefly, the algorithm involves multiplying two large prime numbers (a prime number is a number divisible only by that number and 1) and, through additional operations, deriving a set of two numbers that constitutes the public key and another set that is the private key. Once the keys have been developed, the original prime numbers are no longer important and can be discarded. Both the public and the private keys are needed for encryption/decryption, but only the owner of a private key ever needs to know it. Using the RSA system, the private key never needs to be sent across the Internet.

The private key is used to decrypt text that has been encrypted with the public key. Thus, if I send you a message, I can find out your public key (but not your private key) from a central administrator and encrypt a message to you using your public key. When you receive it, you decrypt it with your private key. In addition to encrypting messages (which ensures privacy), you can authenticate yourself to me (so I know that it is really you who sent the message) by using your private key to encrypt a digital certificate. When I receive it, I can use your public key to decrypt it. A table might help us remember this.
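The authentication direction described above (and the integrity property of signatures from the PKI section), as an added Go example that is not code from the page or from RSA Security: your private key produces a signature only you can make, and anyone holding your public key can check it, which also detects any change to the message. RSA PKCS#1 v1.5 over a SHA-256 digest is an assumed choice of signature scheme.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Sign is the sender's step: hash the message and sign the digest with the
// private key. Only the holder of the private key can produce this value.
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// Verify is the receiver's step, needing only the public key. It reports false
// if the message or signature was altered, or if the signature was produced
// with some other private key, so a true result proves both origin and integrity.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	you, _ := rsa.GenerateKey(rand.Reader, 2048) // "your" key pair
	msg := []byte("constructed sample message")
	sig, _ := Sign(you, msg)
	fmt.Println("genuine message, your public key:", Verify(&you.PublicKey, msg, sig))
	fmt.Println("altered message:", Verify(&you.PublicKey, append(msg, '!'), sig))
	other, _ := rsa.GenerateKey(rand.Reader, 2048) // someone else's key pair
	fmt.Println("checked with the wrong public key:", Verify(&other.PublicKey, msg, sig))
}
```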

 

Data Encryption Standard (DES)

 

Data Encryption Standard (DES) is a widely-used method of data encryption using a private (secret) key that was judged so difficult to break by the U.S. government that it was restricted for exportation to other countries. There are 72,000,000,000,000,000 (72 quadrillion) or more possible encryption keys that can be used. For each given message, the key is chosen at random from among this enormous number of keys. Like other private key cryptographic methods, both the sender and the receiver must know and use the same private key.

DES applies a 56-bit key to each 64-bit block of data. The process can run in several modes and involves 16 rounds or operations. Although this is considered "strong" encryption, many companies use "triple DES", which applies three keys in succession. This is not to say that a DES-encrypted message cannot be "broken." Early in 1997, Rivest-Shamir-Adleman, owners of another encryption approach, offered a $10,000 reward for breaking a DES message. A cooperative effort on the Internet of over 14,000 computer users trying out various keys finally deciphered the message, discovering the key after running through only 18 quadrillion of the 72 quadrillion possible keys! Few messages sent today with DES encryption are likely to be subject to this kind of code-breaking effort.

DES originated at IBM in 1977 and was adopted by the U.S. Department of Defense. It is specified in the ANSI X3.92 and X3.106 standards and in the Federal FIPS 46 and 81 standards. Concerned that the encryption algorithm could be used by unfriendly governments, the U.S. government has prevented export of the encryption software. However, free versions of the software are widely available on bulletin board services and Web sites. Since there is some concern that the encryption algorithm will not remain relatively unbreakable, NIST has indicated DES will not be recertified as a standard, and submissions for its replacement are being accepted.

 

Triple DES was the answer to many of the shortcomings of DES. Since it is based on the DES algorithm, it is very easy to modify existing software to use Triple DES. It also has the advantage of proven reliability and a longer key length that eliminates many of the shortcut attacks that can be used to reduce the amount of time it takes to break DES. Triple DES takes three 64-bit keys, for an overall key length of 192 bits. In Stealth, you simply type in the entire 192-bit (24 character) key rather than entering each of the three keys individually. The Triple DES DLL then breaks the user-provided key into three subkeys, padding the keys if necessary so they are each 64 bits long. The procedure for encryption is exactly the same as regular DES, but it is repeated three times, hence the name Triple DES. The data is encrypted with the first key, decrypted with the second key, and finally encrypted again with the third key. Consequently, Triple DES runs three times slower than standard DES, but is much more secure if used properly. The procedure for decrypting something is the same as the procedure for encryption, except it is executed in reverse. Like DES, data is encrypted and decrypted in 64-bit blocks.
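The encrypt-decrypt-encrypt sequence on one 64-bit block, as an added Go example built from the standard library's single-DES cipher (not code from the page or from the Stealth product it mentions). The three keys and the block are constructed; the last lines of main show why three distinct keys matter.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"errors"
	"fmt"
)

// tripleDESCiphers builds the three single-DES ciphers from three 8-byte keys.
func tripleDESCiphers(k1, k2, k3 []byte) (c1, c2, c3 cipher.Block, err error) {
	if c1, err = des.NewCipher(k1); err != nil {
		return
	}
	if c2, err = des.NewCipher(k2); err != nil {
		return
	}
	c3, err = des.NewCipher(k3)
	return
}

// TripleDESEncryptBlock encrypts one 64-bit block exactly as the text describes:
// encrypt with the first key, decrypt with the second, encrypt with the third.
func TripleDESEncryptBlock(k1, k2, k3, block []byte) ([]byte, error) {
	if len(block) != des.BlockSize {
		return nil, errors.New("block must be exactly 8 bytes")
	}
	c1, c2, c3, err := tripleDESCiphers(k1, k2, k3)
	if err != nil {
		return nil, err
	}
	a, b, out := make([]byte, 8), make([]byte, 8), make([]byte, 8)
	c1.Encrypt(a, block) // E with K1
	c2.Decrypt(b, a)     // D with K2
	c3.Encrypt(out, b)   // E with K3
	return out, nil
}

// TripleDESDecryptBlock runs the same three steps in reverse order:
// decrypt with K3, encrypt with K2, decrypt with K1.
func TripleDESDecryptBlock(k1, k2, k3, block []byte) ([]byte, error) {
	if len(block) != des.BlockSize {
		return nil, errors.New("block must be exactly 8 bytes")
	}
	c1, c2, c3, err := tripleDESCiphers(k1, k2, k3)
	if err != nil {
		return nil, err
	}
	a, b, out := make([]byte, 8), make([]byte, 8), make([]byte, 8)
	c3.Decrypt(a, block)
	c2.Encrypt(b, a)
	c1.Decrypt(out, b)
	return out, nil
}

func main() {
	k1, k2, k3 := []byte("constr01"), []byte("constr02"), []byte("constr03") // constructed keys
	block := []byte("8bytemsg")
	ct, _ := TripleDESEncryptBlock(k1, k2, k3, block)
	pt, _ := TripleDESDecryptBlock(k1, k2, k3, ct)
	fmt.Printf("ciphertext %x, round trip %q\n", ct, pt)
	// With K1 = K2 = K3 the middle decryption undoes the first encryption and
	// Triple DES collapses to single DES, which is why three distinct keys matter.
	single, _ := des.NewCipher(k1)
	want := make([]byte, 8)
	single.Encrypt(want, block)
	same, _ := TripleDESEncryptBlock(k1, k1, k1, block)
	fmt.Println("K1=K2=K3 equals single DES:", string(same) == string(want))
}
```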

 

However, even this more powerful version of DES may not be strong enough to protect data for very much longer. The DES algorithm itself has become obsolete and is in need of replacement. The next standard will be known as the Advanced Encryption Standard (AES).

 

Advanced Encryption Standard (AES)

The Advanced Encryption Standard (AES) is an encryption algorithm for securing sensitive but unclassified material by U.S. Government agencies and, as a likely consequence, may eventually become the de facto encryption standard for commercial transactions in the private sector. (Encryption for the US military and other classified communications is handled by separate, secret algorithms.)

In January of 1997, a process was initiated by the National Institute of Standards and Technology (NIST), a unit of the U.S. Commerce Department, to find a more robust replacement for the Data Encryption Standard (DES) and to a lesser degree Triple DES. The specification called for a symmetric algorithm (same key for encryption and decryption) using block encryption (see block cipher) of 128 bits in size, supporting key sizes of 128, 192 and 256 bits, as a minimum. The algorithm was required to be royalty-free for use worldwide and offer security of a sufficient level to protect data for the next 20 to 30 years. It was to be easy to implement in hardware and software, as well as in restricted environments (for example, in a smart card) and offer good defenses against various attack techniques.

The entire selection process was fully open to public scrutiny and comment, it being decided that full visibility would ensure the best possible analysis of the designs. In 1998, the NIST selected 15 candidates for the AES, which were then subject to preliminary analysis by the world cryptographic community, including the National Security Agency. On the basis of this, in August 1999, NIST selected five algorithms for more extensive analysis. These were:

  • MARS, submitted by a large team from IBM Research
  • RC6, submitted by RSA Security
  • Rijndael, submitted by two Belgian cryptographers, Joan Daemen and Vincent Rijmen
  • Serpent, submitted by Ross Anderson, Eli Biham and Lars Knudsen
  • Twofish, submitted by a large team of researchers including Counterpane's respected cryptographer, Bruce Schneier

Implementations of all of the above were tested extensively in ANSI C and Java languages for speed and reliability in such measures as encryption and decryption speeds, key and algorithm set-up time and resistance to various attacks, both in hardware- and software-centric systems. Once again, detailed analysis was provided by the global cryptographic community (including some teams trying to break their own submissions). The end result was that on October 2, 2000, NIST announced that Rijndael had been selected as the proposed standard. On December 6, 2001, the Secretary of Commerce officially approved Federal Information Processing Standard (FIPS) 197, which specifies that all sensitive, unclassified documents will use Rijndael as the Advanced Encryption Standard.

 

Hardware Security Module (HSM)

 

A Hardware Security Module (HSM), also called a Host Security Module, provides a hardware-based key generation process, offering a more secure key generation technique than software-based generation. HSMs also provide secure management of private keys, in that the keys never leave the module unencrypted.

 

An HSM is a physically secure, tamper-resistant security server that provides cryptographic functions to secure transactions in retail financial applications, including PIN encryption and verification, debit card validation, stored-value card issuing and processing, chip card issuing and processing, message authentication and symmetric key management. An HSM may also support public key cryptographic operations, including digital signatures, certificates and asymmetric key management. Acting as a peripheral to a host computer, the HSM may provide the cryptographic facilities needed to implement a wide range of data security tasks, including those required in the following environments: Automatic Teller Machine (ATM) systems, Electronic Funds Transfer at Point-of-Sale (EFT/POS) systems, electronic trading and matching systems for bonds and securities, Financial Electronic Data Interchange (EDI) systems, key management and Internet commerce.

 

The most widely used HSMs worldwide are Racal (now Thales) HSMs, Atalla (now HP/Compaq) Network Server Processors and Eracom ESMs. These product families provide essentially the same underlying security functionality, but they vary significantly in the client operating environments they support, their throughput and connectivity requirements, and their interfaces to third-party software solutions. These products are extremely reliable, cost-effective solutions for providing host/server-based cryptographic processing, whether DES, Triple-DES or PKI.

 


 

Message Authentication Code (MAC)

 

A message authentication code (MAC) is an authentication tag (also called a checksum) derived by applying an authentication scheme, together with a secret key, to a message. Unlike digital signatures, MACs are computed and verified with the same key, so that they can only be verified by the intended recipient. There are four types of MACs: (1) unconditionally secure, (2) hash function-based, (3) stream cipher-based, or (4) block cipher-based.

  1. Simmons and Stinson proposed an unconditionally secure MAC based on encryption with a one-time pad. The ciphertext of the message authenticates itself, as nobody else has access to the one-time pad. However, there has to be some redundancy in the message. An unconditionally secure MAC can also be obtained by use of a one-time secret key.
  2. Hash function-based MACs (often called HMACs) use a key or keys in conjunction with a hash function to produce a checksum that is appended to the message. An example is the keyed-MD5 method of message authentication.
  3. Lai, Rueppel, and Woolven proposed a MAC based on stream ciphers. In their algorithm, a provably secure stream cipher is used to split a message into two substreams and each substream is fed into an LFSR; the checksum is the final state of the two LFSRs.
  4. MACs can also be derived from block ciphers. The DES-CBC MAC is a widely used U.S. and international standard. The basic idea is to encrypt the message blocks using DES CBC and output the final block in the ciphertext as the checksum. Bellare et al. give an analysis of the security of this MAC.

 

Firewall

 

All firewalls act as a perimeter access-control device. They let some people into a network of computer systems, and they keep some people out. Firewalls enforce a set of rules that determine which information is allowed to pass.

 

There are two basic types of firewalls: packet-filters and proxy servers. Some other sources define more categories, but these are the basic two. Many commercial firewall products are hybrids of these two types.

 

A packet-filter firewall does just what the name implies: it blocks any packets that try to reach ports which have been declared "off-limits." Some versions allow you to specify that only packets from specific IP addresses can pass to particular ports; others allow all except specific IP addresses. Regardless of the method, they all block access based on some set of rules.

 

The proxy server (also known as "application gateway") type of firewall attempts to hide the configuration of the network behind the firewall by acting on behalf of that network, or as a "proxy." All requests for access are translated at the firewall so that all packets are sent to and from the firewall, rather than from the hosts behind the firewall. These firewalls also allow various access control rules to be enforced. The major difference between these and packet filters is that packet filters operate on individual packets, whereas proxy servers must be aware of the entire session.

 

You will also hear the term "stateful inspection" with regard to firewalls. What this feature does is have the firewall remember what outgoing requests have been sent and only allow responses to those requests back through the firewall. This way, attempts to access the internal network that have not been requested by the internal network will be denied. Either type of firewall can use stateful inspection.

 

There are highly flexible and configurable firewalls (like those from Check Point Software) that operate on dedicated computer systems. These are generally used by organizations with the need to specifically configure the firewalls for their own purposes -- and the resources to do so. At the other end of the spectrum are firewalls that come as part of an appliance or some other system, like those from Sonicwall Inc. or Linksys Group Inc., and that have limited configurability. These are generally made to drop into the home and SOHO environments. Then you have everything in between, depending on what is needed. Cisco, for instance, builds its firewall into routers and VPNs.

 

Regardless of the type of firewall, someone has to configure it to make it work properly. The rules for access must be defined and entered into the firewall for enforcement. A security manager is usually responsible for the firewall configuration. How the particular policy that the rules enforce is set is an internal matter for the owner of the internal network. Also keep in mind that there is no such thing as absolute security, only an extent of risk reduction. Companies generally don't feel insecure until they're violated.

 

The above is a greatly simplified introduction to firewalls. A good reference book to learn more would be “Building Internet Firewalls, Second Edition” by Elizabeth D. Zwicky, Simon Cooper and D. Brent Chapman (Published by O'Reilly & Associates; Second Edition June 2000; 894 Pages; ISBN 1-56592-871-7).

 

Demilitarized Zone (DMZ)

 

Security is very important, especially if you host your own servers. Separating your corporate LAN from your public servers is a sound safety measure. To set up a "demilitarized zone" or DMZ, you need a firewall with three connections: the first for the Internet, the second for your corporate LAN and the third for the DMZ. That firewall can also be a router, but proper firewalling is essential to setting up a correct DMZ.

All sessions from Internet to the LAN are forbidden. Also all sessions from the public server to the LAN are forbidden.

Only explicitly specified sessions are allowed from the LAN to the public server and to the Internet, from the Internet to the public server, and from the public server to the Internet. That fits a good security practice: all is forbidden except what is allowed. You can allow web browsing, mail and news, and file transfer. The firewall can also perform other security or routing tasks such as NAT or VPN.
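The DMZ rules above together with the packet-filter and stateful-inspection behaviour from the Firewall section, as an added Go example (not code from the page): a default-deny filter over three zones, explicit allow rules, a hard prohibition on any path into the LAN, and a session table so that only replies to sessions already admitted are let back through. The zones, ports and policy are constructed for illustration.

```go
package main

import "fmt"

// Zone is one of the three firewall connections the DMZ text describes.
type Zone string

const (
	Internet Zone = "internet"
	LAN      Zone = "lan"
	DMZ      Zone = "dmz" // where the public servers live
)

// Packet is what a packet filter inspects; zones stand in for addresses here.
type Packet struct {
	From, To         Zone
	Proto            string
	SrcPort, DstPort int
}

// Rule is one explicitly allowed session (DstPort 0 means any port).
type Rule struct {
	From, To Zone
	Proto    string
	DstPort  int
}

// Firewall holds the allow rules plus, for stateful inspection, the sessions
// already admitted, so that only replies to those are let back through.
type Firewall struct {
	allow    []Rule
	sessions map[Packet]bool
}

// Filter reports whether p may pass: (1) replies to admitted sessions pass;
// (2) nothing from the Internet or the public servers ever reaches the LAN;
// (3) all else is forbidden except what an explicit rule allows.
func (fw *Firewall) Filter(p Packet) bool {
	if fw.sessions[Packet{p.To, p.From, p.Proto, p.DstPort, p.SrcPort}] {
		return true
	}
	if p.To == LAN && p.From != LAN {
		return false
	}
	for _, r := range fw.allow {
		if r.From == p.From && r.To == p.To && r.Proto == p.Proto &&
			(r.DstPort == 0 || r.DstPort == p.DstPort) {
			fw.sessions[p] = true // remember the session so its reply is accepted
			return true
		}
	}
	return false
}

// DMZPolicy is a constructed policy: the LAN may browse and send mail, the
// Internet may reach the public web and mail servers, and the mail server may
// deliver outbound mail. Everything else, including any path into the LAN, is denied.
func DMZPolicy() *Firewall {
	return &Firewall{sessions: map[Packet]bool{}, allow: []Rule{
		{LAN, Internet, "tcp", 80}, {LAN, Internet, "tcp", 443},
		{LAN, DMZ, "tcp", 80}, {LAN, DMZ, "tcp", 25},
		{Internet, DMZ, "tcp", 80}, {Internet, DMZ, "tcp", 25},
		{DMZ, Internet, "tcp", 25},
	}}
}

func main() {
	fw := DMZPolicy()
	for _, p := range []Packet{
		{Internet, DMZ, "tcp", 50000, 80},  // visitor to the public web server: allowed
		{DMZ, Internet, "tcp", 80, 50000},  // that server's reply: allowed by state
		{Internet, LAN, "tcp", 50001, 80},  // Internet into the LAN: always forbidden
		{DMZ, LAN, "tcp", 50002, 445},      // public server into the LAN: always forbidden
		{DMZ, Internet, "tcp", 50003, 22},  // unsolicited from the DMZ, no rule: denied
		{LAN, Internet, "tcp", 50004, 443}, // LAN browsing: allowed
	} {
		fmt.Printf("%-8s -> %-8s port %-4d allowed=%v\n", p.From, p.To, p.DstPort, fw.Filter(p))
	}
}
```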

 

Internet Key Exchange (IKE)

 

A hybrid protocol which implements Oakley and Skeme key exchanges inside the Internet Security Association and Key Management Protocol (ISAKMP) framework. While IKE can be used with other protocols, its initial implementation is with the IPSec protocol. IKE provides authentication of the IPSec peers, negotiates IPSec keys, and negotiates IPSec security associations.

 

Internet Key Exchange Security (IKE) Protocol

 

The Internet Key Exchange (IKE) protocol is a key management protocol standard which is used in conjunction with the IPSec standard. IPSec is an IP security feature that provides robust authentication and encryption of IP packets.

 

IPSec can be configured without IKE, but IKE enhances IPSec by providing additional features, flexibility, and ease of configuration for the IPSec standard.

 

IP Security (IPSec) Protocol

 

IPSec is a framework of open standards that provides data confidentiality, data integrity, and data authentication between participating peers. IPSec provides these security services at the IP layer; it uses IKE to handle negotiation of protocols and algorithms based on local policy, and to generate the encryption and authentication keys to be used by IPSec. IPSec can be used to protect one or more data flows between a pair of hosts, between a pair of security gateways, or between a security gateway and a host.

 

Internet Security Association and Key Management Protocol (ISAKMP)

 

A protocol framework which defines payload formats, the mechanics of implementing a key exchange protocol, and the negotiation of a security association.

 

Oakley

 

A key exchange protocol which defines how to derive authenticated keying material.

 

Skeme

 

A key exchange protocol which defines how to derive authenticated keying material, with rapid key refreshment.

 

Diffie-Hellman

 

A public-key cryptography protocol which allows two parties to establish a shared secret over an unsecure communications channel. Diffie-Hellman is used within IKE to establish session keys.

 

MD5 (Message Digest 5)

 

MD5 (HMAC variant) is the most popular hash algorithm used to authenticate packet data. HMAC is a variant which provides an additional level of hashing.

 

SHA (Secure Hash Algorithm)

 

SHA (HMAC variant) is a hash algorithm used to authenticate packet data. HMAC is a variant which provides an additional level of hashing.

 

X.509v3 certificates

 

Used with the IKE protocol when authentication requires public keys. This certificate support allows the protected network to scale by providing the equivalent of a digital ID card to each device. When two devices wish to communicate, they exchange digital certificates to prove their identity (thus removing the need to manually exchange public keys with each peer or to manually specify a shared key at each peer).

 

Anti-replay

 

A security service in which the receiver can reject old or duplicate packets in order to protect itself against replay attacks. IPSec provides optional anti-replay services by use of a sequence number combined with the use of authentication.
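The sequence-number check combined with authentication, as an added Go example (not code from the page): a 64-entry sliding window that rejects numbers below the window and duplicates, consulted only after the packet's MAC tag verifies so that a forged sequence number can never move the window. The window size, HMAC-SHA-256 and the packet layout are assumptions of the example; the key and packets are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// WindowSize is how many recent sequence numbers the receiver tracks (assumed 64).
const WindowSize = 64

// ReplayWindow is the receiver's anti-replay state.
type ReplayWindow struct {
	lastSeq uint32 // highest sequence number accepted so far
	bitmap  uint64 // bit i set => sequence number lastSeq-i was accepted
}

// Accept reports whether seq is new and within the window, and records it.
// Numbers below the window and duplicates are rejected.
func (w *ReplayWindow) Accept(seq uint32) bool {
	if seq == 0 {
		return false // counters start at 1, so 0 is never valid
	}
	if seq > w.lastSeq { // newer than anything seen: slide the window forward
		shift := seq - w.lastSeq
		if shift >= WindowSize {
			w.bitmap = 1
		} else {
			w.bitmap = w.bitmap<<shift | 1
		}
		w.lastSeq = seq
		return true
	}
	diff := w.lastSeq - seq
	if diff >= WindowSize {
		return false // too old to be distinguished from a replay
	}
	if w.bitmap&(uint64(1)<<diff) != 0 {
		return false // duplicate: already accepted once
	}
	w.bitmap |= uint64(1) << diff
	return true
}

// Packet is a constructed stand-in for an authenticated IPsec packet.
type Packet struct {
	Seq     uint32
	Payload []byte
	Tag     []byte // MAC over Seq and Payload
}

func tag(key []byte, seq uint32, payload []byte) []byte {
	m := hmac.New(sha256.New, key)
	binary.Write(m, binary.BigEndian, seq) // the sequence number is covered by the MAC
	m.Write(payload)
	return m.Sum(nil)
}

// Receive combines the two checks the text names: the tag is verified first, so
// a forged sequence number cannot move the window; only then is seq tested.
func Receive(w *ReplayWindow, key []byte, p Packet) bool {
	if !hmac.Equal(tag(key, p.Seq, p.Payload), p.Tag) {
		return false
	}
	return w.Accept(p.Seq)
}

func main() {
	key, w := []byte("constructed shared key"), &ReplayWindow{}
	send := func(seq uint32) Packet { return Packet{seq, []byte("data"), tag(key, seq, []byte("data"))} }
	for _, seq := range []uint32{1, 2, 3, 2, 10, 5, 100, 36, 37} {
		fmt.Printf("seq %3d accepted=%v\n", seq, Receive(w, key, send(seq)))
	}
	bad := send(38)
	bad.Tag[0] ^= 1 // tampered packet: rejected before the window is consulted
	fmt.Println("seq 38 with bad tag accepted=", Receive(w, key, bad))
}
```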

 

Data authentication

 

Data authentication includes two concepts:

1. Data integrity (verify that data has not been altered).

2. Data origin authentication (verify that the data was actually sent by the claimed sender).

 

Data authentication can refer either to integrity alone or to both of these concepts (although data origin authentication is dependent upon data integrity).

 

Perfect forward secrecy (PFS)

 

A cryptographic characteristic associated with a derived shared secret value. With PFS, if one key is compromised, previous and subsequent keys are not also compromised, because subsequent keys are not derived from previous keys.

 

Repudiation

 

A quality that prevents a third party from being able to prove that a communication between two other parties ever took place. This is a desirable quality if you do not want your communications to be traceable. Non-repudiation is the opposite quality—a third party can prove that a communication between two other parties took place. Non-repudiation is desirable if you want to be able to trace your communications and prove that they occurred.

 

Security association (SA)

 

A security association (SA) describes how two or more entities will utilize security services to communicate securely. For example, an IPSec SA defines the encryption algorithm (if used), the authentication algorithm, and the shared session key to be used during the IPSec connection.

Both IPSec and IKE require and use SAs to identify the parameters of their connections. IKE can negotiate and establish its own SA. The IPSec SA is established either by IKE or by manual user configuration.

 

Hash

 

A cryptographic "hash" creates a unique signature for a message. The key feature behind a hash is that it is "one-way". That means that while you can generate a hash from plain-text, you could never create plain-text from a hash.

For example, let's say that you create a story that is 20 pages long, and you want to make sure that nobody alters the story. You run one of the hash algorithms (such as MD5, MD4 or SHA) over the story, creating a 128-bit hash. In theory, it is virtually impossible to create another version of the story that matches that same 128-bit value.

Hashes are a "cryptographically secure" form of a "checksum" or "CRC". A checksum is used to detect unintentional changes in data, such as when a network packet gets corrupted when transmitted over a wire. A cryptographically secure hash, on the other hand, is used to protect data from intentional changes in data.

 

 

 


 

Updated on August 9, 2002

 

 © Copyright 2002 Allan Low. All rights reserved. Reproduction of this Web Site, in whole or in part, in any form or medium without express written permission from the author is prohibited.

 
