Information security: Difference between revisions
imported>Howard C. Berkowitz |
imported>Howard C. Berkowitz |
||
Line 53: | Line 53: | ||
Only if he made a penetration into the computers verifying the times of service could he avoid detection. | Only if he made a penetration into the computers verifying the times of service could he avoid detection. | ||
====Atomic integrity==== | ====Atomic integrity==== | ||
When a record or message has atomic integrity, there is verification that it has not been altered. A cryptographic [[hash]] is created before transmission and further encrypted if content confidentiality is enabled. On reception, the receiver verifies atomic integrity if repeating the same cryptographic hash process produces the received hash value. | |||
There may be additional levels of security, such as plausibility checks based on trusted timestamps, digital signatures, etc. | |||
====Sequential integrity==== | ====Sequential integrity==== | ||
The basic mechanism of sequential integrity assurance is to put encrypted sequence numbers into each method, and, on reception, verify the sequence number sequence is correct, with exactly the same number of records as there are sequence numbers. Other measures exist, such as verifying that a cryptographic hash of the entire sequence, sent securely, can be recomputed exactly on the decrypted text. Independent control channels also can contain the sequence information. | The basic mechanism of sequential integrity assurance is to put encrypted sequence numbers into each method, and, on reception, verify the sequence number sequence is correct, with exactly the same number of records as there are sequence numbers. Other measures exist, such as verifying that a cryptographic hash of the entire sequence, sent securely, can be recomputed exactly on the decrypted text. Independent control channels also can contain the sequence information. |
Revision as of 16:29, 3 September 2008
Communications security are the set of protective measures applied to information that traverses a telecommunications network or computer network. There are a wide range of such measures, and not all are needed in every situation. There is no longer any sharp distinction between communications and information security. In a simpler world, once a user could gain access to a computer, all resources on that computer became available. As information threats grew, user rights were restricted on individual computers; a casual user of a public library no longer could install a new operating system. Now that many applications, invisibly to the user, may be executed using multiple computers, the distinction becomes minimally useful.
Still, it is reasonable to talk about the needs of the entire system. Governments may invest billions in communications intelligence organizations dedicated to breaking the strongest military and diplomatic communications of other governments. Each individual and organization has to address the question of whether a miscreant, whether an individual or a government, is likely to try to access one's own information and communications, and how much effort and expense the miscreant will use.
If one is a celebrity, the risks are greater. [1] In the cited example of hospital employees looking at an entertainer's records, however, the unauthorized access came from authorized access of the computer system, who had no justification to access those records. Restricting access, by health care workers, to a strict subset of records could limit the needed ability for legitimate access in an emergency. There are no simple answers.
Many years ago, Dennis Bransted, then with the U.S. National Institute of Standards and Technology coined the "5-S mnemonic that described attributes of a secure communication. We have additional threats today, but this is an excellent start about deciding if a given application needs all of these properties, or if some are not needed. For example, it may be important that a stock market transaction be protected against modification, but, since it will soon be announced, secrecy is not terribly important.
- Sealed: cannot be modified without detection
- Sequenced: protected against loss, replaying, or reordering of messages
- Secret: protected against unauthorized disclosure
- Signed: confirmed as coming from the sender
- Stamped: the sender cannot deny sending and the receiver cannot deny receiving
The Security Process
One eternal truth about security is that it does not exist unless every action affecting a secure event can be audited. A reliable (often replicated) tamper-proof log is essential.
Administration
As an example, CZ gives limited privileges to a user who has not established an account. In the CZ case, to gain additional privileges, one minimally gives one's name and has it verified. That conveys author privilege. Additional privilege is needed to be an author or constable, and there appear to be additional system administrator and software modification privileges.
Articles, and text with them, have varying levels of object sensitivity. Anyone can read them. Any author can add or edit an unlocked version. Deletion of articles, however, requires constable privileges.
Note that privileges are described here as an administrative assignment, as are the restrictions on operations that can be performed on articles. These administrative controls precede interaction with the system.
Interactions
Access
To gain access beyond general reader, one begins by entering a user name known to CZ. Identification, in this security context, is the process of claiming an identity. Once that claim is made, it is subject to user authentication that confirms the user's identity.
While user authentication can be complex, any reasonably secure scheme uses at least two "factors": a purported identity, and a factor by which the system verifies the identity. In the CZ case, the second factor is "something you know", such as a password. In other cases, the second factor might be "something you are", such as a person with a biometrically verified fingerprint, or "something you have", such as a physical key or electronic security token.
After the user is authenticated, the system grants credentials. In an information system, a credential is a right to use a privilege. This usage of the term probably originated in the Kerberos authentication system. [2]
A user might have a privilege that cannot be exercised due to additional rules of credentialing. For example, a given user might need to be at a workstation within a physically secured perimeter to use some privilege; the credential to use that privilege will not be granted to the same user accessing the protected system from the public Internet.
The wise user, however, may want mutual authentication. Some excellent online banking systems not only require two-factor authentication from the user, but also to the user. Phishing is a security attack in which the miscreant convinces the user that a false server is the real one. A common phishing technique is to send an HTML-formatted electronic mail message, which appears to have a link to the real server. Unless the HTML code is examined, for purposes of this example, there is no easy way to distinguish a well-forged message, linking to the miscreant's server, from a real message.
If, however, server identification is in effect, the server must present a second factor to the user, such as a password the user assigned to the bank account from the bank's customer service department. More sophisticated techniques present digital certificates, which, minimally, use cryptography as a means of authentication. By adding server authentication of any sort, the overall authentication process now has at least three factors. Techniques of encrypting or all of the factors make the authentication even stronger.
Information transfer
Sender authentication
Potentially, an unauthorized sender might inject secured packets into the informaton flow. Should the sender have analyzed the protection being given the content, but not the method by which packets are verified as authentically from the authorized source, such a violation should be detectable.
Many methods can be used for sender authentication, not all of them cryptographic in nature. Assuming the parties to the communication have synchronized time-of-day references, a false sender could be recognized by administrative means as simple as a transmission made outside working hours for the function. Since the working hours never appear in the secured flow, a pure interceptor of traffic could not know that test could be applied.
Only if he made a penetration into the computers verifying the times of service could he avoid detection.
Atomic integrity
When a record or message has atomic integrity, there is verification that it has not been altered. A cryptographic hash is created before transmission and further encrypted if content confidentiality is enabled. On reception, the receiver verifies atomic integrity if repeating the same cryptographic hash process produces the received hash value.
There may be additional levels of security, such as plausibility checks based on trusted timestamps, digital signatures, etc.
Sequential integrity
The basic mechanism of sequential integrity assurance is to put encrypted sequence numbers into each method, and, on reception, verify the sequence number sequence is correct, with exactly the same number of records as there are sequence numbers. Other measures exist, such as verifying that a cryptographic hash of the entire sequence, sent securely, can be recomputed exactly on the decrypted text. Independent control channels also can contain the sequence information.
Content confidentiality
When content confidentiality is in effect, unauthorized users cannot obtain the cleartext content of the message. Cryptographic means are the primary way to achieve this service, although pseudo-cryptographic methods such as frequency agility or spread spectrum radio can make it difficult to capture material even transmitted in the clear. Other means of achieving content confidentiality include physical protected distribution systems, or concealing the data using steganography.
Nonrepudiation
Sender nonrepudiation
Receiver nonrepudiation
Denial of service
References
- ↑ "27 suspended for Clooney file peek", Cable News Network, 10 October 2007
- ↑ C. Neuman, T. Yu, S. Hartman, K. Raeburn (July 2005), The Kerberos Network Authentication Service (V5), Internet Engineering Task Force, RFC 4120