Next: CDPD Security Up: Mobile Data Network Security Previous: Security Threats

Security Services and Mechanisms

Having identified the relevant security threats to a system, the system operator can apply various security services and mechanisms to confront these threats and implement a desired security policy. In this section we provide a general description of such services and techniques. The science behind these methods is researched and developed as part of the broad discipline of Cryptography. Cryptography embodies the mathematical principles, means, and methods for the transformation of data in order to hide its information content, prevent its undetected modification, and/or prevent its unauthorized use. Cryptographic functions may be used as part of encipherment, decipherment, data integrity, authentication exchanges, password storage and checking, etc. to help achieve confidentiality, integrity, and/or authentication.

The following subsections summarize some key security services and mechanisms.

Encipherment and Data Confidentiality

Encipherment is a security mechanism that transforms data into an unreadable form. Its purpose is to ensure privacy by keeping information hidden from anyone for whom it is not intended, even those who can see the enciphered data. Decipherment is the reverse of encipherment: the transformation of encrypted data back into an intelligible form. Encipherment is performed on cleartext (intelligible data) to produce ciphertext (encrypted data whose semantic content is not available). The result of decipherment is either cleartext or, when several layers of encipherment have been applied, ciphertext still under an inner layer.

Encipherment can provide confidentiality of either data or traffic flow information and can play a part in, or complement other security mechanisms.

Encipherment and decipherment require the use of some secret information, usually referred to as a key, which directs the specific transformation. The key is one of two cryptovariables; the other is the initialization variable (initialization vector), which some modes of operation require so that repeated cleartext does not produce repeated, recognizable ciphertext. Unlike the key, the initialization variable need not be secret, but it must be chosen fresh for each message in the way the mode of operation requires.

Encipherment techniques are either symmetric (secret key), where knowledge of the encipherment key implies knowledge of the decipherment key and vice versa, or asymmetric. In asymmetric algorithms one key is called public (because it is made publicly available) while the other is called private (because it is kept secret), and knowledge of the public key must not yield the private key. Once a private key has been compromised, the system (or at least every use of that private key) is no longer secure. Both kinds of technique are used to provide the data confidentiality service.

Modern cryptographic systems also provide mechanisms for authentication, for instance digital signatures, which bind a document to the possessor of a specific key, or digital timestamps, which bind a document to its existence at a given time. In general the existence of an encipherment mechanism implies the need for a key management mechanism.

Public Key Cryptography

Figure 6.1 illustrates a simple public key cryptographic system that provides data confidentiality. When Alice wishes to send a secret message to Bob, she looks up Bob's public key in a directory, uses it to encrypt the message, and sends it off. Bob then uses his private key to decrypt the message and read it. No one listening in can decrypt the message. Anyone can send Bob an encrypted message, but only Bob can read it. Clearly one requirement is that no one can derive the private key from the corresponding public key; a second is that the key Alice retrieves from the directory is genuinely Bob's, since whoever could substitute a key of their own would be able to read the message in Bob's place.


  
Figure 6.1: A Public Key Cryptographic System (PKCS)

Digital Signatures

Digital signature is the process of binding some information (e.g., a document) to its originator (e.g., the signer).

The essential characteristic of a digital signature is that the signed data unit cannot be created without using the private key. This means that

1. The signed data unit cannot be created by any individual except the holder of the private key.

2. The recipient cannot create the signed data unit.

3. The sender cannot deny sending the signed data unit.

Therefore, using only publicly available information (the public key), it is possible to identify the signer of a data unit as the possessor of the private key. It is also possible to prove the identity of the signer of the data unit to a reliable third party in case of a later dispute.

Thus, a digital signature attests to the contents of a message as well as to the identity of the signer. As long as a secure hash function is used (a function that is easy to compute in one direction but infeasible to invert, and for which two inputs with the same output cannot feasibly be found), one cannot take a person's signature from one document and transpose it onto another, or alter a signed message in any way. The slightest change in a digitally signed document will cause the signature verification process to fail. However, if a signature verification fails, it is in general impossible to tell from the signature alone whether there was an attempted forgery or simply a transmission error.

In short, a digital signature mechanism involves the two procedures of signing a data unit, and verifying the signed data unit. The former process uses information which is private (i.e. unique and confidential) to the signer. The second process uses procedures and information which are publicly available but from which the signer's private information cannot be deduced.


  
Figure 6.2: A Digital Signature Mechanism

Figure 6.2 illustrates a digital signature mechanism. To sign a message, Alice appends an enciphered summary of the information to the information she wishes to send. The summary is produced by a one-way hash function h, and the enciphering Xs is carried out under Alice's secret key. Thus the message sent to Bob is of the form:

X{info} = info + Xs[h(info)]

where + denotes concatenation of the information with its signature.

The encipherment using the secret key ensures that the signature cannot be forged. The one-way nature of the hash function ensures that false information, generated so as to have the same hash result (and thus signature), cannot be substituted.

In turn, upon receipt of Alice's message, Bob verifies the signature by applying the one-way hash function to the information and comparing the result with that obtained by deciphering the signature using Alice's public key. If the two are the same, it is verified that the message was signed by the holder of Alice's private key, i.e. that Alice is the true sender. For the verification to be performed correctly, Alice and Bob must use the same hash function, and Bob must hold an authentic copy of Alice's public key.
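The two mechanisms of Figures 6.1 and 6.2 carried through in code, as an added example that is not part of the original text: textbook RSA on the Python standard library, with one key pair used for confidentiality (Bob's) and a separate pair for signing (Alice's), and the signed data unit built exactly as info + Xs[h(info)] with h = SHA-256. The key size, the absence of padding and the sample messages are assumptions of this demonstration, chosen so the arithmetic stays visible; raw RSA without padding is malleable and must not be used as-is.

```python
"""Added example (not from the original thesis): textbook RSA showing the
public-key confidentiality flow of Figure 6.1 and the hash-then-sign
mechanism of Figure 6.2, X{info} = info + Xs[h(info)].

Assumptions of this demo: 512-bit moduli, SHA-256, no padding. Real systems
use a vetted library with RSA-OAEP / RSA-PSS or an elliptic-curve scheme.
"""
import hashlib
import math
import secrets


def is_probable_prime(n, rounds=40):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Random prime with exactly `bits` bits (top and bottom bit forced to 1)."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def keygen(bits=512, e=65537):
    """Return (public, private) as ((n, e), (n, d)). One pair per purpose."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    n, d = p * q, pow(e, -1, phi)  # d = e^-1 mod phi (Python >= 3.8)
    return (n, e), (n, d)


def h(info: bytes) -> int:
    """One-way hash of the information, as an integer (256 bits < n)."""
    return int.from_bytes(hashlib.sha256(info).digest(), "big")


def sign(private, info: bytes):
    """Signed data unit: the information plus Xs[h(info)] under the secret key."""
    n, d = private
    return info, pow(h(info), d, n)


def verify(public, info: bytes, sig: int) -> bool:
    """Recompute h(info); compare with the signature 'deciphered' by the public key."""
    n, e = public
    return pow(sig, e, n) == h(info)


def encrypt(public, message: bytes) -> int:
    """Figure 6.1: anyone can encrypt to Bob with his public key (raw RSA)."""
    n, e = public
    m = int.from_bytes(message, "big")
    if not 0 < m < n or message[0] == 0:  # leading NUL would be lost on decrypt
        raise ValueError("message must be shorter than n and not start with NUL")
    return pow(m, e, n)


def decrypt(private, c: int) -> bytes:
    n, d = private
    m = pow(c, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def demo():
    """Run both flows once and return the observable outcomes."""
    bob_pub, bob_priv = keygen()        # Bob's confidentiality pair (Fig. 6.1)
    alice_pub, alice_priv = keygen()    # Alice's signing pair (Fig. 6.2)

    secret = b"meet at 09:00"           # constructed sample message
    recovered = decrypt(bob_priv, encrypt(bob_pub, secret))

    info, sig = sign(alice_priv, b"pay Carol 100")        # constructed document
    tampered = verify(alice_pub, b"pay Carol 101", sig)     # one-character change
    transposed = verify(alice_pub, b"pay Mallory 100", sig)  # signature moved
    forged = verify(alice_pub, info, pow(h(info), 3, alice_pub[0]))  # no private key
    return {
        "decrypted_ok": recovered == secret,
        "verified": verify(alice_pub, info, sig),
        "tampered": tampered,
        "transposed": transposed,
        "forged": forged,
    }


if __name__ == "__main__":
    print(demo())
```

The three failing checks in demo() are the properties claimed above: a one-character change, a signature moved to another document, and a value computed without the private key all fail verification, and the verifier cannot tell which of the three happened.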

Authentication

Authentication is defined by [KAUF95] as "the process of reliably verifying the identity of someone (or something)".

Authentication can be "One-Way" or "Two-Way." Each of these is described below.

- One-Way Authentication: Involves a single transfer of information from one user (A) intended for another (B), and establishes the following:

  - the identity of A and that the authentication token was generated by A;

  - the identity of B and that the authentication token was intended to be sent to B;

  - the integrity and originality (the property of not having been replayed, i.e. not sent more than once) of the authentication token being transferred.

- Two-Way Authentication: Involves, in addition, a reply from B to A and establishes, in addition, the following:

  - that the authentication token generated in the reply was actually generated by B and was intended to be sent to A;

  - the integrity and originality of the authentication token sent in the reply;

  - (optionally) the mutual secrecy of part of the tokens.

Corroboration of identity is often established by demonstrating the possession of a secret key. Authentication may be accomplished by applying symmetric or asymmetric cryptographic techniques.

When using secret (symmetric) keys, corroboration of identity is based on a "shared secret": each party proves knowledge of the key without revealing it, typically by computing a keyed check value over a fresh challenge.

When using public keys (asymmetric), authentication is accomplished based on digital signatures and digital timestamps. Since the digital signature binds the possessor of the private key to a document, and the timestamp (or a nonce chosen by the verifier) can be checked to protect against replays, corroboration of identity can be established by combining a digital signature with a timestamp.
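The one-way and two-way exchanges above, realized with a shared secret, as an added example that is not part of the original text. Each token is a keyed check value (HMAC-SHA256) over the sender's name, the intended recipient's name, a fresh nonce and a timestamp, so the receiver can check every property listed: who generated the token, whom it was meant for, its integrity, and its originality (a nonce cache rejects replays, a time window rejects stale tokens). The token layout, the 60-second window and the party names are assumptions of this demonstration.

```python
"""Added example (not from the original thesis): one-way and two-way
authentication tokens from a shared secret, standard library only.
Token layout, freshness window and names are assumptions of this demo.
"""
import hashlib
import hmac
import secrets
import time

WINDOW = 60  # seconds a one-way token stays acceptable (assumed policy)


def _mac(key: bytes, *fields: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed fields, so boundaries are unambiguous."""
    data = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, data, hashlib.sha256).digest()


class Party:
    def __init__(self, name: str, shared_key: bytes, clock=time.time):
        self.name, self.key, self.clock = name.encode(), shared_key, clock
        self.seen = set()     # nonces already accepted (originality check)
        self.pending = {}     # nonces we issued and still await a reply for

    # ---- one-way: A -> B ---------------------------------------------------
    def make_token(self, peer: str) -> dict:
        nonce, ts = secrets.token_bytes(16), int(self.clock())
        tag = _mac(self.key, b"one-way", self.name, peer.encode(),
                   nonce, ts.to_bytes(8, "big"))
        self.pending[nonce] = peer.encode()
        return {"src": self.name, "dst": peer.encode(), "nonce": nonce, "ts": ts, "tag": tag}

    def accept_token(self, tok: dict) -> str:
        if tok["dst"] != self.name:
            return "reject: not intended for me"
        if abs(int(self.clock()) - tok["ts"]) > WINDOW:
            return "reject: stale"
        if tok["nonce"] in self.seen:
            return "reject: replay"
        expect = _mac(self.key, b"one-way", tok["src"], tok["dst"],
                      tok["nonce"], tok["ts"].to_bytes(8, "big"))
        if not hmac.compare_digest(expect, tok["tag"]):
            return "reject: bad tag"
        self.seen.add(tok["nonce"])
        return "accept"

    # ---- two-way: reply B -> A ---------------------------------------------
    def make_reply(self, tok: dict) -> dict:
        """Call only after accept_token() returned 'accept'."""
        nonce_b = secrets.token_bytes(16)
        tag = _mac(self.key, b"reply", self.name, tok["src"], tok["nonce"], nonce_b)
        return {"src": self.name, "dst": tok["src"], "nonce_a": tok["nonce"],
                "nonce_b": nonce_b, "tag": tag}

    def accept_reply(self, rep: dict) -> str:
        if rep["dst"] != self.name:
            return "reject: not intended for me"
        if self.pending.get(rep["nonce_a"]) != rep["src"]:
            return "reject: unknown or already answered challenge"
        expect = _mac(self.key, b"reply", rep["src"], rep["dst"],
                      rep["nonce_a"], rep["nonce_b"])
        if not hmac.compare_digest(expect, rep["tag"]):
            return "reject: bad tag"
        del self.pending[rep["nonce_a"]]  # each challenge is answered at most once
        return "accept"


def demo(now=1_700_000_000):
    """Run the exchange plus a few attacks; return every verdict."""
    clock = lambda: now
    key = secrets.token_bytes(32)         # constructed shared secret
    alice, bob = Party("Alice", key, clock), Party("Bob", key, clock)
    carol = Party("Carol", key, clock)    # third party holding the same key

    tok = alice.make_token("Bob")
    first = bob.accept_token(tok)                      # one-way authentication
    replay = bob.accept_token(tok)                     # same token a second time
    misdirected = carol.accept_token(tok)              # token was meant for Bob
    tampered = bob.accept_token(dict(tok, nonce=secrets.token_bytes(16)))
    stale = Party("Bob", key, lambda: now + WINDOW + 1).accept_token(alice.make_token("Bob"))

    rep = bob.make_reply(tok)
    reply_ok = alice.accept_reply(rep)                 # completes two-way auth
    reply_again = alice.accept_reply(rep)              # replayed reply
    reflected = bob.accept_reply(dict(rep, src=alice.name, dst=bob.name))
    return dict(first=first, replay=replay, misdirected=misdirected,
                tampered=tampered, stale=stale, reply_ok=reply_ok,
                reply_again=reply_again, reflected=reflected)


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:12s} {v}")
```

Binding both identities and a direction label ("one-way" / "reply") into the check value is what defeats reflection: a token B received cannot be handed back to A, or to a third party holding the same key, as though it were B's own.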

Traffic Flow Confidentiality

Cryptographic protocols are designed to resist attacks on content and also, sometimes, traffic analysis. A specific traffic analysis countermeasure, traffic flow confidentiality, aims to conceal the presence or absence of data and its characteristics (volume, timing, source and destination). This is important because knowledge that communication is taking place can be as useful to an adversary as the content of the communication itself.

If ciphertext is relayed, the address must be in the clear at the relays and gateways. If the data are enciphered only on each link, and are deciphered (and thus made vulnerable) in the relay or gateway, the architecture is said to use link-by-link confidentiality (or encipherment). If only the address (and similar control data) are in the clear in the relay or gateway, the architecture is said to use end-to-end data confidentiality (or encipherment). End-to-end encryption is more desirable from a security point of view, but considerably more complex architecturally.

Furthermore, traffic padding can be used to provide various levels of protection against traffic analysis. This mechanism can be effective only if the traffic is protected by a confidentiality service.

Data Integrity

Data integrity is the property that data has not been altered or destroyed in an unauthorized manner. It is achieved via a computed cryptographic check value, derived in one or more steps as a mathematical function of the cryptovariables (the key) and the data. The check value is associated with the data to be guarded. If it matches the value recomputed by the recipient, data integrity is assumed. Without a secret cryptovariable, a plain checksum detects only accidental corruption, since an attacker who modifies the data can simply recompute it.

Two aspects of data integrity are: the integrity of a single data unit or field, and the integrity of a stream of data units or fields. Determining the integrity of a single data unit involves two processes, one at the sender, and the other at the receiver. The sender appends to the data unit a quantity which is a function of the data itself. This quantity may be supplementary information such as a block code or a cryptographic check value and may itself be enciphered. The receiver generates a corresponding quantity and compares it with the received quantity to determine whether the data has been modified in transit.

Protecting the integrity of a sequence of data units (against misordering, losing, replaying, and inserting or modifying the data) requires additionally some form of explicit ordering such as sequence numbering, time stamping, or cryptographic chaining.
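The two aspects above carried into code, as an added example that is not part of the original text: each data unit carries a sequence number and a keyed check value (HMAC-SHA256) computed over the sequence number, the previous unit's check value and the data, i.e. explicit sequence numbering plus cryptographic chaining. The receiver reports modification, replay, loss or misordering separately. The record layout and field sizes are assumptions of this demonstration.

```python
"""Added example (not from the original thesis): integrity of a stream of
data units via sequence numbers and cryptographic chaining.
Record layout and field sizes are assumptions of this demo.
"""
import hashlib
import hmac


def check_value(key: bytes, seq: int, prev: bytes, data: bytes) -> bytes:
    """Cryptographic check value: keyed function of the cryptovariables and the data.
    For a single data unit (no chaining) pass a fixed `prev`, e.g. 32 zero bytes."""
    msg = seq.to_bytes(8, "big") + prev + len(data).to_bytes(4, "big") + data
    return hmac.new(key, msg, hashlib.sha256).digest()


class Sender:
    def __init__(self, key: bytes):
        self.key, self.seq, self.prev = key, 0, bytes(32)

    def send(self, data: bytes) -> dict:
        cv = check_value(self.key, self.seq, self.prev, data)
        unit = {"seq": self.seq, "data": data, "cv": cv}
        self.seq, self.prev = self.seq + 1, cv   # chain the next unit to this one
        return unit


class Receiver:
    def __init__(self, key: bytes):
        self.key, self.expect, self.prev = key, 0, bytes(32)

    def receive(self, unit: dict) -> str:
        seq = unit["seq"]
        if seq < self.expect:
            return "reject: replay or duplicate"
        if seq > self.expect:
            return f"reject: {seq - self.expect} unit(s) lost or misordered"
        cv = check_value(self.key, seq, self.prev, unit["data"])
        if not hmac.compare_digest(cv, unit["cv"]):
            return "reject: modified or inserted"
        self.expect, self.prev = seq + 1, cv
        return "accept"


def demo():
    """Deliver a constructed four-unit stream with several faults injected."""
    key = b"\x01" * 32                                   # constructed shared key
    s, r = Sender(key), Receiver(key)
    units = [s.send(d) for d in (b"unit0", b"unit1", b"unit2", b"unit3")]
    out = {}
    out["in_order"] = [r.receive(u) for u in units[:2]]
    out["replay"] = r.receive(units[0])                          # old sequence number
    out["modified"] = r.receive(dict(units[2], data=b"unitX"))   # payload changed
    out["reordered"] = r.receive(units[3])                       # arrives before unit 2
    out["inserted"] = r.receive({"seq": 2, "data": b"evil", "cv": units[2]["cv"]})
    out["resumed"] = [r.receive(units[2]), r.receive(units[3])]  # correct order again
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:10s} {v}")
```

Because each check value depends on the previous one, a unit that arrives after a gap cannot be verified until the missing unit is delivered; this is "integrity without recovery" in the sense used below for NLSP, and a protocol wanting recovery must add retransmission on top.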

Key Management

Key management encompasses the generation, distribution, and control of cryptographic keys. It is implied by the use of cryptographic algorithms. Important points to be considered are:

1. The use of a lifetime based on time, use, or other criteria, for each key, defined implicitly or explicitly. The longer a key's lifetime, the greater the probability that it will be compromised by an adversary, and the more data is exposed when it is.

2. The proper identification of keys according to their functions, so that each is used only for its intended function. The greater a key's exposure (to multiple applications), the greater the probability that it will be compromised.

3. Physical distribution and archiving of keys. This is both a logistics and security issue, especially in distributed systems such as WANs.

Points to be considered concerning key management for symmetric key algorithms include:

1. The use of a confidentiality service in the key management protocol.

2. The use of a key hierarchy ("flat" hierarchies using only data-enciphering keys, multilayer key hierarchies, etc.)

3. The division of responsibilities so that no one person has a complete copy of an important key.

For asymmetric key management, confidentiality services are used to convey the secret keys. Additionally an integrity service (or a service with proof of origin) is needed to convey the public keys.
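The first three points above enforced in code, as an added example that is not part of the original text: a key object labelled with the single function it may serve, expiring after a time limit or a number of uses, and never held whole by one custodian. The key bytes are split into n shares (XOR secret sharing, all n shares required) that are handed to separate custodians and combined only at the moment of use, which is one way to realize the division of responsibilities in point 3 of the symmetric-key list. The purpose labels, limits and custodian count are assumptions of this demonstration.

```python
"""Added example (not from the original thesis): key lifetime, key purpose
and split knowledge enforced by a small policy object.
Purpose names, limits and custodian count are assumptions of this demo.
"""
import hashlib
import secrets
import time


class KeyPolicyError(Exception):
    """Raised when a key is used outside its declared function or lifetime."""


class ManagedKey:
    """Policy and metadata for one key; the key bytes are never stored here."""

    def __init__(self, purpose, max_uses, lifetime_s, custodians, fingerprint, clock=time.time):
        self.purpose = purpose                # the single function this key serves
        self.max_uses = max_uses              # lifetime measured in uses
        self.expires = clock() + lifetime_s   # lifetime measured in time
        self.custodians = custodians          # shares needed to reassemble the key
        self.fingerprint = fingerprint        # sha256 of the key, to validate reassembly
        self.clock, self.uses = clock, 0

    @staticmethod
    def split(secret: bytes, n: int) -> list:
        """n-of-n XOR sharing: any n-1 shares reveal nothing about the secret."""
        shares = [secrets.token_bytes(len(secret)) for _ in range(n - 1)]
        last = secret
        for s in shares:
            last = bytes(a ^ b for a, b in zip(last, s))
        return shares + [last]

    @staticmethod
    def combine(shares) -> bytes:
        out = bytes(len(shares[0]))
        for s in shares:
            out = bytes(a ^ b for a, b in zip(out, s))
        return out

    @classmethod
    def generate(cls, purpose, max_uses, lifetime_s, custodians=2, clock=time.time):
        """Create a fresh key; return (policy object, shares to hand to custodians)."""
        raw = secrets.token_bytes(32)
        key = cls(purpose, max_uses, lifetime_s, custodians,
                  hashlib.sha256(raw).digest(), clock)
        return key, cls.split(raw, custodians)

    def use(self, purpose: str, shares) -> bytes:
        """Reassemble the key for one use, after every policy check has passed."""
        if purpose != self.purpose:
            raise KeyPolicyError(f"key is for {self.purpose!r}, not {purpose!r}")
        if self.clock() > self.expires:
            raise KeyPolicyError("key lifetime (time) exceeded")
        if self.uses >= self.max_uses:
            raise KeyPolicyError("key lifetime (use count) exceeded")
        if len(shares) != self.custodians:
            raise KeyPolicyError(f"all {self.custodians} custodian shares required")
        raw = self.combine(shares)
        if hashlib.sha256(raw).digest() != self.fingerprint:
            raise KeyPolicyError("shares do not reconstruct this key")
        self.uses += 1
        return raw


def demo():
    """Exercise each policy rule with a controllable clock; return the outcomes."""
    now = [1_000_000]                                  # constructed clock
    key, shares = ManagedKey.generate("data-enciphering", max_uses=2,
                                      lifetime_s=3600, custodians=3,
                                      clock=lambda: now[0])

    def attempt(purpose, sh):
        try:
            key.use(purpose, sh)
            return "ok"
        except KeyPolicyError as e:
            return str(e)

    out = {"first": attempt("data-enciphering", shares)}
    out["wrong_purpose"] = attempt("message-authentication", shares)
    out["missing_share"] = attempt("data-enciphering", shares[:2])
    out["wrong_share"] = attempt("data-enciphering", shares[:2] + [bytes(32)])
    out["second"] = attempt("data-enciphering", shares)
    out["exhausted"] = attempt("data-enciphering", shares)
    now[0] += 4000                                     # past the 3600 s lifetime
    out["expired"] = attempt("data-enciphering", shares)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:14s} {v}")
```

XOR sharing is the simplest form of split knowledge and requires every custodian to be present; where availability matters a threshold scheme (k-of-n) is used instead, but the enforcement points are the same.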

Access Control

Access control mechanisms are used to enforce a policy of limiting access to a resource to only those users who are authorized. These techniques include the use of access control lists or matrices, passwords, capabilities, and labels, the possession of which may be used to indicate access rights.

Network Layer Security Considerations

Network Layer Security Protocol (NLSP)

NLSP is an international standard that specifies a protocol to be used by end systems and intermediate systems in order to provide security services in the network layer. It is defined by ISO 11577. Much of the material appearing here is from the American National Standards Institute (ANSI) which is the official U.S. representative to ISO.

NLSP specifies a series of services and functional requirements for implementation. The services, as defined in ISO 7498-2 are:

- peer entity authentication.

- data origin authentication.

- access control.

- connection confidentiality.

- connectionless confidentiality.

- traffic flow confidentiality.

- connection integrity without recovery (including data unit integrity, in which individual SDUs on a connection are integrity protected).

- connectionless integrity.

The Procedures of this protocol are defined in terms of:

- requirements on the cryptographic techniques that can be used in an instance of this protocol.

- requirements on the information carried in the security association used in an instance of communication.

Although the degree of protection afforded by some security mechanisms depends on the specific cryptographic techniques used, correct operation of the protocol does not depend on the choice of any particular encipherment or decipherment algorithm; that choice is left as a local matter for the communicating systems.

Furthermore, neither the choice nor the implementation of a specific security policy are within the scope of this international standard. The choice of a specific security policy, and hence the degree of protection that will be achieved, is left as a local matter among the systems that are using a single instance of secure communications. NLSP does not require that multiple instances of secure communications involving a single open system must use the same security protocol.

NLSP supports cryptographic protection either between End Systems (and in this case resembles the Transport Layer Security Protocol - TLSP) or between Intermediate Systems that are located at the borders of security domains. This latter aspect makes NLSP quite appealing to those who would like to provide security services not by securing each and every system in a domain but by forcing all external communications to transit through a small set of secure systems (assuming that communications within the domain need no security services). In this sense, one can see NLSP as supporting (at the domain level) administrative policies (mandatory security) while TLSP is more tuned towards discretionary communication policies.

