Security Volume 96 No

Contents

Telektronikk Feature: Security Volume 96 No. 3 – 2000 ISSN 0085-7130 1 Guest Editorial; Editor: Øyvind Eilertsen Ola Espvik Tel: (+47) 63 84 88 83 2 An Introduction to Cryptography; e-mail: [email protected] Øyvind Eilertsen Status section editor: Per Hjalmar Lehne 10 Advanced Encryption Standard (AES). Encryption for our Grandchildren; Tel: (+47) 63 84 88 26 Lars R. Knudsen e-mail: [email protected] 13 Development of Cryptographic Standards for Telecommunications; Editorial assistant: Leif Nilsen Gunhild Luke Tel: (+47) 63 84 86 52 e-mail: [email protected] 21 Show Me Your Public Key and I will Tell Who You Are; Lise Arneberg Editorial office: Telenor AS, Telenor R&D 26 Security in a Future Mobile Internet; PO Box 83 Henning Wright Hansen and Dole Tandberg N-2027 Kjeller Norway Tel: (+47) 63 84 84 00 34 Mobile Agents and (In-)security; Fax: (+47) 63 81 00 76 Tønnes Brekne e-mail: [email protected] 47 An Overview of Firewall Technologies; Editorial board: Habtamu Abie Ole P. Håkonsen, Senior Executive Vice President. 53 CORBA Firewall Security: Increasing the Security of CORBA Applications; Oddvar Hesjedal, Vice President, R&D. Habtamu Abie Bjørn Løken, Director. 65 Telenor’s Risk Management Model; Erik Wisløff Graphic design: Design Consult AS, Oslo 69 Risk Analysis in Telenor; Layout and illustrations: Erik Wisløff Gunhild Luke, Britt Kjus, Åse Aardal (Telenor R&D)

Prepress: ReclameService as, Oslo

Printing: Optimal as, Oslo

Circulation: 4,000 Guest Editorial

To a certain extent, security has been regarded Although most users are still not concerned with as a matter that should be left to military and the security of services, the awareness is cer- national security interests. With the advent of tainly growing rapidly, and the ability to offer worldwide electronic networks, such miscon- security-enhanced services will become an ever ceptions can be dangerous. Luckily, it is now more important issue for service providers. standard procedure to carry out a risk analysis of all new products and systems before they are Even if the “paper-less office” is still far from put into service. A problem is that security con- becoming a reality, more and more information siderations are often ignored until the product that previously only existed on paper is now is almost finished, when someone remembers: stored on electronic media. While this develop- “Oh, and we need some security”. Security fea- ment makes it easier to share information among tures are among the first to be removed from those who need it in their daily work, it also projects suffering from exceeded budgets. It is increases the potential for outsiders (malicious an important issue to make sure that security is or not) to intrude. Industrial espionage is a threat built into applications from the very beginning. that all competitive companies must consider. Last-minute introduction of security features will generally lead to both higher expenses and In the real world, the so-called “Bribe the secre- poorer security. tary attack” is probably the attack with the lowest complexity of them all, whereas crypto- Apart from the actual physical damage resulting graphic protection often is the strongest link in from a security breach, the loss of goodwill after the chain. Cryptographic security can be quanti- a blearing front page in the tabloid press or a fied (relatively) easily compared to other aspects prime-time news story must not be overlooked. that are much less tangible. Thus, we are in the The latter may actually represent a much more somewhat paradoxical situation that purely aca- serious and long-lasting loss potential. demic weaknesses in otherwise secure cryptographic algorithms get a disproportionate inter- This feature section addresses communication est compared to other security risks. Neverthe- security comprising both the security of the less, with the number of available strong algo- users (security services and security as a value rithms, there is simply no excuse for using weak added service) and the security of e.g. a tele- cryptography. phone operator (security against malicious in- truders, competitors, etc.). Physical security (e.g. barbed wire, locks and fences, but also personnel questions) will generally be left out.

Telektronikk 3.2000 1 An Introduction to Cryptography

ØYVIND EILERTSEN

Cryptography constitutes one of the main building blocks of secure communications. While cryptography historically has been largely a military and diplomatic discipline, the development of electronic communication (e.g. the ubiquitous Internet) and the increased used of computers in almost all layers of society have emphasized the need for secure communication solutions also in the civilian sector. A particularly relevant issue is the so-called “new economy”, including electronic commerce, where the parts involved need cryptographic methods to prove their identity and to protect transactions against unauthorized disclosure and tampering.

Øyvind Eilertsen (34) is Re- The purpose of this article is to present an introduction to some of the basic elements of search Scientist at Telenor R&D, cryptography. We will first look briefly at the history of cryptography and then have a closer Kjeller, where he has worked in look at some cryptosystems that are in use today. We conclude with some remarks about the Security group since 1992. Special interests include cryp- an application of quantum theory with possible far-reaching impact on the future of cryptography and mobile security. tography. [email protected]

1 Some Basic Notions means of some secure key channel. We write The word Cryptology is derived from the Greek the encryption and decryption as follows: words kryptós “hidden” and lógos “word”. Cryp- tology comprises cryptography (from kryptós C = Ek(P) and P = Dk(C) (1) and graphein, “write”), and cryptanalysis (cryp- tós and analyein (“loosen” or “untangle”). Cryp- The adversary E(ve), who is eavesdropping on tography is the science of principles and tech- the insecure channel between Alice and Bob, niques to hide information such that only those does not have access to k and cannot gain any authorized can reveal the content. Cryptanalysis information from the ciphertext. See Figure 1. describes methods of (unauthorized) solving or breaking of cryptographic systems. 1.1 Ciphers and Codes The principal classes of cryptographic systems A cryptographic algorithm or cipher is a system are codes and ciphers. A code is a system where (mapping) where a plaintext is transformed into sentences, words, syllables, letters, or symbols a ciphertext. This transformation is known as are replaced with certain groups of letters or encryption (or encipherment) and is defined by numbers (code groups). The code groups (nor- a key that is known only by the sender and the mally 2–5 letters or figures) are listed in a code- receiver. The inverse mapping is called decryp- book together with the corresponding plaintexts. tion (or decipherment). The idea behind the code can be to hide the message from unauthorized persons, to shorten the Breaking a cipher means disclosing the plaintext message in order to save transmission costs (e.g. without prior knowledge of the key. A perfect telegram expenses; bandwidth), or to translate cipher is impossible to break with any (finite) the message into a form that is suitable for trans- amount of resources. mission (e.g. Morse code). During World War II, the resistance movements in e.g. France and In its simplest form, the setting consists of the Norway received coded broadcast messages two persons A(lice) and B(ob)1) who want to from London where a short sentence had a pre- communicate securely over an insecure channel. arranged meaning. “Jean a un moustache très Alice encrypts the plaintext P into the ciphertext longues” was the code signal sent to the French C by means of the encryption function E and the resistance movement to mobilize their forces key k. Likewise, Bob uses the decryption func- once the Allies had landed on the Normandy tion D with k to decrypt C in order to find P. beaches on D-day. Before the communication can take place, Alice and Bob must have exchanged the key k by In this article we will concentrate on ciphers and discuss codes no further.

1) Alice and Bob were first introduced in [7].

2 Telektronikk 3.2000 1.2 Cryptanalysis Key channel Figure 1 The fundamental While cryptography denotes the search for meth- cryptographic objective ods and algorithms to protect communication against adversaries, cryptanalysis finds weak- Alice Bob nesses in these algorithms (breaks them) to facilitate eavesdropping or counterfeiting. Cryptanal- ysis is not necessarily “evil”; your friendly Eve cryptanalyst can disclose weaknesses in your systems and propose countermeasures. Much cryptologic research is concerned with finding weak points in existing cryptosystems, and then modify them to withstand these attacks. A frequently used method for testing the security The one-time-pad system, where the key and the of computer systems is employing a team of message have the same length, was described by experts with knowledge of security “holes” the American engineer Gilbert S. Vernam in (tiger team), and let them try to break into the 1917. If the key is truly random (e.g. resulting system. from fair coinflips), such a cipher is perfect, as was shown mathematically by Claude Shannon In earlier times, cryptosystems usually depended [9] in 1949. The main drawback with this cipher on the language in which the plaintext was writ- is that the key must be at least as long as the ten. Cryptanalysts employed knowledge of the message, and it must be used only once (hence message language, including the structure, fre- the name). Because of the key exchange prob- quencies of letters and words, and the relation- lem, one-time-pad systems are used only in en- ships between vowels and consonants. The use vironments where security is paramount and the of computers for cryptanalysis has generally messages are rather short. As an example, a one- made such systems obsolete. time-pad system developed by the Norwegian telephone manufacturer STK was used to protect Analysis and breaking of modern cryptosystems the “hot line” between Washington D.C. and require advanced mathematical/statistical meth- Moscow in the 1960s. ods and major computer resources. Typically Terabytes of storage space and operations 2 Some History counted in thousands of MIPS-years are neces- The history of cryptography is probably is old as sary; see e.g. the account of the breaking of RSA the history of writing itself. Of course, during keys in Chapter 3.5. most of the history of writing, the knowledge of writing was enough – there was no need to en- If cryptography is used in a communication sys- crypt messages (or encrypt messages further), tem with a significant number of users, one must because hardly anyone could read them in the assume that the details of a cipher cannot be kept first place. There are a few examples of Egyptian secret. If the security is based on the secrecy of scribes playing around with the hieroglyphic the cipher, the system is said to rely on “security symbols, possibly to attract the curiosity of the through obscurity”, a rather derogatory term readers, much like rebuses. (Considering the within the crypto “community”. This does not problems modern linguists encountered trying to imply that all secret ciphers are insecure, al- read hieroglyphs, one is tempted to say that they though this is a common misunderstanding. were thoroughly encrypted in the first place.) Obviously, it is much more difficult to cryptana- lyze an unknown cipher than a known one, and 2.1 The Caesar Cipher cryptosystems that protect matters of national One of the most well-known ciphers in history security are generally kept secret. is the Caesar cipher, probably employed by the Roman emperor Gaius Julius Caesar. Each letter While considering the security of a cipher, secret in the alphabet is “moved” three places to the or public, it is therefore assumed that an attacker right, so that A is replaced by E, B with F, etc. knows all details of the cipher, except the actual This is an example of a simple substitution key in use. This principle was first stated by the cipher, as each letter in the plaintext is replaced Dutch/French philologist Auguste Kerckhoffs with another letter (monoalphabetic substitu- in his seminal book La cryptographie militaire tion.) (1883), and is known as Kerckhoffs’s principle. In addition, a common assumption is that an The Caesar cipher is a simplified case of the attacker can generate an arbitrary number of linear congruence cipher. If we identify the corresponding pairs of plaintext and ciphertext English letters with the numbers 0–25, encryp- for a given key. This is called a known plaintext tion and decryption is defined as follows: (We attack, or a chosen plaintext attack if the attacker assume the reader is familiar with the modulo can choose which plaintexts to encrypt. notation.)

Telektronikk 3.2000 3 = ⋅ + E(P) a P b (mod 26) 2.3 The Nomenclator D(C) = a ⋅(C − b) (mod 26), (2) The most widely used (indeed almost the only) with aa = 1 (mod 26) method of protecting secret information from the 15th to the 18th century was the nomenclator. A nomenclator is a kind of mix of a codebook and The key is the number pair (a, b), where we have a cipher. It contains hundreds (or even thou- the additional restriction that a must be invert- sands) of letter groups that represent commonly ible modulo 26. This is the case if and only if used words and phrases, typically together with a and 26 have no common factors except 1. We an extended monoalphabetic cipher. write this as gcd(a, 26) = 1, where gcd stands for “greatest common divisor”. The Caesar cipher 2.4 The Rotor and uses a = 1 and b = 3, so unique decryption is Mathematical Cryptanalysis guaranteed. Around 1920 several people independently thought of using electrical versions of the cipher The main problem with a simple substitution disks, so-called rotors. By stacking several cipher is that the statistical variations in the rotors serially, one can construct polyalphabetic plaintext language are still present in the cipher- ciphers with arbitrary complexity. Cipher text. The cipher is therefore easily broken with machines include the Swedish Hagelin and the frequency analysis of single letters, pairs Enigma, which was patented by the German (bigrams) and triples (trigrams) of letters. For engineer Arthur Scherbius in 1918. instance, in ordinary written English, the letter ‘e’ accounts for about 13 % of the letters, the In the 1920s and 1930s rotor machines were pro- letter ‘q’ is always succeeded by ‘u’, and so on. duced commercially in several countries, includ- Obviously, the longer a message is, the more ing USA, Sweden and Germany. The machines substantial the statistical skews. A plain mono- were used by both military and civilians alphabetic substitution that contains more than 40 letters can (almost) always be trivially bro- In the 1930s, growing unrest in Poland over the ken, because only one plaintext is possible. Later German military build-up led to extensive Polish cryptographers introduced countermeasures to efforts to encounter the German cryptosystems statistical analysis, e.g. by letting several cipher- (The Enigma). With help from the French intelli- text letters represent the most common plaintext gence service (and the German spy Hans-Thilo letters. Schmidt [5]) the Poles got the details of the Enigma, and led by the brilliant mathematician 2.2 Polyalphabetic Substitution Marjan Rejewski, they managed to outline the A significantly more advanced method is the principles for breaking the encryption. polyalphabetic cipher, which uses several ciphertext alphabets. Around 1470 (according During World War II, all parties used rotor- to Kahn [4]), Leon Battista Alberti described based cryptographic machinery; the German a “cipher disk” with two concentric circular Enigma (several different models), UK TYPEX metal disks mounted on a common axis. Along and USA SIGABA. The British headquarters of the circumference of each of the disks an alpha- cryptanalysis was located at Bletchley Park bet is outlined; one for the plaintext and one for north of London. Here, up to 12,000 people the ciphertext. By turning the disks, the cipher- worked in the utmost secrecy with the decryp- text alphabet is changed. Alberti’s device can be tion of Enigma cryptograms. Based on the work used to construct polyalphabetic ciphers. Poly- by Rejewski prior to the war, and further devel- alphabetic ciphers were described by Blaise de oped by (among many others) Alan Turing, the Vigenère in 1586 and are often called Vigenère Allied Forces were able to more or less routinely ciphers. break and read German secret communication. It has been argued that this work probably short- The polyalphabetic ciphers were considered ened the war by at least one year. The different unbreakable for almost 400 years, even though parts of the German army used different variants several cryptologists in their writings were close of the original Enigma design. The Wehrmacht, to discover a general method for breaking the Kriegsmarine, Luftwaffe, and the military intelli- ciphers. The method was at last described by the gence (Abwehr) all had their own version of the Prussian officer Friedrich W. Kasiski in 1863. Enigma, which were constructed from the same This did not, however, stop a device principally starting point, but all had their own idiosyn- identical to Alberti’s disk from being patented crasies that had to be dealt with by the Allied in Norway in 1883 under the name “Strømdahls cryptanalysts. kryptograf”. This device was used in the Norwe- gian defence up to the Second World War. Simi- The Enigma was (principally) used for encryp- lar systems were used by the US Signal Corps in tion of Morse traffic. In addition, the Germans 1914. used the cipher machines SZ 40 and 42 (Schlüs-

4 Telektronikk 3.2000 selzusatz) for teletype traffic, as well as the 3.1 The Data Encryption Standard Siemens T 52 Geheimschreiber. At Bletchley To keep up with the need to protect banking, Park, the foundation of modern electronic com- health, and other sensitive communication, while puting was laid down. The first electronic com- allowing intercommunication, the US govern- puter (“Colossus”) was constructed to break the ment moved to make public a cryptosystem. The German Lorenz cipher. National Bureau of Standards (now the National Institute of Science and Technology or NIST) In USA, the Japanese ciphers (dubbed RED, invited interested parties to offer candidates. BLUE and PURPLE by the Americans) were A handful of algorithms were presented, and routinely broken from the mid-1930s. The after a period of scrutiny and adaptions, the Data American ability to read Japanese secret com- Encryption Standard was published in 1976. munication probably had significant influence on the outcome of the war in the Pacific, e.g. The winning algorithm was based on an algo- the battle of Midway. rithm called Lucifer from Horst Feistel of IBM. The 128 bit key of the original design was After World War II, the British government dis- reduced to 56 bits, and additional so-called S- pensed Enigma-type cipher machines to several boxes were introduced. The adaptions were sug- former colonies (India, Pakistan, etc.), but the gested by the National Security Agency (NSA), recipients did not know that the cryptography and this immediately caused great controversy. could be broken. This was not generally known Non-governmental cryptographers maintained until the end of the 1960s. (Actually, the fact that the NSA either had deliberately weakened that German Enigma messages were being bro- the algorithm by reducing the key size to a ken and read by the Allies was not published breakable level, or that they had incorporated until 1974 [12].) a “trap door” that enabled the NSA to easily break ciphertexts. 3 Computers and Modern Cryptography: Crypto No substantial evidence was presented, however, goes Public and DES was published as a Federal Standard The electronic computer has had an enormous for “un-classified government communication” impact on cryptography. As we have seen, the in January 1977. DES was also adopted by the first electronic computer was developed speci- American National Standards Institute (ANSI) fically for cryptographic purposes. for use in the private sector in USA, and by ISO as an International Standard for protection of On the one hand, the computer and the interna- banking communication (ISO 8730 and 8732). tional communication networks (e.g. the Inter- net) make it possible to move data around the 3.1.1 The DES Key globe in seconds. On the other hand, this inter- DES is by far the most widespread and also the connectivity opens new possibilities for fraud. most publicly analyzed algorithm. No traces of trap doors or deliberate weakening have been In a time when all banking orders were sent as found, but with the rapid development of com- tangible pieces of paper, a fraudster needed to puting power the 56 bit key is now under serious get hold of the specific piece of paper. When the attack. order is sent electronically, however, the fraudster may sit in a different part of the world but In 1998 The Electronic Frontier Foundation nevertheless have access to the data. (EFF) presented their DES breaking machine called “Deep Crack”. With this hardware device, An interesting scenario is a thief stealing very it was possible to check all the 256 ≈ 7.2 ⋅ 1016 small amounts of money from a very large num- keys in less than 72 hours. To counter this type ber of victims, a so-called “salami attack”. If the of attack, the newest version of the DES stan- amounts are sufficiently small, the victims will dard [3] recommends only use of triple-DES. not notice, but the grand total will be significant, In this scheme, three instances of the original because the number of victims is so large. It is DES algorithm is used as follows: e.g. conceivable that a thief may collect fractions of cents from interest calculations. This scenario C = EK3(DK2(EK1(P))) (3) has often been cited, but it is not known to have occurred. A less subtle variation is actually The sequence encryption-decryption-encryption transferring small amounts from accounts in the was chosen to facilitate interoperability with hope that the victims will not notice until their older DES implementations; if K1 = K2 = K3 next account statement, at which time the thief equation (3) reduces to simple DES encryption. is long gone. A common variation is letting K1 = K3, giving a key size of 2 ⋅ 56 = 112 bits.

Telektronikk 3.2000 5 In 1997, NIST initiated the process of finding a 3.3 Building a (Symmetric) successor to DES, known as the Advance En- Block Cipher cryption Standard (AES). The selection process Obviously, an encryption function E must be for AES is the theme of an article by Lars Knud- complex, preventing unauthorized reversal of the sen in this issue of Telektronikk. transformation. Modern block ciphers achieve this goal by combining simple functions in 3.2 Stream Ciphers and clever ways. Block Ciphers Symmetric algorithms are usually divided into 3.3.1 Confusion and Diffusion block and stream ciphers. Ciphers are based on two basic techniques (operations); transpositions and substitutions. A A block cipher breaks the plaintext message into transposition changes the order of the symbols strings (blocks) of a fixed length (the block (permutation), without changing the symbols length and encrypts one block at a time. With a themselves. In a substitution, each symbol is given key, a pure block cipher will always pro- replaced by another symbol (from the same duce the same ciphertext from a given plaintext. or some other alphabet). In many applications this is not a favourable feature, and some kind of feedback must be intro- 3.3.2 Product Ciphers duced. Almost all modern block ciphers are product ciphers. The idea is to build a complex encryp- A stream cipher produces a key stream k1k2k3 ... tion function by composing several simple func- The key stream is combined with plaintext tions, each offering some, but not adequate, pro- stream p1p2p3 ... using a simple transformation E tection. The simple functions are then combined and producing the ciphertext C = c1c2c3 ..., with in such a way that the combination is more ci = E(pi, ki). Usually, E is the XOR operation, i.e. secure than the individual components. Basic operations include transpositions, linear transfor- ⊕ ⊕ ⊕ c1 = p1 k1, c2 = p2 k2, c3 = p3 k3 ... mations, arithmetic operations, modular multi- plications and simple substitutions. In a synchronous stream cipher, the sender and the receiver must be synchronized to allow for 3.3.3 Iterated Ciphers correct decryption. This means that they must An iterated block cipher involves a sequential use the same key stream and operate at the same repetition of an internal function called a round position in that key stream. If the synchroniza- function. Let F be the round function, r the num- tion is lost, decryption will fail, and re-synchro- ber of rounds, and let Ti be the temporary output nization, e.g. re-initialization of the stream of the round function. Then we get these equa- cipher is necessary. tions:

In contrast, in a self-synchronizing stream cipher T1 = F(T0, K1) the key stream is generated as a function of the T2 = F(T1, K2) . encryption key and a fixed number of previous . key stream bits. If ciphertext bits are deleted or . inserted, only a fixed number of plaintext bits Tr = F(Tr-1, Kr) will come out garbled before the synchronization is re-established. The plaintext is the input to the first round (T0), and the ciphertext is the output from the last (rth) Most stream ciphers are based on linear feed- round (Tr). The Ki are the round-keys that are back shift registers, a structure very well suited derived from the encryption key K according for fast hardware implementations. The ciphers to the key scheduling. In order to make unique that protect the confidentiality of the radio com- decryption possible, the round function must munication in GSM and UMTS are both stream be a bijection for all round-keys Ki. ciphers. 3.3.4 Feistel Ciphers The difference between stream ciphers and block A Feistel cipher is an r-round iterated block ciphers is a bit “academic”. Observe that a cipher with block length 2t. The plaintext is the stream cipher may be considered a block cipher ordered pair (L0, R0), where the t-bit values L0 with block length 1. On the other hand, there are and R0 represent the left and right half-block, standardized modes of operation that turn a respectively. In each round i, 1 ≤ i ≤ r, (Li-1, Ri-1) block cipher into a stream cipher. is mapped to (Li, Ri) as follows:

6 Telektronikk 3.2000 ⊕ Li = Ri-1, Ri = Li-1 F(Ri-1, Ki) (4) early as 1970; see [2]. This work was, however, not made available to the non-governmental where Ki is the round-key of round i. DES is an crypto-community until 1997. example of a Feistel cipher. In a traditional (symmetric) cipher, the sender 3.3.5 Round Keys (Key Scheduling) and the receiver must have access to a common, In the round function, the output of the last secret key. This key must be distributed in a round is mixed with the current round-key. secure way before the communication takes Typically, these entities are approximately place. In an asymmetric cipher, each user has a equal in length, i.e. equal to the block length. private and a public key. Asymmetric ciphers are therefore often called public key ciphers. In The encryption key must be expanded (typically principle there is a distinction here, as it is con- r-fold). Ideally, all round-key bits should be ceivable to have an asymmetric cipher without dependent on all encryption key bits to maintain public keys. The distinction is, however, some- maximal entropy. The expansion of the encryp- what academic, and no secret-key asymmetric tion key to round keys is known as key schedul- cipher has been published, so we will treat these ing. as synonyms. The private key is only known to the user (it is called “private” rather than 3.3.6 S-boxes “secret” in order to avoid confusion with sym- An m × n substitution box or S-box is a mapping metric ciphers), while the public key is broadcast that takes an m-bit input and returns an n-bit out- to all parties the user wants to communicate put. A one-to-one n × n S-box is a permutation. securely with.

S is non-linear if for two numbers a and b, where A message that is encrypted with a public key a ≠ b, S(a) ⊕ S(b) is not equal to S(a ⊕ b). S- can only be decrypted with the corresponding boxes are typically used to provide non-linearity private key, and vice versa. Knowledge of a pri- (often they are only non-linear operations in an vate key shall not make it possible to reconstruct encryption algorithm), and are thus very impor- the corresponding private key. tant. 3.4.1 Usage A number of criteria for selection (generation) Assume that Alice wants to send a confidential and testing of S-boxes have been proposed, i.e. message to Bob. Alice encrypts the message the strict avalanche criterion (SAC), which states with Bob’s public key. Now only somebody who that flipping one input bit should cause a change has access to Bob’s private key (presumably in (on average) 50 % of the output bits. only Bob) can decrypt and read the message.

S-boxes are generally visualized and imple- Assume on the other hand that Alice does not mented as look-up tables, but some may addi- care about secrecy, but she wants every reader of tionally be computed arithmetically. Smart-card the message to be sure that Alice is the source. implementations of look-up tables are vulnerable She then encrypts the message with her own pri- to power attacks (attacks that measure power vate key. Now everybody with knowledge of consumption on the chip when performing en- Alice’s public key can read the message. In addi- cryption). Countermeasures to power attacks tion, since the message can be decrypted with include duplicating the look-up tables in RAM; Alice’s public key, only Alice can have en- thus large S-boxes are more difficult to protect crypted it. This is a kind of electronic signature. than small ones. If an S-box can be implemented Alice can combine these features by first en- arithmetically, protection against power attacks crypting the message with her own private key, becomes much easier. and then encrypt the result with Bob’s public key. Now only Bob can decrypt and read the 3.4 Public Keys message, and he can be convinced that Alice In 1976, Diffie, Merkle, and Hellman described is the source. the principles for asymmetric or public key cryptography. The principle is to use different keys Asymmetric ciphers are typically much slower for encryption and decryption, thereby avoiding than symmetric. Hybrid systems are common, some key management problems. In addition, where messages are encrypted with a symmetric asymmetric cryptography presents the ability cipher, while the (symmetric) key(s) are pro- to make digital signatures, with approximately tected with an asymmetric cipher. An efficient the same features as ordinary hand-written sig- variation of the digital signature above, is to natures. It has turned out that researchers at the generate a hash value (or checksum) of the mes- British Communications-Electronics Security sage, encrypt it with one’s private key and send Group (CESG) discovered these principle as it together with the message. A recipient can

Telektronikk 3.2000 7 decrypt the signed hash value, recompute the tions were done on a Cray supercomputer. The hash value of the received message, and com- total amount of CPU time was estimated to 8000 pare the two values. MIPS-years.

3.5 RSA Most applications now use 1024 bit RSA keys. While there is a large theory on the construction Compared to a 512-bit key, factorization of a of symmetric ciphers (see Chapter 3.3), no gen- 1024 bit key will demand an increase in CPU eral method is known for construction of asym- time by a factor 5 ⋅ 106 and in RAM capacity metric ciphers. Existing asymmetric ciphers are by a factor of at least 6 ⋅ 103. based on suitable mathematical problems, of which discrete logarithms and integer factoriza- 4 A Quantum Future? tion have shown the most promising results. The David Kahn notes in [4] that “The war of cryp- most widespread public key cryptographic algo- tographer against the cryptanalyst has been won rithm is RSA, which was published in 1978 by by the cryptographer.” Rivest, Shamir and Adleman [7]. (The algorithm is obviously named after its inventors.) The He argues that present-day ciphers are so diffi- security of RSA is based on the intractability of cult to break, even with enormous amounts of integer factorization. computing power, because of the exponential nature of the work factor (rule of thumb: When 3.5.1 The Algorithm the cryptographer does twice as many calcula- To construct an RSA public/private key pair, tions, the work factor of the cryptanalyst is Alice finds two large prime numbers p and q and squared.) A so-called quantum computer may chooses a number e. The public key consists of actually reduce the work of the cryptanalyst the pair (m, e), where m = p ⋅ q. Typical values from exponential to linear again. As an example, for e are 3, 17, and 65537. Alice then solves the an efficient factorization algorithm is described equation in [10]. Whether a quantum computer will ever be built is quite another matter. Today, this e ⋅ d ≡ 1 (mod (p – 1) (q – 1)) (5) “beast” is well outside the range of practical implementations, even if reports pop up from with respect to d. The private key is d, together time to time. with p and q. Encryption and decryption is done by computing powers modulo m: On the other hand, quantum key distribution utilises the uncertainty principle to provide key C ≡ Pe (mod m) and P ≡ Cd ≡ Ped (mod m) (6) distribution between two parties with no prior common (secret) key [1]. If the parties have The decryption works because ed = k(p – 1) access to a separate channel with only a passive (q – 1) + 1 for some integer k, and by Euler’s adversary (i.e. the adversary cannot actively theorem influence on the signals), the key distribution as provably secure, even against adversaries with P(p-1)(q-1) ≡ 1 (mod pq) (7) unlimited computing power.

If an adversary (Eve) can factor the modulus m 5 Suggested Further Reading to find the prime numbers p and q, she can easily David Kahn’s The Codebreakers [4] is the major solve equation (5) and find the private key d. work on the history of cryptography up to the Presently, no efficient method of integer factor- 1960s. However, it was first published before ization is known, but it has not been proved that the details of the Enigma solutions were pub- no such algorithm exists. It is not proved that lished. These events are the theme of a large integer factorization is necessary for breaking number of accounts, including Kahn’s Seizing RSA, but no other efficient attacks are known, the Enigma [5] and Gordon Welchman’s The except in very theoretical cases. Boneh and Hut Six Story [11]. Venkatesan [13] present strong evidence that breaking low-exponent RSA cannot be equiva- Much of the theoretical background of modern lent to factoring. ciphers was laid down by Claude Shannon in the papers A Mathematical Theory of Communica- As of today, the largest RSA modulus whose tion [8] and Communication Theory of Secrecy factorization has been published had 155 digits Systems [9]. The most comprehensive work on (512 bits). The main part of the work was done present-day cryptography is the Handbook of using a network of 285 workstations and PCs, Applied Cryptography [6] by Menezes et al. running for 3.5 months, while the final calcula-

8 Telektronikk 3.2000 References 1 Bennett, C et al. Quantum cryptography, or unforgeable subway tokens. In: Advances in Cryptology – Proceedings of CRYPTO’82, 1983, 267–275.

2 Ellis, J H. The Possibility of Secure Non- secret Digital Encryption. January 1970. (CESG report.)

3 NIST. Data Encryption Standard (DES). Federal information processing standards publication. 1999. (FIPS PUB 46-3.)

4 Kahn, D. The Codebreakers. [Rev. ed.] New York, Scribner, 1996.

5 Kahn, D. Seizing the Enigma. London, Arrow Books, 1996.

6 Menezes, A J, van Oorschot, P C, Vanstone, S A. Handbook of applied cryptography. London, CRC Press, 1997.

7 Rivest, R L, Shamir, A, Adleman, L. A method for obtaining digital signatures and public key cryptosystems. CACM, 21 (2), 120–126, 1978.

8 Shannon, C E. A mathematical theory of communication. The Bell System Technical Journal, 27, 379–423, 1948.

9 Shannon, C E. Communication theory of secrecy systems. The Bell System Technical Journal, 28, 656–715, 1949.

10 Shor, P W. Algorithms for quantum computation : Discrete log and factoring. In: Pro- ceedings of the 35th FOCS, Los Alamitos, 116. IEEE Computer Society Press, 1949.

11 Welchman, G. The Hut Six Story. M&M Baldwin, 1997. ISBN 0947712348.

12 Winterbotham, F W. The Ultra Secret. London, Weidenfeld and Nicholson, 1974.

13 Boneh, D, Venkatesan, R. Breaking RSA may not be equivalent to factoring. In: Advances in Cryptology – EUROCRYPT’98, 57–71, 1998.

Telektronikk 3.2000 9 Advanced Encryption Standard (AES). Encryption for our Grandchildren

LARS R. KNUDSEN

Introduction With a few encrypted messages on hand, one Encryption used to be something which only the can simply decrypt these under all possible val- secret services and military had a real interest in ues of the key. The value of the key which yields and which private citizens only knew from some meaningful messages is with a high proba- crosswords and puzzles in Sunday newspapers. bility the correct one, and the system is broken. Today encryption is an important part of the information society. Outside of the secret ser- Technical Detail vices the interest in encryption started to blos- In a cryptosystem the message is always first som at the end of the 1970s. converted to a number. This number is then

Lars R. Knudsen (38) is Profes- encrypted by applying some mathematical or sor at the Institute of Informatics First, IBM (International Business Machines) non-mathematical operations to it, and the at the University of Bergen. He developed the cryptosystem Lucifer, which later resulting number is then transformed back to received his M.Sc. and Ph.D. degrees in computer science was adapted as a US Federal Information Pro- cipher-text. The numbers are represented in the and mathematics from Aarhus cessing Standard, although slightly modified. binary number system, that is, a number is either University, Denmark, in 1992, This standard was published in January 1977 a zero or a one. As an example, the number 17 respectively 1994. He has written numerous scientific papers as the DES (Data Encryption Standard) and is in the decimal number system (the one we use in the area of cryptology and is today probably the most used encryption system normally) is 10001 in the binary number system. regarded a world expert in block in the world (at least outside of the secret ser- The symbols in the binary number system are cipher encryption algorithms. vices). The system is a so-called secret-key cryp- called bits. [email protected] tosystem, where the same information, or key, is used to encipher (or encrypt) and decipher (or AES – Advanced Encryption decrypt) the messages. Standard In 1997 the American National Institute for Second, the researchers Whitfield Diffie and Standards and Technology (NIST) decided that Martin Hellman discovered (or re-discovered1)) it was time to find a substitute for the DES. Sur- so-called public-key cryptography, where the prisingly (at least to this author) NIST invited secret key is split into two parts, a public part parties from all over the world to participate in and a secret part. The public part of the key is this process and announced a call-for-candidates made available to everyone; the secret part stays for the Advanced Encryption Standard (AES). secret with one party. The public key can be The conditions for the competition were many used by everyone to encrypt a message, while and included a whole range of documentation the secret key can be used to decrypt the cipher- requirements and test results. text and restore the message. The most important requirements for the system The differences between today’s secret-key and are that there must not be any trapdoors (short- public-key cryptosystems are many, but there is cuts), and that the best attack against the system a need for both of them. Even though the DES is the trivial one of trying all keys one by one. A has withstood almost 25 years of cryptanalytic more specific requirement is that the secret keys attempts to find shortcuts in the algorithm by must be of length of at least 128 bits. This means cryptanalysts from all over the world, time is that there will be at least 2128 different keys, running out for the algorithm. The main problem which is about 1039. The above mentioned spe- is that the DES was designed to accept keys of cial-purpose built machines to try all keys one only 56 bits, which means that there are 256 ≈ by one will not have a chance of being applica- 1017 different keys. Even though this number ble in practice before 2030 – 2040, or probably may seem huge, (as an example, 256 seconds are even later. about 2 billion years), it is small enough to enable the design of special-purpose built hard- NIST also invited the world’s cryptanalysts to ware, which can run through all possible values participate in the process. The goal of NIST is of the key in a very short time. In 1998 it was that the whole process be as open as it can be, estimated that an attacker who is willing to and that all aspects of the design and analysis invest one million US dollars, could try all val- are made public. ues of the key, one by one, in just half an hour!

1) The English intelligence service claims that they invented the public-key techniques around the same time.

10 Telektronikk 3.2000 The deadline for submitting candidates to the AES around and mixed. This recipe is then repeated a was June 15, 1998. Out of a total of 21 submis- sufficient number of times, until the resulting sions, six were discarded because of incomplete ciphertext looks like total gibberish (and often documentation. Of the remaining 15, five are from more than that). the USA, two from Canada, there is one candidate each from Australia, Belgium, Costa Rica, France, Serpent is constructed as above and has 32 itera- Japan, Korea, and Germany, and then a multi- tions or layers. In each layer the 128-bit text is national candidate from Denmark, United King- split into 32 smaller parts of four bits each. The dom and Israel. This author represents the Scandi- four bits are input to a small S-box, which again navian colours in this competition. returns four (other bits). Then the 32 blocks of four bits are concatenated (put together) and the After one year of gathering information about 128 bits are mixed using a permutation. The nice the 15 candidates NIST decided in August 1999 feature of Serpent is that the 32 S-box evalua- to pick five candidates for a final and last round. tions can be done in parallel. Most computers This author was involved in the breaking of two today operate on 32-bit words, which enables us of the 15 candidates and in the finding of serious to look up 32 S-box values in parallel; that is, on weaknesses in a third candidate. The five candi- computers with just one processor. This means dates for the final round are in alphabetical that the 32 look-ups are much faster than doing order. 32 conventional look-ups. On 8-bit processors • MARS by IBM, USA; it is possible to do eight evaluations in parallel. • RC6 by RSA Inc., USA; The substitutions and permutations are well cho- • Rijndael by researchers from Belgium; sen, such that all known attacks on block cipher • Serpent by researchers from Denmark, UK, have to give up after 7 to 9 layers. Therefore Israel; there is a big safety margin in Serpent, big • Twofish by Counterpane, USA. enough to handle even considerable improvements in the known techniques. In April 2000 the last conference on the AES took place in New York, USA, and May 15, On the average PC Serpent is not the fastest 2000 was the deadline for sending in comments algorithm of the final five candidates left in the and analysis of the five candidates. NIST ex- competition. On the other hand, on other plat- pects to announce the winner(s) some time in forms, e.g. in smart card applications, Serpent is the year 2000. one of the fastest; also in hardware Serpent is the fastest of the five. The great advantage of Ser- Serpent pent is that the safety margin protecting against Serpent is a snake; the idea is that Serpent will future cryptanalytic improvements is the largest slither away from all cryptanalytic attacks. My of all five candidates. co-authors on Serpent are Ross Anderson from Cambridge University in England and Eli Biham Licenses? from Technion University in Haifa, Israel. The One of the great properties of the AES, apart first version of Serpent (later called Serpent-0) from high security (if Serpent is chosen!) is that was developed in 1997 and presented at a con- the system must be royalty free and free to use ference on encryption in Paris, March 1998. The for everybody all over the world. It was a con- version we submitted to NIST, called Serpent, is dition to participate in the competition that all a slightly modified version of Serpent-0. Today patents and rights were waived, in case the algo- (July 2000) no one has managed to find any rithm should be selected for the AES. weaknesses of any kind in Serpent. Hidden Trapdoors Secret-key cryptosystems are traditionally con- One of the favourite subjects in the boulevard structed by running the message through several press when it comes to encryption system is hid- so-called substitutions and permutations depen- den trapdoors. As an example, when the DES dent on the value of the secret key. Substitutions was first published there was a lot of debate on are also sometimes called S-boxes and are often the possibility that the American government implemented in terms of a look-up table, which had put in a trapdoor enabling them to read for every input specifies the function value. The encrypted traffic without knowing the secret advantage of this approach is that it is relatively key. However, I am convinced that no such trap- easy to choose and use functions with complex door exists for the DES, and I guarantee that no mathematical formulae. Permutations are often such trapdoors have been put into Serpent. It is simple functions which permute (or re-order) the very hard to break the encryption systems which bits of the messages typically, one uses a set of are constructed according to the state-of-the-art, small substitutions each modifying a small piece but it is even more difficult in my opinion to put of the message, but such that the whole text is a trapdoor into a public cryptosystem without modified. Subsequently, the pieces are moved being detected.

Telektronikk 3.2000 11 Table 1 Timetable for AES 01/97 Announcement of AES going to choose several candidates for the stan- 04/97 First workshop in Washington, USA dard. The advantage of this is that the users get 06/98 Deadline for submission of candi- more flexibility, since one scheme could be bet- dates ter suited for a certain platform or application 08/98 First AES conference in Ventura, USA, with presentation of candidates and another scheme for some other platform or application. Furthermore, with several algo- 03/99 Second AES conference in Rome, Italy rithms, one would be able to switch from one 08/99 NIST announces the five candidates algorithm to another in case the first one should for the final become vulnerable to some cryptanalytic attack. 04/00 Third and last AES conference in This would save us having to go through a long New York, USA tedious process like the one for the AES will be. ??/00 Announcement of the AES winner(s) The disadvantage of having more than one algorithm is that not everyone would use the same and that the AES therefore should not become On the Need of Encryption as popular as the DES. There are applications, In a modern society when we send a (conven- e.g. smart cards, where it is not feasible to tional) letter, we expect that only the intended implement more than one encryption system. recipient can open the letter and read it. Like- wise, we probably expect that documents on our NIST claims that they will consider all submit- desk are inaccessible to the public. It ought to be ted attacks and comments, and that the whole exactly the same for electronic information, no process will be open to the public. This is proba- matter if it is sent over a public channel or if it is bly true but with one small modification. I think stored on a hard disk. I say “ought to”, because it is very likely that NIST will receive input I do not think that this is the case today, unfortu- from the NSA (the National Security Agency). nately. By far the most electronic mail (e-mail) This input will probably not be accessible to the is sent in clear text today, which at least in prin- public. There is of course also politics involved ciple makes it accessible to everyone. And how in the AES. Is it likely that NIST will choose a many people encrypt the data on their hard disk? non-American algorithm for a federal American Encryption does not require a change in attitude, standard? I do not know, but I think that if NIST I think, since I believe everyone would use it for chooses more than one algorithm, a non-Ameri- both the above purposes, if all it took was to can algorithm will be one of them. press a button on a screen. I am perfectly aware that the existence of a good encryption system is NIST does not have the means to pay money to not sufficient to enable secure e-mail communi- any of the designers and analysts. Also, the win- cation. One needs to solve the problem of how ner(s) will not receive any direct monetary bene- do the sender and receiver share a secret key fit from NIST. All the work of the submitters between them such that no one else knows it? and people who have spent hours analysing the This is not a trivial problem, but there are known candidates is unpaid and voluntary. solutions. Why do we do it then? I guess we do it for the And the Winner is ... fame and recognition one would get in case Who knows? NIST will decide sometime this one’s algorithm is selected or even being among year (2000). There are rumours that NIST is the final five. Also, the AES is a chance to give a good encryption algorithm royalty-free to people from all over the world, and to our children Name Country and grandchildren. Cast256 (Canada) Crypton (Korea) More Information Deal (Canada) More information can be found at the official DFC (France) AES-site http://www.nist.gov/aes; or my site E2 (Japan) http://www.ii.uib.no/~larsr/aes.html, or my Ser- Frog (Costa Rica) pent-page http://www.ii.uib.no/~larsr/serpent. HPC (USA) Loki97 (Australia) Feature Editor’s Note: Magenta (Germany) On October 2, 2000, NIST announced that the Belgian algorithm Rijndael is the winner of the Mars (USA) AES contest. NIST said that Rijndael was cho- RC6 (USA) sen because of its combination of security, per- Rijndael (Belgium) Table 2 The 15 AES formance, efficiency, ease of implementation Safer+ (USA) candidates. The underlined and flexibility. NIST tentatively expects the AES algorithms are the final five Serpent (Denmark/England/Israel) standard to become official in April – June 2001. candidates Twofish (USA)

12 Telektronikk 3.2000 Development of Cryptographic Standards for Telecommunications

LEIF NILSEN

The development of secure information systems encompasses the use of system technical security solutions based on cryptographic techniques. The article provides a basic tutorial on cryptographic algorithms and describes the development of cryptographic standards for use in telecommunications. We review the set of algorithms that has been developed for dedicated use within ETSI standards. This development has been targeted to balance divergent technical and political requirements and has produced a variety of system specific solutions. The article also includes a survey of the most influent standardisation initiatives for general- purpose cryptographic algorithms.

Leif Nilsen (48) is Senior Cryp- tologist with Thomson-CSF Nor- com AS and Associate Profes- sor at the University of Oslo 1 Introduction systems, see D. Kahn [2]. In this paper we will Graduate Studies at Kjeller Moving towards an information society where discuss several issues related to the development (UNIK). He is working with infor- we see a rapid integration of information systems and use of cryptographic standards with empha- mation security, cryptographic algorithms and key management and communication systems, more and more of sis on their use in telecommunication systems. systems. He is Norwegian ex- public, industrial and private business take place pert to ISO/IEC JTC1/ SC27 in an open, distributed and digital marketplace. 2 Basic Model of a and member of ETSI/SAGE. This trend implies an increasing need for secu- Cryptographic System [email protected] rity services for protection of both user data and In order to give some tutorial background to how network management data. The ISO Security cryptography is used in a communication sys- Architecture [1] defines the following set of tem, we will briefly discuss the basic model of security services and also specifies at which a cryptographic system as shown in Figure 1. layer of the communication protocol the service should or could be implemented: The sender A wants to send the message M to the receiver B. The communication will take place • Peer Entity Authentication over an insecure channel, where an eavesdropper • Access Control Z may listen and get unauthorised access to the • Connectionless Confidentiality information passing over the channel. • Connection Integrity with Recovery • Non-Repudiation By applying the encryption device Enc, the • Data Origin Authentication entity A transforms the message M, often called • Connection Confidentiality the plaintext, into an unintelligible message C, • Traffic Flow Confidentiality called ciphertext, under the control of the en- • Connectionless Integrity. cryption key KE. The receiver B has the corresponding decryption key KD and is able to The use of encryption algorithms is a basic tech- recover the plaintext M from the ciphertext nique for the implementation of several of the C using the decryption device Dec. services mentioned above, even if the traditional use of cryptography has been to provide infor- In a symmetric cryptosystem KE = KD and the mation confidentiality. For an excellent histori- exchange of keys has to take place over a confi- cal overview of the use and importance of crypto dential key channel. In an asymmetric crypto

Key channel KE KD

MC M A Enc Dec B

Figure 1 Basic model of a Z cryptographic system

Telektronikk 3.2000 13 different modes as defined by the international Stream Stream K K cipher cipher standard ISO/IEC IS 10116 [4]. By operating a algorithm algorithm block cipher in Cipher Feedback Mode (CBC) or Output Feedback Mode (OFB), a block cipher ki ki behaves like a stream cipher. There are also stan- mi ci mi dardised methods for using a block cipher to compute Message Authentication Codes (MAC) [5] and for hashing operations [6]. This means that a strong and efficient block cipher is a handy tool for implementation of several security services. The general principle for a block Figure 2 Principles for system (also called public key system), it is cipher is shown in Figure 3. synchronous stream cipher impossible to find KD from knowledge of KE and the encryption key can be a public parameter The strength of a cryptographic system relies belonging to the entity B. In this case there is a heavily on the two components, the encryption need for an authenticated key channel from B to algorithm and the key management system; nei- A. Current systems often solve this distribution ther is simple to design. For the encryption algo- problem using certificates and a Public Key rithm several security requirements can be sum- Infrastructure (PKI). marised in the following: Without knowledge of the secret key, it shall be impossible for an For symmetric systems, the algorithm defining attacker to find the plaintext, given the cipher- the encryption/decryption transformation can text; or from known plaintext/ciphertext pairs to either be a block cipher or a stream cipher de- find the secret key. This means that the security pending on the use of internal memory in the of the system does not depend on the secrecy of encrypting device. the algorithm itself. When an algorithm is analysed, it is important to assume that the opponent A stream cipher breaks the plaintext message has detailed information about the specifications. into successive characters or bits m1, m2, ... mn and encrypts each mi with the i’th element of a 3 The Strength of key stream k1, k2, ... kn derived from the basic Cryptographic Algorithms key K and optionally an additional message key. Cryptographic algorithms are fundamentally Most stream ciphers operate bitwise by adding different from other algorithms with respect the message bit and the key stream bit modulo 2, to their intended goal. Normally an algorithm is ⊕ i.e. ci = mi ki. The receiver can now recover designed to solve a specific problem like error the plaintext bit mi from the ciphertext bit ci by correction or finding a path through a complex adding with the corresponding key stream bit ki. network. We are then normally able to prove Note that this requires full bit synchronisation that the algorithm solves the problem com- between the encrypting and decrypting devices. pletely, even if other and more efficient algo- The general principles for a stream cipher are rithms may be found. As long as we can meet shown in Figure 2. operational requirements, the algorithm will continue to do its job and it will never be A block cipher breaks the plaintext message into “worn out” or “broken”. successive blocks M1, M2, ..., Mn and encrypts each block using the same key K. A typical The goal of an encryption algorithm is to protect block length is 64 or 128 bits. For a fixed key information against all possible attacks of known K, the cryptographic transformation can then be and unknown enemies. Even if we are able to seen as a permutation on the set of all possible prove that an algorithm is resistant to a specific blocks. The US Data Encryption Standard DES attack, we can never be sure that it can withstand [3] is a well-known example of a block cipher a novel attack tomorrow. Perhaps we can design Figure 3 Principles for using a 56 bits key and operating on 64 bits data an algorithm that is secure against the computa- block cipher blocks. Note that a block cipher can operate in tional power of a single enterprise. With the current growth in processing power, the same algorithm could be vulnerable to governmental agencies and dedicated hardware in a few years’ time. We see today that some of the most mod- K K ern and secure crypto systems will be easy tasks for new computational models like DNA computing [7] and quantum computing [8].

M Block C Block M A theoretical foundation for cryptographic sys- cipher cipher tems may be based on information theory or encryption decryption computational complexity theory, but neither of

14 Telektronikk 3.2000 these approaches can be used to design practical Type of attacker Key length needed Table 1 Guidelines for systems that provide provable security in a strong selection of key lengths sense. Most algorithms are designed using a sys- Pedestrian hacker 45-50 tem-theoretic approach combining well-estab- Small business 55 lished principles with partial security proofs. Corporate department 60

All cryptographic algorithms can be attacked by Big company 70 a brute force attack on the key space. Assuming Intelligence agency 75 an enemy has knowledge of the algorithm involved, he can try to decrypt the ciphertext with all possible keys. Meaningful plaintext will appear when the proper key is found. If the length of the secret key is n bits, there are 2n different keys to try. This means that the key length is a simple have been a carefully chosen design balancing parameter used to indicate the strength provided the specific threats involved and the need for by a cryptographic algorithm. However, it is general exportability. For such systems there are important to recognise that a sufficient key no export controls on the terminals, but a license length is a necessary but not a sufficient require- is normally needed for network equipment. ment for a strong algorithm. An algorithm could have a long key, but still be vulnerable to other 5 Open or Secret Algorithms attacks more efficient than exhaustive key As stated above, the strength of a cryptographic search. A report from 1996 [9] gives guidelines system should not rely on the secrecy of the for selection of key lengths as shown in Table 1. system description. In order to provide optimal analysis and confidence in a cryptographic algo- It is important to stress that this table is only rel- rithm, it will be important to have public avail- evant for symmetric algorithms. The situation able specifications that have been studied by for asymmetric ciphers is much more complex independent experts. By standing such public and adequate key lengths for such systems are scrutiny over a long period of time, an algorithm completely different from those in Table 1. An can achieve the necessary trust and assurance. excellent guide is [10]. This is a strong argument in favour of open algorithms and it seems clear that this is the only 4 Encryption Policy model for wide acceptance of general-purpose The implementation of encryption solutions is cryptographic algorithms. not only a technical matter, but also sensitive political issues are involved. For a long time Open algorithms may be subject to a variety of serious use of cryptography was restricted to research analysis and many results are published diplomatic and military use and encryption tech- as “breaks”, even if the announced attack cannot nology was considered to be of strategic impor- be conducted within the operational environment tance to national security. National and interna- of the system. Normally any attack with com- tional regulations were developed to monitor the plexity lower than exhaustive search is reported use and dissemination of the technology. Most as “cracking the algorithm”, often resulting in countries still enforce some kind of export con- much publicity and worried users. In many cases trol, but the rules have gradually become more such results are mostly of academic interest and liberal. have minimal impact on the security of the actual system. The introduction of confidentiality as a standard service in telecommunication systems will not However, in the same way as openness is no only protect the involved link against fraud and guarantee for strong algorithms, a secret algo- malicious eavesdropping, but it will also prohibit rithm does not implicitly mean that the algo- police and security agencies involved in legal rithm is weak. Cryptographic algorithms used interception as part of their combat against ter- in military systems for protection of classified rorism and organised crime. In many countries information are seldom or never revealed. These such interception has been an important tool organisations have a strong internal competence against serious criminal activity, but normally in design and analysis of algorithms and do not a special court order must be available before have the same need for an open process. From the interception can take place. history they know the difference between attacking a known versus an unknown crypto system. In mobile systems like GSM and DECT, the In order not to provide an enemy cryptanalyst radio link is considered to be an exposed and with any advantage, they prefer the use of secret vulnerable channel and the standards specify algorithms. encryption of this link. The solutions involved

Telektronikk 3.2000 15 6 Use of Encryption in 7 The Data Encryption Telecommunications Area Standard (DES) Traditionally the use of encryption technology in For many years the US Data Encryption Stan- the telecommunications area has been seen along dard (DES) [3] has been the de-facto standard the following lines: for commercial encryption. DES was proposed in 1975 and approved in 1977 as a Federal Stan- 1. Protection of network management infor- dard for protection of sensitive, but unclassified mation. Operator initiated encryption of dedi- information. DES was designed and proposed by cated connections in order to secure important IBM, endorsed by the National Bureau of Stan- connections vital to the operation and mainte- dards (NBS, now NIST) and later approved by nance of the network itself. This approach may ANSI as US standard. Around 1985 there was work well within one domain controlled by one work within ISO to establish DES as an interna- operator, but may face problems in multiple tional crypto standard, but this project was domain solutions implementing the Open Net- halted due to political problems. DES is widely works Provision policy. used by banks for protection of electronic funds transfer. 2. End-to-end encryption by dedicated users with high security requirements. Users that DES is a symmetric block cipher, which en- exchange confidential information over public crypts a 64-bits data block under the control of networks using secure phones or crypto-faxes. a 56-bits key. From the very first moment there Such solutions normally depend on expensive was strong criticism against the key length of and proprietary equipment. Due to the complex- DES and it was argued that the key space could ity of key management, the solutions do not be searched by strong opponents using dedicated always scale well and there are no standards for hardware devices. In July 1998, using custom such connections. designed chips and a personal computer, the Electronic Foundation built “DES Cracker” [11]. 3. Encryption of vulnerable links. Modern Costing less than USD 250,000 and taking less mobile networks like GSM, DECT, UMTS and than a year to build, DES Cracker broke a DES- satellite-based networks involve a radio link encoded message in fifty-six hours. There was especially vulnerable to eavesdropping (as well nothing terribly novel about the decryption as other security threats). In order to protect user machine except that it was built. From Table 1 in data and signalling information in such systems, Section 3 we see that this result fits nicely with encryption techniques have been introduced on the predictions from 1996. the radio link between the mobile terminal and access points to the fixed network.1) The immediate response to the shortcomings of the DES key length has been to implement 4. Entity authentication. Mobile communica- Triple-DES systems, in which the DES algo- tions lacks the conventional access point to the rithm is used in three consecutive steps using network and there is a strong need for authenti- two or three different keys. The long-term solu- cation of users involved in a call. It may also tion will be to develop a replacement algo- be necessary for the user to authenticate the net- rithm(s), see section on AES below. work. In most systems such authentication is based on a “challenge and response protocol” in Even if DES is approaching the end of its life which an entity authenticates itself by proving cycle, it has been an example of a carefully de- knowledge or possession of a unique secret key. signed algorithm, which have resisted open anal- The challenge and key are then input to some ysis over many years. Today we know that it cryptographic algorithm which outputs the cor- was designed to withstand attacks that were not rect response.2) publicly known back in the seventies [12]. Even new attacks have appeared over the years, but they had little impact on the practical strength provided by DES.

1) Due to interoperability requirements, this encryption has to be based on standardised algorithms known both to the mobile station and the network. 2) This authentication is often a protocol between the subscriber’s SIM module and the operator and may be based on an operator-controlled algorithm. In this case it is not necessary to have one standardised algorithm.

16 Telektronikk 3.2000 8 ETSI Standardisation the need for an export algorithm was identified. ETSI is the European Telecommunications Stan- The original A5 now became A5-1 and a new dards Institute. It has approximately 450 mem- export version A5-2 was designed by SAGE. bers and its main objective is to produce techni- Both algorithms should be implemented in the cal standards in the area of telecommunications. handset and it is up to the network to decide which algorithm to use. Both A5-1 and A5-2 is The specification of security standards for a spe- based on stream cipher technology. cific telecommunications area or system within ETSI is in principle carried out by the responsi- The GSM system also uses an algorithm for ble Technical Committee (TC) or ETSI Project authentication of the user and generation of the (EP). For general security issues there is a dedi- encryption key. This algorithm is called A3/A8 cated Technical Committee called TC Security. and is not a standard algorithm in the system. For the design and specification of cryptographic The operator is free to design their own algo- algorithms a Special Committee was installed: rithm or they can use an example algorithm from the Security Algorithm Group of Experts the GSM Association called COMP128. Some (SAGE). Unlike other TCs or EPs, SAGE is security problems have been found in COMP128 a closed group with an appointed membership. and a replacement example algorithm is now available. The outline procedure for the design of cryptographic algorithms for ETSI standards is that the For the new data services in GSM, the General ETSI TC or EP first decides if there is a need for Packet radio service (GPRS), a special encryp- a standard algorithm. Then the TC/EP drafts a tion algorithm called GEA was developed by document specifying the requirements for this SAGE. SAGE also developed a special authenti- algorithm. These requirements normally de- cation/integrity/key generation algorithm for scribe issues like use of the algorithm, imple- GSM Cordless telephone System (CTS) in 1999. mentation complexity, performance, resilience, exportability and management of the algorithm DECT – Digital Enhanced Cordless and its specifications. The document also speci- Telecommunications fies if the algorithm should be published or con- DECT has security features that are similar to fidential. If needed the TC Security assists the those in GSM. As in GSM it uses an encryption responsible committee to draft the requirements algorithm, the DECT Standard Cipher (DSC), specifications. and an authentication and key generation algorithm called the DECT Standard Authentication In the next phase ETSI SAGE designs and speci- algorithm (DSAA). Like A5-1 both DECT algo- fies the algorithm according to the requirements. rithms were designed before SAGE was set up, The algorithm is then delivered to the algorithm but the algorithms have recently been reviewed. custodian (in most cases this is ETSI) which takes care of the distribution of the algorithms to ISDN based audio-visual system the intended users. SAGE also produces a report CCITT (ITU) has drafted recommendations for the ordering committee describing the work H221, H261 and H233 in the area of the use of done, the rules achieved and the rules for man- audio-visual systems and specifies security for agement of the algorithm. these. The CCITT recommendations were adapted by ETSI. Recommendation H233 9 Algorithms Used in (“Confidentiality for audio-visual services”) ETSI Standards specifies the use of encryption and allows differ- In this section we will review several standards ent algorithms to be used. SAGE designed an developed by ETSI and describe the use of cryp- encryption algorithm especially for this purpose. tographic algorithms in those standards. It is called BARAS (baseline Algorithm recommended for Audio-visual Services). GSM – The Global System for Mobile Communications Multi-application telecommunications GSM was the first public standard digital tele- cards communication system which included substan- A sub-committee of the ETSI TC terminal tial use of cryptographic algorithms. The origi- Equipment (TE) drafted a series of standards for nal system employed a standard encryption algo- Multi-application telecommunications IC rithm called A5 for encryption of user data and (Smart) card. The specifications included a num- signalling information. Only the vulnerable radio ber of security functions. link was protected by this encryption and the traffic was in clear within base stations, switches To support these functions SAGE was asked to and networks. When GSM began to expand design a cryptographic algorithm called TESA- beyond Europe there were difficulties involved 7. The specification included four modes of use in exporting the system to certain countries and for the algorithm. These are authentication

Telektronikk 3.2000 17 mode, integrity mode, key diversification mode tem has been chosen by major Public Safety (i.e. generating an individual key from an iden- organisations in Europe as their future mobile tity and a master key) and a secure key loading communication system, but can also be used in mode. public networks. Security is a big concern in TETRA and the system includes a large number So far there has been little use of the Multi- of security features. These are supported by a application standards and it has recently been large number of standard cryptographic algo- agreed to broaden the use of TSEA-7 to the rithms. For the moment there are four standard GSM SIM (Subscriber Identity Module – the encryption algorithms defined for TETRA. smart card of GSM). TEA1 and TEA4 are for general use in TETRA and provide a baseline level of security. The use UPT – User Personal telecommuni- of TEA2 is restricted to European Public Safety cations organisations (mainly from the “Schengen” UPT is a telecommunication service standard- countries). TEA3 is a similar solution for use ised by ETSI that enables users to register on by other Public Safety organisations. All the en- a foreign telephone and then be reached there cryption algorithms are dedicated stream ciphers under their own telephone number. This service designed by ETSI SAGE and their intended use requires authentication before it can be invoked. is for the protection of user data and signalling information over the radio link. ETSI SAGE designed a standard authentication algorithm, called USA-4, for this service. How- Furthermore SAGE has specified one set of ever, until now there has been limited use of the TETRA Authentication and key management UPT standard and hence the USA-4 algorithm. Algorithms (TAA1). The TAA1 is designed for use in all TETRA systems. Hiperlan – High Speed radio LAN Hiperlan is a standard for high-speed radio LAN UMTS – Universal Mobile Telecommuni- over which data is transmitted at high speeds cations System over the air interface. For this standard SAGE The next generation of mobile systems will be developed a dedicated encryption algorithm UMTS specified by the 3rd Generation Partner- called HSEA (Hiperlan standard Encryption ship Project (3GPP). The first set of technical Algorithm). The export restrictions on the algo- specifications was finalised January 2000 and rithm should be minimal and the algorithm pro- includes the definition of confidentiality and vides a basic level of security. The ETSI project integrity algorithms. Both algorithms are based BRAN is currently standardising a successor on a standard block cipher called KASUMI. for Hiperlan. This standard (BRAN) will support KASUMI is a modified version of the Japanese higher data rates and it seems that it will employ block cipher MISTY ([13]) which has been a standard encryption algorithm. available and publicly analysed for several years.

BEANO – Binary Encryption Algorithm Due to the high-speed requirements in 3GPP for Network Operators systems, it was important to design an algorithm A few years ago the ETSI TC Security identified which was suitable for efficient implementation the need for an algorithm that could be used to and could offer a high degree of security. KA- protect the confidentiality of network manage- SUMI makes full use of a 128 bits key operating ment data. ETSI SAGE designed a special en- on 64 bits blocks. cryption algorithm called BEANO (Binary En- cryption Algorithm for network Operators). The design and specifications of the standard BEANO is a strong block cipher algorithm em- algorithms for UMTS were conducted by SAGE ploying an 80 bits key. To overcome the con- enlarged with experts from manufacturers in flicting requirements for broad exportability and Europe, Asia and US. In addition to the internal a high level of security, the license and confi- evaluation and analysis of the 3GPP algorithms, dentiality agreement explicitly limits the use of three different groups of independent experts the algorithm to the protection of network man- were involved in an additional external evalua- agement data. The use of the algorithm for other tion. The intention is to have these specifications purposes such as the protection of user data is published in the same way as other technical explicitly excluded. standards, but all issues related to such publication have not been resolved at the time of TETRA – Terrestrial Trunked Radio writing. TETRA is the new standard for digital private mobile radio communications system. The sys-

3) Information on AES can be found at http://www.nist.gov/aes

18 Telektronikk 3.2000 10 Regional Initiatives 12 Conclusions – AES and NESSIE Cryptographic algorithms are a fundamental building block for a variety of security services. AES – Advanced Encryption Standard3) The design of such algorithms is a long and In 1997 the US National Institute of Standards tedious process involving a mixture of skills, and and Technology (NIST) initiated a process to the final solution is often a trade-off between di- select a new symmetric-key encryption algo- vergent requirements. We have presented some rithm to be used as a replacement for DES. The of the basic principles of such algorithms and call for candidates stipulated that AES would have described the variety of standard algo- specify an unclassified, publicly disclosed algorithms that exist for different telecommunication rithm available royalty-free, world-wide. The systems. We argue that the development of stan- algorithm must be a block cipher supporting a dard algorithms will benefit from the use of open block size of 128-bits and key sizes of 128-, and well-analysed algorithms. AES and NESSIE 192- and 256-bits. In 1998 NIST announced the are examples of new initiatives intending to acceptance of fifteen candidate algorithms and develop and evaluate new and secure primitives. requested the assistance of the cryptographic Future standardisation projects will then focus research community in analysing the candidates. more on how to embed these primitives securely This analysis included an initial examination of into a system in order to achieve defined security the security and efficiency characteristics and goals. the outcome was five finalist algorithms. The five finalist algorithms are currently subject for References further study before selecting one or more of 1 ISO. Information processing systems – Open these algorithms for inclusion in the Advanced Systems Interconnection – Basic reference Encryption Standard. If all steps of the AES model – Part 2 : Security architecture (first development process proceed as planned, it is ed.). International Organization for Stan- anticipated that the standard will be completed dardization, Geneva, 1989. (ISO 7498-2.) by the summer of 2001. It seems obvious that the final AES algorithm(s) will be the preferred 2 Kahn, D. The Codebreakers. The Story of algorithm in the years to come. Secret Writing. New York, Macmillan, 1967.

NESSIE – New European Schemes for 3 FIPS 46. Data Encryption Standard. Federal Signatures, Integrity and Encryption4) Information Processing Standards Publica- NESSIE is a new European 3-year project that tion 46, U.S. Department of Commerce/ started in January 2000. It falls within the Infor- National Bureau of Standards, National mation Societies Technology (IST) Programme Technical Information Service, Springfield, of the European Commission and includes par- Virginia 1977. ticipants from industry and the academic world. NESSIE will contribute to the final phase of 4 ISO. Information processing – Modes of AES, but has a much wider scope. The main operation for an n-bit block cipher algorithm objective of the project is to put forward a port- (first ed.). International Organization for folio of strong cryptographic primitives that Standardization, Geneva, 1991. (ISO/IEC have been obtained after an open call and evalu- 10116.) ated using a transparent and open process. These primitives should be the building blocks for the 5 ISO. Information processing – Security tech- future standard protocols of the information niques – Data integrity mechanism using a society. check function employing a block cipher algorithm (second ed.). International Organi- 11 Work in ISO zation for Standardization, Geneva, 1994. Within the International Standards Organisations (ISO/IEC 9797.) (ISO) there are several groups defining security standards. There is one sub-committee (ISO/IEC 6 ISO. Information processing – Security tech- JTC1/SC27) dedicated to this work, but for niques – Hash functions – Part 2 : Hash many years the development of international functions using an n-bit block cipher algo- standards for confidential algorithms was explic- rithm. International Organization for Stan- itly excluded from their work program. This rule dardization, Geneva, 1994. (ISO/IEC 10118- has recently been changed and a new project for 3.) development of such standards is now approved. We can expect that results from the regional initiatives described above will be forwarded to ISO for global standardisation.

4) Information about NESSIE can be found at https://www.cosic.esat.kuleuven.ac.be/nessie/

Telektronikk 3.2000 19 7 Beaver, D. Computing with DNA. Journal of Computational Biology, 2 (1), 1995.

8 Steane, A M, Rieffel, E G. Beyond Bits : The Future of Quantum Information Pro- cessing. IEEE Computer, 33 (1), 38–45, 2000.

9 Blaze et al. Minimal Key Lengths for Sym- metric Ciphers to Provide Adequate Com- mercial Security. Counterpane (2000, June 20) [online] – URL: http://www.counterpane.com/keylength.pdf

10 Lenstra, A, Verheul, E. Selecting Crypto- graphic Key Sizes. Cryptosavvy (2000, June 20) [online] – URL: http://www.cryptosavvy.com/cryptosizes.pdf

11 Electronic Frontier Foundation. Cracking DES : Secrets of Encryption Research, Wire- tap Politics, and Chip Design. Sebastopol, Calif., O’Reilly and Associates, 1998.

12 Coppersmith, D. The Data Encryption Stan- dard (DES) and its strength against attacks. IBM J. Res. Dev., 38 (3), 243–250, 1994.

13 Matsui, M. New block encryption algorithm MISTY. In: Fast Software Encryption ‘97, LNCS 1267. Biham, E (ed.). Berlin, Springer-Verlag, 1997.

20 Telektronikk 3.2000 Show Me Your Public Key and I Will Tell Who You Are

LISE ARNEBERG

A short introduction to digital certificates and some thoughts on their significance to the digital economy.

Internet and Security The problem in the B2C segment is slightly dif- – Two Contradictory Terms? ferent because you often do business with some- It has been repeated again and again – the lack one you do not know in advance. From the busi- of security mechanisms on the Internet slows ness perspective you may have no option but to down the development of the new economy. Is trust that the name, address and credit card num- Lise Arneberg (40) is Senior it true? Hard to say, really. It is a fact that there ber supplied are actually genuine. It is a fact Consultant at Telenor Business are no global trust mechanisms on the Internet however, that Internet shops make quite an effort Systems, in the department of infrastructure, you cannot be really sure of to check for false orders, false credit cards and e-commerce. She holds a Cand.Scient. degree in Mathe- whom you are talking to. The only global identi- false shipment addresses, but may still experi- matics/Algebraic Geometry from fication mechanism is the network address, and ence losses or fraud. the University of Oslo, 1985. network addresses may be forged rather easily. She has long experience from security and cryptography re- As a consumer, you may have experienced that lated issues at Alcatel (research On the other hand, you can build as much secu- it is a lot of work to remember username and department, telecom and de- rity as you like into one specific application. password for a number of different Internet fence communications), and at Scandinavia Online (electronic You may issue usernames and passwords and shops or services. It would be nice if I did not commerce). even equip your users with password calculators have to. And it would also be nice if I had a way [email protected] or one-time passwords to ensure strong authenti- of checking the authenticity of the service at the cation between the user and your application. other end. Is this really my bank that I am talk- And you may encrypt user sessions by SSL and ing to? build crypto based cookie mechanisms to obtain confidentiality and preserve session integrity. Whether the need for more global authentication mechanisms comes from practicality reasons, What is the problem then? A number of issues productivity reasons or genuine lack of trust, of course. Key lengths is one, secure storage is the answer to the authentication problem may another. But in my opinion, the lack of common be digital certificates. As web-based services authentication mechanisms is one key issue. The involves more and more valuable transactions, consequences differ slightly depending on which the issue of non-repudiation and legally valid market segment is addressed, the Business to signatures on documents arises. These services Business (B2B) or the Business to Consumer may be built on top of an infrastructure based (B2C) segment. on digital certificates.

In the B2B segment, the relation to the customer The rest of this paper is an introduction to digital is often established through other channels than certificates, the infrastructure to make them the Internet. For a long time relation, you can function and some examples of use. afford a (partly) off-line registration procedure and you might take the trouble of managing The General Idea of usernames and passwords for all your users. So, Digital Certificates the authentication problem can be coped with. A digital certificate is really an ID card for the As I see it, the problem is on the customer side. digital world. As an analogy, consider an old- How many different passwords, userids and fashioned, paper-based ID card. What it does is tokens can you possibly handle? If your daily really to establish a binding between a name and work involves using five or six web-based ser- a picture. If you resemble the picture I accept vices, delivered by as many companies, you that the name belongs to you. In the same way, a might have to remember five or six passwords or digital certificate establishes a binding between a handle five or six password tokens. And all of name and a cryptographic key. If you can prove them issued to you in the same role in the same that you possess that key I accept that the name company. A general authentication mechanism belongs to you. would leave the user with one token, valid as authentication mechanism on any service.

Telektronikk 3.2000 21 In both cases, my trust depends on the issuer of level of trust than a credit card (at least in the the ID card or the digital certificate. If I recog- sense of ID cards). Once again, the analogy can nise the issuer as trustworthy, the ID card has a be made to the world of digital certificates. If an value. Passports and ID cards issued by banks or authentication process is based on cryptographic the postal service are normally recognised as keys, how sure can you be that those keys are in trustworthy anywhere. While the ones issued the hands of the right person? That depends by a school or an employer are not generally pretty much on the checks performed during accepted outside that school or company. The registration, as well as distribution procedures same mechanism applies for digital IDs. If you for the certificate and the cryptographic keys. present a digital certificate and I do not trust or If you have to show an ID card to apply for and recognise the issuer, it would be of little value receive the certificate, this is a high level of to me. security. If you fill in a form on the Internet and receive the certificate by mail, the level of trust Issuers of digital certificates are normally re- would be low. Requirements for registration and ferred to as Trusted Third Parties (TTPs). In distribution processes is often called a certificate Norway, we have currently three actors on this policy (CP). In a sense, the certificate policy scene: Bankenes Betalingssentral (BBS), Posten defines the likeliness that the certificate is in the SDS and Telenor. All these three are companies right hands. or institutions we are used to trusting. They are all currently running digital certificate services. Two different TTPs may agree to accept each other’s digital certificates. They would do so Their certificates may be designed for different only if the process of registration and distribu- purposes or services. For remote LAN access, tion are similar and ensures the same level of for Internet banking, for security services within security or trust. This is called cross certification an organisation, for tax reporting or for other and is a formal process between to TTPs. If your special applications. And the contents may dif- TTP accepts the certificates of my TTP and vice fer. But generally the content is at least: versa, then we can actually trust each other’s certificates. And we may check each other’s sig- • Name of the owner; natures. • The public key; • Name of the issuer; And a Little Bit on the • Validity period and expiry date; Cryptographic Protocols • The issuer’s signature. to Make it all Work Digital certificates are based on public key The issuer’s signature ensures the authenticity techniques, mostly RSA. For the slightly rusty of the certificate. If any part of the content is reader, I will just repeat that an RSA key pair altered, a signature check will reveal the fraud. consists of a modulus, a private key and a public And it is not possible for anybody else to issue key. If you sign a message with your private false certificates, because you cannot forge such key, the signature may be checked using your a signature. If we use the passport analogy, the public key. If someone encrypts a message with issuer’s signature is the seal of Norwegian your public key, only the private key can decrypt authorities, as well as the special paper quality the message. that makes a passport so difficult to forge. The modulus and the public key are public Registration and Distribution knowledge. The private key must be kept secret. – the Key Issues for Key lengths these days are normally 1024 bits Building Trust but sometimes the double. Encryption processes If you have applied for a passport lately perhaps involves exponentiation modulo 1024 bits num- you remember that it is quite a tedious process. bers and may be time consuming. You are required to meet personally, show an ID and fill in a couple of forms. To receive the The beauty of public key encryption is that you passport, you must once again meet at the police can easily prove that you possess a key (the pri- station and show your face and an ID card to vate) without exposing it. verify that you are the correct owner of the passport. Getting a new credit card is much easier. Some definitions before we look into the authen- You simply phone and tell that the previous card tication process: is broken. After a few days you receive a new one by mail. • The Registration Authority (RA) receives certificate applications and verifies the appli- These two examples represent different registra- cant’s identity according to what is specified tion procedures and different distribution proce- in the Certificate Policy. dures. The result is that a passport has a higher

22 Telektronikk 3.2000 • The Certificate Authority (CA) issues certifi- a blacklist or revocation list must be publicly cates and distributes them to the user. available for everyone to check. And there must be someone who controls and updates the revo- • The CA also publishes all issued certificates cation lists. in a catalogue or directory, which is available via the Internet. There is a number of standards describing the details of these steps. Most important is the • When a certificate is revoked for some reason, CCITT X.509 standard for digital certificates. the CA updates the Certificate Revocation List Currently, version 3 of the standard is in use. (CRL). The PKCS-7 standard describes how to create and verify signatures. The directory is an X.500 These are all services operated by the TTP. They service, and the LDAP protocol specifies the are critical applications and are run in a physi- interface to the directory. A number of PKCS cally secured environment by specially autho- protocols describe cross certification and other rised personnel. certificate exchange protocols.

In the world of digital certificates, when I want On the Practical Side to prove my identity to you, the authentication Suppose your Internet provider or someone else process would go like this: has equipped you with a digital certificate. How do you receive it, keep it and how do you get to 1. I claim my identity by sending my digital cer- use it without knowing the details of the proto- tificate. Or you look up the certificate in a cer- cols above? tificate directory. Keys can be kept in SW or in a smart card. Keys 2. You check the issuer’s name. If you recognise in SW must be protected by encryption and you the name as someone you trust, you do the will need a password to decrypt the keys and get signature check to verify authenticity of the access to cryptographic operations. In a smart certificate. If not, you look up the directory card, the keys are protected by the operating sys- of your Trusted Third Party to check if this tem of the card and the private key will never issuer is someone he trusts (i.e. is certified by leave the card. A PIN is required to open the him). If that is so, you receive the information card for use. you need to check the signature of my certificate. If not, you reject my certificate because The certificate issuing process may take differ- you have no reason to trust its origin. ent forms. It may be done online with the CA and with keys generated locally. In this way, the 3. You check the revocation lists (CRLs) to see private key never leaves “home”. To secure the if this certificate is still valid. certificate generation process, the user is first equipped with two codes used for authentication. 4. If all is well so far, you send me a challenge. The certificates may also be personalised offline 5. And my response is the challenge signed by with centralised key generation (mainly smart my private key. cards) and then shipped to the user according to policy. 6. You verify the signature, using the public key of my certificate. If keys are in SW, there must be a “bridge” between the application (for instance a login 7. If the signature is OK, you will trust that I am script) and the cryptographic keys. Let us call the genuine owner of the certificate and now this bridge a security module. It offers a speci- you know who I am. fied interface (API) of security operations to any application on the PC. The application may be The reader may have noticed that the steps able to order a signature, perform the steps of an above require a bit of infrastructure. First of all, authentication and perhaps to check the certifi- digital certificates must be issued by the CA and cate of the entity at the other end. The API may transported securely to their owners. Secondly, also specify a number of other services such as the user must know whom to trust, i.e. (s)he encryption mechanisms and exchange of encryp- must have access to the public key (or rather the tion keys. With keys in a smart card, all crypto- certificate) of the trusted TTP. Thirdly, certifi- graphic operations may be performed at the card, cates must be available in a directory. If the cer- and the application (or the security module) may tificates are general purpose IDs, this directory communicate with the card through the smart must be available to the public. As some certifi- card reader. cates inevitably will get lost, stolen or corrupted,

Telektronikk 3.2000 23 A number of standard PC applications, such as The protocol, it seems, took into account any mail clients and web browsers, is available today experience with practical use of credit cards, with plug-ins that are adapted to a specific secu- as well as exploited the new possibilities that rity module. For the security module from one came with the new technology. The best of two major supplier, Entrust, there is a wide range of worlds? Unfortunately, SET has not been a suc- applications, denoted “Entrust ready”, that cess so far, despite all its beautiful cryptography. exploits the security services in their security Partly because it was early. But also because in module. This is all done seamlessly to the user. its first implementation it had two practical The user may sign or encrypt mail, or communi- weaknesses. cate securely with a web service, simply by clicking icons in her regular applications. The certificates were in software and had to be installed on your PC. (Smart card readers were For more specific or proprietary applications, expensive in 1997, about 7 times the prices security services must be built in by utilising today, and were out of the question.) Do you the API of the security module. know how to take care of a credit card residing on your PC? If it is not in your wallet, how do Digital certificates can be managed or unman- you keep control of who is using it? Should it be aged. With a managed certificate, the security on your home PC or on your work PC? What module automatically communicates with the happens if your children or your cleaning lady CA to handle necessary certificate updates, key are not to be trusted? Now, after a few years, we backup for encryption keys and other services. have got used to the idea of SW certificates, but personally I am still not sure that credit cards SET – Digital Certificates should be in SW. as Credit Cards The Secure Electronic Transaction (SET) stan- The second practical weakness occurred on the dard was perhaps the first example of a commer- merchant side. A specialised SW called a SET cial use of digital certificates. It was developed Merchant is required to run the SET protocol. as a cooperation between VISA and Eurocard. And in 1997, the SET Merchant applications Their goal was to establish secure credit card were so expensive that they were out of the transactions on the Internet. It is an open stan- question for most Internet shops. Not to mention dard, based on digital certificates. It was pub- the requirements for infrastructure. A SET mer- lished in 1997 and the first SET transactions in chant with its certificates is not an application Norway were performed late 1997. you would want to put on the server directly accessible on the Internet. The certificate issuers or CAs of SET certificates are the credit card companies. Both card holders So, in spite of SET, most Internet transactions and shops will have certificates. Each credit card are still paid by old fashioned credit cards. company will define their own procedures for Shops add a bit of security by use of SSL to registration and distribution of certificates. There avoid sending credit card numbers as cleartext is no cross certification between CAs, i.e. you on the Internet. But they have to put a lot of cannot pay with a VISA credit card unless the effort in manually handling all their credit card shop (or merchant in SET terminology) has a transactions. To help this situation, some credit VISA certificate too. card companies now develop further another option of the SET – without card holder certifi- The payment process is based on a set of pre- cates. It is called MOSET (modified SET?) and defined messages between the card holder, the permits on-line handling of credit card transac- merchant and the acquirer payment gateway tions without card holder authentication. (also called payment gateway) – the interface to the credit card company. All messages in the What About the m-Business? protocol are encrypted and signed. The protocol The “mobile Internet” is evolving just these ensures maximum anonymity. The merchant will days. There are two approaches to services on a only know that the card holder is authentic and GSM phone. One is the WAP – Internet brows- that the amount is accepted by the credit card ing and Internet services adapted to the format of company; she will not know the credit card num- the cell phone screen and the bandwidth of the ber of the card holder. The payment gateway GSM network. The second approach is building will only know the amount and not what was explicit services into the SIM card of a regular purchased. The card holder can be sure that this GSM phone. Any way, a phone is much more is an authentic shop with a real VISA (or other) personal than a PC. It is also more quickly en- certificate and not just someone who set up a abled and services will seem more easily acces- fraud service. sible than on a PC. So it should be expected that

24 Telektronikk 3.2000 services accessible by mobile phones will evolve tificate on your GSM phone, which only reflects quickly and offer a wide range of services. you as a private person. So we will probably have to cope with a number of digital certificates With banking services, shopping and subscrip- – just as we cope with a number of magnetic tion services, the issue of authentication arises cards. Let us just get used to the idea! And let also in the m-world. Even though the GSM algo- us pray that someone invents the all-secure-PIN- rithms themselves provide some authentication, storage-device – real soon now! (Based on fin- this is not automatically available to applications gerprint identification?) outside the GSM systems. Abbreviations However, SIM cards are smart cards and as such B2B Business to Business ideal for storage of cryptographic keys and digital certificates. Telenor Mobil are planning to B2C Business to Consumer equip all their new GSM subscribers with a larger SIM card, containing a digital certificate, CA Certificate Authority a security module and a set of application clients, thereby providing a new electronic CCITT Comité Consultatif International Télé- world with a “global” authentication mechanism. phonique et Télégraphique (Now: ITU-T)

Paperless Business? CP Certificate Policy Digital Certificates and Legally Valid Signatures CRL Certificate Revocation List Although so much business communication is done over electronic channels, there is still no GSM Global System for Mobile Communi- mechanism or infrastructure in place to substi- cations tute a legally valid, hand written signature on a paper document. What would it take to establish LAN Local Area Network legally valid signatures on a document? In such a manner that none of the signing parties can LDAP Lightweight Directory Access Protocol deny that they have signed, what they have signed and when? PKCS Public-Key Cryptography Standards

The answer to the “when” is a timestamp service RA Registration Authority – a trusted party that adds the time to the signed document and then uses its own certificate to RSA Rivest-Shamir-Adleman (algorithm) sign it. SET Secure Electronic Transaction The answer to the “what” part may be a public http://www.europay.com/common/ notary – a trusted party that stores valuable doc- Index.html uments and may verify signatures upon dispute, even after many years. SSL Secure Sockets Layer

And the parties must have their digital certificates, TTP Trusted Third Party containing keys that may be used for signing. WAP Wireless Application Protocol The issue of legally valid signatures still has not reached enough maturity to bring out the implementations. This is due to legislation, but also to infrastructure and trusted actors.

Conclusive Remark Would it be nice to have only one digital id, one smart card valid in all situations? With credit cards, health information, access to entrance doors at work and whatever. I am not so sure. On the other hand, I may never have that option. So far, the structure or content of a digital certificate must reflect some information about its usage. Your certificate as an employee with a certain role in a certain organisation will be different from your SET certificate or from the cer-

Telektronikk 3.2000 25 Security in a Future Mobile Internet

HENNING WRIGHT HANSEN AND DOLE TANDBERG

Introduction same time obtain and use a new topologically Everyone knows it – computers are getting more correct IP address. This may be achieved by and more common. Computers are also getting using e.g. tunneling mechanisms. more and more portable. At the same time the Internet has become a common place. The pro- Internet mobility may be achieved without alter- fessional computer users demand the possibility ing the routers or other hosts on the Internet, the to work as usual independent of time and place. only thing really needed is a Home Agent placed And why not? The technology that will make on the home network. The Home Agent is this happen is more or less here. responsible for registering the current locations Henning Wright Hansen (28) is (IP addresses) of mobile nodes, and forwarding Research Scientist at Telenor However, the companies that own and control packets destined for the mobile node out to its R&D, Kjeller, where he has been working on aspects related to the computers used by these demanding users current location. Authentication is built-in in Internet security since 1996. His have second thoughts. What about security? The order to make it difficult to redirect traffic to research interests include wide Internet is itself a “dangerous” place to be, and unauthorised hosts, this will help prevent some- aspects of security related to computing, focusing on the even highly skilled personnel make mistakes one stealing traffic destined to the mobile nodes. security consequences of intro- when implementing security solutions to protect ducing Internet mobility as well the internal network from script kiddies or may- When a mobile node connects back to the home as solutions making the Internet a safer place to be for the mobile be even worse, from unscrupulous competitive network, an extension is made from the LAN to users of the future. He is also companies or foreign governments. Who really the Mobile Node. Traffic traditionally being involved in the TigerTeam acti- knows what might be out there? internal and restricted to the LAN only, now vities (practical security testing) at Telenor R&D. ends up being routed over the Internet for every- henning-wright.hansen And now the users want to open up the internal one to see. Utilising VPN technology is there- @telenor.com network to be accessed from the Internet. How fore very important if privacy, authenticity and could this be done in a satisfyingly secure man- integrity of the data exchanged is of any con- ner? How should the mobility management be cern. Traditionally VPN systems have been used implemented to allow for transparent access – for protecting traffic between different kinds of both to and from the machines on the road? networks, but the same technology may be integrated directly on the mobile nodes in a net- This article will try to cover these issues and work-to-host scenario. (Or host-to-host for that propose solutions that may become the future matter.) The technology used to achieve this is foundation for secure Internet mobility in the typically IPsec. years to come, with a particular focus on the users and their terminals. Only selected security At the home network, the extension of the home technologies will be covered, focusing on the network towards the mobile nodes is typically mobile users and their terminals. combined with the use of firewalls. The firewall Dole Tandberg (38) is Research is supposed to enforce a security policy separat- Scientist in the Security Group at A Mobile Wireless Network ing those “inside” from those “outside” the fire- Telenor R&D, Kjeller, where he has been working since 1997. of the Future wall. His research interests include The Internet has traditionally offered very poor security in Internet and mobile support for mobility. It is of course possible to Wireless technology such as the IEEE 802.11 distributed systems. He is also involved in the TigerTeam acti- move computers connected to the Internet from may be used as one attractive method of access- vities and practical security one local area network to another, but there has ing the Internet or LAN IP networks. The secu- exploits. been no support for mobility. That is; when rity mechanisms in these standards are however Background: 1982–1988 Univer- moving a computer from one LAN to another, limited in flexibility, and VPN technology is sity of Zagreb, Croatia; 1988– you have to supply it with a brand new IP add- therefore needed on top. WLAN technology is 1996 ABB Corporate Research; 4 patents holder (2 WW and 2 ress. From the network point of view, this is sometimes envisioned to replace traditional UK); 1994 Sheffield University seen as a totally different computer since the IP wired LAN networks, particularly in dynamic (UK), Largest civilian FEM-test address is used to identify it. Even today, some and new environments. Time and money may be research program; 1995 London Conference “New Era Technol- legacy operating systems claimed to be “up to saved as the need for cabling is reduced consid- ogy” paper holder. date” need to be rebooted in order to use a dif- erably. In future office environments, WLAN dole-stojakovic.tandberg ferent IP address. technology may be used as a shared access tech- @telenor.com nology, e.g. within a large office building. It Mobile IP is about to change this, however, would be much more efficient to offer WLAN allowing the computer to be moved to keep its access to all employees in different firms within old IP address used for identification, and at the the building, instead of having each firm imple-

26 Telektronikk 3.2000 menting its own WLAN system. Visitors may network will not be able to protect those users. also be given network access through the This is the reason why firewalls must be imple- WLAN within or nearby the office building. mented locally on the mobile terminals, and not only on the borders of the home network. However, using WLAN technology in this manner, the concept of firewalls separating It is however not enough to install “traditional” the “internal” from the “external” network is firewalls on these mobile terminals, some re- no longer useful. The once physically protected quirements that firewalls on mobile terminals internal network is now more or less publicly should meet include the following: available. To maintain the concept of a “secured local area network” completely new firewalls, • They need to be configured dynamically, VPN, as well as other security mechanisms are depending on the current location; needed. • They should be able to adapt themselves to the This article describes selected techniques needed current network traffic (e.g. blocking attacks to fulfil the security needs in such a future wire- dynamically); less mobile network. • They need to be easily and securely remotely Secure Networking controlled by their administrator or automati- in the Future cally by a server on the corporate network;

Technical Solutions • They need to adapt to dynamic IP addresses;

Local Adaptive Firewall Services • They need to automatically adapt to the net- A commonly used technique used to protect a work interfaces currently in use (ethernet, “private” or “internal” network from an external modems/ISDN, IrDA, Bluetooth, etc.); network such as the Internet is to implement a firewall service. Firewalls started out as simple • They need to be integrated seamlessly and packet filters, capable of filtering out packets transparently (for the user) with other applica- based on IP addresses and information contained tions running on the mobile nodes, rejecting within other higher level protocols, such as the all network connections unless the firewall TCP and UDP headers. has been properly activated;

The simplified firewall illustrated in Figure 1 • They need to be integrity protected as well as accepts only inbound connections from TCP verifiable, ensuring that the configuration is port 80, which is dedicated to HTTP traffic, and trustworthy. rejects other types of traffic. To administer these firewalls will be a challenge While traditional “static” terminals typically are in the future world of mobile communication. protected from the Internet by the use of firewalls, mobile terminals of the future are envi- Some of the same principles presented here are sioned to roam freely, using the Internet wher- also found in a recently published paper from ever it is available. The firewalls on the home Steven M. Bellovin, Distributed Firewalls [1].

“Telnet” to an internal machine

Surfing the web´, Internet Explorer

“Ftp” to an internal machine

Request to an Intranet server

Figure 1 A simple packet filtering firewall allowing web surfing only

Telektronikk 3.2000 27 Securing Locally Stored Information server side. This would also reduce the load on Locally stored information needs to be protected the server, as establishing SSL connections is from unauthorised access. much more processing intensive than establishing traditional HTTP connections. The way to properly protect locally stored information while it is not being used is to use strong The pages could then be downloaded using tra- cryptography, e.g. through properly encrypted ditional HTTP connections that are not consid- file systems. If a terminal is lost or stolen, this ered secure. However, since the object (the web- may prevent unauthorised access to the informa- page) is itself encrypted, only the authorised tion stored. It may still be a security problem recipients would be able to decrypt the contents. that a terminal may be lost or stolen while the locally stored information is in use (currently Using PGP (Pretty Good Privacy) to encrypt unencrypted). email, this is what actually happens. The object itself, and not the communication channel, is Using tamperproof hardware tokens for storing secured. The encrypted object might be de- cryptographic keys that are used for accessing crypted at its endpoint for use at once, but the the locally stored protected information will help object originally received (encrypted) might protect against unauthorised access if the termi- (should) be stored securely for later use if nal is lost or stolen. needed.

While the locally stored information is being There are several benefits using this approach: used, making certain parts of this information read-only may help prevent unauthorised modi- • Less processing-intensive: Objects are crypto- fication. This may help prevent the installation graphically secured only once, not once per of viruses, Trojan horses, etc. Of course, some connection (as with SSL or IPsec). parts of the system need to be writeable, and hence there is still a need to have mechanisms • More secure: Even if the server where the to detect and possibly remove viruses, Trojan object is stored is broken into and the objects horses, etc. on this server are modified or replaced, this will be detected since the signature is no In addition, there is a need to have file integrity longer valid (content signing). mechanisms installed, in order to detect all unauthorised modifications made to the file system. • More secure: An intruder that has managed to break into a server will not be able to decrypt Distributed Secured Storage the protected objects unless he/she is autho- Modern state-of-the-art solutions for communi- rised to do so (has the necessary keys). cation security offer excellent security for the communication channels using e.g. IPsec. How- • More secure: It will be possible to use the net- ever, although the use of such technology is well work as a secure place for storing user infor- suited to protect private or sensitive data in tran- mation without worrying whether the server is sit, the same data is often stored without protec- well enough protected or not. The network tion at both ends of a secure communication could be used for e.g. backing up important channel. data remotely in a secure manner, if the objects are sufficiently cryptographically pro- This leaves the data vulnerable to attacks. In par- tected before they leave the mobile terminal. ticular, servers connected to the Internet have proved extremely difficult to secure, and even • Cheaper: Since objects are protected in a less servers that have been properly configured and CPU-intensive way, cheaper machines might well protected are frequently broken into. be used.

In order to offer sufficient protection of data • Cheaper: The servers need not be protected as stored in such servers, one has to protect the data much as servers that hold unencrypted sensi- itself, not only the communication channel. One tive data. way to achieve this is to use “object security”. One example of how this could be done is static • Legal benefits: If Telenor offers a “secure web pages on a web-server. Instead of establish- storage” for e.g. backing up GSM/UMTS-tele- ing a secure communication channel using e.g. phone data (e.g. address books or calendars), SSL (Secure Socket Layer), these web-pages it would only need to provide a storage space, could be encrypted and/or signed digitally once not security services to protect the object with and for all before being made available on the regard e.g. to privacy.

28 Telektronikk 3.2000 • Less prone to attack: Since the sensitive data each company had to build their own corporate is encrypted, the potential gain from attacking network, WLAN or cable based. In addition, the these servers is reduced. employees would benefit from having access to the internal corporate network from within • Cheaper: The servers themselves need not be WLAN reach of the office building. However, monitored as closely as servers containing using this Virtual VPN technology combined unprotected information. with mobility, the employees could have transparent secure access to the corporate resources • Cheaper: It is no longer that critical to up- from every access point imaginable. grade the systems once new vulnerabilities have been discovered. Currently, firewall solutions are however not well suited to protect such a virtual network. Of course, in order to prevent Denial of Service The firewall services need to be integrated on attacks when storing protected objects on a the terminal itself, as stated earlier in this article. server, there is still a need to secure these servers. The point being made is that it is no IPsec, smartcards and PKI systems are the ideal longer as crucial as for servers where unpro- security technologies to be used to implement tected sensitive information is being stored. the scenario “Multiple shared Virtual VPNs” described above. VPN Access to the Corporate Network The mobile professional computer user needs Intrusion Detection Systems to be able to connect to the corporate (home) Even though you have implemented a local fire- network while being “on the road”. Whatever wall policy, have integrity checking mechanisms access technology used, there is a need to secure in place as well as updated anti-virus software the communication channel back to the corpo- and partially read-only system installed, there rate network. This may be achieved using the is still a possibility that you may be exposed to VPN technology currently being standardised successful “hacking attempts”. Even though you and implemented. The technology used to build may not have been compromised, it is important VPN networks is typically IPsec. IPsec offers to detect such activities. (You should know your encryption, authentication and integrity protec- “enemy”.) Intrusion Detection Systems (IDS) tion services on IP packets, and may be inte- have been designed for exactly this purpose. grated with future PKI and hardware token based security solutions. The user may e.g. be required There is a need for both network based and host to use their smartcard in order to gain access to based IDS. In our case, focusing on users using the corporate resources using the network. mobile terminals, the network based IDS would be responsible for monitoring all network inter- The same technologies as described here may be faces against unauthorised activities. The net- used to secure access to home network expected work based IDS may pass this information on Figure 2 A simple WLAN Vir- to be implemented in future homes. the other parts of the security system on the ter- tual VPN technology combined minal, e.g. allowing dynamical modification of with mobility The VPN technology needs to be able to adapt to different network interfaces as well as working transparently with e.g. Mobile IP.

Novell Home Multiple Shared “Virtual” VPNs server agent Implementing wireless access technologies such as 801.11 (Wireless LAN), the security thought NT to be available in a physically protected cable server based network is no longer there. In a large office building with many different companies, WLAN access may be offered as a generic net- DMZ work access service to all. On top of this “generic” network access, each company may WLAN build a “Virtual” shared VPN network to protect communication within their own defined security domain. Since unauthorised users may be receiving this radio based communication, spe- Security Firewall Mobile cial care is needed to protect all communication gateway node within this virtual network. IP ordinary IPSEC Enc. (IP Ordinary) This would be a much more efficient and MIP Enc. {IPSEC Enc. (IP Ordinary)} cheaper solution, compared to the case where

Telektronikk 3.2000 29 CA The mentioned countermeasures have been enforcing a stricter security policy on the local terminal. Other countermeasures may be possi- CA ble, e.g. trying to track the source of the unauthorised activity. However, one should be very careful implementing and using such counter- IKE Digital Cert. Session measures, as there is a substantial risk of spoof- IKE ing (e.g. falsifying the IP source address of pack- Session ets reaching the mobile terminal). This may Authenticated Encrypted tunnel again lead to sophisticated and hard to prevent Denial of Service attacks.

PKI as the “Security Glue” of the Future A Public Key Infrastructure (PKI) is a system Local Local supporting the use of public key cryptography, Network Network Bob Alice often combined with the authorised issuers of public key certificates (also called digital certificates). In a PKI system each user, being a person or a service/machine, would have at least one such certificate.

Figure 3 A simple Public the security policy as well as warning the user A public key certificate typically contains in- Key Infrastructure and maybe the home network as well. The host formation about its legal user such as the name, based IDS will monitor access to local resources address, e-mail address as well as the public key. in an attempt to detect unauthorised activity. It The certificate is signed by its issuer, a certifi- may, as the network based IDS warn the user as cate authority, in such a manner that all attempts well as his home network, and trigger a different at modifying the information contained in the Figure 4 A “simple” user- and stricter security policy if needed. certificate is easily discovered. to-user public key cryptography To each public key certificate there is a unique corresponding private key. The public key certificates are part of the public domain and are published through large searchable databases

A - public accessible to everyone. The corresponding pri- B - public vate keys are strictly personal and are at all times B - public A - public C - public expected to be accessible by its legal user only. 7 ...... 4 ...... An ideal protected place to store such private ...... keys would be tamper-proof hardware tokens, Public DB such as smartcards. 1 A - public B - public A PKI would offer a scalable security platform A - private B - private B - public for services such as e-commerce, dynamic VPN 2 networking, secure messaging, non-repudiation and digital signatures. There need not be a pre- Signature #4%# defined trust relationship between the communi- A Mr. A B B - public + A - private cating parts using a PKI system. As there are 3 several different issuers of public key certificates, there must be a trust relationship between A - public B - public these issuers, hiding the fact that these certifi- A - private B - private cates are issued by different issuers from the 5 users (cross-certification). There may also be Signature many different types of specialised digital cer- Mr. B o%””x# tificates, according to the policy and service A B - private + B A - public provided. 6 ? Mr. A ABCD 8 A - private AAA Services A - public Mr. A Authentication, Authorisation and Accounting A - private Verified B Signature (AAA) are services needed in a mobile Internet Decrypt #4%# 9 where different operators want to enable e.g. Mr. B chargeable roaming between the different Mr. B EFGH Verified ? Signature A o%””x# domains (ISPs). A A - private Decrypt

30 Telektronikk 3.2000 The AAA systems supporting scalable Internet The results of all these checks and configura- mobility are currently under development by the tions need to be securely reported to the home IETF. Radius and Tacacs, the commonly used network before access is granted to internal AAA systems today, have major shortcomings resources at the corporate network. This is actu- with respect to support for roaming and mobil- ally required if the home network is supposed to ity. The IETF is currently investigating trust that the mobile terminal has not been com- the requirements and working on the solutions promised. Using the currently deployed state-of- needed to support the future mobility services the-art security technology, users establish a expected to be offered on a future mobile Inter- secure VPN channel back to the corporate net- net. work based on proper authentication only, leav- ing the mobile terminal to be hacked by anyone A PKI would be an ideal platform to build these without the home network ever finding out. AAA systems upon. Having a PKI available would enable easier mechanisms for trust across The challenge is however to enforce the required different security domains, allowing simpler policy, e.g. automatically configuring and check- roaming between different operators. ing the mobile terminal as presented above.

Use of Hardware Tokens A proper security policy may e.g. include: The SIM card (smartcard) in the GSM system has turned out to be a successful way of achiev- • What security services are needed; ing secure user mobility. • The right order to enable the different security Using a relatively tamperproof secure storage services; and processing device as a smartcard, access control on the terminal may be enforced in a • How to configure the different security ser- secure manner. In particular, storing and using vices; private keys used in a Public Key Infrastructure on smartcards currently offers the best combina- • How to verify that all services and checks tion of user mobility and security available. have been performed successfully;

Integrating the • What to do if some services and/or security Security Technologies checks fail; Each of the selected security technologies described in the previous section is important in • What to do if attempts to compromise the cur- order to protect the mobile users of the future. rent policy is discovered once the policy has However, the security technologies described been successfully established; need all to be co-ordinated according to a defined security policy. This policy should be • How to inform the right entity on the corpo- defined and managed by the security organisa- rate network about the attempt to compromise tion on the corporate network for professional the current policy. users, and maybe as a service for its customers from the ISP perspective. Different users may have different security policies defined, according to e.g. the type of ser- Take the professional corporate and mobile user vices the user is authorised to access. For each on the Internet as a scenario. Let us say she has user, there may also be different security policies arrived in the UK on a business trip, having left defined reflecting the current network access. Telenor R&D at Kjeller earlier the same day. Three examples of different scenarios include Having arrived at the hotel in London, she one for using dial-up connections to the corpo- decides to connect to the Internet using the rate network, a second one to be enforced when offered WLAN connection at the hotel. Once connecting directly to the Internet and a third connected, she establishes a VPN connection one to be enforced if being on a physically back to Telenor R&D to read the latest mail secured corporate network. using a combination of Mobile IP and IPsec together with her smartcard for authentication The different security policies and its “enforce- purposes. However, the security policy requires ment software” need to be secured as well, mak- several security services to be established before ing sure any attempts on modification is detected the home network accepts the VPN connection. and properly handled according to the defined A local firewall has to be configured properly, a security policy. virus scan has to be performed, the integrity of important files and system aspects need to be verified, important security logs need to be audited, etc.

Telektronikk 3.2000 31 The Policy Control Center • VPN access through the use of “FreeS/WAN” An implementation of a policy enforcement [4], a Linux IPsec implementation. mechanism described in the previous section is currently being developed at Telenor R&D, • Disk encryption mechanisms. called a “Policy Control Center”. The Policy Control Center is controlled by a secured “Pol- All policies need to be verifiable. To verify that icy Control Center Server” located at the home/ the policies defined are actually implemented corporate network. correctly on the mobile terminal, we need to build our implementation upon strong crypto- For communication between mobile terminals graphic protection mechanisms as much as pos- and this server (between the Policy Control Cen- sible. All software components to be used as part ter and the Policy Control Center Server) LDAP of the Policy Control Center need to be integrity over SSL is currently being used with both client protected so that as many attempts as possible on and server side certificates. modifying and bypassing the protection mechanisms are discovered. Successfully bypassing The Policy Control Center Server contains dif- of the Policy Control Center could mean that a ferent policies for different users, as well as dif- compromised mobile terminal is able to access ferent policies for different network configura- the internal corporate network. tions. When a mobile terminal is outside the corporate network, we enforce a stricter security We are currently investigating the possibility of policy compared to the case where the mobile integrating local information protection through terminal is connected via a physically “secured” further use of disk encryption, incorporating the cable inside the corporate network (and behind use of smartcards and PKI systems as well as all the corporate firewalls). other security mechanisms required covered earlier in this article, in order to achieve the best However, when introducing the concept of Mul- possible security for the future users of Internet tiple shared virtual VPNs as described earlier mobility. where a physically secured cable is simply not available, you need to introduce a security policy Our current work covers the development of a similar to the one used when connected directly pure JAVA version of the Policy Control Center, to the Internet. making sure that all kinds of different terminals running JAVA may be secured using our PCC. The initial implementation of the Policy Control Although the PCC implementation is platform Center was running on Linux, where we have independent, the policies themselves are how- investigated among other things the following ever highly platform dependent. security technologies to be integrated and used to secure the mobile terminal: Challenges currently under investigation include for example: • Local firewall service through the use of “Ipchains”. This is a rather basic packet filter- • How to most efficiently and securely write ing firewall available on Linux systems. and handle the policies for different platforms;

• A simplified network Intrusion Detection Sys- • How to protect the Policy Control Center tem by a combination of “Ipchains” and “Port- itself from unauthorised modification and Sentry” [2], allowing dynamical blocking of bypassing attempts; unauthorised network attacks using TCP- wrappers. • Making sure the right policy is selected automatically, how do you know where you are? • Host based Intrusion Detection System through the use of “LIDS” [3], the Linux Conclusions Intrusion Detection System. Keeping a computer system connected to the Internet secure is a challenging task even for • Integrity protection on the PCC itself as well experienced security personnel. New software is as on all system critical parts of the file sys- frequently being introduced, often with little or tem through the use of “LIDS” [3]. LIDS no concern for potential security implications, enables the strict enforcement of read-only and new vulnerabilities are constantly being policies, making selected parts of the file sys- found both in old and new software. In particu- tem read-only or append only even for the lar, without an open development model, mis- superuser (root). takes made before are bound to be repeated over and over again without the customers ever hav-

32 Telektronikk 3.2000 ing the possibility to verify the functionality of References the software or detect potential security flaws in 1 Bellovin, S. Distributed Firewalls. ;login: the implementation themselves. special issue on security, November 1999.

Other security mechanisms are needed to secure 2 Psionic PortSentry 1.0. 2000, September 28 computers, in particular mobile terminals roam- [online]. – URL: http://www.psionic.com/ ing the Internet; the security focus must be abacus/portsentry/ shifted towards the terminals themselves. The Policy Control Center takes the security level 3 Linux Intrusion Detection System. 2000, steps ahead compared to the currently imple- September 28 [online]. – URL: http://www. mented state of the art security mechanisms lids.org/ available for mobile (as well as other) terminals. In particular, there are two aspects of the Policy 4 Linux FreeS/WAN. 2000, September 28 Control Center worth repeating; it is able to [online]. – URL: http://www.freeswan.org/

• Automatically configure the mobile terminal 5 The Internet Engineering Task Force. 2000, with respect to a predefined security policy; October 9 [online]. – URL: http://www.ietf. org/ • Verify the state of the mobile terminal with respect to security before access is granted to 6 3GPP. 2000, October 9 [online]. – URL: the internal corporate network. http://www.3gpp.org/

When designing the actual security policies, 7 PGP Security. 2000, October 9 [online]. – “Defence in Depth” should be the guideline; add URL: http://www.pgp.com/ redundant security mechanisms – do not rely on a single protection mechanism that will be a “single point of failure” with respect to security!

The security level that may be achieved by introducing a Policy Control Center however is only as good as the actual security policies themselves; even with a flawless Policy Control Center in place, it will not be able to defend your terminal if there is an “opening” or a flaw in the actual security policies.

Coming technologies and products that introduce some similar concepts as our PCC include COPS within the IETF [5], MEXE within the 3GPP [6], and PGP Desktop Security 7.0 from PGP Security [7].

Telektronikk 3.2000 33 Mobile Agents and (In-)security

TØNNES BREKNE

1 Introduction agent which is also represented by the agent. In A mobile autonomous agent is a process that is any case some sort of signature traceable back capable of migrating between different execution to the agent’s owner will probably be required. environments during its computation. In doing so, it may cross boundaries between different Agents acting as representatives of legal persons domains, and do parts of its computation on may also have other requirements they must ful- different hosts. fill.

EXAMPLE 1. An autonomous mobile agent could be EXAMPLE 3. Consider an agent that carries out a

Tønnes Brekne (31) is on leave a program which visits database hosts to search transaction on behalf of its owner. What hap- from his position as Research for data, and place orders for query results at pens if a fault disrupts the transaction? Two Scientist at Telenor R&D. He is those sites where relevant data are found. possibilities are: currently a doctoral student at the Department of Telematics at the Norwegian University of Sci- There also exist mobile agents that are not • The agent crashes on the host platform right ence and Technology in Trond- autonomous, which follow data, and might after it commits to the transaction. Because heim. even be embedded in data. it crashes, it does not return to its owner to [email protected] inform the owner of the transaction’s comple- [email protected] EXAMPLE 2. Word and Excel macros embedded tion. If the agent system has “at least once” in the corresponding document types are exam- semantics, then the owner’s system might send ples of mobile agents that are embedded in doc- a new agent with the same instructions once ument data, and that are supposed to lack auton- more, potentially duplicating all the transac- omy, although they sometimes are autonomous. tions that the first agent was supposed to carry out. If the agent system has “at most There is no inherent harm in using mobile soft- once” semantics, then the owner’s system ware. As with other software, security issues might not do anything, and get a surprise should be satisfactorily resolved before using when the service provider sends its bill. mobile software. Unresolved security issues usually introduce risks which are not under control. • The agent crashes during the transaction. Depending on the exact type of fault, and the Knowledge about how to secure systems free construction of the agent platform itself, the of mobile agents is fairly widespread – at least host may not be able to recover the computa- among security professionals. What is not so tion. In this case, the host might be able to roll widespread is knowledge about how one secures back the transaction. Otherwise this is similar a system properly against any ill effects caused to the case above, with the exception that the by mobile agent systems, especially those where transaction was not completed. the agents supported can be autonomous. This is primarily because such knowledge is currently The point of the above exercise is to demonstrate far from complete. that fault-tolerance issues border on some security issues, and that the fault handling one selects Code mobility violates several assumptions has an influence on what happens when things which are usually considered reasonable for sys- go wrong. Faults may be induced by attacks tems without code mobility. Chess lists in [2] a (denial of service attacks, for example), so the number of previously reasonable assumptions way one handles faults is relevant not only for that are violated by mobile code. Each of these dependability, but also in part for the security violations gives an attacker more possibilities. of mobile agent systems.

Many of the services envisioned as important There are other issues as well. When an agent applications of mobile agents, require the agents enters a domain under the control of another to act as representatives of one identifiable legal operator than the one it was sent from, there person. This has important implications for the is the question of policy compatibility: required level of security, because such action somehow has to be made legally valid. Such ser- • The agent may have defined which parts of it vices will probably require the agent to be capa- the host platform may pass on to the host, and ble of generating a valid digital signature on which are only for use within the agent plat- behalf of its owner: the legal person sending the form. This access control pattern may or may

34 Telektronikk 3.2000 not be compatible with the security policy A process p has an associated set of possible Ψ within which the host platform operates. executions p.

• Regardless of whether data are passed on to Let φ be the set of all algorithmically definable the host or not, the second issue after policy operations. A very general model of access con- compatibility is the enforcement of legitimate trol is an extension of the access control matrix. data usage. This has a lot in common with The normal access control matrix model consists copyright issues. of a matrix of elements A[s, o], which contains the rights subject s has to object o. An object is Policy data that an agent carries with it, may merely a named data structure. A subject is an therefore end up having a lifetime significantly object that happens to represent executable code longer than the agent’s entire computation. This or a hardware processor of some kind. A right is in turn implies that agent visits may entail irre- a reference to an operation in φ that may be versible changes to remote security policies or applied to an object. Note also that s may apply access control structures. some right r ∈ A[s, o] to o at any time. This model may be generalized by: Enforcing security policies is a problem that is generally difficult, particularly when the policies • letting A[s, o] be a set of triples (r, q, c), also say something about how data may be used, where distributed, etc. There are mainly two sides of - r is a reference to an algorithmically this problem in the mobile agent context: expressible operation selected from φ;

• securing the host against policy violations by - q is a state of some sort; an agent running on the host’s agent platform; and - c is an algorithm that takes q as a parameter and checks if s may apply r to o; and • securing an agent against policy violations by the host platform on which it is running. • requiring c to return the decision result as well as a q' that replaces the q stored in A[s, o] A lot of work has already been done on the first prior to the access attempt. half of this problem. Schneider recently proposed in [8] a mechanism that handles a class of By dropping the informal requirement of algo- policies more sophisticated than those that can rithmic expressibility, as well as allowing sub- be modeled by the classic access control matrix. jects to be both legal persons and automated The real challenge is providing the same protec- components, the above model can accommodate tion to the agent and its data. This appears to be both the automated and manual parts of a system a very hard problem, as the agent computation is (read: both computers and people). running on a platform completely under the control of a potential attacker. Therefore one must A subject s has a right (r, q, c) to an object o assume that the attacker effectively has read and if and only if it has the legitimate authority to write access to all parts of the agent. apply r to o under the constraints defined by c and q. A security policy can be viewed as a 2 Terminology system for assigning and managing rights. For the sake of brevity, the term agent will hereafter refer to mobile, autonomous processes An interesting model proposed by Schneider in (sometimes also called mobile agents), or code [8] is one based on execution monitoring. In the for processes embedded within data (sometimes execution monitoring model, a security policy also called embedded agents), unless otherwise is defined by a predicate P operating on a set is stated. The main practical difference between P ⊆ Ψ. Since it is not practical to evaluate predi- ^ the two types of processes covered by the term cates on sets, another predicate P is defined, mobile agent is that code embedded in data most which operates on the elements of each set: the ^ often is not autonomous. A platform is the envi- execution of a process. P is necessarily at least as ronment within which an agent executes. restrictive as P (see [8] for details), and one says that a process p adheres to its security policy if ^ Denote by Ψ the set of all possible executions for any given execution σ, P (σ) holds. (terminating and non-terminating) by any single process. Each element in Ψ is a string where each symbol represents an event, a state, or a combination of these; the type of representation is not relevant for the purposes of this article.

Telektronikk 3.2000 35 Sets definable by such predicates are also called Many of the relevant problems have been stud- properties. Sets that cannot be defined by first ied in some depth before, either in the context of order logic are called quasi-properties for the viruses (in the sense of Cohen in [3]) or hostile duration of this article. applets. The results for viruses are perhaps especially interesting for agents embedded in docu- A system, or a part of it, is called secure if: ment data, as is the case with Excel and Word macros, and languages like PostScript. This arti- 1. the operator’s risk associated with operating the cle, however, will not focus on the challenges system is bounded and under control; and/or that still remain with respect to malicious software. 2. all executions adhere to the security policy defined using the risk assessment. In the following, subsections titled “Agent Attacks” deal with attacks carried out by agents There exist a lot of models for access control, on other agents in the host platform environment but until recently there was only one widespread or on the host platform itself. mechanism employed in implementations: the reference monitor. Execution monitoring can be 4 Availability considered a generalization of the reference Availability is of fundamental importance. If monitor model, where a monitor can be built resources are not available to legitimate users, into a process p prior to execution. This monitor other security properties or quasi-properties are observes events, states, or a combination of usually of little or no interest. For an agent plat- these as they occur during p’s execution. These form at some host, availability may be associ- actions form a string σ which is the prefix of ated with an ability to: ψ ∈ Ψ σ some execution p. If is such that there is Ψ ∩ σ no execution in p P having as prefix, the • receive incoming agents, and initiate their process p is terminated. By definition p has vio- computation within a reasonable amount of lated the security policy by attempting an execu- time; tion not in P. • supply visiting agents with the resources nec- 3 Securing Agents essary for them to complete their tasks at that This section lists many of the properties (and host within a reasonable amount of time; and quasi-properties) one could wish from mobile agents in a security context. It outlines the chal- • do limited recovery from faults, for as many lenges that arise when one tries to construct types of faults as is cost-effectively possible. agents that satisfy these properties. The challenges are subdivided according to the source- For an agent at some platform, availability may based partitioning of threats given in Section 1. be associated with an ability to:

Mobile agents are dependent on a host platform, • have limited fault-tolerance in the face of which: host-induced faults;

1. supports their computations; • have some graceful mode of failure as a (hopefully) last resort, which informs the 2. interacts with them; and sender of the failure, and how far the computation had proceeded prior to the failure. 3. supports their interaction with other “nearby” agents. Availability is primarily a dependability issue, but it is also security relevant. Several attacks In the case of the autonomous agent in Example base themselves on causing resource outages in 1, one possible platform type would be TACO- the attacked system (or a component therein). MA. In the case of the macro agent in Example Attacks of this type are usually called denial-of- 2, the platform could be a Word or Excel pro- service attacks. The point of causing resource gram combined with underlying network ser- outages may be to: vices used to transport Word and/or Excel documents between hosts. 1. cause parts or all of the system to stop func- tioning and cause economic or other damage; From this starting point, threats can be parti- or tioned according to their source(s): 2. generate a vulnerability, which can subse- • agents; and quently be used to mount the “real” attack. • agent environments.

36 Telektronikk 3.2000 This subsection will concentrate primarily on 2. depriving the agent of resources necessary to denial-of-service attacks, hereafter abbreviated continue execution; or DOS. 3. inducing faults in the agent execution causing 4.1 Agent Attacks it to crash or enter a deadlock. The most obvious attacks are those originating with the agent itself. Agents may mount DOS There may be other types of DOS attacks that attacks by: platforms can carry out against agents executing on them, but the attacks described above are rea- • attempting to consume certain types of system sonably well modeled with the failstop failure resources such that system performance de- model. The agent can to a certain degree be grades drastically; or made resistant against such attacks with a slightly modified and specialized version of • disabling system resources by changing cru- the Norwegian Army Protocol (NAP). Example cial data in configurations or executables. 3 provides some additional motivation for the introduction of fault-tolerant behavior into Similar attacks by viruses and Java applets or agents and their platforms. It is desirable to similar software have been studied in some have a fault-tolerant computation that executes detail. at least once, but not more than once, neither in part nor in whole, provided no more than f faults The remedies for these types of attacks are occur. usually: 4.2.1 The Norwegian Army Protocol • Only allowing agents that run in interpreted (NAP) languages, and that may only access virtual NAP represents a solution that gives limited resources, thereby allowing the host system a fault-tolerance to a mobile agent, and is pro- very effective reference monitor-based control posed by Johansen et al. in [6]. This scheme of the agent’s actions. allows an agent to detect failures and initiate recovery actions, and can to a limited extent • Absolute caps on system resources that may cope with the DOS attacks mentioned above. be allocated to any single process or owner of processes. NAP assumes that each host has a platform capable of running the agent, and that platform • Pre-emptive scheduling constructed to ensure crashes can be detected by a well-defined set fairness for processes with similar priorities. of platforms. A fail-stop failure model is thus assumed, and in addition, a bounded crash rate • Termination of entities that do not adhere to is assumed: security and/or usage policies. There exists a positive integer f such that for Apart from these methods, the host platform’s any 0 ≤ if≤ no more than i crashes of hosts or “judgement” in a very primitive sense must be platforms occur during the maximum period employed to filter agents assumed untrustworthy of time taken by an agent to traverse i distinct from agents assumed trustworthy. To do this, the hosts. digital signing of agents has been proposed (and implemented in some commercial browsers). In In NAP a mobile agent is an ordered collection order for this to have the intended effect, how- of mobile processes. ever, the signature should ideally represent a seal th of approval derived from (trusted) third party The i action, ai, of an agent is transformed to a code inspection of some type. Additionally, it is fault-tolerant action, which is a pair (ai, a'i) such necessary to employ digital signatures that can that ai is a regular action, and a'i is a recovery be traced to a real-world legal person via a action. The execution of a fault-tolerant action trusted key repository. To the author’s knowl- satisfies: edge, none of the commercial implementations satisfy both the conditions needed for such a 1. ai executes at most once, irrespective of scheme to be effective. whether it fails or not.

4.2 Platform Attacks 2. If ai fails, then a'i executes at least once, and Platforms may mount DOS attacks on an agent executes without failing exactly once. by doing one or more of the following things: 3. a'i executes only if ai fails. 1. terminating the agent execution;

Telektronikk 3.2000 37 A failure is caused by some type of fault during supporting a process pj is written Pj. Note in par- the execution of an action. When a failure occurs ticular that it is not necessarily the case that ij= ⇒ = no earlier than action ai and prior to action ai+1, Pi Pj. Note also that Pj changes during the the recovery action a'i starts execution. agent execution if the agent ever changes platform. A broadcast message associated with the A simplified and slightly modified version of completion of action i is written bi. NAP (hereafter called NAP') is presented here. Whereas the NAP protocol tolerates f fail-stops The NAP' execution itself is carried out by let- during a computation, the modified version ting the head execute action a1,i, immediately should tolerate f fail-stops per action-broadcast followed by a reliable broadcast of bi to the tail pair. processes containing the new state information of the head. The head is elected to ensure that Since a mobile agent is represented by many the broadcast is delivered to all the tail pro- similar agents in the NAP' protocol, write ai,j for cesses. The broadcast itself proceeds as the the jth action taken by agent number i for the one given in [6], but with some differences. f + 1 agents in a single NAP' protocol execution. The possible outcomes of the broadcast are Similarly the recovery action for the jth action essentially unchanged: taken by agent number i is written a'i,j. In the following, the head will refer to the primary pro- 1. No platform delivers bi. This happens if either cess, which is doing the actual agent computa- P0 failed or if p0’s execution of action a0,i tion. The tail consists of the remaining backup somehow failed. One of the tail processes pj processes. must therefore begin recovery action a'j,i. Immediately after recovery (including the It is assumed that the agent execution consists new broadcast) is completed, pj takes on p0’s of a series of actions satisfying the following role and spawns a new process pj to take its assumptions. previous role.

1. At least one action is executed on any given 2. The platform P1 delivers bi. This happens only platform. if all non-faulty platforms supporting the agent have delivered bi. The head process p0 2. An action may consist of a move to a new may thus begin executing action a0,i+1. platform, possibly entailing movement to a different host. 3. A platform Pj delivers bi+1, but P0 does not. Thus either P0 failed or p0’s execution failed 3. After each completed action, state information somehow before the broadcast terminated. = = is propagated to the backup processes using a The Pj with the lowest j 0 such that Pj P0 reliable broadcast. This state information acts as rearguard, and executes the recovery should be enough for recovery if the subse- action a'j,i+1. Immediately after recovery quent action fails. (including the new broadcast) is completed, pj takes on p0’s role and spawns a new process 4. The actions need not be specifically listed, but pj to take its previous role. are given algorithmic expression. The postconditions of a NAP' execution is the 5. Upon completing an action, reliable broadcast following: is immediately initiated. 1. The head has completed the last action a0,n. The preconditions of a NAP' execution is the 2. The last broadcast has terminated. following: 3. The head and tail processes have terminated.

1. The degree of fault-tolerance f ≥ 1 is fixed. This description concentrates on the invocation of the fault-tolerance parts. The broadcast proto- 2. The sender has a platform within his domain col details and other details necessary for a com- capable of supporting (part of) a NAP' complete implementation should not deviate much putation. from that described in [6].

3. The 1 + f head and tail processes are initiated 5 Confidentiality at the sender’s platform, with the initial state Confidentiality is about controlling the ability of of the head distributed to all tail processes. any given subject to extract information from an object. Information here is taken in the widest By convention, the head is written p0, and the known sense, the information-theoretic sense. tail processes are written p1, ..., pf . The platform There are three basic methods controlling such information extraction:

38 Telektronikk 3.2000 1. Rendering data uninterpretable for all practical ware support for controlling memory access purposes (which is what encryption does), from the operating system and/or platform such such that the usual transformation of data to that agents cannot exploit host-specific architec- information through interpretation becomes tural information to mount attacks. practically impossible. The second attack above is not necessarily 2. Partitioning data into discrete units, and treat- halted by a virtual machine-based platform, ing the units as distinct objects in a secret although such a platform still forms a fairly sharing scheme, or more generally: an access effective defense. The reason is that if the agent control scheme. is allowed to write to a file and can choose part of or all of its name, it can still attempt the 3. Blocking the release of non-sensitive data A installation of a Trojan horse. that could reveal information about other, sensitive data B due to known or deducible func- The third attack represents the typical attack tional dependencies between A and B. In prac- implemented by a hostile Java applet, where tice these are inference controls as those used bugs in the implementation are exploited in in statistical databases. order to execute unauthorized actions. Defend- ing against this type of attack depends for the For platforms the techniques for implementing most part on a correct implementation that actu- these are well-known. The challenge is replicat- ally logically isolates the agent from manipulating those mechanisms in mobile agents. It might ing the platform in an unauthorized manner. also be of interest to replicate them for embedded agents. The fourth attack is hard to avert. Any invest- ment spent to defend against these attacks EXAMPLE 4. An embedded agent might be con- depends on how information is made available tained in a partially encrypted document, with to the agent. instructions to only reveal the encrypted parts to pre-specified platforms. This is something with 5.2 Platform Attacks typical application to Word documents or simi- The complementary case, where the platform is lar document formats. regarded as a potentially malicious entity resem- bles to a great degree the problem outlined in a 5.1 Agent Attacks paper by Anderson and Needham [1]. The host The agent attacks are fairly well studied. Some has effectively complete control of all plaintext ways of leaking confidential information are data, including the agent platform, and any agents executing on it, along with any of their 1. attempting unauthorized accesses of other code and data stored at the host in question. agents’ code/data areas; The host can under such circumstances achieve 2. installing a payload on the host computer, effortless compromise of all information, save executable outside the platform as a “normal” that which somehow is encrypted in such a form process (such as word macro viruses with as to still be of use to the agent. This problem is DOS virus payloads); a difficult one to solve. It appears to be crucial to enable mobile agents to: 3. attempting to manipulate the platform in order to gain access to confidential information 1. use secrets in their data without revealing (attacking crypto-APIs, for example); or them to the platform;

4. using pure information theoretic attacks to 2. securely generate digital signatures; and design queries used by agents to collect data for subsequent tracker-type attacks (see [5]) 3. securely encrypt information extracted from on collected data, a technique which could the host platform or decrypt encrypted infor- typically be employed in business (or other) mation meant for that platform. intelligence activities. Properties such as these are only possible if one The first attack above is fairly effectively halted can encrypt the agent’s code without changing by a virtual machine-based platform (as for Java its properties when viewed from the outside as applets), provided the transformation from an a process. In other words, the encrypted agent agent’s implementation language to the code must ideally be able to: actually run on the platform is correct, and intro- duces no new functionality. For agents somehow 1. encrypt/decrypt selected inputs and/or outputs; running as native machine code, one needs hard-

Telektronikk 3.2000 39 Figure 1 This figure illustrates E 1. For all f and f': x E(x) i i the general principle of pri- f’(a’, ..., a’ ) = vacy homomorphisms. The i i gi plaintext is x, the encryption f f` E (f (D (a’), ..., D (a’ ))), K i K 1 K gi function E, decryption function D, and f is a function applied D where a’, ..., a’ ∈ S’, and K is a symmetric f(x) f`(E(x))=E(f(x)) 1 gi to plaintext data. The function encryption key. f' is the counterpart of f, when applied to encrypted data 2. For all pi and p'i:

p’(a’, ..., a’ ) if and only if i 1 gi p (D (a’), ..., D (a’ )). i K 1 K hi 2. interact with its environment using either encrypted or plaintext messages, or a com- 3. For all si and s'i DK(s'i) = si. bination of both; Although this is elegant, it has an inherent weak- 3. sign certain data in complete confidentiality ness, summarized in theorem 3.1 in [5]. In while executing on a potentially malicious essence, it is impossible to have a secure encryp- host; and tion function E for an algebraic system like U when that system has a predicate pi inducing 4. support encrypted Turing-universal compu- a total order on the constants s1, ..., sm, and it tation. somehow is possible to determine the encrypted version of each constant. The following example If one looks at these requirements, it should is from the proof of the theorem in [5]. become clear that what is actually needed is the ability to apply operations to encrypted data. This EXAMPLE 5. Take a plaintext system where ∈ ≤ ≤ problem was originally studied in the form of pri- si =i N for all 1 i m. Let one function be vacy homomorphisms for databases. The concept addition (written +), and one predicate be the of privacy homomorphisms is a good idea, and relation less-than-or-equal-to (written ≤ ). The addresses many of the requirements above as corresponding function applied to encrypted long as strong encryption is not a requirement. data is written +', and the corresponding predi- In spite of this, the concept could be central to cate is written ≤ '. If the cryptanalyst knows 1 and solving the above problem. The few subsequent 1', it is possible to decrypt any c' to c by doing a approaches in the field have to some degree binary search using +', 1', and ≤ '. based themselves on the privacy homomorphism concept, even if the resulting system is strictly 5.2.2 Computing with speaking not a privacy homomorphism. Encrypted Functions The privacy homomorphism is revisited in work 5.2.1 Privacy Homomorphisms by Sander and Tschudin [7]. They mention two Let S and S' be non-empty sets with the same potential candidates for encrypted computation: cardinality. A bijection E : S → S' is the encryption function, with its inverse D being the corre- 1. polynomials encrypted with a particular type sponding decryption function. Denote an alge- of privacy homomorphism; and braic system for cleartext operations by 2. rational function composition, where one U = (S; f1, ..., fk; p1, ..., pl, s1, ..., sm), rational function is used to encrypt another.

g → where the fi:S i S are functions with arity gi, Only the first scheme, called non-interactive the pi are predicates with arity hi, and the si are evaluation of encrypted functions, is detailed in distinct constants in S. Denote U’s counterpart their work. Sander and Tschudin present a sim- for operation with encrypted data by: ple protocol demonstrating how it could work. The protocol is as follows: C = (S'; f'1, ..., f'k; p'1, ..., p'l; s'1, ..., s'm), 1. Alice encrypts f. where each f'i corresponds to fi, and each p'i corresponds to pi, and each s'i corresponds to si. 2. Alice creates a program P(E(f)) which imple- Thus f'i has arity gi and p'i has arity hi. ments E(f).

A mapping E is called a privacy homomorphism 3. Alice sends P(E(f)) to Bob. if it satisfies the following conditions:

40 Telektronikk 3.2000 4. Bob executes P(E(f)) using x as argument. Integrity can typically be boiled down to the unauthorized detection of modification of sys- 5. Bob sends P(E(f))(x) to Alice. tem objects by editing, creating, deleting, or reordering data in objects. Integrity is usually 6. Alice decrypts P(E(f))(x) to obtain f(x). achieved by the inclusion of redundant information strongly dependent on the data (or system The encryption itself uses an additively homo- structure) to be protected such that attempts at morphic encryption scheme on a ring Zn. unauthorized

EXAMPLE 6. An additively homomorphic scheme 1. modifications (or creations or deletions) of is presented in [7]. The encryption function objects are detectable; and → x E:Zp-1 Zp for a prime p is g for plaintext x. g is a generator of Z/pZ. Addition of plaintext 2. modifications (or creations or deletions) of is thus arithmetic addition, while addition of the redundant information, are detectable. ciphertext is done using multiplication. In addition to the common integrity concept The plaintext function is a polynomial with coef- there is also a concept of sequence integrity, ficients from Zp-1. Encryption of f is achieved by where a mandatory order is imposed on other- encrypting each of f’s coefficients individually. wise individual data/messages/processes in the The resulting f' is applied to plaintext data by system. Such integrity is relevant for ordered using so-called mixed multiplication. Mixed mul- data, such as video and audio streams. It is also tiplication is an operation where the product relevant for protocols being executed by an E(xy) is computed from E(x) and y directly. Note agent, its platform, or the host upon which the that E(xy) = (gx)y, so E(x) must be raised to the platform resides. yth power in order to compute E(xy). This can be done using a double-and-add algorithm, which 6.1 Agent Attacks translates into a square-and-multiply algorithm As with confidentiality, the agent attacks are for encrypted data. fairly well studied, and they are also very similar. Most of them can be realized if the access The scheme in Example 6 appears to avoid the controls are not precise or not secure (as de- inherent weakness of privacy homomorphisms fined in Denning [4]). Some ways of violating by selecting an encryption function such that integrity are there is no known easily computable total ordering of the encrypted elements. Along the way, 1. attempting unauthorized accesses of other the ability to do repeated applications of the agents’ code/data areas; function on the encrypted data appears to be lost, as the result is encrypted, and Bob can only 2. unauthorized creation, modification, or dele- compute mixed-multiplication. Note in particu- tion of data associated with host software lar that if Bob were able to compute multiplica- (such as changing mailing lists in MS Out- tion in the encrypted domain, he would probably look); be able to decrypt the ciphertext fairly easily. The ability to do multiplication with only en- 3. feeding the platform with misleading informa- crypted elements requires knowledge of either: tion or falsifications; or

1. the generator g; or 4. intentionally trying to trigger race conditions or confuse host protocol state machines by 2. a method of efficiently solving the discrete manipulating protocol messages used in com- logarithm problem. munication with the platform.

Thus the second scheme trades functionality for In addition, mobile agents may also become increased security compared with easily applica- malicious if their state is corrupted during their ble privacy homomorphisms. execution, irrespective of whether that corrup- tion was intentional or not. 6 Integrity Integrity deals with the detection of unautho- The first attack above is also halted by any effec- rized operations on data in a system. The tive virtual machine-based platform (as for Java restoration of damage after unauthorized opera- applets), under similar conditions as those men- tions have occurred is usually considered a part tioned in Section 5.1. Similarly, if the agent is of dependability, while the prevention of the running as a native machine code process on the unauthorized operations is typically taken care platform, there must be hardware support for of by authentication and access controls. controlling memory access from the host’s oper-

Telektronikk 3.2000 41 σ σ σ σ ating system(s) and/or platform to enforce access some sequence = 1 2 ... n of actions must restrictions placed on the agents. not be interfered with, or any interference must be detectable. The second attack is not necessarily halted by a virtual machine-based platform, although such a 6.2.1 Execution Traces platform can thwart a selection of direct attacks. Vigna proposes in [9] a protocol, which in com- The problem is that the agent may try to do bination with a trusted third party, enables the actions allowable within its platform environ- sender to check the execution of an agent upon ment, that still affect host data external to the completion. The protocol bases itself upon a sys- platform in accordance with the platform’s pol- tem where each platform records the execution icy, but in violation of the agent’s policy. trace of an agent from the agent’s execution on that platform. An execution trace is a series of EXAMPLE 7. Consider a spreadsheet which pairs (n,s), where n uniquely identifies a particu- includes an embedded agent in the form of lar action in the agent, and s records changes in macros for a computation. A virtual machine internal variables as a result of the execution of executing those macros might allow write opera- n. In a sense this is nothing more than specifying tions to one particular file on the host. An the format of an “action”, as mentioned earlier, attacker could exploit this by letting the original so these traces can also be considered executions embedded agent itself be harmless, while the in the sense mentioned in Section 2. output to the file is a spreadsheet with macros that make up a malicious agent. Such an agent The protocol itself consists of messages prior to, might subsequently be executed with the permis- and after, the agent’s execution which transmit sions of a local user on the host. This type of data about the agent and its execution. After an attack is also related with the problems concern- execution, the agent’s sender should be able to ing legitimate usage of resources. check an execution trace Tp by using the data in Tp to simulate the complete execution of the The third type of attack can in part be thwarted agent locally, and compare the outcome to that using systematic trust management. Discerning provided by the remote platform. Obviously, this intentionally falsified information from wrong check is only done when there is a suspicion that information given in good faith is at best very the remote platform somehow has tried to com- difficult, and undecideable, as it encompasses promise the agent’s computation. at least one problem with inherent ambiguity (computers are generally not particularly good Denote by EK(data) the symmetric encryption of at deducing intent). Farmer et al. give examples “data” by encryption function E using key K. of this type of attacks in [5]. Denote by Xs(data) the “data” signed with X’s private key. Denote by H(data) the hash value The fourth attack is usually stopped by protocols of “data”. Write the identity of the trusted third m constructed to take such conditions into account, party as T. The notation A → B:data denotes the or by restricting the communication of the agent transmission of message m from A to B, where (as is already done with Java applets). message m consists of “data”.

6.2 Platform Attacks Let A be the sender of the agent in question. Platforms can attempt to compromise the Denote by B1, ..., Bn the list of platforms the integrity of an agent by agent is to visit. For the initial platform, the following steps initiate the protocol: 1. modifying data carried by the agent or in the m1 agent’s workspace; 1. A → B1 :

As(A, B1,EKA (p, SA),As(A, iA,tA,H(p), T )) 2. manipulating the agent’s execution; or m2 2. B1 → A : 3. not properly protecting the agent’s workspace. B1s(B1,A,iA,H(m1),M)

The novel attack here is the manipulation of exe- The field As(A, iA, tA, H(p), T ) will also be writ- cution. Not only must the agent’s data be pro- ten agentA, and be referred to as the agent tected, but the agent’s execution must also be token. The contents of the messages is given protected. Even if an agent could be executed in in Table 1. an encrypted form, this would still be a problem – the only difference would be that the platform would not know what it was doing. In effect,

42 Telektronikk 3.2000 Before continuing, A must examine M to see if it Message Sender Recipient Message part Explanation constitutes an acceptance or refusal on B ’s part. 1 m AB A ( Signature generated by A If it is a refusal, the protocol is finished. If it is 1 1 s an acceptance, the protocol continues for the ini- A, A’s identity tial platform as follows: B1, B1’s identity

EK ( Encryption with A’s key KA A m→3 B : A 3. 1 p, The agent’s code As(A, B1,iA,B1p(KA)) SA), The agent’s initial state

m4 A ( Signature generated by A 4. B1 → A : s A, A’s identity B1s(B1,A,iA,H(m3)) iA, The agent’s identifier The contents of the messages is given in Table 2. tA, Time stamp for agent dispatch H(p), Hash of agent’s code When all necessary verifications have been T)) Identity of TTP done, B1 can begin executing the agent. This execution continues until the agent requests m2 B1 AB1s( Signature generated by B1 migration to a new platform B2. The migration B1, B1’s identity from any given Bi to Bj requires a separate proto- A, A’s identity col. Denote by T p the trace produced by the part Bi i , The agent’s identifier of the execution carried out on Bi. The migration A to the next platform Bj is initiated by the follow- H(m1), Hash of previous message ing three messages: M) B1’s reply

m 1. Bi → Bj : B (B ,B , ,H(T p ),H(S ,t )) is i j agentA Bi Bi Bi m 2. Bi → Bj : It is important to note that authenticity of origin Table 1 Initialization of proto- is not the same as authenticity of the sender: data col for execution traces Bis(KBi (p, SBi ),H(m)) may be sent without their creator having to do m 3. Bj → Bi : the sending in person. Bjs(Bj,Bi,iA,H(m, m ),M) Authenticity of identity deals in general with The last field in the third message (M) contains proving or disproving the identity claimed by either Bj’s acceptance to run the agent, or its a subject. Traditionally, authenticity has been refusal to run the agent. The contents of the proven using one or more independent tech- messages are given in Table 3. niques, and efforts have been concentrated on the case where humans prove their identity to an 7 Authenticity (automated) subject of some sort, or where auto- There are two types of authenticity: mated subjects need to prove their identities to each other as the initial step in some protocol. 1. authenticity of origin; and Within automated environments, only passive Table 2 The rest of the initial- 2. authenticity of identity. data have been authenticated. What one effec- ization of the protocol for exe- tively needs for agents is authentication of pro- cution traces, if B1 agrees to Authenticity of origin deals with proving or dis- cess instances. participate in the protocol proving the claimed identity of the creator of some data, be it art, code or something else. Authenticity of origin is a very hard problem, which might not have any good solution. With Message Sender Recipient Message part Explanation respect to agents, the most relevant cases proba- m3 AB1 As( Signature generated by A bly include authenticity of the origin of: A, A’s identity

1. data carried by an agent from its sender; B1, B1’s identity 2. data acquired by an agent at some platform; iA, The agent’s identifier 3. an agent’s code. B1p( Encryption with B1’s public key

KA)) A’s symmetric encryption key

m4 B1 AB1s( Signature generated by B1 AA’s identity

iA, The agent’s identifier

H(m3)) Hash of message m3

Telektronikk 3.2000 43 Message Sender Recipient Message part Explanation 1. its own data; 2. data acquired from visiting agents; or mBi Bj Bis( Signature generated by Bi 3. data fed to visiting agents. Bi,Bi’s identity

Bj,Bj’s identity As with the corresponding agent attacks, this could be based on digital watermarking tech- agentA, The agent token p niques, if there are any that work with the type H(T B ), Hash of agent trace at Bi i of data in question. H(S ), Hash of agent state at migration B1 t ) Time stamp at migration B1 Without proper authentication of the platform’s identity, an agent may be exposed to any attack m' B B B ( Signature generated by B i j is i involving: K ( B ’s symmetric encryption key Bi i p, The agent’s code • unauthorized access of the agent’s data; or S ) The agent’s state at migration Bi H(m)) The hash of Bi’s previous • simulation of a transaction that was supposed message to execute somewhere else, thereby “duping” the agent. m'' Bi Bj Bis( Signature generated by Bi Bj,Bj’s identity 7.2.1 Watermarking and Steganography Bi,Bi’s identity One suggested mechanism for authenticating iA, The agent’s identifier origin, is the digital watermark. Watermarking H(m,m'), Hash of messages m and m' works by placing information in the data one wants to mark. This information may or may not M) Bj’s reply to Bi be visible, although most efforts are directed at invisible watermarks, as one does not want the marking to affect the data in any perceivable Table 3 Messages for han- 7.1 Agent Attacks way. The information will typically contain the dling migration from one plat- Without some mechanism for ensuring authen- identity of the originator/creator, along with form to another ticity of origin, agents may present false claims other document-specific information of rele- of origin for some or all of vance.

1. its own data; Systems for invisible digital watermarks are 2. the data it acquires during its execution; or often based on steganographical techniques. 3. data it feeds the platform. When a digital watermark is invisible, it may be

One method of ensuring authentication of origin 1. only perceptually invisible; or is to use steganography to mark the object in question. This can be difficult, however, for 2. both perceptually invisible and hidden as a reasons mentioned in subsubsection 7.2.1. communication of data.

Almost all ways of exploiting insufficient The digital watermark can be considered a com- authentication of identity are forms of masquer- munication where the message is an identity of ade attacks. In particular, an agent may attempt a creator, possibly along with other information. to masquerade as another agent by exploiting Steganography is the art of concealing the exis- insufficiently authenticated protocol messages. tence of a communication, so steganographical Ensuring this type of authentication in agents techniques are necessary for the second variant properly seems to require either: of invisible watermarks.

• an ability to execute cryptographical primi- Ideally any steganographical marking used for tives in plain view; or authentication of origin should:

• platform-supported communication with the 1. not affect the original data such that legitimate agent’s sender. users perceive it as degraded;

The former “solution” runs into the problems 2. withstand changes to the original data without mentioned in Section 5. being compromised, and becoming uninterpretable for at least the owner; and 7.2 Platform Attacks Without proper authentication of origin, plat- 3. encode the identity of the originator and other forms may present false claims of origin for information in a robust manner. some or all of

44 Telektronikk 3.2000 So far so good, but this is still insufficient. This 8 Legitimate Usage is only of use against the casual attacker. In Legitimate usage concerns itself with ensuring order for such a marking to actually be of use that an object (which may be a subject) is used in this context, it must also subject to constraints imposed by that object’s creator. In a sense it contains confidentiality 4. withstand tailored attacks designed to destroy and integrity as specialized forms of legitimate that particular type of marking; usage. In essence, legitimate usage can be considered the enforcement of a security policy 5. contain enough information to beyond any defined for a particular instantiation of an object, reasonable doubt separate the markings of regardless of whether it is beyond the reach of different originators. the formal owner or not.

This is an impressive list, and any marking that EXAMPLE 9. Enforcement of copyright on DVD actually satisfies this list will be fairly good. movies, as well as their zoning, is a matter of There remains but one property that must be enforcing legitimate usage. Whether zoning satisfied if the marking is to be of any real use: actually is a legal policy or not is another matter. 6. The first marking must withstand all subsequent markings satisfying properties 1 – 5 Example 9 illustrates the point of control fairly subsequently applied to the data, and it must well: enforcement of copyright would be possi- be possible to single out the first marking as ble with known techniques provided the object such – the marking applied first to the data. is kept within the boundaries of the system in which it was created. This last property is not likely to be satisfied, as it depends on the first marking being affected by This problem has many similarities with that of all subsequent markings without losing any of its confidentiality in an agent context. It should be data. To the author’s knowledge, no such system immediately obvious that legitimate usage is in exists. Any document with two or more stegano- general impossible to enforce unless some robust graphically “strong” markings may therefore be form of authenticity of origin exists. Unless of little or no use as evidence in any court case. authenticity of origin can be ensured, the policy Copyright cases would seem to be a relevant restrictions placed on an object may be circum- example. vented by simply changing the creator’s identity. This is the core of all problems regarding copy- Even if one ignores the last property, achieving right enforcement. the first five properties for most data types is in itself a formidable task. The reason for this is Since there as of today exist no known schemes that steganographical techniques are notoriously for authenticating origin based on difficult prob- type-dependent when it comes to their influence lems, or problems conjectured to be difficult, on perceived data degradation. such as the discrete logarithm problem, the existence of such a scheme will be assumed for the EXAMPLE 8. Steganographic techniques that pro- remainder of this section. vide little or no image degradation, and may work very poorly when applied to text. This Enforcing legitimate usage where objects move means that image manipulations that pass un- out of their owner’s control, has always been a noticed to the naked eye, may stand out as glar- problem. Agents only highlight the difficulties ing errors when applied to text, and vice versa. with respect to enforcing confidentiality and integrity. In effect, this is the problem of global In addition to all this, the five first properties security policy enforcement for objects, even will almost always compete with the actual mes- though access control mechanisms only control sage for bandwidth. In particular, relatively the objects as long as they exist within their sys- small objects may be extremely difficult to pro- tem. This problem in itself consists of the fol- tect steganographically, which could rule out lowing subproblems: use of such techniques to some degree. 1. authentication of origin, which is assumed Currently, steganography has not advanced far solved in this section to highlight the other enough to sort out all the above problems. Espe- problems; cially property 2 above demands a lot of bandwidth out of that which is available. Stegano- 2. policy interaction; graphical techniques do, however, have a certain promise in this area. 3. mechanisms for enforcing very general types of policy (see the generalized access matrix model in Section 2).

Telektronikk 3.2000 45 Assume some agent a carries with it a set of References objects D, which is to be distributed to other 1 Anderson, R, Needham, R. Programming systems via agent platforms. Each of the objects Satan’s computer. In: Computer Science D has a usage policy A[⋅,D] that is to be en- Today : Trends & Developments. van forced irrespective of which domain they exist Leeuwen, J (ed.). Lecture Notes in Computer in. A[⋅,D] is interpreted as: the rights for an arbi- Science, vol. 1000. Berlin, Springer, 1995. trary subject to objects in D. 2 Chess, D M. Security issues in mobile code The platform can control the agent’s action by systems. In: Mobile Agents and Security. inserting execution monitoring into the agent. Vigna, G (ed.). Lecture Notes in Computer This enables the platform a fairly general and Science, vol. 1419. Berlin, Springer, 1998. detailed control of the agent’s actions. 3 Cohen, F. Computer Viruses. PhD thesis. The interesting thing is that embedded agents University of Southern California (USC), may come into their own here. Many data types 1985. are constructed such that they effectively depend on embedded agents to be displayed and/or used 4 Denning, D. Cryptography and Data Secu- correctly. This means that the platform must use rity. Reading, Mass., Addison-Wesley, 1982. the data by executing the agent. The agent effectively provides a service to the platform. Thus it 5 Farmer, W M, Guttman, J D, Swarup, V. is possible to implement a certain control of Security for mobile agents : Authentication usage by constructing an agent with execution and state appraisal. In: Proceedings of the monitoring. This time however, the agent moni- European Symposium on Research in Com- tors the platform’s requests, and terminates if the puter SEcurity (ESORICS), number 1146 in platform attempts a series of requests that violate LNCS, 118–130. Berlin, Springer, 1996. the data’s security policy. 6 Johansen, D et al. Nap : Practical fault-toler- There are two problems with this approach: ance for itinerant computations. In: Proceed- ings of the 19th IEEE International Confer- 1. it requires some method of enforcing agent ence on Distributed Computing Systems execution integrity; (ICDCS ’99). Gouda, M G (ed.). 180–189, 1999. 2. it probably requires the data to be encrypted, and thus the agent to be capable of encrypting 7 Sander, T, Tschudin, C F. Protecting mobile and/or decrypting data using encrypted code. agents against malicious hosts. In: Mobile Agents and Security, LNCS State-of-the-Art 9 Conclusion Survey. Vigna, G (ed.). Berlin, Springer, This article has outlined some of the major chal- 1998. lenges in making agents viable as a computing paradigm in contexts where a high level of secu- 8 Schneider, F B. Enforceable security poli- rity is necessary. cies. Cornell University, Ithaca, New York 14853, Dept. of Computer Science, 1998. Among the main challenges facing constructors (Technical report.) (Revision of July 24, of secure mobile agent systems are: 1999.)

1. enabling the secure generation of strong cryp- 9 Vigna, G. Cryptographic traces for mobile tographic functions by mobile agents; agents. In: Mobile Agents and Security. Vigna, G (ed.). Lecture Notes in Computer 2. ensuring sufficient fault-tolerance; Science, vol. 1419. Springer, 1998.

3. enforcing agent policies; and

4. handling policy interactions.

Work on these issues has started in earnest only recently. It may be a while before one can con- clusively state whether or not mobile agents will be sufficiently securable for applications in, for example, electronic commerce.

46 Telektronikk 3.2000 An Overview of Firewall Technologies*)

HABTAMU ABIE

The increasing complexity of networks, and the need to make them more open due to the growing emphasis on and attractiveness of the Internet as a medium for business transactions, mean that networks are becoming more and more exposed to attacks, both from without and from within. The search is on for mechanisms and techniques for the protection of internal networks from such attacks. One of the protective mechanisms under serious con- sideration is the firewall. A firewall protects a network by guarding the points of entry to it. Firewalls are becoming more sophisticated by the day, and new features are constantly being added, so that, in spite of the criticisms made of them and developmental trends threatening them, they are still a powerful protective mechanism. This article provides an Habtamu Abie (42) is Research overview of firewall technologies. Scientist at the Norwegian Com- puting Centre. He has previously worked as Senior Engineer and Research Scientist at Telenor R&D (1997– 1999) and as Sci- 1 Introduction • All traffic from inside to outside, and vice entific Associate and Scientific Fellow at CERN in Geneva, Today’s networks change and develop on a reg- versa, must pass through it. Switzerland (1989–1993). From ular basis to adapt to new business situations, 1994 to 1997 he also held a such as reorganisations, acquisitions, outsourc- • Only authorised traffic, as defined by the local research position at ABB Corpo- rate Research and worked as a ing, mergers, joint ventures, and strategic part- security policy, is allowed to pass through it. Software Development Engineer nerships, and the increasing degree to which at Nera AS and Alcatel Telecom internal networks are connected to the Internet. • The firewall itself is immune to penetration. Norway AS. He received his Engineering Diploma in Electri- The increased complexity and openness of the cal Data Processing from Gjøvik network thus caused makes the question of secu- Such traditional network firewalls prevent un- Engineering College (1983), and rity more complicated than hitherto, and necessi- authorised access and attacks by protecting the his B.Sc. (1985) and M.Sc. degrees (1988) in Computer Sci- tates the development of sophisticated security points of entry into the network. As Figure 1 ence from the University of Oslo. technologies at the interface between networks shows, a firewall may consist of a variety of He is also working towards his of different security domains, such as between components including host (called bastion host), Ph.D. in Computer Science at the Department of Informatics, Intranet and Internet or Extranet. The best way router filters (or screens), and services. A gate- University of Oslo and UNIK. His of ensuring interface security is the use of a fire- way is a machine or set of machines that pro- past and present research inter- wall. vides relay services complementing the filters. ests encompass security for distributed systems, distributed Another term illustrated in the figure is “demili- object computing, architecture A Firewall is a computer, router or other com- tarized zone or DMZ” [6]. This is an area or sub- and methodology, formal meth- munication device that filters access to the pro- network between the inside and outside net- ods and tools, data acquisition and control systems, hard real- tected network [16]. Cheswick and Bellovin [6] works that is partially protected. One or more time systems, and mobile and define a firewall as a collection of components gateway machines may be located in the DMZ. personal computing. or a system that is placed between two networks Exemplifying a traditional security concept, [email protected] and possesses the following properties: defence-in-depth, the outside filter protects the

Filter Inside Filter Demilitarized Zone (DMZ) Outside

Internal & External Gateway Systems

Figure 1 Firewall schematics

*) The work was carried out while the author was a Research Scientist at Telenor R&D.

Telektronikk 3.2000 47 gateway from attack, while the inside gateway 2.2 Circuit proxy guards against the consequences of a compro- The second approach is the use of what is called mised gateway [6, 9]. Depending on the situa- a circuit proxy. The main difference between the tion of the network concerned, there may be circuit proxy and the packet filtering firewall is multiple firewalls, multiple internal networks, that the former is the addressee to which all VPNs, Extranets and perimeter networks. There communicators must address their packets. may also be a variety of connection types, such Assuming access has been granted, the circuit as TCP and UDP, audio or video streaming, and proxy replaces the original address (its own) downloading of applets. Different types of fire- with the address of the intended destination. It wall configuration with extensive practical has the disadvantage of laying claim to the pro- guides can be found in [6, 4]. There are also cessing resources required to make changes to many firewall products on the market from dif- the header, and the advantage of concealing the ferent vendors. See [8] for an updated list of IP address of the target system. products and vendors. 2.3 Application Proxy This article surveys the basic concept of firewall The third approach involves the use of what is technology by introducing the various kinds of known as an application proxy. An application approach, their applications, limitations and proxy is more complicated in operation than a threats against them. packet filtering firewall or a circuit proxy. The application proxy understands the application 2 Firewalls: Basic Approaches protocol and data, and intercepts any informa- and Limitations tion intended for that application. On the basis Firewall technology can be used to protect net- of the amount of information available to make works, by installing it strategically at a single decisions, the application proxy can authenticate security screen station where the private network users and judge whether any of the data could or the Intranet connects to the public Internet, pose a threat. The price to be paid for this more making it easier to ensure security, audit and comprehensive function is that the clients often monitor traffic, and trace break-in attempts. have to be reconfigured, sometimes a compli- It can also be used to isolate sub-networks, in cated process, with a consequent loss of trans- order to provide additional layers of security parency. Application proxies are referred to as (defence-in-depth) within the organisation. proxy services, and the host machines running There are three basic approaches or services that them as application gateways. a firewall uses to protect a network: packet filtering, circuit proxy, and application proxy [6, 2.4 Packet Inspection Approach 10]. Some authors [12, 9] broadly classify these This approach, in contrast to the technologies so into two kinds of approach: transport level and far described, involves inspecting the contents of application level (by including circuit proxy in packets as wells as their headers. An inspection this category). firewall carries out its inspection by using an inspection module, which understands, and can 2.1 Packet Filtering therefore inspect, data destined for all layers Firewalls having this function perform only very (from network layer to application layer). It car- basic operations, such as examining the packet ries out its inspection by integrating all informa- header, verifying the IP address, the port or both, tion gathered from all layers into a single inspec- and granting and denying access without making tion point, and then examining it. A state-full any changes. Due to this simplicity of operation, inspection firewall is one which also registers they have the advantage of both speed and effi- the state of any connection it is handling, and ciency. The filtered packets may be incoming, acts on this information. An example of a state- outgoing or both, depending on the type of full inspection firewall is the state-full packet- router. An additional advantage is that they do filtering mode in Checkpoint’s “Firewall-1” [5] their job quite independently of the user’s or Network Associates’ Gauntlet. knowledge or assistance, i.e. they have good transparency. Packets can be filtered on the basis Inspection firewalls can provide address transla- of some or all of the following criteria: source tion and hiding, virus scanning, Web site filter- IP address, destination IP address, TCP/UDP ing, screening for key words (typically in e-mail), source port, and TCP/UDP destination port. and context-sensitive security for complex appli- A firewall of this type can block connections cations. to and from specific hosts, networks and ports. They are cheap since they use software already 2.5 Firewall Limitations resident in the router, and provide a good level As pointed out in [9], “Information security proof security since they are placed strategically at fessionals often find themselves working against the choke point. misconception and popular opinions formed

48 Telektronikk 3.2000 from incomplete data. Some of these opinions Content Caching spring more from hope than fact, such as the While caching is not traditionally a function of idea that internal network security can be solved firewalls, it is becoming an increasingly frequent simply by deploying a firewall”. While it is true and important feature. An increase in perfor- that firewalls play an important and central role mance is achieved by caching the contents of an in the maintenance of network security and any accessed location with the result that subsequent organisation that ignores them, does so at its requests for access will lead to already cached peril, they are neither the panacea of every secu- contents being used, without it being necessary rity aspect of a network, nor the sole sufficient to access the location again (except when it is bulwark against intrusion. Knowing what fire- necessary to refresh). walls cannot do is as important as knowing what they can. The following are limitations one Logging and Alerts should be aware of. It is important for a firewall to log events, determine their legitimacy or otherwise, and notify • A firewall is by its nature perimeter defence, the network administrator. It should be noted and not geared to combating the enemy that it is essential to protect the integrity of the within, and consequently no useful counter log, since unauthorised access to, and editing measure against a user who abuses authorised of, the log will, of course, neutralise its raison access to the domain. d’être. Whether the function of protecting the log is fulfilled by the firewall itself or not, is • A firewall is no real defence against malicious a matter of implementation. code problems like viruses and Trojan horses, although some are capable of scanning the Management code for telltale signs. Management ranges from command line to sophisticated GUI-based and secured remote • Configuring packet-filtering rules tends to be access. Security management and administra- a complicated process in the course of which tion, particularly as it applies to different fire- errors can easily occur, leading to holes in the walls using different technologies and provided defence. In addition, testing the configured by different vendors, is a critical problem. As rules tends to be a lengthy and difficult pro- more and more security services are introduced cess due to the shortcomings of current testing and applied to different firewall components, tools. Normal packet-filtering routers cannot properly configuring and maintaining the ser- enforce some security policies simply because vices consistently becomes increasingly diffi- the necessary information is not available to cult. An error by an administrator in maintaining them. a consistent configuration of security services can easily lead to security vulnerability. A fire- 3 Additional Important wall should thus provide a security management Features interface that enables it to be locally or remotely Firewalls are becoming more complex and managed in a coherent and comprehensible fash- sophisticated by the day, and thus more efficient ion. at identifying attempted intrusions and logging them, and automatically notifying the right peo- Virtual Private Networks (VPNs) ple. They provide multiple layers of protection A VPN is an encrypted tunnel over the Internet and some cache data to improve performance, or another untrusted network providing confi- and support Virtual Private Network (VPNs), dentiality and integrity of transmissions, and Web-based administration, authentication, etc. logically all hosts in a VPN are in one Intranet There is also a tendency to add non-security- [16]. Some firewalls include VPN capabilities related functions to the firewall such as built-in (reasonable extension) to secure networks, so Web servers, FTP servers, and e-mail systems, that they can safely communicate in private over and even proxy servers for streaming audio and the public network. They achieve this by strong video. authentication and encryption of all traffic between them. We agree with those who feel that some addi- tions to firewalls make sense and are useful Adaptive Firewalls when they enhance security, while others do not The new trend is towards adaptive firewalls that make sense and may even be dangerous, espe- tie filters, circuit gateways and proxies together cially over time, when they represent a decrease in series [2]. This gives the firewall administra- in security and an increase in vulnerability. For tor greater control over the level of security used example, to add services that increase the admin- for different services or at different points in the istration load adds another potential avenue of use of those services. He may, for example, con- attack. figure the firewall to give priority to speed of

Telektronikk 3.2000 49 transfer at the expense of security when this is 4 Trends Threatening Fire- appropriate. The firewall will then on such occa- walls – and Counter Trends sions reduce security to a lower level, thus allowing for greater speed of transfer, and return it 4.1 Trends Threatening Firewalls to its original level on completion of the transfer. Common network denial of service attacks include mail bombs, ping floods, and attacks Phoenix [15] states that Adaptive Firewall Tech- using known software bugs, all of which are nology provides fluid, self-adapting control of reported to be on the increase. This fact alone network access, a key to establishing an effec- means that traditional firewalls performing tive network security policy by examining every packet analysis using rules and patterns are no packet (and adapting rules “on-the-fly” based on longer adequate protection against network- information in the packet) passing through the based attacks, in addition to which, according network interface. to recent risk surveys [18, 17], more than half of all breaches today are perpetrated by some Quality of Service (QoS) legitimate user already behind the firewall. Some firewalls include QoS features that allow administrators to control what proportion of a The traditional assumption that all inside the given network connection is to be dedicated to a firewall are friendly and all outside it potentially given service. There are those who feel that QoS hostile, is now becoming somewhat outdated. should be handled by Internet routers, while oth- Internet connectivity has expanded, Extranets ers insist that this is a matter of access control, can allow outsiders access to areas protected by and thus should be included in the firewall. firewalls, and some machines require greater Quoting [2]: “Moreover, some vendors, notably access to the outside than others, which often Check Point, have built their QoS engine using involves a change in the internal IP address. the same technology that is in their firewall. The Another threat is the use of end-to-end encryp- philosophy here seems to be, access control is tion since the firewall is unable to peer through access control.” the encryption.

Policy and Firewalls In the literature [3], some people have gone so There are two levels of network policy that far as to suggest that a more adaptive approach directly influence the design, installation and would be to drop firewalls altogether on the use of a firewall system: higher-level policy and basis that they are obsolete, or that the use of lower-level policy [9]. The former is the network cryptography obviates the need for them. service access policy, which lays down which Bellovin [3] disagrees with this view, and so services are to be accessible to whom, and how do we. they are to be used. The latter is the firewall design policy, which describes how the firewall 4.2 Counter Trends and Arguments will implement the network service access pol- Bellovin [3] argues that firewalls are still power- icy, and precisely how it will take access deci- ful protective mechanisms for the following rea- sions in accordance with it. Firewalls typically sons: implement one of two design policies. The firewall may permit any service not expressly • Most security problems are due to buggy code denied, or it may deny any service not expressly – in 1998, 9 of 13 CERT advisories concerned permitted. buffer overflows and two of the rest were cryptographic bugs – and cannot be prevented Service access policy may, for example, decree by encryption or authentication. A firewall that there shall be no access to a site from the shields most such applications from hostile Internet, but allow access from the site to the connections. Internet. Alternatively, it may decree that access from the Internet shall be restricted to certain • Firewalls are also useful at protecting legacy selected services in the site. The latter is the systems. While applications that require more widespread of the two. strong authentication should provide their own, there are too many older protocols and Today’s business environments are, however, implementations that do not. Saying that dynamic. Organisations are continually changing strong cryptography should be used is true but to adapt to new circumstances brought about by irrelevant. In the context of such applications, reorganisations, mergers, acquisitions, etc. it is simply unavailable. Therefore there are regularly new policies to be enforced, and, to remain effective, today’s fire- • More subtly, firewalls are a mechanism for walls must be able to adapt to them. policy control. That is, they permit a site’s administrator to set a policy on external

50 Telektronikk 3.2000 access. Just as file permissions enforce an (Object Request Brokers), thereby increasing internal security policy, a firewall can enforce the security of CORBA-based applications [1]. an external security policy. These trends in the development of firewalls As already stated, we concur with the above, and make them important mechanisms to ease the cite the following additional arguments. transition to flexible and truly distributed security solutions, such as CORBA Security Services Cryptography notwithstanding, the use of fire- [13], thus sparing traditionally-minded network/ walls is deeply entrenched in a number of organ- firewall administrators much discomfort. After isations and is part and parcel of their security all, the laboratory test results described in set up, and will continue to be so for some years “Super firewalls” [11] show that today’s high- yet. While it is true that cryptography is the heir end firewalls are tougher, faster, and easier to apparent to the firewall, the number of as yet use. unresolved issues prevents the assembling of a comprehensive solution for securing distributed 5 Conclusions computing resources around Public Key Infra- Notwithstanding the limitations of firewalls and structure (PKI) and encryption. In addition, the the fact that they are neither the panacea of every process of standardisation within the area of PKI security aspect of a network, nor the sole suffi- is not proceeding particularly rapidly. Thus, cient bulwark against network intrusion, and even those organisations favouring technologies despite development trends that threaten them, other than firewalls will just have to bite the bul- they are still a powerful protective mechanism, let and live with them for the moment. and will continue to play an important and central role in the maintenance of network security Another factor is the ongoing development of for some years yet, and any organisation that new features and services at present being con- ignores them does so at its peril. tinually added to firewalls. These reduce a number of the limitations listed above and increase They continue to change and develop, and new the firewall’s flexibility while allowing it to features are regularly added as the need arises. If retain its original function unimpaired. Exam- developments follow the present trend, they will ples, to mention but a few, that illustrate this continue to combine configurable access control point are: and authentication mechanisms with their traditional functions, thus providing more powerful • The proposal of a distributed firewall [3], and flexible protection for networks to make using IPSEC (IP Security), a policy language, them secure. and system management tools, that preserves central control of access policy while reducing References or eliminating any dependency on topology. 1 Abie, H. CORBA Firewall Security: Increas- ing the Security of CORBA Applications. • Phoenix’s Adaptive Firewall Technology [15], Telektronikk, 96 (2), 2000. as noted above, provides self-adapting control of network access, thus establishing an effec- 2 Avolio, F M. Firewalls: Are We Asking Too tive network security policy by examining Much? http://www.crossnodes.com/ every packet and adapting rules “on-the-fly” icsa/perimeter.html. based on information in the packet passing through the network interface. 3 Bellovin, S M. Distributed Firewalls. Draft Paper version, 7 July 1999. • FORE Systems’ Firewall Switching Agent [7], in combination with Check Point’s Firewall-1 4 Chapman, D B, Zwicky, E D. Building Inter- [5], provides 20 Gbit/s of firewall switching net Firewalls. Sebastopol, Calif., O’Reilly, bandwidth while delivering wire-speed rout- 1995. ing, switching, and class-of-service delivery. 5 Check Point Firewall-1, version 3.0. White • OMG’s [14] CORBA Firewall Security [12], Paper, June 1997. Checkpoint (2000, June which brings firewalls to distributed object 19) [online] – URL: http://www.checkpoint. technology and provides a standard approach com/products/whitepapers/wp30.pdf. by which a firewall identifies and controls the flow of IIOP (Internet Inter-ORB Protocol), 6 Cheswick, W R, Bellovin, S M. Firewalls which has become the de facto standard inter- and Internet Security, Repelling the Wily operability protocol for Internet, providing Hacker. Reading, Mass., Addison-Wesley, “out-of-the-box” interoperation with ORBs 1994.

Telektronikk 3.2000 51 7 FORE Systems. Firewall Switching Agent. 14 OMG. The Object Management Group. White Paper, October 1998. (2000, June 20) [online] – URL: http://www.omg.org/. 8 Fulmer, C. Firewall Product Overview. (1999, December 30) [online] – URL: 15 Phonex Adaptive Firewall Technology, http://www.waterw. com/~manowar/ Multi-Layer Stateful Inspection. White vendor.html. Paper. Progressive Systems, Inc. (2000, June 20) [online] – URL: http:// www. 9 ICSA. ICSA Firewall Policy Guide V2.00, progressive-systems.com. Security White Paper series. ICSA (1999, December 15) [online] – URL: http://www. 16 Schreiner, R. CORBA Firewalls White icsa.net/services/consortia/firewalls/fwpg. Papers. TechnoSec Ltd. (1998, December shtml. 15) [online] – URL: http://www. technosec. com/whitepapers/corba/fw/main.html 10 Moran, T. Fight Fire with Firewalls. Micro- soft Corporation (1998, July 27) [online] – 17 Thompson, M J. Corporate Network Secu- URL: http://msdn. microsoft.com/work- rity (1998, September 21) [online] – URL: shop/server/proxy/server 072798.asp. http://www.thestandard.com.au/metrics/ display/0,1283,750,00.html 11 Newman, D. Super Firewalls. Data Commu- nications, Lab Tests. (1999, May 21) 18 Warroom Study. Security in Cyberspace : [online] – URL: http://www.data.com/. Hearings before the Permanent Subcommit- tee on Investigations of the Committee on 12 OMG. Joint Revised Submission, CORBA/ Governmental Affairs. United States Senate, Firewall Security+Errata. OMG Document. 104th Congress, 2nd Session, 1996. ISBN 0- OMG (1998, July 6) [online] – URL: 16-053913-7. (http://www.warroomresearch. ftp://ftp.omg.org/pub/docs/orbos/ com/researchcollabor/infosecuritysurvey. 98-07-03.pdf. htm)

13 OMG. The CORBA Security Service Speci- fication (Rev. 1.2). OMG (1998, January 15) [online] – URL: ftp://ftp.omg.org/pub/ docs/ptc/98-01-02.pdf.

52 Telektronikk 3.2000 CORBA Firewall Security: Increasing the Security of CORBA Applications*)

HABTAMU ABIE

Traditional network firewalls prevent unauthorised access and attacks by protecting the points of entry into the network. Currently, however, there is no standard mechanism by which a firewall identifies and controls the flow of Internet Inter-ORB Protocol (IIOP), that has become the de-facto standard interoperability protocol for Internet providing “out-of-the- box” interoperation with ORBs, and is based on vendor-neutral transport layer. The OMG’s intention in proposing its CORBA Firewall Security is to provide a standard approach to the control of IIOP traffic through network firewalls, allowing controlled outside access to CORBA objects, thus increasing their accessibility and security. This article describes and analyses the OMG’s CORBA Firewall Security, paying special attention to such issues as Habtamu Abie (42) is Research the specific problems associated with it, how current firewall techniques are used to control Scientist at the Norwegian Com- CORBA based communication, their potential limitations and how these might be overcome, puting Centre. He has previously worked as Senior Engineer and and the various aspects of firewall traversal. In addition, a possible CORBA firewall applica- Research Scientist at Telenor tion scenario is presented. Some CORBA Firewall compliant products are emerging on the R&D (1997– 1999) and as Sci- market, and this current trend in the implementation of CORBA firewall products will also be entific Associate and Scientific Fellow at CERN in Geneva, described. Switzerland (1989–1993). From 1994 to 1997 he also held a research position at ABB Corpo- rate Research and worked as a Software Development Engineer at Nera AS and Alcatel Telecom 1 Introduction ment Group (OMG) [10], a non-profit consor- Norway AS. He received his Engineering Diploma in Electri- Nowadays networks are subject to continual tium with a current membership exceeding 840 cal Data Processing from Gjøvik change and modification as they are adapted organisations, whose purpose is to promote the Engineering College (1983), and to changing circumstances and new situations theory and practice of object technology in dis- his B.Sc. (1985) and M.Sc. degrees (1988) in Computer Sci- brought about by reorganisations, acquisitions, tributed computing systems, is the body respon- ence from the University of Oslo. outsourcing, mergers, joint ventures and strate- sible for setting standards and specifications for He is also working towards his gic partnerships. In addition, networks are in- CORBA Firewall Security. The purpose of the Ph.D. in Computer Science at the Department of Informatics, creasingly connected to the Internet. Due to OMG’s CORBA Firewall Security is to provide University of Oslo and UNIK. His these developments, the maintenance of security a standard approach to control IIOP traffic past and present research inter- has become a far more complicated matter than through network firewalls, allowing outside ests encompass security for distributed systems, distributed hitherto. Common Object Request Broker Archi- access to CORBA objects, thereby increasing object computing, architecture tecture (CORBA) has become the de-facto stan- their security. This article discusses CORBA and methodology, formal meth- dard. Its extensive infrastructure supports all the Firewall Security with the emphasis on such ods and tools, data acquisition and control systems, hard real- features required by new business situations of issues as the specific problems associated with time systems, and mobile and the type mentioned above, and its increasing use it, how CORBA communication can easily and personal computing. in open systems necessitates the development of securely be handled by firewalls, how current [email protected] sophisticated security technologies at the inter- firewall techniques are used to control CORBA face between networks of different security based communications and their potential limita- domains such as between Intranet and Internet tions, and how to overcome such potential limi- or Extranet. One of the best ways to ensure inter- tations. It also describes various aspects of fire- face security is the use of a firewall. wall traversal, IIOP/SSL, callbacks, desired proxy behaviour, chaining or pass-through mode Conventional network firewalls (see [1] for an for IIOP/SSL, and CORBA interworking overview of firewall technologies) prevent un- through firewalls. authorised access and attacks by protecting the points of entry into the network. Currently, how- In addition, this article assesses the CORBA ever, there is no standard mechanism by which a Firewall implementation technologies available firewall identifies and controls the flow of IIOP, on the market, such as WonderWall of IONA, since IIOP has become the de-facto standard Inprise’s Gateway, ObjectWall of Technosec, interoperability protocol for Internet providing NAI’s ORB Gateway, etc. This discussion is “out-of-the-box” interoperation with Object essential to an understanding of current trends in Request Brokers (ORBs). The Object Manage- the development of CORBA firewall products.

*) The work was carried out while the author was a Research Scientist at Telenor R&D.

Telektronikk 3.2000 53 Figure 2-1 Object invocations Client Client-side Server-side Server through firewalls over the enclave firewall firewall enclave Internet Client objects Server objects Internet

2 CORBA Firewall Security As already pointed out, in a CORBA environ- – an Overview ment, firewalls protect objects from client CORBA is widely available, provides an exten- objects in other networks or sub-networks. sive and mature infrastructure, and plays a cru- A firewall will either grant access from another cial role in integrating many existing enterprises, network to a particular object or deny it. When and has thus become today’s most important it grants access, it can do so at different levels system integration technology for distributed of granularity. For example, access to selected applications. The increasing use of CORBA in objects may be granted, but not to others, and, open systems requires sophisticated security similarly, access to selected operations within a technologies to isolate networks or sub-networks given object may be granted, but not to others. that are in different security domains. A security Firewalls have two distinct functions: inbound domain here means a network or sub-network and outbound protections. Outbound protection under common administrative control, with a involves allowing authorised client objects to common security policy and security level. The initiate communication with objects outside the domain boundary may be between Intranet and enclave (see below), while preventing those not Internet or Extranet. The appropriate means to authorised to do so from doing so. Inbound pro- enforce security policies at the boundaries be- tection involves granting authorised outside tween security domains are firewalls. client objects access to inside objects while denying unauthorised outside objects access. The aim of OMG’s CORBA firewall is to With no outbound protection, clients would be improve accessibility to CORBA application able to access any outside resource, and with no servers when there is a firewall separating a inbound protection the contents of an enclave server from a client. It makes it easier to enable would be totally unprotected against the (fre- and control client-firewall-server communication quently malicious and destructive) machinations under a broader range of circumstances with sig- of the world at large. nificantly reduced administrative burdens. Inter- operable CORBA communication is via the Figure 2-1 shows the basic concept of CORBA General Inter-ORB Protocol (GIOP), which on object invocations through firewalls in an Inter- the Internet is implemented by IIOP (a mapping net environment. An enclave, as shown in the of GIOP to TCP transport). Because firewalls figure, is a group of CORBA objects protected control IP networking communication, and by the common firewall which controls all net- because ORBs communicate via IIOP, a large work communication between them and the out- part of the activity of the CORBA Firewall is side world. Enclaves can be nested, so that an dedicated to the various operations involved in enclave may contain other enclaves arranged handling IIOP traffic through a firewall [8]. hierarchically on the basis of different access policies. The figure shows a client object calling The main function of the CORBA Firewall is an operation on a server object in another en- thus to recognise an IIOP message, process it, clave. The client object can communicate and then allow it to pass through providing fine- directly with all objects in its own enclave, grained access control. CORBA firewall tech- but must communicate through the firewall nology is applied to both inbound1) and out- with objects outside. bound2) protections. It processes requests from objects outside the firewall wishing to invoke It should be noted that outbound protection operations on objects inside the firewall, and involves granting or denying inside objects requests from client objects inside the firewall access to the outside world, but in most cases wishing to use CORBA-based applications out- does not involve restricting which operations side the firewall on the Internet or Extranet. they are permitted to invoke on which outside

1) Inbound protection is used to control external access to internal resources. 2) Outbound protection is used to limit the outside resources to be accessed from within the enclave.

54 Telektronikk 3.2000 objects. On the other hand, inbound protection 3.2 Callbacks involves not only denying or granting outside Traditionally in a client/server system, there is a objects access to inside objects in the enclave, very clear and sharp distinction between client but also restricting which operations they are and server. The server accepts connections from permitted to invoke on which inside objects. the client, but not vice versa.

3 Specific Problems Associ- This is not the case in a CORBA object system, ated with CORBA Firewalls a system of communication objects. In many Unlike traditional firewalls, CORBA Firewall cases it is desirable for a CORBA object server Security addresses some of the specific problems to contact a client object, for example, to facili- associated with addressing, callbacks, encryp- tate asynchronous information flow. This is tion, cascading of firewalls, transparency, and achieved by the client creating a callback object, integration into security systems [8, 11]. the reference to which, an IOR containing the address of the callback object’s inbound fire- 3.1 Addressing wall, is passed by the client to the server. The Today’s standard firewalls with static configura- server can then contact the callback object tions are not well suited for dynamic CORBA through its own outbound firewall and the call- applications because they work on the assump- back object’s inbound firewall. tion that a client will always use a fixed, designated port on the basis that a given type of server It should be noted that this is not possible where always listens at that particular port. An HTTP the client-side ORBs have been downloaded as server, for example, always listens at port 80. A Java applets since these applets are not permitted CORBA server object, however, does not listen to accept inbound connections or to create ob- at a specific, designated port. While it is possible jects in the client space, and neither do they have to bind a CORBA object to a specific port in the any knowledge of the inbound firewall. case of simple applications, this is not possible in most cases, because CORBA applications and 3.3 Encryption ORBs generally use objects launched at arbitrar- Encryption technology is the ideal protection ily selected ports. technology, especially for protecting communication over the Internet or other insecure net- Since it is not usually possible to predict which works against tapping and tampering. In CORBA hosts and ports will be used for inter-enclave communication, if the CORBA requests contain CORBA communication, it is difficult to config- confidential information the use of encryption is ure firewalls in this situation. While the Interop- the only way of protecting it. erable Object Reference (IOR) provided by the server, containing host/port addressing informa- Where firewalls are involved, there are three dif- tion, is sufficient within the enclave, since no ferent patterns of encrypted connection: 1) be- firewalls are involved, it does not help client tween client and server, 2) between firewall and objects from outside as they are unable to reach firewall, and 3) between client and firewall and the server object directly. Instead of the actual firewall and server. This means that CORBA address of the server, the client needs a proxified firewalls must be able to handle any combina- address, the address of the firewall. The firewall tion of these three patterns. will process the request and forward it either to the server or to the next firewall. The address of 3.4 Cascading of Firewalls the outbound firewall on the client side can be In many cases an invocation of an operation configured manually, but the IOR containing the passes from client to server through more than address of the inbound firewall on the server one firewall. Figure 3-1 shows such a situation. side must be supplied by the server. In the figure we see how an invocation passes

Company Company Server-side Server enclave firewall firewall enclave

Server objects Internet

Department firewalls Department enclaves Figure 3-1 Cascading of fire- with client objects walls in nested enclaves

Telektronikk 3.2000 55 from a client object in the enclave of a group, for In general, however, the client side knows noth- example the Research Lab, over the Internet, to a ing about the server side, so that the only inter- server object in a server enclave. It passes from operable way of giving the client access to the the client object to the firewall of the Research information about inbound firewalls is to have Lab, then to the firewall of the department, then this information included in the IORs provided to the firewall of the organisation, then over the by the server. Internet to the server side firewall, and finally to the server object. Such cascading presupposes 3.7 Management the ability of invocations to pass through a series A CORBA firewall needs a secure interface of firewalls even when the latter do not use the through which administrators can configure it same technology. remotely and manage security policies. The functionality of this interface should permit the 3.5 Transparency security policy to be configured dynamically. A CORBA firewall should be transparent to Preferably the firewall should be auto-config- users (application programmers, administrators urable. Such functionalities are of paramount and end-users). Schreiner [11] has proposed a importance in the dynamic world of the Internet, transparent firewall that allows a client object to since closing down a site is inconvenient and can use the normal IOR of the server object instead be costly. The management functionality must of a proxified address. The client attempts to also support key management interfaces if the connect to the server object as though no fire- firewall is to be involved in the encryption and walls were present. The firewall intercepts the decryption process as described above. CORBA request and launches a proxy object, which firewall management should also be integrated relays the request to the server object. into the organisation’s overall security management systems, especially into CORBA Security In Schreiner’s opinion this will make things sim- Services [9] management. pler for programmers and administrators since it obviates the need for proxification and will only 4 The OMG Firewall Proposal work if the incoming side uses an officially The Joint Revised Submission on CORBA Fire- assigned IP address. It occurs to me, however, wall Security (submitted in response to the OMG that the use of officially assigned IP addresses Firewall RFP (Request for Proposal)) [8] speci- will limit the use of dynamic IP addresses. Will fies the use of IIOP in network firewalls for con- the use of interceptor and smart agent technolo- trolling access to CORBA-based applications gies be the trend in the development of the new from Internet, Intranet or Extranet, and specifies generation of firewall technologies? and describes how inter-ORB interoperability through such firewalls can be achieved. Accord- 3.6 Interoperability ing to the Joint Revised Submission, firewalls As described earlier, firewalls have two distinct are broadly speaking of two kinds (in contrast to duties, inbound protections that are used to con- Figure 4-1), transport level and application level trol external access to internal resources, and firewalls. The former permit or deny access to outbound protections that are used to limit the different resources using different application outside resources that should be accessed from level protocols on the basis of addressing infor- within the enclave. In order for an ORB to estab- mation in the headers of transport packets, and lish a connection to an object in another ORB, thus on the basis of where things are coming outbound and inbound firewalls that need to be from or going to, and not what is being accessed. traversed must be known. The latter, on the other hand, are in addition restricted to granting or denying access to partic- Information about outbound firewalls is speci- ular application level protocols, such as IIOP or fied in the client side ORB, and information HTTP, and to those resources known to the Figure 4-1 3 Levels of about inbound firewalls may also be specified in application protocol. Consequently, they can different firewalls the case of Intranet and Extranet configurations. grant or deny access on the basis of both addressing information and specific resources.

Figure 4-1 shows the operation of three different types of firewall. Each type operates on the basis Application Application proxy objects of information available at a specific level, app- (socket, request header & body) lication level, transport level or network level. At the transport and network levels, IIOP can be Transport IIOP/TCP proxy, SOCKS (IIOP/TCP) (socket & request header) handled like any other TCP/IP-based application protocol. This means that well-known firewall techniques like packet filters and transport-level Network (IP) Packet filter (IP header) proxies can be used.

56 Telektronikk 3.2000 On transmission, the message body at the appli- As a result, most of today’s firewalls make low- cation level is encoded in CDR (Common Data level access control decisions on the basis of Representation). CDR then translates IDL (Inter- port used. Since there is no well-known “IIOP face Definition Language) data types into a byte- port”, this practice does not facilitate ORB inter- ordering independent octet string. For such an operability through TCP firewalls. As part of its octet string to be decoded back to IDL data type, proposed solutions, the OMG has defined a rec- the interface definition of the object is needed. ommended “well-known IIOP port” and a “well- This information, however, is not as a rule at the known IIOP/SSL port”. This will enable client firewall with the result that the firewall is unable enclaves with TCP firewalls to permit access to to decode the message body. This means that an IIOP servers by enabling access to this port IIOP proxy cannot base filtering decisions on the through their firewalls. request body [11]. The OMG’s firewall RFP points out that, while Since the mechanisms involved in interaction these ports are not mandatory since IIOP servers with a firewall will vary with the type of fire- can be set up to offer service through other ports, wall, it is necessary to have a precise definition the ports serve as a basic guideline for server or of which types of firewall are supported in TCP, SOCKS or GIOP proxy deployment, and CORBA if ORB interoperability is to be make it possible for client enclaves to identify achieved. In this connection, the current joint or filter immediately the traffic as IIOP without revised firewall submission proposes three types processing. of firewall (see below) for use in different situations [8, 11], a TCP firewall for simple and static 4.2 SOCKS Firewalls applications, a SOCKSv5 [16] proxy for client- The SOCKS [16] protocol is an open Internet side firewalls, and a GIOP application level standard (IETF RFC1928) which performs net- proxy for enforcing fine-grained security poli- work proxying at the transport layer, mainly on cies (especially on the server-side). the client-side. SOCKS creates a proxy which is transparent to either party, and which serves as a 4.1 TCP Firewalls data channel between clients and servers based A TCP Firewall is a simple firewall that operates on TCP or UDP. In this case a client can have at the transport level, basing its access control control over which server it wishes to connect decisions solely on information in TCP headers to, in contrast to the situation when normal static and IP addresses. When a connection request is mapping of TCP connections by a TCP proxy is received on a given port of the firewall, the fire- used. A SOCKS firewall could then reasonably wall establishes a connection to a particular host be referred to as a “dynamic TCP proxy”. and port. In the course of this process the firewall uses the combination of host address and SOCKS consists of a SOCKS proxy server on port () to authenticate the client on the firewall and a client-side library. In the client the basis of the IP address alone. Having estab- program the normal network calls of the socket- lished the connection, the firewall will allow interface have to be replaced by the correspond- GIOP messages to pass through uninterrupted. ing calls of this SOCKS library, and the process In other words, ORB protocols are of no signifi- is called ‘socksification’. The server is un- cance to a TCP firewall. changed. The socksified client calls the corresponding functions of the SOCKS library. These A simple form of ORB interoperability through SOCKS functions communicate transparently TCP firewalls can be achieved without any mod- with the client and server over the SOCKS proxy ifications to CORBA. TCP firewalls must be server on the firewall. statically configured with host/port address information in order to process access requests. Figure 4-2 shows a typical scenario of a client The server can then be configured to replace its communicating with an application server own host/port address with that of the firewall through a SOCKS firewall. There are six phases in its IOR for use outside the enclave. How this to the communication process: In the first, the is implemented varies with the situation. One client authenticates itself to the SOCKS proxy Figure 4-2 SOCKS proxy method is to proxify the IOR manually. The server, and if successful, the process proceeds to firewall traversal scenario client thus receives an IOR containing the address of the firewall rather than that of the server, and sends GIOP messages to the firewall (which forwards them to the server) under the impres- sion that is where the server is. 1 Client application SOCKS proxy 2 4 linked with server Application Due to the tradition of TCP/IP using one port per 3 SOCKS client 6 server service, it is common practice to identify a TCP library 5 Relay data service by the port number used for the server.

Telektronikk 3.2000 57 phase two, in which the client requests a connec- of the content of the TCP connection between tion to an application server. In the third phase, the client and server (with the reservation that the SOCKS proxy grants the client’s request SOCKS can be extended to act as an application and, in the fourth, creates a connection to the level firewall). Neither of them is able to check application server. In phases five and six client whether the content of the TCP stream is valid and server exchange data transparently over the IIOP. Hence, neither of them provides any real SOCKS proxy. In practice the SOCKS proxy is defence against the malicious client or allows relaying data between them. From the server’s fine-grained enforcement of security policies. point of view, the SOCKS proxy server is the client, and from the client’s point of view, it is A GIOP Proxy is an application level firewall the server. SOCKS also supports authenticated that understands GIOP messages and the specific traversal of multiple SOCKS proxy servers. transport level Inter-ORB Protocol supported (i.e. a TCP GIOP Proxy understands IIOP mes- SOCKS supports strong authentication of clients sages). A GIOP Proxy Object is a fully-fledged using GSS-API compliant security mechanisms CORBA Object which provides operations for such as User/Password, Kerberos, SESAME firewall navigation. Note that this CORBA [15], or SSL [17]. The client and SOCKS server Object does not require a full ORB to be imple- can enter into an authentication-method-specific mented in the firewall, as long as it behaves in a sub-negotiation. If SSL is deployed, the client’s way that is consistent with the semantics of a certificates can be passed through the connec- CORBA Object, and understands the GIOP pro- tions to allow the SOCKS server and the appli- tocol and a transport mapping (such as IIOP) [8]. cation server to authenticate the client directly. A SOCKS proxy can base transparent access A GIOP Proxy firewall relays GIOP messages control on both IP address information and user between clients and server objects. A GIOP information stored in its server’s and the client’s message consists of a GIOP header, a message configuration files. header and a message body. The message header, which is important for the GIOP proxy, From the perspective of SOCKS, IIOP is simply contains the operation to be called, the object an example of a TCP-based application protocol. key to identify the target object, and the request- Thus, SOCKS is already capable of serving as a ing client. The GIOP proxy makes access control proxy mechanism for IIOP, enabling IIOP traffic decisions or fine-grained filtering decisions to traverse firewalls. So, to handle the simple based on the information in the message header. case of a CORBA client invoking an operation For example, it could block requests to an object on a CORBA object across a firewall (a special with a particular object key, or it could block case of Figure 4-2), the only requirements are requests for a particular operation on a specific that the CORBA client must be linked with a object. SOCKSified TCP library (that provides an identical API for sending TCP/UDP traffic and re- To establish a connection to a server, a client implements these functions to interact with a establishes a connection to the GIOP proxy. SOCKS firewall), and that the firewall must support SOCKS (which most existing firewalls do). If the GIOP Proxy is an outbound one, the ORB An additional change is that the client host must should be configured manually with the IOR of be configured to route SOCKS requests to the the proxy object. If the GIOP Proxy is an in- appropriate proxy server. This is controlled by bound one, the IOR provided by server to the the client-side configuration file [8]. client should contain the IOR of the proxy object on the firewall. The server places this informa- The information on the security provided by tion in a tagged component, which it then SOCKS firewalls, gleaned from recent research includes in the IOR it provides. and experiment [13], is as follows: “As a server side firewall, it doesn’t protect the server ORB The GIOP proxy first authenticates the client, from malicious traffic in the TCP octet stream, and then, if successful, connects to the server. and doesn’t allow a fine-grained enforcement of Now the client sends a GIOP message to the security. These can both be added to the SOCKS proxy. The proxy examines this message to see server, but today’s SOCKS doesn’t support it. whether it conforms to the security policy, and, On the client side an outbound firewall normally if it does, sends it on to the server object. The doesn’t need this feature, so this would be a rea- proxy can, in addition, log the request and the sonable application of the SOCKS firewall.” communication if this is desired.

4.3 GIOP Proxy Firewalls 4.3.1 Connection Styles The two firewall techniques described above There are two styles of connection through work on the transport level with no knowledge a GIOP Proxy: normal and passthrough.

58 Telektronikk 3.2000 •A Normal connection is one in which the Proxy object at the client side too, making a client connects to the firewall, which in turn callback similar to a normal request (but in the connects to the server. The client perceives the opposite direction) from the server to the client, firewall as the server, and the server perceives allowing security enforcement at the client side. the firewall as the client, neither being aware that it is connected to a mediator. It is the fire- 4.3.3 IIOP/SSL wall’s job to ensure that both the connections The standard protocol in use today for the en- are correctly maintained, and to raise the right cryption of requests sent over the Internet is exception and inform the client in the event of SSL. SSL supports strong authentication based a request being blocked or denied. on asymmetric cryptography and standard X.509 certificates, while symmetric encryption is used A GIOP proxy in this mode can examine the on the IIOP message itself. ORB interoperability GIOP message and do fine-grained filtering as is frequently based on IIOP/SSL. Therefore, mentioned above. This gives rise to two secu- GIOP Proxy firewalls that forward IIOP requests rity issues. Firstly, the client may not trust a must support the use of SSL as a transport mech- GIOP proxy, and hence would not want the anism for secure invocations, and the proxy proxy to examine the traffic. Secondly, the administrator must have an interface to the client and server may be using a particular proxy in order to be able to specify different authentication and/or encryption mechanism levels of access control for different users, client that is unknown to the proxy. Both of these objects and target objects. The proxy should problems can be solved by the concept of a include client and server side authentication for passthrough connection. proxified connections, access to client and server X.509 certificates, and access control to proxies. •A Passthrough connection is one in which the GIOP proxy does not terminate the con- For proxy firewalls to support the use of SSL a nection at the GIOP level. The difference number of requirements must be met. The first is between a TCP proxy and a GIOP proxy oper- that the certificate of the client must be accessi- ating in this mode is that the latter provides ble at each link in the proxy chain, and at the security enforcement at the CORBA object server. The second is that each (inbound) proxy level rather than at the transport level. Like in the chain must be able to impose its own the former, it simply forwards GIOP messages access policy on the traffic passing through it. without processing or examining them, or The third is that Certificate Authorities (CAs) raising exceptions, once the connection has must be known to both parties and trusted by been established. them. In addition, either the certificate policies at both sides must be compatible, or it must be The passthrough mode is mainly used for possible for the parties to negotiate a common encrypted communication. certificate policy acceptable to both.

An OMG compliant GIOP proxy has to support Proxies that support the use of SSL fall into two both normal and passthrough connections, but categories: trusted and untrusted. may reject the latter if the security policy dictates so. An untrusted proxy can forward a message from a client by pass-through connection. This means 4.3.2 Callbacks that the proxy has no access to the encrypted The OMG firewall RFP also proposes two solu- message. While this ensures the integrity of the tions for handling callbacks over a GIOP fire- communication between client and server wall: Bi-directional GIOP and GIOP Proxy (which is necessary when one or both of the object. objects are sceptical of the proxy), it gives the proxy little scope for access control, since it is The proposed Bi-directional GIOP solution in- unable to apply its access control list fully. volves allowing a server to reuse a client’s connection to send GIOP request messages. This is A trusted proxy, on the other hand, can, in addi- a very simple approach because if the client can tion to forwarding messages using this same contact the server, callbacks are possible without pass-through mechanism, also forward messages further measures on the client side and only by establishing a separate connection to the works if the server object and the object making server. This enables a trusted proxy to apply full the callback to the client are on the same host. access control, which means that when a trusted proxy is used, access control can be applied at The second proposed solution, more generic and the server, or at the proxy on a per operation secure than the first, involves the use of a GIOP basis.

Telektronikk 3.2000 59 5 CORBA Firewall Traversal possible. If the client object has in its configuration information about an outbound firewall to 5.1 Firewall Tag Components be traversed, it will send the request to that fire- In a CORBA-based system, client objects connect wall. In the absence of such information it to server objects by using an IOR. An IOR con- chooses the first FirewallMechanism in the tains the address of the target object, such as a TAG_FIREWALL_TRANS field of any fire- host/port pair. For an object to be able to pass wall component in the IOR. through firewalls, the IOR must contain access information for these inbound firewalls. In a situ- Having determined which is the first firewall ation where there are multiple enclaves, i.e. cas- to be traversed, the behaviour the client object caded firewalls, it may be necessary for the IOR exhibits will be dependent upon the type of fire- to contain access information for all the firewalls wall involved. For further information on the to be traversed, although, according to the OMG’s traversal algorithm for each of the three OMG firewall RFP, it is strictly speaking only necessary compliant types of firewall, see [8]. for the IOR to contain access information for the first inbound firewall to be encountered by the 5.3 HTTP Tunnelling object, i.e. the outermost inbound firewall. HTTP tunnelling is a mechanism for traversing client-side firewalls [4] by encapsulating IIOP The TAG_FIREWALL_TRANS component, packets in HTTP. In the Web environment fire- contained in an IOR, designates a single point of walls are normally configured to pass HTTP entry into the network of the target object, and traffic, and to block the passage of messages may appear several times, once, or not at all in using other protocols, including IIOP. One way an IOR. The presence of multiple firewall com- of allowing an IIOP message to pass through a ponents in an IOR indicates that there are multi- firewall not configured to pass IIOP traffic, is ple points of entry into the target’s network, to encapsulate, or tunnel, the IIOP message in through any one of which the client can reach the HTTP. This makes possible communication target object. The TAG_FIREWALL_TRANS between CORBA objects through the firewall component is encoded as an encapsulated without any reconfiguration of the firewall. sequence of FirewallMechanism structures. This sequence is important since it describes The client ORB encapsulates the IIOP request in the chain of known inbound firewalls to be tra- HTTP (encodes it into HTTP), which allows it to versed, and therefore dictates the order in which pass through the HTTP proxy at the client side they must be traversed. Each firewall mecha- firewall. At the server side there is an HTTP-to- nism in the sequence contains a FirewallPro- IIOP-gateway which decodes the request from fileId and a sequence of firewall profile data. HTTP to IIOP, and forwards it to the target The latter contains information about the type object. When the target object replies, the gate- of firewall supported. The OMG’s firewall RFP way encodes it into HTTP and sends it back to currently defines three types of firewall, TCP, the client [11]. SOCKS and GIOP proxy. There are, of course, additional processing over- 5.2 Firewall Traversal Algorithm heads associated with this technique due to the CORBA Firewall Traversal enables CORBA encoding of the IIOP message into HTTP, and objects to communicate with each other across the decoding of the HTTP message into IIOP. different security domains and different combi- An additional disadvantage is that it does not nations of different types of firewall, and hence support callbacks. achieves ORB interoperability through firewalls. Since each type of firewall has its own specific 6 CORBA Firewall Application mechanisms for allowing connections through it, One of the benefits of CORBA is the ease with it is necessary to be acquainted with these mech- which it is able to integrate with legacy systems anisms, and to know how firewalls of different through object wrappers which define object-ori- types work in combination. The rules necessary ented interfaces for legacy applications to enable for the traversal of any combination of the above them to interoperate with other objects in a dis- mentioned types of firewall are laid down in the tributed object computing environment. This OMG’s firewall RFP [8]. means that a CORBA firewall can enable legacy systems behind the firewall of an enterprise to A client object will determine whether it needs interact safely with application objects running on to traverse a firewall in order to call a target systems outside the firewall. For example, users object, and will do this by examining the IOR it on the Web can access services of objects that are is assumed to possess. If the client object is in part of the internal system of an enterprise, and an the same domain as the target object it wishes to external third party can access objects for the pur- call, it can make a direct invocation. If the two pose of remotely monitoring and controlling their objects are not in the same domain, this is not activity on behalf of the enterprise.

60 Telektronikk 3.2000 Company B Figure 6-1 CORBA firewall enclave applications over the Internet

Research R&D Research firewalls Company C Company A enclave Company server enclave firewalls Server objects Internet

Department firewalls Company Department enclaves firewalls with objects

Company D enclave fig.2

One of the most important characteristics of tional assumption that all those behind the fire- CORBA is its wide availability and its provision wall are friendly, and all those outside it are at of an extensive and mature infrastructure, which least potentially hostile, more than half of all enables it to play the crucial role it does in the breaches of security are perpetrated by legiti- integration of distributed systems. CORBA fire- mate users behind the firewall, according to walls can therefore fulfil the function of enforc- recent risk surveys [19, 18]. ing different security policies at the boundaries between integrated domains. 7 Emerging CORBA Firewall Implementations Figure 6-1 shows a situation in which four dif- CORBA Firewall Security compliant products ferent organisations engaging in joint research are emerging on the market and this section activities communicate over the Internet using gives an overview of these. This discussion is CORBA firewalls. Companies B, C and D use essential to an understanding of current develop- cascaded firewall access, which enables them to ments in CORBA Firewall Security trends. enforce different access policies for different departments, while company A uses single fire- 7.1 WonderWall of IONA wall access for its server objects, allowing it to WonderWall is an IIOP proxy with a bastion enforce access policy at only one single point of host as its basis, whose job is to decide which entry for the entire company. This means that objects are to be permitted to communicate with the research department, for example, of com- which objects across which security domains [4]. pany B can be permitted to access the domain of the research department of company C, while It filters all messages arriving on the server’s other departments of the same company C can- well-known port on the basis of request message not. Thus a relationship of limited trust can be header, and provides fine-grained control secu- established between partner companies. Those rity. WonderWall supports the exchange of en- organisations using CORBA-based solutions in crypted IIOP messages using Orbix transformer their information systems will benefit from the mechanism, and has a facility for logging mes- use of CORBA firewalls. These include, to men- sages, which allows the tracing of the history of tion but a few, healthcare, telecommunications, suspicious message exchanges and provides a financial, manufacturing and government entities. useful debugging and monitoring facility. A general feature of WonderWall’s security practice is One may reasonably wonder why it should be that all messages are blocked unless specifically necessary to have such defence in depth consist- allowed. It uses proxies, reinforced with special ing of so many cascading internal firewalls when security features, to foil sophisticated attacks on the company’s network is already adequately the network. In addition WonderWall supports protected by the outermost inbound firewall. The HTTP tunnelling of IIOP. explanation is quite simple. In spite of the tradi-

Telektronikk 3.2000 61 7.2 Visibroker Gatekeeper of Inprise 7.5 ORB Gateway of NAI Traditionally, to safeguard network security, The ORB Gateway functions like a firewall Java applets have not been permitted to commu- proxy in that it controls the access of CORBA nicate with objects other than those in their own operations to an enclave, but does so with a enclave of origin. Gatekeeper is a gateway higher degree of granularity in its control over through which Java applets can communicate the CORBA access policy than is typical of a across Intranets or the Internet with CORBA proxy. The access policy is expressed in server objects outside their own enclave of ori- DTEL++, like OO-DTE, and each request is cat- gin without compromising network security. egorised according to this policy. The domains to which an object is granted access are deter- Gatekeeper uses an IIOP proxy server, and sends mined by the category in which the object has all traffic through a single port [2]. It supports been placed on the basis of the degree of trust- SSL, which it uses to secure the Internet com- worthiness of the authentication mechanism. An munication between a client object or a Java unauthenticated object may be granted access to applet, and the firewall. Gatekeeper supports a limited domain with few privileges, while callbacks, HTTP tunnelling and GUI-based con- strongly authenticated objects will be allowed figuration, and provides location transparency. much freer access.

7.3 Custom Firewall Solutions The ORB Gateway currently supports SSL as These may take the form of TCP proxy fire- an authentication mechanism, but in the future, walls; for example SOCKS or TIS Gauntlet’s according to NAI, DCE, IPSec and Kerberos generic plug proxy. They have the advantage of will be used. using IIOP/SSL and providing application transparency, and the disadvantage of lacking appli- The ORB Gateway is a single point of external cation level filtering, having a low level of secu- access to the object services of an enclave which rity and requiring firewall configuration [11]. vets access requests on the basis of the nature of the request and of the attributes of the object TIS Plug-gw as a CORBA firewall from which the request comes, and implies con- The plug-gw of the TIS Firewall Toolkit can be trol of traffic between ORBs of multiple en- used as a very simple transport level IIOP fire- claves rather than gateway or proxy control wall proxy. It needs proxified IORs, which can of traffic with the outside world [5]. be hard if one does not have the ORB’s source code and the environment is dynamic. It does 7.6 OO-DTE of NAI not support secure callbacks [12]. Object-Oriented Domain and Type Enforcement (OO-DTE) [6] provides scaleable, role based SOCKS as a CORBA firewall access control for CORBA systems, and is an As pointed out earlier, SOCKSv5 [16] is one of object oriented extension of DTE, under which the current OMG Firewall Joint Submission’s sug- each resource is assigned a type and each pro- gested firewall mechanisms. In recent experiments cess runs under a domain. What types of re- SOCKS has been successfully socksified [13]. source the processes of a given domain are permitted to read and write is specified by the DTE 7.4 ObjectWall of TechnoSec policy. Analogously in OO-DTE a CORBA ObjectWall is a tool kit to be used in combina- operation is assigned a type, and the client object tion with other firewall tools, such as SOCKS, and server object (called processes by NAI) each to construct secure firewalls for CORBA based runs in its own domain. The client object can applications. It supports transparent proxies at invoke an operation if it is permitted to invoke inbound and outbound sides, callbacks, central an operation of that type, and similarly, the policy management (i.e. it only grants access to server object can implement that operation if it is an object if the security policy defined by the permitted to implement an operation of that type. administrator allows it) and firewalls with several levels of defence, and provides proxies As mentioned above, the language for express- and packet filters. It also supports the dynamic ing OO-DTE policy is called DTEL++. launching of proxies at runtime. There are two versions of OO-DTE already ObjectWall consists of two parts, Enforcement implemented, a DTE-kernel based system that Modules and Policy Manager. The former are provides non-bypassable access for CORBA standard firewall tools, packet filter, NAT (Net- systems, and an above-kernel OO-DTE system work Address Translation), and TCP level prox- that performs access control in an Orbix filter ies with CORBA interface. The latter, the Policy without the non-bypassability feature. The two Manager, has the task of checking whether the versions are, however, interoperable and use the requests are in accordance with security policy same access control policy. [14].

62 Telektronikk 3.2000 NAI state that they are currently working on the where encryption of messaging and authentica- addition of SSL to above-kernel OO-DTE and tion of users may not be necessary. The SSL the improvement of security policy administra- handler supports SSL for authentication between tion, and that the policy distribution and the syn- client and MPOG, and between MPOG and chronisation tools presently under development server, and for negotiating the supported crypto- will allow a centrally administered DTEL++ pol- graphic parameters between client and server, in icy to be automatically distributed to CORBA situations where security is an important consid- systems within the enclave. eration.

7.7 Gauntlet 5.0 of NAI As stated in [3], the MPOG access control mech- Gauntlet 5.0 for UNIX (Solaris & HP-UX) from anism separates the access control decision from NAI [7] is an IIOP proxy for Gauntlet. This the distributed object message handling, and proxy forwards messages sent between CORBA supports OO-DTE domain derivation, trust man- objects across Gauntlet firewalls, only after agement, and per-object and role-based access ascertaining that they meet CORBA’s IIOP control. standard, thus ensuring that only valid IIOP messages travel across the firewall. This protects the 8 Conclusions network by ensuring that IIOP-designated ports Because of CORBA’s popularity as a distributed are used solely for IIOP traffic, and by reducing object technology supporting cross-language and the exposure of CORBA objects to invalid mes- cross-platform interoperability and integration sages that could disable them. of enterprise-wide distributed applications, it is being increasingly used for the development of Gauntlet 5.0 is compatible with IIOP 1.1. It applications over the Internet, Intranet and accepts only well formed IIOP messages, which Extranet in specialised market areas, such as it passes unchanged to both clients and servers in healthcare, telecommunications, manufacturing accordance with the policy expressed in its ad- and financial services. ministrative tools and netperm table, and, in the event of communication failure or a message The OMG recognises the need to safeguard the being rejected, it generates an appropriate error security of CORBA objects, and the fact that message. Gauntlet operates transparently for firewalls are still a powerful protective mecha- both inbound and outbound connections and nism that will continue to play an important and supports callback requests from servers to clients central role in the maintenance of Internet secu- using bi-directional IIOP, and the “NORMAL” rity for some years yet. As a result they have mode of IIOP proxy connection, but the current specified CORBA Firewall Security with a view version does not support the “PASSTHRU” to bringing firewall technology to the world of mode. distributed object computing technology, enabling firewalls to identify and control the flow According to NAI information, Gauntlet has of IIOP traffic, and thus enabling CORBA appli- been tested for correct interoperation with client cation objects behind a firewall to interact safely and server applications based on the ORBs with objects outside the firewall. CORBA fire- Orbix v2.3, OrbixWeb, and VisiBroker v3.3 walls can also make fine-grained access deci- (C++ and Java). sions based on the attributes and operations of objects. 7.8 MPOG of NAI The Multi-Protocol Object Gateway (MPOG) Firewalls continue to change and develop, and [3] is an application proxy server that has been new features are regularly added as the need installed on Network Associates’ Gauntlet fire- arises. If this development follows the present wall. It provides access control for operations on trend, CORBA firewalls will continue to com- distributed objects, and its architecture allows bine configurable access control and authentica- reuse of policy data base and access control tion mechanisms with their already existing techniques for multiple distributed object tech- functions, thus providing more powerful and nologies such as DCOM, CORBA and Java flexible protection mechanisms for the Internet, RMI. It has facilities for message routing based Intranet and Extranet. In the future it is probable on the CORBA, Java RMI or DCOM interface that they may also handle moving agents, and requested. may perhaps be able to provide migration transparency. For handling security protocols, MPOG currently has two protocol handlers, a non-secure OMG CORBA firewall compliant products are handler and an SSL handler. The non-secure emerging on the market, and will continue to do handler uses an unencrypted communication so. channel which can be used in an environment

Telektronikk 3.2000 63 References 11 Schreiner, R. CORBA Firewalls White 1 Abie, H. An Overview of Firewall Technolo- Papers. TechnoSec Ltd. (1998, December 15) gies. Telektronikk, 96 (2), 2000. [online] – URL: http://www. technosec.com/ whitepapers/corba/fw/main.html 2 Inprise’s VisiBroker Gatekeeper. Borland (1999, December 15) [online] – URL: 12 Schreiner, R. TIS plug-gw as a CORBA fire- http://www.borland.com/visibroker/gate- wall White Papers. TechnoSec Ltd. (1998, keeper/ December 15) [online] – URL: http://www. technosec.com/whitepapers/corba/ 3 Lamperillo, G. Architecture of Distributed tis_plug_gw/cfwexp1.html Object Firewall Proxy. NAI Labs, December 30, 1999. 13 Schreiner, R. SOCKS as a CORBA firewall White Papers. TechnoSec Ltd. (1998, 4 IONA Technologies PLC. WonderWall December 15) [online] – URL: http://www. Administrator’s Guide. IONA (1997, Decem- technosec.com/whitepapers/corba/socks/ ber 10) [online] – URL: http://www.iona. socks_exp.html com/ 14 Schreiner, R. ObjectWall : Integrated Protec- 5 NAI, Network Associates Labs. An ORB tion of Dynamic CORBA Applications. Gateway. NAI Labs (2000, June 20) [online] TechnoSec Ltd. (1998, December 15) – URL: http://www.nai.com/ [online] – URL: http://www.technosec. com/products/Objectwall.html 6 NAI, Network Associates Labs. Object-Ori- ented Domain Type Enforcement (OO- 15 SESAME, A Secure European System for DTE). NAI Labs (2000, June 19) [online] – Applications in a Multi-vendor Environ- URL: http://www.nai.com/ nai_labs/ ment. SESAME (2000, June 19) [online] – asp_set/applied/arse_corba.asp URL: http://www.esat.kuleuven.ac.be/ cosic/sesame/ 7 NAI, Network Associates Labs. Gauntlet 5.0 for Unix, an IIOP proxy for Gauntlet. NAI 16 SOCKS V5. SOCKS (2000, June 19) Labs (2000, June 19) [online] – URL: [online] – URL: http://www.socks.nec.com/ http://www.nai.com/asp_set/products/tns/ gauntletunix_intro.asp 17 SSL3.0 Spec. Netscape Communications (2000, June 22) [online] – URL: http:// 8 OMG. Joint Revised Submission, home.netscape. com/eng/ssl3/3-SPEC.html CORBA/Firewall Security+Errata. OMG Document. OMG (1998, July 6) [online] – 18 Thompson, M J. Corporate Network Secu- URL: http://ftp.omg.org/pub/docs/orbos/ rity (1998, September 21) [online] – URL: 98-07-03.pdf. http://www.thestandard.com.au/metrics/ display/0,1283,750,00.html 9 OMG. The CORBA Security Service Speci- fication (Revision 1.2). OMG (1998, January 19 Warroom Study. Security in Cyberspace : 15) [online] – URL: http://ftp.omg.org/ Hearings before the Permanent Subcommit- pub/docs/ptc/98-01-02.pdf. tee on Investigations of the Committee on Governmental Affairs. United States Senate, 10 OMG. The Object Management Group. 104th Congress, 2nd Session, 1996. ISBN 0- OMG (2000, June 19) [online] – URL: 16-053913-7. (http://www.warroomresearch. http://www.omg.org/ com/researchcollabor/infosecuritysurvey. htm)

64 Telektronikk 3.2000 Telenor’s Risk Management Model

ERIK WISLØFF

Introduction This understanding could be used in many ways. Telenor defines risk as “the possibility of loss For instance, it is difficult to cost justify loss caused by threats or unwanted events” [1]. How- reduction measures unless one knows the risks ever, risk is a fuzzy, abstract and highly subjec- one faces. In addition, it is equally difficult to tive concept that is inherently difficult to mea- select reasonable risk financing strategies with- sure and sometimes next to impossible to come out knowing the risks one faces. Selecting a rea- to terms with. sonable risk balance between different products, services or branches is impossible without a One reason for the difficulties in understanding realistic understanding of the business environ- Erik Wisløff (39) works in the risk is the fact that risk comes from a variety of ment. Discontinuing a product or service without field of risk management at sources: political, cultural, financial, legal, tech- regard to the business’ critical success factors Telenor R&D. Prior to this he worked in the security domain nical, environmental, competitive and personal could turn into a nightmare. Thus, knowledge at AIRMATCOMNOR. framework. Another reason is that one risk may and understanding lead to an improved competi- [email protected] be a business requirement in one context, but a tive edge and the benefits mentioned in the in- threat to the same business requirement in a dif- troduction. However, risk management must be ferent context. an on-going business process in order to harvest the benefits. Good risk management will improve the competitive edge of a business, product or service. Risk management is a flexible business process. The improved competitive edge comes from bet- You can use risk management to manage risks ter project management, fewer nasty surprises, associated with a single product or service or to fewer accidents, lower costs while at the same manage aggregate business risks. time improving quality, meeting deadlines, meeting budgets, better customer communica- The primary goal of risk management in Telenor tion, etc. Consultancy firms, hoping to land a is to minimise the aggregate risk cost, which is “hefty contract with lots of money attached”, the sum of all individual risk costs in the busi- are quick to point to these benefits of risk man- ness. The first challenge is to balance future agement. costs caused by an unwanted incident against costs of attempting to prevent the incident from Small wonder, then, that some people view risk happening in the first place. The next challenge management more as magic than science, and is to balance all the individual risks and costs in are deeply suspicious of the claims that risk such a way that the grand total is minimised. managers promote. Risk management is neither science nor magic. Risk management is a repeat- The optimal protection level point, as a risk able business process that systematically exam- manager sees it, is the lowest point in the curve ines all the various products, processes, business labelled “total costs”. This is illustrated in Figure surroundings and business objectives at all levels 1. of the company. No more, no less. A secondary goal is quite simply to identify risks What is Risk Mmanagement and then selectively “fixing any unacceptable in Telenor? problems”. This is typically a support activity in Telenor defines risk management as the business the business process of managing aggregate risk process of managing risks by identifying, ana- exposure. It is a necessary activity, but it quickly lysing and controlling costs related to risks. The turns into an isolated series of suboptimalisa- rewards of an on-going risk management regime tions. However, this is also an important step include towards developing a mature risk management oriented business attitude. • Better knowledge of the risks one faces; Telenor’s Risk Management • Better understanding of the interaction Model between the business and its environment; Telenor’s risk management model illustrates the business process of managing risks. The risk • Better understanding of the business’ critical management model is based on a refinement of success factors. the classical ‘analyse – act – evaluate’ cycle. As

Telektronikk 3.2000 65 Objectives, Strategies and Requirements Economic loss caused Economic cost of by unwanted incidents protection measures The first step in the risk management model is to define the business objectives, strategies and requirements.

Contrary to popular belief, the object of risk Total costs management is not to avoid risk at all cost. The (loss + protection) object is to avoid or transfer unnecessary or

Cost unacceptable risks, while accepting selected risks. Taking calculated risks is an excellent business practise. Accepting risks blindly, or trying to remove all risk, is a very bad habit. There- fore, risk management cannot be effective without consciously deciding which level of risk is acceptable.

The applicable goals, strategies and business requirements define the background – be they Protection level wide-ranging business goals or narrowly defined product requirements. This background is a necessary foundation for the acceptance criteria.

The acceptance criteria come from the objec- Figure 1 Minimising total illustrated in Figure 2, the model consists of five tives, strategies and requirements, and they will costs major steps. be used to decide whether a risk should be accepted or not. Acceptance criteria can be Risk management should not be isolated from described qualitatively (“we will not break any the rest of the business. An obvious drawback laws”) or quantitatively (“We will not accept of the model is that it does not visualise an more than n instances of abc”). Acceptance cri- important risk management practise: communi- teria can also be used to develop risk indicators cation. All relevant risks must be communicated and decide the trigger levels for the risk indica- to the involved stakeholders, and stakeholders tors. Figure 2 Telenor’s risk must communicate their interests to the risk management model manager. Understanding the objectives, strategies and requirements is vital for the risk management cycle. This understanding must be communicated to the next stage in the model, the risk analysis.

Objectives, strategies, requirements Risk Analysis Risk analysis is the second step in the risk management model, and is an essential tool in risk Risk analysis management. The goal of a risk analysis is to identify and analyse risks, compare the risk exposure with the acceptance criteria and suggest loss reduction measures to the unacceptable Acceptance Yes Acceptable risks. This gives the decision-maker the neces- criteria risk? sary background to make a decision on how he No or she wants to treat risks. Acceptable risks should be monitored. Risk analysis is discussed Risk treatment in some detail in another article, and further Avoid Prevent Reduce Transfer reading is available at Telenor’s Risk management homepage [A] or Telenor’s TeleRisk homepage [B]. Risk financing There are different ways to do a risk analysis – Traditional Financial Funding Retention insurance insurance qualitative or quantitative, with formal methods or without formal methods – but the idea is to have a repeatable process that gives high quality Follow-up and evaluation answers at a reasonable cost.

66 Telektronikk 3.2000 Mitigation Strategies • Financial insurance is somewhat opposite to The third step in the risk management model is traditional insurance. With financial insur- to select a mitigation strategy. One can achieve ance, an insurance company charges a lump risk reduction by applying a relevant mitigation sum to cover aggregate risks. Sometimes the strategy toward the unacceptable risks. Telenor’s costs of the materialised risks are less than the four mitigation strategies are lump sum. In this case, they return the difference minus a fee. However, should the costs • Avoiding the risk altogether. If a risk is totally be higher than the lump sum, then the insur- unacceptable and risk reduction is not possible ance firm cannot reclaim the difference from by any other means, then it is necessary to Telenor. avoid the risk, for instance by discontinuing a product or service. Financing is necessary for risk reductions and acceptable risks. If the risk is too low, it is possi- • Preventing the risk from materialising. This ble to remove risk reduction controls thus lower- mitigation strategy corresponds to reducing ing the cost of financing risks. the frequency or likelihood of a risk materialising. An example of this strategy is the As a rule it is necessary to keep the mitigation widespread use of virus control to prevent cost lower than the cost suffered if a risk materi- malicious software from harming a PC. alises. The risk manager might know a lot about risk and risk mitigation, but the finance officer • Reducing the consequence if risk does materi- is the financial expert. Therefore, there are close alise. Backup of servers is a classical example links between risk management in Telenor, the of consequence reduction. Even if malicious finance officer and insurance in terms of Telenor software does take out a server, up-to-date Forsikring AS, the Captive of Telenor. backups minimise harm. Monitor and Review • Transferring the risk to a third party. Insur- The final step is monitoring and reviewing. Risk ance, contracts and disclaimers are traditional management is a continuous process, an on- methods of transferring risk to a third party. going cyclical activity. The background, risks discovered during the risk analysis, risk mitiga- Usually a mix of the mitigation strategies will tion and risk financing must be monitored con- give the best result. The importance of the finan- tinuously and reviewed regularly. cial mitigation strategies is highlighted by the situation where it is impossible to avoid or pre- In addition to this, the risk manager must com- vent an unacceptable risk, and the decision- municate regularly with all stakeholders and any maker accepts the risk. At this point, the offen- other interested parties. sive risk manager should prepare fallback strategies and suggest financial mitigation measures. Supporting Framework Risk management is heavily dependent on senior Risk Financing management involvement. The board of direc- The fourth step, risk financing, is necessary tors approved Telenor’s original risk manage- whether the mitigation costs are payable up front ment policy 17 March 1995. This policy is re- or they turn up when a risk materialises. Risk placed by the current policy, approved by the financing in Telenor primarily falls into one of board of directors, dated 18 September 1999 [2]. the four main strategies: An important benefit of good risk management • Funding the mitigation is usually used if is that one is on top of the situation. There is less “something” is done to prevent, avoid or uncertainty, one addresses only the unacceptable reduce a risk. The funding can be self-financ- risks and there will be fewer crises and nasty ing or financed by the customer. It is possible surprises. However, even a good framework to build up reserves without having to pay needs support. Telenor’s risk management taxes when the funding is unfunded or funded framework is supported by methods, guidelines, by way of a Captive. leaflets, word lists, template files, etc. The Risk Manager Forum plays an important role as an • Traditional insurance is commonly used. An arena where the risk managers meet and discuss insurance company usually accepts the costs topics of interest. associated with a risk materialising. Of course, they expect payment for accepting this risk. Concluding Remarks The perception of risk management appears to • Retention is the sum or cost the business has be changing globally, as does the concept and to carry by itself in order to get a lower insur- definition of “risk”. ance premium.

Telektronikk 3.2000 67 In the coming years it is likely that risk manage- References ment will have two parallel perspectives. The 1 Faglig plattform for risikoanalyser i Telenor. first perspective is the defensive side, where one Telenor Infotorg. (2000, June 26) [online] – attempts to minimise aggregate risk costs. Today URL: http://134.47.108.143/staber_og_ this is the primary focus of risk management in selskaper/sikkerhet/dokumentene/24/10/ Telenor. The second perspective will be the telerisk20.doc offensive side, where risk managers actively support risky business ventures by identifying 2 Konsernprosedyre for risikostyring i risks, opportunities and exits, preparing fallback Telenor. Telenor Infotorg. (2000, June 26) strategies while aggressively supporting an [online] – URL: http://134.47.108.143/ increased risk exposure. The offensive perspec- staber_og_selskaper/sikkerhet/doku- tive reflects the adage that it is not possible to mentene/67/49/konsernprosedyre_for_ make money without taking risks. risikostyring.doc

Risk is traditionally associated with a negative Suggested Reading impact and unwanted incidents. Today, many A Telenor Infotorg website for Risk manage- risk management forums attempt to embrace the ment, select Risikostyring in the menu bar at concept of risk as both a positive and negative http://134.47.108.143/staber_og_selskaper/ factor. The argument for this varies, but more or sikkerhet/index.htm. less appears to follow these lines: risk is not necessarily the incident itself, rather: it is the conse- B Telenor Infotorg website for TeleRisk (risk quence of an incident. Thus, if an incident analysis), select TeleRisk in the menu bar at occurs, the outcome is either a downside (loss) http://134.47.108.143/staber_og_selskaper/ or an upside (gain). The opposition points out sikkerhet/index.htm. that while this may be correct, one is better off if this is called uncertainty management with two C AS/NZS 4360, which embraces the concept distinct and separate processes: the traditional that risk is neutral (can have an upside and risk management minimising the downside, and downside). AS/NZS 4360 is a much cited opportunity management maximising the upside. risk management standard.

Telenor has set out to take advantage of these D BS7799, which only views risk in the tradi- emerging trends by setting up a project to pro- tional sense (downside). BS7799 is on track mote a corporate business risk management to becoming an ISO standard. methodology. This methodology will include risk management practices for “uncertainty” E CORAS, an IST project proposal for a plat- management, while taking advantage of both the form for risk analysis of security critical sys- defensive and offensive perspectives to risk tems at http://www.telenor.no/fou/prosjekter/ management. coras/coras.htm.

F Risk management site at http://www. riskmanagement.com.au.

68 Telektronikk 3.2000 Risk Analysis in Telenor

ERIK WISLØFF

Risk analysis is an essential activity in the risk Australian standard [3]. The model is illustrated management business process. Risk analysis in Figure 1. identifies threats, assesses how often they will materialise, assesses the impact the threat will The risk analysis consists of several sequential have if it does materialise, presents the individ- steps, beginning with a description of the TOE. ual threats in an easily understood risk exposure The result of the analysis is a written report that statement and identifies possible loss reduction usually includes recommended loss reduction measures. The object of a risk analysis is to sup- measures. port a decision-process by explicitly stating the Erik Wisløff (39) works in the risk exposure. Describing the Target of Evaluation field of risk management at The first step is to define the target of evaluation Telenor R&D. Prior to this he worked in the security domain Important deliverables of the risk analysis are (TOE). The TOE can be anything – a business at AIRMATCOMNOR. the identified threats, the risk exposure of each process, a physical object, a logical object or [email protected] threat and appropriate loss prevention measures. social interactions. A precise description usually includes Among the benefits of performing a risk analysis is a better understanding of the target of evalua- • The name of the TOE and the stakeholders; tion (TOE) and the possibility to cost justify loss protection measures. However, an on-going Risk • An unambiguous purpose for the analysis; Management regime must be in operation to harvest the full benefit of a risk analysis. • A rough draft of the TOE and how the TOE interacts with the surroundings; Telenor’s Risk Analysis Model Telenor’s risk analysis model is described in • All relevant facts, conditions or circumstances Faglig plattform [1]. The model is in part in- of importance to the analysis. This is informa- spired by Norsk Standard for risikoanalyse [2], tion about the TOE or the TOE’s surround- and is compatible with [2] and the more recent ings, and may be technical, political, legal,

Describe the target of evaluation

Threat analysis

Frequency analysis Consequence analysis

Exposure description

Acceptance Acceptable Yes criteria risk?

Recommend loss Monitor and reduction measures review

Figure 1 Telenor’s risk analysis model

Telektronikk 3.2000 69 financial, social, environmental, humanitarian niques [5] even though this is a less structured and/or organisational information; approach to threat identification.

• A clearly stated boundary between what is The next half step is an analysis of what causes a included and what is not included in the risk threat to occur. A separate brainstorming session analysis. may be necessary unless the causes were established during the threat identification phase. In The quality of the analysis is heavily influenced this session one tries to answer the question by this first step. If a critical part of the TOE is “what can cause this threat to materialise”. forgotten or deliberately omitted the analysis may be invalidated. Missing or inadequately de- The depth of the causal analysis is determined scribed parts of the TOE usually produce con- by the length of the causal chain. The direct fusion and arguments instead of a good under- cause of the threat is sometimes enough, but it standing of the TOE. Arguments are also com- may be necessary to establish a chain of causes mon when people do not accept the limits of the before the causality is sufficiently examined. analysis. Frequency and This step is important, because it synchronises Consequence Analysis people’s understanding of the TOE and lays The third and fourth step consists of analysing down the ground rules for the threat identifica- the frequencies and consequences related to each tion phase. threat. The model shows these steps side by side, because it is a matter of personal preference and Unfortunately, the layperson is seldom prepared practicality whether one is completed before the to spend time on this step because “everyone other begins, or if they are analysed in parallel. knows what the TOE is”. Maybe, but it is a rare occasion when everyone knows what the TOE The frequency analysis examines each threat to actually is, understands what it really does, cor- determine how often the threat is likely to occur. rectly describes the critical success factors, pre- The frequency analysis should be quantitative, cisely describes the customer, etc. but lack of time and hard data usually prevents this. The preferable alternative is to quantify a Threat Analysis range of frequencies – for instance high, medium, The second step is the threat analysis, which low – and allocate each threat to one of the Telenor splits into two half steps. labelled ranges. If this is impossible, a qualitative description of the likelihood of each threat The first half step involves identifying the threats is called for. to the TOE. A threat is a present or future vulnerability, activity, accomplishment or event that The consequence analysis focuses on the dam- could have a negative future impact on the TOE. age a threat can set off, preferably expressed in economic terms. An indirect consequence occurs It is essential to use a structured approach in the when the triggered threat sets off a chain of threat identification phase. Significant threats are events before the consequence shows up, where- usually overlooked when the threat identification as a direct consequence is set off by the trigger- phase is unstructured, thus lowering the credibil- ing threat. Sometimes it is necessary to look for ity of the analysis. An unstructured approach both direct and indirect consequences before the also leads to repeatedly returning to the threat total loss is determined. In any case, it is essen- identification process, thus increasing costs. tial to determine the consequences because no loss prevention measure should cost more than Telenor recommends Hazard and Operability the loss it prevents. studies (Hazop) [4] as a basis for threat identification. Hazop is a technique for structuring a The consequence analysis should also outline brainstorming process, and is well suited when the mechanisms or barriers that are supposed to analysing complex objects. A skilfully executed prevent the damage. This knowledge is useful Hazop will supply an exhaustive list of threats, when selecting measures to minimise the conse- what causes the threats to materialise and to a quences when a threat is set off. certain extent the consequences of the threats. However, Hazop is not recommended if the ana- Exposure Description lyst does not have previous experience with this The previous steps analysed threats, frequencies technique. and consequences. The next step is to present the threats in terms of risk exposure. The risk expo- For the layperson, Telenor recommends using sure is a description of the impact a materialised specially designed threat identification tech- risk will have. There are three main points to consider:

70 Telektronikk 3.2000 Firstly, the aggregate risk exposure for a given Frequency time period should be presented when the previous analyses are quantitative. Aggregate risk ex- Improbable Possible Usual Common posure is defined as Insignificant Aggregate risk exposure Σ = T (frequency * consequence) Substantial

Σ where T is the summation of the T threats (in Serious this article a threat includes vulnerabilities and Consequence unwanted events), frequency is the number of Disastrous expected incident in a given time period and consequence is the economic consequence per incident.

Secondly, the exposure description should be NOK 250,000 and NOK 10,000 per year. The Figure 2 Risk matrix as clear, concise and informative as possible. analyst will have to assign a qualitative meaning Therefore, while the aggregate risk exposure is to the label if it is not possible to quantify the precise, it is not informative in terms of individ- threats. For instance, Disastrous might mean ual threats. To this end, the individual risks can “National media will have a feeding frenzy lead- be presented in a table, a matrix or in a verbal ing to significant loss of reputation to Telenor, narrative. discontinued service of the TOE and customers claiming substantial monetary compensation in Thirdly, the exposure description must follow addition to a significant number of customers a format similar to the decision-maker’s accep- fleeing from other Telenor products or services”. tance criteria. Acceptance criteria are ideally expressed by the decision-maker before the risk A decision-maker usually hesitates to implement analysis starts, and they represent the level of remedial action unless the cost of loss preven- risk the decision-maker can accept. tion is less than or equal to the risk exposure. Therefore, the risk exposure should be stated in There is usually not enough data to support stat- economic terms whenever possible – in addition ing the aggregate risk as a single number. In to the risk matrix. addition, many of the finer points of the analysis are lost when the result is aggregated into a sin- In a real world of risk analysis it is often neces- gle number. Tabulated risks are effective only sary to assign both qualitative and quantitative when the decision-maker is comfortable with definitions to the labels. this format, and verbal descriptions are often too verbose. Therefore, Telenor recommends using a Deciding Whether a Risk risk matrix to present the acceptance criteria and is Acceptable the risk exposure; see Figure 2. Deciding what is acceptable is the decision- maker’s responsibility. As mentioned previ- The two axes are frequency and consequence. ously, the decision-maker should express the The granularity of the axes must be suitable for acceptance criteria before the analysis begins. the purpose of the analysis. Usually four or five When this is done, the risk analysis team can suitably labelled intervals are sufficient. Each determine whether a risk is acceptable or not, threat is then plotted according to the result of without setting up a meeting with the decision- the frequency and consequence analysis. makers.

It is vital to ensure that the verbal label one A recommended format for the acceptance crite- assigns to the intervals is acceptable to the ria is the risk matrix. The unacceptable risk reader. For instance, the label Insignificant is exposure is quite simply shaded, in Figure 3 the probably offensive when the consequence of a unacceptable risk exposure is shaded in a darker threat is life threatening injuries or permanent colour. The decision-maker’s intentions are eas- disability. ily understood: Any threat plotted in a shaded area is unacceptable. It is also necessary to explain what the labels mean. For instance, Possible might mean “be- Recommending Loss Reduction tween 1 and 10 occurrences per decade”, and Measures Substantial could be “between NOK 100,000 The plotted acceptance criteria, which describe and NOK 250,000 per incident”. The expected the level of risk a decision-maker accepts, and economic risk of a threat plotted in the cell pos- the risk exposure of each individual threat will sible/substantial in this example is between reveal whether

Telektronikk 3.2000 71 Frequency A Especially security critical – a thorough risk analysis is required, possibly Improbable Possible Usual Common with a series of focused risk analysis of specific vulnerabilities. Insignificant B Security critical Substantial – a Standard risk analysis is required.

Serious C Not security critical – a Minimal risk analysis is required. Consequence Disastrous This categorisation offers a win-win situation where managers can use the security category to filter and prioritise information, and the owner of an especially security critical system will get Figure 3 An example of a risk • The risk exposure is too high; in which case it management’s attention while managers of other matrix with decision criteria is necessary to prevent loss. A loss reduction systems are relieved of unnecessarily detailed measure is an action taken or a physical safe- reporting. Thus the total effort a system owner guard installed before a loss occurs. must put into a security risk analysis is also minimised since the bulk of Telenor’s systems falls • The risk exposure is acceptable; in which case into category C or B. one should monitor the risk. No loss reduction measures should be recommended for an In practice, the categorisation is a simple and acceptable risk. straightforward task, requiring an interdisciplinary team which assesses the security profile • The risk exposure is too low; in which case of the system according to the assessment proce- one should consider removing unnecessary dure. The procedure explores five domains; loss prevention measures. The argument for economy, marketplace, dependencies, the legal this is to shift a resource from unnecessary framework and the security profile of the sys- measures to more productive risk reduction tem. These five domains are explored from both measures. the customers’ and Telenor’s point of view through a number of questions. Each domain The recommended loss reduction measures is assigned an integer value between 1 and 5, should be grouped according to the risk mitiga- the values are added and, depending on the sum, tion strategies (avoid, prevent, reduce, transfer). the security category is either A, B or C.

Telenor’s Corporate Framework The current security categorisation system was for Security Risk Analysis deployed in late spring 1999 and has given some Telenor’s senior management has formally surprises. The biggest surprise is that users gen- approved company-wide policies making risk erally perform a categorisation faster in real life analysis mandatory. So risk analysis is supported than expected, while the quality of work meets by senior management. The challenge to the or exceeds the expectations. practitioner is to balance the depth of analysis with the expected benefits of performing the An interesting result is that the categorisation analysis, and to avoid “paralysis by analysis”. procedure which translates the security attributes confidentiality, integrity and availability into the Telenor’s risk analysis framework is twofold. five domains appears to be an eye-opener for On the one hand it consists of corporate-wide users unfamiliar with security. policies, guidelines and tools. On the other hand there are the policies, guidelines and tools There are interesting variations in how the users unique to each business area. Below, we outline perform the categorisation. Some users meticu- the corporate risk analysis tools, biased towards lously work through the full set of questions for the security domain. each of the five domains, document all answers in detail and then work out a “correct” value for Security Risk Analysis each domain and finally select the appropriate The corporate policy for systems security [6] security category. Other users skip questions instructs all owners of information systems to they do not like, slap an integer value they are perform a security categorisation of their system, happy with on each domain, and summarily and perform a risk analysis according to the select the appropriate category – and are done security category. The three security categories, with the job. In one case users in different busi- with corresponding depth of analysis, are ness areas have categorised almost identical sys-

72 Telektronikk 3.2000 tems as category B, with only a one point differ- The Minimal Risk Analysis (MRA) was devel- ence, using very different approaches. When oped as a response to these complaints. The pri- questioned informally, the meticulous user said mary objective was to propose a generic risk that they learned a lot about their system and its analysis framework that would give a methodi- environment, and that the resulting report would cal user a high success rate. The secondary ob- be used as part of the system documentation. jective was to have the Minimal Risk Analysis The other user reported that the classification take less than one week to plan, execute and procedure was acceptable, but that they did not document. This contrasts the then current corpo- learn very much from the exercise and that the rate methodology requiring a specialist analyst main benefit was that their security officer was using perhaps 200 – 300 man-hours in a two to satisfied. four month time scale.

Risk Analysis During Product The resulting design of the MRA is three-part: Development and Introduction The product development and introduction pro- 1 A process guide; directing the user through cess, or P3 as it is more commonly referred to in a proven sequence of activities; Telenor, calls for risk analysis both of the project risks and a security risk analysis of the 2 A template file; giving the user a skeleton future product or service. report;

The project risk analysis follows an intuitive 3 Threat assessment guidelines; assisting the process, and is quite straightforward. user in uncovering threats.

On the other hand, the security risk analysis The Minimal Risk Analysis is object oriented. begins with a security categorisation which The TOE is described as an object consisting decides the depth of analysis. A review of the of sub-components which interact with and are security risk analysis is required for each formal influenced by external objects. As a minimum, phase evaluation the project is subjected to. each object or sub-component will be described by its internal structure, its function and its inter- Given enough time and that the product or ser- action with other objects or sub-components. vice is categorised A or B, the security risk anal- The following threat identification phase sys- ysis is repeated one or more times before the tematically explores each object to identify product or service is launched. threats.

Risk Analysis in Practice The Minimal Risk Analysis differs from the All risk analyses are company confidential in Standard Risk Analysis in three areas: Telenor. Confidentiality is necessary because one is very vulnerable after a risk analysis. Not • Formal methods are not mandatory in a Mini- only has the analysis uncovered weaknesses, it mal Risk Analysis. This means that risk analy- has also exposed and documented the mecha- sis expertise is not required, though it is help- nisms that can be used to exploit the weakness. ful. However, the lack of formal methods does not mean that the analysis is unstructured. The Instead of looking into specific risk analysis, this user has a guideline for the work process, a article will highlight the methodology behind template file for the report and structured aids Telenors Minimal Risk Analysis and some of the to the security threat identification. lessons learned. • Acceptance criteria are not developed before The Minimal Risk Analysis the risk exposure is written. With a finalized Users complained that the previous corporate risk exposure the decision-maker quickly sees risk analysis framework was too demanding, which risks are acceptable or unacceptable. time consuming, inflexible and too focused on security risk analysis. Informal discussions with • Causal analysis is omitted from the threat disapproving users pinpointed problems such as analysis phase since the causal analysis is not untrained analysts using semi-formal analysis very useful for the acceptable threats. A causal methodologies, guidelines written by experts for analysis is occasionally necessary to identify expert use and too voluminous template files. In cost-effective treatment strategies for unac- addition to this, the users had little or no chance ceptable threats, but treating an unacceptable of performing a risk analysis within real-world risk is often quite straightforward. time constraints. In short; they felt the corporate risk analysis standard was impractical and theo- Practical use shows that a Minimal Risk Analy- retical. sis of acceptable quality can be performed with-

Telektronikk 3.2000 73 in a one week time-frame, using approximately What is the threat in this scenario? What is the 20 – 30 man-hours in addition to the threat iden- cause? What is the consequence? Is there an tification meeting. effect? Anything goes as long as a single threat has one ore more causes and leads to one or As yet, no formal evaluation of the effectiveness more consequences. Moreover, one cause can of a Minimal Risk Analysis has been undertaken. trigger several different threats, while one consequence can be triggered independently by a However, user feedback indicates that the Mini- number of threats. mal Risk Analysis methodology is acceptable in the “real world”, while the quality of the risk Actually, it is often a matter of perspective. A analysis appears to be adequate. In addition it is good description of the TOE and an unambigu- becoming clear that the first few times a user is ous purpose for the analysis will go a long way in charge of a Minimal Risk Analysis they feel toward giving the answer. This is one of the rea- they would benefit from some kind of expert sons why a precise and correct description of the support. TOE is important.

Typical Problems Management Decisions Risk analysis should ideally be performed when- Management decisions should be based on ever something changes in the TOE environ- explicitly expressed decision criteria. The man- ment. This can be personnel changes, reorgani- agement may be eager to express their decision sations, changes in technology or market be- criteria early on. This is a good sign – provided haviour, new laws and so on. A more practical they actually manage to come up with decision approach is to perform a new risk analysis when- criteria relatively easily. ever there are significant changes either in the TOE or in its environment. In real life, people However, when the business environment or are busy designing new products, solving prob- TOE is very complex, the decision criteria are lems, reporting to management and so on. So the easier to express at a late stage of the analysis. risk analysis tends to be postponed, sometimes This is also the case when it is apparent that the indefinitely because the TOE causes so many managerial logic is fuzzy or inconsistent. When problems that there is barely time to fix one the risk exposure is presented in the risk matrix, before a another crops up ... the risk analysis team should grab hold of the principal decision-maker, and have him/her Another problem is finding the right people, the point at the unacceptable cells. This usually people who do know what the TOE is. They, or works. The interesting thing is that the manager management, give other tasks higher priority. is usually grateful because he/she gets a clearer Ironically, occasionally these highly prioritised understanding of their “gut feeling”. tasks are problems – making the best experts work reactively ... Risks and Problems It is worth noting that a risk is not the same as a Risk analysis is an interdisciplinary activity. problem. A risk is something that has not hap- Sadly, on occasions the quality of a risk analysis pened, and it may not happen at all. A problem is below the quality the decision-maker requires is something that has happened, that causes con- because the interdisciplinary focus is lost in the cern and which (normally) cannot be ignored. “need for speed”. Sometimes a threat analysis meeting is bogged down by participants looking for solutions to Cause and Effect something they see as a problem. On the other Differentiating between cause, effect and conse- hand, decision-makers sometimes dismiss a risk quence is not always easy. because the risk is not yet a problem – but this is not necessarily the same as accepting the risk. Imagine this chain of events; you receive software with malicious code by e-mail, you open Work in Progress the e-mail and run the software. Unfortunately, Currently several key issues are being addressed; the virus protection does not catch the malicious code, the malicious code destroys your files and • The Standard risk analysis package is being you have no access to the backup files. Worse revised, to make it more user friendly. yet, your friendly IT-support person is unavailable due to acute sickness, you cannot reach the • A methodology for performing quantitative deadline for the bid you are working on and you risk analysis has been developed and has been lose an important contract. Your boss then tested in a live risk analysis in Telenor. The promises you a “lengthy, uncomfortable meeting test was successful, and the methodology with with much shouting, waving of arms and point- supporting simulation tools are being im- ing of fingers”.

74 Telektronikk 3.2000 proved and prepared for practical use. This work is a joint effort between Telenor and Norconsult.

• New threat assessment guidelines are in development. Guidelines for project risk, delivery risk and business process risk will be deployed during 2000.

• Telenor R&D is the project manager of a consortium proposing to EU that the consortium, through the IST framework, “... provide an integrated methodology to aid the design of secure systems and thus establish trust and confidence in our products”.

• A methodology for Business Risk Analysis is being developed and is expected to be deployed in 2001.

References 1 Faglig plattform for risikoanalyser i Telenor. Telenor Infotorg. (2000, June 26) [online] – URL: http://134.47.108.143/staber_og_ selskaper/sikkerhet/dokumentene/24/10/ telerisk20.doc

2 Norsk Standard. Krav til risikoanalyser/ Requirements for risk analyses. (NS5814.)

3 Australian standard. Risk management. (AUS/NZ 4360:1999.)

4 Risikoanalyseteknikker. Telenor Infotorg. (2000, June 26) [online] – URL: http:// 134.47.108.143/staber_og_selskaper/ sikkerhet/dokumentene/24/44/ risikoanalyseteknikker_v1-0.doc

5 Trusselidentifikasjon sikkerhetsrisiko. Telenor Infotorg. (2000, June 26) [online] – URL: http://134.47.108.143/staber_og_ selskaper/sikkerhet/dokumentene/24/58/ trusselid_sikkhet_ver_10.doc

6 Konsernstandard for systemsikkerhet. Telenor Infotorg. (2000, June 26) [online] – URL: http://134.47.108.143/staber_og_ selskaper/sikkerhet/handbok/retningslinjer/ vedlb08.htm

Telektronikk 3.2000 75