The role of cryptography in global communications


May 1996 Network Security
©1996 Elsevier Science Ltd

The Role of Cryptography in Global Communications

Tom Parker, ICL Enterprise Technology

Since the days of Julius Caesar, cryptography has been used for scrambling information as it is transmitted over insecure channels, whether the channel has been a physical one, such as a runner carrying a written message through hostile territory, or an electronic one, such as a telegraphic, radio or computer message. This article describes how it is now being used in computer systems in new ways in support of securing global computer communications.

New tasks for cryptography

Not long ago, a computer software vendor would simply supply crypto technology only if customers asked for their user data to be protected over communications links. Nowadays, crypto is starting to be used as a most potent weapon in many other security contexts. Software vendors are including crypto functions as part of their own security functions, in order to offer user authentication, distributed access control and new capabilities such as digital signatures. As well as being able to offer direct protection for user data, vendors also need to protect their own security data as it is exchanged over insecure links. Cryptography has come of age.

Symmetric versus asymmetric cryptography

Symmetric cryptography

Traditionally, the security of a cryptographic exchange has been based on each party sharing the same secret key.

The sender encrypts and the receiver decrypts using this key, and anyone listening to the exchange cannot decipher its contents unless they know the key. The security of the exchange has depended on two things:

• The strength of the algorithm - is there a means of deciphering by finding a weakness in the scrambling algorithm?

• The key size - if the range of possible keys is sufficiently small, the attacker may be able to try every possible key until the right one is found.

One of the best known algorithms is the Data Encryption Standard (DES). Despite earlier suspicions of secret government trapdoors, this is now believed to be pretty strong, its main weakness being its small key size - effectively 56 bits long. The latest research into key space search times shows that 56 bits for some purposes is too short. For example, someone with $300 000 to spare would be able to construct a machine using Application Specific Integrated Circuits (ASICs) which could find any DES key within a period of three hours (1). It is virtually certain that many national governments have the computing power to achieve much faster search speeds.

DES can be applied more than once, and this will increase the effective key size. One multiple application in common use in the banking environment is what is called 'Triple DES', in which the sender encrypts the message with a first key, 'decrypts' it with a second key and re-encrypts with a third key. The receiver, who must know all three keys, simply does the reverse. This results in ciphertext which is dependent on three keys, increasing the effective key space well beyond the size that can be attacked by brute force key search methods. The reason for the middle step being a decryption is for backward compatibility with single DES: if the first two keys are chosen to be the same, the pseudo decryption becomes real and results in the original plain text. Triple DES thus becomes single DES on the third key value.

The US Government in general disallows export of encryption technology with keys of longer than 40 bits so, for example, the exportable version of the Netscape web browser uses only 40 bits for its symmetric cryptography. The latest estimates for search times for 40 bits indicate that a normal hacker with only $400 to spare would be able to find a 40 bit key in only five hours using Field Programmable Gate Arrays. Any commercial organization can crack a 40 bit key in a matter of minutes. However, it should be noted that the only thing being protected in current applications of the browser is a credit card number, and $400 per number is probably more than hackers would be prepared to spend to obtain what is not a particularly secret value anyway.
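A worked calculation, added here and not taken from the article, that uses the two search-time figures quoted above to project brute-force search times for other key sizes (including the 112 bits usually credited to Triple DES) and the key length needed for a given safety margin. The search rates are derived from the article's own numbers; the machine labels are constructed for the example.

```python
import math

HOUR = 3600.0
YEAR = 365 * 24 * HOUR

# Key-search rates implied by the two figures quoted above (a full 56-bit search in three
# hours on the $300 000 ASIC machine; a full 40-bit search in five hours on $400 of FPGAs).
# The machine labels are constructed for this example.
RATES = {"ASIC ($300 000)": 2 ** 56 / (3 * HOUR),
         "FPGA ($400)": 2 ** 40 / (5 * HOUR)}


def search_seconds(key_bits: int, keys_per_second: float, expected: bool = False) -> float:
    """Seconds to try the whole key space (or, if expected=True, half of it on average)."""
    keyspace = 2 ** key_bits
    return (keyspace / 2 if expected else keyspace) / keys_per_second


def min_key_bits(keys_per_second: float, safe_seconds: float) -> int:
    """Smallest key length whose full search takes at least safe_seconds at this rate:
    every extra bit doubles the search time, so this is a base-2 logarithm rounded up."""
    return math.ceil(math.log2(keys_per_second * safe_seconds))


def search_table(rates: dict, key_sizes=(40, 56, 64, 80, 112, 128)) -> dict:
    """Full-search time in years for each machine and key size."""
    return {name: {bits: search_seconds(bits, rate) / YEAR for bits in key_sizes}
            for name, rate in rates.items()}


if __name__ == "__main__":
    for machine, row in search_table(RATES).items():
        for bits, years in row.items():
            print(f"{machine:16s} {bits:3d}-bit key: full search {years:.3g} years")
    for machine, rate in RATES.items():
        print(f"{machine:16s} needs {min_key_bits(rate, 100 * YEAR)} bits to hold out 100 years")
```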

Asymmetric cryptography

In asymmetric cryptography keys come in pairs. The sender encrypts with one key and the receiver decrypts with the other. The same key cannot be used to decrypt data that it has just encrypted. Knowing one of the keys of the pair does not help in finding the value of the other key. These simple properties open a new world of opportunities whose importance is hard to overestimate.

One of the keys of a pair is kept private to a single individual, and is unsurprisingly known as a Private Key. The other key, the Public Key, can be broadcast to the world¹. If Alice wants to send Bob a secret message she encrypts it using Bob's public key. Only Bob can decrypt this, since only he knows the value of the corresponding private key. If Alice wants to send Bob something that she wants Bob to really know came from her, she can encrypt it (or in practice encrypt a digest of it) using her private key. Bob, or for that matter anyone else knowing Alice's public key, can decrypt it, but since only Alice knows the private key, it must have been her that produced it. An encryption with a private key is known as a Digital Signature, and it has many of the properties of a real hand-written signature on a piece of paper.

Although the public key of a person is not in any way secret, it is important that the user of such a key really knows for sure who is the owner of the corresponding private key. To provide this guarantee of authenticity of a public key we use Public Key Certificates. These are electronic statements, signed by a known authority, naming who is the owner of the private key corresponding to this public key. The certificate is digitally signed using the private key of the authority, known as a Certification Authority (CA), that produced it. The form of such a certificate has been standardized and is known as an X.509 certificate after the number of the ITU standard that defined it (2). To check a certificate one uses the public key of the CA that signed it, and the problem of knowing who a public key belongs to recurs - how do we know that the public key belongs to the CA? To help solve this problem, certificates can also be used to certify other certificates and so on, giving rise to certificate chains. In the end though, a user of public keys needs to know at least one person's public key that is guaranteed by out of band means to belong to a known individual or authority.

The security of exchanges protected by asymmetric cryptography is dependent on the strength of the algorithm used and the key sizes involved. However, the numbers are quite different; private and public keys are much longer than symmetric ones. The most widely used asymmetric algorithm is RSA, an algorithm based on use of keys involving large prime numbers and their products.

The strength of RSA depends on the difficulty of factoring the product of two large prime numbers. This is a problem that has been the subject of mathematical research since the 17th century, but has been given a new impetus by the problem's cryptographic connections, so factorization is getting quicker at a rate exceeding nearly everybody's expectations. Schneier (3) says that a private key size of 384 bits is currently about as strong as a 56 bit symmetric key; 512 bits is equivalent to a symmetric key length of 64 bits.

¹Hence asymmetric cryptography is often called Public Key Cryptography.

Global communications and the Internet

More business is being done over the Internet than ever before. It is the fastest growing network that has ever been created by the human race. It has been forecast that in the year 2000 the annual value of trade on the Internet will reach $600 billion. But the Internet is jungle country, and the predators are out there practising now. Cryptography has an important role to play in providing protection against these people. The rest of this article describes some of the main areas in which it is being applied, or where at least the appropriate basic technology is now becoming available.
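An added Python example, not code from the article, of the ideas in the asymmetric cryptography section above: a textbook RSA key pair built from toy-sized primes, a digital signature produced by 'encrypting' a digest with the private key and checked with the public key, a certificate chain verified back to a trust anchor known out of band, and, to show why the RSA key sizes discussed matter, recovery of a private key by factoring the toy modulus. The primes, names and the choice of SHA-256 as the digest are assumptions of the example.

```python
import hashlib
from math import isqrt

# Toy primes (about 20 bits each) and a standard public exponent: all constructed for this
# example and far too small for real use, which the factoring step at the end makes plain.
ROOT_PRIMES, INTER_PRIMES, USER_PRIMES = (1000003, 1000033), (1000037, 1000039), (999983, 999979)
E = 65537

def keygen(p: int, q: int, e: int = E):
    """RSA key pair from two primes: public (n, e) and private (n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

def digest(data: bytes, n: int) -> int:
    """Message digest reduced modulo n so it fits under the key (SHA-256 is this example's choice)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(private, data: bytes) -> int:
    """'Encrypt' the digest with the private key: the Digital Signature of the article."""
    n, d = private
    return pow(digest(data, n), d, n)

def verify(public, data: bytes, sig: int) -> bool:
    """Anyone holding the public key can 'decrypt' the signature and compare digests."""
    n, e = public
    return pow(sig, e, n) == digest(data, n)

def cert_bytes(subject: str, public, issuer: str) -> bytes:
    return f"{subject}|{public[0]}|{public[1]}|{issuer}".encode()

def make_cert(subject: str, public, issuer: str, issuer_private) -> dict:
    """A minimal certificate: a statement naming a key's owner, signed by the issuing CA."""
    return {"subject": subject, "public": public, "issuer": issuer,
            "sig": sign(issuer_private, cert_bytes(subject, public, issuer))}

def verify_chain(chain: list, trust_anchors: dict) -> bool:
    """Check a chain leaf -> intermediate(s) -> root: each certificate must be signed by the
    next one up (the root by itself) and the root key must be one known out of band."""
    for i, cert in enumerate(chain):
        signer = chain[i + 1] if i + 1 < len(chain) else cert
        if cert["issuer"] != signer["subject"]:
            return False
        signed = cert_bytes(cert["subject"], cert["public"], cert["issuer"])
        if not verify(signer["public"], signed, cert["sig"]):
            return False
    return trust_anchors.get(chain[-1]["subject"]) == chain[-1]["public"]

def factor_private_key(public):
    """Recover d from a toy public key by trial division; hopeless for real key sizes."""
    n, e = public
    for p in range(3, isqrt(n) + 1, 2):
        if n % p == 0:
            return pow(e, -1, (p - 1) * (n // p - 1))
    return None

root_pub, root_priv = keygen(*ROOT_PRIMES)
inter_pub, inter_priv = keygen(*INTER_PRIMES)
alice_pub, alice_priv = keygen(*USER_PRIMES)
TRUST_ANCHORS = {"Root CA": root_pub}      # the one key the verifier learned out of band
CHAIN = [make_cert("Alice", alice_pub, "Corp CA", inter_priv),
         make_cert("Corp CA", inter_pub, "Root CA", root_priv),
         make_cert("Root CA", root_pub, "Root CA", root_priv)]

if __name__ == "__main__":
    msg = b"Transfer 100 pounds to Bob"
    print("signature verifies:", verify(alice_pub, msg, sign(alice_priv, msg)))
    print("chain verifies:", verify_chain(CHAIN, TRUST_ANCHORS))
    print("private key recovered by factoring:", factor_private_key(alice_pub) == alice_priv[1])
```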

Secure end-to-end associations

If our use of the Internet is merely as a means of communication in a worldwide corporate network, and the workstations and servers involved are all known and managed by our organization, the requirement is just one of protecting information as it moves from civilization at one end, through the jungle, to civilization at the other end. We need to authenticate our own known and registered users, perform access control checks and prevent the predators from eavesdropping or interfering. To do this we need to form what in ISO terminology are known as 'Security Associations' (4). Details of how this works are as follows.

The user authenticates to a remote authentication server, using a means of authentication not susceptible to eavesdroppers (for example using a challenge-response protocol), and receives in return a data token or certificate which can subsequently be used to prove the user’s authenticity (we shall refer to all these forms of returned data structures as ‘tickets’, though their content and method of protection varies on the technology used).

The user selects a target application server to access, and components in the workstation use the authentication ticket to obtain from a remote security server an access ticket suitable for use in accessing the target. In some cases different access tickets may be obtained for different target servers, in others the same access ticket can be used at multiple targets. In some cases the original ticket is directly used at a target, the middle step being missed out.

Finally, special code in each selected target receives the access ticket, validates it and establishes an authorized and secure connection.


Cryptography plays its role in the protection of the tickets against theft, manipulation and misuse. Across an insecure global network, the access ticket would be accompanied by a second ticket containing cryptographic keying information to be used to establish a symmetric key between the user's workstation and the target². The key is used to protect operational and security data exchanges. It is through this kind of technology that a proper distributed security infrastructure can be built.

Examples of Open Systems technology that provide this functionality are Kerberos (5) and SESAME (6). Kerberos originated in the USA, uses symmetric cryptography and is used as the basis of a number of products. SESAME originated in Europe, funded partly by the European Union. It builds upon Kerberos, adding the capability of carrying access control information, and using asymmetric cryptography to improve its scalability to globally sized networks. SESAME is also being integrated into a number of commercial products.
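The ticket procedure described above, carried through as an added Python example (not code from the article, Kerberos or SESAME): a security server issues an authentication ticket, then an access ticket for the target and a key ticket for the user that both carry a fresh session key, and the target validates the access ticket, refusing manipulated, misdirected, expired and replayed ones. HMAC-SHA256 with a constructed XOR keystream stands in for the symmetric cipher; all keys, names and field layouts are constructed.

```python
import hashlib
import hmac
import json
import os

# Names, key lengths and field layouts are constructed for this example; they are not the
# Kerberos or SESAME wire formats.  HMAC-SHA256 stands in for a DES/IDEA-style cipher.
NONCE_LEN, TAG_LEN = 16, 32

def _prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy confidentiality: XOR the data with an HMAC-derived keystream (same call decrypts)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = _prf(key, b"enc" + nonce + i.to_bytes(4, "big"))
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def seal(key: bytes, fields: dict) -> bytes:
    """Encrypt-then-MAC a set of fields under a long-term key: the wire form of a 'ticket'."""
    nonce = os.urandom(NONCE_LEN)
    body = _xor_stream(key, nonce, json.dumps(fields, sort_keys=True).encode())
    return nonce + body + _prf(key, b"mac" + nonce + body)

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, _prf(key, b"mac" + nonce + body)):
        raise ValueError("ticket manipulated or sealed under another key")
    return json.loads(_xor_stream(key, nonce, body))

class SecurityServer:
    """Issues authentication tickets under its own key and access tickets under target keys."""
    def __init__(self, own_key: bytes, user_keys: dict, target_keys: dict):
        self.own_key, self.user_keys, self.target_keys = own_key, user_keys, target_keys

    def issue_auth_ticket(self, user: str, now: int, lifetime: int = 8 * 3600) -> bytes:
        # Handed out once the user has passed a challenge-response exchange (not shown).
        return seal(self.own_key, {"user": user, "expires": now + lifetime})

    def issue_access_ticket(self, auth_ticket: bytes, target: str, now: int, lifetime: int = 300):
        """Returns (ticket for the target, key ticket for the user) sharing one fresh session key."""
        auth = unseal(self.own_key, auth_ticket)
        if auth["expires"] <= now:
            raise ValueError("authentication ticket expired; re-authenticate")
        session = {"user": auth["user"], "target": target, "key": os.urandom(16).hex(),
                   "id": os.urandom(8).hex(), "expires": now + lifetime}
        return seal(self.target_keys[target], session), seal(self.user_keys[auth["user"]], session)

class Target:
    """The 'special code in each selected target' that validates an access ticket."""
    def __init__(self, name: str, key: bytes):
        self.name, self.key, self.seen = name, key, set()

    def accept(self, access_ticket: bytes, now: int) -> tuple:
        """Returns ('ok', user, session_key) or (reason for refusal, None, None)."""
        try:
            t = unseal(self.key, access_ticket)        # integrity and confidentiality check
        except ValueError as err:
            return str(err), None, None
        if t["target"] != self.name:
            return "wrong target", None, None
        if t["expires"] <= now:
            return "expired", None, None
        if t["id"] in self.seen:
            return "replayed", None, None
        self.seen.add(t["id"])
        return "ok", t["user"], bytes.fromhex(t["key"])  # session key now shared with the user

# Constructed long-term keys for the demonstration
KEYS = {"server": b"S" * 32, "alice": b"A" * 32, "payroll": b"P" * 32}
SERVER = SecurityServer(KEYS["server"], {"alice": KEYS["alice"]}, {"payroll": KEYS["payroll"]})
```

The session key the target extracts is the same one the user reads from the key ticket, so both ends can go on to protect their data exchanges with it.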

Secure Electronic Mail

A number of solutions have been developed for providing confidentiality and integrity of electronic mail, primarily intended for use over the Internet. 'Pretty Good Privacy' (PGP) (7) is a general purpose, very strong set of encryption functions, freely available over the Internet³, designed to provide an easy way of encrypting messages. It uses the IDEA encryption algorithm, which has so far shown itself to be strong, and can make use of keys up to 128 bits long. PGP also includes RSA-based asymmetric technology, allowing a key size of up to 2047 bits. Both of these key sizes are easily long enough to provide very good security against brute force attacks for the foreseeable future. PGP was designed and developed by Phil Zimmermann, who has since been chased by the American authorities for illegally exporting cryptography⁴.

The Internet Engineering Task Force (IETF) developed a standard secure mail protocol known as Privacy Enhanced Mail (PEM) (8). PEM supports authentication, confidentiality and integrity. It specifies that DES should be used, with either the MD2 or MD5 message digest functions. PEM also supports the use of RSA alongside X.509 Directory Certificates. A reference implementation of PEM was produced by a US company called Trusted Information Systems (TIS) under contract from the US Government. It is known as TIS/PEM. A version of PEM called RIPEM is available in the USA under licence for commercial use but this cannot legally be exported⁵. An exportable modified version called RIPEM/SIG has also been developed. This cuts out all of the confidentiality capabilities. PEM and its variants have been very actively worked upon, but the take up has been somewhat disappointing.

²or this information can be part of the ticket itself.

³Though the idea of obtaining security software from jungle country is problematical to say the least.

⁴However, they have now decided to drop all charges, possibly because they can see when they have got a lost cause.

⁵Though this doesn't seem to have prevented it appearing on bulletin boards outside the USA.

Internet cryptographic protocols for doing business

Until recently there were four dominant protocols developed for the purpose of securing interactive business exchanges across the Internet. There were two, known as SSL and SEPP, espoused by Netscape and Mastercard, and two, known as PCT and STT, espoused by Microsoft and Visa. Thus, the giants appeared to be positioning themselves for battle. SSL and PCT are at communications level and still have life as general purpose cryptographic protocols, but SEPP and STT, which were application level protocols designed specifically for electronic payment processing, are now being superseded by one common protocol called Secure Electronic Transmission (SET) (9) supported by all of the protagonists. Truce has been declared, fortunately for the rest of us who were faced with a 'spot the winner' task.

The aims of SET have been declared to be:

• build on existing standards where practical

• create and support an open bank card standard

• be independent of platform type

• achieve global acceptance

• authentication of cardholders, merchants and acquirers

• provide confidentiality and integrity of payment data

SET supports a mix of symmetric and asymmetric technologies but does not use standard X.509 certificates. Instead it uses its own proprietary ones. This is not good news.

The future and IPV6

The Internet Protocol is to be replaced by a new version 6 called IPV6. The prime motivation for this is increasing the address space availability - IP is rapidly running out of addresses. However, the opportunity was then taken to design into IPV6 its own built-in security, and it has provision for authentication and privacy, and will be standardizing on specific cryptographic algorithms. Unfortunately, at the time of writing, the security details of IPV6 have not been agreed, and such is the demand for the speedy implementation of this protocol that there is a danger of IPV6 coming out with its security features still in flux.

The main lesson

Cryptographic solutions are becoming more and more important - even if the customer does not directly request the use of cryptography, the techniques are needed by vendors for most security solutions now.

Be careful of key sizes. For symmetric algorithms 40 bits isn’t enough. For RSA, you should be thinking of 512 bits as borderline.

DES is a strong algorithm, though 56-bit key size is marginal. Triple DES is (at present) unbreakable.

There are many pitfalls - use expert advice before attempting any DIY approaches. In particular, do not attempt to invent your own cryptographic algorithms. Unless you are a specialist in this area, it is certain to be weak.

End-to-end security is a good approach, when practicable, and you can use technologies like Kerberos or the more sophisticated SESAME.

You can use general e-mail technologies like PGP and PEM, or low level crypto protocols like SSL or PCT, though the latter are more intended for software vendors rather than direct use by users. Watch out for SET as the possible future standard business protocol for financial transactions.

IPV6 may change things when it starts to take off - and take off it will.

References

(1) Minimal Key Lengths for Symmetric Ciphers to Provide Adequate Security, a report by an ad hoc group of cryptographers and computer scientists, ftp://ftp.research.att.com/dist/mab/keylengt.txt.

(2) The Directory - Authentication Framework, CCITT (now ITU) Recommendation X.509.

(3) Applied Cryptography, Bruce Schneier, 2nd Edition, John Wiley and Sons.

(4) Security Association Management and Support, ISO/IEC JTC1/SC21/WG8 ULS Group 4th working draft, from the Ottawa meeting, Summer 1995.

(5) The Kerberos Network Authentication Service (V5), J. Kohl and C. Neuman, 1993, Internet RFC 1510.

(6) SESAME V4 Overview, T.A. Parker and D. Pinkas, available from the SESAME web site: http://www.esat.kuleuven.ac.be/cosicsesame.html.

(7) The Official PGP User's Guide, P.R. Zimmermann, MIT Press, Boston, 1995.

(8) Privacy-enhanced Electronic Mail, M. Bishop, Distributed Computing and Cryptography, edited by J. Feigenbaum and M. Merritt, American Mathematical Society, 1991, pp. 93-106.

(9) SET specifications can be obtained from http://www.visa.com or www.mastercard.com.

This paper was presented at SecureNet 96 at Olympia, London, UK.

Internet Attack Mechanisms

A. Padgett Peterson, P.E.

Current media is filled with theoretical attacks, vulnerabilities and malicious activities, but the problems that make the news are rarely the ones that result in the common, day to day losses. A Mitnick might be able to mount an obscure sequencing attack against a perceived adversary, but such attacks will fail against virtually any firewall since it depends on a network finding nothing wrong with an internal machine suddenly appearing on the outside. Similarly, a SATAN/SANTA attack will quickly reveal holes but only if you happen to be running Unix with RPC and NFS active. This is not to say that such attacks are not common, just that they require a specific configuration to exist at the attackee's site.

The fact is that most reported attacks are those done by amateurs who generally were noticed due to things which failed as a result of their intrusion. While a kid with a $50 PC and a $20 network card can certainly mount a manual attack, this is the easiest to detect (because they make mistakes). On the other hand, a directed attack by a professional will be almost invisible except for someone who is watching. The following will describe such an attack scenario. Some items are exaggerated for demonstration purposes, a real attack could be considerably more subtle.

Step 1 - Target Identification

For an amateur, this might be the result of an innocent posting or an attractive domain name. Whitehouse.gov in the United States attracts a great many such attacks but it is also probably the best equipped system in the country to deal with such since it is monitored by some of the top experts in the country.

Whatever the reason, such an attack will probably begin with identification of the domains used by the target. For this a simple inquiry directed at a name registry is enough and does not need to touch the target at all. For instance a NICNAME search for a popular tourist destination such as Disney reveals domains and IP network addresses for the following:

Disney Art Editions, Disney Consumer Products Inc., Disney Direct Marketing Services Inc., Disney Gallery, Disney Magazine Publishing, Disney Magazine Publishing, Disney Online, Disney Online, Disney Online/Family Fun Magazine, Disney Pictures, Disney Vacation Club, Disney Worldwide Services Inc. (28 separate entries), The Walt Disney Company (IP addresses and personal listings omitted).

Thus, without touching the target at all it is possible to gain considerable information but it does not stop here. Targeting a specific network it is possible to gain even more information from the Network Information Centre (NIC) such as:

The Walt Disney Company (NET-DISNEY)
500 South Buena Vista St.
Burbank, CA 91521
Netname: DISNEY
Netnumber: xxx.xxx.xxx.xxx

Coordinator: xxxxxxxx, xxxxx (xxxx) xxx@CORP.DISNEY.COM (818) 555-1212

Domain System inverse mapping provided by:

WALT.DISNEY.COM xxx.xxx.xxx.xx
HUEY.DISNEY.COM xxx.xxx.xxx.xx

Record last updated on 20-Jun-95.

At this point the potential attacker knows quite a bit:

• the location of the network (time zone)

• address and size of the network (Class A and Class B networks are particularly attractive)