090902 Conference Presentation

Transcription

TecSec®, Incorporated
Protecting Information
From Ancient Times To The Digital Age
©TecSec®, Incorporated 2008. All rights reserved.
Session Objectives
There are three primary objectives for this Session
§
Provide an historical overview of
the need for Information Security
§
Establish the need for
Information Security in the
Digital Age
§
Explain how TecSec’s
Constructive Key Management®
(CKM®) Technology provides
data confidentiality in a
networked world
Definitions
§ Plain text
– Readable text
§ Cipher text
– Data that has been encrypted.
– Cipher text is unreadable until it has been converted into plain text
(decrypted) with a key.
§ Cryptography
– Creating and using secure codes
§ Cryptanalysis
– Breaking other people's codes
§ Cryptology
– The study of code, includes Cryptography and Cryptanalysis
Where We’ve Been…
Shared Secrets
The need to control access to information can be traced
backed to ancient times
Secrets needed to be shared in a controlled manner
The Eqyptians
The Egyptians concealed information using hieroglyphics as
far back as 3000 BC
Steganography
The science of sending concealed messages is known as
"steganography", Greek for "concealed writing"
§
Persian Emperor Xerxes moved to
attack Greece in 480 BC. The
Greeks were warned by
Demaratus, who was living in exile
in Persia. Demaratus wrote a vital
message on the wooden tablet
itself and covered it with wax.
§
Other techniques included
tatooing a message on the scalp
of a messenger, letting his hair
grow back, and then sending him
on a journey. At the other end, the
recipient shaved the messenger's
hair off and read the message.
Codes and Ciphers
§ If someone finds the hidden message, all its secrets are
revealed.
§ That led to the idea of obscuring the message so that it could
not be read even if it were intercepted, and the result was
"cryptography", Greek for "hidden writing".
§ The result was the development of "codes", or secret languages,
and "ciphers", or scrambled messages.
The Spartans
Spartans established the first system of military cryptography
as early as the fifth century B.C.
They employed a device called the
'skytale' which consists of a staff of
wood around which a strip of
papyrus or leather or parchment is
wrapped close-packed.
The secret message is written on
the parchment down the length of
the staff; the parchment is then
unwound and sent on its way.
The Romans
Julius Caesar invented the first substitution cipher around 50 BC,
which bears his name to this day.
The substitution key is formed by
cyclically displacing an alphabet with
respect to itself.
A plaintext message is enciphered by
substituting for each letter the
corresponding letter from the shifted
alphabet.to produce cipher text. A
cryptogram enciphered in this way
can be deciphered by reversing the
process and translating each cipher
text letter into its plaintext equivalent.
Caesar Substitution
An example of a four character “Caesar-shift” for a 21 character
alphabet is shown below:
Monks, Scientists and Alchemists
Ciphers were used by monks "for scribal amusement”
Around the middle of the 13th
century, the English monk Roger
Bacon wrote "Concerning the
Marvelous Power of Art and of
Nature and Concerning the
Nullity of Magic". He listed seven
cipher methods and asserted
that "a man is crazy who writes
a secret in any other way than
one which will conceal it from
the vulgar".
Scientists and alchemists used
ciphers to protect their writings.
Chaucer
Geoffrey Chaucer used cryptography in his writings
In The Equatorie of the Planetis, a
supplement to his 1391 Treatise on the
Astrolabe, Chaucer included six
passages written in cipher. The cipher
system consists of a substitution
alphabet of symbols as shown below:
Picture Copyright © President and Fellows of Harvard College
The Venetians
By the 15th and 16th centuries, ciphers had become extremely
important for diplomatic purposes
The art of frequency analysis
had been reinvented in Europe.
The first famous European
codebreaker was Giovanni Soro,
who was appointed as the
Venetian cipher secretary in
1506.
He acquired a great reputation
for cracking ciphers for Venice,
the Vatican, and other Italian
city-states.
Frequency Analysis
Frequency analysis is a statistical method
e: 12.7
t: 9.1
a: 8.2
o: 7.5
i: 7.0
n: 6.9
s: 6.3
h: 6.1
r: 6.0
d: 4.2
l: 4.0
c: 2.8
u: 2.8
m: 2.4
w: 2.4
f: 2.2
g: 2.0
y: 2.0
p: 1.9
b: 1.5
v: 1.0
k: 0.8
j: 0.2
x: 0.2
q: 0.1
z: 0.1
§
In every language, some letters
are used on the average more
than others, and the
percentages of characters in
different languages tends to be
constant.
§
For example, the "frequencies"
of the different letters of the
alphabet in English are shown.
§
Statistics could now be used to
decrypt ciphers
Leon Alberti
Leon Alberti wrote about Cipher Disks around 1470
Leon Battista Alberti
invented the cipher disk.
Alberti dealt "especially with
theories and processes of
cipherment, methods of
decipherment, and statistical
data"
Graphics source: www.mega.it
Mary, Queen of Scots
Mary, Queen of Scots was executed based on decrypted cipher
that utilized “nulls”
Picture source: www.royal-stuarts.org
§
Mary, Queen of Scots, was executed
as directed by Queen Elizabeth I of
England.
§
Mary was condemned on the basis
of evidence obtained from
enciphered messages cracked by
Thomas Phelippes, in the employ of
Elizabeth's Principal Secretary, Sir
Francis Walsingham.
§
Phelippes was able to crack a cipher
used by Mary and conspirators who
wanted to place her on the English
throne.
Thomas Jefferson
Thomas Jefferson wrote about a 26-disk Cipher Wheel in 1780
Jefferson expanded upon
Alberti’s Cipher Disk.
The disks on the Cipher
Wheel can be rotated
individually, making the
associated key more complex
than just shifting letters left or
right.
Picture source: www.Whitehouse.gov
Thomas Jefferson – Cipher Wheel
This enciphering and
deciphering device was
acquired from West Virginia
by NSA in the early 1980s.
It is thought to have been a
model of the "Jefferson
cipher wheel," so called
because Thomas Jefferson
described a similar device in
his writings.
Picture source: www.NSA.gov
Native Americans
Codetalkers were used in WWI and WWII
•
Lacking secure battlefield voice communications during the Great War,
the Army employed Choctaws to encrypt voice communications, using
their native language, itself encoded.
•
The Army studied the program even before war was declared in 1941,
and during World War II employed Commanches, Choctaws, Kiowas,
Winnebagos, Seminoles, Navajos, Hopis and Cherokees.
•
The Marine Corps took the Army work and codified, expanded, refined
and perfected it into a true security discipline, using Navajos
exclusively.
Navajo Codetalkers in WWII
§ The Japanese, who were skilled code breakers, remained
baffled by the Navajo language.
§ The Japanese chief of intelligence, Lieutenant General
Seizo Arisue, said that while they were able to decipher the
codes used by the U.S. Army and Army Air Corps, they
never cracked the code used by the Marines.
§ Praise for their skill, speed and accuracy accrued
throughout the war. At Iwo Jima, Major Howard Connor, 5th
Marine Division signal officer, declared, "Were it not for the
Navajos, the Marines would never have taken Iwo Jima."
Connor had six Navajo code talkers working around the
clock during the first two days of the battle. Those six sent
and received over 800 messages, all without error.
The Germans
German Enigma Encryption/Decryption Machine used in WWII
The German Enigma, as famous
for its insecurities as for the
security that it theoretically gave
to German ciphers.
It was broken, first by the Poles in
the 1930s, then by the British in
World War II. Americans
furnished many of the resources
to attack ever more complex
versions of the Enigma,
especially the naval Enigma.
Information from the decrypted
messages was used by the Allies
to outmaneuver German armies.
Picture and information source: www.NSA.gov
The Digital Age and Cryptology
§ The development of the computer provided a very powerful tool
to both break ciphers and generate them.
§ Computers could perform high-speed searches and statistical
analyses of ciphertext and perform a set of scramblings on data
that would be easy to implement as compared to rotors or
electromechanical devices, and do it much more quickly and
reliably.
§ In order to counter the computational capability of
cryptoanalysts using computers, the encryption key was
lengthed.
The Migration from Text Data to Streaming Data
§
Data on a computer is generally stored as a file, which is electronically
equivalent to paper files in a file cabinet
§
The data in the file is the form of a sequence of binary bits.
– The digitized data can be text, sound, a picture, etc.
– The data file does not represent a text message.
§
Traditional encryption schemes can be implemented with a computer
program (For example, replicating Enigma machines)
– It is much more useful to encrypt data files at the bit level.
– For binary data, it is more appropriate to change the colloquial of plaintext
and ciphertext to plaindata and cipherdata.
§
Rather than speaking of encrypting a data file, computer cryptographers
speak of encrypting a data "stream".
§
Stream and Block ciphers were developed to address streaming data.
Key Distribution
Steam and Block Ciphers provide adequate security for on-line
transactions. However….
§
…how are the cryptographic keys distributed in a secure manner?
§
Key distribution is traditionally the weak link in cipher security
– The British defeated the Enigma by stealing German codebooks
§
The open environment of the Internet makes the problem that much
greater.
– The Internet is an open environment, implying a certain "promiscuity" in
handing out keys.
"New Directions in Cryptography" - 1975
Diffie, Hellman, and Merkle published "New Directions in Cryptography" paper
in 1975
§
Explains the group’s key exchange scheme and the outline for the
concept of public key cryptography.
– Public Key ciphers consist of two keys, one that is "public", available
to anyone, that can be used to encipher a message; and one that is
"private", known only to one person, that can be used to decipher a
message.
§
When the paper was published, they did not know whether Public Key
could be done.
RSA - 1977
Rivest, Shamir and Adleman developed Public Key Cipher in
1977
§
Ron Rivest, Adi Shamir, and Ron Adleman named their public key cipher
"RSA" after their initials.
§
Enables the use of public key cryptography to protect information.
§
Good for point-to-point and/or person-to-person communications
The Digital Evolution
The Digital Evolution began with Mainframes which evolved into
Intranets and Extranets
The network becomes the computer in a distributed
computing environment
Business Shift in the Digital Age
§
Paper processes migrate to
electronic processes
§
Processes become more
streamlined
§
Real time access to information
– improved service to customers
§
Business is moving from “faceto-face” to faceless
§
Information is shared with
entities vice persons
The challenge is to control access to information based on “need-to-know”
Summary
Security concepts have stayed the same from Ancient
Times to to the Digital Age…
§ Physical Security
– Castles and Moats versus Buildings, Locks and Firewalls
§ Transportation Security
– Guards versus SSL and VPNs
…All of the models presented so far are point to point – person to
person, here to there.
Where We are Today…
Interconnectivity
The need for people and businesses to be connected has
created complex and interconnected networks
Internet
We are a virtual point on the network
A Networked World
We live in a networked world of electronic information - The
Internet makes connectivity ubiquitous
§
§
§
There are approximately 110 million Internet hosts on the World Wide
Web – 5 years ago there were only 6.6 million
There are 30 million domain names – 3 years ago there were 2 million
It is estimated that 62% of all U.S. households are online*
Who is on the net? Who has access to my data? Where is my data?
Unable to tell.
* Jeffrey Eisenach, Thomas Lenard, and Stephen McGonegal, The Digital Economay Fact Book (3rd edition, 2001),
(Washington, D.C.; Progress and Freedom Foundation), 1-9.
Risks in the Digital Age
§ Gross National Product (GNP):
– “Information Warfare currently costs the United States an estimated
$100-300 billion per year, and the financial impact on our economy
increases every year.” *
§ Personal – Credit cards, credit reports, DMV, health records,
insurance profiles, identity theft, etc.
§ Corporate – Intellectual Property, business strategies, account
numbers, denial of service, etc.
§ Global – Economic sabotage through electronic means
* Information Warfare, Winn Schwartau; © 1994, Winn Schwartau
Business Challenges
§ The Business needs the ability to control access to information
– Data in transit across networks can be compromised
– Keeping track of the data and who accesses the data is difficult
§ Data at rest may be accessed by an unauthorized person who
could use the information in a detrimental way
– Laptops can be stolen
– Over 50% of attacks come from “insiders”
Challenges for Organizations
§ Increased work load - The retirement of baby boomers will
dramatically increase workload, especially Healthcare
– Processes will need to be automated in order to maintain quality of
service
§ Service to the Citizen - Access to personal information and online
services are expected – typically by citizens at home using the
Internet
§ Compliance with Regulations
– Health Insurance Portability and Accountability Act (HIPAA) of 1996
– Gramm Leach Bliley Act (GLBA) of 1999
– Government Paperwork Elimination Act (GPEA)
The Information Security need in a Networked World
“How does one protect selective electronic information
that has been released without having a chance of
knowing who may see it or come into possession of it
downstream?”
For Example
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
Healthcare payment claims
Enrollment and disenrollment in a health plan
Eligibility transactions
Healthcare payment and remittance advice
Health plan premium payments
Healthcare claim status
Referral certification and authorization
Provider inquiries
Customer financial transactions
Customer records and information
Customer financial information and records
Client information in the new m-Commerce world
What is Constructive Key Management® (CKM®)?
CKM Provides Data Confidentiality in a Networked World
CKM is a technology and methodology that provides an organization
with the ability to control access to data based on a user’s role, at the
object level, using cryptography.
CKM® Characteristics
§ Properties of CKM:
– Key material is specific to roles - not specific to individuals
– Addresses the one-to-many distribution problem of cryptography
key management
– Access privileges bound to data via cryptography
– Built-in key recovery performed by system owner
§ What is CKM good for?
–
–
–
–
Modeling Role-Based Access Control (RBAC)
Enterprise information security
Content-based security
Complementing Public Key Infrastructure (PKI)
CKM® System Architecture
§
System owner creates a CKM Domain
– Credentials are created based on business process needs
– Roles are mapped to Credentials
§ Members are enrolled into the system through a registration
process
– Members are assigned Roles
– Token created for each Member
– Token is distributed to each Member
CKM® Roles and Credentials
§ Roles are established by function and responsibility
§ A Role is defined by a set of Credentials
– Each Credential represents an attribute of the data described in the
underlying information classification model (e.g. Project X, Software
Engineer, Company Employee)
§ Individuals may perform multiple roles
§ Those performing the same role, and thus having the same
Credential(s), share the same ability to access information
The Quality Net Exchange
Data Confidentiality Provided by CKM®
§ Secure Web Portal
– Access to portal is through CKM Smart Token™ - Single Sign On
– Portal content is based on user’s role(s)
§ CKM Smart Token™ stores PKI certificate and CKM credentials
– PKI certificate is used for identity authentication and digital signature
(when required)
– CKM credential(s) are used for the following:
• Data Confidentiality
• Role-based authentication and access control
• Persistent protection of sensitive data (Patient Healthcare
Information) – on workstation, in transit over the Internet/Intranet
and at rest in an Oracle database
CKM® Status at CMS
§
Approved as Emerging Technology
for QNet Exchange
§
Contract with OIS:
– Develop Policy for CMS Programs.
– Determine options on the
implementation of CKM within the
CMS enterprise architecture.
– Meet with business areas to make
them aware that CKM is available
as a tool to help meet HIPAA and
GPEA, improve processes, save
money, etc.
§
Electronic State Plan Amendment
submissions
§
Electronic Forms
One Document, Different Access Levels
Different sections of this
document were encrypted with
different Credentials…
ABC, Inc.
ABC, Inc.
Financial Report -1Q01
…and sent over the
Internet, Corporate
Network, Intranet,
Extranet or VPN
Executive Information
Financial Information
General Information
Users holding
the “CMSExec”
Credential
can see all
the
information
This information is intended for
the Executive Management Team
100
80
60
East
40
West
20
North
0
1st
Qtr
2nd
Qtr
3rd
Qtr
4th
Qtr
This information is general
information and is intended for all
Members of CCE Domain
ABC, Inc.
ABC, Inc.
Executive Information
General Information
General Information
ABC, Inc.
Note: Users must identify and authenticate themselves
to activate their Credentials
Users holding
the “OFM”
Credential
can see
Financial &
General
information
Users not
holding any
Credentials
can only see
the
unencrypted
information
What does this mean to you?
§ You can be assured that sensitive data within QNet Exchange is
protected
§ CKM enables the following:
–
–
–
–
–
–
Data confidentiality
Secure automation of business processes
Role-based access control to information
Control of access to information “downstream”
Secure transmission of information over the Internet
Information protection in transit and at rest
Summary
§ Cryptography has been used throughout history to protect data
from point to point
– In today’s networked world, that is not enough
§ CKM provides data confidentiality in a networked world
§ CKM can be a key component of a HIPAA compliant information
system
In Closing….
“Never discourage
anyone...who continually
makes progress, no matter
how slow”
Plato
(427 – 327 B.C.)
Constructive Key Management® (CKM®) enables the
enforcement of the rules and roles of business processes
CKM Features
Benefits
Integrated enterprise information security and
information management
Access to information can be controlled, based on
roles, in a distributed environment
Administration is managed centrally, yet it can be
controlled locally in a distributed manner
Centralized management of policy with the ability to
delegate authorities to business owners
Role-Based Access Control (RBAC) through
Cryptographically Enforced Access Management
(CEAM™)
Assignment of fine -grained access control, at the
object level, for data and information
Security adjudication performed on client
Users can work disconnected; network performance
is improved
Fully scalable across the enterprise
Remote management of tokens for millions of users
across the enterprise
Built-in cryptographic key recovery
Key and data recovery (100%) is controlled solely by
System Owner
Supports x.509v3 digital certificates for PKI
encryption, digital signature creation and verification
Flexibility to choose which processes and digital
certificates to use for Identification and Authentication
(I&A) as well as non-repudiation
Standards based technology
CKM has been through the peer review of ANSI
The HIPAA Security Rule (NPRM) and TecSec (1) *
Security Requirement
Access Control
Implementation Description
§ Procedure for emergency access
§ At least one of the following features:
– Context-based access
– Role-based access
– User-based access
Audit Controls
§ Mechanisms to record & monitor system
activity
Authorization Control
Data Authentication
§ Provide corroboration that data has not
been altered or destroyed in an unauthorized
manner
– Role-based access
– User-based access
TecSec Technology
§ 100% key recovery by system owner –
who, what and when defined in procedure
§ RBAC enforced though cryptography
§ Integrates with PKI for User-Based access
§ Audit trails can be developed based on data
access by User and/or Role
§ Access to data based on user’s Role
§ PKI certificate can be stored on CKM Smart
Token™
§ MAC is currently an option – and is the
default for the next version of products
§ Supports the use of digital certificates
* Based on the Draft Security Regulation
* A message authentication code (MAC) is an authentication tag (also called a checksum) derived by applying an authentication scheme, together with a secret key, to a
message. Unlike digital signatures, MACs are computed and verified with the same key, so that they can only be verified by the intended recipient. There are four types of MACs:
(1) unconditionally secure, (2) hash function-based, (3) stream cipher-based, or (4) block cipher-based.
The HIPAA Security Rule (NPRM) and TecSec (2) *
Security Requirement
Entity Authentication
Implementation Description
§ Automatic logoff (Mandatory)
§ Unique user identification (Mandatory)
– Biometric
– Password
– PIN
– Telephone callback
– Token
Communications/ Network
Controls
(If employed)
§ Integrity controls
§ Message authentication
§ At least one of the following:
– Access controls
– Encryption
Network Controls
(If employed)
§ Mandatory Controls
– Alarm
– Audit trail
– Entity authentication
– Event reporting
Digital Signature
(If employed)
§ Message integrity
§ Non-repudiation
§ User authentication
* Based on the Draft Security Regulation
TecSec Technology
§ Integrates with PKI
§ Can be integrated with Biometrics
§ Smart Token™ is password protected
§ CKM issues soft tokens – and can be integrated
with hard tokens
§ Business owner controls access to data
§ Message can be MACed
§ Supports the use of digital certificates
§ Provides access control using encryption
§ CKM provides persistent protection of data at
the object level.
§ See above.
§ CKM supports RSA and DSA and is compliant
with the electronic signature law
§ The CKM Smart Token™ stores multiple
x.509v3 certificates
§ Can be integrated with PKI

090902 Conference Presentation

Transcription

Similar documents

Charles Tyrwhitt Shirts Case Study

SUTPHEN TOWERS INCORPORATED COLUMBIA,MISSOURI HS

Kinetico 2060f Sulfur Guard System Non

2nd Quarter 2009 Working in Teams (download)

The lifestyle magazine for real guys!

A Story of Jacques Cousteau

Purpose

Eco-Centre Waste Processing Center

Presentation