This post includes 2 major parts: review of major trends of IT security and possibilities of dealing with these trends.
More IT complexity = Less IT security.
IT security professionals are engaged in a game of cat and mouse with hackers. As fast as they deploy security countermeasures, these rogue elements discover loopholes or entirely new avenues of attack. Traditional security methods have relied upon closely guarding the perimeter of a company’s network. The continuously escalating and mutating threat environment has led many firms to layer security countermeasures one upon another; starting with firewalls, companies have added intrusion detection and prevention systems, malware filters, client-side firewalls, and encrypted network tunnels. Networked business can create a virtual fortress around its infrastructure but still must share information with mobile employees, external business partners, and remote customers. This fortress is not providing business with the adequate level of security and stopping from hackers preying for sensitive data.
Cisco published a report, summarizing the status of IT security worldwide and determined a quantitative index describing this status. According to this report “Enterprise Networks are experiencing persistent infection. Consumer Systems are infected at levels capable of producing consistent and alarming levels of service abuse. ” More money is now being made from cyber-crime than the billions that come from drug trafficking. Last year there were more online bank robberies than there were actual on-site bank robberies. Many consumers suffered ID theft. Large Percentage of consumers who experienced this issue decided to refrain from using the Internet, causing much concern to banks and other institutions. Organized crime funds these activities and makes huge profit. In US Senate hearing the figure of $1 trillion dollars was mentioned as the result of cyber data theft. Extensive cyber crime network exists with a clear division of labor. RSA coined this network name: FRAUD AS A SERVICE. The ultimate goal of this network is one: to steal sensitive data.
Where does this lead? Howard Schmidt, an adviser to Pres. Obama, predicts the perfect storm caused by a combination of several factors simultaneously.
One can argue that some of factors mentioned here can be dealt with, but we must realize that by rapidly expanding our application platforms we ourselves are causing weakening of IT security. There is inevitable trend that will cause the situation to worsen in the future. This is increasing complexity of IT systems. More complex our systems and networks become- more points of vulnerabilities and security failures will occur: the number of security bugs goes up, increased modularity means increased security flaws, because security often fails where two modules interact , more complex the system is, the harder a security evaluation becomes, harder it is to understand and analyze. IT security teams must continue their Sisyphean effort just to stay up and protect perimeter from being overrun by our adversaries.
So we need to realize that in the future we can not completely prevent penetration of computerized systems and be prepared to cope with this situation. We must admit that we cannot really keep the bad guys out.
Dealing with the failure to keep the bad guys out.
If we cannot keep them out of our perimeter – we still must protect the data that is valuable and sensitive. This protection must be scalable and adequate for data sensitivity: more sensitive data – stronger protection becomes. This is the time to mention that data-centric security inevitable introduces some burden on data users. Therefore it must be applied in conjunction with data value. Most of the data we use today is insensitive and may be left intact. Of course what is sensitive and what is not is decided by data owners. There are two main types of potentially sensitive data: transaction data and un-structured data. Sensitive Transaction data include something that may be monetized immediately and therefore it must be protected in real time, as well in transit and storage. Un-structured data cannot be monetized immediately and therefore it must be protected in transit and storage only.
Transaction data protection.
Let’s start with transactions: Gartner analysts published in December 2009 that all existing means of strong authentication are inadequate to protect transaction integrity for simple reason that Trojan horse malware resident on our infected PCs circumvent these means. Nearly 50% of PCs worldwide are infected with some sort of malware. The vulnerability exploited is called Man in the Browser. Man-in-the-Browser, is a trojan that infects a web browser and has the ability to modify transaction content or insert additional transactions, all in a completely covert fashion invisible to both the user and host application. A MitB attack will be successful irrespective of whether security mechanisms such as SSL/PKI and/or Two or Three Factor Authentication solutions are in place. The MitB Trojan works by utilising common facilities provided to enhance Browser capabilities is virtually undetectable to virus scanning software.In an example exchange between user and host, the customer will always be shown, via confirmation screens, the exact payment information as keyed into the browser. The bank, however, will receive a transaction with materially altered instructions. The use of strong authentication tools simply creates an increased level of misplaced confidence on the part of both customer and bank that the transaction is secure. Therefore US regulators and FBI recommend that all financial activities will be performed only from dedicated computers. Obviously this is a short-term solution. It has been demonstrated that Out-of-band transaction confirmation , such SMS sent over mobile phone , merely adds complexity to the process and is still vulnerable to targeted attack .The need exists for malware-resilient solution to the problem.
Our solution is a 2-stage process including signing of web form by user and signed form authorization by the service provider. No transaction will be authorized without both stages fully completed. In order to use our Software-as-a-Service end-user must download our client software, register his PC and enroll his Biometrics VoicePrint, the whole process takes less then a minute. Signing software includes data verification module that ensures that What you See is What you Sign, Strong Authentication module that ensures the identity of the person signing transaction and Advanced Electronic Signature module that ensures transaction integrity in transit and at rest.
The following flow highlights the signing process for medium-sensitivity transaction. End-user signs web-form for third-party money transfer. Our software prompts end-user to confirm transaction integrity and verify the data. Finally end-user is prompted to enter his 4 digit PIN. It takes about 15 sec of end-user time to sign filled web-form. Meduim-sensitivity transaction is signed using 2-factor strong authentication, including proprietary PC ID (something you have) and PIN (something you know). Higher-sensitivity transactions may be signed using 3-factor strong authentication by adding Live Voice Biometrics (something you are)..
Signed web-form includes 2 parts: end-user attributes and transaction details. It complies with the definition of Advanced Electronic Signature. Both end-user and service provider will keep the same signed web-form for future audit. Service provider may access this signed web-form through our API. This solution is malware-resilient, does not require any dedicated hardware and does not add complexity to the business flow. This solution is generic and is applicable to Banking transfers, E-commerce purchases, Insurance claims, Healthcare prescriptions, E-Gov voting.
Let’s discuss un-structured data protection. In most organizations, 70-90% of business data is in an unstructured or semi-structured state and recent research indicates that only 23% of organizations feel this data is properly protected. Unstructured data includes files of any kind such as office documents, images, videos and so forth, not to mention the billions of emails and instant messages generated every day. Much of this is sensitive data, such as personally identifiable information (PII) and intellectual property (IP) that must be protected with appropriate measures. Another challenge of unstructured data is that the data must support multiple distribution needs.
Un-structured data protection.
Un-structured data files protection needs to be independent of infrastructure and needs to be applicable across the board from Enterprise servers to laptops to USB drives to email to cloud storage. Our Software-as-a-service solution for sensitive data file protection is based upon binding of granular authorization for data rights management, strong authentication and crypto technology.
For example we may take any file , encrypt it with seal to be opened only by specified recipient or group members , for example medical expert providing second opinion. This encrypted file may be sent by email or stored on the Cloud. The level of recipient Strong Authentication (2 or 3 factor) is dependent on sensitivity of the file. In this example data owner have chosen 3-tier authentication for the file recipient.
We see that creating encrypted file, includes the steps of:
Choosing file for encryption,
Defining digital rights management rule
Defining file sensitivity (medium or high).
and takes ~15 sec of user’s time.
Deleting decrypted file after encryption will take another ~5 sec of user’s time.
Recipient belonging to the group may decrypt this file in 3 easy steps: click, authenticate (in this case 3 factor authentication, including Live Voice Biometrics is preset) and view. After viewing – the decrypted file must be erased. This adds some 20 sec to the current flow. If file was preset to medium sensitivity, requiring only 2 factor authentication from the recipient – addition to the current flow would be only 5 sec.
The resulting data-centric security is applicable to any type of files and any type of enterprise infrastructure. Using encryption is nothing new of course. But our solution does not weaken the encryption by using a weak password, it is applicable across domains and all types of files and is scalable depending on data sensitivity, to ease a burden on end user. Data access audit trail is required in order to comply with many regulations.
Summary.
I would like to summarize my post with following: Many people believe that adding more complexity to IT security will not provide significant benefits to the customers. Data-centric security is about binding of security perimeter with sensitive data, irrespective of its origin or its destination. All it matters is the level of sensitivity of the data as determined by data owners. The level of the burden imposed on the end-user is proportional to the data sensitivity and is in range of 5 to 15 sec per sensitive data operation. The level of integration required by our Software as a Service solution is minimal and do not impose additional burden on IT Security professionals, keeping their day-to-day fight to protect Company perimeters from their adversaries.
More IT complexity = More data-centric security.
June 27th, 2010Data-centric security.
June 6th, 2010IT security professionals engaged in a game of cat and mouse with hackers as fast as they deploy security countermeasures, these rogue elements discover loopholes or entirely new avenues of attack. Traditional security methods have relied upon closely guarding the perimeter of a company’s network.
The continuously escalating and mutating threat environment has led many firms to layer security countermeasures one upon another; starting with firewalls, companies have added intrusion detection and prevention systems, malware filters, client-side firewalls, and encrypted network tunnels. Networked business can create a virtual fortress around its infrastructure but still must share information with mobile employees, external business partners, and remote customers.
In most organizations, 70-90% of business data is in an unstructured or semi-structured state and recent research indicates that only 23% of organizations feel this data is properly protected. Unstructured data includes Word and Excel documents, images BLOBs (Binary Large Objects), not to mention the billions of emails and instant messages generated every day. Much of this is sensitive data, such as personally identifiable information (PII) and intellectual property (IP) that must be protected with appropriate measures.
Another challenge of unstructured data is that the data must support multiple distribution needs: from enterprise servers, to laptops, to USB drives, through email or on top of cloud storage.
Many businesses now realize that rather than continuing to add layers of infrastructure security, it’s more effective to protect critical data throughout its life cycle, regardless of where it resides or moves. This concept of protecting data rather than devices is known as data-centric security.
Data-centric security must provide data protection at rest (storage) and transit. The unstructured data that requires protection is encrypted before it is transferred or stored.
Paul Stamp from Forrester Research said that: “In an evolving, more complex business and IT environment, organizations need to work toward a more data-centric approach to protecting the most sensitive information. Sensitive data needs to be encrypted as close to its point of creation as possible, and decrypted as close to its point of use as possible.”
In practical applications: the point of creation is one user’s PC and point of use is same user’s PC or other user’s PCs. Data is created and used in decrypted form only using computer software residing on user’s PCs. Therefore for security reasons – decrypted data must be manually destroyed after creation and/or use.
Any data-centric technology must include: data rights management, real-time strong authentication and encryption.
Not everyone is a technology guru. Most users concentrate on getting their work done, not on the underlying technology powering that work. And when security solutions are deemed too difficult to use, many users will circumvent the solution as well as the security. Data rights management and strong authentication require user intervention and therefore cannot be transparent. The issue is how easy these steps for users. Reviewing the example below:
http://www.sentry-com.net/files/SecureContentDecrypt_2FA.swf
We see that creating encrypted file, including the steps of:
1. Choosing file for encryption,
2. Defining Rights Management Rule
3. Defining file sensitivity (medium or high)
takes ~15 sec of your user’s time.
Deleting un-encrypted file after encryption will take another ~5sec of user’s time.
Preparing for use and decrypting encrypted file we will take steps of:
1. Choosing file for decryption
2. User’s strong authentication.
takes ~10 sec of user’s time.
Deleting un-encrypted file after viewing will take another ~5sec of user’s time.
So encrypting/decrypting routine of medium to high sensitivity files will take ~20-25 sec.
Overall this scheme is applicable across the board, independent of enterprise infrastructure and for any type of unstructured data.
What is missing from this discussion: transaction-based data. Transaction-based data must be protected in real-time, from being modified by malware and not only from being stolen. This will be discussed separately.
How to deal with failure to keep the bad guys out.
May 12th, 2010More money is now being made from cybercrime than the billions that come from drug trafficking, AT&T’s Chief Security Officer Edward Amoroso has told a US Senate Commerce Committee. Some $1 trillion annually is being siphoned off by cyber criminals according to the security chief.
American Banking Association and Financial Services Information Sharing and Analysis Center urged business bank customers to “carry out all online banking activity from a stand-alone, hardened, and locked-down computer from which e-mail and Web browsing is not possible.” According to Gartner (Dec. 2009) this warning calls into question the safety of online banking for business account holders, and confirms that criminals are winning the cyber war against financial institution account holders.
Bruce Schneier , CTO and founder of BT Counterpane , explains that :
“Computer security is not likely to improve in the near future because of two reasons. One, bad guys are getting better at attacking us. And two, we’re not getting better at defending ourselves.
The overarching reason for both of these trends is complexity.
Complexity is the worst enemy of security; as a system gets more complex, it gets less secure. Complexity makes it both harder for us to secure our systems and easier for the attacker to find a weakness.
Carl von Clausewitz talked about this with respect to war.
Defenders have to defend against every possible attack, while attackers just have to find one weakness .
Complexity explains one of the most perplexing questions about computer security: Why isn’t it getting better?
We in the computer world are used to technology making things better. Moore’s Law means that computers get more powerful.
Graphics get better. Printing gets better. Video gets better. Networking gets better. Everything gets better — except security.
Why? Complexity is an explanation of that.
The reality is that security really is improving, just not when measured against the complexity juggernaut.
Every year there’s new research, new techniques, and new products. But complexity is making things worse faster.
So we’re losing ground even as we improve.”
Quoting a blog named “https://www.infosecisland.com/blogview/3460-On-The-State-of-Global-Information-Security.html
“Simply stated, the state of global information security efforts is dismal. Cybercrime, fraud, corporate espionage, and threats to critical infrastructure are escalating at a record pace, and we can all count on the fact that things are certain to become much worse over this decade.
…
The crux of the problem is endemic to the industry focus on Data Loss Prevention (DLP), which is Sisyphean effort at best. Yes, every effort needs to be made to enhance DLP, but the focus of information security – our combat strategy – needs to make a fundamental shift away from the notion that we can really keep the bad guys out.
The new paradigm for information security needs to center around resiliency, which consists of three basic elements: detection, isolation, and mitigation for the sake of continuity of operations.
…
Data breaches are like the common cold – we can all be assured of the fact we will suffer one sooner or later, and with varying degrees of severity.
With that fact in mind, would you rather have a medicine cabinet full of products that claim to prevent an infection , or one full of products that ease the impact of an infection by relieving the symptoms so you can get on with your day? I choose the latter…
Data Loss Resiliency (DLR) is the future of information and network security.”
In fact critical Data Loss can be prevented even if we cannot keep the bad guys out (after we gave it our best effort and $$$).
First we need to know what are Mission Critical Assets, which must be protected?
There are two kinds of data in our day-to-day activities: instantaneous (transactions) and permanent (files).
Both may be mission-critical and must be resilient, even if breach has occurred.
Filling web-forms became the backbone of third-party money transfers for Banking, credit-card purchases for E-Commerce, filling Insurance claims, filling prescriptions for Healthcare and E-Gov voting . Each time we use our PCs we are in danger that Trojans will modify transaction or fraudsters will presume our identity. Obviously web-form filling is a mission critical transaction that must be resilient to bad guys’ attempt. Adding complexity to the process by adding additional device simply delays the breach from happening. We must find a way to authorize transactions from basically non-trusted device (our PC) . For more information please refer to :
http://www.sentry-com.net/Transaction.html
Critical data files must be protected at any times, no matter if they are resided at the Enterprise servers, copied to USB drive , stored on a laptop, sent by email or shared on the cloud. In other words protection must be tied to the content – and not to be dependent on potentially compromised environment. This can be achieved by providing granular authorization for the mission critical files. For more information please refer to:
http://sentry-com.net/blog/?p=202
May be this is not quite Data Loss Resiliency, since data will not be lost. I would call it instead dealing with failure to keep the bad guys out.
Vertical Implementation: Healthcare Industry.
February 5th, 2010An electronic health record (EHR) (also electronic patient record or computerised patient record) is an evolving concept defined as a systematic collection of electronic health information about individual patients or populations. It is a record in digital format that is capable of being shared across different health care settings, by being embedded in network-connected enterprise-wide information systems. Such records may include a whole range of data in comprehensive or summary form, including demographics, medical history, medication and allergies, immunization status, laboratory test results, radiology images, and billing information.
Medical records must be shared among doctors, for providing “second opinion” and so forth. The way these records may be shared may differ, but one requirement remains paramount: patient privacy.
Privacy concerns in healthcare apply to both paper and electronic records. According to the Los Angeles Times, roughly 150 people (from doctors and nurses to technicians and billing clerks) have access to at least part of a patient’s records during a hospitalization, and 600,000 payers, providers and other entities that handle providers’ billing data have some access also. Recent revelations of “secure” data breaches at centralized data repositories, in banking and other financial institutions, in the retail industry, and from government databases, have caused concern about storing electronic medical records in a central location. Records that are exchanged over the Internet are subject to the same security concerns as any other type of data transaction over the Internet.
SentryCom VoiceProof® provides a way to secure share medical records (containg information in any form or type) :
The above demo allows to:
· Choose file (medical record),
· Encrypt it,
· Deliver it via MS Outlook and
· Seal it for specified recipients (doctors by name).
Only doctors specified by name will be able to view this medical record.
Another problem facing healthcare industry is the issue of digitally signing doctors prescription for dispensing by online pharmacies.
Two issues arise here: strongly authenticating doctor online and ensuring integrity of prescription content.
SentryCom VoiceProof® provides a way to respond to these requirements.
The above demo allows to:
· Choose file (medical prescription),
· Sign by Doctor and Encrypt it,
· Deliver it via MS Outlook and
· Seal it for specified recipient (pharmacist by name).
Only specified pharmacist will be able to view this prescription.
When specified pharmacist receives this prescription – he will be strongly authenticated and on success – will view doctor’s signature and prescription as shown below:
It should be emphasized that there are a number of operational advantages in our approach:
· No need for acquiring digital certificates
· Complies with Secure Digital Signature
· Prevents privacy disputes
· Preservs information integrity
· Do not require changes in current procedure
· Do not require integration with existing IT infrastructure.
· Available as Software-as-a-Service.
Additional Benefits:
· The same software infrastructure allows 2-factor/3-factor strong authentication for remote domain access and remote portal access.
· Eliminates the need for multiple hardware OTP tokens to access multiple domains
· Prevents from doctors to carry “ token necklace” to access different medical insurance companies
Vertical Implementation :Integrating with Payment Data Storage within Payment Card Industry (PCI) infrastructure.
February 4th, 2010ID Fraud Statistics:
The problem with “Verified by Visa” solution to ID fraud:
•Branded as “Verified by Visa” and “MasterCard SecureCode”; hereinafter 3DS
•Lets you use a password with your credit card to pay at many merchant websites
•Like Passport, OpenID etc, it redirects you to a central login service
•It was the card industry’s answer to a big rise in card-not-present (CNP) fraud that followed the introduction of the Europay-Mastercard-VISA (EMV) smartcard payment system
•Customer presents card to merchant
•Merchant passes card number to its bank (the acquirer) who supplies a URL for logon
•The URL is often to a third-party service such as RSA
•The logon page was originally presented as popup
•Because of popup blockers, the standard now recommends that the merchant embeds it in an iframe:
•If successful, auth code is returned for merchant using TLS and client certificate
•Similar systems are being introduced (or are planned) for more and more payment systems
–VISA original credits
–Single European Payment Area (SEPA) e-Mandates
•The latter will replace cheques in Europe!
•So how secure is all this? Not much due to phishing as seen below:
For full discussion see :
http://www.cl.cam.ac.uk/~rja14/Papers/fc10vbvsecurecode.pdf
Verified by Visa relies on banks to authenticate the customer. Since different banks may use different authentication schemes – using password is the only common solution open for credit-card-using customers. Therefore relying on banks is not helpful. The need exists to look for different solution.
Today many merchants use the services of Payment Data Storage (PDS) providers , assigned by credit-card companies, compliant with PCI strict requirements. It would be natural to them if external service provider will not only store credit-card data , but also authenticate credit-card data holders. Our MACS-Managed Authentication&Crypto Service may provide such a function working independently from Payment Data Storage provider. How this may work :
System administration by Merchants, MACS and PDS:
· PDS X assigns customer username (say X342159) ·
· PDS X sends to MACS customer username and customer email.
· MACS sends registration email to customer.
· Online Transaction will be signed by customer
· Customer may update (add/delete) his credit card info (self-service with MACS)
· Merchant Y will verify credentials of customer username using PDS X database. If transaction is signed by the customer – merchant Y will approve it. If transaction is not signed by the customer and PDS database contains customer username – merchant Y will reject it. Therefore customer credit card is protected against Identity Fraud. If customer username do not appear at PDS database – Merchant Y will use currently adopted best practices.
MACS & PDS integration:
· Identity Assurance of customer by PDS
· Assignment of username & email by PDS
· Send username/email to MACS
· Register user by MACS
· Transaction Verification by MACS
· Audit payment data by PDS
The customer and the merchant will keep signed transaction in the following form:
Vertical implementation: Insurance Industry
February 4th, 2010Significant part of Insurance Industry sales involves Insurance Agents. Their day-to-day business involve interaction with customers, in order to help individuals, families, and businesses select insurance policies that provide the best protection for their lives, health, and property.
On selection – customer needs to sign insurance forms. In this day and age – forms are signed using agent’s laptop and computer tablet:
Computer tablet is used to acquire what is called electronic signature. The U.S. Code defines an electronic signature as “an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record.”
There two major issues here, related to Identity Fraud:
1. How customer can be sure that policy terms received by insurance company are indeed the terms he intended?
2. How insurance company can be sure about the insurance agent identity?
There is a need to incorporate Secure Electronic (or Digital) Signature of insurance agent on top of electronic signature of the customer to resolve these issues.
A Secure Electronic Signature is as an electronic signature that
(a) is unique to the person making the signature;
(b) the technology or process used to make the signature is under the sole control of the person making the signature;
(c) the technology or process can be used to identify the person using the technology or process; and
(d) the electronic signature can be linked with an electronic document in such a way that it can be used to determine whether the electronic document has been changed since the electronic signature was incorporated in, attached to or associated with the electronic document.
Therefore Secure Digital Signature must include Online Strong Authentication to identify Insurance Agent and Advanced Crypto Technologies to ensure that signed poicy document will not be altered undetected. This is accomplished using our patented CryptoBiometrics™ technology.
All customer needs to do is to demand from agent to sign in front of him:
Insurance Company receiving the digitally signed form will open to see the following:
Insurance company will learn that customer John Smith signed the policy in from of agent Steve Jones. The company will also know that agent Steve Jones digitally signed on front of the customer vs. Service Provider and date/stamp is valid.The content of the form was not changed.
It should be emphasized that there are a number of operational advantages in our approach:
· No need for acquiring digital certificates
· Complies with Secure Digital Signature
· Prevents customer dispute
· Prevents agent dispute
· Do not require changes in current procedure
· Do not require integration with Insurance Company IT infrastructure.
· Available as Software-as-a-Service.
Additional Benefits:
· The same software infrastructure allows 2-factor/3-factor strong authentication for remote domain access and remote portal access.
· Eliminates the need for multiple hardware OTP tokens to access multiple domains
· Prevents from insurance agents to carry “ token necklace” to access different insurance companies
CryptoBiometrics – answering 10 Risks of PKI.
January 21st, 2010The term PKI is sometimes erroneously used to denote public key algorithms, which do not require the use of a CA (Certificate Authorities). For example Web of Trust and Simple Public Key Infrastructure (SPKI). CryptoBiometrics™ is another implementation of this approach to use public key algorithms , while addressing known weaknesses of Certificate Authorities.
I was reading Wikipedia on PKI and found a 10-year old reference to “Ten Risks of PKI: What You’re Not Being Told About Public Key Infrastructure” by C. Ellison and B. Schneier , http://www.schneier.com/paper-pki.html.
So this blog will be written to answer these risks with our CryptoBiometrics™. The risk questions and quoted comments are from this paper .
Risk #1: “Who do we trust, and for what?”
“There are those who even try to induce a PKI customer in believing in names. Their logic goes: (1) you have an ID certificate, (2) that gives you the keyholder’s name, (3) that means you know who the keyholder is, (4) that’s what you needed to know. Of course, that’s not what you needed to know.”
What is needed is the process capable of verifying online and in real-time vs. Certificate Authority that the person appearing in the certificate indeed is assigned with the key shown on the certificate.
Risk #2: “Who is using my key?”“
One of the biggest risks in any CA-based system is with your own private signing key. How do you protect it? You almost certainly don’t own a secure computing system with physical access controls, TEMPEST shielding, “air wall” network security,and other protections; you store your private key on a conventional computer. There, it’s subject to attack by viruses and other malicious programs. Even if your private key is safe on your computer, is your computer in a locked room, with video surveillance, so that you know no one but you ever uses it? If it’s protected by a password, how hard is it to guess that password? If your key is stored on a smart card, how attack-resistant is the card? Most are very weak.] If it is stored in a truly attack-resistant device, can an infected driving computer get the trustworthy device to sign something you didn’t intend to sign?”
Aram Perez correctly commented on that saying “ that you have this risk with any encryption system. The whole basis for modern cryptography is the protection of the secret (symmetric) key or the private (asymmetric) key, whether or not a CA is involved. If either the secret or private key is exposed or used by the wrong person, you lose all security offered by cryptography.”
If protecting private key is virtually impossible in Open Internet – does it mean that asymmetric key cryptography cannot be used to sign transactions? I believe that instead of using CA assigned private key bound to person’s identity we need to use another attribute, that can be bound to the person’s identity as well as to the existing Crypto technology. SentryCom CryptoBiometrics™ does just that.
Risk #3: “How secure is the verifying computer?
“Certificate verification does not use a secret key, only public keys. Therefore, there are no secrets to protect. However, it does use one or more “root” public keys. If the attacker can add his own public key to that list, then he can issue his own certificates, which will be treated exactly like the legitimate certificates. They can even match legitimate certificates in every other field except that they would contain a public key of the attacker instead of the correct one.”
Verifying computer cannot accept forged SentryCom CryptoBiometrics™ certificates. If for example bank wants to verify transaction , signed with CryptoBiometrics™ certificate , then this verifying computer will be securely connected with SentryCom CA server. Forgery will need to go to rogue servers and this connection will be prevented.
Risk #4: “Which John Robinson is he?”
“Certificates generally associate a public key with a name, but few people talk about how useful that association is.”
SentryCom CryptoBiometrics™ certificate adds email address to the person’s first name and last name , which makes this description unique. If person updates his email address with SentryCom CA (using self-serving administration , contingent on 3-factor strong authentication) then SentryCom CA will keep track of new as well as old email, as bound to the person.
Risk #5: “Is the CA an authority?”
It is- if it does the job it claims to do.
Risk #6: “Is the user part of the security design?”“
Does the application using certificates take the user into account or does it concern itself only with cryptography?”
In our case the answer is obviously yes, the user is an integral part.
Risk #7: “Was it one CA or a CA plus a Registration Authority?”“
Some CAs, in response to the fact that they are not authorities on the certificate contents, have created a two-part certification structure: a Registration Authority (RA), run by the authority on the contents, in secure communication with the CA that just issues certificates. The RA+CA model is categorically less secure than a system with a CA at the authority’s desk. The RA+CA model allows some entity (the CA) that is not an authority on the contents to forge a certificate with that contents.”
We are one authority, secure by design.
Risk #8: “How did the CA identify the certificate holder?”
“Whether a certificate holds just an identifier or some specific authorization, the CA needs to identify the applicant before issuing the certificate. Meanwhile, having identified the applicant somehow, how did the CA verify that the applicant really controlled the private key corresponding to the public key being certified?”
To enroll into SentryCom CryptoBiometrics™ one needs third-party Identity Assurance , provided by enterprise, requesting our service. For example by bank providing us with its customer’s credentials. From that moment one can be assured that customer is using our service.
Risk #9: “How secure are the certificate practices?”
“How is key lifetime computed?” The CryptoBiometrics™ key lifetime is until it is revoked.
“Does the vendor support certificate or key revocation?” yes.
“ Is that dating done by a secure timestamp service?” yes
“ How long are the generated public keys and why was that length chosen?”. We use 1024 bit RSA keys , as legally accepted standard.
Risk #10: “Why are we using the CA process,
anyway?”
“After the CA was installed and all employees had been issued certificates, the customer turned to the PKI vendor and asked, “OK, how do we do single sign-on?” The answer was, “You don’t. That requires a massive change in the underlying system software.”
We can do SSO and many other software apps., but this is a different story.
What needs to be done to achieve transaction non-repudiation.
January 14th, 2010Electronic Signature.
A signature is a stylized script associated with a person. It is comparable to a seal. In commerce and the law, a signature on a document is an indication that the person adopts the intentions recorded in the document. An electronic signature is any legally recognised electronic means that indicates that a person adopts the contents of an electronic message. The U.S. Code defines an electronic signature as “an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record.”
In law, if a signature on a contract or other document is contested, the signature must meet certain tests before a court will uphold them if contested. A central question in such cases is forgery and spoofing of assent, and in these decisions, courts have held that forgery and spoofing can be in practice ruled out. Nevertheless, it is easily possible, for many electronic methods of signature, or imputed signature, to forge or spoof assent. The rapidly rising problem of identity theft illustrates the ease of such forgeries.
An electronic signature may incorporate a digital signature if it uses cryptographic methods to assure, at the least, both message integrity and authenticity. All current cryptographic digital signature schemes require that the recipient have a way to obtain the sender’s public key with assurances of some kind that the public key and sender identity properly belong together, and that message integrity measures (also digital signatures) which assure that neither the attestation nor the value of the public key can be surreptitiously changed.
Biometrics.
Another approach is to attach some biometric measurement to a document as evidence of signature. Since each of these physical characteristics has claims to uniqueness among humans, each is to some extent useful as a signature method. Unfortunately, some are easily spoofable by a replay of the electronic signal produced and submitted to the computer system responsible for ‘affixing’ a signature to a document. Biometric measurements of this type are useless as passwords, as they can’t be changed if compromised. However, they might be serviceable as electronic signatures of a kind – except that, to date they have been so easily spoofable that they can carry little assurance that the person who purportedly signed a document was actually the person who did.
What you see and what you sign.
A digital signature or digital signature scheme is a mathematical scheme for demonstrating the authenticity of a digital message or document. A valid digital signature gives a recipient reason to believe that the message was created by a known sender, and that it was not altered in transit. Digital signatures are commonly used for software distribution, financial transactions, and in other cases where it is important to detect forgery and tampering.Technically speaking, a digital signature applies to a string of bits, whereas humans and applications “believe” that they sign the semantic interpretation of those bits. In order to be semantically interpreted the bit string must be transformed into a form that is meaningful for humans and applications, and this is done through a combination of hardware and software based processes on a computer system.
Documents are immaterial because the information is represented by logical bits that can be stored on, and copied to, any suitable electronic medium, and they only become meaningful to humans when represented through an analogue physical medium such as a computer screen or a printout. The validity of a digital document is authenticated by verifying that an immaterial digital signature logically matches the already immaterial document. Because a digital document in its immaterial form can not be observed directly by the signer, the digital signature can only serve as evidence of the signer’s agreement to some analogue representation of the document, although it is usually assumed that it represents the signer’s agreement to the immaterial electronic document itself.
A desirable property of digital signature systems is to guarantee that what you see is what you sign., abbreviated as WYSIWYS.
Fundamental problems:
1. In general, the property of providing WYSIWYS depends on the integrity of the digital signature system and platform. In case there is insufficient evidence regarding the integrity of digital signature systems and platform, they can in principle not be trusted. This is a fundamental problem for the practical usage of digital signatures.
A fundamental aspect of digital documents is that displaying and digitally signing them are separate and unlinked processes.
2. All public key / private key cryptosystems depend entirely on keeping the private key secret. A private key can be stored on a user’s computer, and protected by a local password, but this has two disadvantages:
· the user can only sign documents on that particular computer
· the security of the private key depends entirely on the security of the computer
Another fundamental problem of digital signing is that strong authentication and private key signing are separate and unlinked processes.
3. Do electronic documents bearing digital signatures and some form of biometric identifier qualify for the enhanced evidentiary treatment, i.e., should the use of a digital signature and a biometric identifier create a presumption that the originator of the message is the person indicated and that the content of the message has not been altered?
The parties are always free to agree in advance to the use a particular security procedure, and the presumptions arise if the security procedure indicates that one of the parties is the originator of the electronic document. A security procedure must be both “commercially reasonable” and implemented in a “trustworthy manner” in order to qualify as a “secure electronic signature.” Do digital signatures and biometric identifiers meet these standards? The use of biometrics, even though not yet standardized, might be useful in showing that a digital signature was implemented in a “trustworthy manner” in a high-value transaction where an abundance of caution would be considered prudent. A combination of these security procedures may come very close to achieving a non-reputable method for identifying both the originator and content of an electronic document.
Conclusions:
1. Signing process : the need exists to bind online strong authentication of the signatory, digital signing and digitally signed documents display into one process to prevent tampering and fraud.
2. Verification process: the need also exists to provide a structure for binding biometrics and digital signature so that Online service will be able to validate in interdependent way document integrity and originator authenticity.
Use Cases for Secure Public Cloud Storage and Transaction Verification
December 13th, 2009Use Case: Rapidly Scaling an Insurance Application using a Public Cloud.
Raised by Cloud Computing Security Use Cases group
http://groups.google.com/group/cloud-computing-use-cases/browse_thread/thread/a591dee0861f4e93?pli=1
Description:
I quote:
“An insurance company’s new Insurance policy claims application’s has proven to be valuable in capturing customer and property damage data.
A hurricane is predicted to hit the gulf coast region of the United States and the IT Staff wishes to elastically scale out the new application to accommodate the additional customers and field agents that may need it in the aftermath. The company’s IT Staff selects a Public Cloud Provider to fulfill their short-term compute needs and host additional images of their insurance policy claims application.”
The problem: ID fraudsters. They might utilize the system as well: impersonating field agent (you may weight it’s motivation as $) , modifying (beneficiary) of the claim form in browser (you may weight it’s motivation as $$$) or stealing the stored form from the cloud (you may weight it’s motivation as $$). From that analysis you might deduce that greatest vulnerability is in the agent browser.
Our vulnerability-addressing approach – from bottom-up, where:
1. Man-in-the-Browser vulnerability is resolved.
2. Field agent impersonation vulnerability is resolved.
3. Public Cloud Stored form vulnerability is resolved.
Implementation:
1. Insurance company agent log-ins using our external SaaS to access form-filling app.
http://www.sentry-com.net/files/MAS-SSO.jpg
2. The form is filled, digitally signed by insurance agent and uploaded to the cloud.
http://www.sentry-com.net/Transaction.html
3. The uploaded form is encrypted, but cannot be decrypted in the cloud.
http://www.sentry-com.net/CloudComputing.html
4. Insurance company staff downloads the form from the cloud and decrypts signed form.
http://sentry-com.net/blog/?p=202
Another use cases raised by the same Cloud Computing Security Use Cases group (same link above) :
I quote: “A financial investment company is about to internally announce a new investment products to its agents and affiliates. This will involve include creation of several videos to explain the benefits and features new product to its staff and agents, as well as to train/instruct them on when to recommend these products to their customers. These videos are quite large and need to be made available (on-demand) as secure, confidential data to appropriately certified company agents worldwide. There are federal regulations and industry obligations that need to be enforced (policy) to assure that this new product announce and the videos are kept confidential during a restricted period. The financial company decides to utilize a Public Storage Cloud to elastically scale to handle the secure hosting (storage) and streaming for these new videos while using security features in the cloud to auditable access control to the videos in accordance with security policies when employees and agents access the videos.”
This use case is different from the first one and its implementation is different . We have to differentiate between the “quite” restricted period and aftewards. For the restricted period the videos on the public cloud needs to be stored encrypted and they should not be decrypted under any circumstances.
1. The uploaded video is encrypted and can be accessed on the cloud during the restricted period by the group including staff and agents. The uploaded video is encrypted, but cannot be decrypted in the cloud.
http://www.sentry-com.net/CloudComputing.html
2. Financial investment company staff and agents downloads the encrypted video from the cloud and decrypts it on their desktop.
http://sentry-com.net/blog/?p=202
3. Audit trail for anybody – anywhere accessing these restricted video’s is available and is built-in into the system.
4. Following restricted period – video’s (this time not encrypted) should be uploaded again for public viewing.
Innovation is needed for Identity Fraud Prevention!
December 6th, 2009Where Strong Authentication Fails and What You Can Do About It”- is the name of the latest Gartner Inc. Research Report , written by Aviva Litan.
Security measures such as one-time passwords and phone-based user authentication, considered among the most robust forms of security, are no longer enough to protect online banking transactions against fraud, a new report from research firm Gartner Inc. warns.
“Trojan-based, man-in-the-browser attacks are circumventing strong two-factor authentication, enabled by one-time password tokens,” Gartner wrote in their report of December 3, 2009. “Other strong authentication methods, such as those using chip cards and biometric technology that rely on browser communications, can be similarly defeated,” Gartner said.
For instance, a request to transfer a certain amount of money from one account to another could be modified so that the request the bank gets would be different from the request sent by the user. However, when the bank asks the customer to confirm the transaction, the details of the transaction would appear to the user to be the same as the one he had requested, Gartner said. “The malware is changing what the user sees. So even if you put in a one-time password, you are confirming the wrong transaction,” Gartner said.
In instances where a bank might use a phone-based, “out-of-band” authentication system, criminals are increasingly using call forwarding so that it is the fraudster rather than the legitimate user that is being called by the financial institution, Gartner said.
If security application places outbound call, synchronized to a Web session – then this outbound call can be forwarded to fraudsters. If in addition security application displays a number on the Web screen that must be entered via telephone keypad in the phone – then this number can easily intercepted by Man-in-the-Browser Trojan and forwarded to the same fraudsters , thus hijacking the session. We can reverse the loop and request user to sent some transaction info using phone keypad. But this does not make any difference.
Nokia 1100 became VERY POPULAR amongst fraudsters as seen by Google Searches worldwide:
”
Measuring risks and probabilities changed over the last year. The attacks are becoming increasinlgy focused and targeted on people performing high-value transactions. For them – the probability of hacker “cloning” mobile phone as well as planting man-in-the-browser may be very high! For those inclined for further reading :
http://www.pcworld.com/article/163409/article.html?tk=nl_dnxnws
http://threatpost.com/en_us/blogs/new-spyphone-iphone-app-can-harvest-personal-data-120409?utm_source=Threatpost&utm_medium=Tabs&utm_campaign=Today%27s+Most+Popular
http://www.flexispy.com/spyphone-call-interceptor-gps-tracker-symbian.htm
http://en.wikipedia.org/wiki/SMS_spoofing
So putting together these “weak” defences cannot prevent fraud.
Why browser cannot be “fixed”? Because fixing the browser will make Internet inoperable. Fraudsters use the same functionalities that run our day-to-day activities.
So if browser communications are infiltrated – one should use “out-of-band” communication, that are beyond the reach of fraudsters. We need to perform strong user authentication, transaction content acquisition and transaction integrity confirmation – all outside the browser channel. This is what we do with our Transaction Verification solution:
http://www.sentry-com.net/Transaction.html
