Weak Link in Security? Not the Technology
The public perception of the Internet is that it’s insecure. We’re
constantly hearing stories of identity theft, bombarded by unsolicited offers
for the medically improbable, or generally wary of predators lurking in the
ether. It was initially intended to be robust, not necessarily secure. Today
that need is great.
Those who opted out of the Internet all together provided an early answer to
secure networking. Why bother with the risks? If you could afford your own private
network you were much more likely to rest easy at night as the gathering storm
of Internet hacking turned from challenge to criminal intent.
The Net has grown up and with it the need to provide services that are secure,
and transacted between known parties. You need to validate with whom you are
electronically interacting, and be sure the content of the information exchanged
is authentic, unaltered by any middleman acting to invisibly pass messages and
read their content.
Public Key Infrastructure:
(noun) a system of digital certificates, Certificate Authorities, and
other
registration authorities that verify
and authenticate the validity of
each party involved in an Internet
transaction.
Webopedia.com
http://www.webopedia.com/TERM/P/
PKI.html
|
That’s good for business but what do academics gain from a secure infrastructure?
Many academic interactions need flexible mechanisms that manage access based
on complex attributes among distributed populations and organizations. Here’s
a sampling, but you can envision many others.
Applications for federal student loans and related financial services.
The federal government is developing secure transactions systems to allow the
transfer of personal information required by various public agencies to process
loans and other financial awards.
Expanded use of campus directory systems. Making
directories interoperable among campuses could make it easy to create secure
cross-institutional mailing lists. If directories were secure, those listed
in them might be willing to disclose more about themselves, their research interests,
or other data, confident that those accessing this information were only from
among the community to which they belong.
Electronic assignment turn-in with timestamps. With
the increase in course management systems, a standard and secure way to determine
that submissions originated from a specific student, have not been electronically
tampered with and were submitted by the assigned deadline is becoming imperative.
Replacing IP address access controls restricting licensed library
materials. Internet Protocol address (IP) controls are the standard
method used by many academic library database vendors to provide access control
to site licensed materials purchased by libraries. This causes difficulties
for traveling faculty or students and anyone using some other ISP to obtain
Internet access from home or elsewhere.
Faculty and student transactions with campus administrative systems.
Course enrollment, applying for housing, and managing debit accounts are among
business interactions occurring daily in academic institutions. Using electronic
documents with multiple signatures that cannot be repudiated has applications
in these as well as payroll actions, benefits selection, and grant submission.
Use of these systems requires, the individual be able to trust the computation,
obtain appropriate confirmation, and protect their data from theft.
Secure wireless network access. Wireless networks
are rapidly becoming the norm rather than the exception on our campuses. Ask
your network administrators how they are securing their network from unauthorized
use.
Public Key Infrastructure
The most promising strategy for achieving secure net transactions is to deploy
public key infrastructure. Encryption technologies are difficult to grasp and
communicate, even by those doing their development. There are two considerations
to keep distinct. The first are the encryption approaches applied to encode
information so it cannot be read or altered by anyone but the intended recipient.
The second is the mechanism by which the identity of either the sender or the
recipient is determined, whether or not the information sent is protected. The
infrastructure needed to enable all of this depends on the particular security
strategies used, but here we’ll concentrate on so-called public key approaches.
Public-key cryptography uses a pair of mathematically related algorithms called
keys. If one key is used to encrypt information, then only the related key can
decrypt that information. The trick is you can’t easily decipher one from
knowing the other. One key, the public key, you make widely known. The other
key, the private key, you keep secret. Someone sending you confidential information,
their homework, for example, encrypts the message with your public key
(1). Let’s assume that was available from a campus directory service.
The recipient, you in this example, uses a private key to read the information.
You are assured that the homework sent has not been tampered with or altered.
What you don’t know for sure is if the person sending the homework was
in fact your student.
| Key (2) |
Key Type |
Key Use By |
| Encrypt data for sending |
Public Key |
Recipient |
| Digitally sign message |
Public Key |
Sender |
| Decrypt received message |
Public Key |
Recipient |
| Verify signature |
Public Key |
Sender |
Authenticating the sender. A digital signature is
accomplished by using a private key to sign the message, based on a mathematical
algorithm determined by the content of the message itself. It is therefore different
for every message, but the process by which it is derived is a function of the
key. The algorithm determines a value, called a hash value, and attaches it
to the message either directly within it or as a corresponding separate file.
The corresponding public key must be available to decrypt the value and reverse
the algorithm confirming the sender’s signature. Note that anyone receiving
the message (digitally signed) can read the contents and determine from whom
it was sent. There is no confidentiality here. Privacy is a function of the
first process, not the second.
Certificates. To manage public keys, a certificate
(CA) is used that contains user information, an expiration date, usage criteria,
the issuer of the certificate, and related data. The certificate is digitally
signed to validate who issued it. It is the protection and management of the
certificates that is a major concern for PKI. The certificate is installed on
your computer. If someone has access to that, the information therein is easily
read. Hence, you need to password-protect access to your certificate.
Who makes the password? You do—often using your dog’s name, or
your birthday, or…are you seeing a weakness? Further, the certificate
is installed on your computer—what if you’re using someone else’s
computer? Somehow you still need to access your certificate, or install it from
the certificate authority on the machine you’re temporarily using—either
setting a
1-day expiration (so the next person can’t use it tomorrow) or deleting
it when you’re done. On public computers, however, you often can’t
download and install things because security programs prevent the installation
of programs to protect them from being downloaded from the Net. This is, of
course, exactly what you’re doing.
The infrastructure required for public key encryption systems and the life
cycle of a user’s public key certificate pose challenges to scale and
human nature that no purely technological solution can address. It is tempting
to let the white horse of technology rescue us from otherwise complex security
problems. Being so lulled into complacency, we become increasingly at risk.
Where are the dangers?
A short list of the vulnerable spots in the PKI infrastructure include:
(1) Issuance. Authenticating the user. This is not a technical issue
but a social problem associated with verifying the user’s identity by
non-technical means.
(2) Validation. Authenticating the CA. Is the source of the certificate
real or itself uncertain?
(3) Revocation. Certificate Revocation Lists. People loose things or
move on from job to job. Once issued certificates must be revoked. Keeping track
of this as their usage increases is a potentially significant task.
(4) Single Sign-on. Private key management. Using your private key
is required to decrypt messages sent to you. Do you keep this key in memory
(exposed to potential intruding software) or in something more secure like a
“Smart Key Card” that you insert into the computer so it can be
read when needed? Yet another item to manage and infrastructure to support.
(5) Password change. Password quality control. We’ve alluded to this already.
The best privacy in the world is often protected by a password that is simply
too easy.
We should move forward with these promising security infrastructure initiatives,
but we cannot lose sight of where their real weaknesses lie. The most secure
security systems are often protected by passwords based on the names of our
favorite animal. Passwords, like underwear, must be changed often. Making them
hard to guess makes them hard to remember, but that’s true for those trying
to steal them, as well. When was the last time you changed yours?
REFERENCES
The PKI Page
http://www.pki-page.org/ Last accessed Feb. 25th, 2004.
An Introduction to Public Key Infrastructure
http://www.articsoft.com/wp_pki_intro.htm
PKI Applications in Academic Computing
http://ww.cs.dartmouth.edu/~pkilab/acapps.shtml, last modified July 17th,
2001. Last accessed Feb. 27th, 2004. |
1In practice usually messages in PKI systems are symmetrically
encrypted, that is, a randomly generated key made at the time of sending the
message encrypts the content and is itself encrypted with your public key and
included in the message. The recipient then decrypts the transient key, which
in turn is used to decrypt the message content. This is done because it’s
much faster technically to perform than so-called ‘asymmetric encryption’).
2 Table modified from Introduction to Public Key Infrastructure,
http://www.articsoft.com/ wp_pki_intro.htm/
