Weak Link in Security? Not the Technology

The public perception of the Internet is that it’s insecure. We’re constantly hearing stories of identity theft, bombarded by unsolicited offers for the medically improbable, or generally wary of predators lurking in the ether. It was initially intended to be robust, not necessarily secure. Today that need is great.

Those who opted out of the Internet all together provided an early answer to secure networking. Why bother with the risks? If you could afford your own private network you were much more likely to rest easy at night as the gathering storm of Internet hacking turned from challenge to criminal intent.

The Net has grown up and with it the need to provide services that are secure, and transacted between known parties. You need to validate with whom you are electronically interacting, and be sure the content of the information exchanged is authentic, unaltered by any middleman acting to invisibly pass messages and read their content.

Public Key Infrastructure:
(noun) a system of digital certificates, Certificate Authorities, and other
registration authorities that verify
and authenticate the validity of
each party involved in an Internet
transaction.

Webopedia.com
http://www.webopedia.com/TERM/P/
PKI.html


That’s good for business but what do academics gain from a secure infrastructure? Many academic interactions need flexible mechanisms that manage access based on complex attributes among distributed populations and organizations. Here’s a sampling, but you can envision many others.

Applications for federal student loans and related financial services. The federal government is developing secure transactions systems to allow the transfer of personal information required by various public agencies to process loans and other financial awards.

Expanded use of campus directory systems. Making directories interoperable among campuses could make it easy to create secure cross-institutional mailing lists. If directories were secure, those listed in them might be willing to disclose more about themselves, their research interests, or other data, confident that those accessing this information were only from among the community to which they belong.

Electronic assignment turn-in with timestamps. With the increase in course management systems, a standard and secure way to determine that submissions originated from a specific student, have not been electronically tampered with and were submitted by the assigned deadline is becoming imperative.

Replacing IP address access controls restricting licensed library materials. Internet Protocol address (IP) controls are the standard method used by many academic library database vendors to provide access control to site licensed materials purchased by libraries. This causes difficulties for traveling faculty or students and anyone using some other ISP to obtain Internet access from home or elsewhere.

Faculty and student transactions with campus administrative systems. Course enrollment, applying for housing, and managing debit accounts are among business interactions occurring daily in academic institutions. Using electronic documents with multiple signatures that cannot be repudiated has applications in these as well as payroll actions, benefits selection, and grant submission. Use of these systems requires, the individual be able to trust the computation, obtain appropriate confirmation, and protect their data from theft.

Secure wireless network access. Wireless networks are rapidly becoming the norm rather than the exception on our campuses. Ask your network administrators how they are securing their network from unauthorized use.

Public Key Infrastructure
The most promising strategy for achieving secure net transactions is to deploy public key infrastructure. Encryption technologies are difficult to grasp and communicate, even by those doing their development. There are two considerations to keep distinct. The first are the encryption approaches applied to encode information so it cannot be read or altered by anyone but the intended recipient. The second is the mechanism by which the identity of either the sender or the recipient is determined, whether or not the information sent is protected. The infrastructure needed to enable all of this depends on the particular security strategies used, but here we’ll concentrate on so-called public key approaches.

Public-key cryptography uses a pair of mathematically related algorithms called keys. If one key is used to encrypt information, then only the related key can decrypt that information. The trick is you can’t easily decipher one from knowing the other. One key, the public key, you make widely known. The other key, the private key, you keep secret. Someone sending you confidential information, their homework, for example, encrypts the message with your public key (1). Let’s assume that was available from a campus directory service. The recipient, you in this example, uses a private key to read the information. You are assured that the homework sent has not been tampered with or altered. What you don’t know for sure is if the person sending the homework was in fact your student.

Key (2) Key Type Key Use By
Encrypt data for sending Public Key Recipient
Digitally sign message Public Key Sender
Decrypt received message Public Key Recipient
Verify signature Public Key Sender


Authenticating the sender. A digital signature is accomplished by using a private key to sign the message, based on a mathematical algorithm determined by the content of the message itself. It is therefore different for every message, but the process by which it is derived is a function of the key. The algorithm determines a value, called a hash value, and attaches it to the message either directly within it or as a corresponding separate file. The corresponding public key must be available to decrypt the value and reverse the algorithm confirming the sender’s signature. Note that anyone receiving the message (digitally signed) can read the contents and determine from whom it was sent. There is no confidentiality here. Privacy is a function of the first process, not the second.

Certificates. To manage public keys, a certificate (CA) is used that contains user information, an expiration date, usage criteria, the issuer of the certificate, and related data. The certificate is digitally signed to validate who issued it. It is the protection and management of the certificates that is a major concern for PKI. The certificate is installed on your computer. If someone has access to that, the information therein is easily read. Hence, you need to password-protect access to your certificate.

Who makes the password? You do—often using your dog’s name, or your birthday, or…are you seeing a weakness? Further, the certificate is installed on your computer—what if you’re using someone else’s computer? Somehow you still need to access your certificate, or install it from the certificate authority on the machine you’re temporarily using—either setting a
1-day expiration (so the next person can’t use it tomorrow) or deleting it when you’re done. On public computers, however, you often can’t download and install things because security programs prevent the installation of programs to protect them from being downloaded from the Net. This is, of course, exactly what you’re doing.

The infrastructure required for public key encryption systems and the life cycle of a user’s public key certificate pose challenges to scale and human nature that no purely technological solution can address. It is tempting to let the white horse of technology rescue us from otherwise complex security problems. Being so lulled into complacency, we become increasingly at risk. Where are the dangers?

A short list of the vulnerable spots in the PKI infrastructure include:
(1) Issuance. Authenticating the user. This is not a technical issue but a social problem associated with verifying the user’s identity by non-technical means.
(2) Validation. Authenticating the CA. Is the source of the certificate real or itself uncertain?
(3) Revocation. Certificate Revocation Lists. People loose things or move on from job to job. Once issued certificates must be revoked. Keeping track of this as their usage increases is a potentially significant task.
(4) Single Sign-on. Private key management. Using your private key is required to decrypt messages sent to you. Do you keep this key in memory (exposed to potential intruding software) or in something more secure like a “Smart Key Card” that you insert into the computer so it can be read when needed? Yet another item to manage and infrastructure to support.
(5) Password change. Password quality control. We’ve alluded to this already. The best privacy in the world is often protected by a password that is simply too easy.

We should move forward with these promising security infrastructure initiatives, but we cannot lose sight of where their real weaknesses lie. The most secure security systems are often protected by passwords based on the names of our favorite animal. Passwords, like underwear, must be changed often. Making them hard to guess makes them hard to remember, but that’s true for those trying to steal them, as well. When was the last time you changed yours?

REFERENCES

The PKI Page
http://www.pki-page.org/ Last accessed Feb. 25th, 2004.

An Introduction to Public Key Infrastructure http://www.articsoft.com/wp_pki_intro.htm

PKI Applications in Academic Computing
http://ww.cs.dartmouth.edu/~pkilab/acapps.shtml, last modified July 17th, 2001. Last accessed Feb. 27th, 2004.


1In practice usually messages in PKI systems are symmetrically encrypted, that is, a randomly generated key made at the time of sending the message encrypts the content and is itself encrypted with your public key and included in the message. The recipient then decrypts the transient key, which in turn is used to decrypt the message content. This is done because it’s much faster technically to perform than so-called ‘asymmetric encryption’).
2 Table modified from Introduction to Public Key Infrastructure, http://www.articsoft.com/ wp_pki_intro.htm/

Featured