AERONAUTICAL INFORMATION SERVICES TO AERONAUTICAL INFORMATION MANAGEMENT STUDY GROUP (AIS-AIM SG)

wanderooswarrenΤεχνίτη Νοημοσύνη και Ρομποτική

21 Νοε 2013 (πριν από 3 χρόνια και 8 μήνες)

70 εμφανίσεις



AERONAUTICAL INFORMATION SERVICES TO AERONAUTICAL
INFORMATION MANAGEMENT STUDY GROUP (AIS
-
AIM

SG)


7th

MEETING



Montréal
,
14
-
17 January

2013



Agenda Item

3:


AIM processes and requirements



FUTURE INFORMATION SECURITY NEEDS AND CONSIDERATIONS



Presented by Jan
-
Philipp Lauer

(R
apporteur Kelly Ann Hicks
-
Tindale)



SUMMARY

This
study note proposes a
n ICAO operated Public Key Infrastructure
in
support of aeronautical in
formation exchanges. Further, the paper introduces
Trusted Computing as an emerging trend that needs to be duly considered by
the aviation stakeholders
.


1.

INTRODUCTION

1.1

Current regulations (e.g. ICAO Annex 15, European EC IR 73/2010) require digital
aeronautical data to be protected by the inclusion of a 32
-
bit cyclic redundancy check (CRC32) to
ensure their integrity.
CRCs are specifically designed to protect against com
mon types of errors on
communication channels, where they can provide quick and reasonable assurance of the integrity of
messages delivered. However, they are not suitable for protecting against intentional alteration of
data.
EC IR 73/
20
10 (ADQ 1) inter a
lia aims to address common issues of information security,
namely:



A
uthenticity
;



N
on
-
repudiation
;



I
ntegrity
;



and
C
onfidentiality.

Authenticity/non
-
repudiation means that only authorized users can send their data and that all
transactions are logged to ensu
re traceability. Integrity means that data
is

not modified accidentally or
deliberately with malicious intentions. Lastly, confidentiality is a technical concept that ensures only
authorized users can submit or get access to data. The
se

requirements cannot

be met solely
by
using
CRCs
.



AIS
-
AIM SG/7
-
SN 4

09/01
/2013



AIS
-
AIM SG/7
-
SN/4


-

2
-

1.2

How to meet these additional information security requirements



Data integrity can be ensured by using a combination of CRC plus a digital signature. This not
only protects data from transmission errors but also from deliberate

modifications.



Traceability and non
-
repudiation requirements can also be met by using digital signatures to log
every change to a data item. This leads to a change log
attached to each

data item that adds
a
metadata wrappe
r

encapsulating the actual data i
tem, whereas a new layer is added (like a
matryoshka doll) whenever a piece of data is manipulated.



Appropriate levels of confidentiality can be achieved through data encryption.



Last but not least authenticity can be verified through digital signatures an
d authentication of the
system and/or user.

Different protection level requirements can be accommodated by using these technologies.

1.3

What IT security infrastructure is needed to meet these requirements?

An information technology infrastructure to enable
encryption
and
digital signatures
to ensure
integrity, authenticity, confidentiality, back
-
traceability and non
-
repudiation for internal and
external data communication is required. This infrastructure needs to be highly
interoperable
to
enable secure data

exchanges between all aviation stakeholders.

2.

PROPOSITION

2.1

State of the art technology uses
asymmetric cryptographic techniques
to address all
the requirements outlined. Figures 1
-
3 outline how this technology works.


Figure 1 Overview of asymmetric
cryptographic techniques

AIS
-
AIM SG/7
-
SN/4



-

3
-


Figure 2 State of the art processes: Signing and encrypting data for transmission


Figure 3 State of the art processes: Decryption and verification of data after transmission

2.2

Using digital signatures to make changes traceable an
d unforgeable

The aeronautical data payload will be digitally signed upon creation and at each modification
performed on it. These digital signatures ensure the authenticity of the data originator as well as back
-
traceability and non
-
repudiation. Such digi
tal signatures will be stored in the metadata section. These
signatures are created and used independently of digital signatures used for transmission protection
(encryption and authentication). Further, such signatures have to be retained throughout the e
ntire data
management process and data lifecycle for auditing purposes (see Figure 4
-

overleaf).

AIS
-
AIM SG/7
-
SN/4


-

4
-


Figure 4 Using digital signatures to make changes traceable and unforgeable

2.3

Example Public Key Infrastructure

To enable this technology, a Public Key Infras
tructure (PKI) is needed. A PKI creates a hierarchy of
trust starting with a root certification authority that issues digital certificates and branches out into a

number of subordinate certification authorities plus a directory service. This directory ser
vice allows
access to public keys (as part of a digital certificate) and the revocation of keys

(through certificate
revocation lists)
. An example implementation on a regional level is illustrated in Figure 5.


Figure 5 Example regional implementation

However,

due to the hierarchical architecture of this technology

a global top level certification
authority

(root certification authority) is needed for implementation. ICAO already operates a Public
Key Infrastructure (called ICAO PKD) in support of machi
ne readable travel documents.

2.4

ICAO Public Key Directory (PKD)

The
ICAO PKD implements a global broker system for the validation of electronic machine readable
travel documents (eMRTDs, e.g. ePassports) at national border control offices
.
This is technicall
y
achieved via the exchange of PKI certificates and certificate revocation lists, establishing a chain of
trust
.
PKI participants are governmental institutions/public authorities of participating States or “any
other entities issuing or intending to issue
electronic machine readable travel documents (eMRTDs)”
.
AIS
-
AIM SG/7
-
SN/4



-

5
-

The c
urrent services and interfaces are
specifically designed for the purpose of ePassport validation
.

Figure 6 illustrates the ICAO PKD.


Figure 6 ICAO PKD (source:
A Primer on the ICAO PKD
)

The ICAO
PKD operates under the authority of the

Memorandum of Understanding
(MoU)
Regarding Participation and Cost Sharing in the Electronic Machine Readable Travel Documents
ICAO
Public Key Directory”.

It is governed by the ICAO PKD Board. Amendments to the PKD have
to undergo a „proposed amendment“ process and have to be approved by the ICAO Council. Payment
of a one time registration fee (USD 56,000) and an annual fee (USD 13,600

in 2012)
is

required
. The
ICAO
PKD is hosted in Singapore by a commercial PKI provider (
Netrust
)
.

Leveraging the current ICAO PKD for securing aeronautical data e
xchanges would at least require the
p
articipation of

all ANSPs and appropriate other stakeholders in the PKD via appropria
te
governmental institutions. Further,
ICAO
would need
to provide a dedicated infrastructure similar to
the
PKD
it already operates specifically
for aeronautical data exchange purposes

b
ecause several
stakeholders have voiced concerns over such critical infrastructure being provided by a commercial
company.

3.

EMERGING TREND: TRUS
TED COMPUTING

3.1

Another important aspect to consider in respect to information security for
aeronautical data excha
nges is Trusted Computing.
Many Governments have recognized that
software
-
based security measures need to be augmented by
hardware
-
based measures. They
have
developed standards around smart cards and hardware tokens for authentication and other key securit
y
functions w
ithin government networks.
As a result, Governments
are increasingly specifying
hardware
-
based security requirements in their procurement
practices. For example,
branches of the

United States Government

(e.g. the
Department of Defense
) require new computer hardware to be
equipped with a
Trusted Platform Module

(TPM)
.
This trend to
specify
hardware
-
based
data
protection and network access control solutions

is also taken up by other governments. A recent
whitepaper on the subject by the German Government is contained in Appendix A.

3.2

Such hardware
-
based security mechanisms do not replace a Public Key Infrastructure,
but merely augment it by providing increased

security on the platform level
, e.g. providing a more
AIS
-
AIM SG/7
-
SN/4


-

6
-

secure data storage capability
. Standards for such hardware
-
based security mechanisms are developed
particularly through the Trusted Computing Group (TCG). The
TCG works within the international
standa
rds community and has liaison and working group relationships with the Internet Engineering
Task Force (IETF) and the JTC1
J
oint
C
ommittee of the International Organization for
Standardization (ISO) and the International Electrotechnical Commission (IEC).
The Trusted Platform
Module

is defined by an
ISO/IEC international standard
.

However, d
ue to legal restrictions T
rusted
P
latform
M
odule
s may not be deplo
yed in a number of
countries. Possible reasons for these legal restrictions include t
he fact that S
tate security services may
not be able to access data or keys secured with a TPM

(
source
)
:

China
,
Russia
, Belarus, Kazakhstan.
This trend will have to be closely monitored to identify a common global way forward in the
exchange of aeronautical data.

4.

ACTION BY THE AIS
-
AIM

SG

4.1

The AIS
-
AIM
/
SG is invited to:

a)

Consider the need for increased
information security provisions to enable secure
aeronautical data exchanges
;

b)

Discuss the need for ICAO to set up a dedicated Public Key Infrastructure in
support of aeronautical information exchanges
; and

c)

Consider the Trusted Computing trend and evaluate
its consequences for future
aeronautical information exchanges
.


















AIS
-
AIM SG/7
-
SN/4



-

7
-

APPENDIX A


German Federal Government
White Paper on Trusted Computing and Secure Boot


August 2012



1. Definitions

The Federal Government understands "trusted computing" to mean the architectures,
implementations, systems and infrastructures which use or are based on the standards of the Tr
usted
Computing Group (TCG). This includes "secure boot" and additional functions in the Unified
Extensible Firmware Interface (UEFI) standard of the Unified EFI forum which builds on the TCG
standards or closely related technologies. To avoid misunderstan
ding, more general use of the term
"trusted computing" will always be noted.


2. Increasing IT security

The Federal Government supports raising the level of IT security on IT platforms of industry, public
administration and private users by introducing
trusted computing solutions based on TCG standards
that meet the criteria listed in this White Paper.


3. Complete control by device owners

Device owners must be in complete control of (able to manage and monitor) all the trusted computing
security systems

of their devices. As part of exercising control over their devices, device owners must
be able to decide how much of this control to delegate to their users or administrators. Delegating this
control to third parties (to the device manufacturer or to hard
-

or software components of the device)
requires conscious and informed consent by the device owner (i.e., also with full awareness of
possible limits on availability due to measures taken by the third party to whom control options were
delegated).


4. Fre
edom to decide

When devices are delivered, trusted computing security systems must be deactivated (opt
-
in
principle). Based on the necessary transparency with regard to technical features and content of
trusted computing solutions, device owners must be ab
le to make responsible decisions when it comes
to product selection, start
-
up, configuration, operation and shut
-
down. Deactivation must also be
possible later (opt
-
out function) and must not have any negative impact on the functioning of hard
-

and softwar
e that does not use trusted computing functions.


5. Public administration, national and public security interests

Because trusted computing security systems are widely used in the private
-
law mass market, public
administration can and should be able to be
nefit from the availability of cost
-
effective solutions as
well. However, the operation and availability of devices in public administration and in the field of
national and public security require the owner's sole control over the trusted computing securi
ty
systems on the devices used by the owner. Due to public and national security interests, under no
circumstances may the owner be forced to give up control, even partial control, over a trusted
computing security system to other third parties outside the

public administration's sphere of
influence.


AIS
-
AIM SG/7
-
SN/4


-

8
-

6. Private use

The Federal Government explicitly calls on makers of trusted computing devices and components
(both hard
-

and software) to offer devices and components also to private users which allow owners
complete control over the trusted computing security system at all times.


7. Availability of standards

All applicable standards for trusted computing must be available in full to everyone, members of TCG
and non
-
members alike, at all times. Any secondary
TCG documents which explain, specify or
delimit must also be freely available to all interested parties.


8. Open standards

Everyone, whether members of TCG or not, must be in a position to fully use all trusted computing
standards for implementation in ar
chitectures, implementations, systems and infrastructures. No
licensing fees (e.g. based on patent rights) may be charged for using the standards.


9. Freedom of Research

Trusted computing standards should be designed not to create barriers to academic res
earch on trusted
computing
-
based solutions and their interaction with alternatives. Ways to restore defined previous
settings should be provided. The Federal Government supports independent academic research on the
technology of trusted computing and its e
ffects.


10. Interoperability

When creating secure platforms, the interoperable use of trusted computing solutions with alternative
approaches must be a priority at all times and should be implemented wherever it does not interfere
with the specific purpos
e of the device. In addition, the same types of trusted computing applications
should be interoperable. For use in the federal administration, trusted computing products must be
interoperable with other solutions based on trusted computing and with alterna
tive solutions.


11. Transparency

All standards, solutions and their development in the field of trusted computing are to be transparent
with regard to their actual purpose, their functional features and the encryption technologies used. The
required
transparency means that only completely documented functions and no hidden processes will
be carried out. Transparency refers not only to documentation, but also to explaining the technologies
used and their effects to owners and users in language they can

understand.


12. Certification

Every trusted computing solution based on TCG standards should be transparent, understandable and
certifiable for various security levels. As a basic component, the Trusted Platform Module (TPM)
must have at least one certif
ication under the Common Criteria EAL4+ ("resistant against moderate
attack potential"). Certification may not lead to the exclusion of businesses, academic research or
solutions under free licences if these solutions can be examined in the necessary depth
.


13. National IT industry

In the Federal Government's view, trusted computing technology affects both national security
interests and the competitiveness of the German IT security industry. The Federal Government
therefore calls for fair, transparent and

non
-
discriminatory competition between all IT security
companies and calls on German industry to offer products based on the TCG standards that meet the
criteria given in this White Paper.


14. Ensuring IT security

The Federal Government believes that tru
sted computing can greatly help achieve the IT security
objectives of confidentiality, integrity, availability and authenticity. Every trusted computing solution
is to be checked for compliance with the required security objectives. In particular, availabi
lity must
not be subject to external control, and confidentiality must not be compromised by insufficient
authority over own keys. In the interest of the transparency needed to evaluate IT security, it is in any
case important that there are no undocumente
d functions and that other hardware components or
AIS
-
AIM SG/7
-
SN/4



-

9
-

functions cannot influence the functioning of TPMs. For use in security
-
critical networks in particular
(e.g. in public administration), only certified TPMs may be used. In the Federal Government's view,
th
is criterion is currently met only by discrete TPMs.


15. Availability of critical infrastructures

Trusted computing solutions for operators of critical infrastructures must be used in a way that does
not result in any additional risks to critical processe
s, especially with regard to the security objective
of availability. It must be possible to restore infrastructure rapidly without impediment and flexibly,
even in case of crisis or disaster.


16. Protection of digital content

In line with the requirements

of this White Paper, the Federal Government regards the long
-
term
protection of stored, processed and transmitted digital content for all as a key function of trusted
computing. TC
-
based mechanisms should not restrict or alter the general legal and social

conditions
for using such digital content.


17. Data protection

The protection of personal data is an important prerequisite for increasing IT security. For this reason,
when developing and running trusted computing applications, the principles of data p
rotection must
be upheld (privacy by design) and may take priority over economic interests in the context of a
constitutional
-
law weighing of interests.


18. Standardization

Standardization is crucial to the widespread use of trusted computing technology
and is primarily the
responsibility of the companies involved. The Federal Government is also involved in designing the
standardization process and is watching to make sure that businesses, research institutions and interest
groups in Germany have fair, op
en, appropriate and non
-
discriminatory access to the drafting of
standards. The participation of German organizations is being supported.


19. International cooperation

In this age of globalization, especially with regard to information and communications

technology,
"going it alone" at national level has little chance of success. For this reason, the Federal Government
calls on businesses and organizations in Germany to become involved in trusted computing projects
and in the TCG in particular. In additio
n, the Federal Government is actively working at international
level with government and non
-
governmental organizations on issues of trusted computing, in
particular to see that the requirements for the trusted computing strategy defined in this White Pape
r
are met. The Federal Government also serves as an advocate in the TCG and other trusted computing
projects and initiatives for the public sector's special IT security needs.




END