Internet Security Terms and Techniques

spongehousesSecurity

Nov 3, 2013 (3 years and 8 months ago)

87 views

Internet Security Terms and Techniques


U
-
Cubed ‘99


1

1. Introduction

There are technical and other imperatives
leading organisations to use the Internet to carry
data which were once only carried over private
and secure inte
r office links.

At the same time there are increasing legal and
more clearly outlined ethical reasons for
organisations to provide strict security for much of
this information.

The world wide web protocols have been
developed and software created to enabl
e
excellent levels of security. Assuming an
organisation has control over the servers on which
its Intranet is run, then a private certification
authority can be created to provide a basic
authentication service on which much of the
Internet security is bu
ilt.

In this paper, these legal ethical and technical
imperatives are outlined in the next section. The
current trend toward Intranets is outlined in
section 3. In section 4 we briefly outline current
network security measures and some threats to
Intranet
security. Public key cryptography and
X.509 certificates are briefly described in section
5 and followed in section 6 by the options
available to an organisation for the choice of
certification authority.

2. The security imperatives

In this section, we gi
ve some legal, ethical and
technical reasons for improving the security of
information put on and carried over the Internet.

2.1 Privacy

The international context in which Australian
privacy laws were framed sheds some light on the
purpose of these laws. T
he Australian Privacy Act
1989 was passed 10 years after the OECD
guidelines for privacy were accepted.

2.1.1 The OECD guidelines for privacy of
personal data

The Universal Declaration of Human Rights,
Article 12 provides in part:
-

"No one shall be subject
ed to
arbitrary interference with his privacy ...
Everyone has the right to the protection
Internet Security Terms and Techniques


CHRISTOPHER P. AVRAM

Faculty of Information Technology, Monash University, 900 Dandenong Road,

Caulfield East 3145, Vic., Australia


Telephone: +61 3 9903 2196 FAX.: +61 3 9903 1077

E
-
Mail Address: C.Avram@InfoTe
ch.monash.edu.au

ABSTRACT

The evolution from private wide area networks to Intranets, that is, private local area networks
interconnected with public, Internet links, has increased a number of security risks. The Internet is a
loosely managed collection of

cooperating parties. More than in any other computer system, security must
be carefully managed. We discuss the following security issues: security as confidentiality, availability and
integrity; threats; the SSL Internet security protocol; the role of ce
rtification authorities. A strong
recommendation in favour of private C.A.s is made.

Internet Security Terms and Techniques


U
-
Cubed ‘99


2

of law against such interference or
attacks."

Prior to 1980, the OECD foresaw national
privacy regulations could affect international trade
for this and other reason
s, international guide
-
lines
on privacy were developed.

In September 1980 the OECD council



Adopted privacy guide
-
lines



Suggested

"Basic Principles of National
Application"



Recommended

nations should not create
"... in the name of
privacy protection, unjust
ified obstacles of
trans border flows of personal data."

[1]


The 8 privacy principles are:

1.

Collection limitation

-

lawful and open
means to be used;

2.

Data quality

-

only data relevant for the
purpose of collection be collected, it must be
up to date, accur
ate and complete;

3.

Purpose specification

-

the purpose for
collection must be disclosed and the data be
used only for that purpose;

4.

Use limitation

-

third party disclosure of
personal data requires the consent of the
subject of the data, there may be except
ions to
this principle for law enforcement;

5.

Security safeguard

-

data must be protected
against loss, destruction, unauthorised use,
access and modification;

6.

Openness
-

the subject can determine the
whereabouts, use and purpose of personal
data relating to

the subject;

7.

Individual participation

-

the subject can
know data exists, have timely access, know
the reasons for secrecy and challenge the truth
of data about the subject;

8.

Accountability

-

the collector is accountable
for compliance with these principle
s.

2.1.2 Australian Privacy Act 1988

The Australian Privacy Act 1988 created the
Federal Privacy Commission. The Act adopted
the OECD guide
-
lines for Australian Federal
public service bodies.

State rights prevented the acts application to
state governments
.

Perhaps financial and constitutional
considerations also prevented its application to
private enterprise in general. But the need for
privacy against excessive information collection
and cross matching lead to some jurisdiction over
private corporations.

The act extended the reach of the privacy
commissioner to any person or organisation
collecting tax file numbers. At the same time many
organisations were required to collect these
numbers as a normal part of business
operation[2].

Perhaps this was politi
cally possible because
the tax file number provisions were a fall back
from the unacceptable Australia Card proposal.
The tax file number privacy provisions increased
the burden on business and addressed some
privacy concerns.

Credit reporting agencies are

now also
covered by Federal privacy laws.

From time to time, when poor business
practice is revealed, there are calls to extend the
reach of the privacy act.

The OECD Principle number 5, the security
safeguard principle as reflected in the Australian
Pri
vacy Principles give us our legal and some
would say ethical justification for certain security
measures being applied to certain of the data held
by our organisations. In the next subsection, the
OECD guidelines for security will be examined in
order to a
llow us to refine a little further our ideas
on the need for security.

Internet Security Terms and Techniques


U
-
Cubed ‘99


3

2.2 Security

The OECD used the same procedures to
develop Security guide
-
lines.

The Honourable Justice Michael Kirby chaired
both committees while they developed the
guidelines, both th
e privacy group and the security
group.

Its harder to see the why OECD stepped in to
make security guide
-
lines.

Perhaps it is again because EEC was forging
ahead and there was a risk EEC laws may affect
international trade [5].

In the case of privacy, some

European
countries have strict privacy protecting laws, in
order that such laws not be used as protectionist
shields, the OECD guide
-
lines if applied should
give moral force to the argument that such trade
barriers must be removed. In the case of
informat
ion systems security, the law in Europe is
not as well developed as the privacy laws. The
most important of the stated reasons for the
security guidelines is, in my opinion, that with
increased flow of data through ever less secure
networks, there is need
for security guidelines to
better protect privacy.

In any case there are many instances of trans
border computer security related problems,
viruses, theft and data trespass, fraud etc. Reason
enough for an international organisation to get
involved.

2.2.1
The security guide
-
lines

Formulation of the OECD Guidelines for the
security of information systems began in January
1991. The final draft appeared in September
1992 and was adopted by the council of the
OECD in November 1992.[5]

The documentation for the
guidelines is in three
parts:



A rec潭men摡ti潮 批 the C潵ncil 潦 the
OECD that nati潮s esta扬ish measures t漠reflect
the 灲inci灬es c潮cerning the security 潦
inf潲mati潮 systemsⰠ c潮sult 潮 stan摡r摳Ⱐ
摩sseminate the 灲in
ci灬es an搠review them every
㔠5ears;



Gui摥
-
lines f潲 the security 潦 inf潲mati潮
systems which have the 潢oective 潦 灲潴ecting
fr潭 failures 潦 c潮fi摥ntialityⰠ availa扩lity an搠
integrity (CAI) within inf潲mati潮 systems


ensuring⁴hey⁣潮f潲m⁴漠㤠灲inci灬es;



An E灬anat潲y mem潲an摵m am灬ifying
the‹⁰ inci灬es.

The 潢oectives 潦 inf潲mati潮 security are
摥fine搠ds⁢ ing⁴he⁴hree扪ectives⁃AI:



confidentiality

-

only those authorise
d have
access (the threats are theft of data, loss of
privacy; the solutions are closed systems or
cryptographic data protection)

B)

availability

-

access is available as and when
needed (the threats are primarily physical
events like floods and fires; the so
lution is
back
-
up);

C)

integrity

-

information is not modified except
as it should be (the threat is fraud and error the
solution is good authentication of identity and
well designed fault free systems).


The nine security principles set down by the
OECD are:

1

Accountability
-

everyone (owners,
providers, users) is in part responsible, all must
know how much and for what, they must be
accountable for security (CAI);

2

Awareness

-

everyone should know as much
as possible about the security measures in
place;

3

Ethic
s

-

the rights and legitimate interests of
others must be respected;

4

Multi
-
disciplinary

-

technical, administrative,
organisational, operational, commercial,
educational and legal issues must be
considered;

Internet Security Terms and Techniques


U
-
Cubed ‘99


4

5

Proportionality

-

the benefits must match or
exce
ed costs;

6

Integration
-

information systems security
measures should integrate with each other and
the organisations procedures;

7

Timeliness
-

all should respond in a timely
manner to breaches in security;

8

Reassessment
-

measures should be
reassessed period
ically;

9

Democracy

-

security and the systems to
provide it should not infringe on the democratic
aims of free information flow.


2.2.2 Application in Australia

The OECD guidelines on information security
are too new, it may take 9 years again for a
legisla
tive response.

The OECD council recommendation explicitly
takes federal country constitutions into account
and recognises the difficulty they may have so our
states can delay progress again.

The most useful principle, in my opinion, is
number 5, the
propor
tionality principle
. One
can use it to limit the use of technology. Only as
much as is justified by the value of the potential
data loss, need be used.

So much for legal and ethical reasons for
security, the technical reasons follow.

2.3 The Internet and I
ntranet security
needs

There is growing use of the Internet for the
provision of strategic business services. The
Internet was developed for the provision and
dissemination of public information as quickly and
conveniently as possible. It developed as a
r
esearch tool, disseminating academic research.

Electronic Commerce, the provision of a range
of value moving transactions on the Internet means

security (confidentiality and integrity at least) must
be provided on the Internet.

Even if an organisation is n
ot using the Internet
for electronic commerce, the Internet is a very
cheap and convenient global data communication
network [3]. Organisations are replacing private
network links with public network (Internet) links
in some parts of their network. So some

purely
internal business transactions are now moving
over public links.

The third technical issue leading to increased
information security measures is quite technical
and may be ignored on first reading. Replacing
leased lines with their zero marginal co
st of
transmitting an extra bit, with packet switched
public network lines, like those on the Internet,
leads to a reduction in the amount of data
padding, so opening up the opportunity for traffic
flow confidentiality problems in modern networks.

In the
next section we take a closer look at the
trends in corporate networking with greater use
being made of the Internet.

3 The trend in networking

The figure below shows the form of the
network for a large organisation one with two
large offices, each served
by a local area network.

The traffic between these two offices warrants the
organisation purchasing and installing a dedicated
link between the two networks. This link, being
private, can be simply secured preventing eaves
dropping and other types of unaut
horised access.

The organisation shown has some staff who
work in small or home offices (SOHO). Some of
these are directly connected to an office LAN,
others connect to the Internet, then access the
organisation via public lines.

In our sample network, the

organisation
supports inter
-
organisation systems via the
Internet. It also services a number of its clients
directly through the Internet.


Internet Security Terms and Techniques


U
-
Cubed ‘99


5


Figure 1 Internet based client server computing


4. Current security measures and
threa
ts

General information security is too broad to be
considered in this paper. We will focus on two
matters, the confidentiality of data in transit and
the problem of integrity, specifically the
authentication problem. In order to ensure only
authorised peop
le can change the data, we must
know who our users are.

The solution to the authentication problem has
been by passwords. Thus access to data is
restricted to users logged on to the system., when
a user logs on, they must provide a user name and
matching p
assword. The problem of
eavesdroppers collecting passwords has been
addressed in the older networked systems
(Netware and NT both encrypt passwords prior
to moving them on the network). Many newer
WWW based systems and systems like telnet (a
virtual termin
al system) move passwords in clear
form. Passwords have been found to be a
problem if each of many systems want the
password entered. Single password systems with
system provided authentication is difficult to
achieve unless the organisation restricts the
range
of suppliers of server computers systems.

These password systems address only the
problem of servers which need to identify clients.
What of the dual problem, how does a user or
client know that the confidential information being
sent to a server is
in fact being sent to the server
claimed? Password systems don’t required
servers to identify themselves. This identification is
essential in the Internet.

So these are the threats made worse by the
current trend in networking:



Impersonation:



of clients,



o
f servers,



Passive electronic eaves dropping,



Modification of information in transit,



Traffic analysis,



Denial of service.


The problems of traffic analysis and denial of
service in Internet based systems are still open
questions. The other threats will be

addressed in
the next two sections.

5. Public key cryptography and
certificates

There are two technologies available to
address the greater vulnerability posed by the
Internet. These are public key crypto
-
systems [7]
and certificates [4] [10].

Public key
crypto
-
systems are crypto systems,
that is schemes for scrambling messages, such that
the information required to scramble a message,
the public key, can be just that, made public. The
scheme is described in the diagram below. Note
that an organisation whi
shing to receive
confidential information creates a secret key and a
public key. The public key is put in a publicly
accessible directory. A second organisation
sending confidential information to the first, looks
up the public key of the first, encrypts t
he
message using the public key and sends the
cipher
-
text in what may be an insecure channel.
An eavesdropper doesn’t have access to the first
organisations secret key, so can’t de
-
cipher the
message. The intended recipient, the first
organisation, can use

the secret key to decipher
the message.[7] [4]

Internet Security Terms and Techniques


U
-
Cubed ‘99


6



Figure 2 Securing an insecure channel

with a public key system


Public key crypto systems can also be used to
generate digital signatures. The diagram below
depicts such a scheme[7] [4].



Figure 3 Digital signature with

a public key system


In practice, public key systems and more
familiar secret key crypto systems are used
together to achieve confidential communications.
The identity of the corresponding party is assured
by usin
g public key signature systems. This more
complex arrangement is known as an X.509
certificate system. It is named after the
international standard X.509.

Rather than use a public directory to distribute
public keys, organisations can submit a public key
a
nd the name of a computer or server in a
message to a third party called a
certificate
authority
(CA). The certificate authority will
undertake checks to ensure this really is a
message from the organisation and will if satisfied,
sign this message. The ne
w signed message is
called an X.509 certificate.



Figure 4 The issue and use of an

X.509 certificate


In use, this scheme works as follows. An
organisation, often a third party, sets up a
certificate authority (CA) with appropriate
software and rules of

operation. The CA creates a

public key and a certificate (lets call this CA cert).
This CA cert is made widely available, for
example, each copy of the world wide web
viewing program from Netscape includes a
number of such certificates from many
organisat
ions, including AT&T, RSA and even
Netscape. Here in Australia, we might expect
Australia Post and others to set up a CA [10].

An organisation wishing to collect credit card
numbers over the Internet could set up a secure
server, generate a certificate req
uest (a message
with the server name and the servers public key)
and send the request to the CA. The CA will
follow the verification procedures and sign the
certificate request. Then return this signed
message to the server (lets call this a site
certifica
te) [8].

Given the previous two steps occurred some
time in the past. From time to time, if a client
wants to view some information from the secure
server or send some confidential information to
Internet Security Terms and Techniques


U
-
Cubed ‘99


7

the secure server, each time this happens, the
client reques
ts a site certificate from the secure
server, this is sent, the client checks the signature
on the site certificate by using the public key in the
CA cert. If the site certificate is valid, the client
and the secure server agree an a scheme for
secure comm
unication and exchange confidential
information.

The CA is running a business and makes a
charge for its service, checking identity and to
some extent guaranteeing it. Not all organisations
will want to pay for these services, nor trust the
existing CAs. I
n the next section we outline some
options for CAs.

6. Options for certificate authorities

Netscape Navigator Version 4.6 ships with the
following certificate authority certificates installed:



VeriSign Class 4 Primary CA,



Bellsign CA,



Thawte Consulting, Ca
pe Town,



VeriSign Class 3 Primary CA,



GTE CyberTrust Root CA,



RSA Secure Server CA,



UPS,



and others.


From this list you will see that some
organisation run more than one CA, each with a
different level of trust [8]. Each of the CAs listed
above maintains
a page on the web listing details
of the service provided. Typical costs are
$US350
-

$US1,300 per annum per server [9].
The CA will maintain what is known as the

Certificate Revocation List

(CRL). This
ongoing operating cost may lead some
organisation to
use commercial services.

Though we have focused on server certificates,
the world wide web security protocol SSL, also
supports client certificates. These replace user
names and passwords as identification systems.
The CAs provide client certificates for a
bout
$US15 per annum per person [9].

Public key systems can be used to secure
email and telnet services too.

Thus organisation may choose to create private

CAs. There is CA software available from:



Netscape,[6]



X509.com,[10]



Microsoft,



and others.


With a
private CA, the organisation chooses
the level of proof of identity appropriate and may
be able to better control costs.

The task of operating CRL may, in a large
organisation, be onerous. In a small organisation
or one that only uses server site certific
ates, the
task of operating a CA can be a minor part of the
whole network management task.

Internet Security Terms and Techniques


U
-
Cubed ‘99


8

7. Recommendations

If an organisation plans to use the Internet for
more than the distribution of public information,
for example:



selling,



collecting monetary va
lue from credit and debit
cards



collecting personal information,



customer confidential communications,

Then the confidentiality of the information
transferred and the identity of the servers
collecting this information must be protected using
secure serve
rs with site certificates. Organisations
running such servers should consider running a
private certificate authority.

8. References

[1]....
Information privacy principles
, The office
of the Australian Government Privacy
Commissioner; pp 1
-
6.


[2] Caelli, W
. J.; et al (1989)

Implications of the
tax file number legislation for computer
professionals

in The Australian Computer Journal
Volume 22 Number 1 February 1990 pp 11
-
20.


[3] Cronin, Mary J. (1996)
Global advantage in
the Internet : from corporate connec
tivity to
international competitiveness
, Van Nostrand
Reinhold.



[4] Kaufman, Charlie, Perlman, Radia and
Speciner, Mike (1995)
Network security :
private communication in a public world
,
Prentice Hall PTR.


[5] Kirby, M. K.; (1992
) OECD guidelines for
th
e security of computer stored & transmitted
information

in Information Security Management
Conference AIC Conferences December 1992,
Sydney.


[6] Netscape Communications Corporation
(1996)
Server Central Product Platforms

at
URL http://home.netscape.com/co
mprod/
server_central/product/pricing/index.html
accessed August 27, 1999 see the table for
NETSCAPE CERTIFICATE SERVER.


[7] Salomaa, Arto (1990)
Public
-
Key
Cryptography
, Springer
-
Verlag, EATCS
Monographs on Theoretical Computer Science
Volume 23.


[8] Ve
riSign (1999)
VeriSign, Inc.
at URL
http://www. verisign.com/ accessed August 27,
1999.


[9] VeriSign (1996)
Secure Server Digital ID
Prices

at URL http://www.verisign.com
/server/prod/compare.html accessed August 27,
1999. See also [8].


[10] Xcert Softwa
re Inc. (1996)
Welcome to
-

Xcert Software Inc
. at URL http://www.
x509.com/ accessed August 27, 1999.