Cooper, J.A., Goldreich, O. "Computer Security and Cryptography." The Electrical Engineering Handbook. Ed. Richard C. Dorf. Boca Raton: CRC Press LLC, 2000.
© 2000 by CRC Press LLC

97 Computer Security and Cryptography

97.1 Computer and Communications Security
Physical Security • Cryptology • Software Security • Hardware Security • Network Security • Personnel Security

97.2 Fundamentals of Cryptography
Central Paradigms • Pseudorandomness • Zero-Knowledge • Encryption • Signatures • Cryptographic Protocols

97.1 Computer and Communications Security
J. Arlin Cooper

Computer security is protection of computing assets and computer network communication assets against abuse, unauthorized use, unavailability through intentional or unintentional actions, and protection against undesired information disclosure, alteration, or misinformation. In today's environment, the subject encompasses computers ranging from supercomputers to microprocessor-based controllers and microcomputers, software, peripheral equipment (including terminals, printers), communication media (e.g., cables, antennas, satellites), people who use computers or control computer operations, and networks (some of global extent) that interconnect computers, terminals, and other peripherals. Widespread publicity about computer crimes (losses estimated at between $300 million and $500 billion per year), hacker (cracker) penetrations, and viruses has given computer security a high profile in the public eye [Hafner and Markoff, 1991]. The same sorts of technologies that have made computers and computer network communications essential tools for information and control in almost all businesses and organizations have provided new opportunities for adversaries and for accidents or natural occurrences to interfere with crucial functions. Some of the important aspects are industrial/national espionage, loss of functional integrity (e.g., in air traffic control, monetary transfer, and national defense systems), and violation of society's desires (e.g., compromise of privacy).
J. Arlin Cooper, Sandia National Laboratories
Oded Goldreich, Weizmann Institute of Science

The emergence of World Wide Web access to the Internet has been accompanied by recent focus on financial transaction vulnerabilities, cryptosystem weaknesses, and privacy issues. Fortunately, technological developments also make a variety of controls (proactive and follow-up) available for computer security. These include personal transaction devices (e.g., smart cards and tokens), biometric verifiers, port protection devices, encryption, authentication, and digital signature techniques using symmetrical (single-key) or asymmetrical (public-key) approaches, automated auditing, formal evaluation of security features and security products, and decision support through comprehensive system analysis techniques. Although the available technology is sophisticated and effective, no computer security protective measures are perfect, so the goal of prevention (security assurance) is almost always accompanied by detection (early discovery of security penetration) and penalty (denial of goal, e.g., information destruction; or response, e.g., prosecution and punishment) approaches. The information in this section is intended to survey the major contemporary computer security threats, vulnerabilities, and controls. A general overview of the security environment is shown in Fig. 97.1. The oval in the figure contains an indication of some of the crucial concentrations of resources that exist in many facilities, including digital representations of money; representations of information about operations, designs, software, and
people; hardware for carrying out (or peripheral to) computing and communications; people involved in operating the facility; utility connections (e.g., power); and interconnection paths to outside terminals and users, including hard-wired connections, modems for computer (and FAX) communication over telephone lines, and electromagnetic links (e.g., to satellite links, to ground antenna links, and to aircraft, spacecraft, and missiles). Each of these points of termination is also likely to incorporate computer (or controller) processing. Other factors implied include the threats of fire, water damage, loss of climate control, electrical disturbances (e.g., due to lightning or power loss), line taps or TEMPEST emanations interception, probes through known or unknown dial-up connections, unauthorized physical entry, unauthorized actions by authorized personnel, and delivery through ordinary channels (e.g., mail) of information (possibly misinformation) and software (possibly containing embedded threat programs). Also indicated is guidance for personnel about acceptable and unacceptable actions through policy and regulations. The subject breadth can be surveyed by categorizing into physical security, cryptology techniques, software security, hardware security, network security, and personnel security (including legal and ethical issues). Because of the wide variety of threats, vulnerabilities, and assets, selections of controls and performance assessment typically are guided by security-specific decision-support analyses, including risk analysis and probabilistic risk assessment (PRA).

Physical Security

Physical access security ranges from facility access control (usually through personal identification or authentication) to access (or antitheft) control for individual items (e.g., diskettes and personal computers).
Techniques used generally center around intrusion prevention (or invoking a significant time delay for an adversary) and intrusion detection, which allows a response through security guard, legal or administrative action, or automatic devaluation of the penetration goal (e.g., through information destruction) [Cooper, 1989].

FIGURE 97.1 An overview of the computer and communications security environment.

Physical environmental security protects against natural threats, such as power anomalies or failures, water damage, fire, earthquake, and lightning damage, among others. An example suited to computer requirements
is Halon fire suppression (although Halon use is now being replaced because of environmental concern). Note that some of the natural threats can also be adversary-caused. Since there is potential (in spite of protection) for a loss, contingency planning is essential. This includes provisions for software backup (usually off-site), hardware backup (e.g., using reciprocal agreements, hot sites, or cold sites [Cooper, 1989]), and disaster recovery, guided by a structured team that has prepared through tests (most typically simulated).

An example of power protection technology is the widely used uninterruptible power system (UPS). An online UPS implementation is shown in Fig. 97.2. Utility power is shown passed through a switch to a rectifier and gated to an inverter. The inverter is connected to the critical load to be protected. In parallel, continuous charge for a battery bank is provided. Upon loss of utility power, the battery bank continues to run the inverter, thereby furnishing power until graceful shutdown or switching to an auxiliary engine generator can be accomplished. The switch at the lower right protects the UPS by disconnecting it from the load in case of a potentially catastrophic (e.g., short) condition.

Cryptology

Cryptology includes techniques for securely hiding information (encrypting) from all but intended recipients, for authenticating messages, and for digital signatures, all through the use of ciphers (cryptosystems) [Simmons, 1992]. It also includes techniques for deducing at least a subset of encrypted information (cryptanalysis) without the privileged knowledge possessed by the intended recipients. Cryptanalysis knowledge is an important asset in the development of cryptosystems. An example of a contemporary measure of cryptanalysis resistance is computational complexity, which can be applied to measure the inherent difficulty of numeric cryptanalysis processing for some cryptosystems.
FIGURE 97.2 Uninterruptible power system.

Figure 97.3 shows the main components of cryptology. The information to be protected is called plaintext (cleartext), and protected information is called ciphertext. Adversaries can passively obtain ciphertext, or they might actively interrupt the communication link and attempt to spoof the information recipient. Some of the objectives of encryption are secrecy, authentication (assurance to recipient of sender identity), and digital signatures (authentication plus assurance to the sender and to any third parties that the recipient could not have created the signature). As in physical security, assurance of integrity means preventing interference in the information-conveying process or, failing that, detecting interference. Here, interference may have the aims of eavesdropping, modifying, introducing misinformation, disavowing messages, and falsely claiming receipt of messages. Almost all cryptosystems involve transformations (frequently made public and almost always assumed to be known by adversaries) of information based on one or more keys (see Fig. 97.3), at least one of which must be kept secret to protect against adversaries. A single-key (symmetric) cryptosystem has only one secret key,
which is used to encrypt information by the sender and to decrypt information by the recipient. A prior secure process is necessary so that both sender and recipient know (and no adversary knows) the key. The most well-known and most widely used single-key cryptosystem in history is the Data Encryption Standard (DES), published by the U.S. National Bureau of Standards [1977] (now the National Institute of Standards and Technology, NIST), with National Security Agency (NSA) consultation. DES utilizes a 56-bit key (some weak and semi-weak keys are excluded) to encipher information in blocks of 64 bits. It involves substitution and permutation, linear and nonlinear transformations, and 16 successive "rounds" of key-dependent processing (general indication of logic shown in Fig. 97.4). The DES cryptosystem is identical for encryption and decryption, except that the order of application of the 16 key extractions is reversed. Like most cryptosystems of this type, DES is usually used with some form of chaining (mixing ciphertext or information that produces ciphertext from one block with plaintext or information that produces ciphertext in the subsequent block at the transmitter, and then inverting the process at the receiver). Three chaining techniques specified for DES (and usable in most other cryptosystems) are indicated in Fig. 97.5, along with the basic electronic codebook block form. The k bits shown are typically eight bits, and these are shifted into the first k positions of a shift-register/buffer after each encryption. Coordinated time stamps or initial values (IVs) are used to prevent identical transformation for each system start.

FIGURE 97.3 Basic cryptosystem functions.

FIGURE 97.4 Basic function of the DES algorithm.
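A toy Feistel cipher with the structure the text attributes to DES (64-bit block split into two 32-bit halves, 16 rounds, 48-bit round keys drawn from a 56-bit key) together with the four Fig. 97.5 modes (electronic codebook, cipher block chaining, and 8-bit cipher feedback and output feedback with a shift register), as an added example that is not part of the handbook. The round function and key schedule are hash-based stand-ins for the DES S-boxes and key extractions, and the key, IV and plaintext are constructed; the point shown is that decryption is the same network with the round keys reversed, and that ECB exposes repeated plaintext blocks while chaining hides them.

```python
import hashlib
import struct

ROUNDS = 16  # DES also uses 16 key-dependent rounds


def round_keys(key56: bytes) -> list:
    """Derive 16 round keys (48 bits each) from a 7-byte (56-bit) key.
    Toy stand-in for the DES key schedule: a hash of (key, round index)."""
    if len(key56) != 7:
        raise ValueError("key must be 56 bits (7 bytes)")
    return [hashlib.sha256(key56 + bytes([i])).digest()[:6] for i in range(ROUNDS)]


def round_function(half: int, rk: bytes) -> int:
    """Toy f-function mixing a 32-bit half with a 48-bit round key
    (DES does this with expansion, eight S-boxes and a permutation)."""
    digest = hashlib.sha256(struct.pack(">I", half) + rk).digest()
    return struct.unpack(">I", digest[:4])[0]


def feistel(block: bytes, rks: list) -> bytes:
    """16 Feistel rounds over a 64-bit block split into two 32-bit halves."""
    left, right = struct.unpack(">II", block)
    for rk in rks:
        left, right = right, left ^ round_function(right, rk)
    # The halves are swapped back at the end, so the same network inverts
    # itself once the round keys are applied in the opposite order.
    return struct.pack(">II", right, left)


def encrypt_block(block: bytes, key56: bytes) -> bytes:
    return feistel(block, round_keys(key56))


def decrypt_block(block: bytes, key56: bytes) -> bytes:
    # Decryption is the identical network with the key extractions reversed.
    return feistel(block, round_keys(key56)[::-1])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ecb_encrypt(data: bytes, key56: bytes) -> bytes:
    """Electronic codebook: every 64-bit block is enciphered independently,
    so equal plaintext blocks produce equal ciphertext blocks."""
    return b"".join(encrypt_block(data[i:i + 8], key56)
                    for i in range(0, len(data), 8))


def cbc_encrypt(data: bytes, key56: bytes, iv: bytes) -> bytes:
    """Cipher block chaining: each plaintext block is XORed with the
    previous ciphertext block (the IV for the first one) before encryption."""
    out, prev = [], iv
    for i in range(0, len(data), 8):
        prev = encrypt_block(xor(data[i:i + 8], prev), key56)
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(data: bytes, key56: bytes, iv: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(data), 8):
        block = data[i:i + 8]
        out.append(xor(decrypt_block(block, key56), prev))
        prev = block
    return b"".join(out)


def feedback_mode(data: bytes, key56: bytes, iv: bytes, mode: str,
                  decrypt: bool = False) -> bytes:
    """k-bit cipher feedback and output feedback modes with k = 8.
    A 64-bit shift register (seeded with the IV) is enciphered, its leftmost
    8 bits are XORed with one plaintext byte, and 8 bits are then shifted
    into the register: the ciphertext byte for CFB, the cipher output for OFB."""
    register, out = iv, bytearray()
    for byte in data:
        stream = encrypt_block(register, key56)[0]
        result = byte ^ stream
        out.append(result)
        if mode == "CFB":
            feedback = byte if decrypt else result  # ciphertext byte fed back
        elif mode == "OFB":
            feedback = stream                       # cipher output fed back
        else:
            raise ValueError("mode must be CFB or OFB")
        register = register[1:] + bytes([feedback])  # shift 8 bits in
    return bytes(out)


# Constructed sample key, IV and a plaintext made of two identical blocks.
KEY = bytes.fromhex("0123456789abcd")
IV = bytes.fromhex("fedcba9876543210")
PLAINTEXT = b"ABCDEFGH" * 2


def ecb_leaks_repeated_blocks() -> bool:
    """True when ECB reveals that the two plaintext blocks are equal while
    CBC hides it; this is why chaining is normally used."""
    ecb = ecb_encrypt(PLAINTEXT, KEY)
    cbc = cbc_encrypt(PLAINTEXT, KEY, IV)
    return ecb[:8] == ecb[8:] and cbc[:8] != cbc[8:]
```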
Although the DES key length was acceptable to most users when the standard was released in 1977, increases in computing power have made exhaustive search less expensive, so the relative security of DES has decreased. NSA now supports some of its own secret algorithms as DES replacements ("COMSEC Commercial Endorsement Program, Type II" devices), although NIST support for DES continues and no algorithmic weaknesses in DES have been publicly revealed.

Public-key cryptosystems [Diffie and Hellman, 1976] use two different keys (asymmetric systems). For example, information can be encrypted with one key and decrypted with a different (but related through a secure process) key. If the aim is secrecy, the decryption key must be secret so only the recipient can decrypt. In this case, however, the encryption key can be publicly known and known to be associated with a particular potential recipient. Although the sender can be assured of information secrecy in this process, the recipient cannot be assured of sender authenticity. If the secret key of a pair of keys is used by a sender to encrypt, any recipient who knows the sender's public key can be assured of sender authenticity, but there is no assurance of secrecy. If the public-key cryptosystem has commutative transformations (as does the RSA cryptosystem), encryption with the sender's secret key and with the recipient's public key for encipherment, and decryption by the recipient with his or her secret key and with the sender's public key provides both secrecy and authenticity. RSA (named after Rivest, Shamir, and Adleman) is the most well known and most widely used public-key cryptosystem. Unlike DES, the key length of RSA encryption is user-selectable. However, the length chosen must be securely long (long enough that knowledge of the public key is not helpful in determining the secret key).
FIGURE 97.5 Modes of use for block cryptosystems.

Key selection begins with the choice of two prime numbers, each of which can be approximately 150 decimal digits long, giving about a 300-digit number on which the RSA encryption is based [Eq. (97.1)]. The security of the system depends on the difficulty of factoring large numbers that have no relatively small factors. Equation (97.2) shows how a secret modulus is determined, and Eq. (97.3) shows how the modulus is used to relate the secret key and the public key. Equation (97.4) gives the RSA encryption process, and Eq. (97.5) gives the RSA decryption process. An adversary who could factor n could use Eq. (97.2) to determine the modulus, φ, and then the secret key, d, from Eq. (97.3), given the public key, e.

n = pq  (97.1)

φ = (p – 1)(q – 1)  (97.2)

ed = 1 (mod φ)  (97.3)
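Equations (97.1) to (97.5) carried through on constructed toy primes, as an added example that is not from the handbook: key generation, encryption and decryption, the commutative sign-then-encrypt use of two key pairs described in the preceding paragraph, and the route to d open to anyone who can factor n. The `modinv` routine, the toy primes and the sign/encrypt helper names are this example's own choices; real keys use primes of about 150 decimal digits, for which the trial division shown here is hopeless, and that infeasibility is the whole security argument.

```python
import math


def modinv(a: int, m: int) -> int:
    """Return d with a*d = 1 (mod m) via the extended Euclidean algorithm."""
    r0, r1, t0, t1 = m, a % m, 0, 1
    while r1:
        quot = r0 // r1
        r0, r1 = r1, r0 - quot * r1
        t0, t1 = t1, t0 - quot * t1
    if r0 != 1:
        raise ValueError("a has no inverse modulo m")
    return t0 % m


def rsa_keygen(p: int, q: int, e: int) -> tuple:
    """Eqs. (97.1)-(97.3): n = pq, φ = (p-1)(q-1), and d with ed = 1 (mod φ).
    Returns ((n, e), d): the public key and the secret key."""
    n = p * q                      # (97.1)
    phi = (p - 1) * (q - 1)        # (97.2), the secret modulus
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to φ for d to exist")
    d = modinv(e, phi)             # (97.3)
    return (n, e), d


def rsa_encrypt(m: int, public_key: tuple) -> int:
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)            # (97.4): C = M^e (mod n)


def rsa_decrypt(c: int, n: int, d: int) -> int:
    return pow(c, d, n)            # (97.5): M = C^d (mod n)


def sign_then_encrypt(m: int, sender_secret: tuple, recipient_public: tuple) -> int:
    """Commutative use from the text: transform with the sender's secret key
    (authenticity), then with the recipient's public key (secrecy).
    Textbook RSA only; the sender's modulus must be smaller than the
    recipient's so the intermediate value fits under the second modulus."""
    n_a, d_a = sender_secret
    s = pow(m, d_a, n_a)
    return rsa_encrypt(s, recipient_public)


def decrypt_then_verify(c: int, recipient_secret: tuple, sender_public: tuple) -> int:
    n_b, d_b = recipient_secret
    s = rsa_decrypt(c, n_b, d_b)
    n_a, e_a = sender_public
    return pow(s, e_a, n_a)


def secret_key_from_factoring(n: int, e: int) -> int:
    """The adversary's route stated with Eqs. (97.2)-(97.3): whoever factors n
    recovers φ and hence d. Trial division only works for a toy modulus."""
    p = next(k for k in range(2, math.isqrt(n) + 1) if n % k == 0)
    q = n // p
    return modinv(e, (p - 1) * (q - 1))


# Constructed toy parameters (real keys use primes of ~150 decimal digits).
SENDER_PUBLIC, SENDER_D = rsa_keygen(61, 53, 17)        # n = 3233
RECIPIENT_PUBLIC, RECIPIENT_D = rsa_keygen(89, 97, 17)  # n = 8633 > 3233


def round_trip(m: int) -> dict:
    """Encrypt/decrypt under the recipient's key pair, and sign-then-encrypt
    from sender to recipient, returning the recovered values."""
    n_b, _ = RECIPIENT_PUBLIC
    n_a, _ = SENDER_PUBLIC
    c = rsa_encrypt(m, RECIPIENT_PUBLIC)
    sealed = sign_then_encrypt(m, (n_a, SENDER_D), RECIPIENT_PUBLIC)
    return {
        "ciphertext": c,
        "decrypted": rsa_decrypt(c, n_b, RECIPIENT_D),
        "verified": decrypt_then_verify(sealed, (n_b, RECIPIENT_D), SENDER_PUBLIC),
    }
```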
C = M^e (mod n)  (97.4)

M = C^d (mod n)  (97.5)

For equivalent security, the computational burden of RSA and similar public-key cryptosystems is significantly greater than DES and similar single-key cryptosystems. As a result, where large amounts of information must be communicated, public-key systems are frequently used for secure communication of a key intended for a single-key system, which is then in turn used for mainstream encryption.

RSA has well known cryptographic digital signature capabilities (transformed by the sender using the sender's secret key; transformed by the receiver using the sender's public key), which gives assurance that the information was initiated by the signer and that the sender cannot deny creating the information. A signature technique, Digital Signature Standard (DSS) [NIST, 1991], has been proposed by NIST. The basic differences between DSS and RSA are that DSS is intended only for digital signatures, DSS patents are intended to be government owned, the proposed DSS key lengths will be constrained, and the security of DSS is based on the difficulty of finding logarithms of large numbers.

Examples of relatively new encryption techniques coming into popular use are PGP (Pretty Good Privacy), IDEA (International Data Encryption Algorithm), and PEM (Privacy Enhanced Mail). The U.S. Government has proposed SKIPJACK, a secret and controlled system, as an intended replacement for DES. The proposal, which includes "trusted third-party" key escrow, has met with significant controversy.

Software Security

A number of techniques that are commonly implemented in software can contribute to protection against adversaries. These include password authentication; memory, file, and database access restrictions; restrictions on processing actions; development and maintenance controls; and auditing.
Passwords, which are intended to authenticate a computer user in a cost-effective way, are sometimes user-selected (a technique resulting in a relatively small potential population), sometimes user-selected from a computer-generated collection, sometimes randomly generated, and sometimes randomly generated from a phonetic construction (for pronounceability and memorization ease) [Cooper, 1989]. Examples of phonetic passwords are TAMOTUT, OTOOBEC, SKUKOMO, ALTAMAY, and ZOOLTEE. These five were each chosen from a different phonetic construction (five of the approximately 25 commonly used).

Security control can be physical, temporal, logical, or procedural. Two important logical or procedural control principles are part of fundamental multilevel security (multiple levels of sensitivity and multiple user clearance levels on the same system), as described by part of the Bell–La Padula model. The simple security principle restricts users of a particular clearance level from reading information that is of a more sensitive (more highly classified) level. The star property prohibits information flow from the level at which its sensitivity has been determined to any lower level (write-down). Analogous integrity protection is provided by the Biba integrity model [Gasser, 1988]. Protection rules can be mandatory (used mainly by the government or military) or discretionary (compartmented according to need-to-know regimes of trust typically determined by file owners). The combination of security levels and protection rules at the same level can be associated with a lattice model. In addition to matching the security controls, the lattice model facilitates mathematical verification of security implementations.

A common logical protection rule specification gives the rights of subjects (action initiators) to act on objects (action targets) at any particular time. One way to view these rules (although seldom implemented in this manner) is to consider an access matrix (Table 97.1) containing rows for subject indicators and columns for object indicators. The matrix entries are the rights of subjects to objects. Actual implementation may differ, e.g., by using directories, or capability lists, or capability tokens (row designations for rights of subjects), or access control lists (column designations for rights to objects). These types of rules can be augmented by software (and/or hardware) memory protection through techniques including fences, base/bounds registers, tagged registers, and paging [Gasser, 1988].

Database management system (DBMS) security and integrity protections include access controls but generally require finer granularity and greater protection (especially for relational databases) against subtle forms of
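The simple security and star properties evaluated over a lattice of sensitivity levels and need-to-know compartments, their Biba integrity analogues, and the access matrix read by row (capability list) and by column (access control list), as an added example that is not from the handbook. The level names, the matrix entries and the `Label` class are constructed; `authorized` shows the combination of mandatory and discretionary rules, where the star property blocks a write-down that the matrix alone would permit.

```python
from dataclasses import dataclass

# Constructed ordering of sensitivity levels (higher number = more sensitive).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A lattice point: a sensitivity level plus a set of need-to-know
    compartments. Labels are partially ordered by dominance."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)

    def join(self, other: "Label") -> "Label":
        """Least upper bound: the lowest label that dominates both."""
        level = max(self.level, other.level, key=LEVELS.get)
        return Label(level, self.compartments | other.compartments)


def simple_security_allows_read(subject: Label, obj: Label) -> bool:
    """Bell-La Padula simple security property: no read up."""
    return subject.dominates(obj)


def star_property_allows_write(subject: Label, obj: Label) -> bool:
    """Bell-La Padula star property: no write down."""
    return obj.dominates(subject)


def biba_allows_read(subject: Label, obj: Label) -> bool:
    """Biba integrity analogue (labels now rank integrity): no read down."""
    return obj.dominates(subject)


def biba_allows_write(subject: Label, obj: Label) -> bool:
    """Biba integrity analogue: no write up."""
    return subject.dominates(obj)


# Constructed discretionary access matrix: rows are subjects, columns objects.
ACCESS_MATRIX = {
    ("alice", "payroll.db"): {"read", "write"},
    ("alice", "plans.doc"): {"read"},
    ("bob", "payroll.db"): {"read"},
}


def capability_list(subject: str) -> dict:
    """Row view of the matrix: everything one subject may do."""
    return {o: rights for (s, o), rights in ACCESS_MATRIX.items() if s == subject}


def access_control_list(obj: str) -> dict:
    """Column view of the matrix: who may do what to one object."""
    return {s: rights for (s, o), rights in ACCESS_MATRIX.items() if o == obj}


def authorized(subject: str, subject_label: Label, obj: str, obj_label: Label,
               right: str) -> bool:
    """A request passes only if both the mandatory lattice rule for that right
    and the discretionary matrix entry permit it."""
    mandatory = {"read": simple_security_allows_read,
                 "write": star_property_allows_write}[right]
    discretionary = right in ACCESS_MATRIX.get((subject, obj), set())
    return mandatory(subject_label, obj_label) and discretionary
```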
© 2000 by CRC Press LLC

C = M^e (mod n)   (97.4)

M = C^d (mod n)   (97.5)

For equivalent security, the computational burden of RSA and similar public-key cryptosystems is significantly greater than DES and similar single-key cryptosystems. As a result, where large amounts of information must be communicated, public-key systems are frequently used for secure communication of a key intended for a single-key system, which is then in turn used for mainstream encryption. RSA has well known cryptographic digital signature capabilities (transformed by the sender using the sender’s secret key; transformed by the receiver using the sender’s public key), which gives assurance that the information was initiated by the signer and that the sender cannot deny creating the information.

A signature technique, Digital Signature Standard (DSS) [NIST, 1991], has been proposed by NIST. The basic differences between DSS and RSA are that DSS is intended only for digital signatures, DSS patents are intended to be government owned, the proposed DSS key lengths will be constrained, and the security of DSS is based on the difficulty of finding logarithms of large numbers. Examples of relatively new encryption techniques coming into popular use are PGP (Pretty Good Privacy), IDEA (International Data Encryption Algorithm), and PEM (Privacy Enhanced Mail). The U.S. Government has proposed SKIPJACK, a secret and controlled system, as an intended replacement for DES. The proposal, which includes “trusted third-party” key escrow, has met with significant controversy.

Software Security

A number of techniques that are commonly implemented in software can contribute to protection against adversaries. These include password authentication; memory, file, and database access restrictions; restrictions on processing actions; development and maintenance controls; and auditing.
Passwords, which are intended to authenticate a computer user in a cost-effective way, are sometimes user-selected (a technique resulting in a relatively small potential population), sometimes user-selected from a computer-generated collection, sometimes randomly generated, and sometimes randomly generated from a phonetic construction (for pronounceability and memorization ease) [Cooper, 1989]. Examples of phonetic passwords are TAMOTUT, OTOOBEC, SKUKOMO, ALTAMAY, and ZOOLTEE. These five were each chosen from a different phonetic construction (five of the approximately 25 commonly used).

Security control can be physical, temporal, logical, or procedural. Two important logical or procedural control principles are part of fundamental multilevel security (multiple levels of sensitivity and multiple user clearance levels on the same system), as described by part of the Bell–La Padula model. The simple security principle restricts users of a particular clearance level from reading information that is of a more sensitive (more highly classified) level. The star property prohibits information flow from the level at which its sensitivity has been determined to any lower level (write-down). Analogous integrity protection is provided by the Biba integrity model [Gasser, 1988]. Protection rules can be mandatory (used mainly by the government or military) or discretionary (compartmented according to need-to-know regimes of trust typically determined by file owners). The combination of security levels and protection rules at the same level can be associated with a lattice model. In addition to matching the security controls, the lattice model facilitates mathematical verification of security implementations. A common logical protection rule specification gives the rights of subjects (action initiators) to act on objects (action targets) at any particular time.
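The mandatory rules just described (simple security, star property, lattice dominance) combined with a subject/object rights matrix, as an added Python example that is not part of the handbook; the labels, subjects, objects and rights are constructed, with the matrix rows modelled on Table 97.1, and the block also derives the row view (capability list) and column view (access control list) of the same matrix:

```python
"""Reference-monitor sketch for multilevel security (added example, not handbook code).

A label is (hierarchical level, set of compartments); labels form a lattice under
"dominates". The simple security property forbids reading up, the star (*) property
forbids writing down, and a discretionary access matrix (subjects x objects -> rights)
is consulted only after the mandatory rules pass. All names and data are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Lattice order: level at least as high AND a superset of compartments.
        Two labels may be incomparable (neither dominates), which denies both ways."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def join(a: Label, b: Label) -> Label:
    """Least upper bound: the label an object must carry after mixing data from a and b."""
    level = max(a.level, b.level, key=LEVELS.__getitem__)
    return Label(level, a.compartments | b.compartments)


# Constructed access matrix (rows: subjects, columns: objects), modelled on Table 97.1.
ACCESS_MATRIX: Dict[str, Dict[str, Set[str]]] = {
    "S1": {"O1": {"own", "write", "read"}, "O2": {"own", "read", "execute"}},
    "S2": {"O1": {"read"}, "O2": {"execute"}},
    "S3": {"O1": {"write"}, "O2": {"read"}},
}


def capability_list(subject: str) -> Dict[str, Set[str]]:
    """Row view of the matrix: what one subject may do to each object."""
    return dict(ACCESS_MATRIX.get(subject, {}))


def access_control_list(obj: str) -> Dict[str, Set[str]]:
    """Column view of the matrix: which subjects may do what to one object."""
    return {s: rights[obj] for s, rights in ACCESS_MATRIX.items() if obj in rights}


def mandatory_ok(subject_label: Label, object_label: Label, mode: str) -> bool:
    """Bell-La Padula mandatory check for one access mode."""
    if mode in ("read", "execute"):      # simple security: no read up
        return subject_label.dominates(object_label)
    if mode == "write":                  # star property: no write down
        return object_label.dominates(subject_label)
    raise ValueError(f"unknown access mode {mode!r}")


def check_access(subject: str, subject_label: Label, obj: str,
                 object_label: Label, mode: str) -> Tuple[bool, str]:
    """Return (granted, reason): mandatory rules first, then discretionary rights."""
    if not mandatory_ok(subject_label, object_label, mode):
        rule = "star property (no write down)" if mode == "write" else "simple security (no read up)"
        return False, f"denied by {rule}"
    if mode not in ACCESS_MATRIX.get(subject, {}).get(obj, set()):
        return False, "denied by access matrix (discretionary)"
    return True, "granted"


if __name__ == "__main__":
    secret, conf = Label("SECRET"), Label("CONFIDENTIAL")
    print(check_access("S1", secret, "O1", conf, "read"))    # granted
    print(check_access("S1", secret, "O1", conf, "write"))   # star property denial
    print(check_access("S2", conf, "O2", secret, "read"))    # simple security denial
    print(access_control_list("O1"))
```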
One way to view these rules (although seldom implemented in this manner) is to consider an access matrix (Table 97.1) containing rows for subject indicators and columns for object indicators. The matrix entries are the rights of subjects to objects. Actual implementation may differ, e.g., by using directories, or capability lists, or capability tokens (row designations for rights of subjects) or access control lists (column designation for rights to objects). These types of rules can be augmented by software (and/or hardware) memory protection through techniques including fences, base/bounds registers, tagged registers, and paging [Gasser, 1988]. Database management system (DBMS) security and integrity protections include access controls but generally require finer granularity and greater protection (especially for relational databases) against subtle forms of
information deduction such as inference and aggregation. Integrity protection mechanisms include field checks, change logs, two-phase updates, error protection codes, range comparisons, and query controllers [Pfleeger, 1989]. Secrecy depends on access control (e.g., file passwords), query controllers, and encryption.

Processing restrictions can, in addition to those implied by memory, file, and database controls, limit the ability of users to, for example, try multiple passwords or multiple user IDs; make financial transactions; change security parameters; move, rename, or output information; and deliver covert channel information (signaling systematically using authorized actions to codify unauthorized data delivery).

Software development and maintenance controls include standards under which programs (including security features) are designed to meet requirements, coded in structured or modular form, reviewed during development, tested, and maintained. Configuration or change control is also important.

Computer auditing is intended to provide computer records about user actions for routine review (a productive application for expert systems) and for detailed investigation of any incidents or suspicious circumstances. It is essential that audit records be tamper-proof. Software security features (including auditing) can be provided as part of the computer operating system or they can be added to an operating system as an add-on product. A U.S. government multilevel trusted computing base development program through NSA’s National Computer Security Center (NCSC) resulted in a well known security methodology and assessment scheme for these types of software (and hardware) products [DOD, 1985]. A significant number of operating systems and software security packages have been evaluated and given

TABLE 97.1 An Access Matrix
Subjects/Objects: O1, O2, O3, O4, O5
S1: Own, write, read (O1); Own, read, execute (O2); Own, read, delete (O3); Read, write, execute (O4); Read (O5)
S2: Read; Execute; Read (entries for three of the five objects)
S3: Write; Read; Read (entries for three of the five objects)

FIGURE 97.6 Factoring history (size, in digits, of numbers factored, plotted by year from 1974 to 1996).

Because of the importance of factoring to RSA security, factoring methodology and accomplishments are of considerable interest. Techniques for factoring “hard” numbers were available for only up to about 50 digits in about a day’s computing time until 1983, when a match between mathematical development (the quadratic sieve) and computer vector processing capabilities contributed to factoring up to 58-digit numbers in equivalent time. The next year, a 69-digit number was factored in about 32 hours on a Cray 1S. A few months later, a 71-digit number was factored in less than 10 hours on a Cray XMP. By the end of the decade, collections of small computers had been coupled in a worldwide effort to demonstrate that numbers of more than 100 (116 in 1991) digits could be cost-effectively factored. This explosive trend, although not expected to continue because of current mathematical limitations (at present many orders of magnitude more computation time is needed than would threaten 300-digit numbers), demonstrates the importance of factoring prognosis in forecasting the long-term security of RSA.
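Relations (97.4) and (97.5) carried through on a toy modulus, together with the sender/receiver signature transform and the dependence of RSA on factoring that the paragraph above describes, as an added Python example that is not from the handbook; the primes, messages and the use of SHA-256 for hash-then-sign are constructed assumptions:

```python
"""Toy RSA per (97.4) C = M^e mod n and (97.5) M = C^d mod n (added example, not handbook code).

The primes are tiny so that factoring n and thereby recovering the secret exponent d
can be shown directly by trial division; real moduli have hundreds of digits, which is
why the factoring record matters. SHA-256 hash-then-sign is an assumption: the handbook
does not specify a hash for the signature transform. All values are constructed.
"""
from hashlib import sha256
from math import gcd, isqrt
from typing import Tuple

Key = Tuple[int, int]  # (exponent, modulus)


def make_keypair(p: int, q: int, e: int = 17) -> Tuple[Key, Key]:
    """Return ((e, n), (d, n)); e must be coprime to phi(n) = (p-1)(q-1)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e is not invertible modulo phi(n)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def encrypt(m: int, public: Key) -> int:
    """(97.4): a message block, or a single-key session key carried as an integer."""
    e, n = public
    if not 0 <= m < n:
        raise ValueError("message block must lie in [0, n)")
    return pow(m, e, n)


def decrypt(c: int, private: Key) -> int:
    """(97.5): only the holder of d reverses the transform."""
    d, n = private
    return pow(c, d, n)


def _digest_mod_n(message: bytes, n: int) -> int:
    return int.from_bytes(sha256(message).digest(), "big") % n


def sign(message: bytes, private: Key) -> int:
    """Sender transforms the message digest with the secret key."""
    d, n = private
    return pow(_digest_mod_n(message, n), d, n)


def verify(message: bytes, signature: int, public: Key) -> bool:
    """Receiver reverses the transform with the sender's public key."""
    e, n = public
    return pow(signature, e, n) == _digest_mod_n(message, n)


def factor(n: int) -> Tuple[int, int]:
    """Trial division, feasible only because n is tiny; returns (smaller, larger)."""
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            return p, n // p
    raise ValueError("no nontrivial factor found")


def recover_private_from_factoring(public: Key) -> Key:
    """Why factoring progress threatens RSA: p and q give phi(n), hence d."""
    e, n = public
    p, q = factor(n)
    return pow(e, -1, (p - 1) * (q - 1)), n


if __name__ == "__main__":
    pub, priv = make_keypair(61, 53)              # n = 3233, phi = 3120
    c = encrypt(65, pub)
    print(pub, priv, c, decrypt(c, priv))         # (17, 3233) (2753, 3233) 2790 65
    s = sign(b"transfer 100", priv)
    print(verify(b"transfer 100", s, pub))        # True
    print(recover_private_from_factoring(pub) == priv)  # True
```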
ratings by NCSC, in addition to hardware–software combinations, encryption devices, and network security systems. The basic evaluation determines the degree of confidence that the system will be resistant to external penetration and internal unauthorized actions. The most secure systems known are classified A1 and utilize a reference monitor (checking every request for access to every resource), a security kernel (concentration of all security-related functions into a module that facilitates protection and validation), and protection against covert channels. Formal analysis is used to assure that the implementation correctly corresponds to the intended security policy. There is an operational efficiency penalty associated with secure multilevel operating systems. Other classes (in order of progressively fewer security features, which results in decreasing security) are B3, B2, B1, C2, C1, and D (see Table 97.2, where security features generally accumulate, reading up from the table bottom).

In addition to computer activity directly controlled by personnel, a family of software threats can execute without direct human control. These techniques include the Trojan horse, the virus, the worm, the logic bomb, and the time bomb. The virus and worm (because they copy themselves and spread) are both capable of global-spanning attacks over relatively short time frames. Protection against these threats includes limiting user threats through background screening, using expert system software scanners that search for adversarial program characteristics, comparators, and authenticators or digital signatures that facilitate detection of software tampering. Other software-intensive threats include trapdoors, superzapping, browsing, asynchronous attacks, and the salami attack [Cooper, 1989].
These all usually involve unauthorized actions by authorized people and are most effectively counteracted by insider personnel controls (see Section 97.7, “Personnel Security”).

Hardware Security

In addition to personal authentication through something known (e.g., passwords or PINs), users can be authenticated through something possessed or by something inherent about the user (or by combinations of the three). Hardware devices that contribute to computer security using the approach of something possessed include tokens and smart cards. Biometric verifiers authenticate by measuring human characteristics. Other hardware security devices include encryptor/decryptor units and port protection devices (to make dial-up attacks by hackers more difficult). A generic diagram depicting some of these applied to control of users is shown in Fig. 97.7. The controls can be used individually or in various combinations.

Tokens are devices that can be hand-carried by authorized computer users and are intended to increase password security by assuring that passwords are used only once, thereby reducing the vulnerability to password compromise. The devices contain an internal algorithm, which either works in synchronization with an identical algorithm in the host computer or transforms an input derived from a computer prompt into a password that matches the computer-transformed result. In order to protect against loss, most also require a user password for token access.

Smart cards are credit-card-sized devices intended to facilitate secure transactions, such as credit card purchases, purchases or cash withdrawals that result in bank account debits, or information interchanges. The most common application uses a card reader/network that exchanges data with the smart card over a serial data bus.
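Both token modes described above (an algorithm stepped in synchronization with the host, and a host prompt transformed into a one-time password), each unlocked by a user PIN, as an added Python example that is not from the handbook; HMAC-SHA256 stands in for the token's unspecified internal algorithm, the host's drift window is an assumption, and every secret and value is constructed:

```python
"""Hand-carried token versus host, in both modes the text describes (added example).

Synchronized mode: token and host step the same counter through the same transform;
the host tolerates a small drift window and never accepts a value at or below the
last counter it accepted, so a captured password cannot be replayed.
Challenge mode: the host issues a prompt, the token transforms it with the shared
secret, and the host accepts each prompt's response once.
HMAC-SHA256 is a stand-in for the device's real algorithm; all values are constructed.
"""
import hashlib
import hmac
import secrets


def otp(secret: bytes, material: bytes, digits: int = 8) -> str:
    """Shared transform: HMAC-SHA256(secret, material) truncated to decimal digits."""
    mac = hmac.new(secret, material, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** digits).zfill(digits)


class Token:
    """The carried device; it computes nothing until unlocked with the user's PIN."""

    def __init__(self, secret: bytes, pin: str):
        self._secret, self._pin, self.counter = secret, pin, 0

    def _unlock(self, pin: str) -> None:
        if not hmac.compare_digest(pin, self._pin):
            raise PermissionError("bad PIN")

    def next_synchronized(self, pin: str) -> str:
        self._unlock(pin)
        self.counter += 1
        return otp(self._secret, self.counter.to_bytes(8, "big"))

    def respond(self, pin: str, challenge: str) -> str:
        self._unlock(pin)
        return otp(self._secret, challenge.encode())


class Host:
    """The computer side: same secret, same transform, plus replay bookkeeping."""

    def __init__(self, secret: bytes, window: int = 5):
        self._secret, self.window, self.counter = secret, window, 0
        self._outstanding = set()

    def verify_synchronized(self, password: str) -> bool:
        # Accept counters in (counter, counter + window]; on success jump the host
        # counter forward so that value, and any skipped earlier value, is dead.
        for c in range(self.counter + 1, self.counter + self.window + 1):
            if hmac.compare_digest(otp(self._secret, c.to_bytes(8, "big")), password):
                self.counter = c
                return True
        return False

    def challenge(self) -> str:
        ch = secrets.token_hex(8)
        self._outstanding.add(ch)
        return ch

    def verify_response(self, challenge: str, response: str) -> bool:
        if challenge not in self._outstanding:
            return False                      # unknown or already used prompt
        self._outstanding.discard(challenge)  # one response per prompt
        return hmac.compare_digest(otp(self._secret, challenge.encode()), response)


if __name__ == "__main__":
    shared = b"constructed-shared-secret"
    tok, host = Token(shared, "4321"), Host(shared)
    p = tok.next_synchronized("4321")
    print(host.verify_synchronized(p), host.verify_synchronized(p))  # True False
    ch = host.challenge()
    print(host.verify_response(ch, tok.respond("4321", ch)))         # True
```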
User information and security information are stored in encrypted form in the card, and physical

TABLE 97.2 NCSC Security Evaluation Ratings
Class Name | Summary of Salient Features
Class A1 | Formal top-level specification and verification of security features, trusted software distribution, covert channel formal analysis
Class B3 | Tamper-proof kernelized security reference monitor (tamper-proof, analyzable, testable), structured implementation
Class B2 | Formal security model design, covert channel identification and tracing, mandatory controls for all resources (including communication lines)
Class B1 | Explicit security model, mandatory (Bell–La Padula) access control, labels for internal files and exported files, code analysis and testing
Class C2 | Single-level protection for important objects, log-in control, auditing features, memory residue erasure
Class C1 | Controlled discretionary isolation of users from data, authentication, testing
Class D | No significant security features identified
access to the internal card circuitry is protected by tamper-proof (self-destructive) sealing. Use of the card is controlled by password access.

Because of the vulnerability of passwords to compromise by disclosure or various forms of information tapping, and because of the vulnerability of loss of carried items (e.g., ROM keys, magnetic stripe cards), biometric devices have been developed to measure human characteristics in ways that are resistant to counterfeiting. These devices include signature verifiers (for examining the velocity, acceleration, and pressure characteristics imparted during signing as a function of time), fingerprint and palmprint readers (for examining print pattern characteristics, for example, with the flesh applied to a glass platen), voice verifiers (which evaluate speech characteristics, usually in response to system prompts), hand geometry (including some three-dimensional aspects), eye retina vessel pattern examination (through infrared reflection), and typing rhythm assessment (for user keyboard inputs).

Systematic cracker attacks on dial-up computer ports frequently include searches for modem tones followed by attempts to guess passwords. In response, port protection devices (PPDs) enhance dial-up security. The basic feature of many PPDs is that no modem tone is provided until an additional security barrier (or barriers) is overcome. Most PPDs require a code before computer port connection. Some also identify the user by the code entered, disconnect the call, and dial the number at which the user is expected to be (typically using a separate line to avoid dial-in intercept of the outgoing call).

Personal computer (PC) security is of contemporary interest because these relatively new tools have contributed to a set of security vulnerabilities that differs substantially from conventional computer security concerns. For example, PC users may be more naive about security in general, PC hardware and software and administrative controls are generally more primitive, the PC physical environment is generally less controlled, and PCs are generally more easily misused (e.g., company PCs used for personal benefit).

An additional hardware security topic is associated with TEMPEST (a program to assess the potential for data processing equipment to inadvertently generate “compromising emanations” that convey information to a surreptitious remote sensor). Although originally of concern because of requirements to protect government and military classified data, industrial espionage is now also a concern. Various forms of protection can be used, such as electromagnetic shielding, physical separation of processing equipment from potential adversary locations, fiber-optic communication, and encrypted data transmission. Some commercial equipment has been certified by NSA to have low emanations.

FIGURE 97.7 Depiction of hardware controls

Network Security

Many business, informational, and scientific interchanges take place nationally and internationally over networks under computer control. Management of network security is exacerbated by physical dispersal and security philosophy disparity. For example, network adversaries may be harder to identify and locate than local