Glossary of Information Technology security terms
ITSS Legal Issues Working Group
11/07/95

Access controls
Advanced card technologies (including smart cards)
Audit trails
Authentication
Authorization
Bulletin Board Systems
Clipper Chip: see encryption
Communications, Transmission, Computer Security (COMSEC, TRANSEC, COMPUSEC)
Data Matching
Digital Signature
Dynamic Data
EDI and electronic commerce
Encryption (including algorithm, symmetric and asymmetric encryption, Digital Encryption Standard (DES), public key cryptography, digital signature, hash, confidentiality encryption, RSA algorithm, factoring problem, discrete logarithm problem, public key infrastructure, public key certificates, key escrow (Clipper Chip))
Firewalls and Gateways
Hacking (examples of network security vulnerability)
Integrity
Internet (including World Wide Web, FTP, TELNET and Gopher)
Legacy system
Non-repudiation
Public key infrastructure, public key cryptography: see encryption
Sensitive information
TEMPEST
Tokens
Value Added Networks (VANs)
Virus (including trojan horse, worm, bacteria, logic bomb, time bomb and bugs)

Access controls (see Firewalls and Gateways and Hacking)

Access controls refers to the ability of computer systems to be set up so that only specified individuals or computers are permitted to have access to specific parts of the computer system. Passwords are one form of access control. Tokens, such as a smart card (see Advanced Card Technologies), can also be required before a computer will permit a person to use that computer. Access controls are generally set by the administrator of the computer system, and can include both discretionary and mandatory access controls.

Discretionary access controls (DAC) are controls based on the identity of the user, the data requested and access control information.
The owner of the data (and privileged system users) can change the access control information. Because DAC is based solely on user identity, it is vulnerable to certain types of attacks, such as a Trojan Horse.

Mandatory access controls (MAC) are based on the clearance of the user, the sensitivity of the data requested, and access control information. Only privileged system users can change the access control information. Because MAC is based on clearance and data sensitivity, it can defeat Trojan Horse attacks.

Mode of Operation: There are different modes of operation (or “processing states”) depending on the clearance levels of users and their need-to-know the information in the system. To define the modes of operation, it is necessary to know the clearance of the system users and the sensitivity of the system data, the number of users in any particular mode of operation and how they communicate on the network (e.g., dial-in access, telnet access, direct access). The user profile, system characteristics (e.g., does the system have MAC and DAC), and confidentiality considerations dictate the appropriate mode of operation. There are three modes of operation: dedicated, system-high and multi-level.

               All users cleared for      All users have need to know
               all information on         all the information on
               the system                 the system
Dedicated      Yes                        Yes
System High    Yes                        No
Multi-level    No                         No

Multi-level requires the most technical security features, but allows the most flexible use of the computer system. It permits users with different security clearance levels and information with different security designations to operate on the same system.

Advanced Card Technologies

“Advanced Card Technologies” (ACT) refer to any cards used for the purposes of identifying the end-user to gain access to an information system.
There are significant privacy issues related to the use of advanced card technologies because potentially an individual could carry on a single card all of his or her personal data (e.g. medical, criminal, education and employment information and spending habits). In addition to carrying personal information, the card could (when used with a personal identification number) provide access to the individual’s money (e.g. bank card, credit card), home, office, car and computers (used as a key or password to gain entrance), and to government and other services used by the individual, and could carry the individual’s secret encryption key which would be used to produce electronic proof of identity for many different transactions. Thus, unauthorized access to information on an advanced technology card could result in serious invasions of privacy, and potentially could result in frauds and thefts as well.

There are a number of different kinds of advanced card technologies:

The magnetic stripe card is undoubtedly the most recognizable ACT. Anyone who uses a credit card or an automated teller banking card is using a magnetic stripe card. This type of card is distinguishable by the dark stripe of magnetic material which is placed on one side of the card. The magnetic stripe is capable of storing 400 bytes (characters) of information. Its very limited information storage capabilities require that systems utilizing this technology store only essential information, such as cardholder identification codes, on the card. Although the magnetic stripe card has gained massive acceptance throughout the world, it is widely recognized that its limited data storage capability and the data's susceptibility to fraudulent alteration will severely limit the future uses of the technology.

The smart card is perhaps the most promising ACT of all.
A smart card is a credit card sized plastic card that contains an embedded computer chip which possesses computer logic and is capable of processing, storing and retrieving information loaded onto the chip. Although memory storage capacity is currently limited to a maximum of 64 kilobytes, the smart card's microprocessor offers functionality that is not available with any other ACT. The smart card's microprocessor is able to employ sophisticated password and encryption/decryption techniques to prevent unauthorized users from accessing or modifying data stored on the card. Also, the smart card's microprocessor is capable of performing computer logic functions such as addition, subtraction, multiplication, division, conditional branching, etc. In fact, these functions are used by the smart card's microprocessor to monitor access attempts and to shut off the smart card when the number of incorrect access attempts reaches a predefined number.

The PCMCIA (Personal Computer Memory Card International Association) is a standard which describes the physical requirements, electrical specifications and software architecture for PC cards. These standards define three physical sizes of cards: Type I, Type II and Type III. All three card types measure the same length and width, roughly the size of a standard credit card, and use the same 68-pin edge connector for attachment to the computer. Where they differ is only in thickness.

A Type I Card is typically used for various types of memory enhancements, including RAM, flash memory, one-time programmable (OTP) memory and electronically erasable programmable read only memory (EEPROM).

A Type II Card is typically used for memory enhancements and/or for I/O features such as data/fax modems, LANs and host communications.
A Type III Card is twice the thickness of the Type II and is used for memory enhancements and/or for I/O features that require a larger size, such as rotating mass storage devices (removable hard disk drives) and radio communication devices.

The optical card incorporates optical data storage technology (such as high-capacity optical disks) into portable credit-card sized plastic cards. Data is stored and retrieved using laser beams in essentially the same manner as used for optical disks. Unlike some ACT which allow data to be written, erased and re-written, optical cards employ a write-once technology, i.e., the media can be written to only once and it cannot be altered without destroying the card. Under the proper circumstances, this unerasable write-once system is desirable (e.g., medical records). The main advantage of this technology is its high data storage capacity, typically in the 4 to 6 megabyte range (equivalent to 1800 to 2400 typewritten pages of text). A disadvantage of this technology is its relatively weak capability to prevent unauthorized users from reading data stored on the card, unless the information is stored in an encrypted form.

The small memory card's memory storage capacity of 2 kilobytes to 64 kilobytes of memory (2,000 to 64,000 characters) is much more limited than that of the large memory card. The small memory card's credit card like appearance, source of memory and memory capacities are very similar to that of a smart card. It is often referred to as a smart card without the intelligence of a microprocessor.

The large memory card is another ACT which under the right circumstances can be a very useful product. Physically, the card's length and width conform to credit card standards; however, these cards are considerably thicker than a credit card or other ACT products. The large memory card is basically an electronic computer memory board shrunken to the length and width of a credit card.
The memory capacity of this medium can be as high as 2 megabytes (equivalent to 800 typewritten pages of text) depending on the type of memory that is used. A drawback associated with this ACT is that it is not very portable, that is, one cannot carry a large memory card in one's wallet.

The final type of ACT is classed as other. This refers to card types which do not apply as noted above or combinations of the above card types, for example an ID card which has both a magnetic stripe and a computer chip, or a number generating card (e.g., SECURE ID or RACAL), or other token based systems (e.g., KSD-64).

Audit Trails

Audit trails in computer systems are intended to allow management to investigate events leading up to any incident or to trace or monitor activities or transactions on the system. Audit and monitoring are often sacrificed in computer security because implementing them means dealing with a range of challenging cost, policy and legal issues. Audit functions have a high overhead in processing speed and storage space and are normally turned off except for minimal, critical events, although frequently even these are not audited. The cost implications in terms of storage media, archival facilities, regular review and updating, documenting the system and policies with respect to its use, and dealing with issues relating to personal privacy and public access are very demanding.

Authentication (see also authorization and integrity)

Authentication means evidence (as conclusive as possible) that the person identified as the sender in the electronic message is actually the person who sent the message.

Authorization (see also authentication and integrity)

Authorization means evidence (as conclusive as possible) that the person who sent a message (e.g., signed a contract, approved a payment, certified receipt of goods) actually had the authority to send that message.
Authorization is based on the individual’s financial authority, security clearance and need-to-know.

Bulletin Board System (BBS)

An electronic computer dial-in service which provides multiple services to computer users such as e-mail, discussion groups, games, news services, documents, images and data, and access to other computer systems.

Certification, Certification Authority, Public Key Certificate (see encryption)

Classified Information (see sensitive information)

Clipper Chip, Capstone Chip (see encryption)

Communications, Transmission, Computer Security

COMSEC includes Emission Security (electromagnetic emanations from computers), Cryptographic Security and Transmission Security (telecommunications - TRANSEC). TRANSEC includes measures designed to protect transmissions from intercept and exploitation. TRANSEC does not include protecting encrypted messages from surreptitious decryption (which is Cryptographic Security). TRANSEC measures include adherence to approved operating procedures, use of equipment that encodes messages (i.e., cryptography), frequencies (i.e., frequencies at which signals are sent, various megahertz) and spectrum (across which signals are sent). Computer security is known as COMPUSEC.

Confidential information (see sensitive information)

Data Matching

The comparison of personal data obtained from different sources, including personal information banks, for the purpose of making decisions about the individuals to whom the data pertains. Generally, it applies to comparing computerized sets of data rather than comparing records from two government departments about a single individual. Thus, data matching is generally described as a “program.” In accordance with the Privacy Act, prior to initiating a data-matching program, government institutions must assess the feasibility of the proposed match, analyzing the potential impact on the privacy of individuals and the costs and benefits of the data-matching program.
This matching activity may or may not generate a new body of personal information. Data linking or data profiling involves combining personal information from a variety of sources to create a new body of personal information.

Matching institution: A government institution that is planning to conduct or is conducting a matching program.

Matching source: An organization that discloses personal information to an institution for the purposes of a matching program. A matching source may be within the matching institution, another government institution, or any other organization.

Designated Information (see sensitive information)

Digital Signature (see encryption for more information)

A digital signature is commonly interpreted as involving a mathematical summary (“hash”) of a document, encrypted by an individual’s secret encryption key. (If the message is short, there is no hash: the message itself is encrypted, not for the purpose of confidentiality for the message, but for the purpose of proving who sent the message.) Generally, encryption is tied to a unique encryption key, which only one person has. If a message is encrypted with that key, it proves that the message was sent by the person who purportedly holds that key, and thus serves the same function as a signature, although it is not similar in nature to a handwritten signature.

By way of contrast, a digitized signature means reproducing an electronic image of a person’s handwritten signature (such as by faxing a document signed by hand). The received fax will have a digitized signature on it.

Dynamic data

Data that is constantly changing, such as data in a spreadsheet or database which is constantly being updated.

Electronic data interchange (EDI); electronic commerce

Electronic data interchange and electronic commerce are terms that refer to electronic transactions and contracts.
Generally, EDI involves sending purchase requests and payment invoices electronically, but electronic transactions can cover many other kinds of transactions, such as filing income tax returns, applying for licences, paying tickets. Frequently, there will be a signed, paper agreement between the parties setting out how the electronic transactions will occur (Trading Partner Agreements).

EDI makes it possible to order goods and services, invoice them and authorize payment for them without a person actually filling out those forms or even entering that information. For example, a car manufacturer can have a relationship with a steering wheel supplier. The steering wheel supplier might have direct access to the manufacturer’s computer which says how many cars will be manufactured in a given period of time. It is the supplier’s responsibility to ensure enough steering wheels are provided to be put into the car. No purchase order is required. After the cars are built, the manufacturer simply counts the number of cars produced and transfers funds to the supplier for the price of the steering wheels for that number of cars (knowing that the cars could not have been produced without steering wheels and that each car has only one steering wheel). No invoice, certificate of receipt, payment authorization or cheque is required. This kind of electronic commerce requires an established, trusted relationship between supplier and purchaser.

Encryption

Encryption means transforming plain text into text which is unintelligible to anyone who does not have the “key” (or “code”) which explains the relationships between the plain text characters and the cipher text characters. For example, the key used in the time of Julius Caesar was simply to replace a letter with the letter which appeared four letters later in the alphabet. Thus, where the letter ‘A’ appeared in plain text, it would be replaced by ‘D’ in cipher text; ‘B’ would be ‘E’, and so on.
‘X, Y, Z’ would be ‘A, B, C’ respectively.

Now, encryption involves applying a series of complex mathematical formulae to the characters. Any given set of formulae is known as an algorithm. Mathematical formulae can be applied to letters because in computer language, letters are represented by 0s and 1s. The 0s and 1s which represent a letter also can represent a number. Thus, letters have numerical equivalents and performing numerical calculations with them is relatively straightforward.

There are two kinds of encryption: symmetric and asymmetric.

Symmetric encryption means that the same key that is used to encrypt a message is also used to decrypt a message. For almost the entire history of cryptography, encryption has used symmetric keys. The problem with symmetric encryption is that two parties must have access to the key, and those parties must both keep the key secret to ensure that no one else can read their messages or that no one else can impersonate them (if an encryption key is secret and is thought to be known only to two persons, a third person with the key could impersonate either of the other two persons). Getting the key from the sender to the receiver, without anyone else finding out about the key, was difficult, and meant that the uses of cryptography were relatively limited.

One of the most popularly used symmetric encryption algorithms is the Digital Encryption Standard (DES), which is used on bank cards for Automated Teller Machines, among other uses. The U.S. National Institute for Science and Technology adopted DES as a standard in 1977, and the American National Standards Institute adopted the same encryption algorithm as a standard for commercial purposes, calling it the Digital Encryption Algorithm (DEA). The continued use of DES as an encryption standard is subject to some question as new technology begins to make it feasible that persons could compromise DES encryption.
One alternative is to triple the DES processes (known as ‘Triple DES’) in order to make the encryption stronger. Another alternative is to migrate to different encryption standards.

In the mid-1970s, a revolution in cryptography occurred: asymmetric cryptography was discovered. Asymmetric cryptography makes it possible to divide an encryption key into two parts: one part is secret and the other part is public. For this reason, asymmetric encryption is also called private key/public key encryption. Public key encryption allows one person to send an encrypted message to another person without worrying about how to get a secret key to that other person. All the sender has to do is publish the public key, which anyone can see. (Public keys should be notarized by a trusted third party to ensure that the key is unique and that it was issued to the specific individual who claims to hold it.)

One of the more popular public key encryption products is PGP (Pretty Good Privacy), which is available for free on the Internet and uses the RSA encryption algorithm (discussed below), although there are intellectual property claims against PGP (thus, PGP should be avoided for commercial uses).

Public key encryption can be used for two separate purposes: Digital Signature and Confidentiality Encryption.

Digital signature works as follows:

Digital signatures involve encryption and hash functions. A ‘hash’ of a message is produced by performing an algorithm on the message. Hash algorithms are different than encryption algorithms. Hash algorithms are designed to produce a very short sequence of bits that are mathematically calculated from the bits in a larger file with the effect that any change in the message will produce a change in the hash (i.e., each bit in the hash has a 50% probability of changing for every change to the original text). There are a number of hash algorithms which are widely known.
There is no need to keep a hash algorithm secret as confidentiality is not its purpose. (If the message is short, there is no hash: the message itself is encrypted, not for the purpose of confidentiality for the message, but for the purpose of proving who sent the message.)

· A sends a plain text message, and encrypts a hash of that message using A’s private key.
· B receives the plain text message and performs a hash of the message, producing the Plain Hash.
· B retrieves A’s public key from a public directory and decrypts the encrypted hash that A sent. If A’s public key successfully decrypts the hash, this proves that A actually sent the message, because A’s public key only works in conjunction with A’s private key, and only A has the private key.
· B compares the Decrypted Hash with the Plain Hash. If the Plain Hash and Decrypted Hash are identical, it proves that the message has not been altered by anyone. If the two hashes are in any way different, B should disregard the message, inform A of the mismatching hashes and ask A to send the message again, and both A and B should report the mismatch to their respective computer security officers.

A digital signature does not provide confidentiality because the message itself is not encrypted (only the hash is) and the hash is encrypted using A’s private key, which means that anyone can decrypt the message using A’s public key. The purpose of digital signature is to prove (1) that A sent the message (authentication) and (2) that the message has not been altered in transmission (integrity).

Confidentiality encryption works as follows:

Public key encryption can be used to ensure confidentiality by reversing which keys are used by the sender and receiver. In Digital Signature, we saw that A used A’s own private key to encrypt the hash. B used A’s public key to decrypt the hash. In Confidentiality Encryption:

· A retrieves B’s public key, encrypts a message with it and sends it to B.
· B is the only person who can decrypt the message because only B has the private key which is necessary to decrypt the message.

Some public key algorithms can be used only for digital signature (such as the Digital Signature Algorithm (DSA)) but not for confidentiality encryption because part of the algorithm requires knowing the hash of the message. Thus, when an unencrypted message is sent accompanied by an encrypted hash of that message, the only way to decrypt the hash is to make a hash of the unencrypted message and use that in the decryption algorithm. In confidentiality encryption, there is no unencrypted message which can be used to derive the hash.

Using symmetric and public key (asymmetric) encryption together

Symmetric encryption is faster than public key encryption. Depending on the algorithms used, it can be anywhere from 100 to 1,000 times faster. Thus, where symmetric encryption is feasible, it is preferable to public key encryption. The two can be used together.

For digital signature, A can encrypt the hash using a symmetric key, and send that symmetric key to B by encrypting the symmetric key with A’s private key. When B receives the message, B will use A’s public key to decrypt the symmetric key that was sent and then use the symmetric key to decrypt the hash.

For confidentiality encryption, A will encrypt a message using A’s symmetric key, then will encrypt that symmetric key using B’s public key. This way, only B will be able to decrypt A’s symmetric key. Once B has decrypted A’s symmetric key, B will decrypt the message.

Public Key Revolution

The concept of public key cryptography was invented by Whitfield Diffie and Martin Hellman, and independently by Ralph Merkle.
Their contribution to the field was the notion that keys could come in pairs, a public key and a private key, and that it could be infeasible to generate one key from the other. Therefore, one could know how to encrypt without knowing how to decrypt, or verify a signature without knowing how to generate it.

Public key cryptography is made possible due to one-way functions associated with modular arithmetic and the properties of large prime numbers. Although there are a number of public key algorithms, all of them are based on one of two different mathematical problems associated with prime numbers: the factoring problem and the discrete logarithm problem.

Diffie and Hellman first presented the concept of public key cryptography in 1976 at the (U.S.) National Computer Conference in the paper entitled “New Directions in Cryptography,” which was published in the Institute of Electrical and Electronics Engineers (IEEE) periodical Transactions on Information Theory. This prototype algorithm makes use of the discrete log problem.

Three professors at the Massachusetts Institute of Technology (Rivest, Shamir and Adleman), inspired by the article written by Diffie and Hellman on one-way functions, developed their public key algorithm in 1977 (known as RSA). RSA’s strength is based on the difficulty of factoring the modulus that is used in the trap-door one-way function. Simply stated, it is very easy to multiply two large prime numbers together, P1*P2=C, but very difficult to take C and calculate P1 and P2 (so long as P1 and P2 are large). Every private key/public key pair uses different combinations of prime numbers. As computers become more powerful and perhaps become able to factor large numbers into their primes, the solution is simply to use larger prime numbers, to continually keep ahead of the power and speed of computers.
In symmetric encryption, the most popular algorithms, such as Digital Encryption Standard (DES), use keys that are 56 bits long (bits are 0s and 1s, and generally, a numerical digit is equal to approximately three and a third (3.322) bits). The new International Data Encryption Algorithm (IDEA) will use a 128 bit key. Public key cryptography, by contrast, uses much longer keys to produce the same level of protection as DES. For example, the Rivest, Shamir, Adleman (RSA) public key algorithm uses a 512 bit key. The difference in length of keys is based on the technical design of the algorithms and the methods that are available for unauthorized persons to discover the keys through mathematical calculations.

Although the RSA algorithm (on which PGP is based) uses the factoring problem, there are public key systems whose strength is based on the difficulty of evaluating discrete logarithms (e.g., the Diffie-Hellman key exchange algorithm). The discrete log problem is based on the difficulty of evaluating x, when given x mod p ( is publicly known and so is p (a large prime)). Protocols based on the discrete log problem can be used for key management, signatures, encryption, etc., just like RSA.

The components of the public key and private key

When public key encryption is based on the factoring problem, the public key is actually two numbers, and a private key is one number. (The public key is three numbers for the discrete log problem.) These three numbers are derived from the public key algorithm. The RSA algorithm is as follows:

RSA algorithm

To encrypt: $A^B \div C = D$, remainder $E$
To decrypt: $E^F \div C = G$, remainder $A$

“A” is the original text.
“E” is the cipher text.
“C” is the modulus, produced by multiplying the two large prime numbers together.

Not only are the two prime numbers used to create the modulus, they are also used to determine the values of “B” and “F”. “B” can be any number that meets a few limiting parameters.
“B” is usually a relatively small number, often only 5 bits long. Rather than calculating “B”, one chooses a value for “B” and then calculates the value for “F”, using a fairly complicated mathematical formula that requires knowing the two prime numbers used to generate the modulus ($F = B^{-1} \bmod (P1-1)(P2-1)$). Many encryption schemes will use the same “B”.

· The public key is two numbers: “B” and the modulus “C”.
· The private key is the number “F”.

The prime numbers needed to create the modulus “C” or the private key “F” are not in either the public or private key, but if a person had one of the prime numbers, it would be possible to calculate the numbers needed to learn the private keys.

Public key infrastructure and key management:

For public key encryption to work, your public key must be public. This is done by posting your key on an electronic directory. It is important to have confidence that your public key has not been tampered with because:

· If A’s public key has been altered in any way, it will be impossible for anyone to use the altered public key to decrypt A’s messages.
· If C replaces A’s public key with C’s public key (but the key continues to be publicly identified as A’s public key), then when B intends to send a confidential message to A, it will be C that is able to decrypt the message and not A. Further, using his own private key, C will be able to digitally sign documents and convince B that it was A who signed them.

It is also important to keep the private key secret. If C has A’s private key, C will be able to digitally sign documents and convince B that it was A who signed them and will be able to decrypt messages intended for A that are encrypted using A’s public key.

To ensure there is confidence that the public and private keys which are purported to be associated with A are in fact associated with A, the key management services are provided by a trusted third party: a public key infrastructure or PKI.
Typically, generating the public keys, posting them, and preventing tampering with them is provided as a central computer service. The humans involved are the technology specialists who monitor the operation of the computer that manages the public keys. The administrator of the computer managing the public keys “certifies” that the public key you want to use has not been tampered with by attaching its own digital signature to your document. Thus, when A ‘signs’ a document by encrypting the hash of the message with A’s private key, the trusted third party, the ‘Certification Authority’ (CA), will encrypt its own digital signature to certify that A’s public key in fact belongs to A. To decrypt A’s encrypted hash, B will have to retrieve A’s public key, check to see if it is the correct key by retrieving the CA’s public key and decrypting the CA’s certificate for A (this process will compare A’s public key with the public key the CA says it issued to A). After B has confirmed that A’s public key is the correct public key, B can then decrypt A’s digital signatures.

There can also be hierarchies of notaries, where one level is responsible for certifying the public keys of the certifiers one level below.

Public key certificates

The public key certificate has a number of fields in it. They include the following:

1. Subject (J. Doe)
2. Public key numbers
3. Public key algorithm (there are a number of public key algorithms. It is important to identify which one is being used to make it possible to know how to use the public key numbers.)
4. Certificate expiry date (public key certificates have time limits, after which new keys are issued and certified)
5. Certification Authority (Big Company or Government Office)
6. Certificate Serial Number.

The Certification Authority makes a hash of the above information and encrypts the hash using its private key.
Users obtain the CA’s public key, decrypt the hash to ensure that the certificate information has not been altered, then use the public key numbers found in the certificate. (The algorithm used to produce the hash of a message can be part of the certificate or can be communicated in other ways.)

Generally, the computer will do all of the steps of encryption without the user being aware that these steps are taking place. Ultimately, encryption will be as easy as clicking on a box in a dialogue box asking whether the user wants to encrypt or decrypt a message.

Key escrow

Escrow means a third party holding something not to be released until specific conditions are met. It is commonly used in the phrase “key escrow encryption”, which in turn refers to special encryption technologies such as the Clipper Chip (for use in telephones) and Capstone Chip (for use in computers). Both of these chips use the Skipjack encryption algorithm and include a ‘Law Enforcement Access Field’ (LEAF). When U.S. law enforcement agencies wish to decrypt an encrypted communication that uses a device with a Clipper or Capstone Chip in it, they can obtain the unique identifier for that chip (held in the LEAF). The encryption key for that chip is in two parts, one held by the U.S. National Institute of Standards and Technology (NIST), which is part of the U.S. Dept. of Commerce, the other held by the Treasury Department. These agencies are not to turn over the two parts of the encryption keys unless a court warrant authorizes them to. Once the two parts are put together, it becomes possible to decrypt the messages. NIST has established Clipper and Capstone Chips as voluntary standards for U.S. federal government agencies, thereby encouraging them but not requiring them to use this technology. This is called NIST’s 1994 Escrow Encryption Standard (EES).
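The key arithmetic from the RSA entry and the certificate check described under “Public key certificates” above, worked through in Python as an added example that is not part of the original glossary. The toy primes, field names, function names and the choice of SHA-256 are assumptions made for illustration; real systems use far larger keys and padded signatures.

```python
import hashlib
from datetime import date

# Constructed toy primes (two Mersenne primes); far too small for real use.
P1, P2 = 2**61 - 1, 2**31 - 1

def make_keypair(p1, p2, b=17):
    """Return ((B, C), F) in the glossary's notation; B = 17 is 5 bits long."""
    c = p1 * p2                                  # modulus C
    f = pow(b, -1, (p1 - 1) * (p2 - 1))          # F = B^(-1) mod (P1-1)(P2-1)
    return (b, c), f

def recover_private(public, known_prime):
    """Why the primes must stay secret: one prime is enough to recompute F."""
    b, c = public
    other = c // known_prime
    return pow(b, -1, (known_prime - 1) * (other - 1))

def digest(fields, c):
    """Hash the certificate fields in a fixed order, reduced mod C for the toy key."""
    canonical = "\n".join(f"{name}={fields[name]}" for name in sorted(fields))
    return int.from_bytes(hashlib.sha256(canonical.encode()).digest(), "big") % c

def ca_sign(fields, ca_public, ca_private):
    """CA side: hash the fields, then transform the hash with the CA private key."""
    _, c = ca_public
    return pow(digest(fields, c), ca_private, c)

def verify_certificate(fields, signature, ca_public, today):
    """User side: undo the CA's transform with its public key and compare hashes."""
    b, c = ca_public
    if date.fromisoformat(fields["expiry"]) < today:
        return False                             # past the certificate expiry date
    return pow(signature, b, c) == digest(fields, c)

CA_PUBLIC, CA_PRIVATE = make_keypair(P1, P2)
A_PUBLIC, _ = make_keypair(2**19 - 1, 2**13 - 1)  # A's constructed toy key

# The six certificate fields listed in the glossary, with constructed values.
CERT = {
    "subject": "J. Doe",
    "public_key": f"{A_PUBLIC[0]},{A_PUBLIC[1]}",
    "algorithm": "RSA",
    "expiry": "1996-12-31",
    "issuer": "Big Company",
    "serial": "1001",
}
SIGNATURE = ca_sign(CERT, CA_PUBLIC, CA_PRIVATE)

if __name__ == "__main__":
    today = date(1995, 11, 7)
    print("genuine certificate:", verify_certificate(CERT, SIGNATURE, CA_PUBLIC, today))
    swapped = dict(CERT, public_key="17,999999")  # directory entry replaced by C
    print("substituted key:    ", verify_certificate(swapped, SIGNATURE, CA_PUBLIC, today))
```

Because the CA's signature covers the public key numbers together with the subject name, a key swapped in the directory no longer matches the signed hash and the check fails.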
Firewalls and Gateways

The purpose of firewalls and gateways is to make it possible to connect a computer with confidential information on it to another network which is not confidential and where the various users are not known to the first network.

Basically, a firewall is an access control, which controls who on a given network is permitted to send information to other networks, and who from the outside world is permitted to send information to that given network. Generally, the access depends on the user having been given the necessary privileges. Access by an approved user is then obtained by the user providing the necessary information, such as the user’s network address, user ID and password.

Generally, firewalls are configured to protect against unauthenticated interactive logins from the "outside" world. This, more than anything, helps prevent vandals from logging into machines on your network.

Normally if a user queries a system to find out who or what is connected to that system, all workstations or servers connected to the network would be identified. A firewall ensures that when a query is made in a public network, the connection to the organization’s network will not be made known in the response to the query, except to authorized users.

Some firewalls permit only e-mail traffic through them, thereby protecting the network against any attacks other than attacks against the e-mail service. Other firewalls provide less strict protections, and block only those services that are known to be problems. More elaborate firewalls block traffic from the outside to the inside, but permit users on the inside to communicate freely with the outside.

Firewalls are also important since they can provide a single "choke point" where security and audit can be imposed. Thus, the firewall can act as an effective "phone tap" and tracing tool.

Firewalls cannot protect against attacks that do not go through the firewall.
Users have been known, however, to bypass firewalls by installing a modem into their PC to allow remote dial-in. Firewalls cannot protect very well against things like viruses. There are too many ways of encoding binary files for transfer over networks, and too many viruses to try to search for them all. In other words, a firewall cannot replace security-consciousness on the part of users. In general, a firewall cannot protect against a data-driven attack — attacks in which something is mailed or copied to an internal host where it is then executed.

A secure gateway (or Trusted Guard) goes beyond the function of a firewall in that not only does it act as a firewall but has added features involving looking into each packet of information passing through it to or from an authorized user to ensure that no unauthorized information is enclosed in the packet. Current technology limits this to e-mail or EDI because specific information would reside in a specific format in a specific location. Artificial Intelligence must become much more advanced before this feature would be able to address general communications packets. An unsecure gateway may be thought of simply as an access point to a computer system.

Hacking (examples of vulnerability and attacks)

(much of the information below is drawn from “Network Confidential”, Joe Flower, New Scientist, October 1994, p. 27)

Any person who attempts to enter a computer or communications network without authorization is known as a hacker. Before personal computers became popular, “hackers” were known as “phreaks,” persons who attempted unauthorized use of telephone networks. At that time, “hackers” simply referred to persons who spent a lot of time working with computers, generally with no formal training in the computer operations they were running (there was no implication of illicit behaviour in the word).
The basic source of network vulnerability is that if a computer is attached to a wire, anything else that can connect to that wire can connect to that computer. Thus, if a computer is attached to a telephone wire, it is potentially attached to every telephone wire in the world. Getting to the computer is one problem, getting into the computer is a separate challenge.

There are many different ways to get to a computer that is connected to a telephone line. Trying to figure out which computer to go to can be done in a number of ways. One way is to assemble lists of people who participate in any of the Internet discussion groups. It is simple to capture the login identifiers (the electronic “address”) of everyone participating in the discussion. A program called “Finger” can then be used to gather details about the persons attached to the address, such as the user’s real name, and, if the person is using a computer service and it is a personal account, Finger can find other information associated with the account, such as the home phone number and address.

If a person wants to take part in a discussion group, it will be necessary to type in the person’s ID and password, which are transmitted unencrypted through dozens of different computers until they arrive at the computer where the discussion is actually hosted. Hackers can sneak into one of dozens of computers (Internet “nodes”) and set up a “sniffer” program that examines the address header accompanying each message that passes through the node. The sniffer copies the login ID, searches the message for anything that looks like a password, and sends the lists of login IDs and passwords back to the hacker.

There are also programs which can track everyone who reads particular newsgroups or conferences, even if they never contributed to them. So if a person even glances at a controversial discussion group out of one-time-only curiosity, the person could be recorded on a list somewhere.
Once a hacker identifies a target, the hacker will try to enter the system. The hacker can try to obtain a password in a number of ways, such as by tricking persons into revealing their codes, by finding passwords in trash bins, or by using automatic dialers to discover passwords. Dialers work by randomly generating possible passwords until the correct one is found. Generally, the dialers only work on relatively simple passwords.

Many computers comprise three separate systems: the mini-computer (and the data and programs stored there); the local area network (and the file servers located there); and the organization’s mainframe computers. Most end-users need to get at applications on all three systems. (Increasingly, for reasons of security, license requirements and quality and productivity control, it is desirable to make software available on a central computer or to distribute it to users from a central computer.) There is little or no correspondence between security on one system and another. “The only way to assign access levels system-wide is for the network manager to go in and do so on a user-by-user basis – a full-time career even in a mid-sized organization.”

On any system, there will always be a person with access rights to instal and alter the security software itself. This is known as the ‘systems administrator’ who has ‘super-user’ rights. Thus, hackers frequently seek to obtain ‘super-user’ rights.

Typically, there are two ways that hackers attempt to circumvent an access control package: they either alter the AUTOEXEC.BAT file or CONFIG.SYS files (which launch the security program) or start the workstation from a system disk in the A drive (thus bypassing the security system on the network or mainframe; using the A drive assumes the individual is physically present with the computer). Once entered through the A drive, it is possible to switch to the C drive to gain access to the network.
Some organizations take away disk drives from individual workstations to prevent this problem. It is also possible to add hardware to the workstation that prevents starting the computer from the A drive, but such devices cost hundreds of dollars each and are notorious for causing conflicts with other PC components. Another approach is to program the computer not to start from the A drive.

Most access control programs generate and store audit trails. However, the audit trail is not a deterrent for persons who use another user’s name, easily done if a person walks away from their machine while they are logged on (a common practice). To guard against this, most access control packages lock the computer after a period of inactivity and require a password to reactivate the computer. Passwords are frequently easy to guess, or to discover.

Hash (see encryption)

Integrity (see authentication and authorization)

Integrity of information means the information is accurate, complete and dependable. It is especially important to prove that a message sent from A to B has not been altered during transmission; that is, that the integrity of the message has been maintained.

Internet

An international network of computer systems which originally started out as a network of university and military research computers in the USA and which has rapidly grown to a worldwide network of unknown numbers of computers and networks. It was originally funded by the U.S. Department of Defence’s Advanced Research Projects Agency (ARPA). The network was originally called ARPANET. Eventually, the military part of the network (MILNET) was split off and the remaining part of ARPANET was decommissioned in 1990. However, its functionality continued under the National Science Foundation’s NSFNET, which became a prominent backbone of the Internet. Because the Internet is a “network of networks”, major networks within the overall Internet are called “backbones” of the Internet.
World Wide Web is an information (data, sound, graphics, etc.) search and retrieval service which allows a user to select keywords or phrases and then provides all matching information locations on the Internet.

FTP (file transfer protocol) allows one to transfer files to and from any computer linked to the Internet.

TELNET allows oneself to be teleported (so to speak) to a specific computer somewhere on the Internet and then to use that computer as if one were a user on site rather than an Internet user somewhere else in the world.

The Gopher service is a text search and retrieval service for the Internet, first developed at the University of Minnesota (whose sports team name is the Golden Gophers). It will go to multiple sites to search for particular subjects being sought. It finds the sources and tells you where the sources are. You then have to go to each location to retrieve the information.

World Wide Web provides a graphical user interface, search and retrieval of text and other kinds of electronic information, provides lists of sources, links files (hypertext) so you can go directly from one to another related file, and takes you directly to the source where the file is located.

Legacy System

A computer system using old technology which, for some reason, cannot immediately be updated or replaced. Consequently, provision must be made for it within the current or proposed IT system.

Non-repudiation

Proof that a message was sent by a particular person at a particular time, without being altered since being sent. This proof should be verifiable by any third party at any time. Without non-repudiation, persons could deny having sent certain messages, which could cause important problems, particularly in financial transactions. Thus, an essential part of any signature (digital or otherwise) is the difficulty that a person would have in repudiating what appears to be his or her signature.
Sensitive Information

There are two kinds of government information: sensitive and non-sensitive. There are two types of sensitive information: classified and designated. Classified information is information whose disclosure could harm the national interest and designated information is information whose disclosure could cause other kinds of harm. All other information is non-classified and non-designated.

Classified and designated information is divided into three categories reflecting the seriousness of harm that could result if the information is disclosed. For classified information, the three categories are Top Secret, Secret and Confidential. For designated information the three categories are extremely sensitive, particularly sensitive and low-sensitive (sometimes called Protected C, B and A, respectively).

The primary guide for determining whether information should be classified or designated is the various provisions of the Access to Information Act and the Privacy Act. The Security Policy provides an Invasion of Privacy test to determine which level of sensitivity should be given to particular kinds of personal information. The Security Policy also states that one of its fundamental principles is the “need-to-know” principle: classified and designated information should only be disclosed to individuals who have a legislated right to access the information or who have a need to access the information to perform their public service duties.

Smart cards (see advanced card technologies)

TEMPEST

One security officer has suggested that TEMPEST is an acronym for Transient Electro-Magnetic Pulse and Emissions Suppression Testing. Computers and keyboards give off electromagnetic and acoustic emanations which can be heard or monitored using appropriate equipment, and from the sounds or signals it can be determined what information is being communicated.
TEMPEST refers to the tests to see where this might be a particular problem. Generally, it would only be a problem where there is a strong likelihood that the information being communicated is of special interest to those few people (or countries) with the necessary equipment and staff resources to try to intercept such signals and sounds.

Tokens (see advanced card technologies)

Anything that can be used to identify the user. A smart card is a token. Some encryption devices, because they contain a mathematical formula or number which is unique to that device, can be a token.

Value Added Networks (VANs)

A third party communications network which arbitrates the flow of messages (usually commercial) between parties. The services provided typically include receiving, storing and forwarding messages on behalf of a party. VANs are generally used to overcome communications difficulties resulting from different time zones, communications protocols, technologies and to reduce the need for one party to establish large numbers of direct connections to other parties. A party can simply direct all its commercial partners to direct their messages to one location: its VAN.

Virus

A Trojan Horse that attaches itself to legitimate programs in a computer system and reproduces itself. Viruses have a mission component, a trigger component and a self-propagating component. They can damage a system simply by filling the memory due to having too many reproduced copies or requiring the system to do too many reproduction commands.

Trojan Horse: A computer program with an apparently or actually useful function that contains additional, hidden functions that operate once inside the computer system. Generally, Trojan Horses refer to hidden operations that cause damage to computer systems or that compromise the security of the system.

Worm: A program that creates a complete copy of itself. Unlike a virus, a worm does not need to attach to a host program.
Like a virus, a worm may access, alter, destroy, or consume system resources using the rights and privileges of its host program or user.

Bacteria (see virus, Trojan Horse, worm, bugs): A sub-class of viruses; malicious software that does not attach itself specifically to other programs, does not use network resources, but still has a damaging effect.

Logic bombs: A computer program that triggers an unauthorized act when particular circumstances on the system occur. For example, an individual working on a payroll program could instruct the computer to delete the hard drive when that individual’s name no longer appears on the payroll.

Time-Bomb: A computer program that triggers an unauthorized act at a particular time. A Time-Bomb is one kind of Logic Bomb. Many viruses include time-bombs so that damage is caused to stored data on a given date.

Bugs: A defect in a computer program. Most computer programs have bugs and most of the time spent developing a program is spent finding and eliminating the bugs.