
Information Security: The Big Picture – Part VI


DOCUMENT INFORMATION

Basic information

Title: Information Security: The Big Picture – Part VI
Author: Stephen Fried
Institution: SANS Institute
Field: Information Security
Type: essays
Year published: 2000
Format:
Pages: 37
Size: 662.18 KB



Information Security: The Big Picture - SANS GIAC © 2000 1

Information Security:

The Big Picture – Part VI

Stephen Fried

Certificates

• Certificates match an identity with a public key
• Similar to a driver’s license or passport
• Validated by a Certificate Authority
• Certificates have many uses
  – Encryption
  – Authentication
  – Verification

Most of us have either a driver’s license or a passport. These are official government documents that match an external representation of yourself (in this case, your picture) with an official recognition of your identity, for example a government or state seal. By using one of these documents you are reasonably able to prove your identity to someone (OK, many of us had fake driver’s licenses when we were kids, but let’s ignore those for now).

There is an equivalent concept in the information security world. It’s called a “certificate.” A certificate is a small piece of code that matches an external representation of yourself (in this case your public key) with an official recognition of your identity. So, for example, you might have a certificate that says “Public Key 12345 belongs to Alice Smith.” Like the Motor Vehicle Agency in the real world, there is an agency that certifies certificates in the computer world. It’s called a Certificate Authority, or CA. A CA is a group or agency that certifies and manages collections of certificates for use in encryption and verification purposes. We’ll talk more about Certificate Authorities in the next slide.

There are many uses for certificates, and more are being found every day. Essentially, every time you need access to someone’s public key, you can look up that person in the CA’s registry to get their key. And because the CA is supposed to validate the identity of the person before certifying their key, you can be reasonably assured that the key is legitimate for that person. Likewise, when you get a key and certificate from someone you can look them up in the CA to see if the key you got is indeed the legitimate key for that person.

X.509

• ISO Authentication Framework
• Provides for authentication across networks
• Binds unique name for a user to public key
• Provides structure for public key certificates
• Contains identifying info
  – version, algorithm, CA name, valid dates, etc.

If the world is moving toward the use of certificates, there must be some formal standard for specifying the use and format of certificates. There is, and it’s called the ISO Authentication Framework, more commonly known as the X.509 protocols. The X.509 standard provides the framework for handling authentication across systems and networks.

X.509 also defines a structure that public key certificates must follow in order to be universally accepted. There are three primary pieces of information contained in an X.509 certificate. The first is called the Distinguished Name, or DN. The DN is a unique name assigned to each user. The second is the user’s public key. Finally, the third important piece of information contained in an X.509 certificate is the digital signature of the Certificate Authority that has issued and certified the certificate. Without these three vital pieces of information, the certificate is useless in an authentication or repudiation sense.

These are not the only pieces of information contained in a certificate. A valid certificate also contains the version number of the certificate. There have been several versions of the X.509 format. The current version is version 3. There is also an identifier to indicate the encryption and signature algorithm used to sign the certificate. Without knowing what algorithm was used to sign the certificate there is no way of verifying the signature.

A certificate also contains validation dates. These are the date that the certificate was issued and the date it expires. Applications should always check to make sure a certificate they are using or accepting is still valid.

Certificate Issues

• Multiple CAs
• CA Trust

Like everything else in the information security world, the use of certificates is not as clean and easy as you might first think. This slide will describe some of the issues you may need to be concerned with before you begin using certificates.

The first, and most important, fact is that there is no single Certificate Authority for everyone. Maybe someday there will be, but for now we must deal with the fact that there will be multiple CAs for a long time to come. There can also be many different forms of CAs. You may have a CA run by your employer that certifies keys for your business dealings, you may have a second CA run by your bank that certifies your keys for handling Internet purchases, and you may have a third CA run by your brokerage for your stock trading account. Consider the situation as similar to the credit card industry today. You probably have more than one credit card and you use each for different types of purchases. However, the credit card industry is mature enough that you can pretty much be assured that whatever card you use, it will most likely be accepted by any merchant. Of course, there are still the odd cards that are used for specialty applications. For example, the card issued by your wholesale grocery club probably won’t be accepted for the purchase of an airline ticket. By and large, most of the major cards are accepted everywhere.

Unfortunately, the CA industry is not that mature. For now, each CA must issue and manage its own certificates. So, for instance, you generally cannot assume that the key managed by your business CA will be recognized by your bank’s CA, and vice versa. The good news is that the situation is changing slowly. We are beginning to see small alliances of CAs that will trust each other’s certificates. For instance, two companies that do a lot of work together might instruct their respective CAs to accept and trust certificates from either of the companies. In this way, a person from Company A can send a certificate to a person in Company B. The person in Company B will look up the certificate in Company B’s CA. Company B’s CA will recognize that the certificate was issued by Company A and, since it trusts Company A’s authority to issue certificates, sends back a reply to

Certificate Issues

• Certificate chaining
• Certificate revocation
• The Public Key Infrastructure

Certificate chaining is another issue that must be dealt with. To show an example of certificate chaining, imagine that HiTech, Inc., a PC manufacturing company, wants to set up their own in-house CA. Unfortunately, none of the software in use at HiTech will recognize HiTech as a CA. So, they contract with CertCo, a commercial Certificate Authority, to set up the HiTech CA. In order to allow applications to recognize the HiTech CA automatically, they chain their certificates to CertCo. So, when a HiTech user tries to verify a certificate issued by the HiTech CA, it will not initially trust it. However, if it starts going up the CA chain it will see that the issuing CA for HiTech is CertCo. Now there’s a name it can trust! I could probably go further, but I think you get the idea. Although this is a bit of a contrived example, certificate and CA chaining can be a practical solution in situations where technical, geographic, organizational, or legal restrictions prevent the use of a single CA for everybody.

As people begin to use certificates more and more, there will be a need to revoke certificates. People will move, change names or job functions, have their certificates stolen, and so on, and the certificates associated with their former roles will need to be revoked and replaced with new certificates. This process is called certificate revocation. In theory, certificate revocation should be easy, but in actuality it’s very hard. A large part of this is that the Certificate Authority “industry” (for lack of a better term) is still in its infancy.

Some of you may be old enough to remember back when credit cards were first coming into widespread use. When you went to a merchant and handed them your card, they didn’t swipe it through a reader and wait for a reply from credit card central to see if your card was valid or not. In those days, each merchant had a little booklet full of thousands of invalid or revoked card numbers. They would look up your number in the book and if it was there it meant your card was invalid. If your number wasn’t there it meant the card was OK and they would continue to process your charge. It was a large, manual, painful system for both the merchant and the customer, but it worked because new technology hadn’t yet been developed to automate the transaction. Well, Certificate Authority technology is in the same stage of development as credit card books were in. There are many processes that are difficult, manual, and sometimes painful to go through, but eventually somebody will develop technology that will tie it all together. Let’s just hope that day comes sooner rather than later.

Finally, a last word about encryption and certificates. All the things we have discussed in the last few slides – the encryption, certificates, certificate authorities, trust, chaining, revocation, etc. – are all part of a concept called the Public Key Infrastructure, or PKI. PKI is a concept used to describe all the processes, policies, procedures and
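The pieces the last few slides describe can be exercised together in one small model: the three X.509 fields (Distinguished Name, public key, issuing CA's signature) plus version, algorithm identifier and validity dates; the HiTech CA chained to CertCo; and a revocation list consulted before a certificate is accepted. The Python below is an added example, not code from the SANS course or from any real CA or library. Everything in it is constructed for illustration: textbook RSA on fixed small primes stands in for the CA's real signature algorithm, a sorted JSON encoding stands in for the real DER encoding of the to-be-signed fields, and the CertCo, HiTech and Alice names, serial numbers and dates are invented.

```python
import hashlib
import json

# Textbook RSA on small fixed primes, constructed for this illustration only: it is
# trivially factorable and stands in for the CA's real signature algorithm.
def make_keypair(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": e}, {"n": n, "d": pow(e, -1, phi)}

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    return pow(_digest(data, priv["n"]), priv["d"], priv["n"])

def verify(pub, data, sig):
    return pow(sig, pub["e"], pub["n"]) == _digest(data, pub["n"])

def tbs_bytes(cert):
    """Canonical encoding of the to-be-signed fields (everything except the signature)."""
    tbs = {k: v for k, v in cert.items() if k != "signature"}
    return json.dumps(tbs, sort_keys=True).encode()

def issue(subject, subject_pub, issuer, issuer_priv, serial, not_before, not_after):
    """Assemble the fields the slide lists (version, algorithm, CA name, validity
    dates, DN, public key) and have the issuing CA sign them."""
    cert = {"version": 3, "serial": serial, "sig_alg": "toy-rsa-sha256",
            "issuer": issuer, "subject": subject, "public_key": subject_pub,
            "not_before": not_before, "not_after": not_after}
    cert["signature"] = sign(issuer_priv, tbs_bytes(cert))
    return cert

def verify_chain(cert, store, trusted_roots, crl, today, max_depth=5):
    """Walk from the presented certificate up the issuer chain to a trusted root.
    store: subject DN -> certificate; trusted_roots: DNs trusted a priori;
    crl: set of (issuer DN, serial) pairs the issuers have revoked; today: ISO date."""
    for _ in range(max_depth):
        if not (cert["not_before"] <= today <= cert["not_after"]):
            return False, f"{cert['subject']}: outside validity period"
        if (cert["issuer"], cert["serial"]) in crl:
            return False, f"{cert['subject']}: revoked by {cert['issuer']}"
        if cert["issuer"] == cert["subject"] and cert["subject"] not in trusted_roots:
            return False, f"{cert['subject']}: self-signed but not a trusted root"
        issuer = store.get(cert["issuer"])
        if issuer is None:
            return False, f"{cert['subject']}: issuer {cert['issuer']} is unknown"
        if not verify(issuer["public_key"], tbs_bytes(cert), cert["signature"]):
            return False, f"{cert['subject']}: signature does not verify under {cert['issuer']}"
        if cert["issuer"] in trusted_roots:
            return True, f"chain ends at trusted root {cert['issuer']}"
        cert = issuer  # one level up; the same checks now apply to the intermediate CA
    return False, "chain too long"

# Constructed sample PKI following the slide: CertCo is the commercial root, HiTech
# chains its in-house CA to CertCo, and Alice holds a certificate from the HiTech CA.
CERTCO_PUB, CERTCO_PRIV = make_keypair(1000003, 1000033)
HITECH_PUB, HITECH_PRIV = make_keypair(1000037, 1000039)
ALICE_PUB, _ = make_keypair(1000081, 1000099)
CERTCO_ROOT = issue("CN=CertCo Root CA", CERTCO_PUB, "CN=CertCo Root CA", CERTCO_PRIV,
                    1, "2000-01-01", "2010-01-01")
HITECH_CA = issue("CN=HiTech CA", HITECH_PUB, "CN=CertCo Root CA", CERTCO_PRIV,
                  2, "2000-01-01", "2005-01-01")
ALICE = issue("CN=Alice Smith,O=HiTech Inc", ALICE_PUB, "CN=HiTech CA", HITECH_PRIV,
              3, "2000-06-01", "2001-06-01")
STORE = {c["subject"]: c for c in (CERTCO_ROOT, HITECH_CA, ALICE)}
TRUSTED = {"CN=CertCo Root CA"}

def run_checks():
    """The chain walk against each failure mode the slides raise."""
    tampered = dict(ALICE, subject="CN=Mallory,O=HiTech Inc")  # edited after signing
    return {
        "valid": verify_chain(ALICE, STORE, TRUSTED, set(), "2000-09-01")[0],
        "expired": verify_chain(ALICE, STORE, TRUSTED, set(), "2002-01-01")[0],
        "revoked": verify_chain(ALICE, STORE, TRUSTED, {("CN=HiTech CA", 3)}, "2000-09-01")[0],
        "untrusted_root": verify_chain(ALICE, STORE, set(), set(), "2000-09-01")[0],
        "tampered": verify_chain(tampered, STORE, TRUSTED, set(), "2000-09-01")[0],
    }

if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(f"{name:15s} {'accepted' if ok else 'rejected'}")
```

Two design points carry over to real deployments: every certificate on the path, not just the leaf, gets the date and revocation checks, and a self-signed certificate is accepted only when its DN is in the trust list, so the HiTech CA alone can never anchor a chain.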

• Check with legal counsel before importing or exporting your encryption technology

If you plan to use encryption globally for your business you should be aware that many countries, including the United States, restrict the use of encryption technology in some form or another. The term “encryption technology” is somewhat vague and is interpreted differently by different countries, but it usually means either hardware or software that can be used to encrypt information for storage or transmission.

The restrictions usually fall into one of three categories.

First is import. Some countries restrict the importation of encryption technology. This means you can’t bring encryption devices or software into the country without some sort of license or permit from the government. Some countries do not allow any encryption at all to be imported.

The second area is export. Some countries restrict the export of encryption technology out of the country. The US is among these, but recent changes in the export laws have relaxed the restrictions somewhat.

The final area is called domestic use. Some countries restrict the use of encryption within their borders, either by their citizens or by non-resident foreign nationals.

As stated before, the laws and regulations change from country to country, they often change without notice, and understanding the various laws takes a lot of skill and education. If you are planning to use or distribute any product or service that uses encryption you should always consult an attorney.

Privacy

• “The right to be left alone”
• Interpreted differently in different countries
• Is often mandated by law
• Is often expected on the Internet
• Personal privacy vs corporate privacy
• Companies should have a “privacy policy” for customer information
• Individuals should expect one

Privacy means many things to many people. Supreme Court Justice Louis Brandeis once stated that “privacy is the right to be left alone.” However, that is just one facet of privacy. Generally, privacy is the expectation that personal information about yourself (for example your physical characteristics, your friends, your medical information, or your political beliefs, etc.) is your property and the decision as to whether anyone else has the right to know that information should be yours and yours alone.

Privacy is also interpreted differently in different legal systems. In the United States, the right to privacy is not explicitly granted in the Constitution, but court cases and legal precedents have given US citizens certain specific rights to privacy. In other countries, privacy is an explicit right given to the people by their governments. Unfortunately, however, there are still some countries where citizens have no right to privacy at all.

There is also a difference in your privacy rights when you are acting as an employee of a company. Although you may have privacy protection under your country’s laws, many companies specifically tell their employees that within their roles as employees they have no privacy. The company may have the right to examine your work, your e-mail, your phone conversations, or anything else you may do as an employee of the company. You should check with your employer to see what your company’s policy is.

Whether or not a specific country or company affords its people privacy rights, privacy is something citizens of the Internet have come to expect in many of the transactions that occur every day, particularly when dealing with business or financial transactions. As you wander through the Internet, you leave little traces of yourself and your travels at every site you visit. However, there are many services available which will allow you to retain some of your privacy on the Internet. Anonymous remailers will alter your e-mail so that the recipient will not know who it was sent by. And Web anonymizers will strip out all identifying information from your browser transmissions so that web sites you visit cannot identify you.

Over the past few years, the concept of a “privacy policy” has come into existence. A privacy policy tells customers or associates of a company how that company will use personal information about them. Privacy policies vary from company to company, but most deal with collection of personal information, giving or selling of that information to other companies, and giving the customer the option of correcting or removing their information from the company’s databases. As the concept becomes more and more prevalent, customers will

OECD Privacy Guidelines

• “Guidelines on the Protection of Privacy and Transborder Flows of Personal Data”
• Regulate collection and flow of personal information between EU countries
• Provides that member countries must conform to existing privacy laws
  – Extends to those exchanging personal data with member countries
• “Personal Data” means any information relating to an identified or identifiable individual

In response to the growing concern over privacy on the web, and the apparent lack of care that many organizations take to protect the privacy of their customers and employees, the Organization for Economic Cooperation and Development (OECD) developed the “Guidelines on the Protection of Privacy and Transborder Flows of Personal Data,” more commonly known as the EU (for the European Union) Privacy Directive. The Privacy Directive was one of the first organized international attempts to make protection of personal information a matter of law and subject to legal, and more importantly, economic penalties for failure to afford such protections. The guidelines were originally developed in 1980 and became fully effective in the fall of 1998.

The overall principle of the Guidelines is that organizations must regulate the collection and flow of personal information about people. This includes protecting the information within an organization and particularly when transferring the information between EU countries and between EU members and non-EU members. The Guidelines state that EU member countries must abide by existing national and international privacy laws. This also extends to non-member countries that need to exchange personal data with member countries.

The EU Guidelines center around the concept of “Personal Data.” This is also often referred to as Personally Identifiable Information (PII). Personal Data is any information that relates to an identified person, or that can easily lead to the identification of an unknown person. Thus, information such as “half the people in this group have a rare disease” is not necessarily considered Personal Data, whereas “John, Mary, and Sue have a rare disease” would be considered personally identifiable information. Another example would be to say that the statement “the person living at 123 Main Street is a Communist” contains personal data, because even though a specific person was not named, if there is only one person living at 123 Main Street you’ve pretty much got them pegged.

The Privacy Directive states that member countries must take all reasonable and appropriate steps to ensure that transborder flows of personal information are uninterrupted and secure. They must permit free flow to countries that comply with the guidelines, but they may restrict certain types of data. In addition, member countries must avoid developing laws that would create obstacles to transborder flows of personal data that are overly excessive. They must provide the means by which individuals can enforce their privacy rights and ensure that there is no unfair discrimination against the subjects of data collection.

OECD Privacy Directive Principles

The Privacy Directives have 8 distinct principles that EU members must abide by.

The Collection Limitation Principle states that there should be no limits to the collection of personal data; any such data should be obtained by lawful and fair means and, where appropriate, with the consent of the data subject.

The Data Quality Principle states that personal data should be relevant to the purposes for which it is to be used and should be accurate, complete, and kept up-to-date.

The Purpose Specification Principle states that the purposes for which personal data are collected should be specified not later than at the time the data is collected. In addition, subsequent use should be limited to the fulfillment of those purposes.

The Use Limitation Principle states that personal data should not be disclosed, made available or otherwise used for purposes other than those specified without the consent of the data subject or by authority of law.

The Security Safeguard Principle states that personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification, or disclosure.

The Openness Principle states that there should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.

The Individual Participation Principle states that an individual should have the right to find out if there is personal data collected about them, to obtain this information at a reasonable charge, to appeal any denial of access to such information, and to challenge data relating to them and, if successful, to have the data erased, rectified, completed, or amended.

The Accountability Principle states that a data controller should be accountable for complying with measures which are related to the other principles.

Privacy’s “Safe Harbor”

• US approach is different from the EU approach
• Concerns with “adequacy” standard
• Organizations within the “Safe Harbor” would be presumed “adequate”
• Organizations can come within Safe Harbor by self-certification

While the OECD guidelines work fine for members of the European Union, they do not necessarily coincide with practices in other parts of the world, particularly in the US. The US approach to privacy is markedly different from the EU’s. In the US, citizens have an expectation of privacy in many circumstances and that expectation has been upheld by several landmark court cases. However, the US does not have a national privacy law as many European countries do. Privacy laws are mostly left up to the various states to implement, making national enforcement next to impossible. The end result is that different organizations in the US treat privacy differently.

Unfortunately, the OECD guidelines specify that member states should not transfer personal data to any country that does not provide an adequate level of privacy protection. Since there is no standardization of privacy policies in the US, most US companies technically would not pass this adequacy standard. It is for this reason that the US Department of Commerce began discussions with the European Commission to create a “safe harbor” for US companies that choose to voluntarily adhere to certain privacy principles.

According to the proposal, organizations within the safe harbor would have a presumption of adequacy, and transfers from the European Community to them could continue. Organizations could come within the safe harbor by self-certifying that they adhere to certain privacy principles.

According to the safe harbor proponents, the proposal has several advantages. First, it provides for adequate privacy protection for European citizens. It also reflects the US views on privacy and allows for relevant US legislation and public interest requirements. Finally, it provides a predictable and cost-effective framework for the private sector.

The Safe Harbor principles have been in discussion for over a year and talks have stalled several times. If passed, it would open up a large opportunity for US companies that are now threatened with an inability to share information with their European counterparts.

Privacy Organizations

• TRUSTe (www.truste.org)
• EPIC (www.epic.org)
• Privacy Alliance (www.privacyalliance.org)
• EFF (www.eff.org)

There are many organizations that are concerned with privacy issues, both in the on-line and off-line worlds. This slide lists several of them, although there are others. Information about these organizations was taken primarily from each organization’s web site.

TRUSTe is an independent, non-profit privacy organization whose mission is to build users’ trust and confidence on the Internet and, in doing so, accelerate growth of the Internet industry. A cornerstone of the TRUSTe privacy program is the branded online seal, or “trustmark.” TRUSTe awards the seal to web sites that adhere to established privacy principles and agree to comply with their oversight and consumer resolution process. A displayed trustmark signifies to online users that the web site will openly share, at a minimum, what personal information is being gathered, how it will be used, with whom it will be shared, and whether the user has an option to control its dissemination. Based on such disclosure, users can make informed decisions about whether or not to release their personally identifiable information (e.g. credit card numbers) to the web site.

The Electronic Privacy Information Center (EPIC) is a public interest research center in Washington, D.C. It was established in 1994 to focus public attention on emerging civil liberties issues and to protect privacy, the First Amendment, and constitutional values.

The Online Privacy Alliance is a cross-industry coalition of more than 80 global companies and associations committed to promoting the privacy of individuals online. The Alliance is an ad hoc organization. Its sole purpose is to work over the coming year to define privacy policy for the new electronic medium and to foster an online environment that respects consumer privacy. Alliance supporters include some of the biggest names in e-commerce, as well as smaller start-up ventures and companies not routinely associated with cyberspace. The group’s stated mission is to lead and support self-regulatory initiatives that create an environment of trust and that foster the protection of individuals’ privacy online and in electronic commerce.

The Electronic Frontier Foundation (EFF) is a non-profit, non-partisan organization working in the public interest to protect fundamental civil liberties, including privacy and freedom of expression, in the arena of computers and the Internet. EFF was founded in 1990, and is based in San Francisco, California, with offices in Washington, DC, and New York City. The Electronic Frontier Foundation has been established to help civilize the electronic frontier; to make it truly useful and beneficial not just to a technical elite, but to everyone.

• World Wide Web Security
• Information Secrecy & Privacy
• Identification and Access Control
• Programmatic Security
• Conclusion

Identification and Access Control are two fundamental concepts in information security. In this section we will examine both concepts, discuss their differences and relationships, and look at various methods for handling both in a real-world environment.

Identity: Who Are You?

• Identification – describing who you are
• Authentication – proving you are who you say you are
• Authorization – determining where you can go

A large part of information security is based on being able to identify yourself, proving that identity, and then using that identity to enable you to access the systems, information, and resources you need.

Identification is the process of describing who you are. In real life you may have many different identities. Depending on the situation, a typical person might have the following identities.

• Angela Marie Smith – the name on her passport
• Angie Smith – the name her friends call her
• A M Smith – the name on her business card
• 135-35-1275 – her Social Security number (I just made this up, by the way)
• asmith – all one word, her user ID on her computer

And so on. All these identifiers can be used to describe the same person. How do you tell them apart? And how do you keep from confusing one Angela Smith with another? The answer is in the concept of authentication.

Authentication is the process of taking an identifier and combining it with some piece of information that is unique to the identifier and that only the one person associated with that identifier would know. The most common type of authentication is the password. When you log into a computer you give it an identifier. For this example we will use the identifier asmith. The computer has a listing for asmith but it needs some way of verifying you are really asmith before letting you in. So, it then asks you for a password. You give it one, and the computer checks that password against the one it has stored for asmith. If they match, it knows that you are asmith, and it knows this with a pretty high degree of certainty because you know asmith’s password.

There are many other forms of authentication used in our everyday lives. When you call the customer service number at a bank, you may be asked to provide your mother’s maiden name or your Social Security number. Many secret clubs have a secret code word or handshake to prove the user belongs in the club. No matter what form the authentication takes, they all serve to prove the identity of the person.

Once you know who someone is, and you have reasonably proven they are who they say they are, you need some way to tell you where they can go in your system or service and what they can do there. The process of describing these restrictions is called authorization. For example, you may want to keep your research people out of the accounting group’s files. You instruct the computer to place a little marker tag on the files the accounting group uses indicating that the research department is not authorized to see those files. When someone in your research department logs into the computer and is authenticated, their ID will be tagged as belonging to the research department. If they try to access the accounting files, the computer will compare the two tags and see that the research ID is not authorized for accounting files, so the computer will not allow this user to see them. This is a simplified example and authorization schemes can get quite complex.
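The asmith login and the research/accounting tagging just described, carried through in working code as an added example that is not part of the original course. The user IDs, passwords, department names and file paths are constructed. One deliberate change from the slide text: instead of keeping the password itself and comparing against it, the account store keeps a per-user random salt and a PBKDF2 hash, and the comparison is constant-time, so a copy of the store does not hand out everyone's passwords.

```python
import hashlib
import hmac
import os

USERS = {}  # user ID -> {"salt", "hash", "dept"}; constructed in-memory account store

def hash_password(password, salt, iterations=100_000):
    """Salted, deliberately slow hash: the system keeps this, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def register(user_id, password, department):
    """Identification: the user ID names the account; the department is its tag."""
    salt = os.urandom(16)
    USERS[user_id] = {"salt": salt, "hash": hash_password(password, salt), "dept": department}

def authenticate(user_id, password):
    """Authentication: prove the claimed ID by presenting what only its owner knows.
    Returns a session carrying the department tag, or None."""
    record = USERS.get(user_id)
    if record is None:
        hash_password(password, b"\x00" * 16)  # same cost for unknown IDs and wrong passwords
        return None
    if not hmac.compare_digest(hash_password(password, record["salt"]), record["hash"]):
        return None
    return {"user": user_id, "dept": record["dept"]}

# Constructed file tags: the department tags permitted to read each file.
FILE_ACL = {
    "/accounting/ledger.xls": {"accounting"},
    "/research/prototype.doc": {"research", "accounting"},
    "/shared/handbook.txt": {"research", "accounting", "hr"},
}

def authorized(session, path):
    """Authorization: compare the session's tag with the file's tags; unknown files deny."""
    return session is not None and session["dept"] in FILE_ACL.get(path, set())

def demo():
    register("asmith", "correct horse battery staple", "research")  # constructed credentials
    register("bjones", "ledger-keeper-2000", "accounting")
    alice = authenticate("asmith", "correct horse battery staple")
    bob = authenticate("bjones", "ledger-keeper-2000")
    return {
        "wrong_password": authenticate("asmith", "guess") is None,
        "unknown_user": authenticate("nobody", "guess") is None,
        "research_reads_research": authorized(alice, "/research/prototype.doc"),
        "research_reads_accounting": authorized(alice, "/accounting/ledger.xls"),
        "accounting_reads_accounting": authorized(bob, "/accounting/ledger.xls"),
        "unknown_file": authorized(alice, "/accounting/secret.xls"),
        "unauthenticated": authorized(authenticate("asmith", "guess"), "/shared/handbook.txt"),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:28s} {result}")
```

The three steps stay separate on purpose: identification only names an account, authentication turns that name into a session with a tag, and authorization never looks at the password, only at the tag the session carries.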

Password Problems

• Passwords are easy to guess
• People choose bad passwords
• Dictionary attacks
• How to choose good passwords

Passwords have been around as long as people have needed to prove who they are. Passwords work because they are easy for people to understand. Unfortunately, because people want them to be easy to remember, they usually pick passwords that are easy to guess. How many of you use passwords or PIN numbers that are based on your name, your spouse’s name, your dog’s name, your birthday, anniversary date, etc.? We use these because we can remember them. However, all a potential attacker needs to do is find out some basic information about you (which is not that difficult to do) and start trying to guess your password from there. In addition, many people use simple, ordinary words as passwords. So all an attacker needs to do is use a process called a dictionary attack. A dictionary attack takes a dictionary and systematically tries every word in that dictionary trying to guess the password. Since people tend to use simple words, dictionary attacks are incredibly successful.

So how do you stop dictionary attacks? The best way is to use a password that is difficult to guess. Use the maximum number of characters for your password that your system will allow. Use numbers or special characters, such as ampersands, asterisks, parentheses, etc. Replace letters with numbers, for example use a ‘3’ instead of an ‘E’, use a dollar sign instead of an “S,” and so on. Anything you can do to make the process of guessing your password more difficult is a good thing.

You should also change your password regularly. If you change your password often, you are more likely to notice if someone else has changed it. Also, passwords that change regularly trip up attackers that are using your password without your knowledge.

Never give out your password to anyone, not even your friends or co-workers. If you absolutely must give it to someone, like a help desk or support technician, be sure to change it immediately (as soon as they are done doing whatever it is that they need your password for).

A good rule of thumb for passwords is this: Passwords are like a toothbrush – use it daily, change it regularly, and don’t share it with a friend.

There are some other, more advanced alternatives to passwords, and they will be covered in the next slide.
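A defender-side check for the problems this slide describes, written as an added example that is not part of the SANS material: a system can refuse a new password that is short, that uses too few kinds of characters, that is a dictionary word, or that is built on personal details such as a pet's name. It undoes the digit-for-letter substitutions the slide suggests before consulting the dictionary, because the wordlists used in dictionary attacks apply those same substitutions, so ‘P@$$w0rd’ should be treated as ‘password’. The wordlist, the substitution table and the sample passwords are all constructed.

```python
import string

# Constructed wordlist standing in for the dictionary an attacker would try.
DICTIONARY = {"password", "secret", "welcome", "angela", "smith", "fluffy", "summer",
              "letmein", "qwerty", "monkey"}

# Substitutions people make to disguise a word; cracking wordlists undo them too.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i", "0": "o",
                      "$": "s", "5": "s", "7": "t"})

def _trim(s):
    """Strip the digits and symbols people tack onto the ends of a word."""
    return s.strip(string.digits + string.punctuation)

def word_variants(candidate):
    """Forms of the password to look up: lowercased and trimmed, with the
    substitutions undone both before and after trimming."""
    low = candidate.lower()
    return {_trim(low), _trim(low).translate(LEET), _trim(low.translate(LEET))}

def check_password(candidate, min_length=12, personal_words=()):
    """Return the reasons a password is weak; an empty list means it passes."""
    reasons = []
    if len(candidate) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    classes = (any(c.islower() for c in candidate), any(c.isupper() for c in candidate),
               any(c.isdigit() for c in candidate), any(c in string.punctuation for c in candidate))
    if sum(classes) < 3:
        reasons.append("uses fewer than three of: lowercase, uppercase, digits, symbols")
    hits = DICTIONARY & word_variants(candidate)
    if hits:
        reasons.append(f"dictionary word {sorted(hits)[0]!r} once substitutions are undone")
    low = candidate.lower()
    for word in personal_words:  # e.g. the user's name or pet's name from the account record
        if word.lower() in low or word.lower() in low.translate(LEET):
            reasons.append(f"built on personal information {word!r}")
    return reasons

if __name__ == "__main__":
    for pw in ("P@$$w0rd", "fluffy2000!", "Blue-Tractor_Sings-1987"):
        print(pw, "->", check_password(pw, personal_words=["Fluffy", "Angela"]) or "ok")
```

The length rule is checked first and independently of the others: a long passphrase made of several unrelated words passes even though each word alone might be in the dictionary, which is the behaviour the slide's “use the maximum number of characters” advice calls for.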

Trang 15

Information Security: The Big Picture - SANS GIAC © 2000 15

Three Types of Authentication

• Something you know

Over the past several years, there have been some technologies that have sought to replace simple passwords for authentication. There are three characteristics, or factors, that are generally accepted for authentication.

The first is something you know. This is where simple passwords come in. A password or PIN is something that you alone know in relation to your identity. If this is all you rely on for authentication, it is called one-factor authentication.

Two-factor authentication combines something you know with something you have. The "something you know" is your password or PIN. The "something you have" is usually a small device called a token or a smartcard. The token generates some form of random digit or character sequence that is unique for each user. A smartcard is a credit-card-sized card that has built-in memory and a processor to generate password information. Two-factor authentication is much more reliable than single-factor authentication because you must have physical possession of the token device in order for the system to work. Physically stealing something is much more difficult than just guessing a password. You will probably notice the device is gone, whereas you will never notice your password missing.

Two-factor authentication can also substitute something you are for the something you have. The "something you are" is usually a unique physical characteristic you have, such as a fingerprint, retina pattern, or palm print. These characteristics are called "biometrics." Even better than the token device, biometrics are extremely hard to steal or duplicate. However, the use of biometric technology in commercial applications is still in its infancy. You can be sure this is an area that will be maturing dramatically over the next several years.

If you combine all three areas – something you know, something you have, and something you are – it's called three-factor authentication. You will very rarely see all three factors used for authentication, but it can be found in some military and government situations where absolute

Page 16

In the early days of computing, each system handled user authentication itself. When a user logged in, the system took the user ID and password and processed it locally. This worked fine for a while; however, it quickly became unmanageable when users started accessing more than one system and these systems became networked together. Also, with the advent of stronger forms of user authentication beyond simple passwords, more advanced authentication protocols were needed.

The four protocols listed on this slide represent the most common protocols in use today. They will be discussed in detail in the following slides.

Page 17

Password Authentication Protocol (PAP)

• Automated identification and authentication of remote entity
• Uses static, replayable password
• Used by most network devices
• Weak authentication

The Password Authentication Protocol (PAP) was one of the first protocols in widespread use and is one of the most basic. PAP uses a static password for authentication, and it provides that password whenever it is requested. The PAP protocol is supported on many types of network devices, particularly older devices that have not yet implemented one of the newer authentication protocols.

One of the basic problems with PAP is that the password never changes and it is sent to the authentication device in the clear over the network. If an attacker learns the password for the device (which is generally easy to do), they will be able to replay that password to authenticate their own device. In general, PAP is seen as a weak protocol.

Page 18

Challenge Handshake Authentication Protocol (CHAP)

• Similar to PAP but uses a stronger authentication process
• Uses non-replayable, challenge-response dialog to verify identity
• Used by many communications devices (e.g. routers) to authenticate remote entity before linking two networks together
• Used by many remote access servers

A stronger authentication protocol than PAP is the Challenge Handshake Authentication Protocol (CHAP). CHAP uses a process known as challenge-response. In challenge-response systems, a server issues a "challenge" to the client, usually in the form of a number or code sequence. The client then uses that challenge as part of some algorithm or process to develop a response. The client then sends the response back to the server. The server analyzes the response to determine if it is the correct response for that particular challenge. If it is correct, the authentication is confirmed. If it is incorrect, the authentication is rejected.

Challenge-response systems are stronger than straight password systems because they require the server and client to have knowledge of each other or a common knowledge of a shared secret. Unless both sides of the connection work properly, using the proper information, the user cannot be authenticated.
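The following added example (not from the original course material) simulates both sides of the two protocols described on the PAP and CHAP slides, so the difference in replay resistance can be seen directly. PAP is modelled as the client sending its static password; CHAP uses the construction from RFC 1994, where the response is MD5(identifier || shared secret || challenge). The peer name, secret and function names are constructed for this illustration.

```python
import hashlib
import hmac
import os

# Constructed shared secret for the simulation (assumption: one peer, "alice").
SECRETS = {"alice": b"s3cr3t-shared-key"}


# PAP: the client sends its static password in the clear, every time it is asked.
def pap_client_message(peer_id: str, password: bytes) -> tuple:
    return (peer_id, password)  # exactly what an eavesdropper on the link sees


def pap_server_verify(message: tuple) -> bool:
    peer_id, password = message
    return SECRETS.get(peer_id) == password


# CHAP (RFC 1994): the server sends a random challenge plus an identifier; the
# client answers with MD5(identifier || shared secret || challenge). The secret
# never crosses the link, and each response is bound to one challenge.
def chap_server_challenge() -> tuple:
    return (os.urandom(1)[0], os.urandom(16))  # (identifier, challenge)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_client_message(peer_id: str, secret: bytes, identifier: int, challenge: bytes) -> tuple:
    return (peer_id, identifier, chap_response(identifier, secret, challenge))


def chap_server_verify(message: tuple, identifier: int, challenge: bytes) -> bool:
    """Check a response against the challenge the server actually issued."""
    peer_id, msg_identifier, response = message
    if peer_id not in SECRETS or msg_identifier != identifier:
        return False
    expected = chap_response(identifier, SECRETS[peer_id], challenge)
    return hmac.compare_digest(expected, response)


def replay_demo() -> dict:
    """Record one legitimate login of each protocol, then present it again later."""
    captured_pap = pap_client_message("alice", SECRETS["alice"])
    pap_replay_accepted = pap_server_verify(captured_pap)  # static password: accepted again

    ident1, chal1 = chap_server_challenge()
    captured_chap = chap_client_message("alice", SECRETS["alice"], ident1, chal1)
    chap_first_accepted = chap_server_verify(captured_chap, ident1, chal1)
    ident2, chal2 = chap_server_challenge()  # the next login gets a fresh challenge
    chap_replay_accepted = chap_server_verify(captured_chap, ident2, chal2)
    return {"pap_replay_accepted": pap_replay_accepted,
            "chap_first_accepted": chap_first_accepted,
            "chap_replay_accepted": chap_replay_accepted}
```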

Posted: 04/11/2013, 12:15
