COMMERCIAL INFORMATION SECURITY, TIGER TEAMS AND ENCRYPTION

By Randall K. Nichols
President, COMSEC Solutions
5953 Long Creek Drive
Corpus Christi, TX 78414

Copyright 1997 All Rights Reserved
Revision 8, 14 May 1997
For Presentation 4 August 1997 at the E/C Conference Breakout Session 2, Arlington, VA, NCSA Hosting

ABSTRACT

This paper addresses a wide variety of commercial computer security issues and tenders solid countermeasures for protection. The author favors formation of Tiger Teams to identify security threats and weaknesses, the application and wide communication of policies and standards to employees, and the use of encryption at multiple levels (communication and computer system) as an effective threat countermeasure. Adherence to policies and standards must be enforced. To that end, companies need to monitor their information security programs via random computer surveillance audits. The result is a cost-effective recipe for commercial computer security.

ACKNOWLEDGMENTS

I would like to thank Dr. Gerhard D. Linz, Dr. Jules M. Price, Bob Reynard, Henry J. Siano, David L. Smith, Dr. George H. Foot, Dr. David H. Hamer, and ACA colleagues for their intelligent and helpful review of my paper.

ROADMAP

This paper is divided into three sections. The first section explores the need for commercial information and computer security. After a short introduction of "horror stories", the primary objectives and issues relating to information security are presented. A section on customers and the trade-offs that must be considered is completed with a look at a hypothetical model for security engineering. A second section develops the concept and use of Tiger Teams to address information security issues and recommend solutions to exposed problems. Tiger Teams work within boundaries. Their procedures are based on well-known ISO standards accepted by companies worldwide. Of special note is the section on penetration of computer systems.
Klein's survey of password vulnerability is presented to show how easy it is to disrupt business information flow. The third section presents a skeleton framework for the use of cryptography as a major deterrent and cost-effective solution to information security challenges. An analysis of WEB security and countermeasures is considered.

INTRODUCTION

A two-page uncontrolled document entitled "User Computer Security Procedures and Backup Requirements" came to my desk for review and approval. After my initial reading, I was concerned with the brevity of the document and its limited focus on: 1) password control, 2) virus protection and 3) tape back-up schedules. In my opinion, the subject was too important not to be covered more thoroughly. The author of this proposed standard (a plant MIS Director) did not reference any of the documents that I knew were available to all users of our company computer systems. Most users could download separate documents through a company BBS covering INTERNET usage, E-mail, encryption of sensitive but unclassified data, audit procedures, systems administration guidelines and file transfer policies applying to 1000's of networked PC's, a large Mainframe, several networked AS/400's, and dial-up connections. The push toward ISO 9000 systems was in place at many of the facilities. What bothered me was, if all this material was available, why wasn't some of it at least referenced in the procedure on my desk? I started looking for trends. My library research on policies and procedures at our headquarters and other plant facilities indicated a failure to alert our computer users of the need to approach computers not only as a company asset but as a potential risk for penetration by the technologically superior INFOWAR specialists that our modern society is currently breeding. I placed phone calls to our security department and key players in the various computer applications departments. What I found was even more disturbing.
Policies were in place, ignored, and far behind the technology of the computer systems that we were purchasing (in large numbers). Our company seemed to be using outside vendors to maintain technical proficiency. New systems were being installed at our locations with limited efforts at risk analysis or interrelationship analysis with existing systems. Computer security was not an expressed priority in purchasing decisions. Cost and delivery were the primary purchasing indicators, quality a secondary issue. Generally, security was not addressed. The Information Technology (IT) department answered only to the concerns of the headquarters users. In the last six years, six word processing packages were successively recommended as company standards. Several violations of company policy had been documented. The company E-mail system was shut down by a playful hacker who used spamming techniques to lock up 16,000 computers for about two days. An arrogant employee destroyed about $100,000 worth of critical files, and when he was fired offered to assist the investigation team with his zipped disks to "save the company the money for data recovery." A laborer and his foreman abused the INTERNET gateway to make 1-900 calls via London to an Ohio "entertainment concern." Using what they thought was a secret connection, the perpetrators refused to pay for their communications and the company was left as the responsible party to the tune of $15,000. Both were reprimanded but kept their jobs in return for not going to the newspapers and causing embarrassment to our image. The last shipment of "WORD" diskettes contained a virus that infected hundreds of PC's. [This did prompt a message from corporate IT that we must use virus scanning products.] Another dimension came to mind. We are in global competition with our competitors and regularly seek information to protect our market share and get the jump on new issues.
Most of the corporate intelligence group uses portable PC's to link up with our resources at the various locations. They use their PC's on planes and in their hotels. What is amazing is that many of them are unfamiliar with encryption technology to protect the important communications that they possess. Unlike the government, disclosure of sensitive or classified information is not a concern. Profit and strategic information value is at stake when marketing decisions must be made. "Can we make the deal?" is the first concern. However, unlike the government, organization changes and management remuneration are held very closely to the vest. Encryption technology is used to protect this information as it is circulated to the various facilities, but not elsewhere. The above climate is unfortunately not unusual in large commercial concerns. The horror stories I hear at professional conferences confirm that commercial computer security is not a high priority. This is difficult to understand considering the explosive growth of new users on the INTERNET and the dollar volume (estimated at $500 MM in 1996 with growth up to $10 Billion by 2000) of business that is being conducted through the NET. The current crop of encryption products addresses the authentication, digital signature and computer fraud issues surrounding NET money. They are in use by a small percentage of the business community. Computer crime has become a major threat to business. According to FBI statistics, computer crime is the most expensive form of commercial crime - with an average of $450,000 per theft. It also represents a great risk to corporations. Estimates of the total dollar amount figure for computer theft are as high as $5 billion per year. [OREI]

FIRST PRINCIPLES

Every computer system is vulnerable to attack.
Security policies and products may reduce the likelihood that an attack will actually be able to penetrate your system's defenses, or they may require an intruder to invest so much time and resources that it's just not worth it - but there is no such thing as a completely secure system. [OREI] There are four key concepts that appear in much of the literature regarding computer security: threats, vulnerabilities, attacks and countermeasures. A threat to a computer system is defined as any potential occurrence, malicious or otherwise, that affects the computer resources. A vulnerability is a point where a system is susceptible to attack. An attack is a malicious exploitation of a computer system vulnerability to cause an existing threat to occur. Countermeasures are those actions or enactments of safeguards to prevent threats to a computer system. [FCST] Vulnerabilities are classified as physical, natural, hardware, software, media, emanation, communications, and human. The human element is by far the weakest link. The second weakest link is the modem or telephone. Messages can be intercepted, misrouted, and forged. Communications lines connecting computers to each other, or connecting terminals to a central computer, can be tapped or physically damaged. There's a lot of variation in how easy it is to exploit different types of vulnerabilities. Tapping a cordless phone or a cellular mobile phone requires about a $200 investment in a Radio Shack store. Logging onto a computer system that has "human" password protection is almost as easy. Tapping an encrypted fiber optics communications link or intercepting Van Eck electronic emanations from TEMPEST shielded equipment is very difficult, expensive and out of range except for a dedicated intelligence operation. Threats are generally classified as unintentional (due to negligence or ignorance) or intentional by an attacker (planned and malicious).
Motivated attackers are usually backed up by computing horsepower, money, time, personnel and defined egress. There are five major categories of outside attackers: FIA's (Foreign Intelligence Agents), Terrorists, Criminals, Corporate Intelligence Teams, and Hackers or Crackers. The newspapers have been full of stories about all five categories. Outside threats constitute about 20% of the security problem. 80% of all penetrations of computer security are accomplished by insiders. Along with the fired or disgruntled employee and political revenge types, we can add the coerced, greedy or power players. The most dangerous type of insider is the untrained or lazy. He/she doesn't change passwords, resists security restrictions, doesn't understand data protection and leaves information in plain view. [OREI] The most effective system attack is a combination of a strong outside strategy (for example, breaking into competitors' files to steal their marketing plans) with access by an insider (for example, a marketing assistant who has been bribed with force, money or sex to give away a password or steal reports). In order to understand the manner in which potential threats are addressed by computer security specialists, researchers have further generalized computer security system threats by their effects: 1) Disclosure, 2) Integrity, and 3) Denial of Service. Disclosure ("leaks") threats involve the dissemination of information to an individual by whom that information should not be seen. The vast majority of research and development in computer security since the 1960's has been focused on disclosure threats. One reason for this emphasis has been the importance governments have placed on countering this threat. Much of NSA's initial work in the security area was to protect against this type of threat. The Integrity threat involves any unauthorized alteration of information stored on a computer system or in transit between computer systems.
A good example of this compromise might be for an ex-spouse (an angry one) to access the spouse's TRW credit files to change the various codes, making the spouse $100,000 behind in everything, with judgments, attachments and skip trace requirements. If you are the unfortunate victim of such an attack, try to convince your local grocer, whom you have been supporting for five years, that this is all a mistake, a computer mistake, of course. Try to sell your house. Try to buy a new house or rent a room. Try to cash a check with a new vendor. This is not a what-if scenario. INFOSEC warriors have used this form of attack very effectively. The Social Security Administration shut down their web site because they only required name, SSN and mother's maiden name as security indicators. Many existing databases have all of this information available. With a little information, anyone can read your entire financial history. Until recently, governments were concerned with the disclosure threat, and businesses were concerned with integrity. Actually, both types of environments are vulnerable to both types of threats depending on their application. The Denial of Service (DOS) threat arises whenever access to computer system resources is intentionally blocked as a result of malicious actions taken by another user. The DOS may be permanent or strategically delayed. The latter case is referred to as "being stale." DOS has real meaning in the World Wide Web service. AOL recently changed its billing policy to a flat rate. The increased usage on the resources caused a DOS for entire sections of the country. DOS threats have not been researched very thoroughly except for use in DOD and satellite reconnaissance. Think of the consequences in the Gulf War if the Iranians had a serious DOS capability to shut down U.S. communications systems controlling our birds.
INFORMATION SECURITY OBJECTIVES

To introduce cryptography, an understanding of issues related to information security in general is necessary. Information security manifests itself in many ways. Regardless of who is involved, to one degree or another, all parties to a transaction must have confidence that certain objectives associated with information security have been met. Table 1 lists some of these objectives. [MENE]

Table 1  Information Security Objectives

privacy or confidentiality: keeping information secret from all but those who are authorized to see it
data integrity: ensuring information has not been altered by unauthorized or unknown means
entity authentication or identification: corroboration of the identity of an entity (e.g., a person, a computer terminal, a credit card, etc.)
message authentication: corroborating the source of information; also known as data origin authentication
signature: a means to bind information to an entity
authorization: conveyance, to another entity, of official sanction to do or be something
validation: a means to provide timeliness of authorization to use or manipulate information or resources
access control: restricting access to resources to privileged entities
certification: endorsement of information by a trusted entity
timestamping: recording the time of creation or existence of information
witnessing: verifying the creation or existence of information by an entity other than the creator
receipt: acknowledgment that information has been received
confirmation: acknowledgment that services have been provided
ownership: a means to provide an entity with the legal right to use or transfer a resource to others
anonymity: concealing the identity of an entity involved in some process
non-repudiation: preventing the denial of previous commitments or actions
revocation: retraction of certification or authorization

HISTORICAL PRECEDENTS

Computer security has historically been viewed as an unnecessary impediment to getting work done.
Commercial enterprises seem to accept this attitude by committing limited resources for implementation. Estimates of the size of the computer security market represent a $3 - 8 billion a year opportunity. All the conventional sources seem to subscribe to the theory that the Internet will increase this opportunity above $10 billion by the year 2000. As you might expect, the U.S. Government drives much of the security market. Because of its special concern for classified information relating to national defense and intelligence, the U.S. Government has historically been the major force behind security research and technology. It is difficult to get hard numbers on government security spending because classified programs account for a large piece of the security market, and dollar figures for those classified programs are publicly unavailable. I suspect that about 50% of the market is government-related. It is clear to me that commercial activities in this market will eventually outstrip the government (hence the government's need for control on encryption products). The DOD, intelligence agencies and government contractors are big users of security products. More and more government requisitions specify security requirements along with operational requirements. The operating system must adhere to security levels specified in the "Orange Book" standard for trusted systems. Encryption in one form or another is or may be required to protect stored and transmitted data. The U.S. Government's COMSEC (communications security) program is administered by the NSA and NIST. The COMSEC Endorsement Program (CCEP) combines the experience of NSA and the leadership of industry in telecommunications design, development, and high volume production to evaluate "high-grade" cryptographic products. The process is complex. To gain full certification of a new product takes upwards of 7 years.
[OREI] describes most of the government COMSEC programs and details the so-called Orange Book. Many of our major manufacturing businesses do not involve national secrets. The closest they may come as a global concern is electronic funds transfer or EDI. The need for the computer security process is better understood when we think of it as protecting information. Information that is critical to our business must be protected. Any theft, compromise or integrity change to our company information is exactly the same as a criminal theft of company assets. We owe it to our shareholders, insurance and risk agents, our customers, our users, and our employees to provide more than adequate security for our information. The concept of "reasonable safeguards" is having an impact on the users of our computer systems now; from a legal standpoint we must show the ability to provide a "standard of due care."

CUSTOMERS AND SECURITY POLICY

Customers are our most important assets. We must never forget that employees and management EXIST to support our customers. When this focus is reversed we have a condition called bankruptcy. But how should we define a computer security policy that best serves our customers? For starters, the reader can review three solid references [ATKI], [SANS] and [HUTT]. Of special interest in [ATKI] is his Chapter 5 covering the RFC 1244 Site Security Handbook from the Internet Task Force issued March 1996. [HUTT] provides literally dozens of checklists for the CIO to consider. [SANS] provides a poster for the innocent that has solid thinking behind it. Other references that have useful material but are severely outdated include [MART] and [KRAU]. If your company does business internationally, Charles Franklin's "Business Guide" is a definite must read. [FRAN] The SANS organization has published some interesting and very understandable guidelines regarding computer security and site security philosophy.
[SANS] Let me distill from the above references what I believe is the essence of computer information security policy. Ask yourself the following questions and then answer them.

o What effect will there be on my company's reputation and financial stability if there is widespread dissemination that one or more of my sites has been "cracked"? [Consider the $10 MM business loss suffered by MCI when a college group hacked their new cards six weeks after their marketing push against ATT.]
o What do my customers expect in the way of security for their business with my company? Will I lose them if they think we are not secure?
o Is the security infrastructure value added and consistent with business needs?
o Are ISO guidelines in place, communicated and followed?
o Is there a well-defined security awareness program?
o Do we measure via surveillance audit the effectiveness of our policies?

Let me add three more questions of my own.

o Are Tiger Teams used to define the gap between security standards and practice, and are the required program actions to reduce that gap implemented?
o How do you know that you have hired the right people for the implementation of your company security policy?
o How do you define computer user 'trust' in the various departments?

Next we need to think about the economic tradeoffs that occur naturally when we implement an effective security policy.

TRADE-OFFS

Usability. Socrates told us to know our own limitations. We should be aware of some natural tradeoffs that result when we implement security policies in an attempt to mitigate threats to our computer systems. First there is a negative direct relationship between usability and security. As security increases, the usability of the computer systems is reduced. There is a natural conflict when the goals of information and resource sharing are combined with strict security controls.

Retrofit.
Since security is a relatively new concern and since technology is improving in hardware and software at a nonlinear rate, nearly all systems developed register insufficient attention to threats, vulnerabilities and potential attacks. In order to make an existing system secure, one is faced with the problem of retrofitting security into existing components, mechanisms and environments. This is especially true when operating systems interface with security kernels and protocols.

Assurance. How do we prove that a system is secure? What assurance or body of evidence do we use to prove it? This is a difficult task. The four types of assurance mechanisms that have been used with some success are: 1) static test results, 2) dynamic field experiments, 3) formal methods and 4) Tiger Team investigation. The fourth method is aggressive and is recommended as the most practical. This approach is similar to the phrase "experience counts".

Procedures and Mechanisms. The mitigation of threats on computer systems requires the integration of suitable procedures and/or mechanisms. These procedures and mechanisms range from management policies on facilities and operations to functional mechanisms designed into the computer system.

Security Requirements. Why can't security be designed into computer systems based on suitable security requirements? Two reasons. Requirements identification in modern computer systems is non-trivial. The target is ever changing and potentially obsolete technically in a very short time.

SECURITY ENGINEERING - A HYPOTHETICAL MODEL

We may think of the commercial enterprise as made up of layers of resources as shown hypothetically for HAL 3000, Inc. in Figure 1:

Figure 1  Hypothetical Enterprise Dependency Model

The Enterprise: HAL 3000 Enterprises, Inc.

Organizations
  Key Suppliers: Raw Materials
  Manufacturing Divisions: Intermediate Products
  Consumer Divisions: Final Products
  Distribution Division: Transportation & Logistics
  Customers: External & Internal

Products
  Raw, Intermediate, Final, Special Quality, Non Standard

Business Processes
  Accounting, General Services, ISO, Legal, Public Relations, Other Staff Functions, Facilities Management, Long Range Planning, Labor Contracts

Technology Components - the 'glue' for communications to/from internal and external customers
  Facilities, Application Software, Software Environment, Implementation, Hardware, Communications, Security, Web, Computer Networks - LANs, WANs etc.

The optimal security approach for such a company would involve engineering the following security components at each layer of the enterprise:

1. Identify the computer and communication systems architecture links for HAL 3000's business organization, products, processes, facilities and technology components.
2. Identify the most likely threats, vulnerabilities and attacks on these computer or communication links.
3. Estimate the component risks and probability of hard dollar losses.
4. Prioritize the vulnerabilities within company resource constraints.
5. Identify and install appropriate safeguards. The most effective safeguard is encryption, and it can be applied in various forms across most of these information links.
6. Apply the system security approach in a normal feedback loop [steps 1 - 5] until the risks are acceptably low for the capital invested/approved by HAL 3000 management.

Both [HUTT] and [AMOR] discuss the process in detail. [HUTT] describes in detail the process of making risk evaluations for security processes. [AMOR] presents some of the famous disclosure models: Bell-LaPadula, Biba, Clark-Wilson Integrity and Millen's Resource Allocation. Interesting reading but of questionable practicality for management.

TIGER TEAMS AND GAP ANALYSIS

The concept of using Tiger Teams is not new.
They first emerged on the computer scene in the 1970's. Tiger Teams were government (mostly NSA) and industry (IBM, RAND, CDC) sponsored teams of 'crackers' who attempted to break down the defenses of computer systems in an effort to uncover, and eventually patch, security holes. IBM spent $40 million to address computer security issues and Tiger Teams were an important part of finding security flaws in the company's own products. [DES was perfected using this method.] [ATTA], [BISB], [KARG] Tiger Teams were [and are] an effective way to find and fix security vulnerabilities. USAF Lieutenant General Lincoln D. Faurer, former Director of NSA, wrote that the efforts of the Tiger Teams resulted in two significant conclusions. [LDF]

o Attempts to correct (patch) identified security vulnerabilities were not sufficient to prevent subsequent repenetrations. New Tiger Teams often found security flaws not found by earlier Tiger Teams. One could not rely on the failure of a penetration effort to indicate that there were no exploitable security flaws.
o The only apparent means of guaranteeing the protection of system resources would be to design verifiable protection mechanisms into computer systems.

Tiger Teams served a useful function by identifying security flaws and demonstrating how easily these flaws could be exploited. This concept is exactly what we need for defining the aforementioned patching of commercial computer systems. Form a balanced team of 5 - 6 individuals (male and female) from either external or internal sources but in all cases unknown to the target computer site. [External sourcing requires attention to contract administration to protect the company against unexpected losses.] The skill level must be superior and the personalities must blend into the organizational structure. Insert the team during the summertime when many employees are on vacation and give them access to accounting, MIS, engineering, administrative and production departments.
Extra temporary help is always accepted as long as political issues are not involved. The Tiger Team must limit their communications while at the target site. Tiger Teams work 24 hours a day, using external and internal attacks to define the appropriate security levels at the site. Tiger Teams can be resourced readily in larger firms by internal means. Smaller companies may hire an outside trusted third party. NCSA in Carlisle, PA performs third party security audits. Computer security auditing is performed effectively and with absolute integrity. Nichols presented the following security improvement philosophy (Gap Analysis) governing Tiger Teams in 1995:

o Define Standards and Acceptable Level of Computer Security.
o Define Dollar Benefits to get to the standards.
o Define the steps to eliminate the 'Gap'.
o Make a schedule of these steps.
o Prioritize these steps.
o Identify the resources required to monitor the schedule.
o Eliminate items not under the charter or control of the team.
o Monitor continuous improvement and feed the results back to management.
o The plan must be real and achievable. Short term and long term benefits must be presented.
o Present a risk analysis if steps are not taken and the site remains status quo. [The landmark paper on "Information Security Risk Management," by John M. Carroll, is published in [HUTT]. It details the cost-benefit analysis used by many Tiger Teams.]
o Plan additional vulnerability studies because new technology may obsolesce the solution.

Tiger Teams are generally successful. But we are dealing with people and they don't always behave as expected.
Table 2 shows some of the reasons why Tiger Teams have failed to meet their goals:

Table 2  Why Tiger Teams Sometimes Fail To Meet Expectations

Goals Unclear                55%
Changing Objectives          55%
Lack Of Accountability       51%
Lack Of Management Support   49%
Lack Of Role Clarity         47%
Ineffective Leadership       45%
Low Priority of Team         40%
No Team-Based Pay            30%
Mental Opt-Out               15%
Cultural                     10%

These reasons are not surprising and can be avoided. Competent and trustworthy Tiger Teams not only expose the problems and provide the solutions for computer security issues, but they cut costs - big time! They use the best in technology; they are mobile, efficient, temporary, secret, professional and responsible. [NIC3]

ISO STANDARDS

Tiger Teams use well-known standards to monitor their penetration effectiveness and the security philosophy of the commercial target. Appendix A summarizes cryptographic and security standards of practical interest. These facilitate widespread use of cryptographically sound techniques, and interoperability of systems and system components. The best-known standards are International Organization For Standardization (ISO), American National Standards Institute (ANSI), Federal Information Processing Standards (FIPS), Internet Request For Comments (RFCs) and de facto Public Key Cryptography Standards (PKCS). Tables 8 - 15 in Appendix A present an overview of relevant standards. A complete description of these standards as well as information for their acquisition is found in [MENE] Chapter 15.

PENETRATION OF COMPUTER SYSTEMS

The landmark paper on penetration of computer systems was written by Dr. Mich E. Kabay of the NCSA and published in 1996. [HUTT] "Penetrating Computer Systems and Networks," describes well-known techniques to attack computer systems. It also defines the appropriate countermeasures. This is an excellent paper and highly recommended.

WINDOWS

A large number of businesses today use the Unix operating system.
Also, there are an ever growing number of businesses that are switching to Microsoft Windows in its various flavors, i.e. Win3.1, 3.11, Win95, and NT. Due to the capabilities of these operating systems, and the speed of PC's, they can now run networks and have PC's doing the jobs that were done on mainframes. Security is an even greater concern on these types of systems. A system running DOS and Windows can be very easily entered without need for passwords or any other tools. If access (physical or otherwise) to the machine can be obtained, it is possible to bypass the config.sys and autoexec.bat files and start the computer by pressing F5 when booting up the system. Any devices that need drivers would not be available, but you could still have access to the machine, for whatever purposes. One such concern on a system running Win3.1 or 3.11 is changing or deleting the user's password. By editing the System.ini file and changing the SCRNSAVE.EXE line this could be accomplished. On some of the systems, password(s) are placed in a file in plain text with no encryption. On Win95 log-ins the password can easily be set for all employees, so everyone would remember it (and everyone would have access to all machines), to nothing more than the Enter key being pressed. Windows NT has a better system but is still vulnerable. Windows NT allows security auditing of almost every transaction either using the File Manager or the User Manager. The Directory Auditing dialog box is used to select valid and invalid file access. Under the User Manager, the administrator has the option to select audit policy based on success or failure of user events, login and logout, file access, rights violations and shutdowns. Windows NT stores its audit files in a format read only by an Event Viewer. It has a variety of selection criteria by category, user, and message type. Where Windows NT has a big security hole is its Registry file.
You can seriously disable Windows NT if you make inappropriate changes to the Registry when using the Registry editor. Too many corporations are relying totally on the security shipped with their Windows operating system. They need to address a secondary channel of security. It seems that security and protection of the information on the computers in use today is the last thing thought of, with money spent in all other areas of hardware and software, until a crisis hits.

PASSWORD VULNERABILITY

In my opinion, the weakest link in the security chain is the password. It is estimated that more than 85% of all U.S. business, financial and personal records are stored in computer systems. We use passwords (keywords) to enter the maze of security levels and gain access to the various files, records and programs that affect our daily lives. These passwords are cryptographically treated after they are presented to the computer system and stored in that form. We live in an age of international, no-boundary computer networks capable of performing huge amounts of coordinated work to breach the security of our computer systems and pry open the secrets of our lives. But how secure are our systems by virtue of their encrypted passwords? What is the weak link of the cryptosystem - the algorithm, the key or the key management? (This analogy excludes "people", who are in a weak class of their own.) Daniel V. Klein of LoneWolf Systems, Pittsburgh, Pa. performed a study in 1989, using data from clients in both the U.S. and Great Britain, which would imply that the key (password) and its management is the weak link. He outlined some of the problems of current password security and demonstrated the ease with which individual accounts may be broken. [VACC] Although his study centered around the UNIX system, his results and conclusions were general in nature and cannot be ignored by users and system administrators of every type of computer system in the country.
UNIX VULNERABILITY

Let us forget for the moment that CPU speeds, computer architectures and storage capabilities were more than 4 orders of magnitude faster and better in 1996 than what was available when Klein's work was performed in 1989. Klein was interested in the security of accounts and passwords on the UNIX system. Early Unix versions used a password encryption algorithm based on the M-209 U.S. Army cipher machine. The M-209 cipher machine and the concept of aperiodicity are discussed in detail in reference [NIC1]. On a PDP-11/70, each encryption took approximately 1.25 ms, so that it was possible to check 800 passwords per second. Armed with a dictionary of 250,000 words, crackers could compare encryptions with all those stored in the password file in a little more than 5 minutes. This was a security hole that could be (and was) exploited on government and non-government machines all over the country. In versions of UNIX after 1976, DES (Data Encryption Standard) was used to encrypt passwords. The user's password was used as the DES key, and the algorithm was used to encrypt a constant. The algorithm was iterated 25 times, with the result being an 11-character string plus a 2-character "salt." This method was more rigorous and difficult to decrypt. It was complicated through the introduction of one of 4,096 possible salt values and was slower to execute than its predecessor. On a VAX-11 machine, a single encryption required about 280 ms, so that the determined cracker could only check about 3.6 encryptions per second. Checking the same 250,000 word dictionary would take 19 hours of CPU time. This reduced the "payoff ratio" for cracking a single password. Checking the passwords on a system with 50 accounts would take, on average, 40 CPU days, because the random selection of salt values practically guarantees that each user's password would be encrypted with a different salt - and with no guarantee of success.
In some cases the salt is stored in the clear (for portability), as the first two bytes of the stored value. This way it is possible to "port" userids to a different version of Unix without changing passwords (you just copy the relevant files to the new system). It should be noted that the Unix password has migrated to the /etc/shadow file, which is readable only by "root" and not accessible to everybody else. Solaris works this way. The /etc/passwd file contains just a "place holder" entry. This way an attacker must definitely get root to gain access to this file. In the last 5 years three developments have pushed the problem of password security back into the forefront:

1. CPU speeds are lightning fast and readily available as desktop workstations. Special boards can be made to optimize the password comparisons. With internetworking, many sites have hundreds of individual workstations connected together, and enterprising crackers are discovering that the "divide and conquer" algorithm can be extended to multiple processors, especially at night when those processors are not otherwise being used.

2. New implementations of the DES algorithm have been developed, so that the time it takes to encrypt a password and compare the encryption against the stored value in a password file has dropped below the 1 ms mark. Our 250,000 word dictionary can be processed in less than 5 minutes, and by dividing the work across multiple workstations, the time required to encrypt these words against all 4,096 salt values is less than an hour. DES has been put into hardware implementation and the time for encryption further reduced. This means the same dictionary can be cracked in only 1.5 seconds.

3. A study of passwords cracked showed that users did not readily choose tough passwords but ones that they could remember. Furthermore, surveys show that users are not concerned with system security but with personal privacy.
They are not aware that their terminals may become an entry point for a malicious cracker.

COLLECTION

Crackers have been using the same techniques for some time to acquire the password files on UNIX and VAX machines (all open system machines are susceptible):

1. They acquire a copy of the site's /etc/passwd file, either through an unprotected uucp link, well known holes in sendmail, via FTP or TFTP, or by outright theft.

2. They apply the standard or sped-up version of DES, or the known password encryption algorithm, to a collection of words, typically /usr/dict/words, plus some permutations on account and user names, and compare the encrypted results to those found in the purloined /etc/passwd file.

3. If a match is found (and often there is more than one), the cracker has access to the targeted machine.

This modus operandi has been known for some time and defended against, but still presents a viable alternative for the 'bad guys' on more than 50 per cent of the computers on the market.

KLEIN'S SURVEY

Klein built up a database of approximately 15,000 entries from /etc/passwd files in the U.S. and Great Britain in order to try to crack the passwords. Each of the account entries was tested by a number of intrusion strategies. The possible passwords that were tried were based on the user's name or account number, taken from numerous dictionaries (including some containing foreign words, phrases, patterns of keys on the keyboard, and enumerations) and from permutations and combinations of words in those dictionaries. After nearly 12 CPU-months of rather exhaustive testing, approximately 25 percent of the passwords had been guessed! 21 percent of the passwords (nearly 3000 passwords) were guessed in the first week, and in the first 15 minutes of testing 368 passwords (or 2.7 percent) had been cracked using what experience had shown would be the most fruitful line of attack (using the user or account names as passwords). These statistics are nothing less than frightening.
On an average system with 50 accounts in the /etc/passwd file, one could expect the first account to be cracked in under two minutes, with 5 to 15 accounts being cracked by the end of the first day. Even though the root account might not be cracked, all it takes is one account being compromised for the cracker to have a toehold in the system. After that is done, any number of other well-known security loopholes (many of which are published on the network) can be used to access or destroy any information on the machine. The results did not indicate what all the uncracked passwords were. Rather, they showed that users are likely to use words that are familiar to them as their passwords. What new information the study did provide, however, was the degree of vulnerability of the systems in question, as well as a basis for a proactive password checker. Passwords that can be derived from a dictionary are clearly a bad idea. There are hackers and companies in the business of developing this line of attack on computer systems. I recently downloaded some files in Russian from a site in Moscow that would indicate that others have known this principle too.

SAFE PASSWORDS?

Klein found three classes of 'safer' passwords. One class of more secure passwords was the word pair, where the password consists of two words separated by a punctuation character. Compuserve uses this technique for their CIS network, but relies on too few punctuation marks to make this an effective deterrent to the clever cracker. Even considering words of only 3 - 5 lowercase characters, /usr/dict/words provides 3000 words for pairing. When a single intermediate punctuation character is introduced, the resulting sample size of 90,000,000 possible passwords is, in theory, rather daunting. But cipher text patterns carry through and are recognizable when using a known algorithm, and the 'key space' that must be tested is substantially smaller with a smart dictionary of targeted information.
A 'smart' brute force attack will be effective against the fixed length of the password, especially if the number of salt values and/or the number of punctuation marks is limited. A second type of password introduces upper and lowercase characters into the password to raise the search set size to a magnitude that is more difficult to crack. The third safe password is one constructed from the initial letters of any easily remembered, but not common, phrase. For example, the phrase "UNIX is a trademark of Bell Laboratories" could give rise to the password UiatoBL. This essentially creates a password that is a random string of upper and lowercase letters. Exhaustively searching this space at 1,000 tests per second with only 7-character passwords would require about 32 CPU-years - a very difficult task.

METHOD OF ATTACK

A number of techniques were used on the accounts in order to determine whether the passwords used for them could be compromised. To speed up the testing, Klein grouped all passwords with the same salt value together. This way, one encryption per password per salt value could be performed, with multiple string comparisons to test for matches. Rather than 15,000 accounts, the problem was reduced to 4,000 salt values. [VACC] The password tests were as follows:

1. Name Variations. Try using the user's name, initials, account name and other relevant personal information as a possible password. All in all, up to 130 different passwords were tried, based on this information. For the account name klone with a user named "David V. Klein," some of the passwords tried were: klone, klone0, klone1, klone123, dvk, dvkdvk, dklein, Dklein, leinad, nielk, dvklein, danielk, DvkkD, DANIEL-KLEIN, (klone), KleinD, and so on.

2. Dictionaries. Try using words from various dictionaries.
These included lists of women's and men's names (some 16,000 in all); places (including permutations, so that "spain," "spanish," and "spaniard" would be considered); names of famous people; cartoons and cartoon characters; titles, characters and locations of films and science fiction stories; mythical creatures (garnered from Bullfinch's mythology and dictionaries of mythical beasts); sports (including team names, nicknames and specialized terms); numbers, both as numerals ("2001") and written out ("twelve"); strings of letters and numbers ("a", "aa," "aaa," and so on); Chinese syllables (from the Pinyin Romanization of Chinese, an international standard system of writing Chinese on an English keyboard); the King James Bible; biological terms; common and vulgar phrases (such as "ibmsux" and "deadhead"); keyboard patterns (such as "QWERTY", "asdf" and "zxcvbn"); abbreviations (such as "roygbiv" - the colors in the rainbow, and "ooottafagvah" - a mnemonic for remembering the 12 cranial nerves); machine names (acquired from /etc/hosts); characters, plays and locations from Shakespeare; common Yiddish words; the names of asteroids; and a collection of words from various published technical papers. 60,000 separate words were considered per user (with the inter- and intra-dictionary duplicates being discarded).

3. Permutations of Item 2. Try various permutations on the words from step 2: make the first letter uppercase or a control character, make the entire word uppercase, reverse the word (with and without the capitalization), change the letter o to the digit 0 (so the word scholar becomes sch0lar), perform similar manipulations on letter z to digit 2 and letter s to digit 5, make the word plural (so dress becomes dresses), and add suffixes of -ed, -er and -ing to transform words like phase to phased. These 14 to 17 additional tests per word added another 1,000,000 words to the list of possible passwords that were tested for each user.

4. Capitalization. Try various capitalization permutations on the words in step 2. This included all single-letter capitalization permutations (so that michael would be checked as mIchael, miChael, and so forth), double-letter capitalization (MicHael) and triple-letter capitalization (MIchAel). This added 400,000 more words to be tested for single-letter, 1,500,000 for double-letter and 3,000,000 more words for three-letter capitalization checks.

5. Foreign Words. Try foreign words on foreign language users. Klein used Chinese words on users with Chinese names. Klein made exhaustive one-, two- and three-syllable word tests on all 398 Chinese symbols, for about 16,158,404 additional tests.

6. Word Pairs. Try word pairs. The magnitude of this test was staggering. Klein simplified the test to include words three and four characters in length from /usr/dict/words. The number of words was of order of magnitude 10**7 X 4096 possible salt values. Klein used four linked DECstation 3100's to perform 3000 comparisons a second. The study ran for 20 CPU-months. The bulk of the effort was complete in the first 12 CPU-months.

KLEIN'S RESULTS

The problem with using passwords that are derived directly from obvious words is that when users think "Hah, no one will ever guess this permutation," they are invariably wrong. Klein found a match on "fylgjas" (a guardian creature from Norse mythology). No matter what words or permutations thereof are chosen for a password, if they exist in some dictionary, they are susceptible to direct cracking. Table 3 shows the breakdown of passwords cracked in a sample size of 13,797 accounts. Klein suggests four solutions for the 'key challenge': 1) use a proactive password checker; 2) eradicate easy-to-guess passwords (the user dislikes this approach); 3) assign passwords - nonsense words or random characters (the user dislikes this approach also); and 4) use smart cards which respond to electronic challenges from the computer security system.
TABLE 3  Passwords Cracked for Sample Set of 13,797 Accounts

Type of Password        Dictionary  Duplicates  Search  Number of  Percent   Cost/Benefit
                        Size        Eliminated  Size    Matches    of Total  Ratio
--------------------------------------------------------------------------------------
User/Account Name       130+        -           130     368        2.7%      2.830
Character Sequences     866         0           866     22         0.2%      0.025
Numbers                 450         23          427     9          0.1%      0.021
Chinese                 398         6           392     56         0.4%      0.143
Place Names             665         37          628     82         0.6%      0.131
Common Names            2,268       29          2,239   548        4.0%      0.245
Female Names            4,955       675         4,280   161        1.2%      0.038
Male Names              3,901       1,035       2,866   140        1.0%      0.049
Uncommon Names          5,559       604         4,955   130        0.0%      0.026
Myths and Legends       1,357       111         1,246   66         0.5%      0.053
Shakespearean           650         177         473     11         0.1%      0.023
Sports Terms            247         9           238     32         0.2%      0.134
Science Fiction         772         81          691     59         0.4%      0.085
Movies and Actors       118         19          99      12         0.1%      0.121
Cartoons                133         41          92      9          0.1%      0.098
Famous People           509         219         290     55         0.4%      0.190
Phrases and Patterns    998         65          933     253        1.8%      0.271
Surnames                160         127         33      9          0.1%      0.273
Biology                 59          1           58      1          0.0%      0.017
/usr/dict/words         24,474      4,791       19,683  1,027      7.4%      0.052
Machine Names           12,983      3,965       9,018   132        1.0%      0.015
Mnemonics               14          0           14      2          0.0%      0.143
King James Bible        13,062      5,537       7,525   83         0.6%      0.011
Misc Words              8,146       4,934       3,212   54         0.4%      0.017
Yiddish Words           69          13          56      0          0.0%      0.000
Asteroids               3,459       1,052       2,407   19         0.1%      0.007
--------------------------------------------------------------------------------------
Total                   86,280      23,553      62,727  3,340      24.2%     0.053

Table Notes

1. The number of matches is the total number of matches given for the particular dictionary, irrespective of the number of permutations that the user applied to it.
2. Duplicate names were eliminated.
3. In all cases, the cost/benefit ratio is the number of matches divided by the search size. The more words that needed to be tested for a match, the lower the cost/benefit ratio.
4. The dictionary used for user/account name checks naturally changed for each user. Up to 130 different permutations were tried for each.
5. Although monosyllabic Chinese passwords were tried for all users (with 12 matches), polysyllabic Chinese passwords were tried only for users with Chinese names. The percentage of matches was 8.0% - a greater hit ratio than any other method - but the dictionary size is 16 X 10**6, and the cost/benefit ratio is therefore infinitesimal.
Klein's work is a professional success if we are in the cracking business, and a disheartening insight if you are in the security business. The total size of the dictionary was only 62,727 words (not counting various permutations). This is much smaller than the 250,000-word dictionary postulated at the beginning of this section. Yet armed with even this small dictionary, nearly 25% of the passwords were cracked. It is easy to see how a professional organization could increase the dictionary and the funding on the machinery and raise the cost/benefit ratio significantly. Table 4 shows the length of the cracked passwords.

TABLE 4  Length of Cracked Passwords

Length         Count   Percentage
---------------------------------
1 Character    4       0.1%
2 Characters   5       0.2%
3 Characters   66      2.0%
4 Characters   188     5.7%
5 Characters   317     9.5%
6 Characters   1160    34.7%
7 Characters   813     24.4%
8 Characters   780     23.4%
---------------------------------

The results of the word-pair tests are not included in either of the two tables. They represent another 0.4% of the passwords cracked in the sample.

PENETRATION TESTS

Tiger Teams don't stop at password attacks. They conduct a series of penetration tests on the computer networks and their communications links to identify vulnerabilities. They attack workstations, network media, servers, components, agents, databases, host connections and cross-platform control, remote dialups, Internet access and Web sites. Tigers test the overall administration of the network. Frank Lyons put together a list of 21 penetration tests that his Tiger Team uses to audit customer security networks. Table 5 summarizes his checklist.
[LYON]

Table 5  21 Network Penetration Tests

1. Password-Scanning Test. Scan files for user IDs and passwords in cleartext.
2. Trojan-Program Test. Scan for executable files with Trojan (anti-virus software) routines.
3. Key-Stroke Capture Test. Ensure that password-capturing programs are identified.
4. Network-Hijacking Test. Ensure that network transactions cannot be hijacked by an unauthorized source.
5. Password-Cracking Test. Determine whether users are picking good passwords. [See also the section on Klein's brilliant work on password cracking.]
6. Socket-Penetration Test. Determine whether open sockets are unsecured.
7. Network Diagnostic Test. Determine if any network traffic can be captured by an unauthorized source.
8. Brute-Force Sign-On Test. Discover if a wardialer or numerous user ID/password combinations can be attempted without detection.
9. Dynamic SQL Access Test. Check if an unauthorized source may make direct access to the database.
10. Dial-Up Test. Ensure that all dial-up lines are properly secured.
11. Network-File-Access Test. Ensure that all mounted systems are secure.
12. Verbose-Mode Test. Determine whether key-stroke commands can be used to obtain unauthorized data.
13. Default Test. Determine if default IDs and passwords are installed.
14. Configuration Test. Check if security is properly enabled on network components.
15. Services Test. Check if the file server has open application services that are not properly authorized.
16. SNMP Test. Check if the Simple Network Management Protocol (SNMP) agent is properly secured.
17. Middleware Test. Ensure that middleware works in a robust and secured manner.
18. Console Port Access Test. Confirm that the console is secured.
19. External Firewall Test. Make attempts to defeat the outside firewall.
20. Web-Site Test. Determine whether the web server is properly secured.
21. External Remote-Access Test. Ensure that remote access restricts the user to specific devices.
There is a process known as encryption which represents a powerful and effective countermeasure to most computer intrusions. Multi-layered system encryption - software, hardware, network - forces penetrations to remain with the weakest link, i.e. people. What is encryption?

CRYPTOGRAPHY, ENCRYPTION AND CRYPTANALYSIS

Cryptography is the science of writing messages that no one except the intended receiver can read. Cryptanalysis is the science of reading them anyway. "Crypto" comes from the Greek 'krypte', meaning hidden or vault, and "graphy" comes from the Greek 'grafik', meaning writing. The words, characters or letters of the original intelligible message constitute the Plain Text. The words, characters or letters of the secret form of the message are called Cipher Text and together constitute a Cryptogram. Cryptograms are roughly divided into Ciphers and Codes. William F. Friedman defines a Cipher message as one produced by applying a method of cryptography to the individual letters of the plain text, taken either singly or in groups of constant length. Practically every cipher message is the result of the joint application of a General System (or Algorithm), a method of treatment which is invariable, and a Specific Key, which is variable at the will of the correspondents and controls the exact steps followed under the general system. It is assumed that the general system is known by the correspondents and by the cryptanalyst. [FRE1] A Code message is a cryptogram which has been produced by using a code book consisting of arbitrary combinations of letters, entire words, or figures substituted for words, partial words or phrases of plain text. Whereas a cipher system acts upon individual letters or definite groups taken as units, a code deals with entire words, phrases or even sentences taken as units. The process of converting plain text into cipher text is Encipherment or Encryption.
The reverse process of reducing cipher text into plain text is Decipherment or Decryption. Cipher systems are divided into two classes: substitution and transposition. A Substitution cipher is a cryptogram in which the original letters of the plain text, taken either singly or in groups of constant length, have been replaced by other letters, figures, signs, or combinations of them, in accordance with a definite system and key. A Transposition cipher is a cryptogram in which the original letters of the plain text have merely been rearranged according to a definite system. Modern cipher systems use both substitution and transposition to protect sensitive messages.

SUBSTITUTION AND TRANSPOSITION CIPHERS COMPARED

The fundamental difference between substitution and transposition methods is that in the former the normal or conventional values of the letters of the plain text are changed, without any change in the relative positions of the letters in their original sequences, whereas in the latter only the relative positions of the letters of the plain text in the original sequences are changed, without any change to the conventional values of the letters. Since the methods of encipherment are radically different in the two cases, the principles involved in the cryptanalysis of the two types of ciphers are fundamentally different. Most readers are familiar in some form with the classical simple substitution cipher.

SIMPLE SUBSTITUTION

Probably the most popular amateur cipher is the simple substitution cipher. We see them in newspapers. Kids use them to fool teachers, lovers send them to each other to arrange special meetings, and they have been used by the Masons, secret Greek societies and fraternal organizations. Current gangs in the Southwest use them to do drug deals. They are found in literature, like "The Gold Bug" by Edgar Allan Poe, and in the death threats of the infamous Zodiac killer in San Francisco in the late 1960's.
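The difference between the two classes shows up immediately in a letter count: a transposition keeps the plaintext's letter frequencies, a substitution keeps its repetitions and spacing but relabels the letters. The Python below is an added example, not from this paper or from Friedman's or the OP-20-G material: it enciphers a constructed sample with a keyed simple substitution and with a columnar transposition, then builds the frequency table, searches for repeated trigrams and uses Friedman's index of coincidence (a statistic this page does not discuss) to tell the classes apart; the decision thresholds are assumptions.

```python
from collections import Counter
import string

ALPHABET = string.ascii_uppercase
COMMON_ENGLISH = set("ETAOINSHR")   # the nine most frequent letters of English

# Constructed sample plaintext (a paraphrase of Friedman's maxim on reduction
# to monoalphabetic terms); long enough for the statistics to be meaningful.
PLAINTEXT = ("THE SOLUTION OF EVERY CRYPTOGRAM INVOLVING A FORM OF SUBSTITUTION "
             "DEPENDS UPON ITS REDUCTION TO MONOALPHABETIC TERMS IF IT IS NOT "
             "ORIGINALLY IN THOSE TERMS")


def letters_only(text):
    return "".join(c for c in text.upper() if c in ALPHABET)


def keyed_alphabet(keyword):
    """Cipher alphabet: the keyword's distinct letters, then the rest of A-Z."""
    seen = []
    for c in keyword.upper() + ALPHABET:
        if c in ALPHABET and c not in seen:
            seen.append(c)
    return "".join(seen)


def simple_substitution(text, keyword):
    """Monoalphabetic substitution: letter values change, positions do not."""
    table = str.maketrans(ALPHABET, keyed_alphabet(keyword))
    return letters_only(text).translate(table)


def columnar_transposition(text, key):
    """Write the text into rows of len(key) columns and read the columns out
    in the alphabetical order of the key letters: positions change, values do not."""
    t = letters_only(text)
    width = len(key)
    order = sorted(range(width), key=lambda i: (key[i], i))
    return "".join(t[col::width] for col in order)


def frequency_table(text):
    """Preparation of a frequency table."""
    return Counter(letters_only(text))


def repetitions(text, length=3):
    """Search for repetitions: repeated n-grams and the spacings between them."""
    t = letters_only(text)
    positions = {}
    for i in range(len(t) - length + 1):
        positions.setdefault(t[i:i + length], []).append(i)
    return {g: [b - a for a, b in zip(p, p[1:])]
            for g, p in positions.items() if len(p) > 1}


def index_of_coincidence(text):
    """Friedman's IC: about 0.066 for English and for any cipher that merely
    relabels or rearranges the letters, about 0.038 for flat (random) text."""
    t = letters_only(text)
    n = len(t)
    if n < 2:
        return 0.0
    return sum(c * (c - 1) for c in Counter(t).values()) / (n * (n - 1))


def classify(text):
    """Determination of the type of system used (thresholds are assumptions)."""
    if index_of_coincidence(text) < 0.055:
        return "polyalphabetic substitution"
    top = [c for c, _ in frequency_table(text).most_common(7)]
    if sum(c in COMMON_ENGLISH for c in top) >= 5:
        return "transposition"
    return "monoalphabetic substitution"


if __name__ == "__main__":
    samples = (("substitution", simple_substitution(PLAINTEXT, "FRIEDMAN")),
               ("transposition", columnar_transposition(PLAINTEXT, "CIPHER")))
    for name, ct in samples:
        top = "".join(c for c, _ in frequency_table(ct).most_common(7))
        print("%-13s %s..." % (name, ct[:40]))
        print("  IC %.3f  top letters %s  repeated trigrams %s" % (
            index_of_coincidence(ct), top, sorted(repetitions(ct))[:5]))
        print("  classified as:", classify(ct))
```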
All substitution ciphers have a common basis in mathematics and probability theory. The basic language of the cipher doesn't matter as long as it can be characterized mathematically. Mathematics is the common link for deciphering a substitution cipher in any language. Based on mathematical principles, we can identify the language of the cryptogram and then break open its contents. [NIC1]

SIMPLE TRANSPOSITION

Transposition ciphers have been defined as that type of cipher in which the elements or units of the plain text, whether one is dealing with individual letters or groups of letters, retain their original identities but undergo some change in their relative positions or sequences, so that the message becomes unintelligible. The majority of transposition methods involve the use of a design or geometric figure, such as a square, rectangle, triangle, trapezoid, etc., in which the letters of the plain text are first inscribed or written into the design according to a previously agreed-upon direction of writing, and then transcribed or taken off according to another, different, previously agreed-upon direction, to form the text of the cryptogram.

FOUR BASIC OPERATIONS OF CRYPTANALYSIS

William F. Friedman presents the fundamental operations for the solution of practically every cryptogram:

(1) The determination of the language employed in the plain text version.
(2) The determination of the general system of cryptography employed.
(3) The reconstruction of the specific key in the case of a cipher system, or the reconstruction, partial or complete, of the code book in the case of a code system, or both in the case of an enciphered code system.
(4) The reconstruction or establishment of the plain text.

In some cases, step (2) may precede step (1). This is the classical approach to cryptanalysis. It may be further reduced to:

1. Arrangement and rearrangement of data to disclose non-random characteristics or manifestations (i.e. frequency counts, repetitions, patterns, symmetrical phenomena).
2. Recognition of the non-random characteristics or manifestations when disclosed (via statistics or other techniques).
3. Explanation of the non-random characteristics when recognized (by luck, intelligence, or perseverance).

Much of the work is in determining the general system. In the final analysis, the solution of every cryptogram involving a form of substitution depends upon its reduction to monoalphabetic terms, if it is not originally in those terms. [FRE1]

OUTLINE OF CIPHER SOLUTION

According to the Navy Department OP-20-G Course in Cryptanalysis, the solution of a substitution cipher generally progresses through the following stages:

(a) Analysis of the cryptogram(s)
    (1) Preparation of a frequency table.
    (2) Search for repetitions.
    (3) Determination of the type of system used.
    (4) Preparation of a work sheet.
    (5) Preparation of individual alphabets (if more than one).
    (6) Tabulation of long repetitions and peculiar letter distributions.
(b) Classification of vowels and consonants by a study of:
    (1) Frequencies
    (2) Spacing
    (3) Letter combinations
    (4) Repetitions
(c) Identification of letters.
    (1) Breaking in or wedge process.
    (2) Verification of assumptions.
    (3) Filling in good values throughout messages.
    (4) Recovery of new values to complete the solution.
(d) Reconstruction of the system.
    (1) Rebuilding the enciphering table.
    (2) Recovery of the key(s) used in the operation of the system.
    (3) Recovery of the key or keyword(s) used to construct the alphabet sequences.

All steps above are to be done with orderly reasoning. It is not an exact mechanical process. [OP20]

PURPOSE OF ENCRYPTION

In a cryptosystem, plaintext is acted upon by a known algorithm (a set of mathematical rules that determines the transformation process to ciphertext) and a key, which controls the encryption/decryption algorithm, to transform the data into ciphertext.
In a system using a key, the message cannot be transformed without the key. Two types of key systems exist: symmetric or private key systems and asymmetric, or public key systems. In a symmetric system, the same key is used by sender and receiver, In an asymmetric system sender and receiver use different keys. The basic purpose of encryption (beyond pure enjoyment for some of us as in American Cryptogram Association (ACA) recreational cryptography) is to protect sensitive data from unauthorized disclosure. When computer systems are involved, this data can be data stored within the system or transmitted across insecure public carriers. A sender authorizes a transmission medium to carry a message to a receiver. The message is exposed during the transmittal and subject to possible eavesdropping and /or alteration. Any intruder who intercepts the message might be able to interrupt it or modify it (which includes possibly fabricating a false but authentic-looking message.) The availability of the message is affected if the intruder successfully interrupts the transmission. The confidentiality, or secrecy, of the message is affected when it is intercepted because the intruder can read it, know its intentions, plan countermeasures or modify the message for his own advantage. If the authentic-looking but false message is successfully substituted, then we have an integrity issues as well. Modern encryption methods are used to prevent the exposures previously defined and offer desirable features such as: Data Confidentiality, or Secrecy, since messages must be decrypted in order for information to be understood. Data Integrity because some algorithms additionally protect against forgery or tampering. Authentication of Message Originator, if the key has not been compromised and remains secret. Authentication of System User takes place by the user performing a cryptographic function with a unique cryptographic key. 
Electronic Certification and Digital Signature, using cryptographic algorithms to protect against unauthorized modification and forgery of electronic documents.

Non-repudiation, which requires that the sender alone can generate the "signed" message. A secret key shared by sender and recipient gives the two parties authentication of each other, but either of them could have produced the message, so it proves nothing to a third party about who sent it; non-repudiation calls for a digital signature under a key that only the sender holds. This is very important in the making of electronic contracts.

Recall the Table 1 objectives, and it should be obvious that encryption represents a powerful countermeasure to computer intrusions.

MODERN CRYPTOGRAPHY: PRIVATE AND PUBLIC CRYPTOGRAPHIC KEYS

Classical cryptography is the study of historical cryptography from the beginning of writing to 1976. Louis Kruh, editor and founder of the journal Cryptologia, reviewed Classical Cryptography Course, Volumes I and II (C-74 and C-76, Aegean Park Press, Laguna Hills, California) and called it the most "outstanding contribution to the literature of cryptology" in 60 years. Both volumes concentrate on the cryptanalysis of classical ciphers of increasing levels of difficulty and complexity. Another excellent reference is "Decrypted Secrets: Methods and Maxims of Cryptology," by Dr. F. L. Bauer. [NIC1], [NIC2], [BAUE]

The two basic operations of encryption are substitution and transposition. Both are combined in ciphers to increase their security. Most complex ciphers do not rely on a single simple substitution or permutation (transposition); instead a secret key (K) controls a long sequence of substitutions and permutations. The ciphertext message then depends on both the plaintext message and the key value, as shown by equation 1:

    C = E(K, P)                                   eq. 1

The key (K) selects the particular transformation that the encryption algorithm (E) applies to the plaintext (P) to produce the ciphertext (C). Use of a key provides additional security because its value, as well as the encryption algorithm, is required in order to decrypt the information.
Two types of systems use keys: private key and public key systems. Private key (symmetric) systems use a single key to both encrypt and decrypt information. A separate key is needed for each pair of users, so n users need n(n-1)/2 keys. Security depends on protection and secrecy of the key. The best known private key system is the Data Encryption Standard, first introduced to the public in 1977.

Public key (asymmetric, or two-key) systems use a public and a private key. The public key is publicly known, even published, but the user must keep the private key completely secret. The best known public key system is the Rivest, Shamir, and Adleman (RSA) algorithm. In public key systems, the public and private keys are mathematically related. Messages may be encrypted with the public key, but can be decrypted only by the recipient using the private key. Great care must be exerted in protecting the keys, because we always assume that the algorithm is known to a system perpetrator.

DATA ENCRYPTION STANDARD (DES)

DES is a private key algorithm with a 56-bit key. The DES algorithm is published by the National Institute of Standards and Technology as Federal Information Processing Standard (FIPS) 46-2. It is the only published secret key system approved for protection of Federal unclassified information and adopted by the American National Standards Institute (ANSI) for commercial applications. In 1986, ISO recommended the use of DES as an international standard called DEA-1; the recommendation was withdrawn soon after. DES is widely used in financial applications to protect trillions of dollars of electronic funds transfers weekly. The key is a sequence of 8 bytes, each containing 7 key bits and one parity bit (the parity bits add nothing to the key space, which is why the effective key is 56 bits rather than 64); it is crucial that the key remain secret. DES uses substitution and transposition techniques applied alternately. When DES encrypts a single 64-bit block, the bits are scrambled in 16 "rounds" under control of the key, and this results in 64 bits of ciphertext.
DES accommodates about 72 quadrillion (2^56) key combinations. DES is embedded in many commercial products and is popular with both government agencies and private companies. NSA publishes a list of evaluated, endorsed DES products (NEDESPL). [HUTT] In 1997, NIST requested public comment on an Advanced Encryption Standard, which must be stronger than DES (or Triple DES). See [SCHN] for a description of the Triple DES system.

KEY DISTRIBUTION DRAWBACK

A major problem with encryption is the secure distribution of encryption keys to multiple users across networks. Two parties using a secret key system have to agree on the key. Because it is not safe to transmit the key over the communication channel, the parties have to meet personally to agree on the key or exchange keys via a courier. There are vulnerabilities in both of these techniques. Alternatively, if the key itself is encrypted using a different (public key) algorithm, the key may be transmitted over a communications link.

RIVEST, SHAMIR, AND ADLEMAN ALGORITHM (RSA)

The best known public key algorithm is RSA. The keys are generated mathematically, in part by multiplying large prime numbers. Each user has a public and a private key. Published in 1978 by its MIT inventors, the system is used with 512-bit and 1024-bit (in some commercial versions higher) keys and provides authentication in addition to encryption.

Typically, the sender encrypts his message using a secret-key algorithm under a fresh session key. Next, the sender uses the public-key system to encrypt that secret key with the receiving party's public key. The sender transmits both the encrypted message and the encrypted key across the communication channel. The recipient decrypts the secret key first, using his own private key (not the public key: anything encrypted under a public key can be opened only with the matching private key). Once the secret key has been recovered, the recipient uses it to decrypt the main message. This type of cryptographic system is a hybrid. With public-key cryptography, any party can use any public key to send an encrypted message.
However, that message can only be decrypted by a party having the corresponding private key. [HUTT]

The RSA public-key encryption system relies upon the mathematics of modular arithmetic. Both encryption and decryption are completed by raising numbers to a power modulo a number which is the product of two large primes. The two primes are kept secret, and the system can be broken if the two primes are recovered by factoring, a process that has proven to be extremely difficult at the key sizes in use. No one has published a practical attack on the RSA system itself to this day, and many people have tried; the attacks that do succeed in practice exploit key sizes that are too small, poor random number generation, or careless application of the algorithm (for example, encrypting without proper padding). [MENE], [SCHN] and [WAYN] give detailed descriptions of the mathematics supporting RSA.

CRYPTOGRAPHIC NETWORKS

To form a cryptographic network, each network user should be provided with the same algorithm but with different keys, so that messages sent by one node in the network can only be deciphered by the intended recipient node. Figures 2 to 5 show four different cryptographic network arrangements. Each Kn represents a different key.

Figure 2  A Fully Connected End-To-End Network
(four nodes, 1 to 4; each of the six node pairs shares its own key, K1 to K6; diagram not reproduced)

When end-to-end encryption is used, both the sender and receiver must be equipped with compatible hardware. After validating each other, the two units exchange encrypted data. Messages are encrypted by the sender and decrypted only at the final destination.

Figure 3  A Link Encrypted Network

          K1          K2          K3
    [1] <------> [2] <------> [3] <------> [4]

Link encryption involves a series of nodes, each of which decrypts, reads, and then re-encrypts the message as it is transmitted through the network. With link encryption the whole frame, including the source and destination addresses, is encrypted on each link, so an outside wire-tapper learns neither, and no synchronization of special equipment between the end parties is required. However, the message is in plaintext inside every intermediate node, so more nodes mean more places where it can be intercepted and/or modified.
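The hybrid scheme described above (bulk data under a session key, the session key under the recipient's public key) and the central key distribution facility of Figure 5 in the next section, as one added example in Python. It is not code from the paper or from [HUTT], and everything cryptographic in it is a demo-scale stand-in that is an assumption of this example: the "secret-key algorithm" is a SHA-256 keystream with an HMAC tag rather than DES or IDEA, and the RSA modulus is built from two fixed Mersenne primes (92 bits, no padding) so that it runs without any library. The station names, the "ticket" layout and the nonce check are likewise assumptions, modelled on the Needham-Schroeder-style exchange that a key center performs.

```python
import hashlib
import hmac
import secrets

# Example code added to this page (not from the paper). All primitives are
# demo-scale stand-ins: a SHA-256 keystream plus HMAC instead of DES/IDEA, and
# textbook RSA on a 92-bit modulus instead of a 1024-bit padded key.

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode keystream: block i = SHA-256(key || nonce || i), XORed in."""
    out = bytearray()
    for i, start in enumerate(range(0, len(data), 32)):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[start:start + 32], block))
    return bytes(out)

def sym_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || HMAC tag; the tag is what detects tampering."""
    nonce = secrets.token_bytes(16)
    body = keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def sym_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("message authentication failed (wrong key or tampering)")
    return keystream_xor(key, nonce, body)

# Textbook RSA on two fixed Mersenne primes (2^31-1 and 2^61-1): toy size, no padding.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
PUBLIC_KEY, PRIVATE_KEY = (N, E), (N, D)
SESSION_KEY_BYTES = 11            # 88-bit session key: as an integer it is below N

def rsa_apply(key, value: int) -> int:
    n, exponent = key
    return pow(value, exponent, n)

def hybrid_send(recipient_public, message: bytes):
    """Bulk data under a fresh session key; the session key under the PUBLIC key."""
    session_key = secrets.token_bytes(SESSION_KEY_BYTES)
    wrapped = rsa_apply(recipient_public, int.from_bytes(session_key, "big"))
    return wrapped, sym_encrypt(session_key, message)

def hybrid_receive(recipient_private, wrapped: int, body: bytes) -> bytes:
    """Only the PRIVATE key unwraps the session key; then that key opens the body."""
    session_key = rsa_apply(recipient_private, wrapped).to_bytes(SESSION_KEY_BYTES, "big")
    return sym_decrypt(session_key, body)

def receive_fails(key, wrapped: int, body: bytes) -> bool:
    """True if decryption is rejected (wrong key, or an altered body)."""
    try:
        hybrid_receive(key, wrapped, body)
        return False
    except (ValueError, OverflowError):
        return True

# Central key distribution facility: each station shares a master key with the
# center only; the center hands out a session key sealed under each master key.
class KeyCenter:
    def __init__(self, master_keys: dict):
        self.master_keys = master_keys          # the list known only to the center

    def session_key_for(self, a: str, b: str, nonce: bytes) -> bytes:
        ks = secrets.token_bytes(32)
        ticket_for_b = sym_encrypt(self.master_keys[b], a.encode() + b"|" + ks)
        # A's copy binds A's nonce and B's name, so an old reply cannot be replayed to A.
        return sym_encrypt(self.master_keys[a], nonce + b.encode() + b"|" + ks + ticket_for_b)

def station_a_unpack(master_a: bytes, reply: bytes, nonce: bytes, peer: str):
    plain = sym_decrypt(master_a, reply)
    if plain[:len(nonce)] != nonce:
        raise ValueError("stale or replayed reply from key center")
    name, _, rest = plain[len(nonce):].partition(b"|")
    if name.decode() != peer:
        raise ValueError("reply is for a different peer")
    return rest[:32], rest[32:]              # session key, ticket to forward to B

def station_b_unpack(master_b: bytes, ticket: bytes):
    name, _, ks = sym_decrypt(master_b, ticket).partition(b"|")
    return name.decode(), ks                 # who wants to talk, and the session key

def run_kdc_exchange(master_keys=None, a="1", b="3") -> bool:
    master_keys = master_keys or {a: secrets.token_bytes(32), b: secrets.token_bytes(32)}
    center = KeyCenter(master_keys)
    nonce = secrets.token_bytes(8)
    reply = center.session_key_for(a, b, nonce)
    ks_a, ticket = station_a_unpack(master_keys[a], reply, nonce, b)
    peer, ks_b = station_b_unpack(master_keys[b], ticket)
    return peer == a and ks_a == ks_b        # both ends now hold the same session key

if __name__ == "__main__":
    wrapped, body = hybrid_send(PUBLIC_KEY, b"wire transfer 1000 USD")
    print(hybrid_receive(PRIVATE_KEY, wrapped, body), run_kdc_exchange())
```

The point of `receive_fails` is the error in the hybrid description: applying the public exponent to the wrapped key, as the paper's wording suggests, yields garbage, and the HMAC on the body then rejects it. In the key-center half, note what the center never sees in the clear on the wire and what it does hold: every master key and every session key it ever issued, which is why that host must be the best protected in the network.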
In a hybrid network, there is communication between a large number of secondary stations and a single main station, all using separate master keys. A few stations intercommunicate with each other.

Figure 4  A Hybrid Network
(secondary stations 1, 2 and 4 attached to station 3, and 6, 7 and 8 attached to station 5, each link under its own master key K1 to K7, with stations 3 and 5 also linked; diagram not reproduced)

Figure 5  A Central Key Distribution Facility
(stations 2, 3 and 4 each share a separate master key, K1 to K3, with central station 1; diagram not reproduced)

It would seem preferable to use a public-key system for cryptography because of its versatility. It is, however, slower than the equivalent private key cryptosystems by several orders of magnitude. The new Cray T3-100 machine can do 3 trillion operations a second; think how that will affect cryptographic searches in the future. The hybrid system uses the best of both kinds of systems. The speed advantage of private key cryptography is used for encrypting and transmitting the bulk data. Public key transactions are reserved for the smaller transmissions. A typical combination (for a hybrid) is to employ the public (two-key) system for distributing the private (session) keys and the private-key system for the bulk data.

The central key facility is useful when it is undesirable to entrust individual stations with control of cryptographic keys. Two stations wishing to communicate request a session key from the central station. The key generated at the central station is sent to both stations, encrypted in each station's master key. The master key list is known only to the central station. [HUTT] The central station is therefore a single point of compromise and of failure: anyone who obtains its master key list can read every session key it issues, so it must be the best protected host in the network.

IMPLEMENTATION CONSIDERATIONS

Media. Cryptography can take place in software, hardware, or firmware. The least efficient and cheapest medium is software.

Configurations.
In-line, off-line, embedded, and stand-alone are four different configurations, each with its own requirements, that need to be considered when implementing cryptosystems.

1. In-line. The communications equipment is external to the cryptosystem. The hand-off to the communications device occurs after encryption.
2. Off-line. The source controls all encryption, storage, and communications facilities.
3. Embedded. Configurations may be off-line or on-line. The main requirement is that the cryptographic module be embedded in, or contained within, the computer and its interface.
4. Stand-alone. These require that the cryptographic module be separately enclosed outside of the host and physically secured.

NIST FIPS 140-1, "Security Requirements for Cryptographic Modules," describes four levels of security ranging from commercial grade (Level 1) to penetration/tamper resistant (Level 4).

ONE-TIME PAD

The question of "unbreakable" mathematical ciphers might be posed at this juncture. Let's look at the famous one-time pad and see what it offers. [NIC1]

The one-time pad is truly an unbreakable cipher system. There are many descriptions of this cipher; one of the better ones is by Bruce Schneier. [SCHN] It consists of a non-repeating, truly random key of letters or characters that is used just once. The key is written on special sheets of paper and glued together in a pad. The sender uses each key letter on the pad to encrypt exactly one plaintext letter or character. The receiver has an identical pad and uses the key on the pad, in turn, to decrypt each letter of the ciphertext. [SHAN] Each key is used exactly once and for only one message. The sender encrypts the message and destroys the pad's page. The receiver does the same thing after decrypting the message. New message, new page, and new key letters/numbers each time. The one-time pad is unbreakable both in theory and in practice, provided the key is truly random, as long as the message, never reused, and kept secret.
Interception of ciphertext does not help the cryptanalyst break this cipher. No matter how much ciphertext the analyst has available, or how much time he has to work on it, he can never solve it. [KAHN] The reason is that no pattern can be constructed for the key. The perfect randomness of the one-time system nullifies any effort to reconstruct the key or plaintext via horizontal or lengthwise analysis, via cohesion, via reassembly (such as Kasiski or Kerckhoffs columns), via repeats, or via internal framework erection. [KAHN], [NIC1], [SCHN] Brute force (trial and error) might bring out the true plaintext, but it would also yield every other text of the same length, and there is no way to tell which is the right one. The worst of it is that the possible solutions increase as the message lengthens. Supposing the key were stolen, would this help to predict future keys? No, because a random key has no underlying system to exploit. If it did, it would not be random. [KAHN] A random key sequence XORed with a non-random plaintext message produces a completely random ciphertext message, and no amount of computing will change that. [SCHN] The one-time pad can be extended to the encryption of binary data: instead of letters, we use bits. [SCHN]

FRESH KEY DRAWBACK

The one-time pad has a drawback: the quantity of fresh key required. For military messages in the field (a fluid situation) a practical limit is reached. It is impossible to produce and distribute sufficient fresh key to the units. During WWII, the US Army's European theater HQ transmitted, even before the Normandy invasion, 2 million five-letter code groups a day. It would therefore have consumed 10 million letters of key every 24 hours, the equivalent of a shelf of 20 average books. [KAH1], [FRAA] The temptation under such pressure is to reuse pad pages, and a reused page is exactly what breaks the system: two messages under the same key XOR to the XOR of the two plaintexts, and the key has dropped out.

RANDOMNESS

The real issue for the one-time pad is that the keys must be truly random. Attacks against the one-time pad must be against the method used to generate the key itself.
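The brute-force ambiguity and the fresh-key requirement above, as an added example that is not part of the original paper. It is Python on constructed messages: it shows that a ciphertext is consistent with some pad page for every candidate plaintext of the same length, and what an analyst recovers the moment one page is used twice (the "crib dragging" routine and the sample messages are assumptions of this example).

```python
import secrets

# One-time pad over bytes: each key byte is XORed with exactly one message byte.
# Example code added to this page; the messages in demo() are constructed for it.

def fresh_key(length: int) -> bytes:
    """A new page of pad: truly random bytes from the OS entropy source."""
    return secrets.token_bytes(length)

def otp(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (XOR is its own inverse). The page must match the
    message length exactly: there is no 'remaining' key to fall back on."""
    if len(key) != len(data):
        raise ValueError("pad page must be exactly as long as the message")
    return bytes(k ^ d for k, d in zip(key, data))

def key_explaining(ciphertext: bytes, claimed_plaintext: bytes) -> bytes:
    """For ANY claimed plaintext of the right length there is a pad page that
    turns the ciphertext into it. This is why brute force yields 'every other
    text of the same length' and cannot single out the true one."""
    return otp(ciphertext, claimed_plaintext)

def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """If one page encrypted two messages, c1 XOR c2 == p1 XOR p2: the key
    cancels and the analyst is left with a plaintext-on-plaintext problem."""
    return otp(c1, c2)

def crib_drag(p1_xor_p2: bytes, crib: bytes):
    """Slide a guessed word (crib) along p1 XOR p2. Wherever the crib is right,
    XORing it back exposes the other message's bytes at that offset, which
    shows up as readable text. Returns (offset, recovered_fragment) candidates."""
    hits = []
    for offset in range(len(p1_xor_p2) - len(crib) + 1):
        window = p1_xor_p2[offset:offset + len(crib)]
        fragment = otp(window, crib)
        if all(32 <= b < 127 for b in fragment):   # printable ASCII only
            hits.append((offset, fragment))
    return hits

def demo() -> dict:
    p1 = b"ATTACK AT DAWN"                   # constructed sample messages, same length
    p2 = b"HOLD POSITIONS"
    page = fresh_key(len(p1))
    c1, c2 = otp(page, p1), otp(page, p2)    # the same page used twice: the mistake
    leak = two_time_pad_leak(c1, c2)
    alibi = key_explaining(c1, b"RETREAT AT TEN")   # a page that 'proves' another text
    return {
        "roundtrip": otp(page, c1) == p1,
        "alibi_key_works": otp(alibi, c1) == b"RETREAT AT TEN",
        "leak_is_p1_xor_p2": leak == otp(p1, p2),
        "crib_hits": crib_drag(leak, b"ATTACK"),
    }

if __name__ == "__main__":
    print(demo())
```

With a fresh page per message, `crib_drag` has nothing to work on; with a reused page it recovers "HOLD P" at offset 0 from the guess "ATTACK" whatever the key was, because the key is no longer in the equation.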
Pseudo-random number generators don't count; often they have non-random properties. [SCHN] Reference [SCHN], Chapter 15, discusses in detail random sequence generators and stream ciphers. I take exception to his remarks regarding keyboard latency measurement. People's typing patterns are anything but random (especially us two-finger types). [SCHN] [MART]

PRETTY GOOD PRIVACY (PGP)

This system is a public-key (hybrid) system written by Philip Zimmermann that draws upon the International Data Encryption Algorithm (IDEA) for bulk encryption and the RSA algorithm for key exchange and signatures. It has become by far the de facto standard for the Internet and the public. NSA has not endorsed it. Amateurs swear by it. It appears to be out of the legal-hassle mode. The most recent version is PGP Mail 4.5. Think of it as a tinkertoy.

PRIVACY ENHANCED MAIL (PEM)

A system that uses both message encryption and digital signatures, PEM encrypts messages and authenticates senders of E-mail. PEM was a child of DARPA and uses DES on the front end for encryption and RSA for sender authentication. Trusted Information Systems introduced it commercially. The federally funded Clipper/Skipjack is now recommended as a substitute for PEM. [SCH1]

KEY MANAGEMENT AND DISTRIBUTION

Key management involves the secure generation, distribution, storage, journaling, and eventual disposal of encryption keys. The adequacy of key management is a significant factor in using encryption as a security method. Keys can be distributed via escorted courier, via magnetic media, or via master keys that are then used to protect or generate additional keys. Cryptographically protected data is only as secure as the encryption keys. The entire system can be compromised by the theft, loss, or compromise of a key. Standards for key management have been developed by ISO, ANSI, the federal government, and the American Bankers Association (ABA). Key management is crucial to maintaining good, cost-effective, and secure communications between a large number of users.
DIGITAL SIGNATURES AND NOTATIONS

RSA (described previously) and the Digital Signature Algorithm (DSA) are the best known digital signature algorithms. The latter was invented by NSA and approved for government use; NIST has supported the DSA algorithm. Both are tools for authenticating the origin of a message and the identity of the sender. A digital signature (produced by a mathematical algorithm) is unforgeable, verifies the signer, is not reusable on another document, cannot be repudiated, and proves that the signed document was not altered after signing. DSA is specified in FIPS PUB 186, "Digital Signature Standard," and signs a message digest produced by the Secure Hash Algorithm (SHA), which is described in FIPS PUB 180, "Secure Hash Standard." The DSA is based upon the T. ElGamal signature system and newer work by C. Schnorr. All these systems rely for their security on a problem known as the discrete logarithm. Given a base m and an exponent a, it is easy to compute m**a mod p, where p is a prime number. But given another value n, it is difficult, and for large p infeasible, to discover a value of a such that m**a mod p = n. That is, it is hard to take the discrete log of n. [SC90], [WAYN], [MENE]

DISCRETE LOG SIGNATURE SCHEMES

One of the more significant signature schemes uses the strength of the discrete log problem. Many of the digital cash systems on the Internet use this algorithm. No one knows an efficient way to reverse the computation g**a mod p if p is a large prime, g is a generator, and a is an integer. Reversing the computation means receiving g**a mod p and determining a. [WAYN] provides a concise description of this system.

The classic failure in many security systems comes when the attacker learns the password. (See Klein's attacks discussed in this paper.) The discrete log problem can also be used to build an authentication in which the password itself is never transmitted: the user proves knowledge of a secret exponent a by answering a random challenge, and an attacker who records the whole exchange gains "zero knowledge" of a, so he can neither replay it nor reconstruct the secret. Such a system is known as a challenge-and-response protocol. It is described in non-confusing terms in [WAYN].
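The challenge-and-response idea in the last paragraph, as an added example that is not from the paper or from [WAYN]: a Schnorr-style identification protocol in Python in which the prover's secret exponent x plays the role of the password and the verifier stores only y = g^x mod p. The group is generated at run time as a safe prime p = 2q + 1 with a generator g of order q; the 64-bit size, the Miller-Rabin test and the message names are assumptions made for the demo, and real deployments use parameters of 1024 bits or more.

```python
import secrets

# Schnorr-style challenge-and-response identification (example code added to this
# page, not from the paper). Parameter sizes are demo-scale assumptions.

def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin with a small-prime sieve in front."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_group(bits: int = 64):
    """Safe prime p = 2q + 1 and a generator g of the subgroup of prime order q."""
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            p = 2 * q + 1
            g = pow(2 + secrets.randbelow(p - 3), 2, p)   # a square has order q or 1
            if g != 1:
                return p, q, g

class Prover:
    """Holds the secret x (the 'password'); publishes only y = g^x mod p."""
    def __init__(self, p, q, g, secret=None):
        self.p, self.q, self.g = p, q, g
        self.x = secret if secret is not None else 1 + secrets.randbelow(q - 1)
        self.public = pow(g, self.x, p)

    def commit(self) -> int:
        self.r = 1 + secrets.randbelow(self.q - 1)    # fresh per run, never reused
        return pow(self.g, self.r, self.p)             # t = g^r mod p

    def respond(self, challenge: int) -> int:
        return (self.r + challenge * self.x) % self.q  # s = r + c*x mod q

class Verifier:
    """Knows only the public value y; issues a fresh random challenge each run."""
    def __init__(self, p, q, g, public):
        self.p, self.q, self.g, self.y = p, q, g, public

    def challenge(self) -> int:
        self.c = secrets.randbelow(self.q)
        return self.c

    def check(self, t: int, s: int) -> bool:
        # g^s == t * y^c (mod p)  because  g^(r + c*x) == g^r * (g^x)^c
        return pow(self.g, s, self.p) == (t * pow(self.y, self.c, self.p)) % self.p

def honest_run(params=None) -> bool:
    p, q, g = params or generate_group()
    prover = Prover(p, q, g)
    verifier = Verifier(p, q, g, prover.public)
    t = prover.commit()
    c = verifier.challenge()
    return verifier.check(t, prover.respond(c))

def replay_run(params=None) -> bool:
    """Eavesdropper records (t, c, s) from a good run and replays t and s."""
    p, q, g = params or generate_group()
    prover = Prover(p, q, g)
    verifier = Verifier(p, q, g, prover.public)
    t, c = prover.commit(), verifier.challenge()
    s = prover.respond(c)               # recorded transcript; reveals nothing about x
    verifier.challenge()                # fresh challenge for the attacker's attempt
    return verifier.check(t, s)         # accepted only if the new challenge equals c

def impostor_run(params=None) -> bool:
    """Someone who knows y but not x tries to answer with a secret of his own."""
    p, q, g = params or generate_group()
    victim = Prover(p, q, g)
    impostor = Prover(p, q, g)          # random x' != x (with overwhelming probability)
    verifier = Verifier(p, q, g, victim.public)
    t = impostor.commit()
    c = verifier.challenge()
    return verifier.check(t, impostor.respond(c))

if __name__ == "__main__":
    group = generate_group()
    print("honest:", honest_run(group), "replay:", replay_run(group), "impostor:", impostor_run(group))
```

The transcript (t, c, s) that an eavesdropper sees is a random r masked by a random c, so it does not pin down x; a replay fails because the verifier's next c is different, and the response s is bound to the c that was asked. The toy group (p = 1019, q = 509, g = 4) in the test is only there to show the arithmetic; at that size the discrete log is trivial.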
CARTE A MEMOIRE (Memory Card)

The French invented the smart card, which contains a chip that processes information in protected memory. Smart cards are used for access control and for end-to-end encryption schemes.

CYBER NOTARIES

The American Bar Association has developed rules for electronic notaries for commerce that incorporate digital signatures. Ben Wright of NCSA is the leading authority on this kind of commerce.

KERBEROS

Among the commercial authentication systems, the most popular is Kerberos. Developed at MIT, it verifies the user and issues unique session keys for client/server communications via a ticket-granting server; it is the central key distribution facility of Figure 5 realized in software, with a key derived from the user's password serving as the master key shared with the center. Scientific American described the system accurately and vividly in August 1994. Kerberos is described in [WAYN], [VACC], [ATKI], and [MENE].

TEMPEST

This program was established in the 1950s to shield electronic equipment from electromagnetic emanations (Van Eck emissions) that could be intercepted and "read." TEMPEST is an evaluation program for electronic equipment. Electromagnetic emanations are contained via special shielding. [VACC] and [AMOR] describe the TEMPEST program.

CLIPPER/SKIPJACK CHIP CONTROVERSY REVISITED

When separated from the government's proposed implementation of Clipper/Skipjack, the concept of key escrow cryptography does have applicability for commercial use. Business managers fear possible extortion by unsavory employees who would hold corporate data for ransom by withholding encryption keys. Key escrow cryptography could eliminate this problem, but in addition to the friction created by the government's proposed implementation, there appear to be too many vulnerabilities involved with Clipper/Skipjack to make the system acceptable in its current form.

STEGANOGRAPHY

Peter Wayner presents an interesting look at another form of concealment, called steganography. It is the study of hiding messages in the excess bits of GIF and WAV files.
He advocates encrypting the message first, then introducing the information in the last one or two bits of each byte of a GIF file. There happens to be a lot of room in that type of file, and the human eye or ear cannot detect the minor change of about 1 bit in a byte. [WAYN]

WEB SECURITY AND COUNTERMEASURES

The Web represents a chaotic and exciting technology. It has become the security balancing act of the 90's. The Open User Recommended Solutions (OURS) consortium of 60 companies, led by Bellcore and Phillips Petroleum Company, published a tiered approach to commercial security in 1997. Their three-step procedure is a bit more than a white paper and is skewed toward the financial industry. It does have some interesting features. The OURS paper suggests the following procedure for the commercial user: 1) identify what its Web applications are for; 2) based on this stated use for the company Web site, identify the crucial threats; and then 3) map these threats to the appropriate protection technologies.

The OURS group divided commerce on the Web into three basic application types: advertising, secure Internet/intranet (further subdivided into informational and transactional categories), and electronic commerce. OURS suggested that there were nine basic threats to Web security (see Table 6) and that these threats could be countered by six safeguards (see Table 7). A rather surprising result from the OURS analysis was that a minority of consortium members felt that encryption was not sufficient to stop Web threats but needed to be combined with protection against data destruction, interference, repudiation, and inadvertent misuse. At the same time the OURS report suggested that their secure links were under attack (80% of the responses) by data interception and hackers, both of which are countered very effectively by strong encryption algorithms.
[OURS] Many of the OURS group felt that, with the help of passwords and controlled access, encryption was the best security countermeasure. Users on commercial Web servers must be authenticated, and the passwords they present should travel only in encrypted form.

TABLE 6  Nine Basic Threats To Web Sites (OURS)

1. Data destruction: loss of data on the Web site (through accident or malice) and interception of traffic (encrypted and unencrypted) going to or from the Web site.
2. Interference: the intentional rerouting of traffic or the flooding of a local Web server with inappropriate traffic in an attempt to cripple or crash the server.
3. Modification/replacement: altering of data on either the send or receive side of a Web transmission. The changes, whether accidental or not, can be difficult to detect in large transmissions.
4. Misrepresentation/false use of data: offering false credentials, passwords, or other data. Also included is posting a bogus or counterfeit home page to intercept traffic or attract it away from its intended destination.
5. Repudiation: an after-the-fact denial that an on-line order or transaction took place (especially for 1-800 or 1-900 services).
6. Inadvertent misuse: accidental but inappropriate actions by approved users.
7. Unauthorized altering/downloading: any writing, updating, copying, etc., performed by a person who has not been granted permission to conduct such activity.
8. Unauthorized transactions: any use by a non-approved party.
9. Unauthorized disclosure: viewing of Web information by an individual not given explicit permission to have access to this information.

TABLE 7  Six Best Weapons Against Security Threats (OURS)

1. User ID/authentication: ranges from simple passwords and callback systems to secure one-time passwords and challenge-response tokens (either hardware cards or software resident). Usage: all Web users.
2. Authorization: the network confirms identity and grants access.
Typical approaches include access control lists, authorization certificates, and directory services. Usage: secondary level of protection to prevent data modification.
3. Integrity control: aimed at the data, not the user. The two key methods are encryption and message authentication, which can ensure that the message has not been altered on the way to the receiver, though not that it has gone unread by someone else. Usage: excellent for validating secure Internet electronic commerce transactions.
4. Accountability: Web managers use various tools to monitor responsibility and ownership. Methods include audit trails, Web server logs, and receipts. Usage: accountability is the backbone of enforceable and traceable security policies and practices.
5. Confidentiality: the keystone of most Web security policies. The technology is aimed at preventing unauthorized disclosure, interception, or both. Encryption is the central safeguard. This can mean end-to-end encryption on the network as well as layered encryption of files, protocols, and secured links. Usage: these techniques are geared toward data content that must be held strictly off-limits to certain users.
6. Availability controls: protect the integrity and availability of the Web site itself. Technology includes virus protection software and backup/redundancy features. Usage: protection of the Web site and its associated data.

Security decisions will only become tougher as companies continue to exploit the power of the Web. Electronic commerce will especially aggravate the difficulties of setting just the right security policy. Two coming challenges are the use of Secure Electronic Transaction (SET) and high-level digital certification.

CONCLUSIONS

The need for computer security is increasing in the commercial arena. This need is especially great for firms doing business on the Internet or maintaining Web access. Tiger Teams are a cost-effective method of determining the vulnerabilities and the level of real security of these commercial computer systems.
For every attack there is a countermeasure. The most effective safeguard is encryption in layered formats. No safeguard will work unless it is part of a recognized system of international standards and procedures such as ISO 9000. As part of the security policy, a firm must use due care to monitor the results of its efforts for the sake of its customers.

APPENDICES

A. International Standards - Cryptographic Techniques

TABLE 8  ISO Standards for Generic Cryptographic Techniques

ISO #      Subject
-------------------------------------------------
8372       modes of operation for a 64-bit cipher
9796       signatures with message recovery (RSA)
9797       data integrity mechanism (MAC)
9798-1     entity authentication - introduction
9798-2     -- using symmetric encipherment
9798-3     -- using public-key techniques
9798-4     -- using keyed one-way functions
9798-5     -- using zero-knowledge techniques
9979       register of cryptographic algorithms
10116      modes of operation for an n-bit cipher
10118-1    hash functions - introduction
10118-2    -- using block ciphers
10118-3    -- customized algorithms
10118-4    -- using modular arithmetic
11770-1    key management - introduction
11770-2    -- symmetric techniques
11770-3    -- asymmetric techniques
13888-1    non-repudiation - introduction
13888-2    -- symmetric techniques
13888-3    -- asymmetric techniques
14888-1    signatures with appendix - introduction
14888-2    -- identity-based mechanisms
14888-3    -- certificate-based mechanisms
-------------------------------------------------

TABLE 9  ANSI Encryption Standards and Banking Security Standards

ANSI #     Subject
-------------------------------------------------
X3.92      data encryption standard (DEA)
X3.106     data encryption algorithm (DEA) modes
X9.8       PIN management and security
X9.9       message authentication (wholesale)
X9.17      key management (wholesale; symmetric)
X9.19      message authentication (retail)
X9.23      encryption of messages (wholesale)
X9.24      key management (retail)
X9.26      sign-on authentication (wholesale)
X9.28      multi-center key management (wholesale)
X9.30-1    digital signature algorithm (DSA)
X9.30-2    secure hash algorithm (SHA) for DSA
X9.31-1    RSA signature algorithm
X9.31-2    hashing algorithm for RSA
X9.42      key management using Diffie-Hellman
X9.45      attribute certificates and other controls
X9.52      triple DES modes of operation
X9.55      certificate extensions (v3) and CRLs
X9.57      certificate management
-------------------------------------------------

TABLE 10  ISO Banking Security Standards ((W) wholesale, (R) retail)

ISO #      Subject
-------------------------------------------------
8730       message authentication - requirements (W)
8731-1     message authentication - CBC-MAC
8731-2     message authentication - MAA
8732       key management/symmetric (W)
9564       PIN management and security
9807       message authentication (R)
10126      message encipherment (W)
10202-7    key management for smart cards
11131      sign-on authentication
11166-1    key management/asymmetric - overview
11166-2    key management using RSA
11568      key management (R), in 6 parts
-------------------------------------------------

TABLE 11  ISO Security Architectures and Frameworks

ISO #      Subject
-------------------------------------------------
7498-2     OSI security architecture
9594-8     authentication framework (X.509)
10181      OSI security frameworks
-------------------------------------------------

TABLE 12  U.S. Government Standards

FIPS #     Subject
-------------------------------------------------
46-2       DES
74         guidelines for using DES
81         DES modes of operation
112        password usage
113        data authentication (CBC-MAC)
140-1      cryptographic module security requirements
171        key management using X9.17
180-1      secure hash standard (SHA-1)
185        key escrow (Clipper and SKIPJACK)
186        digital signature standard (DSA)
JJJ        entity authentication (asymmetric)
-------------------------------------------------

TABLE 13  Selected Internet RFCs

RFC #      Subject
-------------------------------------------------
1319       MD2 hash function
1320       MD4 hash function
1321       MD5 hash function
1421       PEM - encryption, authentication
1422       PEM - certificates, key management
1423       PEM - algorithms, modes, identifiers
1424       PEM - key certification services
1508       generic security service API
1510       Kerberos V5 network authentication
1828       keyed MD5 (as MAC)
1847       security multiparts for MIME
1848       MIME object security services (MOSS)
1938       one-time password system
-------------------------------------------------

TABLE 14  PKCS Specifications

PKCS #     Subject
-------------------------------------------------
1          RSA encryption standard
3          Diffie-Hellman key-agreement standard
5          password-based encryption standard
6          extended-certificate syntax standard
7          cryptographic message syntax standard
8          private-key information syntax standard
9          selected attribute types
10         certification request syntax standard
11         cryptographic token interface standard
-------------------------------------------------

B. Trusted Information Systems

Cryptography is big business. Trusted Information Systems (TIS) conducted a survey of companies making products that employ cryptography both within and outside the U.S. TIS identified 1372 products worldwide as of 1/1/97.
The detailed products listing and company contact information may be found at: http://www.tis.com/crypto/

REFERENCES

[AMOR] Edward Amoroso, "Fundamentals of Computer Security Technology," Prentice Hall PTR, Upper Saddle River, NJ, 1994.
[ATKI] Derek Atkins, et al., "Internet Security: Professional Reference," New Riders Publishing, Indianapolis, IN, 1996.
[ATTA] C. R. Attanasio, et al., "Penetrating an Operating System: A Study of VM/370 Integrity," IBM Systems Journal, Vol. 15, No. 1, 1976.
[BAUE] F. L. Bauer, "Decrypted Secrets: Methods and Maxims of Cryptology," Springer, Berlin, 1997.
[BISB] R. Bisbey, G. Popek, and J. Carlstedt, "Protection Errors in Operating Systems," USC Information Sciences Institute, 1978.
[EELL] Richard Eells and P. Nehemkis, "Corporate Intelligence and Espionage," Macmillan, London, 1984.
[FCST] Edward Amoroso, "Fundamentals of Computer Security Technology," Prentice Hall, Englewood Cliffs, NJ (same work as [AMOR]).
[FRAN] Charles E. H. Franklin, "Business Guide to Privacy and Data Protection Legislation," ICC Publishing, Kluwer Law International, The Hague, 1996.
[FRE1] William F. Friedman and Lambros D. Callimahos, "Military Cryptanalytics, Part I, Volume 1," Aegean Park Press, Laguna Hills, CA, 1985.
[HOFF] Lance J. Hoffman, ed., "Building In Big Brother: The Cryptographic Policy Debate," Springer-Verlag, New York, 1995. (A useful and well-balanced book of cryptographic resource materials.)
[HOF1] Lance J. Hoffman, et al., "Cryptography Policy," Communications of the ACM, Vol. 37, 1994, pp. 109-117.
[HOF3] L. J. Hoffman, ed., "Rogue Programs: Viruses, Worms, and Trojan Horses," Van Nostrand Reinhold, New York, 1990. ISBN 0-442-00454-0. xii+384 pp. Index.
[HUTT] A. E. Hutt, S. Bosworth, and D. B. Hoyt, eds., "Computer Security Handbook," 3rd ed., John Wiley & Sons, New York, 1995. ISBN 0-471-01907-0.
[KAHN] David Kahn, "The Codebreakers," Macmillan, New York, 1967.
[KARG] P. A. Karger and R. R. Schell, "Multics Security Evaluation: Vulnerability Analysis," ESD-TR-74-193, Electronic Systems Division, USAF, Hanscom Air Force Base, Bedford, MA, 1974 (NTIS AD A001120).
[KENN] Ellen Alderman and Caroline Kennedy, "The Right to Privacy," Alfred A. Knopf, New York, 1995.
[KRAU] Leonard Krauss and Aileen MacGahan, "Computer Fraud and Countermeasures," Prentice Hall, New York, 1979.
[LDF] Lincoln D. Faurer, "Computer Security Goals of the Department of Defense," Computer Security Journal, Summer 1984.
[LYON] Frank Lyons, "A Network Security Review," Infosecurity News, Vol. 8, No. 2, March/April 1997.
[MART] James Martin, "Security, Accuracy, and Privacy in Computer Systems," Prentice Hall, New York, 1973.
[MCCA] Vance McCarthy, "Web Security: How Much is Enough?", Datamation, Vol. 43, No. 1, January 1997.
[MENE] Alfred J. Menezes, P. C. van Oorschot, and S. A. Vanstone, "Handbook of Applied Cryptography," CRC Press, 1997.
[NIC1] Randall K. Nichols, "Classical Cryptography Course, Volume I," Aegean Park Press, C-74, Laguna Hills, CA, 1996. ISBN 0-89412-263-0, 350 pp.
[NIC2] Randall K. Nichols, "Classical Cryptography Course, Volume II," Aegean Park Press, C-76, Laguna Hills, CA, 1997. ISBN 0-89412-264-9, 451 pp.
[NIC3] Randall K. Nichols, "Keynote Speech: Effective Directions in Cryptography," ACA Convention, Portland, Oregon, 1995.
[NIST] James Nechvatal, "Public-Key Cryptography," NIST Special Publication 800-2, Security Technology Group, National Computer Systems Laboratory, National Institute of Standards and Technology, Gaithersburg, MD 20899, 1991.
[OP20] "Course in Cryptanalysis," OP-20-G, Navy Department, Office of the Chief of Naval Operations, Washington, 1941.
[OREI] Deborah Russell and G. T. Gangemi Sr., "Computer Security Basics," O'Reilly & Associates, 1991.
[OURS] Vance McCarthy, "Web Security: How Much is Enough?", Datamation, Vol. 43, No. 1, January 1997 (same article as [MCCA]).
[RHEE] Man Young Rhee, "Cryptography and Secure Communications," McGraw-Hill, 1994.
[ROSL] L. J. Rose, "NetLaw: Your Rights in the Online World," Osborne/McGraw-Hill, New York, 1994. ISBN 0-07-882077-4. xx+372 pp. Index.
[ROSN] K. S. Rosenblatt, "High-Technology Crime: Investigating Cases Involving Computers," KSK Publications, San Jose, CA, 1995. 603 pp. + diskette.
[SANS] M. D. Crabb, SANS, Bethesda, MD, 1997.
[SC90] C. P. Schnorr, "Efficient Signature Generation for Smart Cards," in Advances in Cryptology - CRYPTO '89 Proceedings, Springer-Verlag, 1990.
[SCHN] Bruce Schneier, "Applied Cryptography: Protocols, Algorithms, and Source Code in C," 2nd ed., John Wiley & Sons, 1996.
[SCH1] Bruce Schneier, "E-Mail Security," John Wiley & Sons, 1995.
[SCH1] W. Schwartau, "Information Warfare: Chaos on the Electronic Superhighway," Thunder's Mouth Press, New York, 1994. ISBN 1-56025-080-1. 432 pp. Index.
[SCH2] W. Schwartau, "Information Warfare," 2nd ed., Thunder's Mouth Press, New York, 1997. 600 pp. Index.
[SHAN] C. E. Shannon, "Communication Theory of Secrecy Systems," Bell System Technical Journal, Vol. 28, October 1949.
[SISI] C. C. Pierce, "Cryptoprivacy," self-published, Ventura, CA, 1995.
[STIN] D. R. Stinson, "Cryptography: Theory and Practice," CRC Press, London, 1995.
[VACC] John Vacca, "Internet Security Secrets," IDG Books, New York, 1996.
[VERN] G. S. Vernam, "Cipher Printing Telegraph Systems for Secret Wire and Radio Telegraphic Communications," Journal of the American Institute of Electrical Engineers, Vol. 45, pp. 109-115, 1926.
[WAYN] Peter Wayner, "Disappearing Cryptography," Academic Press, New York, 1996.
[WAY1] Peter Wayner, "Digital Cash: Commerce on the Net," AP Professional, New York, 1996.
[WELS] Dominic Welsh, "Codes and Cryptography," Oxford Science Publications, New York, 1993.
[WOOD] C. C. Wood, "Information Security Policies Made Easy: A Comprehensive Set of Information Security Policies," Version 4, Baseline Software, Sausalito, CA, 1994. ISBN 1-881585-01-8. 109 pp. Diskette available.

ABOUT THE AUTHOR

Randall K.
Nichols has 32 years of foreign and domestic project experience in a wide variety of leadership roles in the consulting, engineering, construction, chemicals and raw metals industries. Mr. Nichols is president of COMSEC SOLUTIONS, a consulting firm specializing in cryptographic countermeasures applied to commercial computer security problems. Mr. Nichols has served as President (1994-1996) and Vice President (1992-1994) of the American Cryptogram Association (ACA), which since its formation in 1929, has been devoted to the pursuit of classical and recreational cryptography. Mr. Nichols is presently Aristocrats' Department Editor for ACA's bimonthly publication "The Cryptogram". Mr. Nichols also serves as Cryptology Section Leader for the National Computer Security Association, (NCSA) Compuserve Forum. He is considered an expert in the field of Classical Cryptography. Mr. Nichols is the author of the definitive textbooks "Classical Cryptography Course, Volumes I and II, published in 1996 and 1997 respectively. He has published papers on German, Russian, French, English cryptography and the famous ENIGMA cipher machine. Between 1995 - 1996, he taught a successful on-line Internet course in cryptography to 461 students. Mr. Nichols holds a BSCHE degree from Tulane University, New Orleans, LA. (1967), a MBA from University of Houston, Houston, TX (1970) and a MSCHE from Texas A & M University, Kingsville, TX (1991). In 1995, Mr. Nichols was awarded a 2'nd Degree Black Belt in Tae Kwon Do (Korean Karate) by the Moo Duk Kwan International and the American Korean Tae Kwon Do Associations. He teaches Tae Kwon Do Self-Defense and Rape-Defense courses in Corpus Christi, Texas in his spare time.