TABLE OF CONTENTS

   

LIST OF TABLES

      

      

1.1  System Functions

1. Data archiving, query and access capabilities using object-oriented technologies.
2. Multimedia (text, voice, video) data exchange (one-to-one and one-to-many) via Internet electronic mail.
3. Text sharing, and editing/display capabilities, with simultaneous voice exchange via Internet.
4. Videoconferencing via the Internet.
5. Functions in 2-4 above via remote access (modems and satellite).
6. Internet Web access, publishing, editing, and display capabilities.
7. Best practices security for the above transactions, including firewalls and Common Object Request Broker Architecture (CORBA) 2.0 secure object management methodologies.

1.2  Hardware

1. A Windows NT server.
2. Modem connection to remote clients to the Windows NT server.
3. A Mail List Manager (Major domo).
4. LAN line backbone.
5. Local client IBM-compatible PCs.
6. Sun SPARCstation-5 local client and ICN CALS Repository workstation.
7. A Xyplex Maxserver 6220 Remote Router and an NEC N6450 Digital Service Unit (DSU) link to the Internet and DoD systems.
8. A Cisco 3000 Router and DataTel DCP 3080 Channel Service Unit/Digital Service Unit (CSU/DSU) local connection to the Corporate Wide Area Network (WAN) and the Internet.

1.3  Software

1. PKINet rolling code generation/authentication software.
2. Checkpoint Firewall-1 software.
3. Smart agent firewall and accessory application software (under development in the Knowledge Interchange Format (KIF) and Cyc languages).
4. Solaris 2.4, Linux, and Microsoft NT 3.51 operating system software.
5. Oracle 7.1.4 database query software.
6. Expersoft X­Shell and Iona Orbix object request broker (ORB) software.
7. MOREPlus multimedia database access software.
8. Netscape Web Browser software for Internet access.
9. Samba Internet file sharing software.
10. Java Internet compatible object oriented executable language software.
11. CUSeeMe videoconferencing software.
12. Powwow document and voice file sharing (one-to-many) groupware.
13. Elementrix Password One-Time Pad secure E­Mail software.
14. Pretty Good Privacy (PGP) text and voice encryption software.

The distribution of the software among the hardware devices is summarized in Tables 1.3­1 through 1.3­5.

      

Computer security for the ICN, Internet, National Information Infrastructure (NII), and Global Information Infrastructure (GII) for use in EC/EDI are all related topics. Computer security in this context is jointly determined by a combination of national and international standards, available technologies, industry offerings of these technologies, financial community and public acceptance of security capabilities, and, of course, Government interests, including security, defense, law enforcement, and social policy administration issues from tax collection to social security administration. Security policies and technologies are still in a state of great flux, so computer security mechanisms relevant to CALS are not likely to be well-defined in the very near future. Rather, they are likely to evolve through a life-cycle as implied in the description of CALS as a continuous "life-cycle" approach to program development and support.

2.1  International and Internet Computer Security Programs

The security needs required by the ITSEC international commercial computer security recommendations are fundamental, and essentially mirror those required of DoD and CALS systems as well (Reitenspiess, 1993):  

1. Confidentiality,
2. Access control,
3. Integrity,
4. Authentication,
5. Availability,
6. Non-repudiation, and
7. Security management.

We focus in this document on overall security management, with emphasis on access control and authentication, which herein include coverage of the topics of confidentiality, integrity, availability, and non-repudiation.

Various means of meeting these security goals were attempted through development of computer security standards by Government and professional organizations (reviewed in McGillivary, 1994a,b). However, the rapid development of the Internet, and its even more rapidly expanding international and multimedia capabilities have placed security of the global information infrastructure in the hands of the Internet Engineering Task Force, which issues standards on security using a comment and response process similar to those of other organizations. Security measures for the present Internet are well reviewed in Schiller (1995), and standards may be found in Coyo (1995). The next generation Internet Protocol, IPng, contains several advances in the way it handles security that are noteworthy. The forthcoming IPng security advances are discussed below in the last section dealing with the ICN Life­cycle Security Plan, which includes plans for inclusion of these methods in the ICN as they become available.

2.2  Department of Defense and Federal Computer Security Programs

      

3.1  CALS EDI/ICN Information Security Policy

To meet MIL-STD­1840C requirements, a CALS security policy has been suggested that calls for two interacting security mechanisms:  1) universal labeling, using both DoD security labels and those appropriate for commercial data, and 2) a protocol for relating data object security access labels with user access rights (ibid., 1995). While DoD security labels are clear, there is no universal agreement on specific commercial data type labels; it is sufficient, however, to simply permit these other types of labels to be constructed, beginning with "Proprietary," "Copyrighted," and similar concepts that can be added as needed. For the information that is likely to be exchanged via the CALS network, encryption security mechanisms discussed below help to minimize the need to belabor this point further. We will adopt the MIL­STD­1840C concept that it is the user's responsibility to select the level of information security for information exchanged across the ICN. In the case of CALS and the ICN, this security is principally achieved by encryption methods readily selectable as ICN GUI options.

The suggested CALS data object access label model is an "Is Below" (ibid., 1995). This is a type of role-based model that can be made as specific as necessary while allowing flexibility. We propose to implement this type of direct, simple, role-based data access model using object technology methods, which call for unique universal object labeling under the CORBA 2.0 object technology standard specifications formulated by the Object Management Group (OMG) in 1994. The "Is Below" model is not considered to be completely secure on an open system network because the possibility of spoofing can exist; however, it is generally considered adequate, and the easiest to organize and maintain. In part, this is because the relationship of data objects at different levels of access control can be mathematically defined, and thus rapidly validated.

The method required by the MIL-STD is thus not incompatible with current object management methods we propose, with one exception. The method for digital signature specification called for is that meeting National Institute for Standards and Technology (NIST) standards calling for use of the DoD Fortezza card encryption and hash algorithms, described in greater detail below (and in McGillivary, 1994a,b, and 1995a,b). It has been argued that this method is required because of the pseudo random method encryption keys use to encrypt messages; use of a digital signature standard provides an additional authentication check on the sender. If truly random encryption is used, decryption by pseudo random algorithm spoofing and guessing methods, that have recently developed as an important and available means to permit loss of computer communication security (e.g., Goldberg and Wagner, 1996; Schneier, 1996), become invalid. And the need for a digital signature may be considered redundant, and indeed, a security risk, as the digital signature itself is made using what some consider weak encryption algorithms (discussed further below). However, as a choice of encryption mechanisms must be provided in the ICN, and truly random quantum encryption methods are not available yet for all multimedia data types, methods permitting use of the U.S. federal Digital Signature Standard will be provided as an option for use where required or desired.

Beyond this, security policy will involve the points that follow below, as specified in the DoD TAFIM (DoD, 1994), and as proposed for the Generally accepted Computer Security Principles (GSSP) now under development as guidelines for international computer network security (Parker, 1995). The so-called pervasive GSSP principles are included in Table 3.1-1 for reference, and are all addressed in the following ICN security policies. Specifically we follow generally accepted security principles that call for the inclusion in computer security systems of 1) firewalls, 2) password sniffer-checking software, 3) single-use passwords, 4) virus­checking software, 5) intrusion detection and audit control software, 6) information encryption capabilities, 7) encryption of all time stamp data, 8) encryption of router diagnostic software, 9) disabling Internet Protocol (IP) address release in E-Mail functions for inappropriate service requests, 10) disabling of single superuser capabilities, 11) use of CORBA 2 compliant object technology software for centralized database security management, 12) uninterrupted power supply and replicate server backup systems, 13) vulnerability assessment, and 14) periodic security policy reviews.

3.2  Risk Analysis

3.3  Risk Management Plan

3.3.1  Access Control Management Plan

3.3.1.1  Access Control Policy and Role-based Access

Within the DoD Multi­level Information Systems Security Initiative (MISSI) program, four tiers of security access occur (ICE, 1995):

Most ICN users will only want to access information; however, ICN users wishing to post or update materials composing the ICN will be provided with a "second-tier" access role that will allow them to join mail lists or user groups by additionally registering for these services. Notices or other information can be posted or exchanged via these ICN forums without an additional password, although this will be provided as an ICN webmaster option. If ICN users wish to post material directly to the main ICN web page, they must forward it to the ICN Webmaster, who constitutes a "third-tier" access role. The system security officer(s) is the "fourth-tier" access role. Use of the Fortezza program technology (described below) has been judged sufficient to cover up to "Secret" levels of security by DoD officials (Constance, 1995a), so discussion of "multi-level" security roles is considered unnecessary as Fortezza security will be provided, and no information of a higher security level than "Secret" is anticipated for the ICN.

3.3.1.2  Passwords and PCMCIA Cards

A second ICN password encryption option will be the Power One-Time Pad (POTP) Secure Mail software (Elementrix Co., New York, NY) (Trowbridge, 1995a). Most encryption algorithms, including the federal Digital Signature Standard (DSS), RSA, and PGP, use pseudo random number generators for encryption keys (c.f. Plumb, 1994). This poses serious security concerns (c.f. Goldberg and Wagner, 1996). We prefer POTP Secure Mail software for ICN access control and encrypted password and data distribution because it uses truly random one-time symmetric encryption compatible with all hypermedia data, including video and Virtual Reality Modeling Language (VRML). Although this method encrypts an entire message, it may be considered to obviate the need for a separate digital signature. POTP Secure Mail software costs approximately $50-100, available for trial from the Elementrix web page, URL:http://draco.centerline.com:8080/~franl/crypto/one-time-pad.html

Two additional password encryption options are available to accommodate users wishing to make use of the U.S. federal DSS. One ICN password encryption option will use a commercial product, Crypto SmartDisc (Fisher International Systems), which uses DES and DSS on a 3.5" disk with a proprietary-design embedded circuit board. SmartDisc runs on standard computer drives, and is required on both ends of a transaction. It costs approximately $100; however, as of November 1995, the U.S. Post Office will distribute some cards free to the public for trial use (Sikorovsky, 1995e). Some of these cards can be made available for ICN registrants. We offer password encryption using the SmartDisc simply because it is likely to be a popular commercial method that ICN users may wish to employ.

Fortezza technology is the U.S. Government's solution to single-use password access and Digital Signature Standard capabilities for security up to the "Secret" level (Adams, 1994c; Constance, 1995a). Full Fortezza technology capability will be an option for password encryption on the ICN web page GUI screen in the first year. To provide this option, we will access the Fortezza technology from a PC-card reader accessory, the standard Government method. Fortezza operability on the ICN user side will be the users responsibility, as this capability is provided mainly for DoD or defense-related users who have access to this capability. The availability of both Netscape and Oracle software with Fortezza capabilities should make ICN users readily able to use Fortezza methods if so desired (Sikorovsky, 1995h).

3.3.1.3  Other Access Control Options

Other devices are more similar to the PCMCIA card in providing encryption capabilities as well. The PersonaCard 100 is National Semiconductors' PCMCIA contribution (Brown, 1994). The AX-400 (Information Resource Engineering, Baltimore, MD) is a secure PCMCIA modem that has been adopted for use by the Secret Service (Masud, 1995b), performing both authentication and encryption using the federally approved algorithms. CryptoCom (Western DataCom, Cleveland, OH) is a 28.8Kbit/s encrypting "pocket" modem that is used by the Internal Revenue Service and Department of Energy (DOE). It uses a small keypad for Personal Identification Number (PIN) entry and works with callback host security software (Masud, 1994). CardSecrets PC Card (Mobius Encryption Technologies, Toronto) is similar in providing U.S. Government-approved encryption, but also provides a choice of Rivest-Shamir-Adelman (RSA) and elliptic curve encryption algorithms (Menke, et al., 1995). This may be useful for the cautious:  the elliptic algorithms are statistically considerably more secure than the RSA algorithm, of which they are a variant (Demytko, 1993).

In summary, for the ICN access control, the method of choice among password generation/encryption options depends upon whether there is a need to include encryption of additional data as part of the access process. For most situations that CALS users would face, the Pretty Good Privacy algorithms, available as Internet freeware, are adequate for password and message encryption. This both reduces costs and provides considerable security for ICN users, but is useful only for text and voice messages. For multimedia data, the Power One-Time Pad Secure Mail option is the preferred method of generating single use encrypted passwords while also providing full multimedia message encryption capabilities. This avoids the need for other password control software (c.f. Rothke, 1995). To comply with Government regulations, Fortezza technology is available to provide similar capabilities, with perhaps weaker encryption. These methods of access control are important because single-use passwords are perhaps the greatest single step that can be taken to improve and assure computer security. A second key part of access controls and overall system security is the firewall.

3.3.1.4  Firewalls

Firewalls can be as simple as a screened router acting as a packet filter that refuses packets with specified addresses, protocols, or ports. Additional security is provided by the fact that only the router has an IP address, rather than each user having his own. Ideally, the router should also keep a record of its actions, perform dynamic packet filtering and routing (i.e., respond on-the-fly to reconfiguration by other rules), verify packet protocols by looking at the protocol messages are using, not just at the ports they are coming from, and finally, authenticate logons, possible via an independent server (Roberts, 1995; Trowbridge, 1995b). Router-based firewalls have problems screening certain network protocols:  FTP, DNS (Domain Name System), and X11 (UNIX windowing). Of these, a screened router firewall can deal with incoming FTP files by accepting only FTP files from specified ports or passing files to another server with a cut-down secure version of FTP, while DNS files can be ported in via a dual-server (public and private) arrangement. Protocols in X11 are usually simply rejected unless specifically unblocked (Bryan, 1995).

A more secure firewall is obtained by putting all security programs on one device, known as a bastion firewall, optimally a workstation. The bastion need only have a very limited operating system, with just the commands needed to pass information and no others. But it is often useful to include other security software as well. A bastion firewall can then include additional security software, not only anti-virus software, but also anti-password-sniffing software. The evolution of anti-virus software vendors into firewall vendors is not surprising; a good provider of sophisticated anti-virus and anti-virus activity scanning software, Norman Data Defense Systems, now provides much of the U.S. federal firewall software (Sikorovsky, 1995a). Norman's firewall software includes an additional security feature as well:  it scans all documents it deals with for specific words and syntax to prevent data passage - in or out of a network - of materials that are restricted. This additional security, termed type enforcement, is also provided by Sidewinder (Secure Computing Co., Roseville, MN), and provides an additional mechanism for protecting sensitive information, e.g., anything with the names of executives or products still under development (ibid., 1995b). Products such as Sidewinder include user identification and authentication as an essential part of their firewall activity, and provide real-time intrusion notification to security managers.

The need for firewalls to protect against spoofing of information packet IP addresses came to wider attention when it was discovered this was the method used by Kevin Mitnick to access the San Diego supercomputer facility (Power, 1995b). Firewalls by vendors such as Livingston Enterprises (Pleasanton, CA) provide such protection, which has become an essential feature of most commercial firewall products. The use of Kerberos protocols for authentication in a firewall has also been developed (see Cheswick and Bellovin, 1994b; Cobb, 1995). Authentication does not necessarily protect against tunneling, however. Tunneling is where one protocol is nested inside another and information is passed from the inside of an organization to the outside by an insider. To minimize this type of insider security breach, a third type of firewall, a circuit-level firewall, can be constructed to specifically monitor only outgoing packets and can be configured to indicate where problems of this sort arise (ibid., 1994b).

Encryption is also becoming more popular as a standard part of a firewall. The LAN Guardian Protector (Uunet Technologies, Falls Church, VA) provides an encryption chip as part of its firewall system; files routed there as requested or preconfigured are encrypted before passage by the firewall, with the chip providing the speed needed for on-the-fly encryption (Johnson, 1995). To facilitate security management, a growing trend in firewalls is the inclusion of flexible GUI management interfaces such as those found in FireWall-1 (CheckPoint Software Technologies, Lexington, MA), a firewall system selected to work with Sun workstations (Burnette, 1994; Dawson, 1995). Firewalls are also available for mobile users (e.g., EagleNomad from Raptor Systems, Waltham, MA:  Masud, 1995a), and more are appearing on the market as wireless becomes more popular.

Useful web pages and Internet forums such as Firewalls and the Firewalls Digest are readily available for assistance and for the latest information in setting up a firewall. On the Internet one can find freeware called "Screend" for packet-layer firewall construction, and application layer firewall freeware "Socks," and the Trusted Information Systems "Firewall Toolkit," all of which are useful (Bryan, 1995). Commercial firewall software does not come cheap, and freeware is risky unless expertly configured or highly restricted. Where information security is critical for applications such as routine FTP transfers from miscellaneous sites, a commercial firewall may well be necessary. For most CALS-related users, firewall freeware can be combined with anti­password sniffing and virus-checking software, and with the inclusion of authentication and encryption capabilities, sufficient security should be provided. If funds are available, FireWall­1 (CheckPoint Software Technologies, Lexington, MA) appears to be the preferred Government and commercial firewall that could be used for the ICN.

3.3.1.5  Firewall Security Testing and Intrusion Detection Systems

The DoD Defense Information Systems Agency (DISA) Center for Information Systems Security (CISS) Countermeasures Department maintains an Automated Systems Security Incident Support Team (ASSIST) which has a Vulnerability Assessment Program (VAAP), for security testing of DoD-related computer networks. We can request ASSIST perform an ICN VAAP as a firewall/intrusion detection systems check.

To provide an intrusion detection system, we will include the COURTNEY software on the firewall (http://ciac.llnl.gov/ciac.ToolsUnixNetMon.html#Courtney). When installed, COURTNEY alerts a system manager that someone is running SATAN on the system (Sikorovsky, 1995b). Most other intrusion detection software is proprietary and costly if purchased independently of firewall software. However, DoD efforts continue to focus on refining intrusion detection software through the use of artificial intelligence (Brewin, 1995). The Air Force's Distributed Intrusion Detection System (DIDS) continues to evolve in this regard (Constance, 1995b). Likewise, within DISA, the Center for Information Systems Security (CISS) has been given enhanced visibility and funding following a move to the Global Command Center, where its ASSIST personnel provide continuous system intrusion detection and response capabilities (Grimm, 1995). Both these groups have formed closer ties with academic and professional computer security organizations in the past year. From this association, software they are developing should become available for CALS and ICN applications relatively soon. Until readily usable intrusion detection shareware or freeware is available, we recommend using audit tracking software in the FireWall-1 firewall software (CheckPoint Software Technologies, Lexington, MA), if funds permit.

3.3.2  Authentication Management Plan

3.3.2.1  DoD Methods:  Fortezza Card and the Digital Signature Standard

The next generation Fortezza cards, available in 1996, will thus have the ability to switch among user-specified algorithms. It is presently unclear whether they will include the capability to use a family of encryption algorithms switched off in random sequence as has been recommended to improve security (Schneier, 1994). And while the change in Government policy regarding the Fortezza card improves selection among encryption algorithms, the problem of escrowed key management remains. Within the Government, a new system is being implemented for secure electronic distribution of encryption keys. The National Security Agency (NSA) is "Tier 0" in the key management system, as the source of keys which are distributed by an electronic keyring program, initiated by GTE, to the successively lower tiers:  the DoD hubs, bases, ships, and "warriors" (Adams, 1995a). This system is automatically employed by all Fortezza card users.

Federal encryption key management for the public sector was originally designed with the keys to be held by the Justice Department, to be released only under subpoena in accord with existing wiretap laws (Sessions, 1992). But the possibility of misuse of this scheme and uneasiness with Government management have delayed the so-called Public Key Infrastructure (PKI) (Power, 1995a). NIST efforts to mount a PKI program to use Fortezza cards to provide for a DSS collapsed in an era of budget cuts, in part due to the unpopularity of the Clipper and Capstone algorithms NIST proposed (Power, 1995c,d). But the need for a DSS remains, if only for the Federal Electronic Commerce Acquisition Team (FECAT) to use the Government electronic commerce scheme they envision in accord with the Presidential Mandate that electronic commerce be in place by 1997 (ibid., 1994; 1995a). Efforts by the FBI to promote DSS escrow methods (Munro, 1995b) are faltering due to the international nature of the Internet; meanwhile commercial, and public sector "half measures" are being suggested.

3.3.2.2  DoD Authentication Methods for the Public Sector

3.3.2.3  Commercial Off-The Shelf (COTS) Authentication Methods

A second problem deals with access rights by the Government to authentication information, and the related issue of privacy. As previously proposed, the Government could know where and when all access to the escrowed keys occurred even if it did not decrypt messages. A key escrow scheme for digital signatures that permits authentication but keeps the identity of the signer secret from the authentication authority has been suggested that addresses this problem. This so­called blind signature was proposed long ago (Chaum, 1983), but has only recently been attempted (Carmenisch, et al., 1994; Horster, et al., 1994). Both the initial and subsequent attempts at blind signatures have, in their turn, been demonstrated as flawed (Harn, 1995), thus a blind signature method does not yet appear to exist. This is of particular concern given the possibility of compromise or collusion of the authenticating authority in reading encrypted messages (Deutschland, 1995). This is so because message handling protocols refer to messages by their signatures, so-called signature nesting, as in service requests, including audit trails.

Storage of data with nested signatures in public key cryptosystems, including that of the widely used RSA algorithm, permits key spoof attacks, where a bogus message and a bogus key give the same signature as the real key and message; signatures may thus be compromised (Christianson and Low, 1995). The possibility that this might occur would perhaps seem remote were it not for a spate of cases in recent years where secrecy of Government­held computer systems and files has been compromised, from agencies as diverse as the Federal Bureau of Investigation, Central Intelligence Agency, DoD, and Internal Revenue Service, to name only a few. To counter this possibility, it is necessary to include only the public key of the signer within the body of the "nested signature"; this is sufficient to remove the possibility of a key spoofing attack (ibid., 1995). Previously developed access control and authentication methods for distributed systems can then be successfully put in place (c.f. Low and Christianson, 1994).

If the commercial DSS process is carried out as described above, and if signatures are authenticated by some proposed shared verification schemes (c.f. Harn, 1995), it has been shown that inclusion of a digital signature must still accompany more than a single piece of information used in the shared verification/authentication process to avoid the possibility of signature forging; i.e., it must appear with all objects transmitted (Horster, et al., 1995).

With proper attention to such methodical "fine points," shared authentication methods are presumably possible without the risk of compromise. It is noteworthy that cryptologists are only now developing formal logic mechanisms which appear at the present time to be secure - but such proposals are very recent, and it would be unwise to proceed until at least some further discussion and consideration of these proposed mechanisms has been developed. Meanwhile, Government policies on key escrow and authentication mechanisms remain to be formalized.

Official adoption of the practices described above (or similar ones) by key escrow agencies can be considered critical if truly blind digital signatures and secure distributed authentication are desired. The ability of the Government to perform key spoofing attacks to decrypt messages by key spoof attacks on nested signatures is then prevented. This may be considered a liability from the point of view of law enforcement agencies, which suggests development and adoption of truly blind signatures may be unlikely to be emphasized as official U.S. security policy for the National Information Infrastructure. But as part of the Global Information Infrastructure (GII), the issue is likely to arise because of the differences in U.S. and European privacy laws. In Europe, the development by the European Union of Secure Hyper-G (Flohr, 1995), and of the Secure Local Area Network Environment (SELANE)/AKI system proposed by the European Institute for System Security is clear evidence that the U.S. DSS is internationally unacceptable for secure authentication.

While we will provide the DSS for authentication, and because secure Hyper-G and the SELANE/AKI system are not yet in place, we therefore chose to use the authentication included in the Power One-Time Password Secure Mail software (Elementrix Co., New York, NY) that is also used for one-time password generation, as described above (Trowbridge, 1995c). Because this system uses truly random encryption, the passwords can be assumed to have the same security as a digital signature. As an alternative, we will also provide as an authentication option using the Crypto SmartDisc's 3.5" disk (Fischer, Co.) with DSS, which employs only the DSS portion of Fortezza technology. While this is not expensive (approximately $100), users would be required to possess their own systems for this method. Commercial browser authentication methods, such as those attempted without success to date by Netscape and others, despite recent security "fixes," still appear too great a security risk (c.f. URL http://www.c2.org/remail/by-www.html) for use by the ICN.

3.3.3  Hacker and Espionage Risk Management Plan

1. Installation of SATAN and COURTNEY freeware as part of the firewall software.
2. Securing router diagnostic software by encryption.
3. Use of anti-spamming software in the firewall software suite to reduce denial of service threats.
4. Disabling of single superuser capabilities.
5. Use of intrusion detection and audit tracking software as part of the firewall software suite.
6. Request of a Vulnerability Awareness Assessment Program (VAAP) examination of potential CALS/ICN system security weaknesses by the DoD Defense Information System Agency's Computer Information System Security office.

3.3.3.1  SATAN and COURTNEY

3.3.3.2  Router Security

Router makers are now including security auditing software as part of their product, as in the case of the inclusion of "Netstalker" router security software installed on Network Systems Company's (Minneapolis, MN) routers (Roberts, 1995). This software works with the company's "NetSentry" firewall software, and includes audit trail and real-time alert capabilities, but at a cost of $5,000. A similar router security product, the Defender Security Server, a server authentication software package from Digital Pathways (Mountainview, CA) that works with Novell NetWare and Microsoft Windows NT, uses a two-challenge response system to make sure users are who they say they are, and have not just intercepted access to a line. Cost for this software is $2,000 and up. A new technology that continually verifies the user's identify has been patented, but is not yet available (Lang, 1995). In the absence of reasonably inexpensive router protection systems, routers are still an easy target for hackers and espionage. Unsubstantiated claims such as "our router is hacker­proof because only it has an IP address," (Anon., 1995c), can only be viewed as marketing hype. We will investigate reinstalling router diagnostic software in an encrypted form to minimize router diagnostic spoofing as a means of illicit access to the ICN. This will be a goal of an improved security for the ICN by the end of next year.

3.3.3.3  Anti-spamming Software

3.3.3.4  Disabling Single Superuser Capabilities

3.3.3.5  Intrusion Detection/Audit Tracking Software

3.3.3.6  Vulnerability Assessment

3.3.4  Virus Risk Management Plan

Sophisticated search engine software can assist in looking for virus-like code, but virus encryption and high-level computer viruses can complicate matters (Magruder, 1994). A few simple, specific steps can be taken to modify virus-checking programs to improve their effectiveness for detection of Surrogate File Viruses (SFV) and Corresponding File Viruses (CFV) in firewall software such as inclusion of a program to abet a file integrity checker to detect a SFV to see if a corresponding Common Object Model (COM) file already exists in the current directory (a cause for suspicion of a CFV) (ibid., 1994). Other types of viruses are also becoming risks; for example, the capability of encoding viruses in graphics as unused color bits that could easily escape detection has been noted (Walton, 1995).

In the recent months, two new types of viruses have been spread over the Internet. In one case, the virus was an entirely new type, a macro virus written in Word Basic that infects Microsoft Word 6.0 documents rather than programs, and can be distributed in these documents over Internet to both PC and Mac machines; the second case was a virus that attacked executable directories and evaded virus-checking software by mutating with every infection (Alexander, 1995). Other viruses are said to reside in icons, activated by clicking on a web page somewhere in cyberspace.

The combination of agent technology and the Java executable language (or "virus implementation language" according to William Cheswick, in Wallich, 1995) increases the likelihood of security difficulties of this sort (Dibbell, 1995; Wallich, 1995). Indeed, the only difference between existing commercial agents written in Telescript language for General Magic Co., and "wild" viruses, both of which replicate across networks, is that the Telescript agents interact only with specific other control agents that must be resident, and Telescript has encryption-protected instructions inhibiting them from accidentally subverting control of a host machine (Dibbell, 1995). As agents become more popular in the future, security issues they involve will, along with those posed by Java, be important to monitor.

For now, the best methods are to install anti-virus software as part of server firewalls, and to use network management security software that monitors for virus-like activity and has the capacity to take appropriate actions when this form of intrusion is detected. It should be noted that real­time detection of virus activity is still widely considered problematic (c.f. Ladkin and Thimbleby, 1994). When smart agents are further developed, it should be possible to use them to monitor Internet sites where new virus data and anti-virus software updates are available. The most readily available virus shareware designed specifically for the detection of viruses potentially spread across the Internet is McAfee Associates (Santa Clara, CA, Phone 408­988­3832) WebScan ($45), which complements its other products, VirusShield and VirusScan (Leach, 1995). WebScan checks all E-Mail and documents downloaded over the Internet to assure they are not virus-infected by connecting to major browsers and intercepting and scanning the download and alerting the user if a problem is detected before allowing the download to proceed. It does not itself clean files, but can interface with other products if this is desired. It works with Mosaic, Netcom's Netcruiser, and Netscape's Navigator, and methods are underway to permit it to work with Microsoft's Internet Explorer. This software is available as on-line shareware, and will be sufficient for initial implementation. Later, DCN/ICN implementations will use smart agents to detect and eradicate new viruses.

3.3.5  Insider Risk Management Plan

3.3.6  Disasters and Systems Failure Risk Management Plan

3.4  Contingency Plan

3.4.1  In-House Contingency Response Plan

If these actions produce additional suspicion of a potential system security breach, we will review contingency procedures outlined in the "What To Do If Your Site Has Been Compromised" web page (Savage, 1995), at:  

http://www.cis.ohio-state.edu/hypertext/faq/usenet/computer-security/compromise-faq/faq.html.

If compromise seems likely, we will contact appropriate monitoring authorities, listed below.

3.4.2  External Assistance Contingency Response Plan

An Internet Engineering Task Force (IETF) security working group was begun in April 1994, and may also be contacted regarding contingency incident response; it merely provides a standardized information form for use by incident team responders and vendors. (See Table 3.4.2-1 for the Internet URL for the IETF's Incident Reporting form.) We will provide this form to the DISA ASSIST Team and/or other external advisors in case of a CALS/ICN computer security contingency.

Perhaps the best known of the FIRST teams is the Advanced Research Projects Agency-funded Computer Emergency Response Team (CERT), at Carnegie Mellon University. CERT recently announced it was "swamped" with work, however, and pending additional funding, wish to be considered a last resort for real emergencies (Sikorovsky, 1995c). If required, we could follow the CERT contact procedures in case of a contingency outlined in Fithen and Fraser (1994). Other no-cost contingency response options include the Federal Bureau of Investigation's National Computer Crime Squad, whose Computer Analysis and Response (CART) team offers assistance if computers are suspected to have been used to commit a crime (theft, espionage, fraud, etc.).

In addition to these groups, there are non­Governmental computer incident, advisory, and response groups that include the National Computer Security Association (NCSA), ASIS (the American Society for Industrial Security), and the ACM and IEEE professional society interest groups on this subject. Additional information on references to assistance might be sought from the National Computer Security Center (NCSC) computer system, called DOCKMASTER, which integrates all federal computer security information, including that for DoD and other agencies. (NCSC does not itself assist in response to incidents, however.)

Additional contacts may check vendor web pages for problems/fixes, the newsgroup news:alt.security.index, or ASIS (the American Society for Industrial Security).

3.5  Disaster Recovery Plan

      

4.1  Secure E-Mail, Voice-Mail, Multimedia E-Mail, and Teleconferencing

The Pretty Good Privacy (PGP) program provided by Phil Zimmerman freely over Internet since 1991 is widely used for secure E­Mail of text and voice data (Barrus, 1995). The only problem is that the NSA has objected to it, arresting Zimmerman, who is still charged with its export in violation of U.S. national security laws (Noor, 1995; Winder, 1995). PGP is based on the well­known public key RSA algorithm, and two others, MD5, an algorithm developed by Ronald Rivest in 1992, and IDEA, the International Data Encryption Algorithm, a fast private key algorithm with a long (128-bit) key developed by Xue Lai and James Massey (Barrus, 1995). The E-Mail message is first encrypted with IDEA using a random session key, then the session key is RSA encrypted with the public key of the person the message is being sent to, and finally, MD5 is used to hash the message, so that if it is altered en route, this will be apparent. Thus, PGP combines fast private key encryption with convenient public key encryption.

In one configuration, PGP can be used to encrypt only the signature of a message, not the message itself, which can be useful. Under this protocol, the message is still run through a so­called radix-64 program that converts it to ASCII only characters accepted exclusively by many E­Mail systems. Without the key the message, though unencrypted, will still be illegible (Stallings, 1994). With earlier versions of PGP, there was a problem of what to do if the key password is lost, but options in the latest version ameliorate this problem (Ubois, 1995). Although PGP can presently handle only text and voice E­Mail, a version that will handle all MIME multimedia objects is nearly complete (URL http://www.c2.org/remail/by-www.html). We will make this method an option for secure multimedia data transmission as soon as it is available.

Whereas PGP is based on person-to-person security, another alternative, Privacy Enhanced Mail (PEM), was configured according to Internet protocols to provide secure E-Mail authenticated in a hierarchical manner (Kent, 1993). PGP requires users be "introduced"; software for this is available that was developed by M. Graff (Iowa State University). The software works with common E­Mail software, and there is an MIT version of PGP that works with World Wide Web server software to store public keys for use when needed by PGP (Schiller and Atkins, 1995). But how does the user authenticate that the public key from browser software really belongs to the person to whom the user wants to send a message? In PGP, this is done by any trusted third party also signing the message to build a "web of trust." The problem with this lies in the lack of specification for assurance of verification by the third party. This contrasts with PEM where authentication is strictly hierarchical and specified by the Internet Privacy and Security Research Group, which uses authentication service of the Internet Society as a Policy Certificate Authority (PCA). In order for this to work, however, the mailer (or its company) must be registered with the PCA (and in the case of a company, have a system in place for issuing the mailer a key). The latter requirement has meant that to date this system is not widely in use, although available.

PEM is a standard that specifies use of triple­DES for message encryption, DES or RSA for session key encryption, and MD5 for hashing. Riordan's Internet Privacy Enhanced Mail (RIPEM) is the actual software implementation of this standard, which is distributed by the RSA Corporation (Trowbridge, 1995a). Like PGP, RIPEM is export-restricted. A key difference between RIPEM and PGP is that in PGP people can sign using another person's key, whereas RIPEM is more for the business environment, where authentication of the key comes from a network server, not an individual. PEM also disallows sending of encrypted messages that are not signed, which PGP does not (ibid., 1995a). Anyone can check on a PEM message's authentication, making PEM messages subject to traffic analysis not possible with PGP­encrypted messages, which do provide anonymous messaging.

Another difference between PEM and PGP is the efficacy of contingency recovery procedures. If compromised, PEM allows immediate and universal notification of a public key change. Such universal notification is not possible with PGP, which permits issuance of a revocation certificate, but has no way to provide this to all holders of a users public key (Trowbridge, 1995). On the other hand, refusal of PGP messages (due perhaps to a dropped or non­ASCII character) can pose a security risk because it is possible to intercept and fake a refusal. In this case, however, the address will be incorrect. To address this problem, PGP software can be made to monitor incoming address consistency, at an as yet undetermined reduction in implementation speed (Weeks, Cain and Sanderson, 1995).

RIPEM presently has an advantage in being somewhat more user friendly than PGP. One important issue is character set compatibility. PEM as implemented in IPv6 will work with ASCII and non­ASCII characters. Previously available PGP software required ASCII­only characters, although this is likely to be corrected in the near future. Another ease­of­use issue is user name. In PGP, users choose their own; with PEM, the address is for X.500 protocol, is assigned, and may not even be printable, much less rememberable. Also, with PGP users have to run everything through the program to get a digital signature, which is inconvenient and slow; the ability to disable the program is therefore required as an option which must often be used (Weeks, Cain and Sanderson, 1995).

As an alternative to PEM and PGP, a recent commercial secure E­Mail product, TEDSecure (TriTeal Corp.), is user-friendly, GUI-oriented encryption software compatible with Microsoft Mail, and intended for the UNIX platforms used by many Government agencies. To facilitate Government use, TEDSecure uses the same algorithms as the Fortezza card - and costs about the same ($200) (O'Hara, 1995a). Transmission of E-Mail secured by PEM/RIPEM will be possible in the ICN for those wishing to use it for hierarchical E-Mail distribution. [Recalling that it cannot be considered as secure as PGP because it uses triple encryption, which as explained earlier, tends to confer a security risk rather than an advantage (c.f. Kaliski and Robshaw, 1996).]

Now suppose the user wants to send voice-mail? Zimmerman has just released PGPfone for Macintosh, which works with a SoundBlaster card and 14.4 modem (Ubois, 1995). Another such product, also compatible with a SoundBlaster card and modem, is made by Nautilus (ftp://miyako.dorm.duke.edu/mjp; retrieve text file README_MPJ). Like PGP, it is also export­restricted. For secure teleconferencing, things get more complicated; secure audio teleconferencing methods have been developed, but not yet implemented (Ayanoglu, 1995).

      

5.1  Possible Future Access Controls:  New Encryption Methods

5.2  Possible Future Access Controls:  Biometric Methods

Other pattern recognition-based access control/authentication methods have been proposed that use digital video cameras or other computer accessories. Such methods include pattern recognition of fingerprints (using small pads or similarly customized smartcards) (Dichristina and Kirschner, 1996), or patterns in the iris of the eye, which are held to differ more among individuals than fingerprints (Anon., 1994b).

However unlikely in reality, both iris and fingerprint scanning methods are subject to hi­tech spoofing methods of the sort used in B­grade spy movies ­ the fake contact lens or fingerprint. For CALS-related applications, such threats are of little risk, yet these access control methods nonetheless seem unlikely, as does a DOE-funded access control system based on the spatial recognition of the 3D shape of a user's entire hand (DOE/ER-0654, 1995), which remains under development.

By contrast with the methods above, some high tech security solutions appear to offer broad utility in the future. Much work has been done to implement facial feature construction and recognition software (c.f. Javidi, 1995; Mukherjee, 1995; and, Psaltis and Mok, 1995). Facial recognition constitutes a major effort in Japan as part of research at the national Electrotechnical Laboratory (ETL) undertaken by Dr. Kazuyo Tanaka, using facial models developed by Dr. Hiroshi Harashima (Myers, 1995). Similar work has been undertaken at the MIT Media Lab by Alexander Pentland, which has been tested for security applications (Schwartz, 1995). These methods seem to work well to uniquely determine bone structural components, independent of whether someone has just had a haircut or a shave. However, error rates are still somewhat problematical. Thus, rather than use this method for assuring the identity of ordinary users, facial recognition has been tested by British Telecom, the U.S. Army, and the White House as a means of recognizing exceptional individuals, such as known terrorists and criminals (e.g., in a crowd). For such uses, error rates are less troublesome than for access control, but for wider utility the facial pattern recognition software might be profitably incorporated with other access control technologies in the future.

To overcome problems with pattern recognition of facial bone structure, while yet making use of the advanced software developed, more recent methods target infrared patterns of heat release from an individual's face. Facial heat flux patterns are held to be highly unique and relatively impossible to spoof, as they are determined by the fractal growth patterns of blood vessels, which differ greatly even between identical twins. Although the problem of errors in this method has not yet been sufficiently addressed, and a small digital video camera is required, the cost of these cameras is little more than most other access control security solutions. This method may, therefore, hold the greatest promise for future access control and authentication methodologies.

5.3  Security and the Migration to Object-Oriented Software