Assignment 2

Semester 2 2002

Total Marks: 85 marks

Gavin Longmuir – n2804948

Answers in RED

Question 1   (6 marks)

Bob and Alice have the RSA key pairs (KBprivate, KBpublic) and (KAprivate, KApublic) respectively. Explain the cryptographic protocols, using a suitable notation, used by both Bob and Alice when:

Let M1 = P1, P2, .., Pn, where each Pi is a constant-sized block of the original message – the block size is dependent on the public key modulus of KBpublic, with padding added to Pn.

(i)    Alice wants to send message M1 to Bob in a confidential manner (i.e. she wants to ensure that Bob is the only person who can read it). (1 mark)

For each block Pi Alice calculates Ci = E[RSA]KBpublic(Pi), to give C1. Alice then sends the concatenated encrypted message C1 to Bob. Bob can decrypt the message by calculating Pi = D[RSA]KBprivate(Ci), to give M1. Only the holder of the key KBprivate can successfully decrypt the message, thus Alice is assured that only Bob can read the message.

(ii)    Bob wants Alice to send message M2 and he wants to be sure that it is an authentic message from Alice (i.e. he wants to ensure Alice digitally-signed the message). (2 marks)

For each block Pi Alice calculates Ci = E[RSA]KAprivate(Pi), to give C2. Alice then sends the concatenated encrypted message C2 to Bob. Bob can decrypt the message by calculating Pi = D[RSA]KApublic(Ci), to give M2. Only the holder of the key KAprivate could have encrypted the message, thus Bob is assured that only Alice could have sent the message.

Alternatively, Alice could have generated a hash of the message M2 and then encrypted that with her private key: C[H2] = E[RSA]KAprivate(H[M2]). Alice then sends M2 and C[H2] to Bob. Bob calculates his own hash of the received message, at the same time decrypting Alice’s encrypted version. Only the holder of the key KAprivate could have encrypted the hash value, and if both hashes match then Bob is assured that only Alice could have sent the message, and that it wasn’t changed in transit.

(iii)    Alice wants to send message M3 to Bob in a confidential manner (encrypted) and she wants to ensure that Bob knows it is an authentic message from Alice (digitally-signed). (3 marks)

Alice generates a hash of the message M3 and then encrypts that with her private key: C[H3] = E[RSA]KAprivate(H[M3]). For each block Pi of M3 Alice calculates Ci = E[RSA]KBpublic(Pi), to give C3. Alice then sends the concatenated encrypted message C3 along with C[H3] to Bob. Only the holder of the key KBprivate can successfully decrypt the message, thus Alice is assured that only Bob can read the message. Bob decrypts the message by calculating Pi = D[RSA]KBprivate(Ci), to give M3. Bob then calculates his own hash of the received message, at the same time decrypting Alice’s encrypted version. Only the holder of the key KAprivate could have encrypted the hash value, and if both hashes match then Bob is assured that only Alice could have sent the message, and that it wasn’t changed in transit.
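The three exchanges above, worked in Python as an added example that is not part of the original assignment answer. Textbook RSA with toy Mersenne-prime keys, PKCS#7-style padding on Pn and SHA-256 as the hash H are my assumptions; the answer leaves them unspecified.

```python
import hashlib
from math import gcd


def make_keypair(p, q, e=65537):
    """Return (Kpublic, Kprivate) = ((e, n), (d, n)) for primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    return (e, n), (pow(e, -1, phi), n)


def rsa(key, x):
    """Textbook RSA exponentiation: E[RSA]K(x) with a public key, D[RSA]K(x) with a private key."""
    exp, n = key
    assert 0 <= x < n, "block must be smaller than the modulus"
    return pow(x, exp, n)


def block_size(n):
    """Largest whole number of bytes whose every value encodes to an integer below n."""
    return (n.bit_length() - 1) // 8


def split_blocks(msg, n):
    """M = P1, P2, .., Pn: equal-sized blocks, with padding added to the last block.
    Padding is PKCS#7 style (k bytes of value k, 1 <= k <= size) so it can be removed again."""
    size = block_size(n)
    k = size - len(msg) % size
    padded = msg + bytes([k]) * k
    return [padded[i:i + size] for i in range(0, len(padded), size)]


def join_blocks(blocks):
    """Concatenate decrypted blocks and strip the padding, rejecting malformed padding."""
    padded = b"".join(blocks)
    k = padded[-1] if padded else 0
    if not 1 <= k <= len(padded) or padded[-k:] != bytes([k]) * k:
        raise ValueError("invalid padding: wrong key or corrupted block")
    return padded[:-k]


def encrypt_blocks(key, msg):
    """Ci = E[RSA]K(Pi) for every block; the list stands for the concatenated message C."""
    return [rsa(key, int.from_bytes(b, "big")) for b in split_blocks(msg, key[1])]


def decrypt_blocks(key, cipher_blocks):
    """Pi = D[RSA]K(Ci) for every block, then remove the padding."""
    size = block_size(key[1])
    return join_blocks(rsa(key, c).to_bytes(size, "big") for c in cipher_blocks)


def sign(priv, msg):
    """C[H] = E[RSA]Kprivate(H[M]). H is SHA-256 here (an assumption; the answer leaves H open)."""
    return rsa(priv, int.from_bytes(hashlib.sha256(msg).digest(), "big"))


def verify(pub, msg, sig):
    """Bob's check: recompute H[M] and compare it with D[RSA]Kpublic(C[H])."""
    return rsa(pub, sig) == int.from_bytes(hashlib.sha256(msg).digest(), "big")


# Constructed toy keys from Mersenne primes: fast to build, and n exceeds 2**256 so a
# SHA-256 digest is always a valid single block. Real keys are generated differently.
BOB_PUB, BOB_PRIV = make_keypair(2**127 - 1, 2**521 - 1)
ALICE_PUB, ALICE_PRIV = make_keypair(2**89 - 1, 2**607 - 1)


def protocol_i(msg):
    """(i) Confidentiality: Alice encrypts under KBpublic; only KBprivate recovers M1."""
    return decrypt_blocks(BOB_PRIV, encrypt_blocks(BOB_PUB, msg))


def protocol_ii(msg):
    """(ii) Authenticity: blocks 'encrypted' under KAprivate; anyone with KApublic recovers M2."""
    return decrypt_blocks(ALICE_PUB, encrypt_blocks(ALICE_PRIV, msg))


def protocol_iii_send(msg):
    """(iii) Alice's side: C3 under KBpublic together with C[H3] under KAprivate."""
    return encrypt_blocks(BOB_PUB, msg), sign(ALICE_PRIV, msg)


def protocol_iii_receive(cipher_blocks, sig):
    """(iii) Bob's side: decrypt with KBprivate, then check the signature with KApublic."""
    msg = decrypt_blocks(BOB_PRIV, cipher_blocks)
    return msg, verify(ALICE_PUB, msg, sig)


if __name__ == "__main__":
    m = b"Exam paper: answer all questions. " * 6   # longer than one block
    print(protocol_i(m) == m, protocol_ii(m) == m)
    print(protocol_iii_receive(*protocol_iii_send(m))[1])
```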

 

 

Question 2   (9 marks)

(a)      (i)       Give an example of a situation where it would be best to use a stream cipher to encrypt for confidentiality. (1 mark)

A stream cipher would be ideal to provide confidentiality in a telephone (or FAX) scrambler. A shared private key (greater than or equal to the message length) would be required by each party. Key distribution would have to be done by external means.

          (ii)      Explain why a stream cipher is better-suited to your situation than a symmetric block cipher or a public-key cipher. (2 marks)

A stream cipher would allow fast or high-speed encryption, which is suitable for large data flows in a low-error transmission medium – it’s essential that the data transmission rate be maintained. Synchronisation issues are to be addressed above the encryption layer – at the application layer (not the session or presentation layer).

 

(b)      (i)       Give an example of a situation where it would be best to use a symmetric block cipher to encrypt for confidentiality. (1 mark)

A symmetric block cipher would be used in an environment that requires high-speed data transmission with low error propagation, and large amounts of data. An example would be military aircraft signals. All parties involved must have a copy of the shared secret.

          (ii)      Explain why a symmetric block cipher is better-suited to your situation than a stream cipher or a public-key cipher. (2 marks)

In a military environment you would not wish to have public keys known by the enemy. Within a squadron each aircraft could have a shared secret before leaving on a ‘mission’ – thus easy key management, with little or no requirement for key escrow. If individual shared keys were to be used then a network of n users would require n (n – 1) / 2 keys. A CD of random data could be the basis of the shared secret. Captured keys would be useless, as they would only have value in ‘real time’. Encrypted positional information would be continuously broadcast between all squadron members (and possibly with ‘mission control’). All members of the secure communications system can use the shared secret key. Thus anyone in possession of the secret key can encrypt or decrypt messages within the communications system – this means anyone in the system can decrypt any message within the communications system, not just messages for them. Stream ciphers would be unsuitable for this scenario as synchronisation of the key stream would be hard to maintain over an unreliable transmission medium.

 

(c)      (i)       Give an example of a situation where it would be best to use a public key cipher to encrypt for confidentiality. (1 mark)

A user wishing to pay for goods electronically (EFTPOS) at a random merchant would be using a public key cipher. The cardholder uses their credit card at the merchant’s EFTPOS terminal. Transaction data is presented to the merchant’s financial agent, where details are sent to the card issuer for verification, which results in either an accept or a reject message based on authentication issues or on policy issues (no funds available). Asymmetric ciphers provide a means of user authentication, and are used to provide assurance in the establishment of session keys used in the transactions.

          (ii)      Explain why a public key cipher is better-suited to your situation than a stream cipher or a symmetric block cipher. (2 marks)

The user’s public key is given out to any entity wishing to communicate with the cardholder. Giving out the cardholder’s public key does not compromise security. While the bulk of the data exchanged during an EFTPOS transaction is encrypted via a stream cipher (due to lesser processing overheads), cardholder identification and authentication is achieved via a public key scheme, as it is very likely that neither the cardholder nor the merchant know each other. The card issuer signs the cardholder’s public key and this is stored on the card along with the public key of the card issuer and the validity period of both keys. If the merchant’s financial agent trusts the card issuer, then they also trust the certificate that the card issuer verified. Symmetric and stream ciphers are unable to provide this ability, mainly due to the non-deterministic number of keys that would be required and managed.

 

Question 3  (40 marks total)

The Distance Education University (DEU) has 10000 currently enrolled students who are physically located throughout the world. The DEU has a centralised Web repository which it uses to disseminate lecture materials, etc to its students. Lectures are delivered by a variety of means (depending on agreements with the regional offices). The DEU has five regional offices (New York, Los Angeles, London, Singapore, Sydney) whose job is to organise tutorials and workshops for the students. Each regional office has a number (10 to 15) of local area offices that actually run the tutorials and workshops. (For example, Sydney office has local area offices at Brisbane, Melbourne, Sydney, Perth, Rockhampton, Adelaide, Melbourne, Darwin, Hobart, Wellington NZ.)

The current method of examining students is not working well, and the university has asked Exams Section to provide an outline for a new exams procedure. The DEU wants to examine students at the local area offices, where the students need to physically attend the office. The DEU understands that they need a secure system to do this using public key cryptography.

As you are employed by the DEU Exams Section, you have been asked to come up with a plan for a workable system which will ensure a fair and accountable examination process for all concerned. The examination process is as follows:

· Exams Section obtains the exam papers from DEU academics.
· Exams Section distributes the exam papers to the centres.
· The centres run the examination under normal exam conditions (i.e. identity check of student, time limit, no talking, no notes taken into exam room, etc).
· The centres return the students' papers to Exams Section for marking.
· Exams Section returns the exam papers to DEU academics for marking.
· DEU academics enter marks into the DEU centralised system, which is available to all students.
· Students may wish to query their result. Provision should be made to enable students to formally request a reassessment of their exam paper marking.

Your outline plan should include:

(a)      To provide management direction and support for security of your proposed system, draft an outline for an examination system security policy (use Lecture 7, Slides 40-42 as a guideline) to your draft. (one page – 10 marks)

 

The DEU needs an information security policy for the newly proposed examinations security infrastructure. The policy (a formal specification of management direction) defines a framework for the information management system to be implemented. This policy will then be published and distributed to all academics, employees and students of DEU. Issues that will require operational compliance are stated within this policy.

Legislative requirements will have to be met in each country in which DEU has local area offices. For example, each country has differing laws with respect to digital signatures and information privacy, and may have formal PKI certification requirements. Encryption standards differ, and in some countries usage is illegal.

Administrative requirements: academics, staff, and students must have a clear understanding of the basic information security guidelines of CIA – which should already be reflected in the manual information procedures within DEU and its examination section. This must be formalised in the DEU general terms and conditions, which should also state the disciplinary actions that will be undertaken for failing to comply with the rules. The rules should also state end-user and privileged access policies for the central server and supporting systems of the proposed infrastructure. Confidentiality of information should be ensured – records should only be accessed under appropriate circumstances. Training and education on user responsibilities should reinforce this message.

This leads on to the requirement for personnel security and the need-to-know requirements for access to the system; in other words, not every staff member needs to access the information system. Also, physical access should not qualify an entity to access privileged components of the system. Suitable physical perimeters should protect components of the system at all locations. These countermeasures to tampering and theft (the most common of threats) should be in proportion to the component’s ‘value’ within the system.

It is likely that there will be a failure in the system at a critical juncture of the new examination process. Continuity plans need to be in place and exercised – not just for hardware, software, and communication components, but also for events of a more environmental nature such as flood, power failure, and bomb threats. Equipment maintenance and disposal requirements need to be addressed. In addition, if outside support engineers are needed then an escorted/supervised access policy will be utilised. An outline of the media security policy is also essential.

As the examinations information security system is going to be based on PKI technologies, logical and physical staff access to key components must be safeguarded. System integrity must be maintained – malicious code should be prevented and new code should be evaluated in a non-production environment; this is really just an adjunct to the requirement for formal change-control processes. Key management must also be tackled. There should be key establishment guidelines, a key distribution policy, and user education in the use of PINs or passphrases. Additionally, key validity periods need to be established, along with a methodology for the suspension, revocation, and destruction (logical and physical) of keys.

Lastly, a review process for the security policy is needed to ensure the policy’s effectiveness. Factors that should also feed into this are changes to technology, and growth or decline of the core business – distance education.

(b)  Outline your proposed PKI system including:

· a diagram of the trust model (allow for the fact that the DEU expects to have three more regional offices and double the number of current students within twelve months)

· brief description of entities at each level (one page – 10 marks)

Figure 1: Proposed PKI trust model for DEU examination section

The proposed PKI trust model for the DEU examination section security infrastructure will be hierarchical, with four tiers of authorisation. It is designed to allow for future expansion and utilises local resources within the management of the entire PKI.

At the top of the structure is the root CA or Policy Approving Authority (PAA), which sets the overall policy guidelines and certifies the authority entities below it in the hierarchy. The PAA would be located at the central office, and would be managed under the strictest guidelines of the entire PKI.

The Policy Certificate Authorities (PCAs) would be based at each regional centre and would set the policies for all CAs within their control. PCAs can also authorise the creation of new local offices as long as it fits into their policy framework. The PCA is where local PKI escrow, privacy, or encryption policies could be applied; for example, the Iranian office would only be able to issue 40-bit certificates, or what items are required to make up the one hundred points of identification required for initial registration.

Each regional office and the local branches will have a CA, which certifies an entity’s identification after ensuring that authorisation at the administrative level to do so has been given, for example that the student has paid their fees or is eligible to undertake the course. The CA is also responsible for the bulk of key management, most importantly the management of the CRL. A Registration Authority (RA) is co-located with the CA. The RA is responsible for establishing the surety of the end users’ credentials – their identity. The RA could also be roving and/or easily duplicated to cope with the initially large number of registrations that occur at the beginning of each semester.

(c)  A summary outlining your suggested examination process using your proposed PKI. (one page – 10 marks)

 

The implementation of the security schema is best described for each step of the proposed examination process. It is assumed that users (academics, staff, and students) are already enrolled within the PKI.

1.     Examination section obtains the examination papers from DEU academics. DEU academics would post the electronic version of the examination paper to the Examination section via the centralised web repository. As part of the posting procedure the academic’s private key would sign it. Identification would be by strong authentication utilising a smart card, which contains the academic’s signed public key along with their private key. Thus the examination section is assured that only the authorised entity submits the examination papers.

2.     Exams Section distributes the exam papers to the centres. After confirming that the examination paper was indeed sourced from the authorised academic (via the digital signature), the electronic examination paper is made available to all regional and local offices from the central web repository; these would be signed by a special identifying certificate for the current examination period. Regional and local offices would have to verify access via smart card identification.

3.     The centres run the examination under normal exam conditions (i.e. identity check of student, time limit, no talking, no notes taken into exam room, etc). A smart card that was issued to each student as their student card contains additional identification details, which can be utilised by the examination invigilators. A unique barcode on each examination booklet is additionally linked to each student sitting the examination on entry to the room. The number of booklets initially allocated would be dependent on the topic; additional booklets would be distributed on request during the examination, but would require supplementary identification via the smart card.

4.     The centres return the students' papers to Exams Section for marking. With the supplementary mapping of booklets to students, an electronic graphical scan (PDF) of each student paper is made and is associated with the student’s identity. This electronic version of the student papers is stored locally as a contingency; all physical papers are manually sent to the DEU examination section by secure couriers.

5.     Exams Section returns the exam papers to DEU academics for marking. On receipt of the student examination papers, a verification of each booklet is done to ensure the authenticity of the papers; if papers do not arrive or cannot be validated then the electronically stored version at the local area office is requested – this is of course sent electronically utilising the public key infrastructure. All the papers are then shipped to the marking academic by secure couriers. Again, if a paper goes astray or is damaged the electronic version could be made available.

6.     DEU academics enter marks into the DEU centralised system, which is available to all students. The marking academic is able to enter student results into the centralised web repository, with twofold identifying information – their student number, and the unique booklet identification (bar)code. As part of the posting procedure the academic’s private key would sign it. Identification would be by strong authentication utilising a smart card. Thus the examination section is assured that only the authorised entity submits the examination marks. On completion the examination booklets are returned to the examination section by secure couriers.

7.     Students may wish to query their result. Provision should be made to enable students to formally request a reassessment of their exam paper marking. Students are able to view their results from the central web repository when formally released – the level of authentication required will simply be the student number and course code posted as part of the query (simple [password] authentication could also be implemented if required by policy). Students are also able to request a reassessment of their examination result via the same mechanism, but the rules enforcing this policy must be displayed along with warnings of possible disciplinary actions for trivial or excessive abuse of such a facility. Both the physical and electronic versions of the papers are kept for some pre-defined period before they are destroyed.

 


 

 

(d)  Show how your proposal satisfies your information security policy in (a) and ensures a secure, fair and efficient examination system for each of the following groups (in your description for each group, specify the security services delivered by your system):

· the DEU
· the students
· Exams Section
· the regional offices
· the local area offices

(one page – 10 marks)

The security service provided by the security policy and solution to the DEU is that it facilitates the requirement to provide a secure and fair examination system to a large number of local area offices. It is achieved within the management of the DEU, and the policies are an adjunct to the overall DEU management policies.

The new security solution provides the student with a mechanism to ensure that their submitted paper is in fact the one marked or reassessed. A contingency for lost or damaged completed student papers is provided. Students are also informed of possible disciplinary actions for misbehaviour.

The examination section is able to satisfy itself that it is truly receiving the correct papers from the academics, and is then able to dispatch these papers securely to the examination centres in an efficient manner. It is assured of receiving and dispatching the correct student papers for marking. New contingency mechanisms allow for the recovery of damaged or lost papers. It also has a new information security policy to support these processes within the whole of the DEU.

The regional offices are able to receive and authenticate examination papers in good time and arrange for secure physical distribution to the smaller area offices. They also maintain the regional CRL.

The local area offices are able to receive and authenticate the examination papers, and securely print them locally. The student identity check for the examination is enhanced by the use of the student’s smart card, which is also verified against the regional office’s CRL in real time. The local area examination staff also map the answer booklets to each sitting student via a unique barcode, on top of all the other written checks done previously. As an assurance against loss of or damage to the papers on their way back to the examination centre, an electronic version is created and stored. The security policy in addition ensures that privacy and integrity are maintained.

Question 4   (10 marks)

In a medical information system that controls access to patient records and prescription files:

In your opinion, which security model is most appropriate for this policy? Should this policy be strictly adhered to, or is it reasonable to make adjustments? Explain and justify your opinion. (one page – 10 marks)

Of the three formal security models presented in ITN582, the Bell-LaPadula confidentiality model fits the client’s requirements. It is a mandatory access control model, which is governed by strict rules for subjects to access objects; discretionary access can also be provided on a ‘need to know’ requirement.

While the Bell-LaPadula model is military based, it is concerned with confidentiality of information and assumes the integrity of the subjects. Integrity within the medical profession is held in great esteem, and it is assumed that alternative processes are put into place to prevent malicious software (such as anti-virus/trojan software and formal software quality control). Minimal changes will be required to the model.

Formal policies for the information system would be as defined by the client’s requirements (listed above). These policies should be applicable not only to computer security but also to physical and procedural security within the organisation.

For implementation of this model as the client’s information system, subjects are to be defined as users and processes (such as printing, and billing) and could have multiple security classifications. A modified course security hierarchy will be created with entries of Doctors and Nurses (the former being higher in the classification pecking order). To meet the requirements two main objects will be defined, the datasets of Patients and Prescriptions, each containing many sub-objects: Patients classified as Doctors, and Prescriptions classified as Nurses.

A user would therefore be created with either of the following category sets:

(Doctors {Patients, Prescriptions})
(Nurses {Prescriptions})

The model defines four access attributes or levels (it is unclear if all such levels would be required for the client’s information system):

execute (neither observation nor alteration)
read (observation with no alteration)
append (alteration with no observation)
write (both observation and alteration)

Enforcement of the model is done by the level function. With the assumption that the security of the system starts in a guaranteed state, the system will not create a security breach based on the following axioms:

simple security property (also known as no read up): a subject cannot access information which it is not cleared for. Example: UserB classified (Nurses {Prescriptions}) cannot read Patients.
(star) *-property (also known as no write down): subjects cannot move information from an object with a higher classification to one with a lower classification. Example: UserA classified (Doctors {Patients, Prescriptions}) cannot move information in Patients to Prescriptions (at least electronically).
discretionary security property: an additional access control matrix is provided for exceptional and restricted access. Example: UserB classified (Nurses {Prescriptions}) may be given access to a sub-object within Patients on a need-to-know basis.

At the implementation of the system a number of basic requirements will need to be available:

functions to alter current access (the transition between a subject’s current access on an object state and the next state).
functions to change the maximum level of an object, and to set the current usage level of an object.
functions to add and remove access attributes from the access matrix; this will have to be defined by the client’s own policy on discretionary access, which is currently unknown.
functions to create or remove an object within the object hierarchy. Additional policies will need to be defined if finer-grained control is desired (such as limiting users cleared to Nurses to only the last 12 months of Prescriptions information).
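An added example, not from the original answer: the Doctors/Nurses category sets, the four access attributes and the three properties above, together with the "alter current access" function from the requirements list, as an access-decision function in Python. The sub-object "Patients/allergy-summary" with its lower label, and the over-generous UserB/Patients matrix entry, are constructed to show when a need-to-know grant takes effect and when the mandatory rules still deny it.

```python
from typing import FrozenSet, NamedTuple

# Classification pecking order from the answer: Doctors above Nurses.
LEVELS = {"Nurses": 1, "Doctors": 2}


class Label(NamedTuple):
    """A security label (level, category set) for a subject or an object."""
    level: str
    categories: FrozenSet[str]

    def dominates(self, other: "Label") -> bool:
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


# Objects: the two datasets from the answer, plus a constructed sub-object released at a
# lower label (no category) so that a need-to-know grant to a nurse can actually take effect.
OBJECTS = {
    "Patients": Label("Doctors", frozenset({"Patients"})),
    "Prescriptions": Label("Nurses", frozenset({"Prescriptions"})),
    "Patients/allergy-summary": Label("Nurses", frozenset()),
}

# Subjects with their maximum clearance (the two category sets from the answer).
SUBJECTS = {
    "UserA": Label("Doctors", frozenset({"Patients", "Prescriptions"})),
    "UserB": Label("Nurses", frozenset({"Prescriptions"})),
}

# Discretionary access matrix (ds-property): (subject, object) -> permitted attributes.
# The UserB/Patients entry is a deliberately over-generous grant: the mandatory rules below
# still deny it, because in Bell-LaPadula the matrix can only restrict, never override.
MATRIX = {
    ("UserA", "Patients"): {"execute", "read", "append", "write"},
    ("UserA", "Prescriptions"): {"read", "append", "write"},
    ("UserB", "Prescriptions"): {"read", "append", "write"},
    ("UserB", "Patients"): {"read"},
    ("UserB", "Patients/allergy-summary"): {"read"},   # need-to-know grant
}

OBSERVE = {"read", "write"}    # attributes that observe the object
ALTER = {"append", "write"}    # attributes that alter the object


def allowed(subject, obj, attr, current=None):
    """Decide one access request under the three Bell-LaPadula properties.

    `current` is the level the subject is operating at (the answer's 'current access');
    it defaults to the subject's maximum clearance and may never exceed it."""
    maximum = SUBJECTS[subject]
    s = current or maximum
    o = OBJECTS[obj]
    if not maximum.dominates(s):
        return False                      # cannot operate above own clearance
    if attr not in MATRIX.get((subject, obj), set()):
        return False                      # discretionary security property
    if attr in OBSERVE and not s.dominates(o):
        return False                      # simple security property: no read up
    if attr in ALTER and not o.dominates(s):
        return False                      # *-property: no write down
    return True


def can_move(subject, src, dst, current=None):
    """Moving information src -> dst means observing src and altering dst in one session."""
    return (allowed(subject, src, "read", current)
            and allowed(subject, dst, "append", current))


if __name__ == "__main__":
    nurse_level = Label("Nurses", frozenset({"Prescriptions"}))
    print(allowed("UserB", "Patients", "read"))                       # False: no read up
    print(can_move("UserA", "Patients", "Prescriptions"))             # False: no write down
    print(allowed("UserA", "Prescriptions", "append", nurse_level))   # True: doctor working at nurse level
    print(allowed("UserB", "Patients/allergy-summary", "read"))       # True: need to know
```

A doctor can only append to Prescriptions after lowering the session to the Nurses level; at full clearance the *-property blocks the write, which is exactly the "current access" transition the requirements list calls for.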


Question 5   (20 marks)

(i)       With regards to an organisation’s IT security, distinguish between a vulnerability, a threat and a control. (one page – 6 marks)

Firstly we require some very basic definitions in the context of Threat Risk Assessment (TRA) and Risk Management:

Threats exploit vulnerabilities, which increases security risks, exposing assets and increasing potential impacts.

Controls protect against threats, which reduces security risks.

The security risks show a need for a security requirement that is enforced by the controls.

When undertaking a TRA an organisation needs to identify the assets which it is trying to protect, then recognise threats to those assets. These threats take advantage of vulnerabilities in the environment to realise their aim. A qualitative estimation is made of the likelihood of the threat occurring and the consequences if realised. This creates an evaluated list of risks that could be categorised from extreme to very low. These create the security requirements – prioritisation strives for sensible resource allocation. Treatments or countermeasures to a threat become controls, which are planned and implemented.


 

(ii)      Major security threats in data security are identified in Lecture 1 as concerns over interruption, interception, modification and fabrication (THREATS). In Lecture 4 we discussed how cryptology can preserve confidentiality, integrity and availability of data (PROPERTIES). Discuss how each of the THREATS and each of the PROPERTIES relate to each other. (one page – 8 marks)

A threat is a source of danger or harm. A threat can be physical or logical, and externally or internally based; it can be categorised into three main classes: deliberate, accidental or environmental (including ‘natural’ events). The four threat types identified above all have their focus on deliberate acts against information security.

The properties or goals of an information system are:

Confidentiality – restricted and authorised access.
Integrity – ensuring that information is accurate and complete.
Availability – information being accessible and usable.
Non-repudiation – prevents the denial of a previous information flow.
Authenticity – assurance that a resource is truly what it claims to be.

Interruption threats affect the information system property of availability – Deliberate (DDoS attack), Accidental (operator misconfiguration), Environmental (flood).

Interception threats affect the confidentiality property of the information system – Deliberate (man-in-the-middle attack), Accidental (backup media is lost).

Modification threats affect the integrity property of the information system – Deliberate (hacktivist website defacement), Accidental (unapproved information made available before substantiation).

Fabrication threats affect the information system goal of authenticity – Deliberate (DNS website hijacking).

Cryptographic mechanisms provide controls to safeguard the information system properties of Confidentiality, Integrity, Non-repudiation, and Authenticity. They do not prevent threats against availability.


 

(iii)      A lecturer wishes to set an assignment for the class such that:

· the lecturer does not know the identity of an individual assignment’s author, and
· the lecturer needs to be assured that the assignment was submitted by a student enrolled in that unit.

Describe and justify a protocol to distribute ID numbers from the lecturer to students enrolled in that unit so that each student can submit an assignment that satisfies the above requirements. (one page – 6 marks)

Let L be the lecturer’s submission server, A be the trusted third party, and S be any student s1 to sn, i.e. n students in the course.

The lecturer’s system creates numbers ID1 to IDm, where m >= n, which will be the student submission keys; it also has a shared trusted key KLA with the trusted third party A.

1: L → A: L, A, {NL, ID1, .., IDm}KLA
2: A → L: A, L, NL

The lecturer is assured that the numbers ID1 to IDm have successfully been delivered to A and are readable, and that nobody else was able to see them.

More assumptions

The trusted third party system randomly selects IDi values and remembers that information in an allocation table. The trusted third party has a list of students that are enrolled in the course.

Each student must have a unique shared key KSA with the trusted third party.

The student can submit numerous times.

Key establishment protocol between student and lecturer’s system:

1: S → A: S, A, L, {NS}KSA
2: A → S: A, S, {IDi, NS}KSA, {IDi, S}KLA

The student is confident that the allocated submission key came from a valid source.

3: S → L: S, L, {IDi, S}KLA
4: L → S: L, S, {NL'}IDi
5: S → L: S, L, {NL' – 1}IDi

Both the lecturer’s system and the student now know the newly shared key. The student has proved to the lecturer’s system that they know the key.

IDi is now the established submission key.

A modified version could be implemented with public key usage by all entities instead of shared private keys, in which case we can assume that each private key listed above is really a session key.
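The two phases above run end to end in Python, as an added example that is not part of the original answer. The {x}K encryption is a constructed stdlib-only stand-in (HMAC-SHA256 keystream plus HMAC tag) for a real authenticated cipher, and the keys, nonces and ID values are generated at run time; note that, as written, the ticket {IDi, S}KLA forwarded in message 3 tells L which student holds IDi, so the run returns what L learned alongside A's allocation table.

```python
import hashlib
import hmac
import json
import secrets

def _keystream(key, nonce, length):
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def enc(key, payload):
    """{payload}K: JSON-encode, XOR with a keyed stream, then append an HMAC tag."""
    data = json.dumps(payload, sort_keys=True).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def dec(key, blob):
    """Inverse of enc; a wrong key or any tampering is rejected before decryption."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("rejected: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class Lecturer:                      # L: the lecturer's submission server, shares K_LA with A
    def __init__(self, k_la, m):
        self.k_la, self.seen = k_la, {}                         # seen: IDi -> S named in the ticket
        self.ids = [secrets.token_hex(16) for _ in range(m)]   # ID1 .. IDm, each also a 16-byte key

    def msg1(self):                  # 1: L -> A: L, A, {N_L, ID1, .., IDm}K_LA
        self.n_l = secrets.token_hex(8)
        return ("L", "A", enc(self.k_la, {"N_L": self.n_l, "IDs": self.ids}))

    def check2(self, msg2):          # 2: A -> L: A, L, N_L   (IDs delivered and readable)
        return msg2 == ("A", "L", self.n_l)

    def msg4(self, msg3):            # 3: S -> L: S, L, {IDi, S}K_LA   4: L -> S: L, S, {N_L'}IDi
        s, _, ticket = msg3
        t = dec(self.k_la, ticket)
        self.seen[t["ID"]] = t["S"]  # caveat: the ticket tells L which student holds IDi
        self.challenge = (t["ID"], secrets.randbelow(2**32) + 1)
        return ("L", s, enc(bytes.fromhex(t["ID"]), {"N_L2": self.challenge[1]}))

    def check5(self, msg5):          # 5: S -> L: S, L, {N_L' - 1}IDi   (S has proved it knows IDi)
        id_i, n_l2 = self.challenge
        return dec(bytes.fromhex(id_i), msg5[2])["resp"] == n_l2 - 1

class Authority:                     # A: trusted third party with K_LA, every K_SA and the enrolment list
    def __init__(self, k_la, student_keys, enrolled):
        self.k_la, self.keys, self.enrolled = k_la, student_keys, enrolled
        self.free, self.table = [], {}   # unallocated IDs, allocation table IDi -> S

    def msg2(self, msg1):
        p = dec(self.k_la, msg1[2])
        self.free = list(p["IDs"])
        secrets.SystemRandom().shuffle(self.free)   # IDi values are handed out at random
        return ("A", "L", p["N_L"])

    def reply(self, req):            # 1: S -> A: S, A, L, {N_S}K_SA   2: A -> S: A, S, {IDi, N_S}K_SA, {IDi, S}K_LA
        s, _, _, blob = req
        if s not in self.enrolled:
            raise PermissionError(f"{s} is not enrolled in the course")
        n_s = dec(self.keys[s], blob)["N_S"]
        id_i = self.free.pop()
        self.table[id_i] = s
        return ("A", s, enc(self.keys[s], {"ID": id_i, "N_S": n_s}),
                enc(self.k_la, {"ID": id_i, "S": s}))

class Student:                       # S: one student, shares K_SA with A
    def __init__(self, name, k_sa):
        self.name, self.k_sa = name, k_sa

    def request(self):
        self.n_s = secrets.token_hex(8)
        return (self.name, "A", "L", enc(self.k_sa, {"N_S": self.n_s}))

    def msg3(self, reply):
        _, _, mine, ticket = reply
        p = dec(self.k_sa, mine)
        if p["N_S"] != self.n_s:
            raise ValueError("reply does not answer my fresh nonce")
        self.id = p["ID"]            # decrypted under K_SA, so it came from A
        return (self.name, "L", ticket)

    def msg5(self, msg4):
        n_l2 = dec(bytes.fromhex(self.id), msg4[2])["N_L2"]
        return (self.name, "L", enc(bytes.fromhex(self.id), {"resp": n_l2 - 1}))

def run_protocol(student="s1", enrolled=("s1", "s2"), m=5):
    """Run both phases; returns (key established, IDi, S in A's table, S as seen by L)."""
    k_la = secrets.token_bytes(32)
    k_sa = {s: secrets.token_bytes(32) for s in set(enrolled) | {student}}
    L, A = Lecturer(k_la, m), Authority(k_la, k_sa, set(enrolled))
    assert L.check2(A.msg2(L.msg1())), "A did not acknowledge the ID list"
    S = Student(student, k_sa[student])
    msg3 = S.msg3(A.reply(S.request()))
    established = L.check5(S.msg5(L.msg4(msg3)))
    return established, S.id, A.table[S.id], L.seen[S.id]
```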

Referencing your sources

If you use material from a Web site, it needs to be properly acknowledged. Where you have made use of the material, cite the source of the material using an appropriate referencing style (see below) and include a list of references at the end of your report.

There are various ways of setting out references / bibliographies. One style is the Author-Date (HARVARD) referencing style. Read the article Bibliographic & Electronic Resources: Citations & Referencing for more information. Use the Harvard style in your report. Note that it is not sufficient to only have a list of references at the end of your report - materials must be cited in your text.