|Information assurance powwow, Part 2|
In this two-part article on the IEEE Systems, Man, and Cybernetics Information Assurance Workshop, Larry Loeb takes a look at the evolution of Information Assurance (IA) and what it means from a security standpoint. Part 1 introduced the basic IA concepts, which are powerful and deserve more attention. Here in part 2, Larry describes a contextual view of the IA process, and goes on to describe some new research presented at the workshop.
The integrated IA model
INFOSEC was defined as "protection of information systems against unauthorized access to or modification of information, whether in storage, processing, or transit, and against the denial of service to authorized users, including those measures necessary to detect, document, and counter such threats." Quite a mouthful there.
IA is an extension of the scope of these concepts. The National Security Telecommunications and Information Systems Security Committee has defined IA as "[i]nformation operations that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. This includes providing for restoration of information systems by incorporating protection, detection, and reaction capabilities." This definition expands coverage, responsibilities, and accountability of security professionals to include proactive offensive activities along with traditional defensive measures.
IA is multidimensional and multidisciplinary, just like McCumber's INFOSEC model. The IA dimensions are information states, security services, security countermeasures, and time.
The IA model would now look like Figure 3 if one were to take a "snapshot" in time.
The first axis is information states. Information can be stored, processed, or transmitted. Remember that information may also co-exist in two states. A simple example of this is a message transmittal: Though in transmission, the original message is also in storage at the sending site.
The second axis is the five security services: availability, integrity, authentication, confidentiality, and non-repudiation.
Availability is defined as the timely and reliable access to information for authorized users. This may be thought of as the utility part of security services. It includes all the non-glamorous things like back-up power supplies, off-site capabilities, and the like. Insuring availability can drain other system security resources; but this is a risk mitigation decision.
Integrity means protection against unauthorized modification or destruction, and is a matter of degrees of trust. It also includes accuracy, relevance, and completeness -- all of which together define the robustness of a system.
Authentication establishes "the validity of a transmission, message, or originator, or a means of verifying an individual's authorizations to receive specific categories of information," according to the NSA's National Information Systems Security Glossary. Spoofing IP addresses has caused increased awareness in this area.
Confidentiality, according to the glossary, is "the assurance that information is not disclosed to unauthorized persons, processes, or devices." Seems simple enough to grasp.
Non-repudiation may not be as simple to understand. This is defined as "the assurance the sender of the data is provided with proof of delivery and the recipient is provided with proof of the sender's identity, so neither can later deny having processed the data." In the non-IA world, this word has taken on a more sticky kind of meaning, specifically a legal term implying that neither side can back out of (repudiate) an agreed upon deal. In IA, it means an extension of the friend-or-foe identity classifications. It doesn't come with all the baggage of the commerce definition.
The third axis, security countermeasures, consist of technology, operations, and people.
Technology is the hardware, software, and firmware that make up a system or network. Stuff like firewalls and routers would be part of this element, which is constantly changing.
Operations include actual procedures performed by users, as well as what the system administrators impose on the system. Effects of software that can constrain things during specified system operations must be considered as well.
People are always a wild card, but can be characterized as the actions that people take. The relevant questions about the topic might be: Do the users follow the security policy? What happens when a new situation is introduced that is not covered by the policy?
And then, there is the fourth dimension of the model: time. In IA, time reminds us that everything we do is in a flux. Everything changes, all the time. As the model grows old, some seemingly essential elements of the original may have to be jettisoned or re-purposed due to ever-changing circumstances. In the last stages of a project, storage, confidentiality, and data availability would likely be more important than transmission or non-repudiation. New technology can greatly affect other dimensions of the model. Be ready to change when it is needed.
In summary, IA says that the interactions of the model's elements are just as important as, if not more important than, the components themselves. IA is real-time and dynamic, appreciating the "higher-order" effects of a framework change along with the obvious ones.
It's a process, not a product.
Anonymous, yet authenticated, communication
In general, this kind of information sharing is done to keep the identity separate from the data that is being contributed by a user. This is hard to do on a network because even if identifying headers are stripped out before the message is transmitted, the path that the message takes may be observed, thus compromising the anonymity. The design goals that the authors had in mind reflect these sorts of concerns. The goals are: anonymity of message author, anonymous communications paths, authentication of the source, integrity of the data, and privacy, as well as protection against user abuse.
Remailers have been the typical cypherpunk to this kind of anonymity need. A remailer is a message store-and-forward system that sends a message through a networked server with a different address than that of the sender. Improving on this is a type 1 remailer where messages are nested and encrypted, and sent through a path of specialized re-encrypting routers called "mixes." To defeat tracking, the message is delayed by a certain number of other messages before being sent out. Spammers can defeat this kind of system, and both traffic analysis and replay attacks are possible. To get around this, a type 2 remailer (or "mixmaster") uses padding, delay, and reordering along with type 1 techniques.
The model for communications
The authors also assume a public key infrastructure is up and working for the group, and that each domain will have a public/private key pair available to it. This allows for secure message transmittal, since each domain has another domain's public key available to it.
Each day, the central location generates a random 128-bit token, encrypts it with the domain's public key, and sends it to the domain. A hash of the token is also published daily, allowing each domain to verify it has the correct token active.
Key generation and encryption
The ENC-MSG must contain the index of the random number used in step 1c and the date so the recipient can reconstruct the key used for encryption in order to decrypt. The test in 1c will pass about 20 numbers on a 20,000-number CD, so that the CD does not have to be updated as often if that test were not there, even with group membership changing.
Decryption and authentication protocol
Input: Encrypted message file, ENC-MSG, Random number CD, Daily Token. Output: Either decrypted message or invalid message warning.
A domain will handle revocation rather simply. If decryption fails, the central location generates a 128-bit revocation token, and encrypts the token and a copy of the message using RK. The domain then alerts whatever revocation mechanism it has, which decides if the message is legitimate. If not, the revocation token is sent to the central location and the message is marked "revoked."
Should there be no trusted central authority location, users can generate their own secure token using a distributed threshold secret sharing scheme. If tokens are generated this way, all communications can be done between domains. An encrypted message is sent to the target domain directly, and is decrypted at the domain to check for authentication. If the receiving domain returns the revocation token, the sending domain revokes the message by returning the revocation token to the receiving domain.
IA as a discipline will most likely have as great an effect on the organizational use of information as its predecessor (INFOSEC) did. Developers in this area should appreciate what sorts of parameters are constrained by use of IA, and using its precepts to guide their modeling and abstracting of secured information systems