Title: Application Cryptography
1Application Cryptography
- Jeff Stapleton
- CTO, Innove
- jeff.stapleton_at_innove.com
- Chair, X9F4 working group
- President Founder, Information Assurance
Consortium - jeff.stapleton_at_infoassurance.org
2Agenda
- Brief history of cryptography
- Review of the OSI stack
- Application Cryptography
- IT risks and the use of cryptography
- Business risks
- IT security risks
- Case studies
- Audit and Assessment
- Summary
3History of Cryptography
- 3500 B.C. Sumerian standard cuneiform first
written language - 3000 B.C. Egyptian standard hieroglyphics
- 1900 B.C. Egyptian non-standard hieroglyphic
substitution cipher - 500 B.C. Hebrew ATBASH substitution cipher
- 400 B.C. Greek scytale considered
transposition cipher - 50 B.C. Julius Caesar substitution cipher
- 1587 A.D. Medieval Vigenère polyalphabetic
substitution cipher - 1790 A.D. Thomas Jefferson wheel (US Army in WW
I) - 1845 A.D. Morse Code
- 1918 A.D. German Enigma Machine (WW II)
- 1937 A.D. Navaho Code Talkers (WW II)
- 1949 A.D. Shannon modern One Time Pad (OTP)
- 1968 A.D. Data Encryption Standard (IBM)
- 1976 A.D. Diffie-Hellman public key agreement
- 1977 A.D. RSA public key cryptography
- 1985 A.D. Elliptic Curve Cryptography (ECC)
- 2001 A.D. Advanced Encryption Standard
(Rijndael)
3,908 Years of Technology
4OSI Reference Model
- ISO Open Systems Interconnection (OSI)
(7) Application Layer
Application Layer (7)
S/MIME
(6) Presentation Layer
Presentation Layer (6)
DKIM
(5) Session Layer
Session Layer (5)
TLS (SSL)
(4) Transport Layer
Transport Layer (4)
(3) Network Layer
Network Layer (3)
IPsec
(2) Link Layer
Link Layer (2)
Link Encryptor
(1) Physical Layer
Physical Layer (1)
5Basic IT Risks
No Cryptography Protection Methods
1011001011101011
Wireless
- Vulnerabilities
- Network
- Wireless
- Memory
- Bus
- Emissions
- Storage
- Media
Programs Data
Programs Data
Programs Data
1011001011101011
32G USB
Memory
Storage
Networks
6Key Management Risk
Cryptography Protection Methods
1011001011101011
Wireless
- Vulnerabilities
- Network
- Wireless
- Memory
- Bus
- Emissions
- Storage
- Media
- Keys
Cryptographic Keys
Cryptography
Programs Data
Cryptography
1011001011101011
32G USB
Memory
Storage
Networks
7Managed Risk
Tramper Resistant Security Module (TRSM)
1011001011101011
Wireless
- Vulnerabilities
- Network
- Wireless
- Memory
- Bus
- Emissions
- Storage
- Media
- Keys
Cryptographic Keys
Cryptography
Programs Data
Cryptography
1011001011101011
32G USB
Networks
Memory
Storage
TRSM
8Business Risks
- Receiving non-authenticated data
- Data origination issue
- Sending non-authenticated data
- Phishing attacks
- Processing non-verified data
- Data integrity issue
- Exposing sensitive data
- Unauthorized access to information
- Storing non-verifiable data
- Unable to link integrity to a reliable clock
- Relying on non-verifiable software
- Change control applet issues
- Relying on non-verifiable logs
- Unable to synchronize logs due to unreliable clock
- All of these Risks
- can be addressed
- via
- Application
- Cryptography
- Encryption
- Key Management
- Digital Signatures
- PKI
- Trusted Time Stamp
9IT Security Issues
- IT Reliance is a major Business Risk
- Defense in depth IT Layer(s) Process Layer
Critical need for Application Cryptography
(8) Process Layer
(7) Application Layer
S/MIME authentication, confidentiality
integrity between email users
(6) Presentation Layer
DKIM authentication integrity between two
email servers (spam killer)
(5) Session Layer
(4) Transport Layer
TLS authentication, confidentiality integrity
between end points
(3) Network Layer
IPsec authentication, confidentiality
integrity between end points
(2) Link Layer
Link Encryptors confidentiality between two end
points
(1) Physical Layer
Note IT key management is often a killer issue
10Case Study PIN
- Financial Institution issues card PIN to
cardholder - Cardholder inserts card and enters PIN at ATM
- ATM encrypts PIN
- ATM transmits data encrypted PIN to Acquirer
- Acquirer translates PIN to network key
- Acquirer transmits data encrypted PIN to
Network - Network translates PIN to Issuer key
- Network transmits data encrypted PIN to Issuer
- OK transmitted back to ATM for cash dispersal
PIN
PIN
PIN
PIN
PIN
OK
OK
OK
Cardholder
ATM
Acquirer FI
Issuer FI
11Case Study Biometrics
- Financial Institution issues card to cardholder
enrolls Cardholder - Financial institution submits biometric to
Verifier - Cardholder inserts card and enters biometric at
ATM - ATM protects biometric
- ATM transmits data protected biometric to
Acquirer - Acquirer protects biometric
- Acquirer transmits data protected biometric to
Verifier - Verifier validates biometric transmits data to
Issuer - OK transmitted back to ATM for cash dispersal
Match
OK
OK
OK
Verifier
Cardholder
ATM
Acquirer FI
Issuer FI
12Case Study Healthcare
- Pharmacies established joint Data Mining
company to process prescriptions information for
resale to pharmaceutical companies - Consumer X at pharmacies A, C and D and Y at
pharmacy F - Ability to match up prescription purchases for
X and guarantee anonymity regardless of payment
method - Pharmacies use a common keyed hash to obfuscate
PII - Data Miner matches up keyed hash
- One key component held by Data Miner, another
held by Law Firm ability to change hash key
periodically
A
D
Person X Prescription 1
Person X Prescription 2
Data Mining
B
E
Pharmacy
Pharmacy
Consumer
Consumer
C
F
Person X Prescription 1
Person Y Prescription N
13Standards and Compliance
- American National Standards Institute (ANSI)
- US standards body representative to ISO
- Technical Committee 68 Financial Services
- Accredited Standards Committee X9
- ANSI accredited for the Financial Industry
- US Technical Advisory Group (TAG) to ISO TC68
- X9 American National Standards (short list)
- PIN
- Key Management
- PKI
- Biometrics
- Trusted Time Stamps
- Wireless (work in progress)
14Audit and Assessments
- X9 standards approach
- Requirements
- Technology specification to meet Requirements
- Control Objectives to validate compliance with
Requirements - Evaluation Criteria to verify compliance with
Control Objectives - Audit language vetted by AICPA
- TG-3 PIN Compliance (mandated by Pulse, Star,
NYCE) - ANS X9.79 PKI Webtrust for CA (mandated by
Microsoft) - Similar approach
- ANS X9.84 Biometrics
- ANS X9.95 Trusted Time Stamps
- Revised X9.49 Remote Access Mutual
Authentication - Draft X9.111 Penetration Testing
- Draft X9.112 Wireless Security
15Summary
- Cryptography
- Mature (4th millennium) technology
- Constantly improving
- Information Technology (IT)
- Reviewed IT risks
- Reviewed IT security issues
- Business Issues
- Reviewed Business risks
- Application cryptography case studies
- Conclusion
- No one hardware or software product can satisfy
all business needs, why should we expect one
cryptography solution? - Application cryptography solutions must meet
business needs