Introduction

This document is an attempt to formulate basic reasoning behind security technologies, we should employ. It is not trying to analyse the actual techniques used and tries to stay away from technology comparisons.

I apologize for some of the analogies that may sound infantile. The reason for this is two-fold: it may help to explain the concept to a non-technical reader, but also, I found that using simple analogies may sometimes expose holes in our thinking.

Why use security systems

It is quite obvious that any security system has a cost, not only in terms of cash, but also – more significantly – in terms of workload and inconvenience – sometimes loss of privacy. Putting a padlock on the gate means that we have to unlock it to get in. Some modern technologies can minimise the effort (for instance a fingerprint reader instead of the padlock), but the general principle does not go away.

In general there may be two reasons why we don’t want someone to steal stuff from us:

  1. We would miss it if it is gone
  2. We don’t want someone else to have it
The first reason usually dominates for THINGS. The second reason tends to be more important for INFORMATION. We could use a short-cut term SAFETY for the first reason and PRIVACY for the second. While we are on the subject – there is one more reason we would rather not have strangers break into our home – it is all the pain, the mess and the clean-up work that an event like this may cause – independently of anything they may or may not steal. That is a NUISANCE element. IT security follows the same logic. While the weight put on SAFETY, PRIVACY and NUISANCE may be different here, the logic remains the same.

3.0 Different problems

3.1 Safety

In the IT world we have a comfort of being able to copy our valuables – with the copy having exactly the same value as the original. This makes the logic simple – a well organised backup and archiving solution can guarantee that we should never lose anything that we would miss.

3.2 Privacy

Here the problem is much more serious. We all keep a lot of data we would never want others to see. We may even keep other people’s data and it is our responsibility to protect those. The solutions are complicated, because data are only of any value if they are accessible – under some conditions – to some persons, for some reason, at some times etc. Fast and convenient authorized access to the data has a heavy bearing on efficiency – hence the widely publicised security breaches – authorized users copying data into unprotected media, laptops, writing passwords on the wall – all of this to allow us to work faster.

3.3 Nuisance

The nuisance cost in IT is enormous. Any security breach has a potential damage and there is simply no way to avoid the work needed to establish what we lost. Part of this, in a well organised system may be easy – like an inventory in a well run office – just checking if all the paper clips are where they should be and we are done. We replace all the missing ones from our backup, no problem.

It gets tougher from now on. We need to check if no paper clip has an extra bend in it. We need to check if there is no extra paper clip that wasn’t there before, if we find one – we need to check what it could do to us… we may have to check if it didn’t do something already.

Now we come to the really difficult bit – one of the paper clips has a special shape developed over the years. It can open the door of our other office. The paper clip is here – but – did they see it? Did they make a copy? How are we to know? What happens if they did? There is also another paper clip here – it is our revolutionary new super paper clip that we were just about to patent. Is it possible that the intruder took a picture?

The real nuisance is that probably none of this happened – but probably is not good enough – we still need to do the work before it is too late. I will not talk about the NUISANCE element any more here – it is present and, while there are many technologies and systems to minimise the work required – the real aim of the good security system is to never let us get to that point.

4 Data Safety

The solution here is a good backup and archival system. The systems like this exist and the differences are mainly technological. A good system is easy to define – if we know that we can recover our data, the system works. From then on – the differences between the systems will be limited to the cost, required man-power and training, reliability, speed, convenience.

5 Data Privacy – the heart of the problem

Here is where the problem – and the solution – lie. The system that allows the right person to access the right data at the right time and in the right manner and prevents all other access will simply get rid of all the other issues.

The system needs to be tough and reliable, it should allow plenty of control and manageability, but at the same time it must be easy and fast to use. IT security systems rely on the user’s cooperation (do not write your PIN on your bank card) – if they are too difficult to use, they fail (if your PIN was 48 digits long, you would probably write is somewhere). In the rest of this paper I will concentrate on requirements of a data privacy solution.

6 Authentication

In fact – when we get to the bottom of it – the problem is reduced one way or the other to authentication. Once we decided who should have access to the data the problem is how do we tell who is who. Of course, there are still some technical and administrative issues, but they really are easily resolved (such as: how do we actually stop unauthorized access, how do we control authorized access – like a proper revocation system etc.)

6.1 Multi-Factor Authentication

It is quite well accepted by now that authentication based on a single ‘factor’ (like a PIN or password) is weak and no proper security system should rely on it alone. It is customary to classify authentication factors into three categories:

  1. Something that you know (like password)
  2. Something that you have (like a smart card)
  3. Something that you are (like a fingerprint)
The role of thumb is that requiring two out of three factors (from different categories) provides a sensible security balance for most applications. There is a nice logic to this – a bank card and a PIN that you remember is secure. However if you write your PIN on a piece of paper , this piece of paper is now in the same category as your card – something you HAVE – so the security is lost.

There are other interesting examples: a password protected CD is fine as long as you have it. But if you send it by post to somebody – you are left with a one factor authentication. Also – a fingerprint on its own is just a one-factor authentication. Adding a face scan to it does not help (although a physical card that you keep would)

As these examples show, we are dealing with a dynamic system – authentication is not automatically good or bad – it changes depending on situation. In practice this means that authentication, just like all other things we depend on, needs redundancy. A two-factor authentication may be good enough until one factor is lost (your bank card is stolen – so you do not HAVE it – you are now protected by a single factor – your PIN). So – we should have a system that remains at least two-factor in most situations – or we should have something else beyond a multi-factor authentication.

Before I get to this – here is one misconception pushed quite a bit by some people who have a commercial interest in doing so and by other who simply don’t know any better: When we talk about something you KNOW – this really should not be just ANYTHING. Nobody would accept that something you HAVE could be a pair of shoes – there are few other people who have that.

By the same token you would not accept something you ARE to be ‘human’ (although one could argue that the number is a bit smaller here than it is for shoes) or even ‘white female’. However – we hear quite often that the fact that the data can only be read by a specific piece of software that is a secret and you need to know it to understand the data is an additional protection – well… it isn’t.

A secret shared by an undetermined number of other people who you don’t know is NO secret.

6.2 Beyond Multi-Factor Authentication

6.2.1 Time dependent access
A time lock on a safe adds to its security considerably. There is no reason why the same technique should not be used for authentication. If we can restrict time of the day when authentication works, we improve security.

What is even more interesting, we can decide WHEN the authentication should start working and when it should stop working – it is like a bank card operator who enables your PIN after you confirmed in person that you received both the card and the PIN. The same operator may disable your PIN after you report a stolen card. None of this is applicable to something like a password protected CD though.
6.2.2 Something Somebody Else knows/has/is
The multi-factor authentication gets much stronger if it involves more than one person – there are widely used examples of this: two signatures required on some cheques, safes with dual locks, where two keys from two people are required…

Having your authentication confirmed by a third party is a quite popular way of making authentication system more secure.
6.2.3 Penalty systems
We have to accept that in the multi-factor system some of the factors are weak (on their own) – like a PIN or a password. This exposes the system to a brute force attack (there are only few thousands of possible four digit PIN numbers and one MUST be right – and I would be really surprised if half of the existing PIN numbers were not between 1931 and 1981 or something like this – just 50 combinations.

In fact the ability of users to change the PIN number is a convenience and not a security measure) One well accepted way of defending against the brute force attack is a penalty system – ‘three strikes and you’re out’ sort of thing. This is a simple and effective security measure. You enter three wrong PINs and you have to talk to your bank in person. The problem is that this only works if you are interacting with a secure and intelligent system – like an ATM. A penalty system cannot be used for a password protected CD – we simply don’t have any control over where it will be read. While on the subject – many systems apply a slightly gentler, but still quite effective ‘penalty’ – they simply take very long to say NO (while they say YES immediately). This means that the correct authentication is fast, but an automatic system that tries all possible combination will take ages to run – as all failures will take forever. Of course – this system is also no good for something like a password protected CD.

7 Authenticated – Now what?

7.1 Authorization

While authentication is the core of the security system the work does not end here. Once we decided that we know who we are dealing with we now have to determine what we should allow them to do. The authorization is the system that allows us to take these decisions. There are plenty of implementations and there are plenty of terrible examples of what happens if this is missing. A person authenticates themselves to the system and then copies the whole database to a CD, which consequently gets lost.

7.2 Access to data

Once the authentication and authorization steps are done the user can access data. There are two elements to it:

  1. ‘Physical’ access – the ability to read the bits
  2. ‘Logical’ access – the ability to ‘interpret’ it
By interpretation I don’t mean any ‘deep’ understanding – it is simply a basic understanding of how the bits that we are reading translate into numbers or text.

Physical access to data is handled simply by authorization tools – like file permissions, access control systems etc. Logical access depends on how the file is encoded and if it is encrypted. Of course if there is no encryption, then there are only few popular ways of encoding the file and it is not worth discussing.
7.2.1 Encryption
There is enough literature on different encryption algorithms and in fact, we can simply assume here that we use strong encryption and that the data cannot be practically decrypted without a proper key. We can assume that no brute force attack is feasible and anything else would still take too long for the data to be of any value. So – the remaining question is where we put the key.

There are different solutions for this for different scenarios (a private/public key system means that the private key is something that you HAVE). It looks like we are where we started – we are authenticated and authorized, but we still need stuff to get to our data. Actually – this is true and not true – yes, we do and this is not the last time, but some of the authentication and authorization that we achieved in the process can be used to help. If a strong authorization system is in place than the key needed to decrypt the data should be available to us at that point.

8 Can we protect data better?

As the Encryption section suggested – after doing all the authentication and authorization the data would still be useless without a key. And the authentication and authorization gives us access to the key.

Well, then – there is no strong reason to hide the data behind all these walls if the only way we can read the data is by going through this process anyway.

So – this way we can properly protect data on a CD and not worry if it gets lost. The key to the data is available on a remote server, subject to full authentication and authorization. What is more, the key may not be available at all until the sender of the CD obtains a reliable confirmation that the encrypted data are in the right hands. The access to the data (even if we don’t know where they are, and maybe especially when we don’t know) can be disabled in seconds, access can be time controlled, monitored and audited. Data do not need to be uniform in security terms – access may be granted to a part of the data and refused to another part. And all of this can be done remotely, without worrying about the location of the data. (although – the usual procedure would be – if we don’t know who has the data, we keep it locked).

Using strong encryption for all of this means that there is really no danger of someone reading the data without us knowing. Using strong and secure authentication and authorization means that there is not a great chance that somebody will pretend to be somebody else in order to gain access.

Security Concepts – Richard Zybert – Zybert Computing – 22nd November 2007