NEWS AT SEI
This article was originally published in News at SEI on: March 1, 2003
Have you ever received a CD-ROM in the mail, either at home, to be used on your home computer, or at the office, to be used on one of your company’s systems? How do you know it came from the company shown on the CD and not from someone else? Also, how can you even determine that the CD is from where it claims to be from and that its contents are what was intended?
The answer is that in most cases, you can’t. The CD by itself is just a collection of bits whose origin and ordering cannot be easily determined. Given that CD burners and blank CDs are inexpensive and creating CD artwork is straightforward, it seems that someday, somewhere, somebody will use this technique to send a faked CD to someone as part of an attempt to break into their computers and even their network. Maybe it’s already happened.
Let’s take this scenario a little further. Now that you know that creating fake CDs is possible, what could you do to verify the authenticity of a CD the next time you receive one?
You could visit the Web site of the organization that created the CD to see if the files are also available there as a download. If they are, you could do a bit-for-bit comparison between the files from the web site and the files on the CD. You’d know that the CD is from that organization and its contents are valid if the comparisons match.
Unfortunately, the Web site for most organizations doesn’t help you verify the information stored there or on the CD. You are now faced with the dilemma of not installing either the CD or Web-based version and running the risk of being hacked, or installing one of them and hoping that the contents are valid. This is a hard choice to make.
The issues you face here are authentication and integrity. You need to authenticate the CD’s producer and verify the integrity of the CD’s contents. Authentication and integrity are two of the fundamental tenets of computer security.
First, let’s consider authentication. How does one entity prove itself to another? With most computer-based applications, a login and password pair provides proof of identity. You’ve used these often to log in to your computer or to access a network email or merchant account.
We know from experience that the traditional login and password scheme is weak because it can be easily compromised. Even with strong passwords (i.e., passwords created using letters, numbers, and punctuation) electronic eavesdropping—called sniffing—can capture them.
This type of password is called reusable because you use it over and over. The personal identification number that you use at an automated teller machine is another type of reusable password.
An alternative to reusable passwords is one-time passwords. One-time passwords expire after the first time they’re used. Even if they’re captured, they’re no good.
One-time passwords virtually eliminate the eavesdropping problem. However, they add complexity that has a cost. For example, how do you know which one-time password you should use next? Perhaps you carry a list with you and cross off the ones you’ve used. That’s not very safe because a list could be stolen. Also, what happens when you’re out of the office and you’ve just used your last one-time password? How do you get more?
Another alternative is biometrics. According to Webopedia (an online dictionary found at http://www.webopedia.com), biometrics is an authentication technique that relies "on measurable physical characteristics that can be automatically checked. Examples include computer analysis of fingerprints or speech." Though biometrics is in its more formative stages, usage is expected to grow significantly as more products come to the marketplace.
Imagine then that your computer has a fingerprint scanner. You’d place your index finger into the scanner and the computer would then analyze it to determine who you are. Based on your identity, you’d then be authorized to do your work.
Unfortunately, even biometric techniques aren’t foolproof. To use a fictional example from Hollywood, in the James Bond film “Never Say Never Again,” SPECTRE defeated the retinal scan used to secure the nuclear missiles by implanting a different eye into one of their agents. Someday this fiction may become fact!
What’s the answer? The solution you choose means accepting a tradeoff between threats and the level of complexity and cost that you’re willing to accept. For some computers, the login and password scheme is appropriate, but for others, even the most sophisticated biometric techniques may not be enough.
Consider this: what would you be willing to accept as the authentication scheme so that you could use your home computer to vote for a United States presidential candidate in the next election? In light of what happened in the 2000 elections, many have been thinking about this problem and have proposed solutions. Would a login and password be good enough? How about using a credit card-sized device and a reader with your computer? When you swipe this card through the reader and provide a passphrase (a sentence, for example), only the correct combination would authenticate your identity and thereby allow you to vote. Are you comfortable with this scheme? What happens when someone loses their card or forgets their passphrase? Is this method any better than simply signing the voting register as most of us do now? These are all good questions without easy answers.
Authentication is a significant issue when it comes to security, computer and otherwise. There’s no practical, inexpensive, and hard-to-foil scheme just yet, but research continues and new products are being developed and used. There’s certainly a need, and need usually leads to a technological breakthrough. For now, logins that use one-time passwords and biometrics are the best practices.
Next, let’s think about integrity. How do you determine that a collection of information - a file for example - is what was intended by its author? The answer here is called a checksum. As defined again in Webopedia, a checksum is “a simple error-detection scheme in which each transmitted message is accompanied by a numerical value based on the number of set bits in the message. The receiving station then applies the same formula to the message and checks to make sure the accompanying numerical value is the same. If not, the receiver can assume that the message has been garbled.”
To create a checksum, you’d look at all of the bits in a message and do some mathematics on them. For example, you could add them together. Unfortunately, a scheme that simple isn’t very effective in determining if something has changed, because many different combinations of bits can give the same sum when added together.
The point is that not just any old checksum scheme will do. The mathematics used in the checksum computation must be sufficiently complex so that it is virtually impossible to find two files that have the same checksum value. Only with such a scheme can you determine if a file has been changed.
Integrity is another significant security issue, again both computer-related and otherwise. Knowing that information has changed is essential to e-commerce and other businesses that use the Internet to exchange information. Fortunately, there are checksum products available in the marketplace that can detect changes as small as a single bit no matter the size of the information being checked.
So let’s go back to the original problem of trusting the CD we got in the mail. One candidate solution to this problem is called digital signatures. Digital signatures contain authentication information so that you know who created the content and integrity information (checksums) so that you can verify that the content hasn’t changed. Had the organization that made the CD digitally signed every file on that CD, you would have been able to determine that the CD came from them and that the files contained what they intended. You would have been able to install its contents and sleep well that night!
There are many products available that create and use digital signatures. Some are free and some are commercial. Examples are Pretty Good Privacy (PGP) and Secure/Multipurpose Internet Mail Extensions (S/MIME). While their specifics differ, both use digital signatures to authenticate and verify information.
Digital signatures go a long way toward answering the question, Can you prove it? when verifying the authenticity and integrity of information. With today’s technology, the security of tasks such as verifying electronic mail and making purchases through the Internet can be significantly improved. When the technology matures so that additional biometric attributes convey an even higher degree of confidence for authentication purposes, you can expect these technologies to be widely used.
There may come a day when you no longer need a credit card or driver’s license to make a purchase or even identify yourself at the airport ticket counter. Your fingerprint and a glance into a retinal scanner may be all it takes to prove who you are!
About the Author
Lawrence R. Rogers is a senior member of the technical staff in the Networked Systems Survivability Program at the Software Engineering Institute (SEI). The CERT Coordination Center® is a part of this program. Rogers’s primary focus is analyzing system and network vulnerabilities and helping to transition security technology into production use. His professional interests are in the areas of the administering systems in a secure fashion and software tools and techniques for creating new systems being deployed on the Internet. Rogers also works as a trainer of system administrators, authoring and delivering courseware. Before joining the SEI, Rogers worked for 10 years at Princeton University. Rogers co-authored the Advanced Programmer’s Guide to UNIX Systems V with Rebecca Thomas and Jean Yates. He received a BS in systems analysis from Miami University in 1976 and an MA in computer engineering in 1978 from Case Western Reserve University.
This and other columns by Larry Rogers, along with extensive information about computer and network security, can be found at http://www.cert.org.
The views expressed in this article are the author's only and do not represent directly or imply any official position or view of the Software Engineering Institute or Carnegie Mellon University. This article is intended to stimulate further discussion about this topic.