Design and Implementation of Digital Identification Systems
Lecture 9 & 10
FIT3105 Semester 1 - 2008
Outline
• The need for digital identification systems
• Digital identification systems: design principles
• Digital identification systems: implementation considerations
• Architectures and technologies for digital identification systems
• Digital identification systems and services
• Attacks and protection of digital identification systems
Digital identification systems and IT security
• Whichever area of IT security you work in, you will deal with digital identification and authentication.
• Digital identification systems (DIS) support not only corporate and national security but also network and information security.
• Access to computer servers such as database servers, authentication servers (RADIUS servers), mail servers, banking account servers, government document servers, etc.
• Access to important network components such as switches, bridges, routers, VPN servers, load balancers, etc.
Digital ID systems and IT security
• Access to computer servers such as chemical plant computer servers, missile control computer systems, weaponry information servers, etc.
• Enterprise R&D sensitive information servers, national infrastructure information servers, etc.
• Police department database servers, international trade and affairs database servers, etc.
Design and implementation of DIS
• Designing and implementing a DIS is difficult: it requires sound knowledge of many related areas and good experience with real systems.
• A designer needs to know cryptography, smart card technology, biometrics, law, etc.
• System analysis, costing, software development, etc.
• Possible attacks on the system
• Backup and disaster recovery, etc.
Digital identification system: design principles
1. Strong authentication
• The system stores sensitive information, therefore there is a need for strong authentication.
• Stolen IDs can be used to access more sensitive information.
2. Strong encryption
• The system stores and transmits sensitive information, therefore there is a need for strong encryption.
• ID information is very sensitive and sometimes very critical. It must be encrypted with strong encryption.
3. Integrity
• Modification of sensitive information should be detected and dealt with as soon as possible.
4. Extendibility
• A DIS is dynamic and should be designed to allow extendibility.
Digital identification system: design principles
5. Strong logging and record tracing
• A DIS is not only sensitive but also legally important in many cases. The system should be designed in a way that allows us to trace back any past incident quickly and reliably.
6. Availability
• Unlike other systems, a DIS is expected to be very highly available because of the critical information it holds (especially national and international DIS used for security purposes).
7. Efficiency
• In most cases the efficiency of a DIS is extremely important, since both security and time are critical. Therefore it is very important to design the DIS with efficiency in mind.
8. Costs
• Changes made to a DIS are very expensive and sometimes legally prohibited. The designer of a DIS should consider all costs involved in designing, implementing, maintaining, and updating the system. Other costs such as enrolment, user training, etc. should also be considered carefully.
Some key design questions
The designers of a DIS are often faced with a number of important questions:
• What will the data be?
• What is the potential future use of the DIS?
• Who will access the data of the DIS?
• What level of security is required for a particular DIS?
Some key design questions
• How will the system be upgraded to handle new technologies, requirements and features?
• How will the system tell who accessed a piece of data at a point in time in the past, or why the system was modified (auditing)?
• Can the data be efficiently retrieved anywhere, any time, over wired or wireless communications?
• What are the current costs and the future ones?
Other design questions
• What technologies are available now, and are they standard?
• The technologies used in designing and implementing a DIS affect the system's performance, expandability, compatibility with other systems and availability to different users.
• What needs to be considered in determining the overall cost of the identification system?
• Total system cost can include:
  • identity proving process
  • verification processes
  • management costs
  • individual means such as ID cards, chips, tokens, etc.
  • devices such as smart card readers and biometric devices
  • new software packages
  • infrastructure (networking, databases, new software applications)
  • user and personnel training
Design principles: strong authentication
• Strong authentication:
• Carefully design and choose the authentication model that will be used for authorised access:
  • Strong authentication of users can be based on one-time passwords, smartcards, biometrics, and digital certificates.
• Carefully design and choose the authentication model that will be used for subsystems:
  • Subsystems which support the DIS have to be based on a strong authentication model such as Kerberos with dynamic keys.
• Design strong authentication mechanisms for client-server based applications that access the DIS:
  • Eg: SSL with strong algorithms should be considered a good option.
Design principles: strong encryption
• Strong encryption: the designer of a DIS needs to consider different encryption algorithms for different uses.
  • Encryption algorithms for storing data
  • Encryption algorithms for data transmission
  • Encryption algorithms for wireless access
  • Encryption algorithms for individual devices such as smart cards.
Design principles: integrity
• Stored data should be consistent at all times. Any modification to data has to be automatically detected and dealt with.
• Strong one-way hash functions should be used when designing the data integrity of a DIS.
• Keyed hash functions should be used when data has to be modified.
• To verify an identity, a DIS should not use hashed values.
Design principles: extendibility
• A DIS is dynamic and the designer should consider the following questions carefully.
• How will the system provide:
  • sufficient space for storing data in the main database?
  • sufficient space for storing data on the portable devices?
  • good performance with an increasing number of users?
  • the same security level for additional levels of authorised access?
  • services without disruption when it is extended?
Design principles: strong logging and record tracing
• A DIS is a very sensitive system. Any access to the system should be recorded and the system should have mechanisms to trace back any activity.
• Log files based on events, with sufficient details of any access to any piece of data in the system.
• Key based access controls
  • Unique individual keys
  • Group keys for group members' access
  • Combination of individual and group keys for record tracking
Design principles: availability
• The availability of a DIS is critical. It can sometimes be a matter of life and death.
• The designer has to come up with a highly available model.
• If backup and duplication are used, then the information has to be 100% consistent.
• Network availability is essential to continuously provide access.
• A secure and efficient key management system should be in place to deal with key compromise, loss, or update.
Design principles: efficiency
• The efficiency of a DIS is also important.
• Government organisations and enterprises running large-population DIS need to access the DIS efficiently.
• Any update or change should not affect the system.
• The design should provide the best and worst cases as a guideline for personnel and users.
• Eg:
  • data may need to be stored in a distributed system rather than a centralised system.
  • faster devices may be needed to allow easy and fast data collection.
Design principles: costs
• A DIS is expensive in many ways, therefore extra caution needs to be taken in designing it.
• Low-cost portable devices may be the obvious choice; however, this may cause problems when new technologies are introduced into the system, and replacing the cheap devices with more expensive and sophisticated ones can be very costly.
• Biometrics can be a good choice for many DIS, but it may be expensive.
• Applications for the DIS's functions can also be expensive.
• Redesigning a DIS can blow up the budget (it has cost the British ID system 10.8 billion while it is still not fully operational).
Implementation considerations
• Strong authentication:
• All servers must register with the authentication server(s) and have at least digital certificates or dynamic shared keys.
• Strong key exchange protocols must be used, for example IKE and the OAKLEY key exchange protocol.
• Clients must provide certificates on request for sensitive information (most information from a DIS is sensitive).
• Biometrics and secret keys or certificates must be used for human access controls.
• Dynamic keys and group keys should be used to provide stronger authentication and record tracking (see Harry Ngo and Phu Dung Le's publications for details).
  • Group key management can be used to control the access of a group of privileged people.
  • However, this makes it hard to trace incidents. Therefore we must use both group and dynamic keys.
Implementation considerations
• Strong encryption:
• Stored data is highly sensitive, and strong encryption algorithms with a good key size should be used: AES or 3DES rather than DES.
• Sometimes double encryption should be used for storing and transmitting very sensitive information.
• Strong key exchange protocols must be used, for example IKE and the OAKLEY key exchange protocol.
• Client and server communications must be encrypted (most information from a DIS is sensitive).
• IPSec should be set up in tunnel mode between all nodes.
• SSL/TLS should be used to build DIS applications.
• Strong stream ciphers (RC4 or enhanced ciphers) without recycling random numbers should be used.
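The last point deserves a concrete illustration: a stream cipher whose keystream is reused across messages lets an eavesdropper cancel the keystream by XORing two ciphertexts. The following is an added example, not part of the lecture, using a textbook RC4 implementation; the per-message key derivation SHA-256(key || nonce) and all sample values are assumptions for the demonstration.

```python
import hashlib
import os


def rc4_keystream(key, length):
    """Textbook RC4: key scheduling (KSA) followed by keystream generation (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_reused(key, plaintext):
    """Weak usage: the same long-term key, hence the same keystream, for every message."""
    return xor_bytes(plaintext, rc4_keystream(key, len(plaintext)))


def encrypt_fresh(key, nonce, plaintext):
    """Derive a per-message key from the long-term key and a fresh random nonce so
    that no keystream is ever recycled. Assumption: SHA-256(key || nonce) as the
    derivation; the slide names no particular scheme."""
    msg_key = hashlib.sha256(key + nonce).digest()
    return nonce, xor_bytes(plaintext, rc4_keystream(msg_key, len(plaintext)))


def keystream_leak(c1, c2, p1, p2):
    """True when the keystream was recycled: c1 XOR c2 then equals p1 XOR p2, so the
    relationship between two identity records is exposed without any key."""
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


# Constructed sample key and two constructed identity records.
KEY = b"constructed-demo-key"
P1 = b"id=DIS-0001;clearance=staff"
P2 = b"id=DIS-0002;clearance=admin"


def compare():
    """Contrast keystream reuse with per-message keys on the two sample records."""
    reused = keystream_leak(encrypt_reused(KEY, P1), encrypt_reused(KEY, P2), P1, P2)
    _, c1 = encrypt_fresh(KEY, os.urandom(16), P1)
    _, c2 = encrypt_fresh(KEY, os.urandom(16), P2)
    return {"reused_leaks": reused, "fresh_leaks": keystream_leak(c1, c2, P1, P2)}
```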
Implementation considerations
• Integrity guarantee:
• The implementation needs to consider the possibility of multiple database servers. However, we need to make sure stored data is consistent at all times.
• Implement a good scheme for duplicating servers in real time, and keep in mind that attacks can happen during temporary inconsistency. Time synchronisation is a very important factor. A distributed system should be used to allow servers to continue functioning in case of any server's failure.
• Use keyed hash functions (SHA-1 or MD5 with a secret key) to provide strong integrity for both data and software applications. This can help detect any modification. For example, an attacker can capture and modify a packet but cannot produce a correct hash value because she/he does not know the shared secret key.
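The keyed-hash argument above can be checked directly. This is an added example, not part of the lecture: it protects a constructed identity record with an unkeyed hash and with a keyed hash (HMAC-SHA256 is assumed here in place of the slide's SHA-1/MD5), then modifies the record the way the captured-packet scenario describes and shows which check still catches it.

```python
import hashlib
import hmac
import json

# Constructed sample identity record, as a DIS might store or transmit it.
RECORD = {"id": "DIS-0001", "name": "A. Example", "clearance": "staff"}
# Constructed shared secret; in a real DIS it comes from the key management system.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"


def canonical(record):
    """Serialise deterministically so sender and verifier hash identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def plain_digest(record):
    """Unkeyed SHA-256: anyone who can read the record can recompute it."""
    return hashlib.sha256(canonical(record)).hexdigest()


def keyed_tag(record, key):
    """HMAC-SHA256 over the record: only holders of the key can produce it."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify_plain(record, digest):
    return hmac.compare_digest(plain_digest(record), digest)


def verify_keyed(record, tag, key):
    # compare_digest avoids leaking the tag through comparison timing.
    return hmac.compare_digest(keyed_tag(record, key), tag)


def tamper_demo():
    """Modify a record in transit and try to make each integrity check pass again."""
    digest = plain_digest(RECORD)
    tag = keyed_tag(RECORD, SECRET_KEY)
    modified = dict(RECORD, clearance="admin")
    return {
        # Without a key the tampering party simply recomputes the digest: accepted.
        "plain_forged_accepted": verify_plain(modified, plain_digest(modified)),
        # The original digest no longer matches the modified record.
        "old_digest_accepted": verify_plain(modified, digest),
        # Recomputing the tag with a guessed key does not match the real key's tag.
        "wrong_key_accepted": verify_keyed(modified, keyed_tag(modified, b"guess"), SECRET_KEY),
        # Replaying the original tag on the modified record fails as well.
        "old_tag_accepted": verify_keyed(modified, tag, SECRET_KEY),
        # The untouched record with its original tag still verifies.
        "untouched_accepted": verify_keyed(RECORD, tag, SECRET_KEY),
    }
```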
Implementation considerations
• Extendibility
• DIS systems are dynamic and subject to changes of technology and network updates.
• New technologies are emerging, and flaws in the old technologies may be found. Prepare a plan for hardware and software change.
• Network updates are unavoidable. Prepare a plan for wireless and mobile communications to be used.
Implementation considerations
• Availability
• Implement multiple servers with strong backup and an effective synchronisation method.
• Allow both wired and wireless communications by setting up and configuring proper networks.
Implementation considerations
• Efficiency:
• Multicasting techniques can be used for group services.
• Minimise manual enrolment and sample-taking, but be aware that this can compromise security.
Implementation considerations
• Costs: budget should be reserved for many possible future works.
• The costs of updating and maintaining the system can exceed the budget, and this will lead to security compromise.
• New attacks are invented more and more frequently, and finding a method to mitigate and prevent such attacks is not always costly. This often results in changes to the system and costs more.
Possible attacks on DIS
1. Buffer overflow attacks - (C, C++, Perl, etc. code attacks on string size and input validation)
2. Code injection attacks - (SQL injection; web input injection with commands)
3. Fake servers - fake servers to trap clients when the real servers are down
4. Rogue access points - unregistered access points to trap wireless users
5. Fake web services - it is possible to set up fake URLs in a very short period of time without leaving any trace
Possible attacks on DIS
6. Hacking to gain control of the server - attackers can hack into your systems by exploiting bugs in your software or security holes in your system
7. Password capturing and cracking - spyware is on the rise, and more tools for cracking passwords (and encrypted data) are available.
8. Data transmission capturing and decoding - since DIS data is stored for a number of years, attackers can capture encrypted data during transmission and have enough time to break the encryption to get the real data.
9. Replay and denial of service attacks - attackers can carry out replay attacks to make the system refuse any entry. They can also attack DIS servers or flood the system with many heavy chunks of data.
Mitigations to possible attacks
1. Multi-level authentication: users, services, servers
2. VPN with strong encryption
3. Anti-malware packages and intrusion detection and prevention systems
4. Proxies and firewalls
5. IPSec
6. Secure coding techniques
7. Audit controls with record tracking
8. SSL/TLS for network and internet applications
Conclusion
• A DIS is one of the most sophisticated and expensive security systems; therefore designers' tasks are important and are often highly paid and respected.
• Designers need to follow good methodology and have up-to-date knowledge of technologies in many areas.
• The best way to learn how to design and implement a DIS is to begin with a corporate DIS first.
• National and international DIS require many groups of people working together.
• It takes a lot of time to investigate technologies before we can begin the design.
• The design needs to be fine-tuned several times before it is implemented.
• The final version should be verified and intensively analysed with all possible methods to minimise vulnerabilities.