Please Note: The following is a draft working paper. It has been prepared by a working group of the Black Forest Group and is under review and revision. It has not yet been approved as an official document of the BFG. Comments and suggestions on the paper will be gratefully appreciated.
05/01/97
The Black Forest Group (BFG) is a member-sponsored forum of some of
the largest corporations in the world as well as consultants and members
from academia. The Black Forest Group fosters the exchange of ideas, experiences,
and directions among user organizations, vendors, commercial businesses,
as well as academic and research organizations in the area of information
technology. The BFG has recently identified the security of computer-mediated
communications as a critical need both for the internal protection of essential
business processes and the protection of individuals who plan to use the
global information infrastructure.
These security needs cannot be met by technical innovation alone: government
support for basic initiatives must be sought by all users and organizations.
Support for requisite commercial, public, and political services must be
expanded or created, or governments' guidelines and regulations will
impede or restrict any possibility of automated, scalable, even viable
electronic commerce. Black Forest's underlying concern with all security
services is that they ultimately provide the end-user with the protections
and accountabilities required to be successful in a global, electronically
connected computer environment. This success will require the ability
to accurately manage the choice of whether or not to share information
at levels of resolution previously not experienced by most end-users.
The Black Forest Group sees the following 15 top level problems in the
global interconnected computing environment.
1. Lack of an International Authentication Framework:
An authentication framework with the following properties will be required
for electronic commerce: A) It provides (at least on trusted clients) a
strong authentication path between user and server. That is, there exists
a strong mechanism both for initial user log-on and for establishing a user
client-server session, passing sufficient evidence preserved from the initial
log-on to the server so that the server can authenticate the user's identity
as well. B) Authentication needs a clear distinction between authentication
of the client ("what machine are you?") and authentication of
the user ("who is using this machine?"). C) Authentication needs
a framework to accommodate heterogeneous technologies and to make access
control conditional upon the technologies employed.
2. Trusted Workstation: End-users will
not long accept insecure and compromisable devices from which to perform
their electronic transactions. However, end-users on interconnected networks
have very limited choices when choosing a workstation to
trust. Where one does one's work is important. However, in this day of the home
and traveling office, the platform from which one operates has as much
to do with the confidence given to an end-user's authentication as any other
factor. Thus, an independently evaluated and trustable workstation of known
configuration from which the end-user performs work is an essential component
for work.
3. Lack of enforceable Accountability Services:
The current lack of enforceable Accountability Services with strong integrity
is a significant problem in networked environments. Since accountability
services without a verifiable level of integrity are worse than no accountability
at all, considerable attention needs to be focused upon the design and
provision of Accountability Services at the network level. The business
need is to be able to associate selected actions, at the system, network,
and application level to the individual responsible for that action. This
must include a degree of confidence acceptable in any court of law, so
that liability for errors or malfeasance can be assessed. It should be
noted that legal liability in civil cases requires only a reasonable likelihood
while criminal law requires a high degree of certainty. The Black Forest Group
is not searching for a logically infallible system of controls, only enough
to give users of the interconnected networks a reasonable chance to establish
liability where liability exists.
4. There is no secure commercial offering for
a Software Registry Service: Currently, there is no Software
Registry Service for end-users to consult. The primary need to be met by
this service permits subscribers to determine (using digital signature
technology, or the like) whether a purportedly *branded* software component
(transmitted code, DLL, etc.) is, in fact, from the business entity claimed.
The core need is this: Concern C receives software + verification evidence
(today), purportedly from vendor V. Concern C sends the evidence to a software
registry, which validates the evidence ("the software you got with
this evidence really is from V") and the registry is willing to (in
effect) bond the correctness of the reply. The proposed service clearly
needs as a prerequisite communications security between vendor and registry.
A second problem exists:
5. Inability to know the source of electronically
(or even physically) distributed software: Currently, there
is no way for end-users, companies or individuals, to know the source of
electronically (or even physically) distributed software. This is because
certificate attributes conveying quality of confidence (or source) as part
of the key do not exist.
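As an added illustration (not part of the BFG paper) of the exchange described in items 4 and 5, the following Go program models vendor V signing a component, Concern C forwarding the component plus evidence, and the registry validating the evidence against the key it has enrolled for V. The vendor names, the Ed25519/SHA-256 choice, the seed-derived demo keys and the sample component are constructed assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
)

// Evidence travels with a software component that claims to come from vendor V.
type Evidence struct {
	Vendor    string // business entity the component claims to come from
	Digest    []byte // SHA-256 of the component as shipped
	Signature []byte // vendor's Ed25519 signature over Digest
}

// Registry holds the public key enrolled for each vendor; enrolment is assumed to
// run over the secured vendor-registry channel the paper names as a prerequisite.
type Registry struct{ keys map[string]ed25519.PublicKey }

// Validate answers "is the software C got with this evidence really from V?": it
// recomputes the digest (catching a component swapped after signing), then checks
// the signature against the key enrolled for the *claimed* vendor.
func (r *Registry) Validate(component []byte, ev Evidence) error {
	pub, ok := r.keys[ev.Vendor]
	if !ok {
		return errors.New("registry: no key enrolled for vendor " + ev.Vendor)
	}
	digest := sha256.Sum256(component)
	if !bytes.Equal(digest[:], ev.Digest) {
		return errors.New("registry: component does not match the signed digest")
	}
	if !ed25519.Verify(pub, digest[:], ev.Signature) {
		return errors.New("registry: signature was not made by " + ev.Vendor)
	}
	return nil
}

// Sign is the vendor side: produce the evidence shipped alongside a component.
func Sign(vendor string, priv ed25519.PrivateKey, component []byte) Evidence {
	digest := sha256.Sum256(component)
	return Evidence{Vendor: vendor, Digest: digest[:], Signature: ed25519.Sign(priv, digest[:])}
}

// DemoKey derives a reproducible key pair from a constructed seed byte (demo only).
func DemoKey(seed byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{seed}, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}
```

A registry that is willing to bond its answer would also log the query and the key it used, so that a later dispute over "was this really from V" can be settled from its records.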
6. There is no International Public Key Infrastructure:
A critical requirement for electronic commerce is that some basis must
exist for trusting the authenticity of a user's public key (i.e., that
it really belongs to the entity claimed to be associated with it). Thus,
distribution, registry, and scalability re-emerge as issues.
7. Lack of an International Network Security Architecture:
Today there is increased effort in creating, distributing, and employing
security services across national boundaries due to the lack of a National
Network Security Architecture. Yet, if development of the solution to this
problem set is not coordinated, solutions could be "individually secure"
but refuse to work together, negating the benefits of true electronic commerce.
For interconnectivity to exist in an increasingly protected environment,
an architecture is required. Here an architecture is nothing more than
an enumeration of the interfaces between independent components, a precise,
testable specification of those interfaces and the data exchange protocols
to be executed via the interfaces, and a description of the intended semantics
(meaning) of the protocols. Components that conform to the architecture
will then work together securely as a larger unit. The architecture must
accommodate heterogeneously-trusted components, and where appropriate,
involve frameworks that can accommodate multiple technologies built to
different interfaces or wire protocols.
8. Lack of an International Civil Cryptography
Framework: Today's end-users of cryptography, especially businesses,
find themselves unable to obtain readily available, scalable and deployable
commercial cryptographic software, as there is no International Civil
Cryptography Framework responsive to individual, business, law enforcement,
and government concerns. An extensible framework should accommodate the
use of exportable cryptographic algorithms (both symmetric and public key)
as well as standard protocols (up to and including electronic commerce
protocols). The framework should accommodate the employment of heterogeneous
technologies. The framework should support and actively protect the privacy
and civil rights of all who use it.
9. Voluntary Key Management Infrastructure:
Recognizing the liability in managing the privacy of electronic information
or in managing its integrity, the Black Forest Group recognizes that optional
Key Recovery services may be useful, especially for record retention and
data archiving, as well as for legal and liability requirements. However,
previous and current proposals to mandate any particular body for key escrow
or key backup seem very short-sighted, especially in an environment where
government key escrow methods have been deemed less than secure. Because
of the end-users' and companies' need for reliable and trusted key management,
the Group recognizes optional escrow infrastructure as a possible requirement.
It is an essential requirement that a concern must be able to choose from
one of a variety of international escrow agents while preserving interoperability
among concerns choosing different agents, and allowing the construction
of a liability assumption (tracking) model that works for individuals,
business, and governments in the recovery of information.
10. The lack of commercially available comprehensive
Access Controls: Today Access Controls (ACs) are too limiting
and difficult to administer comprehensively. The safe administration of
confidential information inside large facilities has become problematic.
11. Improved Discretionary Access Controls:
There is a need for Improved Discretionary Access Controls (DACs). Most
current access control designs result in Access Controls that are hard
to manage and interpret. ACs are "security programs" for a given
object: Their "language" should be carefully and thoughtfully
designed. Users should be able to name principals from their "address
book".
12. Closed User Group Safeguards: While
the technologies for maintaining Closed User Group Safeguards have been
known for years, these technologies need to be made commercially available,
and easy to use. The need here is the following: Suppose multiple concerns
are sharing an on-line service. One wants confidence that the service has
the following property: Leakage of data or one customer influencing another
is under highly controlled circumstances, i.e. not fragile in the face
of operator error (and certainly not in the face of other customer activity
with the service). It is noted that this seems to require the use of some
kind of non-discretionary access control. Example: If I set an AC to "everybody
can access" in this operational context, it should not really mean
"everybody", it should mean "everybody in my closed group".
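As an added illustration (not from the BFG paper) of the semantics item 12 asks for, the following Go sketch evaluates an owner-written discretionary AC only after a non-discretionary closed-group check, so "everybody" resolves to "everybody in the owner's closed group" and a mistyped AC cannot leak to another customer of the shared service. The Principal and Object types, the group names and the AC vocabulary are constructed assumptions.

```go
package main

import "fmt"

// Principal is a user of the shared on-line service together with the closed
// user group (the customer concern) it belongs to.
type Principal struct {
	Name  string
	Group string
}

// Everybody is the keyword an owner may write into a discretionary AC.
const Everybody = "everybody"

// Object is a resource on the shared service with its owner-written AC.
type Object struct {
	Owner Principal
	AC    []string // principal names and/or the Everybody keyword
}

// discretionary evaluates the AC literally, exactly as the owner wrote it.
func discretionary(obj Object, p Principal) bool {
	for _, entry := range obj.AC {
		if entry == Everybody || entry == p.Name {
			return true
		}
	}
	return false
}

// Allows is the service's reference-monitor decision. The closed-group test is
// non-discretionary: it runs first and no AC entry can widen it, so "everybody"
// means "everybody in the owner's closed group", an over-broad AC cannot leak
// data to another customer, and a same-named login in another concern is refused.
func Allows(obj Object, p Principal) bool {
	if p.Group != obj.Owner.Group {
		return false
	}
	return discretionary(obj, p)
}

func main() {
	carol := Principal{Name: "carol", Group: "acme"}
	report := Object{Owner: carol, AC: []string{Everybody}}
	fmt.Println(Allows(report, Principal{Name: "dave", Group: "acme"}))   // true
	fmt.Println(Allows(report, Principal{Name: "dave", Group: "globex"})) // false
}
```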
13. Support for the notion of a Trusted Session:
This problem goes beyond mere authentication. The first level of confidence
is confidence that a client-server session does not (within reasonable
and perhaps configurable limits) persist when the user logs out. Support for
an *absentee* session is desirable, but the server must know that the user is absent
(an extension of the single-machine *batch processing* capability). A second level
of trust must be support for a *trusted transaction*, i.e. that the user (and
not malicious software *stealing* the session or modifying messages) has
generated particular messages. Intuitively, the first level involves confidence
that *Bill is still there*. The second involves confidence that *Bill saw
or generated and approves of this request*.
14. International Independent Evaluations:
Even with the technology and infrastructure in place, most end-users and
companies do not use Independent Evaluations. When one begins to use a
software service making security claims (e.g., closed user group safeguards)
we have two problems: A) How does the customer know that the claims are
true? B) for that matter, how does the provider -- even assuming complete
honesty of intent -- know that the claims are true? Or have enough confidence
to be willing to make the claims? It seems clear that an infrastructure
for evaluation based upon sound evaluation technology is required (by sound we mean
*based on valid principles* in addition to *objectively repeatable*).
15. System and Application Protection:
It is highly desirable for system software of all varieties, from PC operating
systems to network system software, to take advantage of existing CPU architectural
support for System and Application Protection. That personal computers
have not taken advantage of provided support for the last twenty years
is a historical accident, and it is high time to recover from it. The environments
in which applications are run, and the increasing dependence of business-critical
processes on selected applications, now justify their encapsulation as
protected subsystems. The ability to encapsulate selected applications
in their own virtual environment has become even more critical with the
arrival of *download and execute* architectures (e.g., Java, ActiveX, etc.).
The Black Forest Group, not a research group itself, wishes to acknowledge
the original work of many other organizations who are working on these
problems. The BFG wishes to support these efforts and to further the discussion
on these topics. Also, the BFG recognizes these areas as being of interest
to many individuals and organizations internationally. The Group recommends
detailed study of these concerns to all international and national bodies
with responsibility for making contributions to the formulation of an interoperable
set of solutions.
Copyright (c) 1997 The Black Forest Group
All Rights Reserved