Security Architecture for Sensitive Information Systems
by Xianping Wu, BCS, MBA, MNC
A Thesis Submitted in Fulfillment of the Requirements for the Degree of Doctor of Philosophy
Faculty of Information Technology, Monash University, Australia, 2009
Abstract
Protecting sensitive information is a growing concern around the globe. Securing critical data in all sectors, including the business, healthcare and military sectors, has become the first priority of sensitive information management. Failing to protect this asset results in high costs and, more importantly, can also result in lost customer and investor confidence and can even threaten national security. Sensitive information systems consist of three major components: the communication channel, the user interface and sensitive information storage; the protection of these three components equates to the protection of sensitive information itself. Previous research in this area has been limited by its reliance on long-term shared keys and public keys. Currently, no complete security solution exists to protect sensitive information across the three components. Issues such as dynamic sensitive information ownership, group authentication and authorization, and privacy protection also create challenges for the protection of sensitive information systems. The research described in this thesis builds on dynamic key theory and group key theory to present a novel security architecture that enables sensitive information systems to overcome these challenges and meet the desired security goals for the three major components. The proposed security architecture consists of dynamic key management, user-oriented group key management, authentication and authorization management and
sensitive information management, which together guarantee the security of the three major components of sensitive information systems. Because existing information security models lack assessment properties, a new sensitive information security model is also presented in this thesis to evaluate the effectiveness of the security architecture. This model proves that the security architecture satisfies the security goals. It can also be used to assess other security architectures, and thus makes a valuable contribution to the field of sensitive information systems security. In summary, the proposed security architecture offers unique features necessary for the security of sensitive information systems. It also overcomes the limitations associated with existing security approaches and enables the complete protection of the three major components of sensitive information systems.
Declaration
In accordance with Monash University Doctorate Regulation 17 / Doctor of Philosophy and Master of Philosophy (MPhil) regulations, the following declarations are made:
I hereby declare that this thesis contains no material which has been accepted for the award of any other degree or diploma at any university or equivalent institution and that, to the best of my knowledge and belief, this thesis contains no material previously published or written by another person, except where due reference is made in the text of the thesis.
Xianping Wu, 08 June 2009
Dedications
Dedicated to my beloved wife, Sha Na, to my parents, Peixue Wu and Xufen Li, and to the memory of grandpa.
Acknowledgements
This thesis would not have been possible without the best efforts of many people. First of all, I would like to gratefully acknowledge my supervisors, Prof Balasubramaniam Srinivasan and Dr Phu Dung Le, for giving me this awe-inspiring opportunity to work on this research. I am grateful for their advice, encouragement and invaluable technical discussions. I very much appreciate their immense help during the research and for giving valuable feedback during the writing of this thesis. Without both of them, I would not have been able to complete this thesis.
I would like to specially express my gratitude to Osama Dandash. I much appreciate his financial aid to start my research life, and his encouragement when I felt under pressure during the research. I would also like particularly to acknowledge the contribution of Huy Hoang Ngo (Harry) and Dr Yi Ling Wang (Tony) for encouragement, discussions, brainstorming and cheering-up jokes, as well as other researchers Minh Le Viet, Dr Alex Tze Hang Sim, Arun Mani, Xiya Fang, Minh Duc Cao, Abdulah Almuhaideb, Dr Samar Zutshi and Huamei Qi in Central South University.
I am thankful for the financial support (scholarship) from the Monash Research Graduate School. Special thanks to Julie Semon in Monash College for giving me the opportunity to teach; Nira Rahman in the Caulfield Library for thesis writing advice; and other library staff for resource finding. I thank Wei Wu, Snow, Dorn and Lin Zhang for warm friendship and support.
I thank and acknowledge the proofreading done by Megan Seen and my supervisors on thesis drafts. I also acknowledge the administrative support from John Sedgwick, Carmen Maestri, Chris Thomas, Michelle Ketchen, Allison Mitchell, Julie Austin, Katherine Knight, Dana Sussman, Duke Fonas and Akamon Kunkongkapun.
I cannot end without thanking my family, on whose constant encouragement and love I have relied throughout my research in completing this thesis. Many thanks are due to my wife, my soul mate, Sha Na, for her love, understanding, support, encouragement and her delicious Internet food. A million thanks are due to my parents and parents-in-law for their endless love and support in my educational pursuit. Thank you all for letting me follow my dreams.
Table of Contents
ABSTRACT ... I
DECLARATION ... III
DEDICATIONS ... IV
ACKNOWLEDGEMENTS ... V
1. INTRODUCTION ... 1
1.1. INFORMATION SYSTEMS ... 1
1.2. SENSITIVE INFORMATION ... 3
1.2.1. Characteristics of Sensitive Information ... 4
1.2.2. Protection of Sensitive Information ... 5
1.3. SECURITY AND LIMITATIONS OF SENSITIVE INFORMATION SYSTEMS ... 6
1.3.1. Retrieving Sensitive Information ... 6
1.3.2. Security Threats and Concerns of SIS ... 7
1.4. MOTIVATIONS OF THE THESIS ... 8
1.5. OBJECTIVES OF THE THESIS ... 12
1.6. ORGANIZATION OF THE THESIS AND CONTRIBUTIONS ... 13
1.6.1. Contributions of the Thesis ... 16
2. SECURITY ISSUES OF SENSITIVE INFORMATION SYSTEMS ... 18
2.1. CRYPTOGRAPHIC SYSTEMS ... 19
2.1.1. Symmetric Cryptography ... 20
2.1.2. Asymmetric Cryptography ... 24
2.1.3. Summary ... 27
2.2. SECURING COMMUNICATION CHANNEL ... 27
2.2.1. Secure Communication in Unicast Channels ... 28
2.2.2. Secure Communication in Multicast Channels ... 38
2.2.3. Summary ... 61
2.3. SECURING USER INTERFACE ... 62
2.3.1. Proof by Knowledge ... 62
2.3.2. Proof by Possession ... 70
2.3.3. Proof by Property ... 73
2.3.4. Authentication versus Authorization ... 75
2.3.5. Summary ... 76
2.4. SECURING SENSITIVE INFORMATION STORAGE ... 79
2.4.1. Disk Encryption ... 79
2.4.2. Database Encryption ... 83
2.4.3. Summary ... 87
2.5. THE CURRENT MODELS FOR INFORMATION SECURITY ... 89
2.5.1. CIA Triad ... 90
2.5.2. Parkerian Hexad ... 92
2.5.3. Summary ... 93
2.6. CONCLUSION ... 94
3. SECURITY ARCHITECTURE FOR SENSITIVE INFORMATION SYSTEMS ... 97
3.1. DYNAMIC KEY THEORY ... 99
3.1.1. Cryptographic Properties ... 101
3.1.2. Dynamic Keys versus Symmetric Cryptography ... 104
3.1.3. Dynamic Keys versus Asymmetric Cryptography ... 107
3.2. SECURITY ARCHITECTURE ... 110
3.2.1. Security Architecture Overview ... 110
3.2.2. Engaged Users ... 113
3.2.3. Dynamic Key Management ... 115
3.2.4. User-oriented Group Key Management ... 117
3.2.5. Authentication and Authorization Management ... 118
3.2.6. Sensitive Information Management ... 119
3.2.7. Structure in SecureSIS ... 122
3.2.8. Entities Belonging ... 123
3.2.9. Security Agreement ... 124
3.2.10. Goals of SecureSIS ... 125
3.3. SENSITIVE INFORMATION SECURITY MODEL ... 127
3.3.1. SecureSIS Pentad ... 128
3.3.2. Authenticity & Authority (AA) ... 129
3.3.3. Integrity (IN) ... 131
3.3.4. Non-repudiation (NR) ... 132
3.3.5. Confidentiality (CO) ... 133
3.3.6. Utility (UT) ... 134
3.3.7. Summary on the SecureSIS Pentad ... 135
3.4. SUMMARY ... 136
4. SECURITY ARCHITECTURE COMPONENTS ... 138
4.1. DYNAMIC KEY MANAGEMENT ... 139
4.1.1. Dynamic Key Agreement ... 139
4.1.2. Security Comparison ... 141
4.2. USER-ORIENTED GROUP KEY MANAGEMENT ... 142
4.2.1. Key Tree Structure ... 143
4.2.2. UGKM Cryptographic Properties ... 146
4.2.3. Group Keys ... 147
4.2.4. Member Join ... 148
4.2.5. Member Leave ... 154
4.2.6. Periodic Rekeying Operation ... 157
4.2.7. Security Comparison ... 158
4.3. AUTHENTICATION AND AUTHORIZATION MANAGEMENT ... 161
4.3.1. AAM Structure ... 162
4.3.2. Initialization Protocol ... 163
4.3.3. Logon Protocol ... 164
4.3.4. AccessAuth Protocol ... 166
4.3.5. Security Comparison ... 168
4.4. SENSITIVE INFORMATION MANAGEMENT ... 171
4.4.1. SIM Structure ... 172
4.4.2. Data Operation ... 174
4.4.3. Dynamic Membership Operations ... 177
4.4.4. Security Comparison ... 180
4.5. SUMMARY ... 182
5. SECURITY ANALYSIS AND DISCUSSION ON SECURESIS ... 185
5.1. SECURITY OF DKM ... 186
5.1.1. Dynamic Keys in DKM ... 187
5.1.2. Summary ... 189
5.2. SECURITY OF UGKM ... 189
5.2.1. Group Key Secrecy ... 190
5.2.2. Forward Secrecy ... 192
5.2.3. Backward Secrecy ... 194
5.2.4. Collusion Resistance ... 195
5.2.5. Summary ... 197
5.3. SECURITY OF AAM ... 198
5.3.1. Introduction to the Spi Calculus ... 198
5.3.2. Logon Protocol ... 200
5.3.3. AccessAuth Protocol ... 204
5.3.4. Summary ... 207
5.4. SECURITY OF SIM ... 208
5.4.1. Security of Interchanging Sensitive Information ... 209
5.4.2. Security of Sensitive Information Storage ... 210
5.4.3. Summary ... 214
5.5. SECURESIS PENTAD ASSESSMENT ... 214
5.5.1. Authenticity & Authority Discussion ... 215
5.5.2. Integrity Discussion ... 218
5.5.3. Non-repudiation Discussion ... 221
5.5.4. Confidentiality Discussion ... 223
5.5.5. Utility Discussion ... 224
5.5.6. SecureSIS Goals Discussion ... 225
5.6. SUMMARY ... 227
6. CONCLUSION AND FUTURE WORK ... 230
6.1. REVISITING THE RESEARCH PROBLEM AND APPROACH ... 231
6.2. CONTRIBUTIONS ... 232
6.3. FUTURE WORK ... 235
REFERENCES ... 237
PUBLICATIONS ... 258
List of Figures
Figure 1.1. The Architecture of a Generic Sensitive Information System ... 7
Figure 1.2. Overview of Thesis Structure ... 14
Figure 2.1. The Comparison of ESP and AH Protected IP Packets ... 30
Figure 2.2. SRTP Session Key Derivation ... 37
Figure 2.3. CKDS (ING) Protocol ... 41
Figure 2.4. GDH.1: An Example for Four Members ... 43
Figure 2.5. GDH.2: An Example of Four Members ... 44
Figure 2.6. GDH.3: An Example of Four Members ... 46
Figure 2.7. LKH Key Tree ... 49
Figure 2.8. LKH: Member Joins the Group ... 50
Figure 2.9. LKH: Member Leaves the Group ... 51
Figure 2.10. OFT Key Tree ... 53
Figure 2.11. OFT: The Keys Known to a Group Member ... 54
Figure 2.12. OFT: Member Joins a Group ... 55
Figure 2.13. OFT: Member Leaves a Group ... 56
Figure 2.14. Subgroups and GSIs in the Iolus Scheme ... 58
Figure 2.15. EFS: File Encryption ... 81
Figure 2.16. EFS: File Decryption ... 82
Figure 2.17. Transparent Data Encryption Hierarchy ... 85
Figure 2.18. TDE in Oracle Database ... 86
Figure 2.19. CIA Triad ... 91
Figure 2.20. Parkerian Hexad ... 92
Figure 3.1. Entropy of Dynamic and Long-term Keys ... 106
Figure 3.2. SecureSIS Core Component Overview ... 110
Figure 3.3. Tangible Conceptual Architecture of SecureSIS ... 113
Figure 3.4. DKM Key Generation Flow ... 116
Figure 3.5. AAM Process ... 119
Figure 3.6. Relationship between EI and EDK ... 121
Figure 3.7. The Structure of SecureSIS ... 122
Figure 3.8. SecureSIS Pentad ... 129
Figure 3.9. Sensitive Information Integrity Triangle ... 131
Figure 3.10. The Scope of Five Atomic Elements ... 136
Figure 4.1. Logical Structure of UGKM ... 145
Figure 4.2. User Join Operations ... 149
Figure 4.3. Active User Join ... 150
Figure 4.4. Passive User Join Cluster ... 153
Figure 4.5. User Leave Operations ... 154
Figure 4.6. Periodic Rekeying Timeline ... 158
Figure 4.7. AccessAuth Protocol Logical Flow ... 166
Figure 4.8. Structure of a SIM Object ... 172
Figure 4.9. Retrieving Sensitive Information Flow Chart ... 173
Figure 4.10. Initial Status of SIM ... 174
Figure 4.11. New Data Entry Status of SIM ... 175
Figure 4.12. Data Update Status of SIM ... 176
Figure 4.13. Data Deletion Status of SIM ... 177
Figure 4.14. Data Access Status of SIM ... 177
Figure 4.15. Ownership Change of Sensitive Information ... 179
Figure 5.1. The Organization of Security Analysis and Discussion ... 186
Figure 5.2. Structure of the Logon Protocol ... 201
Figure 5.3. Structure of the AccessAuth Protocol ... 205
List of Tables
Table 1.1. Sensitive Information Levels of Classification in the U.S. ... 3
Table 1.2. Sensitive Information Vulnerabilities ... 7
Table 2.1. Symmetric Keys Comparison ... 21
Table 2.2. Comparison of CKDS, GDH.1, GDH.2 and GDH.3 ... 47
Table 2.3. Comparison of LKH and OFT ... 57
Table 2.4. Advantages and Disadvantages of Multicast Communication Schemes ... 60
Table 2.5. Advantages and Disadvantages of Knowledge, Possession and Property Factors ... 78
Table 2.6. Advantages and Disadvantages of Disk Encryption and Database Encryption ... 88
Table 2.7. Problems in Sensitive Information Security ... 95
Table 3.1. Applied SecureSIS Pentad with the Proposed SecureSIS ... 137
Table 4.1. Key Management Comparison ... 141
Table 4.2. Security Comparison of Group Key Management ... 159
Table 4.3. Security Comparison of AAM to Kerberos and its Successors ... 169
Table 4.4. Security Comparison of SIM to Other Approaches ... 181
Table 4.5. SecureSIS Components vs. Goals ... 184
Chapter 1
1. Introduction
1.1. Information Systems
The use of information has become a pervasive part of our daily life; we have become an information society [GoGo96]. Employees use information to make personal choices and perform basic job functions; managers require significant amounts of it for planning, organizing and controlling; corporations leverage it for strategic advantage. Since the application of computers to administrative information processing began in 1954 [DaOl85], computers have become a key instrument in the development of information processing. The rapid development of information technology (IT) has helped to firmly establish the general attitude that information systems¹ are a powerful instrument for solving problems.
An information system (IS) is an organized set of components for collecting, transmitting, storing, and processing data in order to deliver information for action [Zw97]. It supports operations, management, and knowledge work in organizations. The use of information systems has increased due to economic and social issues.
Footnote 1: In this thesis, we use the term information systems to represent computer-based information systems.
The functions of information systems include services which provide value to users or to other services via messages, which carry a meaning to users or services. Also, as IT becomes more sophisticated, the availability of these services and messages in organizations grows and spreads. The availability of IT shifts people from conducting business and communication in traditional ways to electronic ways. For example, people are able to access and manage their own bank account via online banking anytime and anywhere electronically, rather than through physical banking, in which people have to wait in queues and undergo long verification processes in order to obtain services. In addition, organizations issue electronic bills (e-bills) instead of paper bills in order to reduce the costs of paper bill delivery.
Recently, the use of information systems has attracted attention due to its high growth rate. An IDC (International Data Company) [L08] study in 2007 noted that Internet banking in China had increased by 25.4% from the previous year and mobile banking by 19.3%. The IDC study predicted that the online banking and mobile banking markets from 2008 to 2012 would increase rapidly, with respective compound annual growth rates of 23.1% and 24.9%. Also, a WinterGreen Research and Markets [CuEu08] forecast analysis indicates that the use of electronic medical record (EMR) systems is anticipated to increase to a rate of 63% by 2013.
The rapid growth of information systems is not surprising. Compared to traditional information systems, electronic information systems offer improved efficiency, process control, services and information processing [DaOl85, GoGo96, Zw97].
1.2. Sensitive Information
The use of electronic information in organizations has raised problems. The importance of information protection reaches the corporate boardroom, because failure to protect electronic information assets may result in lost customer and investor confidence. According to Parker [Pa98], information that has strategic value in organizations should be protected. This includes market-sensitive proprietary information, financial information, trade secrets, medical information, military information and human resources information. This information needs to be treated as sensitive information², that is, it needs to be recognized as information or knowledge that might result in loss of an advantage or level of security if disclosed to others [Pu07].
According to the U.S. government [Nc03], sensitive information is categorized into two classifications (shown in Table 1.1): non-classified and classified.
Table 1.1. Sensitive Information Levels of Classification in the U.S.
Sensitive (level) | Consequence of disclosure
Nonclassified:
  Private Info | unauthorized disclosure could have a negative effect on its owner
  Confidential Business Info | public disclosure may harm a business
Classified:
  Restricted | public disclosure could have undesirable effects or do some harm
  Confidential | unauthorized disclosure could damage national security
  Secret | unauthorized disclosure could seriously damage national security
  Top Secret | unauthorized disclosure could severely damage national security
  Ultra Secret | unauthorized disclosure could existentially damage national security, international stability or wartime advantage
Footnote 2: In this thesis, sensitive information refers to digital critical information.
As argued by the U.S. government, loss, misuse, modification or unauthorized access to sensitive information can adversely affect the privacy of an individual, the trade secrets of a business or even the security and internal and foreign affairs of a nation, depending on the level of sensitivity and the nature of the information [Nc03].
1.2.1. Characteristics of Sensitive Information
Sensitive information has four primary characteristics [Pa98] that enable its comprehension:
Kind: the type of information; for example, knowledge, descriptive, instructive, expository, factual, fictional, monetary, artistic, accounting or another type.
Representation: the presentation of information; for example, in graphic images, coded symbols (digital text such as Unicode or ASCII code), digital sounds or videos.
Form: the structure of information; for example, its style, language, syntax, encoding (encryption with a secret key), format and size.
Medium: the physical manifestation of information; for example, electromagnetic pulses in space (radio waves) or electronic switches in computers (digital signals).
In addition, sensitive information has a number of other characteristics³ [LaBrHa85, Pa98, SoCh05] that help us determine the need for security.
Authenticity refers to the truthfulness of origins, attributions, commitments, sincerity, devotion, and intentions.
Footnote 3: We hold over the other important characteristics, based on the CIA Triad [Pe08] (confidentiality, integrity and availability), the Parkerian hexad [Pa98] and DoD [LaBrHa85], for later discussion. The Parkerian hexad adds three attributes to the three classic security attributes: utility, possession or authority, and authenticity; DoD adds the non-repudiation attribute to the CIA Triad.
Confidentiality ensures that information is accessible only to those authorized to have access.
Possession (authority) refers to the ownership or control of information.
Integrity refers to the validity, trustworthiness and dependability of information.
Utility refers to the usefulness of information.
Non-repudiation refers to the undeniability of the actions that entities perform on sensitive information.
Availability refers to having timely access to information.
1.2.2. Protection of Sensitive Information
The Committee on National Security Systems [Cn92] in the USA defines information security as the protection of information systems against unauthorized access to or modification of information, whether in storage, processing, or transit, and against the denial of service to authorized users or the provision of service to unauthorized users, including those measures necessary to detect, document, and counter such threats. In this sense, sensitive information is at risk, as every sensitive information breach impacts organizations negatively. Protecting sensitive data is a growing concern for organizations around the globe because of its financial implications; however, data security is also necessitated by stringent industry and government regulations.
Sensitive information requires three types of safeguards. In addition to technical safeguards, to be secure, sensitive information also needs administrative safeguards. This is because, regardless of the technology used to lock or secure sensitive information, the way people work with one another and with information ultimately has the greatest impact on security. Finally, physical safeguards need to be considered.
Technical safeguards address topics such as authentication of users, audit logs, data integrity checks, and transmission security (encryption), while administrative safeguards address organizational controls such as policies and procedures, risk analysis and training. Physical safeguards cover issues such as access to buildings and workstations (locks and keys), disposal of computers and hard drives, and data backup and storage requirements. Technical safeguards have become the focus of research for sensitive information protection due to the increasing maturity of administrative and physical safeguards.
1.3. Security and Limitations of Sensitive Information Systems
The major reason behind sensitive information systems' (SIS) lack of security is the inherent nature of IS, which requires information to be collected, processed, transmitted and stored in order to deliver information for action. If information were static and stationary, security would be less of an issue. The major processes involved in retrieving sensitive information, and the security threats and concerns in SIS, are detailed in the following sections.
1.3.1. Retrieving Sensitive Information
To describe the retrieval process, we use a simple and generic architecture as shown in Figure 1.1. First of all, before the retrieval process can be initiated, it is necessary to transform sensitive information into a logical view, which shows how the information is structured and organized. Once the logical view of the sensitive information is defined, the information manager can build an index of the sensitive information.
With the sensitive information indexed, the retrieval process can be initiated. The major components involved in the process are the communication channel, the user interface and sensitive information storage. Firstly, a legal user specifies a user need via a user interface, and the need is then processed to obtain the sensitive information from sensitive information storage through a communication channel.
Figure 1.1. The Architecture of a Generic Sensitive Information System.
1.3.2. Security Threats and Concerns of SIS
The three major components involved in the action of data retrieval - communication channel, user interface and sensitive information storage - are all potential targets for adversaries wanting to benefit from security weaknesses. According to [ClW87, Pa98, SoCh05], security threats and concerns are raised against the key aspects⁴ of sensitive information, as shown in Table 1.2.
Table 1.2. Sensitive Information Vulnerabilities.
Characteristic | Target | Vulnerability
Authenticity | user interface | impersonation, guessing, spoofing
Confidentiality | communication channel; information storage | eavesdropping, intercepting
Possession | information storage | session hijacking
Integrity | communication channel; information storage | falsification, forgery
Utility | information storage | property damaging⁵
Footnote 4: Key aspects refer to characteristics of sensitive information.
Footnote 5: Property damaging means accidentally losing the encryption key for the only (encrypted) copy of valuable information.
As reported in [We05], the British hacker Gary McKinnon caused nearly US $1 million in damage by breaking into US Navy, US Army, NASA and Pentagon systems. Also, according to [Id08], US $3.2 billion was lost as a result of internet identity theft in 2007 in the United States alone. With Asia's online population rapidly increasing, the global figure could easily be twice that in just a matter of years. These figures indicate the vulnerability of SIS.
The U.S. Department of Defense Science Board has issued a report, Information Management for Net-Centric Operations [Ds07]. This report stresses the need for extraordinary effort on information systems security, because the threat to information systems will continue to evolve as globalization and the information revolution force changes in structure and technology. The report goes on to state that while the network approach and strategy enable new paradigms for sharing and using information, this capability also has the potential to significantly increase the nation's vulnerability to internal and external threats. It recommends an increase in current funding, funding for information systems over future years in defense programs, and that the programs focus on information assurance for the entire enterprise.
1.4. Motivations of the Thesis
With the development of network technology, the use of the Internet has pervaded everyday life. It is used for many services such as file transfers, internet payments, and viewing electronic documents. Meanwhile, the proliferation of electronically accessible information has led to research and development in information systems to help users search for, fetch and share relevant and meaningful information.
The concept of information is closely related to notions of constraint, communication, control, data, form, instruction, knowledge, meaning, mental stimulus, pattern, perception, and representation. The concept has been developed rapidly in open network systems, typified by the Internet, to provide sufficient convenience for users, especially for group users managing information for sharing, exchanging and using. Advancement in information systems promises dramatic leaps forward in our daily life, especially in stock markets, financial institutions, and medical centres. For example, medical centres employ electronic medical record systems to share patients' records from other hospitals in order to diagnose patients rapidly, and financial advisors can respond quickly to fluctuating stock markets by adopting information systems.
Utilising these emerging technologies, however, is not without problems. People start worrying about their sensitive information when it is transmitted through open networks; managers begin worrying about using forged information for business plans; and corporations worry about customer and investor confidence if they fail to protect sensitive information. Protecting sensitive information has consequently become a top priority for organisations of all sizes. Despite this priority, the majority of existing electronic information systems [BaF01, BhDe98, HoChWa07, MeIlKa00] focus on performance and precision of data retrieval and information management. A number of techniques are employed to protect information systems; however, in many cases, these techniques are proving inadequate. For example, while several information systems [BeIsKu99, CaMSt99, GeGoMa98, GeIsKu00] use add-on security features to provide information confidentiality (which allow users to share information from a data medium while
keeping their channel private), these security measures are insufficient. As Bard [Ba04] states, the private communication channel is breakable because of the long-term shared identical cryptographic keys. Also, with the shared identical keys, adversaries can break the security of information systems via eavesdropping or interception.
Alternatively, cryptographic techniques are employed to protect sensitive information storage rather than to establish private communication channels. These information systems [Bo07, Hs08, Na05] depend on a long-term shared key to encipher all critical information at rest (sensitive information storage). For example, IBM employs symmetric keys in z/OS to protect sensitive information documents, and uses public keys to wrap and unwrap the symmetric data keys used to encrypt the documents. With this technique, IBM claims that many documents can be generated using different encryption keys [Bo07]. Similar mechanisms are also used for Oracle Database [Na05] and Microsoft SQL Server [Hs08], which conduct critical information protection via long-term shared keys. The security of the IBM mechanism relies on public key infrastructure; if the public key pairs are disclosed, no matter how many different encryption keys are used to protect information, the whole information system will be compromised. In addition, the security of the Oracle and Microsoft mechanisms depends on a long-term database master key; the sensitive information may be revealed if the database systems are breached.
Securing the user interface to prevent unauthorized access to information systems is another approach to protecting sensitive information in organizations. This form of security uses measures such as security tokens, passwords or biometric identifiers. Kerberos is a representative authentication protocol which allows individuals communicating over a non-secure network to prove their identity to one another in a
secure manner. In the original design of Kerberos, session key exchange used long-term shared keys. Although researchers [Er03, HaMe01, SCh97] proposed the use of public key cryptography to enhance security for key exchange and authentication, the long-term shared key is still a limitation of Kerberos-based information systems [KoNeTs94]. In 2008, Cervesato et al. [CeJaSc08] pointed out that a man-in-the-middle attack can breach Kerberos-based information systems.
The existing approaches all have a common limitation: the employment of long-term shared keys or public keys. Among symmetric key encryption algorithms, only the one-time pad can be proven [Sh49] to be secure against any adversary, regardless of the amount of computing power available. Also, there is no asymmetric scheme with the one-time pad property, since all asymmetric schemes are susceptible to brute-force key search attacks [Ka67]. Therefore, once the keys are exposed, the protected SIS will be compromised.
In addition to the above security threats and concerns relating to the communication channel, user interface and sensitive information storage, the ownership of sensitive information presents another security concern. This concern evolves from simple organizational structure. A traditional approach to managing information ownership is to use access control [FeKuCh03]. However, this approach does not allow for dynamic ownership, whereby the owner of the information is likely to change while the security characteristics of the information must be maintained.
The limitations of existing security measures can be summarised as follows:
- No proper authentication and authorization mechanisms to conduct dynamic membership of groups and individuals to share or access sensitive information.
- No prevention of legal users accessing unauthorized sensitive information in the face of internal security threats.
- No proper critical information storage protection mechanism which thwarts security threats arising from compromised credentials of information systems.
- No handling of dynamic information ownership.
The above limitations in the existing body of knowledge motivate our research, in order to eradicate these weaknesses and develop an appropriate security architecture for SIS.
1.5. Objectives of the Thesis
This research aims to investigate the major security issues in current information systems, analyze these problems and then develop a novel generic security architecture for SIS. The objectives of this thesis are:
- To develop a general security architecture for various kinds of SIS. This architecture consists of a number of components to protect sensitive information. It defines characteristics and interactions among engaging entities.
- To develop a sensitive information security model to evaluate the security architecture of SIS.
- To design practical and secure authentication and authorization protocols⁶ for individuals and group users to share sensitive information. The proposed protocols discard the use of long-term shared keys to achieve high security and tight access control.
Footnote 6: It achieves security by confirming provenance and identity.
- To develop a new group key management component to handle dynamic information ownership and make sensitive information sharing more flexible and secure⁷.
- To develop a key generation management component to manage and deliver cryptographic keys for engaging components and users. This component defines key security properties to ensure that minimum security requirements are satisfied.
- To develop a new sensitive information management component for data storage⁸. This component protects sensitive information when information storage is compromised.
- To perform formal security analysis to illustrate that each proposed component has better security than existing approaches, and to evaluate the architecture using the proposed information security model.
Footnote 7: It guarantees security of communication.
Footnote 8: It safeguards sensitive information storage.
1.6. Organization of the Thesis and Contributions
This section provides an overview of the research presented in the following five chapters. Figure 1.2 provides a diagrammatic overview of the thesis structure. The key contributions made by each chapter are described in Section 1.6.1.
Chapter 2 provides a critical analysis of previous research on sensitive information protection used in SIS. Two main bodies of research are identified and reviewed: (i) security protections of the three major components in the process of sensitive information retrieval are studied and reviewed; and (ii) information security models are
reviewed. Limitations in previous research on securing SIS motivate us to do more research in this thesis.
Figure 1.2. Overview of Thesis Structure.
Chapter 3 proposes a formal security architecture for SIS, and also proposes an information security model to evaluate the security architecture for SIS. The architecture includes four components to support the model's security, later formalized in Chapter 4.
Chapter 4 details the four components of the proposed secure architecture. In the first section, dynamic key theory is summarised and defined formally, and then the cryptographic properties of dynamic keys are discussed. Finally, we demonstrate how to apply dynamic keys to the other components (communication channel, user interface and sensitive information storage) in order to protect sensitive information.
In the second section, a new group key agreement is proposed which emphasizes the privacy of sensitive information owners. The agreement classifies group users into two categories to protect the privacy of sensitive information while reducing rekeying complexity. We provide a number of algorithms for group member joining and leaving. The agreement satisfies the security requirements of the proposed architecture.
In the third section, an authentication and authorization management component is introduced. The component conducts a suite of protocols to achieve high security and tight access control to protect the user interface. This component adopts the proposed dynamic key management model and the new group key agreement to manage information sharing security, and to achieve flexibility of authentication between groups and individuals.
In the fourth section, a sensitive information management component is proposed. This component integrates the dynamic keys of users or groups with sensitive information to protect sensitive information storage. It precludes legal users from accessing unauthorized information, and it also prevents information leakage when sensitive information storage is compromised.
Chapter 5 discusses the substantive findings from the previous chapters. The discussion offers: (i) formal security analysis of the four components; and (ii) the building and discussion of the proposed sensitive information security model.
Chapter 6 concludes the thesis by summarizing the main findings and contributions of the thesis. Limitations of the research and routes for further work are presented.
1.6.1. Contributions of the Thesis
This thesis makes a number of research contributions to the state of the art in sensitive information protection. These contributions are presented throughout the thesis, as follows:
- A novel security architecture and sensitive information security model for sensitive information is proposed in Chapter 3, and has been presented in Wu et al. [WuLeSr09].
- The formal description of dynamic key theory is tailored in Chapter 4, and the cryptographic properties of dynamic keys are given and proved [NgWuLe09a, WuNgLe09]. A dynamic key generation technique has been patented in Wu and Le [WuLe06].
- A user-oriented group key agreement [WuNgLe08b] is proposed in Chapter 4 in order to secure information sharing and protect the privacy of individuals [ChWaWu06, NgWuLe08a].
- A secure and flexible authentication and authorization management scheme [WuNgLe08a, WuNgLe09] is designed in Chapter 4 to provide proper authentication and access control among individuals and groups [NgWuLe08b, NgWuLe09b].
- Integrating dynamic keys with sensitive information [WuLeSr08] is introduced in Chapter 4 to enhance the security of sensitive information storage.
As a result of these developments, we claim that the proposed security architecture for SIS protects the communication channel, the user interface and sensitive information storage. The architecture provides strong authentication and authorization mechanisms to conduct dynamic membership of groups and individuals to share or access sensitive
information. It also prevents legal users from accessing unauthorized sensitive information, countering internal security threats. The architecture achieves strong protection for sensitive information storage in order to overcome security threats that compromise the credentials of information systems. Furthermore, it is able to handle dynamic information ownership. Finally, the proposed architecture achieves privacy protection and includes a feature to detect and prevent intrusion.
Chapter 2
2. Security Issues of Sensitive Information Systems
Goals. This chapter contains reviews of existing approaches, main issues and concepts relating to sensitive information protection. Following the process of sensitive information retrieval, we divide the study into three related areas: the protection of the communication channel, the user interface and sensitive information storage. We argue that the security threats and concerns of existing approaches in sensitive information systems stem from long-term shared identical cryptographic keys and public keys. Also, no complete security architecture exists to help protect sensitive information in the retrieval process. Furthermore, the assessment properties of sensitive information security are studied; we argue that existing sensitive information security models lack the assessment properties needed to evaluate a security architecture, and that they fail to address privacy concerns.
In Section 2.1, cryptographic systems (symmetric cryptography in Section 2.1.1 and asymmetric cryptography in Section 2.1.2) are reviewed primarily to help understand the following discussion. In Section 2.2, existing approaches for protecting the communication channel (unicast channel in Section 2.2.1 and multicast channel in Section 2.2.2) are discussed to find security threats. In Section 2.3, authentication
factors (knowledge in Section 2.3.1, possession in Section 2.3.2 and property in Section 2.3.3) in securing the user interface are reviewed to identify the weaknesses of existing approaches. In Section 2.4, existing cryptographic techniques (disk encryption in Section 2.4.1 and database encryption in Section 2.4.2) for protecting sensitive information storage are discussed to identify the problems of protecting sensitive information at rest (sensitive information at rest, or sensitive information storage, refers to all data in computer storage, excluding data that is traversing a network or temporarily residing in computer memory to be read or updated [Bu06]). In Section 2.5, information security models are studied to determine their insufficiency for sensitive information security. Finally, in Section 2.6, we conclude this chapter.

2.1. Cryptographic Systems
Since the early stages of human civilization, there has been a need to protect sensitive information from falling into the wrong hands. To achieve such secrecy, mankind has relied on a branch of mathematics known as cryptography, which is the study of designing methods to securely transmit information over non-secure channels [BrFo05]. One of the most important aspects of any cryptographic system is key management. Therefore, cryptographic key management is reviewed in this section. According to RFC 2828 [Sh00], key management refers to the process of handling and controlling cryptographic keys and related material (such as initialization values) during their life cycle in a cryptographic system, including ordering, generating, distributing, storing, loading, escrowing, archiving, auditing, and destroying the
material. As such, cryptographic keys and related material are the important elements in key management. Keys are classified as symmetric and asymmetric.

2.1.1. Symmetric Cryptography
A symmetric key is a single cryptographic key (known as a secret key) that represents a shared secret between sender and recipient. The key can be used to secure communication or to derive other keys. According to the National Institute of Standards and Technology (NIST, which publishes the Federal Information Processing Standards (FIPS) and the NIST Recommendations that specify cryptographic techniques for protecting sensitive unclassified information) [BaBaBu06], symmetric keys are catalogued into different types; only those used in this thesis are listed below:
- Master keys (long-term shared keys or static keys): a master key is used to derive other symmetric keys using symmetric cryptographic methods. A master key can be used over a longer period of time to derive (or re-derive) multiple keys for the same or different purposes.
- Session keys (ephemeral keys): a session key is a single-use symmetric key used for encrypting all messages in one communication session. Normally, it involves key negotiation and distribution.
- One-time pad keys (OTP keys): an OTP key is a single-use symmetric key (pad) as long as the plaintext and used only once. It has no practical real-world implementation.
- Key wrapping keys (key encryption keys): a key wrapping key is used to wrap (that is, encrypt) keying material that is to be protected, and may be used to protect multiple sets of keying material. The protected keying material is then transmitted or stored, or both.
- Authentication keys (tokens, credentials): an authentication key is used with symmetric key algorithms to provide assurance of the integrity and source of messages, communication sessions or stored data.
- Dynamic keys (one-time keys): dynamic keys are used once and then discarded, either to authenticate or to encrypt a message. (This category is the thesis's own; it is not one of the NIST key types.)

Security Comparison of Symmetric Cryptographic Keys
Among the defined symmetric keys, key wrapping keys and authentication keys can be master keys, session keys or dynamic keys. We therefore compare long-term shared, session, one-time pad and dynamic keys. The comparison is presented in Table 2.1. The comparison criteria are selected based on Forouzan and Fegan [FoFe03].

Table 2.1. Symmetric Keys Comparison.
Criterion      | Long-term keys | Session keys | One-time pad (no real-world implementation) | Dynamic keys
Lifetime       | indefinite     | session      | once                                         | once
Distribution   | public key     | hybrid       | physical                                     | public key
Sync           | no             | no           | yes                                          | yes
Storage        | one            | zero         | indefinite                                   | one
Security       | low            | moderate     | high                                         | high

Key Lifetime refers to the length of time the key can be used for encryption. The lifetime of long-term shared keys is indefinite, since the lifetime depends on the security policy and key size. Session keys, used for securing all messages in one communication session, are also called ephemeral keys. Their lifetimes are shorter than those of long-term shared keys. The one-time pad and dynamic keys are used only once.
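The Sync and Storage rows of Table 2.1 can be made concrete with a small script. The following is an added example, not the thesis's dynamic key scheme (which is patented in [WuLe06] and defined in Chapter 4) but a hypothetical counter-based construction written for this page: each one-time key is derived from a single stored secret and a counter, so each side stores one secret (Storage = one); the receiver has to track the sender's counter (Sync = yes) and searches a small window forward to resynchronise after lost messages, while refusing to search backwards so that no key is ever accepted twice. HMAC-SHA256 stands in for the key derivation function, and the shared secret and messages are constructed.

```python
import hashlib
import hmac

TAG_LEN = 32
WINDOW = 8  # how many lost messages the receiver can skip before losing sync


def dynamic_key(secret: bytes, counter: int) -> bytes:
    """Key number `counter` of the sequence. Derived on demand, never stored.
    HMAC-SHA256 is an assumed stand-in for a real key derivation function."""
    return hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()


def tag(key: bytes, message: bytes) -> bytes:
    """Authenticate one message under one dynamic key."""
    return hmac.new(key, message, hashlib.sha256).digest()


class Sender:
    """Stores one secret and a counter (Storage = one); keys are never kept."""

    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0

    def send(self, message: bytes) -> bytes:
        key = dynamic_key(self.secret, self.counter)
        self.counter += 1  # the key is used once and then forgotten
        return message + tag(key, message)


class Receiver:
    """Must stay synchronised with the sender's counter (Sync = yes)."""

    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0

    def receive(self, packet: bytes):
        """Return the message if it carries a valid, not-yet-used key; else None."""
        message, received_tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        # Search forward over a window so lost packets do not desynchronise the
        # two sides; never search backwards, so every key is accepted at most once.
        for n in range(self.counter, self.counter + WINDOW):
            expected = tag(dynamic_key(self.secret, n), message)
            if hmac.compare_digest(received_tag, expected):
                self.counter = n + 1  # resynchronise past any lost messages
                return message
        return None  # replay, forgery, or more than WINDOW messages lost


def demo() -> dict:
    """Constructed run: one loss, one replay, one late arrival, one forgery."""
    secret = bytes.fromhex("00" * 31 + "2a")  # constructed shared secret
    alice, bob = Sender(secret), Receiver(secret)
    packets = [alice.send(m) for m in (b"msg 0", b"msg 1", b"msg 2", b"msg 3")]
    forged = b"msg 3" + tag(dynamic_key(secret, 0), b"msg 3")  # stale key 0
    return {
        "in_order": bob.receive(packets[0]),      # accepted
        "after_loss": bob.receive(packets[2]),    # packet 1 lost; resynchronised
        "replay": bob.receive(packets[0]),        # key 0 already consumed
        "late_arrival": bob.receive(packets[1]),  # key 1 skipped, now rejected
        "forged_with_old_key": bob.receive(forged),
        "next": bob.receive(packets[3]),          # accepted
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>20}: {result}")
```

The window is the price of synchronisation: a burst of more than WINDOW lost messages leaves the receiver unable to accept anything further until the two sides re-share state, which is the "unless network failure occurs" caveat of the Key Synchronization discussion.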
Among cryptographic keys, therefore, the one-time pad and dynamic keys have the smallest lifetime.
Key Distribution refers to the process of exchanging shared secrets for encryption. Strictly, long-term keys and the secrets behind dynamic keys employ public key cryptography to exchange secrets in order to overcome the symmetric key distribution problem. Session keys can be distributed by using a shared long-term key or a public key at the start of every communication session. A one-time pad is normally exchanged via physical devices. Distributing very long one-time pad keys is inconvenient and usually poses a significant security risk. The pad is essentially the encryption key but, unlike keys for modern ciphers, it must be extremely long and is consequently difficult for humans to remember. Theoretically, the more frequently keys are exchanged, the more secure they are, because the adversary has less ciphertext to work with for any given key. On the other hand, the distribution of keys delays the start of any exchange and places a burden on network capacity. Therefore, long-term keys and dynamic keys have advantages over the others in key distribution. Nevertheless, in terms of security, dynamic keys, unlike long-term keys, are used only once and do not involve repeated key distribution (only one initial secret sharing). Dynamic keys are consequently more secure than long-term keys.
Key Synchronization refers to the process of ensuring that the key for encryption is the same for the two involved entities. Because long-term keys are shared and session keys are distributed for each transaction, these do not need key synchronization. However, for one-time pad keys and dynamic keys, both entities need to synchronize the key in order to communicate. In this regard, one-time pad keys
and dynamic keys are less convenient. Conversely, they do not need to exchange keys before each transaction unless a network failure occurs.
Key Storage is a measure of the space consumed by storing keys. Long-term keys need only one key per entity. By the nature of dynamic keys, which are used only once and generated from a form of shared secret, they also require storage for only one key. Session keys are exchanged at the beginning of each transaction, so there is no need to store any session key. One-time pad keys require an unbounded amount of storage, because all the keys are stored in advance and the number of keys depends on the security policy.
The above comparison of the security of symmetric keys informally shows that dynamic keys have advantages over the other cryptographic keys in terms of key lifetime, key distribution and key storage, which provide higher security.

Symmetric Cryptography Overview
Historically, the first people to clearly understand the principles of cryptography and to elucidate the beginnings of cryptanalysis were the Arabs [Ka67]. The Arabs studied the art of unscrambling secret messages without knowledge of the secret key. The first modern symmetric key system, invented at the IBM Watson Research Lab in the late 1960s and early 1970s under the leadership of Horst Feistel, is known as the Feistel cipher [Fe73]. Later, a modified version of the cipher originally known as Lucifer was published by the National Bureau of Standards (NBS, now NIST) and became the United States Data Encryption Standard (DES) [Nib88, Nib93]. DES remained in use for more than twenty years and offered reasonable security, but its 56-bit key is short, and it is nowadays possible in certain cases to conduct a brute-force attack on the entire key
space. Biham and Shamir [BiSh93] report the first theoretical attack on DES with less complexity than brute force (differential cryptanalysis), and Matsui [Ma94] demonstrates the first experimental cryptanalysis of DES using linear cryptanalysis. After that, DES was extended into Triple DES (TDES) [Nib99] to enhance its security. TDES was believed to be practically secure, although there were theoretical attacks [Bi96, Lu98a]. In recent years, TDES has been superseded by the Advanced Encryption Standard (AES), which was developed by Joan Daemen and Vincent Rijmen [DaRi02, Nib01]. The standard uses the Rijndael block cipher and specifies the key and block sizes that must be used. It has been analyzed extensively and is now used worldwide. It is fast in both software and hardware [ScWhWa00] and uses less memory. As a new encryption standard, it is currently being deployed on a large scale. However, despite its acceptance, a theoretical attack was announced by Nicolas Courtois and Josef Pieprzyk to indicate a potential weakness in the AES system [CoPi02]. The first successful attacks against AES implementations were side-channel attacks [OsShTr06], which recover the key from cache-timing leakage of the implementation rather than from any weakness of the cipher itself. No symmetric cipher other than the one-time pad can be proven secure against an unbounded adversary: Shannon showed mathematically that among symmetric key encryption algorithms only the one-time pad is information-theoretically secure [Sh49]. Moreover, one of the most important drawbacks of symmetric cryptography is key distribution [Sa03].

2.1.2. Asymmetric Cryptography
An asymmetric key pair consists of two mathematically related keys, commonly referred to as the public key and the private key. The public key and the private key are a matched set. According to NIST, the following asymmetric key types are given:
- Private key: a cryptographic key, used with a public key cryptographic algorithm, that is uniquely associated with an entity and is not made public. In an asymmetric (public key) cryptosystem, the private key is associated with a public key. Depending on the algorithm, the private key may be used to: compute the corresponding public key; compute a digital signature that may be verified by the corresponding public key; decrypt data that was encrypted by the corresponding public key; or compute a piece of common shared data, together with other information.
- Public key: a cryptographic key, used with a public key cryptographic algorithm, that is uniquely associated with an entity and that may be made public. In an asymmetric (public key) cryptosystem, the public key is associated with a private key. The public key may be known by anyone and, depending on the algorithm, may be used to: verify a digital signature that is signed by the corresponding private key; encrypt data that can be decrypted by the corresponding private key; or compute a piece of shared data.

Asymmetric Cryptography Overview
To put it in historical perspective, asymmetric key systems were invented in the 1970s. The first invention of asymmetric key algorithms was by James H.
Ellis, Clifford Cocks and Malcolm Williamson at GCHQ (Government Communications Headquarters, the British intelligence agency responsible for providing signals intelligence (SIGINT) and information assurance to the UK government) in the United Kingdom; their work remained classified until 1997. The United States National Security Agency (NSA) also claims the first contribution to asymmetric key systems. The concept of asymmetric cryptography was published openly by Diffie, Hellman and Merkle (DH) [DiHe76b, He78]. Asymmetric cryptography does not provide "perfect secrecy" in the Shannon sense. However, from a practical point of view, it solves the key distribution problem of symmetric key systems. In the early days of public key systems, Merkle invented a public key algorithm called the Knapsack algorithm, and his PhD thesis [Me79] influenced future public key systems. Rivest, Shamir and Adleman [RiShAd78] at MIT invented RSA in 1977. RSA was the first algorithm known to be suitable for signing as well as encryption. It was believed to be secure given sufficiently long keys and the use of an up-to-date implementation. However, although RSA is widely used in electronic commerce protocols, Peter Shor has shown that Shor's algorithm, run on a sufficiently large quantum computer, could break RSA. Other researchers [Bo99, Co97, Wi90] have also reported attacks on RSA that succeed when its keys or parameters are poorly chosen (for example, short keys or a small private exponent). Another direction for public key systems was suggested by Koblitz [Ko87] and Miller [Mi86], based on the algebraic structure of elliptic curves over finite fields and known as elliptic curve cryptography (ECC). Although no mathematical proof of difficulty has been published for ECC, the U.S. NSA has endorsed ECC as a recommended algorithm and allows its use for the protection of sensitive information up to the Top Secret category with 384-bit keys. Lenstra and Verheul's [LeVe01] study indicates that a 160-bit ECC key provides the same security as a 1024-bit RSA key.
While it would appear that the security of ECC is stronger than that of Diffie-Hellman and RSA, ECC is still in its infancy and has not undergone the kind of testing that has been applied to RSA and DH. A number of researchers [LaMo08, WiZu98] have proposed theoretical means of breaking ECC. As Kahn [Ka67] states, all asymmetric schemes are susceptible to brute-force key search attack.

2.1.3. Summary
In Section 2.1, cryptographic keys and the historical background of cryptographic systems were explored. The following findings can be presented:
- Among all symmetric cryptographic keys, dynamic keys provide stronger security than the others, compared with long-term, session and one-time pad keys.
- Symmetric keys involve key distribution, which might compromise the security of cryptographic systems.
- Asymmetric cryptography is relatively computationally costly compared with symmetric cryptography.
- Asymmetric cryptography is susceptible to brute-force key search attacks.
This section has primarily reviewed cryptographic systems to help understand the cryptographic approaches to sensitive information protection. In the next three sections we explain the employment of cryptographic systems in securing the communication channel, the user interface and sensitive information storage.

2.2. Securing Communication Channel
In cryptography, a confidential channel is a way of transferring data that is resistant to interception but not necessarily resistant to tampering. Conversely, an authentic channel is a way of transferring data that is resistant to tampering but not necessarily
resistant to interception [TiKh92]. Resistance to interception and resistance to tampering are therefore the two properties to be built into a communication channel. In order to reach the interception-resistance goal, all communication is scrambled into ciphertext with a predetermined key known to both entities, to prevent an eavesdropper from obtaining any useful information. In order to achieve the tampering-resistance goal, each message in a communication is assembled with a credential such as an integrity check, to prevent an adversary from tampering with the message. In this section, the different approaches to securing the communication channel are investigated and their pros and cons are evaluated. The investigation is conducted by subdividing the communication channel into unicast and multicast channels.

2.2.1. Secure Communication in Unicast Channels
With the recent development of modern security tools to secure bidirectional communication between two entities, many protocols, such as Internet Protocol Security (IPsec) [At95], SEED [LeLeYo05] (a Feistel-network cipher developed by the Korean Information Security Agency and used broadly throughout South Korean industry to replace 40-bit SSL), Secure Sockets Layer (SSL), Transport Layer Security (TLS) [DiRe08, FrKaKo96] and Secure Real-time Transport Protocol (SRTP) [LeNaNo07, OrMcBa04], have been proposed in the literature to address the problems and challenges of a secure unicast communication channel. One of the most important factors in unicast communication channel protection is the cryptographic key. The issues of key distribution and key type therefore determine the security of the unicast communication channel.
IPsec and SSL/TLS are the most famous, secure and widely deployed of all the protocols for protecting data over insecure networks. In addition, SRTP is a newly proposed protocol for securing multimedia forms of sensitive information. SRTP provides encryption, message authentication and integrity, and replay protection for both unicast and multicast channels. We therefore investigate the use of the cryptographic key in IPsec, SSL/TLS and SRTP in the next section.

IPsec
IPsec is a suite of protocols for protecting communications over Internet Protocol (IP) networks through the use of cryptographic security services. It supports network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption) and replay protection. IPsec uses the following protocols to perform its various functions [Ho05, ThDoGl98]:
- Internet Key Exchange (IKE and IKEv2) to set up a Security Association (SA) by handling the negotiation of protocols and algorithms, and to generate the encryption and authentication keys to be used by IPsec.
- Authentication Header (AH) to provide connectionless integrity and data origin authentication for IP datagrams, and to provide protection against replay attacks.
- Encapsulating Security Payload (ESP) to provide confidentiality, data integrity and data origin authentication of IP packets, and also to provide protection against replay attacks.
The difference between AH and ESP is that an ESP packet includes enciphered data and authentication information, whereas an AH packet includes only authentication information (its payload is sent in the clear). This is illustrated in Figure 2.1. The encryption algorithms used with ESP can be DES, TDES or AES.
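As an added example (not the thesis's own code and not any real IPsec implementation), the following Python script walks through how the IKE-derived keys feed an ESP-style packet. It simulates the three-message Quick Mode exchange that this section describes further on, with both the Initiator and the Responder deriving $K_{Session}$ from the derivation key $K_d$ and the two nonces, protects a packet with the result, and then shows the consequence the section argues: an attacker who later obtains the Phase I secrets ($K_e$, $K_d$) and has recorded the exchange recovers the session key and reads the traffic. It assumes HMAC-SHA256 as the prf and an HMAC-derived keystream in place of the real block cipher; the secrets, nonces, SA identifier and payload are constructed, and the ISAKMP header is omitted.

```python
import hashlib
import hmac
import os

SA_LEN, NONCE_LEN, TAG_LEN = 8, 16, 32  # fixed field sizes: messages parse by offset


def prf(key: bytes, *parts: bytes) -> bytes:
    """The prf of the exchange, instantiated here as HMAC-SHA256 (an assumption)."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


def seal(k_e: bytes, label: bytes, data: bytes) -> bytes:
    """{data}_{K_e}: XOR with an HMAC-derived keystream. A stand-in for the
    ISAKMP/ESP block cipher (symmetric, so seal() also unseals); it is not a
    real cipher mode and only makes the derived keys observable in use."""
    stream = b"".join(prf(k_e, label, n.to_bytes(4, "big"))
                      for n in range((len(data) + TAG_LEN - 1) // TAG_LEN))
    return bytes(a ^ b for a, b in zip(data, stream))


class Peer:
    """An IPsec endpoint holding the Phase I secrets K_d, K_a, K_e and a nonce."""

    def __init__(self, k_d: bytes, k_a: bytes, k_e: bytes, nonce: bytes):
        self.k_d, self.k_a, self.k_e, self.nonce = k_d, k_a, k_e, nonce

    def session_key(self, n_i: bytes, n_r: bytes) -> bytes:
        """K_Session = prf(K_d, N_I, N_R), as summarised in the section."""
        return prf(self.k_d, n_i, n_r)


def quick_mode(i: Peer, r: Peer, sa: bytes):
    """Run the three Quick Mode messages. Returns the ciphertexts an
    eavesdropper records plus the session key each side derived."""
    sa = sa.ljust(SA_LEN, b"\0")[:SA_LEN]
    # i)  I -> R : {SA, N_I, prf(K_a, SA, N_I)}_{K_e}
    m1 = seal(i.k_e, b"m1", sa + i.nonce + prf(i.k_a, sa, i.nonce))
    body = seal(r.k_e, b"m1", m1)
    sa_rx, n_i, tok = body[:SA_LEN], body[SA_LEN:SA_LEN + NONCE_LEN], body[SA_LEN + NONCE_LEN:]
    if not hmac.compare_digest(tok, prf(r.k_a, sa_rx, n_i)):
        raise ValueError("R: bad token in message i")
    # ii) R -> I : {SA, N_R, prf(K_a, SA, N_I, N_R)}_{K_e}
    m2 = seal(r.k_e, b"m2", sa_rx + r.nonce + prf(r.k_a, sa_rx, n_i, r.nonce))
    body = seal(i.k_e, b"m2", m2)
    n_r, tok = body[SA_LEN:SA_LEN + NONCE_LEN], body[SA_LEN + NONCE_LEN:]
    if not hmac.compare_digest(tok, prf(i.k_a, sa, i.nonce, n_r)):
        raise ValueError("I: bad token in message ii")
    # iii) I -> R : {prf(K_a, N_I, N_R)}_{K_e}
    m3 = seal(i.k_e, b"m3", prf(i.k_a, i.nonce, n_r))
    if not hmac.compare_digest(seal(r.k_e, b"m3", m3), prf(r.k_a, n_i, r.nonce)):
        raise ValueError("R: bad token in message iii")
    return [m1, m2, m3], i.session_key(i.nonce, n_r), r.session_key(n_i, r.nonce)


def esp_protect(k_session: bytes, seq: int, payload: bytes) -> bytes:
    """ESP-style protection: encrypt the payload under a key derived from
    K_Session, then authenticate header and ciphertext (encrypt-then-MAC)."""
    enc_key, auth_key = prf(k_session, b"encr"), prf(k_session, b"auth")
    header = seq.to_bytes(4, "big")  # sequence number, sent in the clear
    body = header + seal(enc_key, header, payload)
    return body + prf(auth_key, body)


def esp_open(k_session: bytes, packet: bytes) -> bytes:
    """Verify the integrity tag before decrypting; reject any tampering."""
    enc_key, auth_key = prf(k_session, b"encr"), prf(k_session, b"auth")
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    if not hmac.compare_digest(tag, prf(auth_key, body)):
        raise ValueError("ESP integrity check failed")
    return seal(enc_key, body[:4], body[4:])


def attacker_recovers(transcript, k_e: bytes, k_d: bytes, packet: bytes) -> bytes:
    """A later compromise of the Phase I SA (K_e, K_d) plus the recorded Quick
    Mode transcript yields the nonces, hence K_Session, hence the traffic."""
    n_i = seal(k_e, b"m1", transcript[0])[SA_LEN:SA_LEN + NONCE_LEN]
    n_r = seal(k_e, b"m2", transcript[1])[SA_LEN:SA_LEN + NONCE_LEN]
    return esp_open(prf(k_d, n_i, n_r), packet)


def demo():
    """Constructed Phase I secrets and nonces; real IKE derives them from the
    Phase I Diffie-Hellman exchange."""
    k_d, k_a, k_e = os.urandom(32), os.urandom(32), os.urandom(32)
    initiator = Peer(k_d, k_a, k_e, os.urandom(NONCE_LEN))
    responder = Peer(k_d, k_a, k_e, os.urandom(NONCE_LEN))
    transcript, k_i, k_r = quick_mode(initiator, responder, b"ESP-AES")
    packet = esp_protect(k_i, 1, b"patient record #42: constructed payload")
    received = esp_open(k_r, packet)
    leaked = attacker_recovers(transcript, k_e, k_d, packet)
    return k_i == k_r, received, leaked


if __name__ == "__main__":
    same_key, received, leaked = demo()
    print("peers agree on K_Session:", same_key)
    print("responder reads:", received)
    print("attacker with compromised SA reads:", leaked)
```

The same structure applies to the SSL/TLS master secret discussed later in this section: whatever is derived from a long-lived secret by a deterministic prf over values an eavesdropper can record is only as secret as that long-lived secret.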
Figure 2.1. The Comparison of ESP and AH Protected IP Packets.
IPsec uses the concept of a security association (SA) as the basis for building security functions into IP. An SA is the bundle of algorithms and parameters (such as keys) that is used to encrypt and authenticate a particular flow in one direction. Therefore, in normal bi-directional traffic, the flows are secured by a pair of SAs maintained in an SA database (SADB). Since the security provided by AH or ESP requires shared keys to perform authentication and/or confidentiality, the key distribution and key type partly determine the security of IPsec. As IPsec employs IKE or IKEv2 to set up a session secret (session key), the security of IKE bounds the security of IPsec. IKE and IKEv2 use a Diffie-Hellman (DH) key exchange to set up a shared session secret from which cryptographic keys are derived. Public key techniques or, alternatively, a pre-shared key are used to mutually authenticate the communicating parties. IKE/IKEv2 draws on the STS (Station to Station) [DiOoWi92], Oakley [Or98] and SKEME (Versatile Secure Key Exchange Mechanism for Internet) [Kr96] protocols. IKE/IKEv2 operates inside a framework defined by the Internet Security
Association and Key Management Protocol (ISAKMP) [MaScSc98], as ISAKMP provides a framework to authenticate, exchange keys and eventually establish security associations. IKE has a close relationship with ISAKMP, because ISAKMP is typically used with IKE for key exchange, although ISAKMP is designed to support many different key exchanges. Establishing an IPsec connection requires two phases:
i) Phase I, the parameter negotiation phase. It uses public key cryptography and runs a key management protocol to generate the initial shared SA, called the ISAKMP SA or Phase I SA. The secret keys in this SA are used with symmetric cryptography to protect the Phase II protocol in the key exchange phase.
ii) Phase II, the key exchange phase. Under the protection of the Phase I SA, it runs a key management protocol to generate further SAs, called Phase II SAs.
Both phases are used to protect communication between the communicating entities. Cryptographic keys play a key role in securing a unicast communication channel; hence, we further explore Phase II to show how the cryptographic key used to protect data traffic is exchanged. Suppose that after Phase I three secret keys ($K_d$, $K_a$ and $K_e$, used for deriving other keys, authenticating messages and encrypting messages respectively) are shared exclusively between the Initiator (I) and the Responder (R). The protocol, also called Quick Mode, is described as follows:
i) I wants to communicate securely with R. First, I generates a nonce $N_I$ and a token using the authentication key $K_a$, and sends to R:
$I \rightarrow R: \mathrm{HDR}, \{SA, N_I, prf(K_a, SA, N_I)\}_{K_e}$
where HDR represents the ISAKMP header, $\{\cdot\}_{K_e}$ denotes encryption under $K_e$, and $prf$ is a pseudorandom function (keyed hash function) [BeCaKr96].
ii) After receiving the message, R generates a nonce $N_R$ and a new token using the shared $K_a$, and sends to I:
$R \rightarrow I: \mathrm{HDR}, \{SA, N_R, prf(K_a, SA, N_I, N_R)\}_{K_e}$
iii) After I verifies the message in ii), a new token is generated and sent to R:
$I \rightarrow R: \mathrm{HDR}, \{prf(K_a, N_I, N_R)\}_{K_e}$
After these three messages, a shared session key $K_{Session} = prf(K_d, N_I, N_R)$ can be generated by both entities from the derivation key $K_d$ and the two nonces.
It is notable that in IPsec, communication is protected by session keys. However, the security of a session key is guaranteed by the long-term shared keys $K_d$, $K_a$ and $K_e$. Therefore, once the long-term keys (the Phase I SA) are compromised, all Quick Mode negotiations protected by that SA are disclosed, and the security of IPsec is under threat. As Perlman and Kaufman [PeKa01] indicated, IPsec is vulnerable to a dictionary attack when Phase I is authenticated with a pre-shared long-term key (in aggressive mode, the hash computed over the pre-shared key is sent before encryption is enabled), and Ornaghi and Valleri [OrVa03] demonstrated it at a BlackHat conference. Moreover, in IPsec Phase I, the long-term shared secrets (keys) feed into the key exchange protocol to generate session keys for Phase II. The thesis argues from information entropy [Gr90] that the uncertainty of key materials decreases when the use of the key
materials in generating session keys is frequent. This leads to the key materials (that is, the long-term shared keys) being exposed.

SSL/TLS
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide security and data integrity for unicast communications over insecure networks. The SSL protocol was originally developed by Netscape (Netscape Communications Corporation, a US computer services company best known for its web browser). When version 2.0 was released it contained a number of security flaws, which ultimately led to the design of SSL version 3.0. SSL 3.0 is the basis for TLS version 1.0 [Ka04]. Many leading financial institutions have endorsed SSL for commerce over the Internet, such as Visa (http://usa.visa.com/merchants/risk_management/online_transaction_safet.html), MasterCard (http://www.creditcardassist.com/mastercard/creditcards.html) and American Express (http://www.americanexpress.com/uk/legal/cs_security.shtml). The SSL protocol allows mutual authentication between two entities. It also allows both entities to establish an encrypted connection, which requires all information sent between the entities to be encrypted in order to provide a high degree of confidentiality. SSL uses a combination of asymmetric and symmetric cryptography: asymmetric keys are used to perform authentication and key exchange, and symmetric keys are used to secure the communication. SSL/TLS consists of the following protocols [DiRe08, FrKaKo96]:
- Handshake protocol, used to perform authentication and key exchange.
- Change cipher spec protocol, used to indicate that subsequent information will be protected under the agreed algorithms and keys.
- Alert protocol, used for signalling errors and session closure.
- Application data protocol, which transmits and receives the scrambled information.
As discussed in Section 2.1 (cryptographic systems), key exchange is important in determining the security of a protocol. Therefore, we study the handshake protocol of SSL/TLS in detail. When an SSL client (C) and server (S) first start communicating, they agree on a protocol version, select cryptographic algorithms, optionally authenticate each other, and use public key encryption techniques to generate shared secrets. These processes are performed in the handshake protocol, which can be summarized as follows. Suppose a pre-master secret, $K_{master}$, is generated by the client, encrypted under the public key of the server, and the result sent to the server. By employing asymmetric keys, the pre-master secret $K_{master}$ is thereby shared between the two entities for securing the following messages.
i) C sends a client hello message, to which S must respond with a server hello message. The client hello and server hello carry the following attributes: protocol version, session ID, cipher suite(s), compression method(s) and a random value. These hello messages carry no integrity check of their own; the integrity of the whole handshake is verified at its end by the finished messages, which carry a keyed hash over all preceding handshake messages. The two random values exchanged are the ClientHello random ($rnd_C$) and the ServerHello random ($rnd_S$).
ii) S sends its certificate to C, which C verifies against a certification authority (CA). Following the certificate, S may request the certificate of C. S then sends the server hello done message, indicating that the hello-message phase of the handshake is complete.
iii) After successful verification of the server's certificate, C sends its own certificate to S if one was requested.
iv) The client key exchange message is now sent; the content of that message depends on the public key algorithm selected between the client hello and the server hello (with RSA key exchange it carries the pre-master secret encrypted under the server's public key). If C sent a certificate, a certificate verify message, signed with C's private key over the handshake so far, follows.
v) Both sides send a change cipher spec message followed by a finished message. At this point the handshake is complete, and C and S may begin to exchange application layer data.
After the handshake protocol, a session key can be produced by both S and C by combining the master secret with the two random numbers:
$K_{session} = h(K_{master}, h(K_{master}, rnd_C, rnd_S))$
(In TLS the inner value is the master secret, computed as $PRF(K_{master}, \text{"master secret"}, rnd_C \| rnd_S)$, and the record-layer keys are expanded from it with the same PRF.)
It is observable that the pre-master secret $K_{master}$ is distributed by a public key system. As discussed in Section 2.1.2 (asymmetric cryptography), all asymmetric schemes are susceptible to brute-force key search attack, which makes $K_{master}$ vulnerable. In addition, all session keys are generated from $K_{master}$, and the protection against tampering with the SSL handshake protocol relies heavily on the secrecy of $K_{master}$. That the master secret remains truly secret is therefore important to the security of SSL/TLS. However, in the protocol design, the usage of $K_{master}$ spans multiple phases, such as certificate verify, finished and change cipher spec [WaSc96]. On top of the above concerns, earlier versions of the SSL protocol suffered from further flaws [MiBrLa02]: identical cryptographic keys were used for message authentication and encryption, and the handshake itself was unprotected, which meant that a man-in-the-middle downgrade attack could go undetected. Although the newer designs of SSL/TLS overcame these flaws, as [Ba04, WaSc96] state, an attacker can use
plaintext attacks to break SSL/TLS protocols due to the long-term shared identical cryptographic keys.

SRTP
SRTP, a profile of the Real-time Transport Protocol (RTP) [ScCaFr03] published in 2004, is a secure real-time protocol designed to protect sensitive information in the form of multimedia (such as video and voice). Its inventors claim that SRTP achieves high throughput and low packet expansion, and provides suitable protection for heterogeneous environments (a hybrid of wired and wireless networks). They also point out that IPsec or SSL/TLS could be used to protect RTP, but that these protocols lack dynamic allocation of sessions and do not address the need for an asymmetric cryptosystem. SRTP was developed to overcome these problems. Before using SRTP to exchange any media, cryptographic keys need to be exchanged. SRTP relies on an external key management protocol to set up the initial master key. Two protocols specifically designed to be used with SRTP are ZRTP (an Internet-Draft as of January 2009 [ZiJoCa09]) and MIKEY (released in 2004 [ArCaLi04]). Both provide the necessary keying material and the management mechanisms to maintain the security of multimedia sessions. SRTP uses two types of keys, session keys and master keys, to secure multimedia communications. The master keys and the other keying material in the cryptographic context are provided by key management protocols (ZRTP and MIKEY) external to SRTP. The session keys are derived in a cryptographically secure way from the master keys. SRTP therefore requires a native derivation algorithm to generate the session keys that secure the communication. The security of SRTP therefore relies on the security of the SRTP key
derivation algorithm and the master keys. Suppose the master key $K_{master}$ and the other keying material $K_{master\_salt}$ are secure in SRTP. The SRTP key derivation is illustrated in Figure 2.2.

Figure 2.2. SRTP Session Key Derivation.

SRTP uses a secure pseudorandom function to generate encryption ($K_{session\_encr}$), authentication ($K_{session\_auth}$) and salt ($K_{session\_salt}$) session keys from the master key and master salt. Session key derivation involves an 8-bit label (for example, the labels 0x00, 0x01 and 0x02 generate the encryption, authentication and salt session keys respectively), the master salt and other keying materials. If $x$ is formed from the label, the other keying materials and $K_{master\_salt}$, then the session keys are generated as $prf(K_{master}, x)$.

As [GuSh07] point out, the security of the stream-cipher-like encryption used in SRTP depends critically on the keystream never repeating. This is also emphasized several times in the specification [OrMcBa04]. Therefore, the master key and master salt must be unique in each session in order to produce unique session keys. But, according to the Gupta and Shmatikov study, if the attacker ever succeeds in tricking an SRTP session into re-using previously used key material, the master key will
repeat. Under these circumstances, the confidentiality of sensitive information in multimedia form will have been breached. In addition, as discussed for IPsec and SSL/TLS, the master key is involved in session key derivation. For multiple sessions with the same sender involved, the session key may repeat. An adversary may consequently be able to reveal other session contexts. Also, by capturing enough packets and applying cryptanalysis, the adversary is able to breach SRTP. In terms of information entropy, the uncertainty of the master key will reach zero as it is used to generate session keys, since it participates in session key derivation.

This section has reviewed and discussed the security of unicast communication in sensitive information systems. By investigating IPsec, SSL/TLS and SRTP, the most secure and widely deployed unicast communication protocols, we found that a common security drawback among these protocols is the use of long-term shared keys. In the next section we will examine the security of multicast communication in protecting the communication channel.

2.2.2. Secure Communication in Multicast Channels

As group-oriented communication systems become more widespread, sensitive information confidentiality is an issue of growing importance for group members. To achieve confidential communication in a multicast channel, cryptographic keys are employed to secure the multicast contents. The keys (or the group key) must be shared only by group members. Therefore, group key management is important for secure multicast group communication. Almost all the schemes discussed below use the notion of a central trusted authority, called a group controller (GC). The GC is used
to generate, distribute and update cryptographic keying material for group members to ensure multicast security through access control, data confidentiality and group authentication. Historically, the first use of group keys was in the Second World War. Group keys were sent to groups of agents by the Special Operations Executive. These group keys allowed all the agents in a particular group to receive a single coded message [Ma99].

Modern group key management for sensitive information systems requires group keys to have a number of characteristics: group key secrecy, backward secrecy, forward secrecy and group key independence. In addition, modern management also requires flexible and efficient rekeying operations and privacy for group members [KiPeTs04]. In order to fulfill these requirements, substantial research work has been carried out over the last decade. Projects include Conference Key Distribution Systems (CKDS) [InTaWo82], Scalable Multicast Key Distribution [Ba96], Group Key Management Protocol (GKMP) [HaMu97a, HaMu97b], Logical Key Hierarchy (LKH) [WoGoLa98, WoGoLa00], Kronos [SeKoJa00], Distributed Logical Key Hierarchy [OhKeDa00], One-way Function Tree (OFT) [ShMc03], Contributory Key Agreement [KiPeTs04], VersaKey [WaCaSu99], Iolus [Mi97] and CLIQUES [StTsWa98]. Based on the way in which the group key is formed, these group key management systems can be classified into three approaches: contributory (distributed) key agreement, centralised key distribution and decentralized key distribution.
Contributory Key Agreement

Contributory key agreement (also called distributed key agreement) generates a group key from the uniform contributions of all group members. These protocols are resilient to many types of attacks and are particularly appropriate for relatively small collaborative peer groups. Unlike most group key distribution protocols, contributory group key agreement protocols offer strong security properties such as key independence and perfect forward secrecy. The first contributory key agreement proposal, CKDS (also known as ING), was developed by Ingemarsson et al. and based on a public key system (the Diffie-Hellman key exchange protocol [DiHe76a]). This was followed by IDCKD [KoOh87], the STR protocol [StStDi88], the Octopus protocol [BeWi98], the Group Diffie-Hellman (GDH) key exchange schemes [StTsWa96, StTsWa00] and Tree-based Group DH Key Management (TGDH) [KiPeTs04]. Zou and Ramamurthy [ZoRaMa05] point out that these agreements are all primarily different variations of n-party DH key exchange. We select the two most influential and prominent agreements, CKDS (ING) and GDH, for further investigation.

CKDS adopts the public key distribution system invented by Diffie and Hellman to generate a conference key for any group of stations to share, in order to guarantee information security in multicast communication systems. CKDS consists of $n-1$ rounds; group members are arranged in a cycle (Figure 2.3) and perform every round in synchronization. CKDS is illustrated in Figure 2.3.
Figure 2.3. CKDS (ING) Protocol.

The net key (group key) is built up by messages of the form $m_i \to m_{i+1}: \alpha^{R_i R_{i-1} \cdots} \bmod p$ between group members $m_i$, where $\to$ indicates the sequential sending of a message around the cycle, and $\alpha$ is a primitive element in the field of integers modulo a prime number $p$. For example, if there are four members in a group, the net key can be generated in three rounds as follows:

i) Each member generates a random number $R_i$, computes $\alpha^{R_i} \bmod p$ and passes it on: $m_i \to m_{i+1}: \alpha^{R_i} \bmod p$. The state of this round can be instantiated as:

$m_0 \to m_1: \alpha^{R_0} \bmod p,\; m_1 \to m_2: \alpha^{R_1} \bmod p,\; \ldots,\; m_3 \to m_0: \alpha^{R_3} \bmod p$

ii) After receiving the intermediate key, each member raises it to its own $R_i$ modulo $p$ to compute a new value. The state of this round is:

$m_0 \to m_1: \alpha^{R_0 R_3} \bmod p,\; m_1 \to m_2: \alpha^{R_1 R_0} \bmod p,\; \ldots,\; m_3 \to m_0: \alpha^{R_3 R_2} \bmod p$

iii) In the last round, each member again raises the received key to its own exponent to compute a new intermediate value. The state of the final round is:
$m_0 \to m_1: \alpha^{R_0 R_2 R_3} \bmod p,\; m_1 \to m_2: \alpha^{R_1 R_0 R_3} \bmod p,\; \ldots,\; m_3 \to m_0: \alpha^{R_3 R_1 R_2} \bmod p$

Therefore, after the final round, every member is in possession of the net key $\alpha^{R_0 R_1 R_2 R_3} \bmod p$. From the example, it is observable that each member in CKDS starts synchronously, and requires $n-1$ rounds to compute a net key. However, CKDS does not support dynamic membership operations, such as member join and leave, and has a high computational cost due to the $n-1$ sequential modular exponentiations. In addition, the protocol falls into the class of natural DH extensions as defined in [StTsWa96]. Because the protocol has no natural group leader, it is difficult to use it as a foundation for auxiliary key agreement protocols [StTsWa00]. Furthermore, CKDS only performs key distribution, without authentication. Thus, the security of CKDS is breakable.

The GDH protocol consists of three versions of the Group Diffie-Hellman key exchange scheme (GDH.1, GDH.2 and GDH.3) proposed by Steiner et al. in 1996 and 2000 [StTsWa96, StTsWa00]. The key generated by all three versions for $n$ group members is $K = \alpha^{R_0 \cdots R_{n-1}} \bmod p$, where $p$ is a prime number and $R_i$ is the random number of member $m_i$.

I. GDH.1 involves two stages ($n-1$ rounds each): upflow and downflow. The upflow stage collects contributions from all group members. The downflow stage computes intermediate values and forwards them. The group key distribution protocol is defined as:

Stage 1 (Upflow): Round $i$; $i \in [1, n-1]$

$m_i \to m_{i+1}: \{\alpha^{\prod(R_k \mid k \in [1, j])} \mid j \in [1, i]\}$

Stage 2 (Downflow): Round $n-1+i$; $i \in [1, n-1]$
$m_{n-i+1} \to m_{n-i}: \{\alpha^{\prod(R_k \mid k \in [1, n],\, k \notin [j, n-i])} \mid j \in [1, n-i]\}$

Finally, every member is in possession of the group key $K = \alpha^{R_0 \cdots R_{n-1}}$. Figure 2.4 illustrates an example of GDH.1 with four members.

Figure 2.4. GDH.1: An Example for Four Members.

It is notable that GDH.1 takes $2(n-1)$ rounds to compute the group key, with $\frac{(n+3)n}{2} - 1$ exponentiations in total. The authors state that the drawback of GDH.1 is its relatively large number of rounds. On the other hand, the GDH.1 protocol does not impose the special communication requirements, such as multicast, broadcast or synchronization, that CKDS does.

II. GDH.2 reduces the number of rounds by collecting contributions from all members in the upflow but broadcasting messages in stage 2. In the first stage, the upflow protocol of GDH.1 is modified by adding the cardinal value $\alpha^{R_1 \cdots R_i}$. By the time the upflow reaches $m_n$, the cardinal value becomes $\alpha^{R_1 \cdots R_{n-1}}$. Therefore, the group member $m_n$ is the first to compute the group key. Group member $m_n$ also computes the last batch of intermediate values and broadcasts these to the other members. The group key distribution protocol is defined as:

Stage 1 (Upflow): Round $i$; $i \in [1, n-1]$
$m_i \to m_{i+1}: \{\alpha^{\prod(R_k \mid k \in [1, i],\, k \neq j)} \mid j \in [1, i]\},\; \alpha^{R_1 \cdots R_i}$

Stage 2 (Broadcast): Round $n$

$m_n \to m_i: \{\alpha^{\prod(R_k \mid k \in [1, n],\, k \neq i)} \mid i \in [1, n]\}$

Finally, every member is in possession of the group key $K = \alpha^{R_0 \cdots R_{n-1}}$. Figure 2.5 illustrates an example of GDH.2 with four members.

Figure 2.5. GDH.2: An Example of Four Members.

It can be observed from the definition and the example that GDH.2 has $n$ rounds, which is $n-1$ rounds fewer than GDH.1. But the total number of exponentiations remains the same as in GDH.1.

III. GDH.3 reduces the number of exponentiations and involves four stages. The first stage is similar to the upflow stage in GDH.1 and GDH.2, collecting contributions from all members in $n-2$ rounds. In the second stage, $m_{n-1}$ broadcasts the
processed intermediate key obtained from stage 1 to all other members. In the third stage, every member extracts its own share $R_i$ and sends the result to $m_n$. Finally, in the fourth stage, $m_n$ broadcasts the recomputed values to the members. After receiving the values from $m_n$, every member can compute the group key $K = \alpha^{R_0 \cdots R_{n-1}}$. The group key distribution protocol is defined as:

Stage 1 (Upflow): Round $i$; $i \in [1, n-2]$

$m_i \to m_{i+1}: \{\alpha^{\prod(R_k \mid k \in [1, i])}\}$

Stage 2 (Broadcast): Round $n-1$

$m_{n-1} \to m_i: \{\alpha^{\prod(R_k \mid k \in [1, n-1])}\}$

Stage 3 (Response): Round $n$

$m_i \to m_n: \{\alpha^{\prod(R_k \mid k \in [1, n-1],\, k \neq i)}\}$

Stage 4 (Broadcast): Round $n+1$

$m_n \to m_i: \{\alpha^{\prod(R_k \mid k \in [1, n],\, k \neq i)} \mid i \in [1, n-1]\}$

Finally, every member is in possession of the group key $K = \alpha^{R_0 \cdots R_{n-1}}$. Figure 2.6 illustrates an example of GDH.3 with four members. It can be observed from the definition and the example that GDH.3 has $n+1$ rounds (that is, one round more than GDH.2). But the total number of exponentiations is reduced to $5n-6$ from $\frac{(n+3)n}{2} - 1$ in GDH.1 and GDH.2 (as its authors claim).

In addition to group key generation, all three versions of GDH provide rekeying operations. This is the process of changing the group key and supporting keys and
sending them to group members. The group key must be updated when membership changes due to join or leave operations. The purpose of key updating is to enforce backward and forward secrecy.

IV. GDH Member Join. When a new member, $m_{n+1}$, wants to join a group, $m_n$ first generates a new random number, $R'_n$, computes the intermediate values with $R'_n$, and then sends the results to $m_{n+1}$. After that, $m_{n+1}$ generates its own exponent $R_{n+1}$ and computes the new group key. Finally, as in the normal protocol run, $m_{n+1}$ broadcasts $n$ intermediate keys to the other group members. The purpose of this rekeying operation is to guarantee that GDH satisfies backward secrecy. Backward secrecy prevents new members from gaining the old group key and consequently accessing past group communication data.

Figure 2.6. GDH.3: An Example of Four Members.
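The CKDS ring protocol and the GDH.2 upflow/broadcast protocol described above, together with the GDH member join, as an added simulation that is not part of the thesis. The modulus P, the base ALPHA and the member exponents are constructed demo values; the code checks only that every member arrives at the same key $\alpha^{R_0 \cdots R_{n-1}} \bmod p$ and that a join with a refreshed $R'_n$ yields a different key.

```python
"""Added example, not from the thesis: the CKDS (ING) ring protocol and the
GDH.2 upflow/broadcast protocol from Section 2.2.2, run on a toy prime field.
The modulus P and base ALPHA are constructed demo values, far too small for
real use; the member exponents R_i are the contributions of the text."""
import secrets
from functools import reduce

P = 2**127 - 1      # constructed demo modulus (a Mersenne prime)
ALPHA = 3           # constructed demo stand-in for the primitive element


def expected_key(contribs):
    """The key every run must agree on: alpha^(R_0 R_1 ... R_{n-1}) mod p.
    Exponents are reduced modulo p-1 (Fermat) so the product stays small."""
    e = reduce(lambda a, b: (a * b) % (P - 1), contribs, 1)
    return pow(ALPHA, e, P)


def ckds(contribs):
    """CKDS/ING: n members on a ring, n-1 synchronous rounds. In each round
    member i forwards to member i+1 the value received from member i-1,
    raised to its own R_i. Returns the key each member ends up holding."""
    n = len(contribs)
    sent = [pow(ALPHA, r, P) for r in contribs]          # round 1: alpha^{R_i}
    for _ in range(n - 2):                               # rounds 2 .. n-1
        sent = [pow(sent[(i - 1) % n], contribs[i], P) for i in range(n)]
    # after round n-1 member i holds alpha^(all R except R_i) and finishes locally
    return [pow(sent[(i - 1) % n], contribs[i], P) for i in range(n)]


def gdh2(contribs):
    """GDH.2: n-1 upflow rounds, then m_n broadcasts once.
    Upflow message i -> i+1 carries {alpha^(prod R_k, k<=i, k!=j) | j<=i}
    plus the cardinal value alpha^(R_1 ... R_i)."""
    n = len(contribs)
    partials, cardinal = [], ALPHA                      # alpha^(empty product) = alpha
    for r in contribs[:-1]:
        partials = [pow(v, r, P) for v in partials] + [cardinal]
        cardinal = pow(cardinal, r, P)
    last = contribs[-1]
    keys = [None] * n
    keys[-1] = pow(cardinal, last, P)                   # m_n is first to know the key
    broadcast = [pow(v, last, P) for v in partials]     # stage 2: m_n -> all m_i
    for j in range(n - 1):                              # m_j finishes with its own R_j
        keys[j] = pow(broadcast[j], contribs[j], P)
    return keys


def fresh_exponent():
    return secrets.randbelow(P - 2) + 1


def gdh2_join(contribs, newcomer):
    """GDH member join (IV above): m_n refreshes its exponent to R'_n so the
    newcomer, who contributes R_{n+1}, cannot recover the previous key."""
    refreshed = contribs[:-1] + [fresh_exponent(), newcomer]
    return refreshed, gdh2(refreshed)
```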
V. GDH Member Leave. When a member, $m_p$, wishes to leave a group, $m_n$ first generates a new component $R'_n$ and computes $n-2$ intermediate keys, excluding the keying material of $m_p$. Member $m_n$ then broadcasts this key material to the other members. Note that, since the intermediate keys do not contain information for the excluded $m_p$, $m_p$ is unable to compute the new group key. The purpose of this rekeying operation is to guarantee that GDH satisfies forward secrecy. Forward secrecy prevents leaving members from accessing future group communication.

Contributory Key Agreement Summary. Having investigated contributory key agreement for protecting the multicast communication channel, using CKDS and GDH as representatives, a comparative summary of CKDS, GDH.1, GDH.2 and GDH.3 is given in Table 2.2.

Table 2.2. Comparison of CKDS, GDH.1, GDH.2 and GDH.3.

| Protocol | CKDS | GDH.1 | GDH.2 | GDH.3 |
|---|---|---|---|---|
| Rounds | $n-1$ | $2(n-1)$ | $n$ | $n+1$ |
| Messages sent per $m_i$ | $n-1$ | 2 | 1 | 2 |
| Messages received per $m_i$ | $n-1$ | 2 | 2 | 3 |
| Total EXPs | $n$ | $\frac{(n+3)n}{2}-1$ | $\frac{(n+3)n}{2}-1$ | $5n-6$ |
| Special member | no | no | $m_n$ | $m_{n-1}$ and $m_n$ |
| Synchronization | yes | no | no | no |
| Rekeying operation | no | yes | yes | yes |
| Group key | $\alpha^{R_0 \cdots R_{n-1}}$ | $\alpha^{R_0 \cdots R_{n-1}}$ | $\alpha^{R_0 \cdots R_{n-1}}$ | $\alpha^{R_0 \cdots R_{n-1}}$ |

It is notable that the security of contributory key agreements relies on the hardness of nondeterministic polynomial time (NP) problems [TaWe06]. It is also notable that contributory key agreements do not employ a Group Controller (GC) to manage
rekeying operations. From the table, it can be seen that GDH.3 has the best performance. However, GDH.3 depends on a special member to perform rekeying. Therefore, it is not suitable for large groups.

Centralised Group Key Management

Centralised key distribution requires a GC (or a key distribution centre (KDC)) to generate the group key and distribute the key to all group members. The earliest centralised key distribution was a star-shaped scheme in which all group members used their own secret keys, shared with the GC, to encrypt the group key when a rekeying event occurred. This process was inefficient in terms of communication, although it provided both forward and backward confidentiality and ease of implementation. According to Zou [ZoRaMa05], among all group key management protocols, the key tree scheme provides a very powerful approach in centralised group key management. Tree-based schemes have been independently proposed by several research groups. The first such scheme was the logical key hierarchy (LKH) proposed by Wallner et al. [WaHaAg97, WoGoLa98]. A scheme similar to LKH was proposed by Caronni et al. [CaWaSu98] and Noubir [No98]. A more efficient scheme than LKH, based on the idea of a one-way function tree (OFT), was proposed by Sherman et al. [ShMc03]. Among the centralised key distribution schemes, LKH and OFT are the most popular.

LKH. In the LKH scheme, the associated binary tree is called a key tree. It is a virtual tree (see Figure 2.7). As discussed earlier, the group controller (GC) maintains the multicast group in the key tree. All members of the group are associated with leaf nodes of the tree. The nodes in the tree are assigned keys. The key assigned to the root
node is called the Traffic Encryption Key (TEK). The keys assigned to the other nodes are called Key Encryption Keys (KEKs).

Figure 2.7. LKH Key Tree.

Each member in the key tree knows the keys on the path from the member to the root. For example, $m_3$ knows the set of keys $\{K_3, K_{23}, K_{03}, K_{07}\}$. Also, each member holds a unique KEK (for example, $m_3$ holds $K_3$) known only to the member and the GC (KDC). The GC generates new group keys and distributes these to all group members when a member joins or leaves.

I. LKH Member Join. Suppose a current group consists of members $m_0$ to $m_6$, and that member $m_7$ is about to join the group (see Figure 2.8). After $m_7$ is authenticated by the GC, the GC, to ensure backward secrecy, decides the location in the tree for $m_7$ and updates all the keys from the parent of the joining member $m_7$ to the root. First, the GC generates a new set of keys
$\{K'_{67}, K'_{47}, K'_{07}\}$ and unicasts these to $m_7$. The GC then multicasts the internal keys to the other affected members. The rekeying messages are:

$GC \to m_7: \{K'_{67}, K'_{47}, K'_{07}\}_{K_7}$

$GC \to \{m_6\}: \{K'_{67}, K'_{47}, K'_{07}\}_{K_{67}}$

$GC \to \{m_4, m_5\}: \{K'_{47}, K'_{07}\}_{K_{47}}$

$GC \to \{m_0, m_1, m_2, m_3\}: \{K'_{07}\}_{K_{03}}$

Figure 2.8. LKH Member Joins the Group.

In addition, suppose that $m_8$ is to join the group and that all slots are occupied. In this situation, node $m_0$ becomes an internal node, $m_{08}$. A new level is thus established and more members can be allocated.

II. LKH Member Leave. When a member $m_3$ wishes to leave the group, all the keys that $m_3$ knows and shares with other members need to be changed to ensure
forward secrecy. The GC changes these keys from the bottom up. Figure 2.9 illustrates the rekeying operation.

Figure 2.9. LKH Member Leaves the Group.

Because $m_3$ knows the set of keys $\{K_{23}, K_{03}, K_{07}\}$, these keys need to be regenerated by the GC and multicast to the affected members. The rekeying messages are:

$GC \to \{m_2\}: \{K'_{23}, K'_{03}, K'_{07}\}_{K_{23}}$

$GC \to \{m_0, m_1\}: \{K'_{03}, K'_{07}\}_{K_{03}}$

$GC \to \{m_4, m_5, m_6, m_7\}: \{K'_{07}\}_{K_{47}}$

It is observable that the computational cost of the rekeying operation is logarithmic in the size of the group. Thus, the number of keys that need to be changed in member join and leave operations is $\log(n)$, where $n$ is the number of members in the multicast group. Also, this scheme requires a reliable multicast infrastructure, and it is scalable
for large group sizes. LKH has been slightly improved in terms of performance by the VersaKey framework [WaCaSu99] and LKH+ [HaHa99].

OFT. In a one-way function tree scheme, the associated binary tree is the same as for LKH. The scheme assumes that there is a secure unicast channel between the GC and each group member. The main advantage of OFT over LKH is that it allows group members to compute group keys locally, reducing the communication and computation cost. In an OFT, the GC maintains a logical key tree and the group members are assigned to leaf nodes (Figure 2.10). Each node is associated with multiple keys: the KEK is a node secret $K_i$ (an unblinded node key) shared between group members and the GC, while the blinded node secret is the result of applying $K_{i\_bk} = g(K_i)$, where $g(\cdot)$ is a one-way function. The node secret of the root is the group key, the TEK. The GC computes the node secrets and blinded node keys of all nodes in a bottom-up manner, beginning with the leaf nodes and proceeding level by level up to the root, by applying a mixing function $f(\cdot)$ (for example, XOR).
Figure 2.10. OFT Key Tree.

The security of the system depends on the fact that each member knows the unblinded node keys on the path from its node to the root, and knows the blinded node keys that are siblings of that path, and no other blinded or unblinded keys. The purpose of blinded and unblinded keys is to allow group members to compute higher-level keys from lower-level keys, in order to reduce the number of rekeying operations conducted by the GC. Figure 2.11 shows an example of an OFT key tree, highlighting the blinded and unblinded keys that are known to a particular group member $m_3$.
Figure 2.11. OFT: The Keys Known to a Group Member.

I. OFT Member Join. Suppose a current group consists of members $m_0$ to $m_6$, and that member $m_7$ is about to join the group (see Figure 2.12). After authentication with the GC, the GC sends $m_7$ the blinded keys that it is supposed to know:

$GC \to m_7: \{K_{6\_bk}, K_{45\_bk}, K_{03\_bk}\}_{K_7}$

The GC then sends the blinded key of the new member, $m_7$, to the member with the same parent node:

$GC \to m_6: \{K_{7\_bk}\}_{K_6}$

Last, the GC broadcasts all changed blinded node keys to the other affected members to ensure backward secrecy:

$GC \to \{m_4, m_5\}: \{K'_{67\_bk}\}_{K_{45}}$

$GC \to \{m_0, m_1, m_2, m_3\}: \{K'_{47\_bk}\}_{K_{03}}$
Figure 2.12. OFT Member Joins a Group.

Each member in the group is therefore able to recompute the new group key from itself up to the root.

II. OFT Member Leave. Suppose that the member associated with the leaf $m_3$ wants to leave the group. When the member associated with the leaf $m_3$ leaves the group (Figure 2.13), the member assigned to the sibling of $m_3$ is reassigned to the parent of $m_3$ and given a new leaf key value. The new values of the blinded node keys that have changed are broadcast securely to the appropriate subgroups, so that all current group members can recompute any keys that have changed as a result of the membership change. The messages sent for the rekeying operation can be given briefly as:

$GC \to m_2: \{K'_{3\_bk}\}_{K_2}$

$GC \to \{m_0, m_1\}: \{K'_{23\_bk}\}_{K_{01}}$
$GC \to \{m_4, m_5, m_6, m_7\}: \{K'_{03\_bk}\}_{K_{47}}$

Figure 2.13. OFT Member Leaves a Group.

The process requires the GC to multicast $\log_2 n$ (balanced tree) key updates, which is the height of the key tree. The major contribution of the OFT scheme is that it allows members to compute keys locally in order to reduce rekeying complexity. However, according to Horng and Ku et al. [Ho02, KuCh03], OFT is vulnerable to collusion attacks.

Centralised Key Distribution Summary. The two centralised key distribution schemes discussed, OFT and LKH, achieve similar performance; however, OFT offers two advantages:

- OFT reduces computation costs by allowing group members to perform local calculations to derive higher-level keys.
- OFT reduces the number of messages required on a key update to $\log_2 n$.
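The LKH member-leave rekey and the OFT bottom-up key computation described above, as an added symbolic simulation that is not part of the thesis. It uses the eight-member tree of Figures 2.7 to 2.13 with constructed node names (K3, K23, K03, K07) and constructed leaf secrets; for LKH each refreshed key is wrapped under the sibling subtree's key, the one the leaving member never held, which is what the forward secrecy requirement stated above demands, and for OFT $g$ is SHA-256 and $f$ is XOR, the text's own example.

```python
"""Added example, not from the thesis: an LKH rekey on member leave and the OFT
bottom-up key computation, on the eight-member balanced key tree of Figures
2.7 to 2.13. Node names are constructed from the leaves they cover: 'K3' is
member m3's leaf key, 'K23' covers m2 and m3, 'K07' is the root (the TEK)."""
import hashlib

LEAVES = 8   # members m0 .. m7; tree height log2(8) = 3


def name(nd):
    lo, hi = nd
    return f"K{lo}" if lo == hi else f"K{lo}{hi}"


def members(nd):
    return list(range(nd[0], nd[1] + 1))


def children(nd):
    lo, hi = nd
    mid = (lo + hi) // 2
    return (lo, mid), (mid + 1, hi)


def path(member):
    """Nodes from the member's leaf up to the root: m3 -> K3, K23, K03, K07.
    These are exactly the unblinded keys the member is allowed to hold."""
    nodes, width = [], 1
    while width <= LEAVES:
        lo = (member // width) * width
        nodes.append((lo, lo + width - 1))
        width *= 2
    return nodes


def lkh_leave_messages(leaver):
    """LKH member leave: every key on the leaver's path except its own leaf is
    refreshed. Each refreshed key is delivered to the sibling subtree wrapped
    under that subtree's key, which the leaver never held, so forward secrecy
    holds. Returns (recipients, wrapping key, new keys) per rekey message."""
    on_path = path(leaver)
    refreshed = on_path[1:]
    messages = []
    for i, nd in enumerate(refreshed):
        left, right = children(nd)
        sibling = right if left in on_path else left
        new_keys = [name(n) + "'" for n in refreshed[i:]]
        messages.append((members(sibling), name(sibling), new_keys))
    return messages


def can_learn_new_tek(member, leaver):
    """A member recovers the new TEK iff it holds some message's wrapping key."""
    held = {name(n) for n in path(member)}
    return any(under in held for _, under, _ in lkh_leave_messages(leaver))


def g(secret):
    """OFT blinding: a one-way function (SHA-256 here, a constructed choice)."""
    return hashlib.sha256(secret).digest()


def f(left_blinded, right_blinded):
    """OFT mixing function f(.): XOR, the text's own example."""
    return bytes(a ^ b for a, b in zip(left_blinded, right_blinded))


def oft_tree(leaf_secrets):
    """GC side: K_node = f(g(K_left), g(K_right)), computed bottom up from the
    leaves to the root; the root secret is the group key (TEK)."""
    tree = {(i, i): s for i, s in enumerate(leaf_secrets)}
    width = 2
    while width <= LEAVES:
        for lo in range(0, LEAVES, width):
            nd = (lo, lo + width - 1)
            left, right = children(nd)
            tree[nd] = f(g(tree[left]), g(tree[right]))
        width *= 2
    return tree


def oft_member_view(member, tree):
    """Member side: knowing only its own leaf secret and the blinded keys of
    the siblings along its path, the member recomputes every node secret on
    the path, ending with the TEK, without the GC sending it any of them."""
    on_path = path(member)
    secret = tree[on_path[0]]
    for parent in on_path[1:]:
        left, right = children(parent)
        if left in on_path:
            secret = f(g(secret), g(tree[right]))   # only g(K_right) is known to us
        else:
            secret = f(g(tree[left]), g(secret))    # only g(K_left) is known to us
    return secret
```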
Table 2.3 outlines the characteristics of the LKH and OFT schemes. OFT slightly outperforms LKH, but in terms of security, OFT is constrained by the limitations of its original design. Also, as all centralized key distribution schemes employ a group controller to recompute new group keys for members, this can pose a challenge for large groups with frequent rekeying operations. Moreover, single-point failure is the biggest drawback of such schemes in the case of a GC failure.

Table 2.3. Comparison of LKH and OFT.

| Scheme | LKH | OFT |
|---|---|---|
| Number of member keys | $\log_2 n$ | $\log_2 n$ |
| Number of rekeying messages | $2\log_2 n$ | $\log_2 n$ |
| Computation cost | $O((\log_2 n)^2)$ | $O(\log_2 n)$ |
| Vulnerable to collusion | no | yes |
| Group controller | yes | yes |

Decentralized Group Key Management

Decentralized group key management is used to minimize the problems of centralized key distribution schemes, such as single-point failure. Under a decentralized system, key management is divided among hierarchically structured managers, each with a small subgroup controller, in an attempt to avoid concentrating the work in a single entity. The earliest solution for decentralized key distribution was a core-based tree [Ba96]. Further research followed, such as Iolus [Mi97], MARKS [Br99], Kronos [SeKoJa00] and IGKMP [HaCaMo00]. Among these, the Iolus architecture is the most referenced scheme [ZoRaMa05]. It employs a multilayered management structure, and the scheme is discussed in detail in the following.

Iolus is a high-level infrastructure for secure multicast. It divides a large group into a number of subgroups. When a member joins or leaves a group, only the key of the
subgroup to which the member belongs needs to be changed, while the keys of all other subgroups remain the same. Iolus relies on relay nodes for rekeying operations. The architecture is illustrated in Figure 2.14.

Figure 2.14. Subgroups and GSIs in the Iolus Scheme.

In Iolus, each subgroup has a controller named the group security agent (GSA) or group security intermediary (GSI). Every subgroup has its own independent key $K_i$. The GSI of the root subgroup is called the group security controller (GSC). A GSI is a bridge between its parent subgroup and its own subgroup, and it holds both subgroup keys (for example, $GSI_2$ holds $K_1$ and $K_2$). Because each subgroup uses a different key, the GSIs are responsible for translating data from one key to another and delivering it to other GSIs as appropriate.

I. Iolus Member Join. When a member wants to join the group, the GSI generates a new subgroup key and sends it to the member via a secure unicast channel. Then the GSI joins the next highest subgroup in the hierarchy.
II. Iolus Member Leave. When a member leaves the group, the GSI generates a new subgroup key and distributes the key to all remaining subgroup members. Should the member be the only member in the GSI, the GSI needs to contact its parent subgroup and remove itself from the secure distribution tree.

The major benefits of using a secure distribution tree are twofold. First, this architecture localizes the effect of group membership changes to one subgroup. Second, it overcomes the single-point failure effect. Should one GSI experience a system failure or security breach, only the breached subgroup loses service. The other subgroups continue to function. Despite its advantages, Iolus suffers from several drawbacks [MoRaRo99]. The Mayer and Rao survey points out that Iolus requires a substantial resource overhead to manage a multicast group. Also, if the GSC fails, many of the subgroups are cut off from each other. Decentralized key distribution schemes, such as Iolus, are therefore not suitable for large groups. In addition, the performance of such schemes is a challenge for multicast communication.

This section (2.2.2) has reviewed and discussed the security of multicast communication in sensitive information systems. By investigating the existing approaches (contributory, centralized and decentralized key agreement), we found that each key agreement has its own advantages and disadvantages (Table 2.4), and none of them fulfils the security requirements of sensitive information systems, such as privacy protection. In the next section, we will summarize the security threats and concerns of the existing approaches to protecting the communication channel in sensitive information systems.
Table 2.4. Advantages and Disadvantages of Multicast Communication Schemes.

| | Contributory key agreement | Centralized key distribution | Decentralized key distribution |
|---|---|---|---|
| Advantages | does not require a GC; strongly collusion resistant | large group orientation; scalable; collusion resistant; operationally efficient | membership change does not affect the entire group; operationally efficient |
| Disadvantages | not scalable; small group orientation, not suitable for a large group; single membership change affects the entire group; no consideration of privacy protection; unicast security on group key distribution | likelihood of single point failure; single membership change affects the entire group; no consideration of privacy protection; unicast security on group key distribution | communication expensive; weak collusion resistance; no consideration of privacy protection; operation efficiency; unicast security on group key distribution |
2.2.3. Summary

In Section 2.2, we investigated secure communication in unicast and multicast channels. Having reviewed the issues relating to securing the unicast communication channel, a number of conclusions can be made:

- The use of long-term shared keys and public keys renders unicast communication channels vulnerable; hence they are not suitable for sensitive information protection.
- Therefore, there is no proper approach to protect sensitive information in the unicast communication channel. The use of long-term shared keys and public keys is the drawback which renders the communication channel vulnerable.

Also, a number of conclusions for securing the multicast communication channel can be made by reviewing the multicast approaches:

- Approaches to securing the multicast communication channel focus on rekeying operations (performance) in the group communication.
- Contributory key agreement is not suitable for a large group even though it is flexible in terms of membership changes. It does not rely on a group controller.
- Centralized key distribution suffers from the rekeying complexities associated with large groups.
- Decentralized key distribution has large communication overheads.
- No multicast communication solutions exist that ensure privacy protection for group members and confidentiality for sensitive information systems.
- There are no unambiguous instructions on group key distribution to individuals.
Therefore, no proper approach helps protect sensitive information in the multicast communication channel. The lack of privacy protection for group members and confidentiality for sensitive information systems is the drawback which threatens the multicast communication channel. In the next section, we will investigate the extant technical approaches to protecting the user interface.

2.3. Securing User Interface

The common security mechanism to protect the user interface in sensitive information systems is authentication. Authentication is the process of confirming or denying a user's claimed identity, which can be proved by knowledge, possession and property [Me02]. It can be accomplished by using one or more of the following validation approaches: a knowledge factor[18] (something users know), a possession factor (something users have) or a biometrics factor (something users are). In this section, we examine and review the different authentication factors, analyse their advantages and disadvantages, and indicate the common problems facing each factor. We finish this section by distinguishing authentication from the closely related term authorization.

2.3.1. Proof by Knowledge

When using a knowledge factor for authentication, an entity proves its identity by providing knowledge of some secret information such as a password or a cryptographic key. This information may either be static or dynamically changing over time. Generally speaking, static information is used to implement weak authentication

[18] A factor is a piece of information used to authenticate or verify a person's identity for security purposes.
mechanisms, whereas dynamic information is used when implementing strong authentication mechanisms.

Static Information

Initially, plain passwords were used to authenticate two communicating entities by comparing them. However, it is possible for an adversary to guess a plain password [FeKa90, MoTh79]. In order to solve this problem, a plain password can be run through a one-way hash function, which converts it into a random-looking sequence of bytes. Nevertheless, the password database itself could still be vulnerable. Despite this weakness, this method of protection is still being used to this day, primarily for UNIX systems [FeKa90]. In 1992, Bellovin and Merritt [BeMe92] introduced the encrypted key exchange (EKE[19]) protocol, which generates a session key between two authenticated entities to prevent guessing attacks. The EKE protocol was very influential and became the basis for much future work in this area, such as DH-EKE, SPEKE and A-EKE [BeMe93, Ja96a, Lu98b, Pa97, StTsWa95, Wu98]. The EKE protocol operates as follows:

Assume that two entities, A and B, wish to establish a secret (an authenticated session key). Initially, both entities share a password, say $P$, and agree on a base $\alpha$ and a modulus $\beta$ for discrete exponentiation:

i) A picks a random number, $R_A$, and calculates $\{\alpha^{R_A} \bmod \beta\}_P$. A then sends the result, together with the identifier of A, to B:

$A \to B: A, \{\alpha^{R_A} \bmod \beta\}_P$

[19] EKE is a password authentication protocol, which can be categorized under either the static information or the dynamically changing information section. In this thesis, we regard it as both.
ii) Upon receipt, B picks a random number, $R_B$, and calculates $\alpha^{R_B} \bmod \beta$. Because B knows $P$ as well, B uses $P$ to decipher $\{\alpha^{R_A} \bmod \beta\}_P$ and calculate $\alpha^{R_A R_B} \bmod \beta$. B then derives a session key $K_{session}$ from the result, perhaps by selecting certain bits as agreed. Finally, B generates a random challenge, $challenge_B$, and sends this to A:

$B \to A: \{\alpha^{R_B} \bmod \beta\}_P, \{challenge_B\}_{K_{session}}$

iii) After A uses $P$ to recover $\alpha^{R_B} \bmod \beta$, A is able to calculate $K_{session}$. It, in turn, is used to decipher $\{challenge_B\}_{K_{session}}$. Lastly, A generates its own random challenge, $challenge_A$, and sends this to B:

$A \to B: \{challenge_A, challenge_B\}_{K_{session}}$

iv) Upon receipt, B deciphers $\{challenge_A, challenge_B\}_{K_{session}}$ and verifies $challenge_B$. B then sends $challenge_A$ back:

$B \to A: \{challenge_A\}_{K_{session}}$

v) Lastly, A deciphers this and verifies that the challenge matches the original.

Despite the interest created by the EKE protocol, these protocols have not been proven secure and their conjectured security is based on heuristic arguments [GeLi06]. Gennaro and Lindell consider that the first rigorous treatment of the problem was provided by Halevi and Krawczyk [HaKr99], who considered an asymmetric hybrid model to provide a password-based solution. But further examination of the risks of password authentication protocols [CoDiWa04] revealed that three types of attacks could compromise their security: technical attacks, discovery attacks and social
engineering attacks [BiKl95, De89]. To counter these types of attacks, password and system rules, together with training and awareness, are suggested.

Dynamically-changing Information

The idea behind using dynamically changing information in proof-by-knowledge authentication is that each authentication process uses a unique piece of secret information once only. The secret information is not re-used. Consequently, if an adversary eavesdrops on an authentication process and obtains the relevant information, the adversary is not able to use the information in a replay attack. The information will not be valid a second time.

The use of dynamically changing information is not a new idea. Transaction authentication numbers (TANs) [Op96] have long been in use for some online banking services as a form of single-use password to authorize financial transactions. A TAN is a piece of authentication information that can be used in one transaction. For example, a bank randomly creates a set of unique TANs for a user and delivers the set to the user securely. To perform a transaction, the user enters the request and "signs" the transaction by entering an unused TAN. The bank verifies the submitted TAN against the list of TANs issued to the user. If it is a match, the transaction is processed. If it is not a match, the transaction is rejected. When the number of authentication processes or transactions is exhausted, the management of TANs becomes difficult, since it is not scalable. Therefore, the use of cryptographic techniques [HaAt94] is necessary to solve the scalability problem. The following discussion gives a brief overview of current approaches.
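The EKE exchange of Section 2.3.1 (steps i to v above), as an added runnable simulation that is not from the thesis or from Bellovin and Merritt. The base ALPHA, the modulus BETA and the password-keyed wrapping $\{x\}_P$ are constructed stand-ins (XOR with a SHAKE-256 keystream keyed by the password) chosen only to make the message flow executable, and the session key is a hash of $\alpha^{R_A R_B} \bmod \beta$ rather than a bit selection.

```python
"""Added example, not from the thesis or from Bellovin and Merritt: a
self-contained run of the EKE exchange of steps i) to v) above. The base
ALPHA, modulus BETA and the password-keyed wrapping {x}_P are constructed
demo stand-ins (XOR with a SHAKE-256 keystream keyed by the password), not
a real EKE cipher; they only make the message flow executable."""
import hashlib
import secrets

BETA = 2**127 - 1   # constructed demo modulus, far too small for real use
ALPHA = 3           # constructed demo base


def wrap(key: bytes, label: bytes, value: int) -> bytes:
    """{value}_key: XOR the 16-byte encoding of value with a keystream."""
    data = value.to_bytes(16, "big")
    stream = hashlib.shake_256(key + label).digest(16)
    return bytes(a ^ b for a, b in zip(data, stream))


def unwrap(key: bytes, label: bytes, blob: bytes) -> int:
    stream = hashlib.shake_256(key + label).digest(16)
    return int.from_bytes(bytes(a ^ b for a, b in zip(blob, stream)), "big")


def session_key(shared: int) -> bytes:
    """'Selecting certain bits as agreed': here a hash of alpha^(RA RB) mod beta."""
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def run_eke(password_a: bytes, password_b: bytes):
    """Run steps i) to v) with A holding password_a and B holding password_b.
    Returns (a_verified, b_verified); both are True only if the passwords
    match, since a wrong P unwraps msg1/msg2 to an unrelated group element."""
    # i) A -> B : A, {alpha^RA mod beta}_P
    r_a = secrets.randbelow(BETA - 2) + 1
    msg1 = wrap(password_a, b"A", pow(ALPHA, r_a, BETA))
    # ii) B recovers alpha^RA, forms K_session, replies {alpha^RB}_P, {challenge_B}_K
    r_b = secrets.randbelow(BETA - 2) + 1
    k_b = session_key(pow(unwrap(password_b, b"A", msg1), r_b, BETA))
    challenge_b = secrets.randbits(128)
    msg2 = (wrap(password_b, b"B", pow(ALPHA, r_b, BETA)),
            wrap(k_b, b"chal-B", challenge_b))
    # iii) A recovers alpha^RB, forms K_session, returns challenge_B with its own
    k_a = session_key(pow(unwrap(password_a, b"B", msg2[0]), r_a, BETA))
    challenge_a = secrets.randbits(128)
    msg3 = (wrap(k_a, b"chal-A", challenge_a),
            wrap(k_a, b"echo-B", unwrap(k_a, b"chal-B", msg2[1])))
    # iv) B verifies challenge_B came back intact, then echoes challenge_A
    b_verified = unwrap(k_b, b"echo-B", msg3[1]) == challenge_b
    msg4 = wrap(k_b, b"echo-A", unwrap(k_b, b"chal-A", msg3[0]))
    # v) A verifies challenge_A
    a_verified = unwrap(k_a, b"echo-A", msg4) == challenge_a
    return a_verified, b_verified
```

With mismatched passwords neither challenge verifies, which is the mutual authentication the five steps provide.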
One-time Password (OTP) Schemes. As its name implies, an OTP scheme employs a password that can only be used once. Traditionally, static secret information can more easily be breached than dynamic information by an adversary given enough attempts and time. By constantly altering the secret information this risk can be reduced. The OTP schemes are very similar to TANs; however, the major difference is that, unlike the TAN schemes, the OTP schemes generate the secret information dynamically and deterministically, and they are scalable. Generally speaking, there are three types of OTPs. The first type uses a mathematical algorithm to generate a new password based on the previous password. This type was originally proposed by Leslie Lamport in the early 1980s [La81]. In his scheme, two entities start with an initial seed (say $s$). A one-way function $F$ is then used to generate a sequence of OTPs: $F(s), F(F(s)), F(F(F(s))), \ldots$ as many times as necessary. If an infinite sequence of OTPs is needed, a new seed $s'$ can be chosen after $s$ is exhausted. The scheme was developed at Bell Communications Research (Bellcore), now Telcordia Technologies (http://www.telcordia.com/), and called S/KEY [Ha94]. It uses a cryptographic hash function as a one-way function to generate dynamic secret information. Haller [Ha94] stated that the S/KEY scheme does not prevent a network eavesdropper from gaining access to private information, but claimed that the S/KEY scheme is not vulnerable to eavesdropping/replay attacks. In 1996, Mitchell and Chen [MiCh96] commented on the scheme and proved that it failed to provide this property. A similar system called One-time Passwords In Everything (OPIE) [McAtMe95] was derived from S/KEY and was claimed "...to secure a system against replay attacks". A number of offline OTP techniques [LiZh04, RuWr02] were also
proposed to enhance the security of such systems. However, all these schemes were vulnerable to phishing attacks [RoSa05]. Such systems were also breakable because they share long-term secret information [KuLeSr05]. The second type of OTP scheme is based on time synchronization between two entities. It usually relates to physical hardware tokens that generate an OTP via an accurate clock synchronized with the clock on the authenticating entity. The RSA SecurID tokens (http://www.rsa.com/) are the most widely-deployed OTP system in use today. Generally speaking, each SecurID token contains a cryptographic processor that generates an authentication code at fixed intervals (usually 30 or 60 seconds) using the built-in clock and an encoded random 64-bit secret key; the code is encrypted with that key. The token offers a level of protection against password replay attacks, but it fails to provide adequate protection against man-in-the-middle attacks. At the RSA Conference in February 2005, a live demonstration was conducted to defeat an RSA SecurID OTP token [Tu07]. The last type of OTP scheme again uses a mathematical algorithm, but the new password is based on a challenge and a counter instead of being based on a previous password. The challenge type of OTP requires a user to provide a time-synchronized challenge to be properly authenticated. This kind of authentication will be discussed in detail in the next section.

Challenge Response (CR) Mechanisms. OTP schemes use one-way authentication. They are simple and straightforward; an entity provides a piece of synchronized authentication information to another entity for validation. In contrast, CR mechanisms require both entities to interact (but not to be synchronized) and they involve two-way
authentication, whereby both entities must each convince the other that they know the shared secret (the password), without this secret ever being transmitted over open networks. The first use of cryptography to achieve authentication was described by Feistel [Fe70] and applied to a network context by Branstad [Br73]. Diffie and Hellman [DiHe76a] and Kent [Ke77] developed it in more depth, and Needham and Schroeder [NeSc78] devised and improved the protocols. The Needham-Schroeder protocol aims to establish a session key between two entities on a network, and proceeds as follows. Assume that two entities, A and B, wish to establish a connection and that S is a server trusted by both entities. Initially, both entities share a secret key with the server, say $K_{AS}$ and $K_{BS}$.

i) A sends a message to S, requesting communication with B; the nonce challenge $n_A$ ensures the message is fresh.

$A \rightarrow S: A, B, n_A$

ii) Once received, S generates $K_{AB}$ and sends it back to A, together with a copy encrypted under $K_{BS}$.

$S \rightarrow A: \{n_A, K_{AB}, B, \{K_{AB}, A\}_{K_{BS}}\}_{K_{AS}}$

iii) Upon receipt, A forwards the key to B, thus authenticating the data.

$A \rightarrow B: \{K_{AB}, A\}_{K_{BS}}$

iv) B then generates the nonce challenge $n_B$, and sends it to A to show it has the key $K_{AB}$.

$B \rightarrow A: \{n_B\}_{K_{AB}}$
v) Last, A performs a simple operation on the nonce $n_B$, and sends it back to B to verify that the same key $K_{AB}$ is held by A.

$A \rightarrow B: \{n_B - 1\}_{K_{AB}}$

The protocol is vulnerable to a replay attack. If an adversary records one run of this protocol, and then subsequently learns the value of $K_{AB}$, the adversary can replay message (iii) to B, and B is unable to tell the freshness of the key. This flaw is fixed in the Kerberos protocol [ChGeRu90, StNeSc88] by the inclusion of a timestamp. The Kerberos protocol uses a Key Distribution Centre to authenticate users, and it distributes session keys to both users and servers. In the original design of Kerberos, session key exchange used long-term shared keys. Kerberos has major drawbacks [KoNeTs94]:

- It depends on long-term symmetric encryption keys to generate session keys for key exchange.
- It requires clock synchronization among all entities.
- It requires continuous availability of a central server.
- Because the secret keys for all users are stored on the central server, a compromise of that server will compromise all users' secret keys.

Although the use of asymmetric cryptography [Er03, HaMe01, SCh97] has been proposed to overcome these drawbacks, all asymmetric cryptography is susceptible to brute force key search attacks [Ka67]. One example of a more sophisticated CR mechanism is zero-knowledge password proof (ZKPP; the term is not used in the cryptographic literature and in fact has little in common with zero-knowledge proofs proper: it is a special kind of zero-knowledge proof of knowledge that addresses the limited size of passwords). This is an interactive method
for one entity to prove to another entity that it knows the password without revealing that password. The first protocol to demonstrate ZKPP authentication was the EKE protocol (discussed in Section 2.2.1, static information). ZKPP was later used as the basis for a new protocol named the secure remote password (SRP) protocol [Wu98]; SRP combines techniques of zero-knowledge proofs [BeGoGo88] with asymmetric key exchange protocols. As claimed, it has a number of desirable properties:

- It allows a user to authenticate itself to a server.
- It is resistant to dictionary attacks mounted by an eavesdropper.
- It does not require a trusted third party.

However, as Wu [Wu98] mentioned, SRP has some security threats. These include key material distribution via open networks and the possibility of an inappropriate password choice compromising security. Nevertheless, by using such protocols, a sender can prove knowledge of a secret while revealing no information about the secret. It is possible, and likely, that zero-knowledge protocols will become more important and widely used in the future [Op01].

2.3.2. Proof by Possession

In a proof by possession, an entity proves its identity by proving ownership of some physical token, such as a smart card, USB token, magnetic stripe card or identification card. The token is used in addition to or in place of a password. It acts as an electronic key to access information; some may store cryptographic keys and even critical information of users. Proof by possession is most frequently used for hard token and smart card authentication.
Hard Token Authentication

Hard token authentication is a form of authentication that requires something users have. These tokens are programmed to generate and display new passwords at certain time intervals. In order to access a system, an entity must provide the password displayed on the token, which is the "something users have" authentication factor. The algorithms for generating credentials are the four types discussed earlier in proof by knowledge (Section 2.2.1): static password, dynamically-changing password (OTP), asynchronous password and challenge response [Op01]. The security of token authentication is guaranteed by a constantly-changing password. The frequency of change makes it difficult for an adversary to use a password to gain malicious access. Even if the adversary successfully steals a password, by the time the adversary enters it into the system, the password will have already changed. Because the mechanism of generating credentials relies on the first factor (that is, proof by knowledge), it suffers the same security threats and concerns.

Smart Cards

The best-known example of proof by possession is smart card authentication, which is based on a credit-card-sized plastic card embedded with an integrated circuit chip. Subscriber Identity Module (SIM) cards are smart cards used in mobile phones to authenticate users with service centres. Smart cards provide not only memory capacity, but also computational capability [CoBr93, WaZhZh06]. The smart card chip was invented by German rocket scientist Helmut Gröttrup and his colleague Jürgen Dethloff in 1968; the patent was finally approved in 1982. The first mass use of the cards was for payment in French pay phones, starting in 1983.
The second use was with the integration of microchips into all French debit cards, completed in 1992. The major boom in smart card use came in the 1990s, with the introduction of the smart-card-based SIM used in GSM mobile phone equipment in Europe. Smart cards are highly secure by design. Should unauthorized users try to tamper with the contained data, a security mechanism will destroy all information stored in the card. Smart card authentication can utilize this security mechanism to store a user's sensitive data. Some smart cards have separate cryptographic coprocessors that support different algorithms such as RSA, ECC and Triple-DES. Smart cards contain unique features that bring many benefits for users [IsSu01]. Smart cards provide a portable, easy-to-use form factor that many are familiar with using. Smart cards are also capable of processing, and not just storing, information. Also, secret key information is stored tamper-proof on the card. Secret key operations are performed directly on the card; hence, no spy attacks on the secrets are possible. Moreover, high security is achieved when running cryptographic operations in the cards. Smart cards have been advertised as suitable for personal identification tasks, because they are engineered to be tamper resistant. The embedded chip of a smart card usually implements some cryptographic algorithm. The security of smart card-based authentication relies on the security of smart cards, and also on the secrecy of the cryptographic algorithm, the keys stored, and the access control inside the smart card, all of which can become the targets of attackers. Chan [Ch97] reviewed techniques to attack smart cards. He reported that logical attacks are possible (based on the fact that electrically-erasable programmable read-only memory (EEPROM) write operations can be impacted via unusual voltages and temperatures) and that data can be trapped by raising or dropping the supplied voltage to the microcontroller. This process, known as differential power analysis, is also reported by Ross and Markus [AnKu96]. Another problem is that smart cards can be physically disassembled by using acid, abrasives, or some other technique to obtain direct, unrestricted access to the on-board microprocessor. Although such techniques obviously involve a fairly high risk of permanent damage to the chip, they permit much more detailed information (for example, photomicrographs of encryption hardware) to be extracted. Smart card authentication therefore suffers security threats when the physical cards are lost or stolen.

2.3.3. Proof by Property

In a proof by property (inherence) authentication process, an entity proves its identity by proving biometric characteristics. The biometric characteristics are measured and compared with a reference pattern. Biometrics offers greater security and convenience than traditional methods of personal recognition. In some applications, biometrics can replace or supplement the existing technology. Formally, biometric verification can be described as follows [JaRoPr04]:

$$(ID, X_{Bo}) \in \begin{cases} B_1, & \text{if } S(X_{Bo}, X_p) \ge t \\ B_2, & \text{otherwise} \end{cases} \qquad (2.1)$$

For the entity, given an input feature $X_{Bo}$, extracted from the biometric data, and a claimed identity $ID$, it is possible to determine if $(ID, X_{Bo})$ belongs to class $B_1$ (genuine) or $B_2$ (impostor). Function $S$ measures the similarity between $X_{Bo}$ and
$X_p$; $t$ is a predefined threshold. It is notable that biometric measurements of the same entity taken at different times are almost never identical; hence the need for a threshold. Biometric characteristics can be divided into two main classes: physiological traits, which are related to the shape of the body, such as fingerprints, retinal pattern, DNA sequence and hand geometry, and behavioural traits, which are related to the behaviour of a person, such as a signature, keystroke dynamics and voice. According to Prabhakar, Pankanti et al. [PrPaJa03], any trait can serve as a biometric characteristic as long as it satisfies the following criteria:

- Universality: each person should have the characteristic.
- Distinctiveness: any two persons should be sufficiently different in terms of the characteristic.
- Permanence: the characteristic should not vary over a period of time.
- Collectability: the characteristic should be quantitatively measurable.

Historically, the first physiological biometric characteristics were fingerprints. A fingerprint is an impression of the friction ridges of all parts of the finger. It is the oldest form of biometric verification, and also the best example of a proof by property. Persian official and physician Rashid-al-Din Hamadani comments on using fingerprints to identify people in China: "Experience shows that no two individuals have fingers exactly alike" [Co03]. The first behavioural biometric characteristic to be used, and one still widely used today, is the signature. Although signatures require contact with a writing instrument and an effort on the part of the user, they are accepted in government, legal and commercial transactions as a method of verification.
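Equation (2.1) and the threshold $t$ it depends on, as an added Go example that is not part of the thesis. The similarity function (cosine similarity), the enrolled templates, the probe vectors and the score lists are all constructed for illustration; a real matcher is specific to the trait. Beyond the single decision of (2.1), the example also computes the false rejection and false acceptance rates of a score set at a given threshold, which is how the threshold is chosen in practice.

```go
package main

import (
	"fmt"
	"math"
)

// Added example, not from the thesis: equation (2.1) as code. The
// similarity S, the enrolled templates and the score lists below are all
// constructed for illustration; a real matcher depends on the trait.

// Similarity is S(X_Bo, X_p): cosine similarity in [-1, 1], 1 = identical.
func Similarity(xBo, xP []float64) float64 {
	var dot, nBo, nP float64
	for i := range xBo {
		dot += xBo[i] * xP[i]
		nBo += xBo[i] * xBo[i]
		nP += xP[i] * xP[i]
	}
	if nBo == 0 || nP == 0 {
		return 0
	}
	return dot / (math.Sqrt(nBo) * math.Sqrt(nP))
}

// Verify is (2.1): (ID, X_Bo) is in B1 (genuine) iff S(X_Bo, X_p) >= t,
// where X_p is the reference pattern enrolled for the claimed ID.
func Verify(templates map[string][]float64, id string, xBo []float64, t float64) bool {
	xP, ok := templates[id]
	if !ok || len(xP) != len(xBo) {
		return false // unknown identity or malformed probe: treat as B2
	}
	return Similarity(xBo, xP) >= t
}

// ErrorRates reports, for threshold t, the false rejection rate (genuine
// scores below t) and the false acceptance rate (impostor scores at or
// above t). Raising t lowers FAR and raises FRR; the threshold is a policy
// choice between the two.
func ErrorRates(genuine, impostor []float64, t float64) (frr, far float64) {
	for _, s := range genuine {
		if s < t {
			frr++
		}
	}
	for _, s := range impostor {
		if s >= t {
			far++
		}
	}
	return frr / float64(len(genuine)), far / float64(len(impostor))
}

// Constructed sample data (not measurements from any real system).
var (
	Templates = map[string][]float64{
		"alice": {0.9, 0.1, 0.4},
		"bob":   {0.2, 0.8, 0.3},
	}
	AliceProbe     = []float64{0.85, 0.15, 0.45} // alice, re-sensed with noise
	BobProbe       = []float64{0.2, 0.8, 0.3}    // bob's features presented under alice's ID
	GenuineScores  = []float64{0.99, 0.97, 0.93, 0.96, 0.90}
	ImpostorScores = []float64{0.40, 0.55, 0.96, 0.30}
)

func main() {
	const t = 0.95
	fmt.Println("alice claims alice:", Verify(Templates, "alice", AliceProbe, t))
	fmt.Println("bob claims alice:  ", Verify(Templates, "alice", BobProbe, t))
	frr, far := ErrorRates(GenuineScores, ImpostorScores, t)
	fmt.Printf("t=%.2f  FRR=%.2f  FAR=%.2f\n", t, frr, far)
}
```

With the constructed scores, $t = 0.95$ rejects two of five genuine attempts while still admitting one impostor, and $t = 0.5$ rejects no genuine attempt but admits half the impostors; the noise in sensed data discussed below is exactly what pushes genuine scores under the threshold.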
Biometrics as a commercial, modern technology has been around since the early 1970s when the first commercially-available device was brought to market. Shearson Hamill, a Wall Street company, installed a finger-measurement device to serve as a time-keeping and monitoring application [WoOrHi02]. Since then, biometrics has improved tremendously in ease of use and diversity of applications. The advancement of biometrics has been driven by low-cost increased computing power, better algorithms and the cheaper storage mechanisms available today [WoOrHi02]. The fundamental operation of a biometric authentication mechanism follows biometric acquisition, biometric classification and biometric matching [DuJuKo02]. As with many interesting and powerful developments of technology, there are also concerns about biometrics. The biggest concern is the fact that once a fingerprint or other biometric source has been compromised, it is compromised for life. Also, noise in sensed data can result in a user being incorrectly rejected (for example, in the case of a fingerprint with a scar or a voice altered by a cold). Moreover, privacy is another concern: how biometrics, once collected, can be protected.

2.3.4. Authentication versus Authorization

Authentication is the process of verifying that credentials are genuine. Authorization is the process of checking if a validated user is permitted to access a particular resource. More precisely, as defined in Khare [Kh06], authentication is the process of verifying that a claim made by a subject should be treated as acting on behalf of a given principal (for example, person, computer or smart card), while authorization is the process of verifying that an authenticated subject has the authority to perform a certain operation. Therefore, authentication precedes authorization. Also,
authorization cannot occur without authentication. Consequently, the terms authentication and authorization are frequently used together.

2.3.5. Summary

In Section 2.3, the role of authentication factors (knowledge, possession and property) in protecting the user interface in sensitive information systems was investigated and the relationship between authentication and authorization was discussed. The knowledge factor was investigated from a technical perspective (it was reviewed in detail in terms of its technical aspects because the other two factors relate to hardware-based technology), while the possession and property factors were briefly reviewed. The following findings can be presented from the existing literature:

- Protocols (such as EKE and its successors) that use static information (such as passwords) provide weak authentication.
- Protocols (such as OTP, CR and ZKP) that use dynamic information can provide strong authentication. Despite this, extant techniques cannot secure the user interface in sensitive information systems, due to the employment of long-term shared and public keys.
- Lost or stolen physical devices are the biggest concern relating to the possession factor.
- The property factor can be permanently compromised.
- There are no group authentication and authorization protocols to protect sensitive information systems and handle dynamic membership.

Table 2.5 presents a comparison of the three factors. The table lists the advantages and disadvantages of proof by knowledge, possession and property. From the
comparison, it can be seen that no single factor satisfies the security requirements of sensitive information systems. Also, by investigating the extant authentication approaches in sensitive information systems, it is clear that there is no proper technique to protect the user interface in the process of sensitive information retrieval. Moreover, the extant authentication approaches are not able to manage dynamic group member authentication and authorization while allowing individuals to share their sensitive information without sacrificing privacy. Therefore, a new and proper authentication and authorization approach is required. In the next section, we will thoroughly examine the existing approaches to sensitive information storage protection.
Table 2.5. Advantages and Disadvantages of Knowledge, Possession and Property Factors.

Knowledge
  Advantages: simple administration; convenient (password always at hand); inexpensive method of user authentication.
  Disadvantages: relatively weak security; extra dependency on software and hardware.

Possession
  Advantages: stronger user authentication mechanism; strong authentication (dynamically changing information); hard to duplicate.
  Disadvantages: more expensive than the knowledge factor; possibility of lost or stolen devices; extra device; management matters: need to issue hard tokens or smart cards, and track them.

Property
  Advantages: stronger user authentication mechanism; cannot be shared or forgotten.
  Disadvantages: more expensive than the knowledge factor; accuracy concern (noise in sensed biometric data); extra device; compromised for life; privacy concerns.
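Before turning to storage protection, the challenge-response key establishment surveyed in this section is shown once more as an added Go example (not part of the thesis). Encryption is modelled symbolically: a sealed value opens only for a party naming the same key, which is enough to express the Needham-Schroeder ticket of message (iii), the nonce handshake of messages (iv) and (v), and the Kerberos freshness check that a timestamp in the ticket makes possible. Principal names, key labels and the clock values are constructed; the acceptance logic is the point.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Added example, not thesis code. {m}_K is modelled as a Sealed value that
// only opens for a holder of the same key label.

// Ticket is {K_AB, A}_{K_BS}, plus the timestamp Kerberos adds.
type Ticket struct {
	SessionKey string    // K_AB
	Client     string    // A
	IssuedAt   time.Time // zero in Needham-Schroeder; set by the Kerberos KDC
}

// Sealed is {Ticket}_key.
type Sealed struct {
	key string
	t   Ticket
}

func Seal(key string, t Ticket) Sealed { return Sealed{key: key, t: t} }

func Open(key string, s Sealed) (Ticket, bool) {
	if key != s.key {
		return Ticket{}, false
	}
	return s.t, true
}

// KDC is the trusted server S holding every principal's long-term key.
type KDC struct{ keys map[string]string }

// Issue builds the ticket part of message (ii) for A to forward to B.
// withTime selects the Kerberos variant.
func (s *KDC) Issue(a, b, sessionKey string, now time.Time, withTime bool) Sealed {
	t := Ticket{SessionKey: sessionKey, Client: a}
	if withTime {
		t.IssuedAt = now
	}
	return Seal(s.keys[b], t)
}

// Responder is B, holding K_BS.
type Responder struct {
	ltk    string
	maxAge time.Duration
}

// AcceptNS is the original step (iii): B accepts any ticket that opens
// under K_BS, so a ticket it already saw is accepted again when resent.
func (b *Responder) AcceptNS(tk Sealed) (Ticket, error) {
	t, ok := Open(b.ltk, tk)
	if !ok {
		return Ticket{}, errors.New("ticket not under K_BS")
	}
	return t, nil
}

// AcceptKerberos additionally requires a recent timestamp, the freshness
// check Needham-Schroeder lacks.
func (b *Responder) AcceptKerberos(tk Sealed, now time.Time) (Ticket, error) {
	t, err := b.AcceptNS(tk)
	if err != nil {
		return Ticket{}, err
	}
	if t.IssuedAt.IsZero() || now.Sub(t.IssuedAt) > b.maxAge {
		return Ticket{}, errors.New("ticket stale: rejected")
	}
	return t, nil
}

// Handshake is steps (iv)-(v): B sends {n_B}_{K_AB}; A must answer with
// {n_B - 1}_{K_AB}, which succeeds only if both hold the same K_AB.
func Handshake(aKey, bKey string, nB int) bool {
	challenge := map[string]int{bKey: nB} // {n_B}_{K_AB} as B seals it
	n, ok := challenge[aKey]              // A opens it with its own K_AB
	if !ok {
		return false
	}
	response := map[string]int{aKey: n - 1} // {n_B - 1}_{K_AB}
	r, ok := response[bKey]
	return ok && r == nB-1
}

func main() {
	kdc := &KDC{keys: map[string]string{"A": "K_AS", "B": "K_BS"}}
	b := &Responder{ltk: "K_BS", maxAge: 5 * time.Minute}
	t0 := time.Date(2009, 1, 1, 12, 0, 0, 0, time.UTC) // constructed clock
	tkNS := kdc.Issue("A", "B", "K_AB", t0, false)
	tkKrb := kdc.Issue("A", "B", "K_AB", t0, true)
	later := t0.Add(24 * time.Hour)
	_, e1 := b.AcceptNS(tkNS)
	_, e2 := b.AcceptKerberos(tkKrb, later)
	fmt.Println("day-old ticket: NS accepts", e1 == nil, "; Kerberos accepts", e2 == nil)
	fmt.Println("nonce handshake with shared K_AB:", Handshake("K_AB", "K_AB", 41))
}
```

The symbolic model deliberately ignores cryptanalysis; it only separates what a recipient can check (key, timestamp, nonce arithmetic) from what it cannot (whether an otherwise valid ticket is being presented for the first time), which is the distinction the Kerberos timestamp and clock-synchronization requirement exist to resolve.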
2.4. Securing Sensitive Information Storage

Protection of critical data in sensitive information systems involves three components: communication channel, user interface and sensitive information storage. Previous sections have reported on approaches to communication channel and user interface protection mechanisms. In this section, the techniques of sensitive information storage protection are reviewed. According to an Enterprise Strategy Group (ESG) estimate, annual sensitive information growth reaches 50-60% for many organizations [Wh09]. Ensuring the security of sensitive data at rest is thus a worthwhile endeavour. Clark et al. [ClChCh08] suggest that cryptographic techniques for sensitive information storage protection can be divided into two categories: disk encryption and database encryption. In the following sections, these two storage protection techniques are investigated.

2.4.1. Disk Encryption

Disk encryption is a special case of data-at-rest protection where the storage medium is a sector-addressable device, such as a hard disk or a flash card. Two high-level terms describe implementations of disk encryption:

- Full disk encryption (FDE) or whole disk encryption encrypts every bit of data on a disk. This encryption is performed through software such as PGPDisk from PGP Corporation [Pg08], BitLocker Drive Encryption from Microsoft Corporation [Hy08] or McAfee Endpoint Encryption (Safeboot Device Encryption) [Mc07]. The encryption is usually performed on a sector-by-sector basis. A filter driver is loaded into memory at bootup, encrypts every file as it is
written to disk and decrypts any file and data that is moved off the disk. The process is transparent to end users.
- Filesystem-level encryption (FLE) or file or folder encryption is a form of disk encryption where individual files or directories are encrypted by the file system itself. Alternatively a third-party software package, such as Encrypting File System (EFS) for Microsoft Windows [Co06], IBM Encryption Facility for z/OS [Bo07] or EVFS for HP-UX (Encrypted Virtual File System) [Hp07], may perform the encryption.

FDE does not replace FLE, because FDE generally uses the same long-term key for encrypting the whole disk and all data is decipherable while the system runs. Although some FDE solutions use multiple keys for encrypting different partitions, if an adversary gains access to the computer at run time, the adversary has access to all files. In contrast, FLE allows different keys for different folders. An adversary is thus prevented from extracting information from still-encrypted files and folders. In addition, most FDE schemes are vulnerable to a cold-boot attack, in which encryption keys can be stolen by cold-booting a machine already running an operating system, then dumping the contents of memory before the data disappears [HaScHe08]. Overall, for sensitive information protection, FLE offers greater relative security than FDE and, among the FLE software, EFS and the IBM encryption facility are the most secure and widely deployed. These will now be discussed in more detail.

Encrypting File System (EFS)

EFS is a file system driver that provides security for Microsoft Windows (2000 or later). It enables files to be transparently encrypted on Windows NT file systems to
protect confidential data from attackers with physical access to the computer. EFS employs a bulk symmetric key, known as the File Encryption Key (FEK), with symmetric algorithms, such as AES and TDES, to secure sensitive information. The FEK is encrypted with a public key that is associated with the user who encrypted the file. This encrypted FEK is stored in the file header. The mechanism can be described as follows, and is illustrated in Figures 2.15 and 2.16.

Figure 2.15. EFS: File Encryption.

Encrypting a File with EFS. When a user encrypts an existing file, the following process occurs:

i) A file encryption key (FEK) is randomly generated.
ii) A data decryption field (DDF) is created to contain the encrypted FEK.
iii) The existing file is encrypted by the FEK using the AES, 3DES or DESX algorithm, depending on the version of the operating system and the effective security policy.
iv) The FEK is encrypted by the public key of the user.
v) The encrypted FEK is added to the header of the file (DDF).
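The EFS-style hybrid scheme, as an added Go example that is not EFS code and not part of the thesis. It mirrors the five encryption steps just listed and the decryption steps that follow: a fresh random FEK encrypts the file body, and the header's DDF carries that FEK wrapped under the user's RSA public key. AES-256-GCM and RSA-OAEP are this example's choices (EFS uses AES/3DES/DESX and RSA PKCS#1 wrapping); the plaintext in the demonstration is constructed. Decryption with a different user's private key fails at the DDF, and a modified body fails authentication, which is the behaviour a practitioner should expect and check for.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Added example, not EFS code. Header (DDF) holds the wrapped FEK; the
// body is the file content encrypted under the FEK.
type EncryptedFile struct {
	DDF        []byte // FEK encrypted with the user's public key
	Nonce      []byte
	Ciphertext []byte // body encrypted under the FEK (AES-256-GCM here)
}

// NewUserKey generates the per-user RSA key pair EFS keeps in the profile.
func NewUserKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func newGCM(fek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(fek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt performs steps i)-v): random FEK, DDF, encrypt body, wrap FEK, header.
func Encrypt(pub *rsa.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	fek := make([]byte, 32) // i) random FEK
	if _, err := io.ReadFull(rand.Reader, fek); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	body := gcm.Seal(nil, nonce, plaintext, nil) // iii) encrypt the file with the FEK
	// ii), iv) the DDF is the FEK wrapped under the user's public key
	ddf, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fek, []byte("DDF"))
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{DDF: ddf, Nonce: nonce, Ciphertext: body}, nil // v) header
}

// Decrypt performs the three decryption steps: read DDF, unwrap FEK with the
// private key, decrypt the body. Whoever holds priv can open every file whose
// DDF was wrapped under the matching public key, the dependency the text notes.
func Decrypt(priv *rsa.PrivateKey, f *EncryptedFile) ([]byte, error) {
	fek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, f.DDF, []byte("DDF"))
	if err != nil {
		return nil, errors.New("cannot unwrap FEK: wrong or missing private key")
	}
	gcm, err := newGCM(fek)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, f.Nonce, f.Ciphertext, nil) // fails on a modified body
}

func main() {
	user, _ := NewUserKey()
	f, err := Encrypt(&user.PublicKey, []byte("constructed sensitive record"))
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(user, f)
	fmt.Printf("decrypted: %q (err=%v)\n", pt, err)
}
```

Because the DDF is the only copy of the FEK, rotating the user's RSA key means re-wrapping every DDF, and adding a recovery agent means adding a second wrapped copy of the same FEK to each header; both follow directly from the layout above.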
Figure 2.16. EFS: File Decryption.

Decrypting a File with EFS. When a user decrypts an encrypted file, the following process occurs:

i) The file system retrieves the DDF from the file.
ii) EFS retrieves the private key of the user to decrypt the DDF and obtain the FEK.
iii) EFS uses the obtained FEK to decrypt the file.

It is notable that the security of EFS relies on the security of the asymmetric cryptosystem. As discussed in Section 2.1, asymmetric cryptography suffers from brute force key search attacks; therefore, once the user is breached, the sensitive information is disclosed. In addition, the way EFS is used in the MS Windows family leads to security concerns, because an adversary can log in as that user (or recovery agent) and gain access to the RSA private key which can decrypt all files (see http://home.eunet.no/pnordahl/ntpasswd/).

IBM Encryption Facility

The IBM Encryption Facility for z/OS, first introduced in 2005, is a host-based software solution designed to encrypt sensitive data before transferring it to tape for archival purposes or business partner exchange. The encryption services feature is
similar to EFS in that it supports TDES triple-length keys or 128-bit AES keys in z/OS to protect the sensitive information. In addition, IBM uses RSA keys to wrap and unwrap the AES and TDES data keys used to encrypt the file. With this technique, IBM claims that many files can be generated using different encryption keys. However, the problem with this solution is that its security relies on an asymmetric key infrastructure. If the public key pairs are disclosed, no matter how many different encryption keys are used to protect data, the whole data system will be compromised.

2.4.2. Database Encryption

A database is a structured collection of records or data that is stored in a computer system. Based on a database model (such as a relational, hierarchical or object model), the structure is achieved by organizing the data. The relational model (as seen in Microsoft SQL Server or Oracle Database) is the most common today. Because security has become a major issue in recent years, many commercial database vendors provide built-in encryption mechanisms. Data is encoded natively into the tables and deciphered "on the fly" when a query comes in. Most relational database management systems (RDBMS) conduct database security by applying database encryption that uses cryptographic keys to encipher the sensitive data [Gu06]. The security of the RDBMS therefore relies on the security of the cryptographic keys, and key management in database management systems plays an important role in sensitive information protection.

Key Management in SQL Server

SQL Server uses encryption keys to help secure data and credentials stored in a server database. In SQL Server, encryption keys include a combination of symmetric
and asymmetric keys that are used to protect sensitive data. The symmetric key (database encryption key, DEK) is randomly generated for each user at the first start of the service and is stored in SQL Server. The DEK is protected by a pair of asymmetric keys created by the operating system. The private key of the asymmetric key pair is secured by a symmetric key (database master key, DMK), which is under the protection of the service master key (SMK). At the root of the cryptographic key hierarchy is the Windows Data Protection Application Programming Interface (DPAPI), which secures the key hierarchy at the machine level and is used to protect the service master key (SMK) for the database server instance [Hs08]. This architecture of key management is named transparent data encryption (TDE). TDE is a new encryption feature introduced in Microsoft SQL Server 2008, and is designed to provide protection for the entire database at rest without affecting existing applications. Figure 2.17 shows the full encryption hierarchy. It is notable that the security of SQL Server relies on the security of DPAPI. The mechanism of encrypting data is the same as in EFS. A breach of DPAPI results in the operating system being compromised. The disclosure of the DMK compromises all sensitive information in the database. The exposure of a DEK leads to the leakage of sensitive information. In other words, the use of long-term keys creates the possibility of a security breach in SQL Server. In addition, such an architecture does not address the privilege of the database administrator, who is able to access all user data. In short, in SQL Server, the privacy of users cannot be guaranteed.
Figure 2.17. Transparent Data Encryption Hierarchy.

Key Management in Oracle Database

Unlike SQL Server, where database administrators (DBAs) have total privileges and are able to access all data, Oracle Database [Na05] supports limited partitioning of DBA privileges into system operator (SYSOPER) and all DBA privileges (SYSDBA). However, the partitioning does not solve the root cause of the DBA privilege problem. Oracle Database also provides Advanced Security transparent data encryption (TDE; Oracle uses the same term as SQL Server). TDE provides built-in key management and complete transparency for encryption of sensitive application data. TDE encrypts data before it is written to disk and decrypts data before it is returned to the application. The key management in Oracle Database is illustrated in Figure 2.18. TDE generates an encryption key randomly, called the table key $K_{table}$, to secure table columns. If there is more than one column in a single table, the same key is used for all columns. Each table key is stored
in the Oracle data dictionary and is encrypted using the TDE master encryption key (MEK). The MEK is stored outside the database, using Oracle Wallet and a hardware security module such as a smart card.

Figure 2.18. TDE in Oracle Database.

It is observable that the security of Oracle has been improved theoretically compared to SQL Server, because Oracle employs table keys to encipher each table whereas SQL Server uses one DEK to secure all sensitive data of one user. However, the security of Oracle Database is similar to SQL Server in that it relies on the security of the MEK. In other words, a breach of the MEK exposes all sensitive information in the database. The MEK is stored in Oracle Wallet, and, as discussed in Section 2.2.2 (proof by possession), hardware security modules, such as smart cards, can be lost or stolen. Also, damage to the hardware security module can cause the loss of sensitive information.
2.4.3. Summary

In Section 2.3, protecting sensitive information at rest was investigated by categorizing disk encryption and database encryption. Having reviewed the literature on sensitive information storage protection, the following findings can be presented:

- The security of disk encryption relies on long-term asymmetric or symmetric keys. Once these keys are compromised, the sensitive information on the disk is disclosed.
- The security of database encryption relies on a number of long-term symmetric and asymmetric keys. The compromise of the master encryption key results in exposure of all sensitive data.
- The DBA in database encryption has full privileges and can access all information in the database, which can lead to a breach of sensitive information systems.
- Neither disk encryption nor database encryption can ensure privacy protection.

The pros and cons of disk and database encryption for sensitive information storage protection are presented in Table 2.6. From the table, it can be seen that neither technique can ensure privacy protection, and also that the security of both relies on long-term keys and public keys. Also, none of the existing approaches to protecting information storage can manage dynamic ownership of sensitive information (for example, in the case that a user loses the asymmetric key in z/OS or that the ownership of sensitive information is changed in a database). Therefore, a new technique in sensitive information storage protection is necessary.
Table 2.6. Advantages and Disadvantages of Disk Encryption and Database Encryption.

Disk Encryption
  Advantages: transparent data encryption; various authentication processes available to secure the disk password, such as hard token, soft token and pass phrase.
  Disadvantages: security relies on long-term keys; one key for all sensitive information; a corrupted unique recovery key loses the utility of the sensitive information; increase in data access times; lack of privacy protection; disk administrator has full privileges over the disk.

Database Encryption
  Advantages: transparent data encryption; different tables can be encrypted with different keys.
  Disadvantages: weak privacy protection; security relies on long-term keys; key management has to be sophisticated; requires tight integration with the database; DBA has full privileges over the database.
2.5. The Current Models for Information Security

In the previous sections (2.2 securing the communication channel, 2.3 securing the user interface and 2.4 securing sensitive information storage), the extant technical approaches to protecting sensitive information have been investigated. In this section, according to Section 1.2.1 (characteristics of sensitive information 26), we review the existing information security models 27 used for the security assessment of sensitive information systems. According to the discussion in Section 1.2 (sensitive information), sensitive information systems inherit the properties of information systems. Availability is thus an essential principle for both information systems and sensitive information systems. The availability attribute is not necessary in the security assessment of sensitive information systems as it is already included in information systems. Moreover, for sensitive information, attributes such as confidentiality, integrity, authenticity, authority and possession are more important than the attribute of availability, since the loss of availability does not harm sensitive information itself. Therefore, the security assessment properties for sensitive information systems are Authenticity, Authority, INtegrity (IN), Non-Repudiation (NR), COnfidentiality (CO) and UTility (UT). Moreover, as discussed in Section 2.3.4 (authentication versus authorization), the terms authentication and authorization are always used together. We thus discuss authenticity and authority (AA) together for sensitive information systems.

26 Characteristics of sensitive information are authenticity, confidentiality, possession (authority), integrity, non-repudiation, utility and availability.

27 A security model is a framework that can be used to guide the design of a sensitive information system or to evaluate the security of a sensitive information system.
As historical aspects of information security models, the traditional model, the CIA (confidentiality, integrity and availability) Triad [Cn92, Pe08], has been used as the principle of information security since computers were introduced. Using the CIA Triad as a foundation, many groups have proposed security frameworks for information security, including the Organisation for Economic Cooperation and Development (OECD) [Oe92]. The frameworks include the Generally Accepted System Security Principles (GASSP) [Po99], developed by the International Information Security Foundation (I²SF) Sponsored Committee, and the British Code of Practice proposed by the UK Department of Trade and Industry (DTI) [BS93]. With the development of IT, a new type of model was required. The US Department of Defence (DoD) recognized the limitation of the CIA Triad by adding two additional elements (authenticity and non-repudiation). The Trusted Computer System Evaluation Criteria [LaBrHa85] (commonly known as the Orange Book) became "...one of the most renowned publications on computer security, and has had a profound influence in encouraging computer manufacturers to include security in their products for many years", said Parker [Pa98]. He also argued that the CIA foundation of information security has shortcomings and proposed a new model, named the Parkerian Hexad, by adding three extra elements (utility, authenticity and possession). In the following sections, two profound and widely deployed information security models, the CIA Triad and the Parkerian Hexad, are discussed.

2.5.1. CIA Triad

For over twenty years information security has held confidentiality, integrity and availability (known as the CIA Triad; shown in Figure 2.19) as its core principles.
Figure 2.19. CIA Triad.

Confidentiality is the property of preventing disclosure of information to unauthorized individuals or systems, such as a credit card transaction on the Internet and personal medical records in healthcare. Integrity ensures that data is an accurate and unchanged representation of the original secure information, such as transaction continuity and completeness in business. Availability ensures that the information concerned is readily accessible to the authorised viewer at all times, such as preventing denial-of-service attacks in Internet banking systems. While the CIA model was appropriate when computing environments were simple, it is not suited to larger and more complex systems such as those associated with electronic business (e-business), electronic medical record (EMR) systems and electronic government (e-gov). As recognised by the US DoD, the non-repudiation and authenticity characteristics of current information development were not included in the CIA model. Nor did the CIA model address another current area of concern: information possession. For example, making unauthorized copies of copyrighted software constitutes theft, but does not breach the tenets of the CIA model, and the issue is one of possession rather than a loss of confidentiality, integrity and availability [Pa98].
2.5.2. Parkerian Hexad

Because of the limitations of the CIA Triad, the Parkerian Hexad (see Figure 2.20) was proposed by Donn B. Parker. Incorporating six elements of information security, the Parkerian Hexad adds three additional attributes to the CIA Triad. The six elements are:

- Confidentiality: the limited observation and disclosure of knowledge.
- Possession: the holding, control and ability to use information.
- Integrity: the completeness, wholeness and readability of information and quality being unchanged from a previous state.
- Authenticity: the validity, conformance and genuineness of information.
- Availability: the usability of information for a purpose.
- Utility: the usefulness of information for a purpose.

Figure 2.20. Parkerian Hexad.

The Parkerian Hexad is non-overlapping. This means each principle (attribute) is absolutely necessary to ensure that security is maintained. However, each principle can
be relationally linked to each of the three components of the traditional CIA model. The new model can also be used to evaluate the security of information systems. However, it has limitations. Like the CIA Triad, the Parkerian Hexad also lacks a non-repudiation attribute (where, in the case of Internet banking transactions, a legal entity denies its actions in such systems). Another concern is that privacy is not addressed by the Parkerian Hexad. Privacy may be implied by confidentiality, but privacy goes beyond confidentiality. The sensitive information of users must be protected, and that protection is just part of privacy. Protection also requires users to manage their information, such as delegating permission on partially-sensitive information, in order to protect assets. For example, in a healthcare system, a patient should be able to control his or her sensitive medical information in terms of authorizing who can access the information and what information can be retrieved. In this regard, the Parkerian Hexad fails to address information authority.

2.5.3. Summary

In Section 2.5, information security models were investigated for the evaluation of sensitive information systems. As a result of reviewing the CIA Triad and the Parkerian Hexad, the following findings can be presented:

- The CIA Triad is not suitable for modern information systems.
- The Parkerian Hexad fails to address privacy concerns, and it is not suitable for modern sensitive information systems, since it lacks assessment properties (non-repudiation and authority).
As a result of these findings, it would appear that a new security model is required for sensitive information assessment. The new model should contain the attributes of authenticity, authority (AA), integrity (IN), non-repudiation (NR), confidentiality (CO) and utility (UT). Availability is not essential for sensitive information security assessment, because, in an extreme scenario, such as a national threat, the availability of sensitive information can be constrained for the public.

2.6. Conclusion

In this chapter, we investigated existing techniques to protect sensitive information through the three components of sensitive information systems: communication channel, user interface and sensitive information storage. The security issues and concerns are highlighted in Table 2.7. The table summarizes the problems and challenges of sensitive information protection with the current approaches. From the literature, it is apparent that the existing approaches are technically not able to protect sensitive information. For example, IPsec and SSL/TLS (Section 2.2.1) cannot protect sensitive information at rest, while multicast communication approaches (GDH, LKH and Iolus) (Section 2.2.2) can only secure multicast communication. Challenge-response (CR) mechanisms, smart cards and biometrics (Section 2.3) cannot guarantee the security of the communication channel and sensitive information storage, while encrypting file systems and database approaches (Section 2.4) do not guarantee the security of the communication channel.
Table 2.7. Problems in Sensitive Information Security.

Component: Security Problems and Challenges

Communication Channel (Unicast):
  - Master key secrecy (long-term shared key)
  - Session key distribution
  - Public key secrecy
  - Privacy protection

Communication Channel (Multicast):
  - Group key unicast secrecy (long-term shared key)
  - Group authentication and authorization

User Interface:
  - Long-term shared key (knowledge factor)
  - Privacy and accuracy concerns (property factor)
  - Lifetime compromise (possession factor)

Sensitive Information Storage:
  - Encryption key secrecy (long-term shared key)
  - Public key secrecy
  - Privacy protection
  - Dynamic sensitive information ownership
  - Group access privilege management issue

Moreover, in addition to the above limitations, each approach can only address one particular security aspect. The lack of a complete architecture for protecting sensitive information therefore results in an ad hoc, rather than an integrated, approach. However, the employment of long-term keys and public keys constrains the security of existing approaches. Issues such as group sensitive information sharing (communication channel), group authentication and authorization (user interface), sensitive information ownership (sensitive information storage) and privacy protection
(three components) also create challenges for the protection of sensitive information systems. This chapter has also examined information security models for the security assessment of sensitive information systems. Due to their lack of assessment properties, the existing models, such as the CIA Triad and the Parkerian Hexad, are suited neither to evaluating the security of sensitive information systems nor to guiding the design of sensitive information architecture. In response to these limitations, we therefore propose a novel security architecture for sensitive information systems (presented in Chapter 3) to tackle the problems and challenges. In addition, due to the lack of assessment properties within the existing information security models, a novel sensitive information security model is also presented in Chapter 3 to assess the proposed security architecture.
Chapter 3. Security Architecture for Sensitive Information Systems

Based on the previous discussion of the drawbacks of existing approaches to sensitive information protection, we concluded that the employment of long-term shared keys and public keys results in security threats and concerns in sensitive information systems. This is because the entropy (uncertainty) of the keys decreases when the keys are involved in frequent communication; they then face a greater risk of exposure. In addition, we also concluded, in Chapter 2, that the issues of privacy protection, sensitive information ownership, dynamic sensitive information sharing and group authentication and authorization create challenges for the protection of sensitive information systems. More importantly, currently no complete solution exists to help protect sensitive information in the three components of communication channel, user interface and sensitive information storage. The security comparison of symmetric keys in Section 2.1.1 has shown that dynamic keys provide stronger security than long-term shared, session, or one-time pad keys. Therefore, in this chapter we formally propose and define a new security
architecture as a complete solution for the protection of sensitive information systems. The architecture features dynamic keys to eliminate the security threats and concerns caused by the employment of long-term shared keys and public keys. To introduce the security architecture, this chapter starts by defining and verifying dynamic keys and their properties (Section 3.1.1). It then moves on to analyse long-term shared keys (Section 3.1.2) and public keys (Section 3.1.3) in order to formally argue for the employment of dynamic keys in the security architecture. The arguments show that dynamic keys provide stronger security than long-term shared keys and public keys in sensitive information protection. Using the arguments, dynamic key theory is applied in the security architecture (Section 3.2.3) to protect sensitive information. By combining the dynamic keys, a new group key agreement is proposed and defined formally (Section 3.2.4) to tackle issues such as group sensitive information sharing and privacy protection. In the proposed security architecture, a new group authentication and authorization approach (Section 3.2.5) and a new approach to protecting sensitive information at rest (Section 3.2.6) are also defined to protect user interface and sensitive information storage in order to solve the dynamic membership, sensitive information ownership and group access privilege management issues in sensitive information systems. Subsequently, a number of definitions are given to describe the components of the security architecture and the relationships among the components. We state the security goals of the security architecture in order to show the security expectations for the proposed architecture. In Section 3.3, we propose a novel sensitive information security model that compensates for the lack of assessment properties in the CIA Triad and the Parkerian Hexad. (We later build the model in Chapter 5 to assess whether the
proposed security architecture satisfies the goals after the security statements of each component have been verified and proved.) The chapter concludes with Section 3.4.

3.1. Dynamic Key Theory

A dynamic key is a single-use symmetric key used for generating tokens and encrypting messages in one communication flow. Each key is a nonce, which stands for number used once [AnAn01]. The use of dynamic keys introduces complications, such as key synchronization, in cryptographic systems. However, it also helps with some problems, such as reducing key distribution and enhancing key security. There are three primary reasons for the use of dynamic keys in sensitive information protection. First, securing sensitive information by using long-term symmetric keys makes SIS more vulnerable to adversaries. In contrast, using dynamic keys makes attacks more difficult. Second, most sound encryption algorithms require cryptographic keys to be distributed securely before enciphering takes place. However, key distribution is one of the weaknesses of symmetric key algorithms. Although asymmetric key algorithms do not require key distribution, they are, in general, slow and susceptible to brute force key search attack. This situation can be improved by using asymmetric key algorithms once only to distribute an encrypted secret. Dynamic keys can then be generated based on the secret and other key materials. This process can improve the overall security considerably. Last, but not least, security tokens (as discussed in Section 2.3.1) can be generated by either long-term symmetric keys or nonce dynamic
keys. Even though both methods generate varying tokens every time, the dynamic key method is more difficult to break than the long-term key method²⁸. In accordance with the primary reasons for using dynamic keys in sensitive information protection, it is necessary to have an unambiguous and formal definition. In addition, the idea of dynamic keys is derived from TAN [Op96] and its successors mentioned in Section 2.3.1. Therefore, the notion of a one-way function [Me96] is used for reference. This is defined as "... a function f such that for each x in the domain of f, it is easy to compute f(x); but for essentially all y in the range of f, it is computationally infeasible to find any x such that y = f(x)". Formally, a function $f : \{0,1\}^* \to \{0,1\}^*$ is one way if, and only if, f is polynomial time computable, and for any probabilistic polynomial time algorithm A, the probability that A successfully inverts $f(x)$, for random $x \in_R \{0,1\}^*$, is negligible [TaWe06]. Therefore, dynamic keys can be defined as follows:

Definition 3.1 (Dynamic Keys) Dynamic keys $DK = \{dk_i \mid i \in \mathbb{N}\}$ are synchronously offline generated by a special one-way function $f(\cdot)$ in two entities P and Q based on a form of pre-shared secret (s). Concisely:

$DK = \{ f(\text{forms of } s) \}$ (3.1)

where

$\forall x, y\ (x \neq y):\ f(x) \neq f(y)$ (3.2)

²⁸ Due to the limitations of long-term shared keys, once the key is compromised, the security of the generated token is breached.
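As an added illustration of Definition 3.1 (this is example code, not code from the thesis), the following Python models two entities P and Q that derive single-use keys offline from a pre-shared secret s and never transmit anything key-related. The "special one-way function" $f(\cdot)$ is instantiated with HMAC-SHA-256 keyed with s, and the key index i is the "form of s" that changes from one key to the next; both choices, the 128-bit key length and the seeds are assumptions of this example, since the thesis fixes none of them. The helper functions check, on constructed seeds, the consistency and collision properties that the next section proves as Theorems 3.3 and 3.4.

```python
import hashlib
import hmac

KEY_BITS = 128  # m, the dynamic key length in bits (assumed for this example)


def dynamic_key(shared_secret: bytes, index: int, key_bits: int = KEY_BITS) -> bytes:
    """dk_i = f(form_i(s)): HMAC-SHA-256 keyed with the pre-shared secret s over
    the key index i, truncated to m bits. HMAC stands in for the thesis's
    'special one-way function' f(.); the index is the 'form of s' that changes
    per key, so the same secret never yields the same key twice."""
    form_of_s = index.to_bytes(8, "big")
    digest = hmac.new(shared_secret, form_of_s, hashlib.sha256).digest()
    return digest[: key_bits // 8]


class Entity:
    """One of the two entities P and Q. Each holds s and a key counter and
    derives keys offline; no key and no seed is ever sent over the channel."""

    def __init__(self, name: str, shared_secret: bytes):
        self.name = name
        self._secret = shared_secret
        self._next_index = 0

    def next_key(self) -> bytes:
        dk = dynamic_key(self._secret, self._next_index)
        self._next_index += 1  # single use: an index is never reused
        return dk


def key_sequence(shared_secret: bytes, n: int) -> list:
    """DK = {dk_1, ..., dk_n} for one seed, as a list in generation order."""
    return [dynamic_key(shared_secret, i) for i in range(n)]


def keys_consistent(seed: bytes, n: int) -> bool:
    """Theorem 3.4 (key consistency): the same f(.) and the same seed give
    P and Q identical key sequences without any exchange."""
    p, q = Entity("P", seed), Entity("Q", seed)
    return all(p.next_key() == q.next_key() for _ in range(n))


def no_collisions(seed_x: bytes, seed_y: bytes, n: int) -> bool:
    """Theorem 3.3 / eq. (3.2): n keys from S_X and n keys from S_Y
    (S_X != S_Y) are pairwise distinct."""
    keys = key_sequence(seed_x, n) + key_sequence(seed_y, n)
    return len(set(keys)) == len(keys)


def next_key_from_former_keys(former_keys: list) -> bytes:
    """What a party holding {dk_0, ..., dk_i} but not s could try: feed the
    newest known key back through f(.) as if the scheme were a hash chain.
    Because dk_{i+1} depends on s and i+1, not on dk_i, the result is not the
    next key. This only shows the sequence is not self-derivable; the
    computational claim of Theorem 3.2 rests on the one-way function."""
    return dynamic_key(former_keys[-1], len(former_keys))
```

Because each key is bound to its index, P and Q must stay synchronized on the counter; a lost or replayed message that desynchronizes the two counters is the "key synchronization" complication the section mentions, and a deployment needs an agreed resynchronization rule for it.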
The special one-way function dynamic key generation scheme has been proposed in [Ku05, KuLeSr05, LZh04, RuWr02]. However, the formal proofs have never been given; consequently, having formally defined dynamic keys, the cryptographic properties of dynamic keys are discussed and proved in the next section.

3.1.1. Cryptographic Properties

One of the most important security requirements of dynamic key theory is key freshness. This means a generated dynamic key must be guaranteed to be new and able to be used only once. Furthermore, a dynamic key should be known only to the involved entities. Therefore, four important security properties of dynamic keys (dynamic key secrecy, former key secrecy, key collision resistance and key consistency) are given based on Definition 3.1 as follows.

Suppose that a set of dynamic keys is generated n times, the sequence of successive dynamic keys is $DK = \{dk_1, dk_2, \ldots, dk_n\}$ and $f(\cdot)$ is a special one-way function to generate DK. The properties are:

Theorem 3.1 (Dynamic Key Secrecy) Dynamic key secrecy guarantees that it is computationally infeasible for an adversary to discover any dynamic key $dk_i \in DK$.

Proof: From the definition it is apparent that the key generation algorithm is a one-way function. The dynamic key generation function therefore inherits the properties of the one-way function, with the consequence that for any probabilistic polynomial time algorithm A, the probability that A successfully inverts $f(x)$, for
random $x \in_R \{0,1\}^*$, is negligible. Thus, it is computationally infeasible for an adversary to discover any dynamic key.

Theorem 3.2 (Former Key Secrecy) Former key secrecy ensures that an adversary who knows a contiguous subset of used dynamic keys (say $\{dk_0, dk_1, \ldots, dk_i\}$) cannot discover any subsequent dynamic key $dk_j$, where $dk_j$ is the newest generated and $j > i$.

Proof: Assuming n dynamic keys, let $B_i$ denote the event of selecting a dynamic key from dynamic key i ($dk_i$). Notice that $B_1, \ldots, B_n$ form a partition of the sample space for the experiment of selecting a dynamic key. Let A denote the event that the selected dynamic key is compromised. Therefore, based on Bayes' rule, the probability that $dk_j$ is compromised is

$\Pr(B_j \mid A) = \dfrac{\Pr(B_j)\Pr(A \mid B_j)}{\sum_{i=1}^{n} \Pr(B_i)\Pr(A \mid B_i)}$.

According to the argument in the proof of Theorem 3.1, it is computationally infeasible for an adversary to discover any dynamic key. In other words, given a fresh dynamic key $dk_j$, the probability of this key being compromised is $\Pr(A \mid B_j) = 0$, and hence $\Pr(B_j \mid A) = 0$. Even if a contiguous subset of used dynamic keys becomes known, the security of subsequent fresh keys will not be affected.
Theorem 3.3 (Key Collision Resistance) Key collision resistance means that given a dynamic key generation algorithm $f(\cdot)$ and two initial seeds $S_X$ and $S_Y$ ($S_X \neq S_Y$), the probability of key collision is negligible.

Proof: Let $\lambda$ be the probability of dynamic key collision with two different initial seeds. The probability of no key collision can then be characterized by a Poisson distribution²⁹ [Sc94]:

$\Pr(y) = \dfrac{\lambda^y e^{-\lambda}}{y!}, \quad y = 0, 1, 2, \ldots$

Where $y = 0$, no key collision event can occur and we have $\Pr(0) = \dfrac{\lambda^0 e^{-\lambda}}{0!} = e^{-\lambda}$. Since $f(x)$ is a special one-way function, the probability $\Pr(0)$ converges towards 1 and $\lambda \to 0$. The value $\lambda$ is negligible, which completes the proof.

Theorem 3.4 (Key Consistency) Key consistency guarantees the production of sequential, consistent dynamic keys DK if given the same $f(\cdot)$ and an initial seed.

Proof: Given the same $f(\cdot)$ and an initial seed, two entities P and Q can generate one set of dynamic keys. Let B denote the event of having distinct initial seeds for the two entities. $\bar{B}$ is the complement of B, which has the same initial seed for both entities. Let A denote the event of producing the same output under $f(\cdot)$. From Theorem 3.3, the probability of the two distinct inputs, $S_X$ and $S_Y$, and $f(\cdot)$ producing the same output is negligible. The probability of producing the same output by a given $f(\cdot)$ and two distinct seeds therefore converges towards 0.

²⁹ In probability theory and statistics, the Poisson distribution is a discrete probability distribution that expresses the probability of a number of events occurring in a fixed period of time if these events occur with a known average rate and independently of the time since the last event.
Hence:

$\Pr(B \mid A) \to 0$

Since $\bar{B}$ is the complement of B, according to the additive and multiplicative rules of probability, we have:

$\Pr(A) = \Pr(A \cap B) + \Pr(A \cap \bar{B})$

and

$\Pr(A \cap B) = \Pr(B)\Pr(A \mid B)$

Therefore, we have:

$\Pr(\bar{B} \mid A) = 1 - \Pr(B \mid A)$

It follows that:

$\Pr(\bar{B} \mid A) \to 1$

Therefore, given the same seed and $f(\cdot)$, the two entities can generate the same set of dynamic keys.

This section discussed the cryptographic properties of dynamic keys. Using these properties, the next section will argue that dynamic keys provide stronger security than other symmetric keys.

3.1.2. Dynamic Keys versus Symmetric Cryptography

Suppose that $G(\cdot)$ is a dynamic key generation algorithm and it satisfies the dynamic key cryptographic properties. Let $DK = \{dk_1, dk_2, \ldots, dk_n\}$ be the sequence of successive dynamic keys of m bits length; its key space is then $2^m$. Also, as was proved in Theorem 3.3, the probability of dynamic key collision is negligible. Therefore an adversary must traverse the whole key space to determine the current dynamic key. In
other words, the probability of finding the key is $\frac{1}{2^m}$. This verdict supports Theorem 3.1, which demonstrates that it is computationally infeasible to discover a dynamic key. Moreover, the initial seed, $S_X$ or $S_Y$, never participates in the information transaction. In this case, the uncertainty or entropy³⁰ of the seeds is its length, because $H(\text{seed}) = \log(2^{\text{length}}) = \text{length}$³¹. Hence, an adversary who knows a contiguous subset of used dynamic keys (say $\{dk_0, dk_1, \ldots, dk_i\}$) cannot discover any subsequent dynamic keys. This argument supports Theorem 3.2. In addition to the above discussion, as discussed in Sections 2.1.1 and 2.3.1, a one-time pad has the same security level as dynamic keys. However, the distribution of the one-time pad is inconvenient and usually poses a significant security risk. Also, unlike modern ciphers, the pad length must be extremely long and the number of pads must be large. One-time pads are rarely employed in modern sensitive information systems. More to the point, the difference between session keys and long-term shared keys is their lifetimes. In terms of information theory, the entropy of session keys and long-term shared keys is the same if, and only if, the key length is the same. Also, the entropy of keys declines when the keys are involved in communication. We therefore discuss long-term shared keys and dynamic keys in some detail. By combining the dynamic key cryptographic properties, the following result can be given.

³⁰ Entropy (refers to Shannon entropy) is a measure of the difficulty in guessing a random variable. It is measured in Shannon bits. For example, a random 10-letter English text has an estimated entropy of around 15 Shannon bits, meaning that on average it has $26^{10}$ possible combinations, and its Shannon bits are $H(26^{10}) = \log(26^{10}) \approx 15$.
³¹ In this thesis, log invariably means log to the base 2.
Theorem 3.5 Dynamic keys are more secure than long-term shared keys for protecting communication or sensitive information.

Proof: Let K be the key space for dynamic or long-term keys. Owing to the dynamic key cryptographic properties and their features, by observing $K_{dk}$, the uncertainty is represented by $H(K_{dk})$; thus, the entropy of any new dynamic key is:

$H(K_{dk}) = \log(2^m) = m$

For the long-term key $K_k$, assume the key size is l (normally, $l \geq m$). When the long-term key is fresh, the uncertainty of the key is:

$H(K_k) = l$

However, after using the key n times, the uncertainty of the key is reduced to:

$H(K_k) = \log(2^l - n)$

The entropy of long-term keys and dynamic keys is illustrated in Figure 3.1.

Figure 3.1. Entropy of Dynamic and Long-term Keys.
As shown in Figure 3.1, in the case that l is greater than m, after $2^l - 2^m$ times³² the entropy of the long-term key is the same as that of the dynamic key, and after $2^l - 1$ times the entropy of the long-term key is zero. In the case of $l = m$, the entropy of the long-term key declines as it is involved in communication. However, in both cases, the entropy of dynamic keys remains the same at value m. Therefore, dynamic keys are more secure than a long-term key and are better able to protect communication or sensitive information.

This section has argued that fresh dynamic keys provide stronger security than long-term keys, including session keys. The next section will compare dynamic keys to asymmetric keys to show that asymmetric cryptography is insecure in sensitive information protection.

3.1.3. Dynamic Keys versus Asymmetric Cryptography

According to Theorem 3.5, as the long-term keys are repeatedly used, the entropy of the keys converges towards 0; that is, $H(K_k) = \log(2^l - n) \to 0$ as $n \to 2^l - 1$. However, the entropy of the dynamic keys remains the same due to the single-use nature and cryptographic properties of dynamic keys. Therefore, a corollary can be induced.

Corollary 3.1 If, and only if, $F(X)$ is a function of X, the entropy $H(F(X) \mid X)$ is zero.

³² The entropy of the long-term shared key is $H(K_k) = \log(2^l - n)$ after using the key n times. Therefore, after the use of the key $2^l - 2^m$ times, the entropy of the long-term shared key is $H(K_k) = \log(2^l - (2^l - 2^m)) = \log(2^m) = m$. The entropy is the same as that of a dynamic key, $H(K_{dk}) = \log(2^m) = m$.
Proof: Based on conditional information entropy [Gr90], we have:

$H(F(X) \mid X) = H(F(X), X) - H(X)$

and, for X and $F(X)$ with outcomes $x_i \in X$ and $f(x_i) \in F(X)$, according to the definition of information entropy $H(X) = -\sum_{i=1}^{n} \Pr(x_i) \log \Pr(x_i)$, we have:

$H(F(X) \mid X) = -\sum_{i=1}^{n} \Pr(f(x_i), x_i) \log \Pr(f(x_i), x_i) + \sum_{i=1}^{n} \Pr(x_i) \log \Pr(x_i)$

and, following the multiplicative rule of probability [Sc94], we have:

$H(F(X) \mid X) = -\sum_{i=1}^{n} \Pr(f(x_i) \mid x_i)\Pr(x_i) \log\big(\Pr(f(x_i) \mid x_i)\Pr(x_i)\big) + \sum_{i=1}^{n} \Pr(x_i) \log \Pr(x_i)$

Since $f(x_i)$ is a function mapping $x_i$ to $f(x_i)$, given $x_i$ the probability of working out $f(x_i)$ is 1, such that $\Pr(f(x_i) \mid x_i) = 1$. Therefore we have:

$H(F(X) \mid X) = -\sum_{i=1}^{n} \Pr(x_i) \log \Pr(x_i) + \sum_{i=1}^{n} \Pr(x_i) \log \Pr(x_i)$

It follows that:

$H(F(X) \mid X) = 0$

Therefore, if $F(X)$ is a function of X, the entropy $H(F(X) \mid X)$ is zero, and the proof is completed.

The corollary proves that a cryptosystem provides only computational security. Thus, it can be extended to the following statement.
Theorem 3.6 Asymmetric cryptography in protecting sensitive information is insecure.

Proof: Suppose C is the cipher text and M the plain text in an asymmetric cryptosystem. If f is the decryption function, we have:

$f(C) = M$

Since $H(F(X) \mid X) = 0$, let $X = C$ and $F(X) = f(X)$; we have:

$H(f(C) \mid C) = 0$

Therefore, $H(M \mid C) = 0$. In other words, all the uncertainty of the plain text is stored in the cipher text, which is known. The proof is completed.

From Corollary 3.1 and Theorem 3.6 it can be concluded that an asymmetric cryptosystem provides only computational security. That is, given sufficient time and resources, any asymmetric cryptosystem is breakable. However, the security of using dynamic keys does not rely on cryptographic functions, but on their cryptographic properties. Section 3.1.2 has identified that dynamic keys provide stronger security than long-term shared keys or session keys, and this section has proved that asymmetric keys are insecure in sensitive information protection. Therefore, in the next section, we will present a novel security architecture for sensitive information systems by applying dynamic key theory.
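The entropy arguments of Theorem 3.5 (with the parity point of footnote 32) and the conditional-entropy chain rule at the start of the proof of Corollary 3.1 can be computed directly. The Python below is an added example serving both passages, not the thesis's own code: it evaluates $H(K_{dk}) = m$ and $H(K_k) = \log(2^l - n)$ for constructed key lengths, and computes $H(F(X) \mid X)$ over a constructed distribution. The noisy-copy function is an added contrast case of this example, showing the conditional entropy is non-zero as soon as Y is not a function of X.

```python
import math


def dynamic_key_entropy(m: int) -> float:
    """H(K_dk) = log(2^m) = m: a fresh single-use key keeps its full entropy."""
    return float(m)


def long_term_key_entropy(l: int, n: int) -> float:
    """H(K_k) = log(2^l - n): the thesis's model of an l-bit long-term key
    after n uses, each use removing one candidate from the key space."""
    remaining = 2 ** l - n
    if remaining < 1:
        raise ValueError("key space exhausted: n must be at most 2^l - 1")
    return math.log2(remaining)


def uses_until_parity(l: int, m: int) -> int:
    """Footnote 32: after 2^l - 2^m uses, H(K_k) = log(2^m) = m = H(K_dk)."""
    return 2 ** l - 2 ** m


def entropy(dist: dict) -> float:
    """Shannon entropy in bits, H = -sum p log p, of an {outcome: probability} map."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)


def conditional_entropy(joint: dict, marginal_x: dict) -> float:
    """H(Y|X) = H(X, Y) - H(X), the chain rule the corollary's proof starts from.
    joint maps (y, x) pairs to probabilities; marginal_x maps x to Pr(x)."""
    return entropy(joint) - entropy(marginal_x)


def conditional_entropy_of_function(px: dict, f) -> float:
    """Corollary 3.1: when Y = F(X), Pr(f(x)|x) = 1 for every x, so the
    joint distribution has exactly the masses of Pr(x) and H(F(X)|X) = 0."""
    joint = {}
    for x, p in px.items():
        joint[(f(x), x)] = joint.get((f(x), x), 0.0) + p
    return conditional_entropy(joint, px)


def conditional_entropy_of_noisy_copy(px: dict, flip_prob: float) -> float:
    """Contrast case (constructed): X is a bit, Y is X flipped with probability
    flip_prob. Y is then not a function of X and residual uncertainty remains;
    with flip_prob = 0 it collapses to the corollary's case."""
    joint = {}
    for x, p in px.items():
        joint[(x, x)] = joint.get((x, x), 0.0) + p * (1 - flip_prob)
        joint[(1 - x, x)] = joint.get((1 - x, x), 0.0) + p * flip_prob
    return conditional_entropy(joint, px)
```

With constructed lengths l = 4 and m = 2, the long-term key starts at 4 bits, reaches the dynamic key's 2 bits after $2^4 - 2^2 = 12$ uses, and reaches 0 bits after 15 uses, while `dynamic_key_entropy(2)` stays at 2 throughout; the function case returns 0 for any distribution, the noisy copy returns 1 bit for a fair flip.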
3.2. Security Architecture

We have previously discussed that dynamic keys provide stronger security than long-term shared keys and public keys in sensitive information protection. Therefore, in this section, we apply dynamic key theory to propose a novel security architecture. To present the security architecture, this section starts with an overview of the architecture and then gives a formal description of the architecture. Following that, engaged users and each component are defined formally. Finally, the expected security goals of the architecture are formalized in Section 3.2.10.

3.2.1. Security Architecture Overview

The security architecture (SecureSIS) consists of four tangible components (Figure 3.2): dynamic key management (DKM), user-oriented group key management (UGKM), authentication and authorization management (AAM) and sensitive information management (SIM), and two intangible components: security agreement (SA) and security goals (Goals). DKM is the security foundation of SecureSIS. It manages dynamic keys for the other components to secure communication channel, user interface and sensitive information storage in the process of sensitive information retrieval.

Figure 3.2. SecureSIS Core Component Overview.
In SecureSIS, two sets of dynamic keys are employed for engaged users (U) to protect their sensitive information and privacy. One is the dynamic data key set $DK_X$, which is used to integrate with (encrypt) sensitive information at rest. The other is the dynamic communication key set $DK_Y$, which is used to secure communication and generate tokens for authentication. In addition, there is no sensitive information at rest for tangible components. Hence, only one set of dynamic keys (component dynamic keys) conducts the security of the communication channel among components. UGKM is the membership management of SecureSIS. It is a novel hybrid group key management approach to govern dynamic membership and protect user privacy and multicast communication secrecy. Together with DKM, the unicast communication channel for individuals and the multicast communication channel for group members are protected. AAM manages authentication and authorization for individuals and group members to protect the user interface. The employment of DKM and UGKM makes AAM secure and flexible in dealing with group authorization and individual privacy protection. SIM uses dynamic data keys to integrate with sensitive information at rest in order to protect sensitive information storage. It guarantees that a breach of the SIS does not have a negative impact on the security of sensitive information itself. Also, SIM manages sensitive information ownership by applying UGKM to ensure the utility of sensitive information. The SA component guarantees the security of sensitive information in SecureSIS if, and only if, the sensitive information satisfies the agreement.
The Goals (SG) component represents the security expectations of SecureSIS. According to the process of sensitive information retrieval, this component consists of the user interface's goal, the communication channel's goal and the sensitive information storage's goal. In order to protect sensitive information (called I), the security architecture, SecureSIS, can be characterized as follows:

Definition 3.2 (SecureSIS) The security architecture is defined as a union of the following sets:

SecureSIS = [U, AAM, UGKM, SIM, DKM, SA, Goals] (3.3)

where:

i) U is a set composed of engaged users who require sensitive information I.

ii) AAM is a set of authentication and authorization management objects for verifying U and allowing U to delegate authorization in order to protect the user interface.

iii) UGKM is a user-oriented group key management object for providing a secure communication channel in order to secure I sharing among subsets of U.

iv) SIM is a set of sensitive information management objects for protecting sensitive information storage.

v) DKM is a set of dynamic key management objects for providing and managing dynamic keys of U, AAM, UGKM and SIM.

vi) SA stands for the security agreement associated with I. It is a notional inner relationship between U and I.

vii) Goals represents the security goals of the architecture regarding I protection.
To illustrate the conceptual architecture based on the definition of SecureSIS, AAM, UGKM, SIM and DKM can be thought of as tangible objects to protect I. These objects are therefore components of the SecureSIS architecture. In addition, SA and Goals are intangible; thus, the tangible conceptual architecture is illustrated in Figure 3.3.

Figure 3.3. Tangible Conceptual Architecture of SecureSIS.

3.2.2. Engaged Users

The set of engaged users, U, is a key component in SecureSIS. Every user owns or shares sensitive information. To protect sensitive information, the security of each single user needs to be scrutinized. In order to protect the privacy of each individual, U is classified into two categories: passive users and active users. Formally:

Definition 3.3 (Users U) U is a duple [passive users, active users], where:

i) the passive users are a set of users in the system that is inert and infrequently joins and leaves the system. In SecureSIS, a passive user does not share its own sensitive information with others, but accesses the sensitive information of active users.
ii) the active users are a set of users in the system that vigorously and frequently joins and leaves the system. In SecureSIS, an active user needs to share sensitive information with passive users; therefore, it needs high privacy protection. Meanwhile, by a request, a passive user can be transformed into an active user, and:

(3.4)

In SecureSIS, U is able to send action requests, AR = {Create, Delete, Retrieve, Append, Modify}, to create, collate, annotate, modify, disseminate, use and delete authorized sensitive information. Also, a passive user is able to send a transformation request, TR = {Tran_Req}, to transform its state from a passive user to an active user in order to manage sensitive information; for example, in a healthcare system, a doctor (passive user) can send TR to become a patient (active user) to share his/her medical records with other doctors (passive users), and vice versa. To protect the sensitive information, U needs to have the following properties:

For every user, TR is a request to transform a user from one category to another, and vice versa:

(3.5)

For every user, an AR allows U to take control of managing sensitive information. The predicate is true iff U has the privilege to access I:

$\forall u \in U,\ AR(I_j \in I,\ a \in ACTION) = \text{true} \iff u \text{ has permission } a \text{ of } I_j$ (3.6)

This section defined engaged users as passive users and active users, and the properties of engaged users were given. In the next section, the DKM component is formalized.
3.2.3. Dynamic Key Management

In this thesis, dynamic key management is proposed so that dynamic key theory safeguarding can be applied to communication channel, user interface and sensitive information storage in order to keep sensitive information I secure within SecureSIS. The security architecture employs two sets of dynamic keys for U and one set of dynamic keys for each component of SecureSIS. The reason for the employment of two sets of dynamic keys is that dynamic data keys are only used to integrate into sensitive information at rest (encryption), and dynamic communication keys are used only for token generation and communication protection. The two sets of dynamic keys are independent. According to the single-use nature and cryptographic properties of dynamic keys, the breach of one set of dynamic keys does not compromise the security of SecureSIS. Formally:

Definition 3.4 (Dynamic Key Management DKM) Dynamic key management is a quadruple $[DK_X, DK_Y, CDK, G(\cdot)]$, where:

i) $DK_X$ is a set composed of dynamic data keys $\{dk_{X_i}\}$ of users for securing sensitive information storage. Given $u_n \in U$, the dynamic data key set for user $u_n$ is:

$DK_X = \{dk_{X_i}.u_n\}$ (3.7)

ii) $DK_Y$ is a set composed of dynamic communication keys of users for protecting user interface and communication channel. Given $u_n \in U$, the dynamic communication key set for user $u_n$ is:
DK_Y = {dk_Yj.u_n} (3.8) iii) CDK is a set composed of dynamic keys of each component for securing communication between DKM and AAM & SIM. Given aam_m ∈ AAM, dkm_k ∈ DKM and sim_n ∈ SIM, the component dynamic key sets for aam_m, dkm_k and sim_n are {cdk_i.aam_m}, {cdk_j.sim_n} and {cdk_l.dkm_k}, respectively. iv) G(.) is a dynamic key generation scheme. It generates dynamic keys synchronously with U and other components in SecureSIS. Note that DKM generates dynamic keys synchronously with all involved entities, and there is no key distribution between users and the DKM entity. There is one important exception: when users communicate with other components such as aam_m ∈ AAM and sim_n ∈ SIM, a dkm_k ∈ DKM generates the corresponding dynamic keys of the users and securely transmits them to the involved components 33. DKM is illustrated in Figure 3.4. The figure shows that the relationship between the dynamic key sets and the key generation scheme is not invertible. Figure 3.4. DKM Key Generation Flow. This section defined the component DKM. The next section will define UGKM. 33 For details see Sections 4.2, 4.3 and 4.4. 116
3.2.4. User-oriented Group Key Management Every user in SecureSIS is managed via this component, and it applies a hierarchical structure to secure the multicast communication channel. The first key tree was suggested in [WaHaAg97] for centralized group key distribution systems. As discussed in Chapter 2, centralized group key management is large-group oriented, scalable and operation efficient; thus, this component adopts and extends the key tree T. It is a top-down structure and consists of a root, subgroups (SG), clusters (C) and leaves (associated with users U). The passive users are initially aggregated into clusters, and at the upper level into subgroups. Each cluster selects one of its members as the cluster leader to be its representative. The active users cannot join clusters, only virtual clusters. Each virtual cluster is a virtual container to accommodate the involved [ ] and [ ]. When an active user joins, a member (passive user) of a closed cluster forms a virtual cluster under the same subgroup node. That member (passive user) is called the virtual leader of the virtual cluster. Formally, the component is characterized as follows: T = {root} ∪ SG ∪ C ∪ U (3.9) Definition 3.5 (User-oriented Group Key Management UGKM) User-oriented group key management is a septuple [ , , C, VC, L, VL, Alg(U)], where: i) VC (virtual cluster) is a set composed of virtual containers to accommodate the involved [ ] and [ ]. An active user can only join (belong to) one virtual 117
cluster; however, a passive user can belong to a subset of virtual clusters, such that: ∃! vc_j ∈ VC : vc_j [ ], and at least one vc_j : vc_j [ ], j ∈ N (3.10) ii) L (leader) is a set composed of leaders L for authentication as representatives of clusters, used in AAM. iii) VL (virtual leader) is a set composed of virtual leaders L for constructing virtual clusters and managing key operations. iv) Alg(U) is a suite of algorithms that manages U join and leave rekeying operations. This section defined the UGKM component; it delineated that an active user can only belong to one virtual cluster, and that only passive users can join clusters. Therefore, the privacy of active users is protected. In the next section, AAM will be defined by using DKM and UGKM to protect the user interface. 3.2.5. Authentication and Authorization Management Authentication and authorization are two interrelated concepts that form the security component of the user interface. This component conducts security by cooperating with UGKM and DKM. It can be characterized as follows: Definition 3.6 (Authentication and Authorization Management AAM) Authentication and authorization management is a quadruple [U, EID, Proto, v(u, eid_j)], where: 118
i) EID is a set composed of enciphered identities for all registered users U. ii) Proto is a set composed of protocols for authenticating the legitimacy of U and allowing U to delegate authorization in SecureSIS. iii) v(u, eid_j) is a verification function that associates a Boolean value with a user u ∈ U and an enciphered identity eid_j. Such checking defines the legitimacy of a user u with regard to the EID. In Figure 3.5, U verifies itself to an aam_m ∈ AAM in order to gain permission to execute a particular protocol. The protocol is performed if, and only if, the form of the enciphered identities matches the corresponding identities; otherwise, the process is terminated. Figure 3.5. AAM Process. This section defined the AAM component to protect the user interface. In the next section, the SIM component will be defined to protect sensitive information at rest. 3.2.6. Sensitive Information Management One of the most important technological challenges that SIS face today is keeping sensitive content secure when it is shared among internal and external entities. In this 119
component, dynamic keys are used to integrate with sensitive information I in order to help guard against the unauthorized disclosure of I. The sensitive information I is stored in cipher form (encrypted sensitive information, named EI); in other words, no plaintext is kept in SecureSIS. Also, each I is encrypted by a different dynamic data key, and all these dynamic data keys are encrypted by the current dynamic data key (encrypted dynamic data keys, named EDK). Therefore, only the owner of the sensitive information possesses the correct and latest dynamic data key. The privacy of the owner is thus maintained in SecureSIS. In addition, the usefulness of sensitive information at rest is a challenge as well for SIS. Sensitive information must retain its usefulness so that it remains useful for users. In an emergency circumstance where the cryptographic key is lost, the stored form of the sensitive information is useless. Therefore, to overcome these challenges, the SIM component is formally characterized as follows: Definition 3.7 (Sensitive Information Management SIM) Sensitive information management is a quadruple [RI, CI, EL, f(I)], where: i) RI is a set composed of indices for collected critical information I. ii) CI is the union of the sets of encrypted sensitive information (EI) and encrypted dynamic data keys (EDK), CI = EDK ∪ EI (3.11) where EI is produced using the dynamic data keys of the sensitive information owner u_n, EI = {{I_j}dk_Xi.u_n, I_j ∈ I} (3.12) 120
and EDK is generated using the current dynamic data key of the sensitive information owner to encrypt the keys used to encipher the information. It can be symbolized as: EDK = {{dk_Xi.u_n}dk_XC.u_n, h(EI_j)}, EI_j ∈ EI (3.13) Meanwhile, dk_XC.u_n is the current dynamic data key of u_n. It is specified in order to encrypt and decrypt the dynamic data keys (EDK). The encrypted keys are stored in the header of EI. The relationship is illustrated in Figure 3.6. In addition, h(EI_j) is used to ensure the integrity of sensitive information I_j. Figure 3.6. Relationship between EI and EDK. iii) EL stands for emergency list; a set of relationship objects O. Each o ∈ O contains a user u ∈ U, a nominated cluster c_n ∈ C, an allocated auditing cluster c_a ∈ C and an encrypted dynamic data key. At the cost of triggering an automatic audit, EL is used in an emergency to gain access to sensitive information I of users that would normally be inaccessible. EL = ⟨u, c_n, c_a, {dk_XC.u_n}K_combine⟩ (3.14) where K_combine is a combination key of the leaders l_n and l_a, which represent clusters c_n and c_a respectively: K_combine = h(h(n, dk_Yj.l_n), h(a, dk_Yk.l_a)) (3.15) 121
v) f(i) s a symmetrc cryptographc functon that employs dynamc data key dk. u to encpher/decpher senstve data I and dynamc data keys. X j Ths secton defned the SIM component to protect senstve nformaton at rest. It also consdered emergency stuatons, such as the loss of cryptographc key and the change of senstve nformaton ownershp. In the next secton, the structure of SecureSIS s gven to show the relatonshp of four tangble components. 3.2.7. Structure n SecureSIS SecureSIS s splt nto several admnstratve areas. Each area has a local secure group controller (LSGC) assocated wth a subgroup ( sg SG ) to manage I sharng and accessng. The controllers together consttute a multcast group (UGKM) that mantans group key consstency by exchangng group nformaton dynamcally and securely. The structure of SecureSIS s shown n Fgure 3.7. Fgure 3.7. The Structure of SecureSIS. A LSGC comprses an object of AAM, DKM and SIM, respectvely. Formally: LSGC = {aam AAM, dkm DKM, sm SIM} (3.16) m n k 122
3.2.8. Entities Belonging According to Equation 3.10, it can be seen that an active user [ ] belongs to only one virtual cluster while a passive user [ ] can join multiple virtual clusters. The reason behind this is that active users share sensitive information with passive users. For privacy reasons, active users only belong to virtual clusters, and only one active user is allowed in one virtual cluster. However, passive users can belong to multiple clusters and virtual clusters. This ensures that the sensitive information of an active user is secure and not disclosed to other active users. Precisely: ∃! vc_j ∈ VC : vc_j [ ] (c_k ∈ C), c_k [ ]; and at least one vc_j ∈ VC, c_k ∈ C : vc_j [ ], c_k [ ], j, k ∈ N (3.10A) In addition to sensitive information, each critical information object has an owner (u_n ∈ U or a group of users {u_i | u_i ∈ U}) and the object is fully controlled by the owner. Precisely: I_j ∈ I, u ∈ U : u : I_j; u : I_j : AR(I_j, *) = true (3.17) Here, : stands for possession and * is a wildcard for an action request. In the scenario where the sensitive information owner permanently leaves the system, the sensitive information is orphan sensitive information; referring to EL (Equation 3.14), new ownership 34 is assigned to the orphan information. Precisely: I_j ∈ I, ( u ( u : I_j )) c_n : I_j (3.18) 34 The ownership will be assigned to the nominated cluster; details in Chapter 4. 123
This section clarified the entity belongings. In the next section, one of the intangible components (SA) will be defined to show the relationship between sensitive information and users. 3.2.9. Security Agreement In SecureSIS, the security agreement is the contract that governs the relationships between sensitive information I and owners (U) in a secured transaction (for example, information accessing and sharing). The security agreement classifies sensitive information into a number of levels following information classification 35, and then assigns access rules to each information object. Formally: Definition 3.8 (Security Agreement SA) Let SR be a set of security rules (for example ACCEPT, DENY and NEGOTIATE). A security agreement is a triple [I, UL, ], where: i) I is a set of sensitive information objects labelled with an information security classification. ii) UL is a set of user lists, and each list consists of a number of users. iii) : I × UL → SA is the security agreement mapping. iv) SA:ACCEPT is an access control flag that allows sensitive information to be disclosed. v) SA:DENY is an access control flag that restricts users from accessing sensitive information. 35 This refers to Table 1.1, Sensitive information levels of classification in the US. 124
vi) SA:NEGOTIATE is an access control flag. Initially, it limits users (as in DENY) and then allows users to negotiate with the owners of sensitive information to request permission. It is defined that each critical information object has security rules (SR), and every security rule is assigned to a number of UL. Users in a NEGOTIATE list are allowed to request permission for accessing and sharing sensitive information from the information owners. In this section, the agreement has been defined for SecureSIS. In the next section, the security expectations will be given in order to ensure that the proposed SecureSIS satisfies the security requirements of sensitive information. 3.2.10. Goals of SecureSIS When designing a security architecture for SIS, sensitive information protection is the primary consideration. Sensitive information must be stored safely (sensitive information storage), transmitted securely (communication channel) and made available only to authenticated and authorized users (user interface). Such desires can be defined as the goals of SecureSIS. Formally: Goals = {UIG, CCG, SISG} (3.19) User Interface's Goal (UIG): Sensitive information must only be disclosed to legitimate users with proper permissions and to genuine SIS. Precisely: u ∈ U, I_j ∈ I (u CanProve u to SecureSIS, u CanProve AR(I_j, *) = true to SecureSIS) u : I_j (3.20) u ∈ U (SecureSIS CanProve Genuine to u) (3.21) 125
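The following is an added worked example, not code from the thesis, of a security agreement in the form of Definition 3.8: information objects I labelled with a classification and an owner, user lists UL, the mapping I × UL → {ACCEPT, DENY, NEGOTIATE}, and the predicate AR(I_j, a) of Equation 3.6 evaluated against it, with NEGOTIATE behaving as DENY until the owner grants specific actions. Three points the page does not fix are assumptions here: a user who appears in several lists gets the most restrictive flag, a pair with no rule is DENY, and ACCEPT discloses the object (Retrieve) without granting the other action requests.

```python
"""Added example (not the thesis's code): Definition 3.8 security agreement
with the AR predicate of Equation 3.6. Conflict resolution, deny-by-default
and the meaning of ACCEPT for non-Retrieve actions are assumptions."""
from enum import Enum


class Flag(Enum):
    ACCEPT = 1      # ordered so that a higher value is more restrictive
    NEGOTIATE = 2
    DENY = 3


ACTIONS = {"Create", "Delete", "Retrieve", "Append", "Modify"}  # AR of Section 3.2.2


class SecurityAgreement:
    def __init__(self):
        self.objects = {}     # I: info id -> (classification label, owner)
        self.user_lists = {}  # UL: list name -> frozenset of users
        self.rules = {}       # (info id, list name) -> Flag, the mapping I x UL -> SA
        self.grants = {}      # (info id, user) -> actions the owner granted after negotiation
        self.pending = set()  # (info id, user) requests awaiting the owner

    def add_object(self, info, classification, owner):
        self.objects[info] = (classification, owner)

    def add_user_list(self, name, users):
        self.user_lists[name] = frozenset(users)

    def set_rule(self, info, list_name, flag: Flag):
        if info not in self.objects or list_name not in self.user_lists:
            raise KeyError("rule refers to an unknown object or user list")
        self.rules[(info, list_name)] = flag

    def flag_for(self, info, user) -> Flag:
        """Collect the flags of every list the user belongs to; the most
        restrictive wins, and an unmapped pair is DENY (assumptions)."""
        flags = [f for (i, ln), f in self.rules.items()
                 if i == info and user in self.user_lists[ln]]
        return max(flags, key=lambda f: f.value) if flags else Flag.DENY

    def request(self, info, user) -> bool:
        """Only users under NEGOTIATE may ask the owner (Section 3.2.9)."""
        if self.flag_for(info, user) is not Flag.NEGOTIATE:
            return False
        self.pending.add((info, user))
        return True

    def owner_grants(self, info, owner, user, actions) -> bool:
        """The owner answers a pending request with a set of action requests."""
        if self.objects[info][1] != owner or (info, user) not in self.pending:
            return False
        if not set(actions) <= ACTIONS:
            raise ValueError("unknown action request")
        self.pending.discard((info, user))
        self.grants.setdefault((info, user), set()).update(actions)
        return True

    def ar(self, info, user, action) -> bool:
        """AR(I_j, a) = true iff u has permission a of I_j (Equation 3.6)."""
        if action not in ACTIONS:
            raise ValueError("unknown action request")
        if self.objects[info][1] == user:   # the owner fully controls I_j (Equation 3.17)
            return True
        flag = self.flag_for(info, user)
        if flag is Flag.ACCEPT:
            return action == "Retrieve"     # disclosure only (assumption)
        if flag is Flag.NEGOTIATE:
            return action in self.grants.get((info, user), set())
        return False


def demo() -> dict:
    """Constructed healthcare scenario: a patient owns record-7; dr_a is a
    treating doctor, dr_b may negotiate, dr_c is also on a blocked list."""
    sa = SecurityAgreement()
    sa.add_object("record-7", "confidential", "patient_1")
    sa.add_user_list("treating_doctors", {"dr_a"})
    sa.add_user_list("other_doctors", {"dr_b", "dr_c"})
    sa.add_user_list("blocked", {"dr_c"})
    sa.set_rule("record-7", "treating_doctors", Flag.ACCEPT)
    sa.set_rule("record-7", "other_doctors", Flag.NEGOTIATE)
    sa.set_rule("record-7", "blocked", Flag.DENY)
    return {
        "owner_modify": sa.ar("record-7", "patient_1", "Modify"),
        "dr_a_retrieve": sa.ar("record-7", "dr_a", "Retrieve"),
        "dr_a_modify": sa.ar("record-7", "dr_a", "Modify"),
        "dr_b_before": sa.ar("record-7", "dr_b", "Retrieve"),
        "dr_b_request": sa.request("record-7", "dr_b"),
        "dr_c_request": sa.request("record-7", "dr_c"),     # DENY outranks NEGOTIATE
        "stranger_grant": sa.owner_grants("record-7", "dr_a", "dr_b", {"Retrieve"}),
        "owner_grant": sa.owner_grants("record-7", "patient_1", "dr_b", {"Retrieve", "Append"}),
        "dr_b_after": sa.ar("record-7", "dr_b", "Retrieve"),
        "dr_b_delete": sa.ar("record-7", "dr_b", "Delete"),
        "unlisted": sa.ar("record-7", "nurse_x", "Retrieve"),
    }
```

The ordering inside Flag is what makes the conflict rule a one-liner: because DENY has the highest value, a user placed on a blocked list stays blocked no matter which other lists also name them.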
Equation 3.20 implies that u must be able to prove to SecureSIS that it is a legitimate user, and also that u can have privileged access to information I_j. According to Definition 3.7, sensitive information is enciphered with the dynamic data keys of owners. Therefore, without proper privileges to information I_j, u cannot understand the information, even though u has the information I_j in the form of e_j ∈ EI. Communication Channel's Goal (CCG): Sensitive information must be identically maintained during transmission via open networks. u ∈ U, I_j ∈ I (iff u : I_j, u CanVerify I_j is Genuine) (3.22) I_j ∈ I (SecureSIS CanVerify I_j is Genuine) (3.23) Equation 3.22 indicates that if, and only if, u satisfies Equation 3.20, u is able to verify the authenticity of the received I_j. On the other hand (Equation 3.23), SecureSIS is able to prove and verify that the received information, I_j, is genuine. Sensitive Information Storage's Goal (SISG): Sensitive information must be stored securely and satisfy the requirement that only privileged users can understand and retrieve the information. EI_j ∈ EI, u ∈ U (iff u : EI_j, u CanUnderstand I_j) (3.24) 126
According to Equation 3.6, the predicate is true only if u has the privilege to I_j. Because sensitive information is stored in cipher form 36, Equation 3.6 is transformed into: ∀u ∈ U, AR(EI_j ∈ EI, a ∈ ACTION) = true iff u has permission a of EI_j (3.25) Sensitive information in storage is consequently only disclosed to, and understandable by, legitimate u with proper permissions. This section gave the security expectations of SecureSIS. In the next section, a novel sensitive information security model will be presented in order to tackle the lack of assessment properties in existing information security models. 3.3. Sensitive Information Security Model The defined security architecture should express the means for sensitive information protection. As the models discussed in Section 2.5, the CIA triad and the Parkerian hexad, have limitations, they are not a valid basis for sensitive information protection. In this section, a comprehensive new information security model is presented that solves the problems of the existing models. Five core elements, discussed and argued to be essential to sensitive information security, namely authenticity and authority, integrity, non-repudiation, utility and confidentiality, are used to replace the CIA triad and Parkerian hexad in the new security model. By defining the new security model, we introduce the logic associated with each atomic element to evaluate SecureSIS. In addition, the proposed security model can be used as a guide for designing SIS. 36 Refers to Equation 3.12. 127
3.3.1. SecureSIS Pentad The SecureSIS pentad is a set of five elements of information security with attributes: authenticity & authority (AA), integrity (IN), non-repudiation (NR), confidentiality (CO), and utility (UT). These attributes of sensitive information are atomic in that they are not broken down into further constituents, and they are non-overlapping in that they refer to unique aspects of information. Any information security breach can be described as affecting one or more of these fundamental attributes of information. Formally: Definition 3.9 (SecureSIS pentad) The SecureSIS pentad is a sensitive information security model. It comprises five elements to guarantee the security of sensitive information: SecureSIS pentad = {AA, IN, NR, CO, UT} (3.26) where: i) AA is the act of confirming provenance and identity as genuine and the act of delegating shared information. It measures the security of verification of individuals and group users. It also measures the security of access control in terms of privacy protection of individuals. In short, AA is the measurement of the user interface and sensitive information storage. ii) IN refers to the validity of data. It measures the security of the communication channel. iii) NR is an atomic element measuring that a user in a dispute cannot repudiate, or refute the validity of, what has been done in the system. 128
iv) CO is the property of preventing disclosure of information to unauthorized individuals or group users in SIS. It is an overall measurement of the communication channel, user interface and sensitive information storage. v) UT means usefulness for accessing and sharing sensitive information to authorized users. It measures the usefulness of sensitive information when its ownership is changed, when the owners of critical information lose the decryption key, or in an emergency. The SecureSIS pentad is used to evaluate the security of SIS as a basis of assessment. It is applied to SecureSIS in order to validate its security in this thesis. To build the model, the five security attributes are used to satisfy the Goals of SecureSIS. The relationship of the SecureSIS pentad to SecureSIS is shown in Figure 3.8. Figure 3.8. SecureSIS Pentad. 3.3.2. Authenticity & Authority (AA) In information security, authentication is the process of verifying a claim made by an entity, while authorization is the process of verifying that an authenticated entity has the authority to perform a certain operation. Authentication, therefore, must precede 129
authorization. Since authorization cannot occur without authentication, to assess the security of SIS, authenticity and authority are both defined in the SecureSIS pentad. Authentication is defined in relation to message authentication and entity authentication. Message authentication provides the identity of the sender P of a message to a given recipient Q. Entity authentication provides an identification of an entity in a communication. An important difference between these two types of authentication is that message authentication is not limited to a certain time period, while entity authentication is limited to the duration of the communication over an interval [t_0, t_1]. Therefore, to achieve proper message authentication, the requirement must be satisfied as follows: P → Q : I, token; I ∈ I, P : I : Q believes P said I (3.27) For entity authentication, precisely: ∫ from t_0 to t_1 of (P claims to Q) dt → Q believes P (3.28) Authorization is the concept of allowing only permitted users access to resources. More formally, authorization is a process that protects sensitive resources by only allowing a granted authority to use them. In other words, unauthorized access is restricted. Precisely: I ∈ I, P : I : Q ¬: I iff Q : AR(I, *) = false (3.29) 37 Authenticity and authority determine the security of the user interface in SIS. The combination of Equations 3.20 to 3.25 describes that sensitive information must only 37 ¬: means it is not the case of :. 130
be disclosed to genuine SIS and legitimate users with proper permissions. As one of the goals of SecureSIS, UIG 38 can be evaluated by applying AA. 3.3.3. Integrity (IN) The integrity of critical information prevents an unauthorized user from altering the asset in the communication channel or sensitive information storage. It is the completeness, wholeness and readability of sensitive information, and its quality unchanged from a previous state [Pa98]. Concisely, it is the assurance that sensitive information is consistent, correct, and accessible (shown in Figure 3.9). Figure 3.9. Sensitive Information Integrity Triangle. According to [ClWi87, Pa98], sensitive information integrity is essential to SIS, and is able to promise information consistency and accuracy; thus, it is defined in the SecureSIS pentad. In order to achieve sensitive information integrity, any sensitive information transmitted between entities via the communication channel must be consistent. It is also compulsory for SIS that sensitive information be kept correctly in sensitive information storage. Formally: 38 UIG refers to the user interface's goal. 131
P → Q : I; I ∈ I, Q receives I' : Q believes I = I' (3.30) P : I; I ∈ I, P believes I (3.31) Integrity ensures the security of two components in the sensitive information retrieval process mentioned in Chapter 1 39. The equations above emphasize the goals CCG 40 and SISG 41; thus IN can be used to assess the goals partially. 3.3.4. Non-repudiation (NR) Non-repudiation is the property that binds an entity to sensitive information. A complete non-repudiation service must ensure both non-repudiation of origin and non-repudiation of receipt [Zh01]. It is an essential element for SIS due to the limitations of using the CIA triad and the Parkerian hexad discussed in Chapter 2. Non-repudiation differs from authentication. The former provides evidence of an identity that can be shown to an adjudicator, while the latter assures only that the recipient is convinced of the identity of the sender. In addition, non-repudiation of receipt ensures the sender has evidence that the recipient received the previously sent information. For the purpose of securing SIS to achieve non-repudiation, any transaction occurring in SIS needs to be verified and identified, comprising actions in sensitive information storage and transactions via the communication channel. Also, it is mandatory that non-repudiation of receipt be sent to both sender and recipient along with the evidence for the previous transaction. This bi-directional non-repudiation is named in the SecureSIS pentad as mutual non-repudiation. Formally: 39 Refers to Figure 1.1 and Section 1.3.1. 40 CCG refers to the communication channel's goal. 41 SISG refers to the sensitive information storage's goal. 132
P believes fresh(sign), P sees Q performs an action with a sign : P believes Q performs the action with the sign, and vice versa (3.32) Mutual non-repudiation involves all three components of the sensitive information retrieval process. It guarantees undeniable proof of entity actions in SIS. Equation 3.32 is thus able to appraise the goals of SecureSIS. 3.3.5. Confidentiality (CO) Confidentiality preserves authorized restrictions on sensitive information access and disclosure. Breaches of confidentiality involve authenticity, authority, integrity and non-repudiation. Consequently, it is the most important property of the SecureSIS pentad. Conceptually, confidentiality covers two properties: sensitive information confidentiality and privacy. Sensitive information confidentiality ensures that critical information is not made available or disclosed to unauthorized users, while privacy ensures that individuals control or influence their own sensitive information. For SIS, critical information must only be disclosed or accessible to authorized users (as in Equations 3.29, 3.30 and 3.31), and information owners must have fine-grained control over their assets. Formally: I ∈ I, P : I, Q : AR(I, *) = false, P authorizes Q : Q : AR(I, *) = true (3.33) Confidentiality measures the security of all three components: communication channel, user interface and sensitive information storage. It also covers the privacy or secrecy of information owners. In addition, the scope of confidentiality overlaps AA 133
and IN. Consequently, it can be used to evaluate the security of SIS and to assess the goals of SecureSIS. 3.3.6. Utility (UT) Utility is the property that indicates the usefulness of sensitive information. While it is not one of the core principles of the CIA triad, it is nevertheless a core principle of sensitive information security. In the scenario of a sensitive information ownership change or a lost unique encryption key, the sensitive information is still available, but in a form that is not useful. While the information's authenticity and authority, integrity and non-repudiation are unaffected, and its confidentiality is greatly improved, the information cannot be used. Therefore, utility is essential and is included in the SecureSIS pentad to measure the usefulness of sensitive information. In the interests of achieving sensitive information utility in SIS, a change of sensitive information ownership must not affect the usefulness of the sensitive information. In an emergency, where the owner of sensitive information is unable to manage the asset, the usefulness of the sensitive information must not be compromised. Formally: I ∈ I, P : I, orphan I, P authorizes Q : Q : I (3.34) I ∈ I, P : I, emergency : P, Q : I (3.35) Utility does not measure the security of the communication channel, user interface and sensitive information storage, but it does impact security. Without the property of sensitive information utility, the goals of the communication channel, user interface and sensitive information storage cannot be reached. Sensitive information utility is therefore used as a baseline security assessment. 134
3.3.7. Summary on the SecureSIS Pentad The SecureSIS pentad consists of five atomic elements. It is important to identify the differences between these elements. First, authenticity deals with entity verification while authority governs which legitimate entities have permission to perform certain operations. Therefore both are combined as AA and used to assess the security of restricted, sensitive or valuable information in SIS. IN also deals with the intrinsic condition of information, but it does not involve the meaning of the information. In contrast, AA is concerned with the genuineness and control of information. NR handles the evidence of entities for an adjudicator, while AA addresses the credentials of entities. CO deals with the disclosure of sensitive information, whereas AA is more concerned with the process of preventing disclosure. Last, but not least, UT is a baseline security assessment, since without usefulness, all other properties are valueless. Determining the appropriate security by applying the five elements depends on the four primary characteristics of information 42. The five elements are unique and independent, and often require different security controls. For example, maintaining the IN of sensitive information does not necessarily mean that the information is valid; it only indicates the information's wholeness and completeness. Sensitive information can be invalid (that is, lacking authenticity), but it can be identical to the original, and thus possess IN. Similarly, maintaining the NR of sensitive information does not necessarily maintain its AA, and vice versa, as they are two different elements. With the exception of CO, the elements can be violated without affecting the other elements. CO is an exception because the loss of CO can have a negative impact on 42 Primary characteristics refer to kind, representation, form and medium. See Section 1.2.1. 135
the other elements. The disclosure of sensitive information makes IN, AA and NR invalid, whereas UT remains the same. In contrast, the loss of UT can improve CO because the form of the sensitive information becomes useless. The scope of the five atomic elements is illustrated in Figure 3.10. The figure shows UT as a baseline; with UT assured, the security of SIS can be guaranteed. The figure also shows how the scope of CO overlaps IN, NR and AA. Figure 3.10. The Scope of Five Atomic Elements. 3.4. Summary In this chapter, dynamic key theory has been formalized, and its cryptographic properties have been proved. It has also been proved that dynamic keys provide stronger security than long-term shared keys and public keys. Therefore, SecureSIS is presented by applying dynamic key theory to govern critical information in three phases: communication channel, user interface and sensitive information storage. It has been claimed that the proposed architecture employs the following techniques to overcome the security threats and concerns: The use of two sets of dynamic keys to protect sensitive information in the process of sensitive information retrieval. 136
The use of the proposed user-oriented group key management to deal with dynamic information ownership, and to overcome confidentiality and integrity threats. The use of the proposed authentication & authorization management to conduct dynamic membership of groups and individuals sharing or accessing sensitive information, in order to handle authenticity and authority concerns. The use of the proposed sensitive information management to protect sensitive information at rest, in order to thwart security threats that compromise the credentials of SIS. In addition to the proposed architecture, a security model - the SecureSIS pentad - was proposed to evaluate SecureSIS. It consists of five atomic elements that can be used to assess the security of the proposed security architecture. The model is able to evaluate the security of SecureSIS as shown in Table 3.1. Table 3.1. Applied SecureSIS Pentad with the Proposed SecureSIS.
Components of Sensitive Information System | Goals of SecureSIS (Section 3.2.10) | SecureSIS Pentad Elements | Baseline
User Interface | UIG | AA, NR, CO | UT
Communication Channel | CCG | IN, NR, CO | UT
Sensitive Information Storage | SISG | IN, NR, CO | UT
In the following chapter, each tangible object - DKM, UGKM, AAM and SIM - of SecureSIS is developed. The SecureSIS pentad is used as a guide to maximize the security of sensitive information in SIS. 137
Chapter 4 4. Security Architecture Components Goals. In Chapter 2, the technical background of this thesis was examined. In Chapter 3, the limitations of employing long-term shared keys and public keys in SIS to protect sensitive information necessitated the formalisation of dynamic key theory. The cryptographic properties of dynamic keys provide stronger security than other keys. The SecureSIS architecture was consequently defined formally by applying dynamic key theory together with the expected security goals. The SecureSIS pentad (a sensitive information security model) was also proposed in order to assess the security of SecureSIS and to guide the design of the security architecture. In this chapter, we elaborate on all four tangible components of SecureSIS, Dynamic Key Management (DKM), User-oriented Group Key Management (UGKM), Authentication and Authorization Management (AAM) and Sensitive Information Management (SIM), guided by the SecureSIS pentad. In addition to giving a comprehensive understanding of the proposed SecureSIS, we demonstrate how to use dynamic key theory in DKM (Section 4.1), and then apply it to UGKM (Section 4.2), AAM (Section 4.3) and SIM (Section 4.4) to reach the security goals of the 138
communication channel, user interface, and sensitive information storage. The chapter concludes in Section 4.5. 4.1. Dynamic Key Management In cryptography, dynamic key management is related to the generation, storage, synchronization, safeguarding, replacement and use of keys. Appropriate and successful dynamic key management is critical to the security of SIS. Therefore, the security of dynamic key management leads the security of sensitive information systems. In this section, by applying dynamic key theory to SecureSIS, a security agreement is addressed for all entities in SecureSIS. The section finishes with a summary of the desired cryptographic properties. 4.1.1. Dynamic Key Agreement The cryptographic properties of dynamic keys help with security enhancement when protecting sensitive information. Each entity in SecureSIS must have shared dynamic key sets. The initial seeds and the dynamic key generation schemes take place in the function f(.). In this thesis, the use and management of dynamic keys are emphasized. Definition 3.4 shows two sets of dynamic keys employed (the dynamic data key set DK_X and the dynamic communication key set DK_Y) to conduct the security of SecureSIS. DK_X is a set composed of dynamic data keys for securing sensitive information storage. DK_Y is a set composed of dynamic communication keys for protecting the communication channel and user interface. Note that DK_X and DK_Y are only applied to users. Since the involved tangible objects, such as aam_m ∈ AAM, dkm_k ∈ DKM and 139
sim_n ∈ SIM, do not possess sensitive information, component dynamic keys (CDK) are used for protecting the communication channel among these entities. As discussed in Section 3.2.7, SecureSIS conducts the security of SIS via local secure group controllers (LSGC). Each LSGC administers inbound and outbound sensitive information, and consists of the objects aam_m, dkm_k and sim_n. Also, all LSGCs form a multicast group 43 to maintain group key consistency. Meanwhile, the dynamic key sets of users are synchronized among DKM. Therefore, once a user has shared key sets with SecureSIS and successfully registered 44, the user can join any local administration. In order to make good use of the dynamic key properties, the following agreements apply: For users, a user sharing DK_X and DK_Y with SecureSIS does not necessarily mean that the user has registered and is legitimate. For users, dynamic data keys are not involved in any communication. The keys are strictly used to wrap and unwrap sensitive information only. For both users and tangible objects, dynamic communication keys are used to generate security tokens and encipher communications. For objects, the dynamic communication keys of users are generated via DKM, and transmitted securely via the dynamic communication keys of the objects. For both users and objects, a network failure caused by asynchronous dynamic communication keys will trigger a network fault heal event [NgWuLe09a]. The event can be performed via negotiating dynamic key counters 45 {Yj | j ∈ N}. 43 The multicast group is discussed in Section 4.2 UGKM. 44 User registration - see Section 4.3.2 initialization protocol. 45 Negotiating dynamic key counters can be performed via the previous successful dynamic communication key and the current counter j. 140
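The following is an added worked example, not code from the thesis, of the dynamic key agreements above together with the Definition 3.4 key sets: a user and a DKM object each derive the two independent sets DK_X and DK_Y synchronously from shared seeds with no key ever transmitted, DK_Y alone is used to generate security tokens, an out-of-step counter is healed by resynchronizing to the peer's counter, and any token that presents an already consumed (invalidated) communication key is rejected, which is the single-use property Section 4.1.2 relies on for breach detection. The page does not specify G(.), so the HMAC counter derivation, the resynchronization window and all names are assumptions.

```python
"""Added example (not the thesis's code): two independent dynamic key sets,
token generation with DK_Y, counter-based fault healing and reuse detection.
G(.) is not given on the page; the HMAC counter chain is an assumption."""
import hashlib
import hmac


class DynamicKeyChain:
    """Constructed G(.): key_j = HMAC-SHA256(seed, label || j). Every holder of
    the seed derives the same key for the same counter j, so keys are generated
    synchronously and never distributed."""

    def __init__(self, seed: bytes, label: bytes):
        self.seed = seed
        self.label = label
        self.counter = 0  # next counter j this side will consume

    def key_at(self, j: int) -> bytes:
        return hmac.new(self.seed, self.label + j.to_bytes(8, "big"), hashlib.sha256).digest()

    def next_key(self):
        j = self.counter
        self.counter += 1  # key j is single-use: it is invalidated on consumption
        return j, self.key_at(j)


class DynamicKeyParty:
    RESYNC_WINDOW = 16  # assumption: how far ahead a peer counter may jump in a fault heal

    def __init__(self, data_seed: bytes, comm_seed: bytes):
        self.dk_x = DynamicKeyChain(data_seed, b"X")  # wraps data only, never used on the wire
        self.dk_y = DynamicKeyChain(comm_seed, b"Y")  # tokens and channel protection only
        self.peer_counter = 0  # counter we expect from the peer next (one direction shown)
        self.events = []

    def make_token(self, message: bytes):
        """Security token = (j, message, HMAC under the j-th communication key)."""
        j, k = self.dk_y.next_key()
        return (j, message, hmac.new(k, message, hashlib.sha256).digest())

    def verify_token(self, token) -> bool:
        j, message, tag = token
        if j < self.peer_counter:            # key j was consumed before: reuse attempt
            self.events.append(("REUSE_DETECTED", j))
            return False
        if j - self.peer_counter >= self.RESYNC_WINDOW:
            self.events.append(("OUT_OF_WINDOW", j))
            return False
        expected = hmac.new(self.dk_y.key_at(j), message, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            self.events.append(("BAD_TAG", j))
            return False
        if j > self.peer_counter:            # messages were lost: heal by resynchronizing
            self.events.append(("FAULT_HEAL_RESYNC", self.peer_counter, j))
        self.peer_counter = j + 1
        return True


def demo() -> dict:
    """Constructed run: user sends three tokens, the second is lost in transit,
    then an old token is replayed and the lost one arrives late."""
    data_seed, comm_seed = b"constructed-data-seed", b"constructed-comm-seed"
    user = DynamicKeyParty(data_seed, comm_seed)
    dkm = DynamicKeyParty(data_seed, comm_seed)
    t0 = user.make_token(b"register u_1")
    t1 = user.make_token(b"lost in transit")
    t2 = user.make_token(b"action request Retrieve")
    return {
        "first_accepted": dkm.verify_token(t0),
        "resync_accepted": dkm.verify_token(t2),        # counter jumps from 1 to 2
        "replay_rejected": not dkm.verify_token(t0),    # key 0 already invalidated
        "late_rejected": not dkm.verify_token(t1),      # key 1 skipped, now invalidated
        "events": dkm.events,
        # a compromised communication seed yields nothing about the data keys
        "sets_independent": DynamicKeyChain(comm_seed, b"X").key_at(0) != user.dk_x.key_at(0),
        "data_keys_untouched": user.dk_x.counter == 0,
    }
```

Only one direction (user to DKM) is shown; the reverse direction would use a second chain or a second label so that both sides never consume the same counter. The "data_keys_untouched" result is the first agreement in practice: sending tokens advances DK_Y and leaves DK_X alone.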
4.1.2. Security Comparison In this section (4.1), dynamic key management was introduced based on Definition 3.4. By applying the nature of dynamic keys 46, if the agreements (Section 4.1.1) are followed, the security of the proposed architecture is guaranteed. The proposed dynamic key management provides stronger security than other existing approaches to sensitive information protection, and is compared with communication channel (unicast and multicast), user interface and sensitive information storage protection. This comparison is presented in Table 4.1. The comparison criteria are selected based on the discussion in Chapter 2. Table 4.1. Key Managements Comparison.
Criteria | Communication Channel: Unicast | Communication Channel: Multicast | User Interface | Sensitive Information Storage | DKM
Key Type | long-term, public | group long-term | long-term, public | long-term | dynamic
Key Distribution | yes | yes | yes/no | yes/no | no / moderate
Key Lifetime | indefinite | indefinite | indefinite | indefinite | once
Security Breach Detection | no | no | no | no | yes
Key Type refers to the type of keys employed in the key managements. As discussed in Chapter 2, long-term (master) and public keys are mainly adopted in the extant approaches to sensitive information protection. However, in the proposed security architecture, dynamic keys are adopted in DKM. DKM has the advantage over the others due to the nature of dynamic keys. 46 The informal security comparison with other symmetric keys was presented in Section 2.1.1, and the formal discussion (proof) on the security comparison with symmetric and asymmetric keys was conducted in Sections 3.1.2 and 3.1.3. 141
Key Distribution refers to the process of exchanging shared secrets for encryption. According to the discussion in Section 2.1.1, long-term shared keys involve key distribution, but public and dynamic keys do not. Therefore, the risk of compromising public and dynamic keys is reduced.

Key Lifetime refers to the length of time a key can be used for encryption. As discussed and compared in Section 2.1.1 (Table 2.1), a dynamic key is used only once, which makes the key management stronger compared with the others.

Security Breach Detection refers to the ability of key management to detect a breach of sensitive information systems. As discussed in Sections 2.2, 2.3 and 2.4, when the cryptographic keys (long-term shared and public keys) are breached, the sensitive information will be disclosed. In DKM, dynamic keys are employed, and each key is used only once. Any attempt to reuse an invalidated dynamic key can therefore be detected. Also, the two sets of dynamic keys guarantee that the breach of one set of dynamic keys does not compromise the security of sensitive information systems (DKM) [47].

The proposed DKM has advantages over the other key managements (discussed in Chapter 2) in terms of key type, key distribution, key lifetime and security breach detection. In the following sections, the details of the use of DKM are introduced.

4.2. User-oriented Group Key Management

Along with the popularity of group-oriented communication systems, sensitive information sharing has brought substantial convenience for users. However, sensitive information confidentiality is rising as an important issue for group members. To

[47] The formal proof is conducted in Section 5.1.1.
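As an added illustration of the agreements in Section 4.1.1 and of the breach detection that Table 4.1 attributes to DKM (example code written for this edition, not from the thesis), the following Python models a sender and a receiver that share a registration secret Y, derive the single-use key dk_Yj from the counter j, refuse any counter that has already been consumed (a reused, invalidated key is a detectable breach), and heal a small counter gap by adopting the sender's counter. SHA-256 and HMAC stand in for the thesis's abstract one-way function f; the window size and the sample secret are constructed for the example.

```python
import hashlib
import hmac


def dynamic_key(secret: bytes, j: int) -> bytes:
    # dk_Yj: the j-th dynamic communication key, derived from the shared secret Y
    # and the counter j. SHA-256 is an assumed stand-in for the one-way function f.
    return hashlib.sha256(secret + j.to_bytes(4, "big")).digest()


def security_token(secret: bytes, j: int, msg: bytes) -> bytes:
    # Security token for one message: an HMAC under the single-use key dk_Yj.
    return hmac.new(dynamic_key(secret, j), msg, "sha256").digest()


class Sender:
    """Object side: every message consumes the next key; a key is never reused."""

    def __init__(self, secret: bytes):
        self.secret, self.j = secret, 0

    def send(self, msg: bytes):
        j, self.j = self.j, self.j + 1
        return j, msg, security_token(self.secret, j, msg)


class Receiver:
    """Verifier side: tracks the highest consumed counter j.

    * j <= last_j  : an invalidated key is being reused, so a breach is detected.
    * small gap    : counters drifted (lost messages); heal by adopting j.
    * large gap    : outside the negotiable window; a fault heal event is needed.
    """

    def __init__(self, secret: bytes, window: int = 4):
        self.secret, self.window = secret, window
        self.last_j = -1
        self.breaches = []

    def receive(self, j: int, msg: bytes, tag: bytes) -> str:
        if j <= self.last_j:
            self.breaches.append(j)
            return "breach:key-reuse"
        if j - self.last_j > self.window:
            return "out-of-sync"
        if not hmac.compare_digest(security_token(self.secret, j, msg), tag):
            return "bad-token"
        self.last_j = j  # dk_Yj is now consumed; counter healed to the sender's j
        return "ok"


def scenario():
    """Replay, a healable gap and an unhealable gap; returns (results, breaches)."""
    secret = b"constructed-shared-secret-Y"  # constructed demo value only
    tx, rx = Sender(secret), Receiver(secret)
    results = []
    m0 = tx.send(b"hello")
    results.append(rx.receive(*m0))             # ok (j = 0)
    results.append(rx.receive(*m0))             # replayed packet: key 0 reused
    results.append(rx.receive(*tx.send(b"x")))  # ok (j = 1)
    tx.send(b"lost"); tx.send(b"lost")          # two messages dropped (j = 2, 3)
    results.append(rx.receive(*tx.send(b"y")))  # j = 4, gap 3 <= window: healed
    for _ in range(6):
        tx.send(b"lost")                        # j = 5..10 dropped
    results.append(rx.receive(*tx.send(b"z")))  # j = 11, gap 7 > window
    return results, rx.breaches
```

The receiver never stores the keys themselves, only the counter; that is what makes reuse detectable without a key database, and the window bounds how far the counters may drift before the fault heal negotiation of Section 4.1.1 has to run.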
achieve confidentiality in group (multicast) communication, group key management for sensitive information systems requires key secrecy, backward secrecy and forward secrecy. In addition, it also requires flexible and efficient rekeying operations. Privacy for users in sensitive information systems remains a challenge for group key management. In this section, user-oriented group key management (UGKM) is formally introduced. A security comparison is then conducted to show the advantages of the proposed group key management.

4.2.1. Key Tree Structure

Given the drawbacks of the existing multicast communication channel approaches discussed in Section 2.2.2, the UGKM scheme (defined in Definition 3.5) must guarantee privacy protection for group members and confidentiality for sensitive information systems. It must also be suitable for groups with a large number of members. In order to protect the privacy of individuals in sensitive information systems, UGKM categorizes group members U into active users [48] and passive users. Also, several new concepts are introduced. Meanwhile, each virtual cluster is formed by a passive user as a leader, and each virtual cluster is able to contain only one active user but one or more passive users. In addition, in accordance with Equation 3.9 (key tree) and Definition 3.5, UGKM is a two-tier hybrid group key management that focuses on privacy protection and confidentiality of sensitive information. Figure 4.1 depicts the logical structure of

[48] Active and passive users refer to Definition 3.3.
UGKM. It is divided into two levels: the passive user level and the active user level. The passive user level consists only of passive users who participate in the sensitive information sharing and accessing of other active users. As mentioned in Equation 3.5, if a passive user wants to share its sensitive information, the user must transform into an active user. The active user level employs a group key tree distribution scheme; it is formed by one active user and several passive users. Meanwhile, one passive user is promoted to leader to construct a virtual cluster. As defined in Definition 3.5 (Equation 3.10), each virtual cluster has only one active user, and a passive user can belong to multiple virtual clusters. The key management of this level is conducted by a contributory group key management scheme. According to the structure in SecureSIS [49], each LSGC associates with a subgroup to manage sensitive information sharing, and all LSGCs together constitute a multicast group UGKM. Moreover, each LSGC consists of an object from AAM, DKM and SIM. Therefore, each LSGC can simultaneously perform as a key server, an authentication and authorization server and a sensitive information server.

[49] The structure refers to Section 3.2.7.
Figure 4.1. Logical Structure of UGKM.

UGKM is presented as tree-based group key management. However, when an active user joins the system, one of the passive users will reconstruct a dynamic virtual cluster under the subgroup. The logical structure of UGKM can be built in two steps:

i) During the group initiation phase, a key tree is set up for the passive user level. Passive members are assigned to this level.
ii) After the passive user level initialization is completed, active users are assigned to the active user level and a key ring is built for each active user. Meanwhile, a leader is selected from the passive users and assigned to the virtual cluster.

In this section, the key structure of UGKM was presented. In the next section, the security properties of UGKM will be given.
4.2.2. UGKM Cryptographic Properties

A comprehensive group key agreement solution must handle adjustments to group secrets subsequent to all membership change operations in the underlying group communication system. In order to guarantee the security of multicast content, the proposed UGKM must have the desired properties. As discussed in Section 3.1.1, key freshness is one of the most important requirements of dynamic key management. Key freshness also applies to group key management, together with the following properties extended from Kim and Perrig et al. [KPeTs04]:

Group Key Secrecy guarantees that it is computationally infeasible for a passive adversary to discover any group key.

Forward Secrecy guarantees that a passive adversary who knows a contiguous subset of previous group keys cannot discover subsequent group keys.

Backward Secrecy guarantees that a passive adversary who knows a contiguous subset of group keys cannot discover preceding group keys.

Key Independence guarantees that a passive adversary who knows any proper subset of group keys cannot discover any other group key.

Since the proposed UGKM is a hybrid group key management scheme, the passive user level employs group key tree management while the active user level adopts contributory group key management. The following notable features are associated with all protocols:

- Each passive group member receives a group key. The key is computed and distributed under the same protocol.
- Each active group member contributes an equal secret to a group key (virtual cluster key). The key is computed as a function of all current group members' secrets.
- For active group members, each secret is private and is never revealed to other members.
- All protocol messages are sequence-numbered.

This section gave the security properties of group keys. In the next section, the generation of group keys in UGKM will be discussed.

4.2.3. Group Keys

Group keys are used to secure communications in SIS. The proposed hybrid group key management adopts contributory and group key tree agreements. Therefore, two algorithms are needed to generate group keys. For a passive user, group key tree management is applied, and a LSGC generates random group keys for members. However, for an active user, contributory key management is applied. As defined [50], active users can only belong to virtual clusters. Thus, the algorithm for generating a key for a virtual cluster requires all involved entities to contribute their secrets. Moreover, referring to the dynamic key agreement, each individual has two sets of dynamic keys. One feature of dynamic communication keys, dk_Yj ∈ DK_Y, is used as the contributed secrets. The virtual cluster key generation algorithm is described in more detail as follows:

[50] It refers to Definition 3.5.
Assume a virtual cluster vc_n ∈ VC consists of one active user and m−1 passive users (say vc_n = {u_1, ..., u_m}), and f(x) is the special one-way function used in dynamic key management.

i) All users in vc_n form a network topology, and the leader of vc_n distributes a large prime number p to all members in vc_n.
ii) Every user u_i ∈ vc_n contributes a secret s_i = f(dk.u_i_Yj) mod p to the leader.
iii) The leader gathers the key materials and broadcasts intermediate values to the other group users, depending on the network topology, so that all users u_i ∈ vc_n generate the virtual cluster key K_vc = f(s_1 ... s_m) mod p.

This section presented a virtual cluster key generation algorithm for UGKM. In the next section, member key operations, such as join and leave, will be discussed.

4.2.4. Member Join

Join is the procedure invoked by a user who wishes to become a member of a multicast group. In SecureSIS, users are categorized into passive and active users. Also, active users can only join virtual clusters. Therefore, there are three scenarios: an active user joins the system, a passive user joins a cluster, and a passive user joins an existing virtual cluster. These scenarios are illustrated in Figure 4.2.
Figure 4.2. User Join Operations.

Active User Joins. When an active user (active user 1 in Figure 4.3) wishes to join the group, it applies the active user level key distribution agreement. According to Definition 3.5, it does not need backward secrecy, and the join procedure starts with an active user join request.

i) First, active user 1 contacts a LSGC, and the LSGC forwards the request to AAM for authentication [51] via a secure unicast channel. Precisely:
   active user 1 → LSGC : {Active_user_join_request}
ii) After successful verification, one of the passive users (say passive user 1) is selected as the leader. Then the leader constructs a dynamic virtual cluster vc_1 ∈ VC that connects all relevant members (say passive users 2, 1 and 3).

[51] Authentication and authorization will be discussed in Section 4.3; in this member join section, only the message communication is discussed.
Figure 4.3. Active User Join.

iii) All members of vc_1 then start to contribute secrets and generate a virtual cluster key. The key is synchronized with a LSGC for sharing sensitive information among members, based on the virtual cluster key generation algorithm [52]. Precisely:
   leader (passive user 1) → LSGC : {K_virtual_cluster}_{dk.leader1_Yj}

[52] It refers to Section 4.2.4.
When an active user joins, a new virtual cluster is created and a virtual cluster key is contributed by all group members. Also, a passive user is chosen as the leader of the created virtual cluster. The passive user (leader) has all relevant group keys (for example, leader 1 has the subgroup1 key K_subgroup1 and the root key K_root). Furthermore, the LSGC knows the new virtual cluster key. Consequently, no rekeying operation takes place. In other words, an active user join action does not affect the whole group, and the virtual cluster leader takes responsibility for sensitive information forwarding.

Passive User Joins Cluster. When a passive user (for example, passive user 4 in Figure 4.4) wants to join the group, it applies the passive user level key distribution agreement. Backward secrecy must be guaranteed to prevent the new member from accessing previous group communications. The join procedure starts with a passive user join request:

i) First, passive user 4 contacts the nearby LSGC, and the LSGC forwards the request to AAM for authentication via a secure unicast channel. Precisely:
   passive user 4 → LSGC : {Passive_user_join_request}
ii) After successful verification, the LSGC updates the group keys for backward secrecy (for example, passive user 4 is assigned to cluster 2, c_2 [53]). Precisely:
   ∀ u ∈ c_2 (existing members): LSGC → u : {Join_key_update}
   ∀ u ∈ c_2 (existing members): LSGC → u : {K_new_root, K_new_subgroup2, K_new_cluster2}_{K_cluster2}
   LSGC → passive user 4 : {K_new_root, K_new_subgroup2, K_new_cluster2}_{dk.4_Yj}

[53] c_2 refers to Section 3.2.4 (Equation 3.9).
When a passive user joins the group, it triggers the group key tree management scheme and a rekeying operation is incurred. However, as discussed in Chapter 2 (Sections 2.2.1 and 2.2.2), in order to overcome the security threats of long-term shared secrets between individual members and the system, UGKM uses dynamic communication keys in place of the long-term shared keys to secure the communication channel. The same process applies to passive users joining multiple clusters and virtual clusters.

Passive User Joins Existing Virtual Cluster. If a passive user (passive user m in Figure 4.3) wants to join an existing virtual cluster vc_n, it needs to apply contributory group key management. For backward secrecy, the old virtual cluster key must be replaced with a new contributed key:

i) First, passive user m contacts the nearby LSGC and the LSGC forwards the request to AAM for authentication via a secure unicast channel. Precisely:
   passive user m → LSGC : {Passive_user_join_virtual_cluster_request}
ii) After successful verification, a new virtual cluster key is generated by the leader and passive user m via the virtual cluster key generation algorithm. For example, it shifts the former virtual cluster key by one bit and combines it with the contributed secret of user m. Precisely:
   s_m = f(dk.m_Yj)
   K_new_virtual_cluster = f(h(cyclic bit shift of (K_virtual_cluster)) s_m)
Figure 4.4. Passive User Join Cluster.

iii) Once the new virtual cluster key is generated, leader 1 broadcasts the new key in the virtual cluster and informs the LSGC. Precisely:
   ∀ u ∈ vc_n: leader 1 → u : {K_new_virtual_cluster}_{K_virtual_cluster}
   leader 1 → LSGC : {K_new_virtual_cluster}_{dk.leader1_Yj}
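The virtual cluster key generation algorithm of Section 4.2.3 and the join-by-bit-shift rule just given, as an added Python example written for this edition (not code from the thesis). The thesis leaves f and the leader's "intermediate values" abstract; this example assumes SHA-256 for f and a leader-ordered group Diffie-Hellman up-flow over a demo-sized Mersenne prime, which keeps each member's secret s_i private while letting every member compute the same K_vc. The prime, the generator, and the sample dynamic keys are constructed for the example and far too small for real use; the concatenation in the join rule is also an assumption, since the thesis writes h(...) and s_m side by side without an operator.

```python
import hashlib

# Demo Diffie-Hellman parameters (assumption of this example, not from the thesis).
P = (1 << 127) - 1   # Mersenne prime 2^127 - 1; only for illustration
G = 3


def f(data: bytes) -> bytes:
    # Stand-in for the thesis's special one-way function f.
    return hashlib.sha256(data).digest()


def contribution(dk: bytes) -> int:
    # s_i = f(dk_Yj) mod p, forced into [1, p-2] so it is a usable exponent.
    return int.from_bytes(f(dk), "big") % (P - 2) + 1


def upflow(values, s):
    """One member's step of the leader-ordered up-flow.

    values[:-1] are partial products each missing exactly one earlier member's
    secret; values[-1] is the product of all secrets so far. The member raises
    every 'missing-one' value by s, keeps the old full value (which now misses
    only s), and appends the new full value.
    """
    return [pow(v, s, P) for v in values[:-1]] + [values[-1], pow(values[-1], s, P)]


def virtual_cluster_key(dks):
    """All m members of vc_n derive K_vc = f(g^(s_1 ... s_m) mod p).

    Returns (key, agreed): agreed is True iff every member computed the same
    key from the leader's broadcast; no s_i ever leaves its owner.
    """
    secrets = [contribution(dk) for dk in dks]
    values = [G]
    for s in secrets:                      # members 1..m in turn; member m leads
        values = upflow(values, s)
    broadcast = values[:-1]                # leader broadcasts the m missing-one values
    leader_view = values[-1]
    member_views = [pow(broadcast[i], s, P) for i, s in enumerate(secrets)]
    agreed = all(v == leader_view for v in member_views)
    return f(leader_view.to_bytes(16, "big")), agreed


def rotl256(k: bytes) -> bytes:
    # Cyclic left shift of a 256-bit key by one bit.
    n = int.from_bytes(k, "big")
    n = ((n << 1) | (n >> 255)) & ((1 << 256) - 1)
    return n.to_bytes(32, "big")


def join_virtual_cluster(k_vc: bytes, dk_new: bytes) -> bytes:
    """Passive user m joins vc_n: K_new = f(h(rotl(K_vc)) || s_m).
    Concatenation of the two terms is assumed."""
    s_m = contribution(dk_new).to_bytes(16, "big")
    return f(hashlib.sha256(rotl256(k_vc)).digest() + s_m)
```

Because the join derivation is a one-way function of the old key, existing members can compute K_new locally once they hold s_m's contribution, while the newcomer, who only ever receives K_new, cannot recover K_vc, which is the backward secrecy the text asks for.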
No matter whether the joining user is active or passive, if the user wishes to join a virtual cluster, contributory group key management is applied. Therefore, no rekeying operation occurs. To protect the privacy of active users, when a passive user wants to join an existing virtual cluster, the passive user needs access permission from the active user in the virtual cluster. These details are discussed in Section 4.3.

4.2.5. Member Leave

Leave is the operation invoked by a group member who wishes to leave the multicast group. Similar to the join operation, there are three scenarios for the member leave operation: an active user leaves the system, a passive user leaves the system, or a passive user leaves an existing virtual cluster. These scenarios are illustrated in Figure 4.5.

Figure 4.5. User Leave Operations.

Active User Leaves. Suppose an active user (active user 1 in Figure 4.3) wants to leave the system. It does not need forward secrecy, because virtual clusters are containers for
active users (Definition 3.5). When the active user leaves, the virtual cluster vc_n ∈ VC is destroyed. The leave procedure starts with an active user leave request.

i) First, active user 1 sends a leave request to the virtual cluster leader (say leader 1), and the leader forwards the request to the LSGC to remove the virtual cluster. Precisely:
   active user 1 → leader 1 : {Active_user_leave_request}
   leader 1 → LSGC : {Active_user_leave_request}
ii) The leader then broadcasts to all members that the virtual cluster has been invalidated and is no longer available, and that the virtual cluster key will be removed from each member. Precisely:
   ∀ u ∈ vc_n: leader 1 → u : {virtual_cluster_invalid}_{K_virtual_cluster}

The concept of virtual clusters focuses on active users. Each virtual cluster has only one active user, and it is the existence of the active user that determines the virtual cluster. Virtual clusters allow active users to visit their sensitive information frequently and share their information with authorized passive users. When the active user leaves the virtual cluster, the cluster is destroyed.

Passive User Leaves Cluster. If a passive user (for example, passive user 4 in Figure 4.4) wants to leave cluster 2 (say c_2), it needs to apply the passive user level key distribution agreement. Forward secrecy must be guaranteed to prevent the leaving user from accessing future group communications. The leave operation begins with a passive user leave request.

i) First, passive user 4 sends a leave request to the LSGC. Precisely:
   passive user 4 → LSGC : {Passive_user_leave_request}
ii) Upon receipt, the LSGC triggers a key update for the other group members and unicasts new group keys to the users of cluster c_2. Precisely:
   ∀ u_k ∈ c_2: LSGC → u_k : {Group_key_update}
   ∀ u_k ∈ c_2: LSGC → u_k : {K_new_root, K_new_subgroup2, K_new_cluster2}_{dk.u_k_Yj}

When a passive user leaves a cluster, it triggers the group key tree management scheme and a rekeying operation takes place. For forward secrecy, the new group keys are unicast to the involved cluster members in c_2 under dynamic communication keys to secure the key materials. The security of UGKM is therefore guaranteed.

Passive User Leaves Existing Virtual Cluster. If a passive user (for example, passive user 3 in Figure 4.3) wants to leave the virtual cluster vc_n, the virtual cluster will not be destroyed (as it is when an active member leaves). However, to ensure backward secrecy, the virtual cluster key needs to be updated. This action does not affect other group members.

i) First, passive user 3 sends a leave request to leader 1. Leader 1 removes user 3 from the vc_n member list and then updates the LSGC. Precisely:
   passive user 3 → leader 1 : {Passive_user_leave_virtual_cluster_request}
   leader 1 → LSGC : {vc_n − user 3}
ii) The LSGC then triggers the virtual cluster key generation algorithm to generate a new virtual cluster key with the existing members in vc_n.
Passive users leaving several virtual clusters at the same time follow the procedure of this algorithm. However, when the passive user wants to leave the system, the procedure applies group key tree management. Because the passive user does not provide sensitive information for virtual cluster members, the passive user does not have any impact on the virtual cluster. For forward secrecy, only a new virtual cluster key is required.

This section introduced member leave operations for passive and active users in UGKM. From a security aspect, group keys are threatened if no rekeying operation occurs within a particular period. The next section therefore introduces periodic rekeying operations to overcome this security threat.

4.2.6. Periodic Rekeying Operation

The periodic rekeying operation is a process to renew the group keys in the system for security purposes. It does not relate to either the join or the leave key operations. After a period of time, the group keys become vulnerable to key compromise and cryptanalysis attacks. This operation helps the system to reduce those risks. Because active users know virtual cluster keys rather than group keys, the periodic rekeying operation applies to passive users only. It also employs group key tree management. For example, if the last rekeying operation [54] occurred at time t and a passive user has a life cycle [t_1, t_2], then t_1 ≤ t ≤ t_2, as illustrated in Figure 4.6. Let t_0 be the time period for the security parameter, depending on the security levels (requirements). The periodic rekeying algorithm is shown below:

i) When the last rekeying operation occurred, the LSGC marks the time as t.

[54] The last rekeying event refers to a passive user join or leave operation.
ii) The LSGC monitors whether t_2 − t > t_0; if so, it triggers a rekeying operation.
iii) The LSGC then updates t to t + t_0 (t ≤ t + t_0 ≤ t_2). If t < t_2, the LSGC repeats step ii).

Figure 4.6. Periodic Rekeying Timeline.

4.2.7. Security Comparison

In this section (4.2), the UGKM key tree was introduced based on Definition 3.5. Its cryptographic properties were also discussed, together with four notable features. The group key generation algorithm and the rek­eying operation were then introduced for UGKM. Meanwhile, all unique long-term shared keys between individuals and group key servers were replaced by dynamic communication keys; hence the security of a multicast group is better than that of groups [55] which secure the communication channel based on a long-term shared key. Group members (users) are divided into two categories: passive users, who do not share their sensitive information but access the information of others; and active users, who share sensitive information with passive users. Also, each active user, when combined with passive users, constructs a virtual cluster. This prevents active users from accessing the sensitive information of other active users. These features of

[55] Security is discussed in detail in Chapter 5.
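The passive user level of Sections 4.2.4 to 4.2.6, as an added Python model written for this edition (not code from the thesis): one LSGC keeps the three-level key tree K_root → K_subgroup → K_cluster, rekeys the path on a passive user's join (new keys to existing cluster members under the old cluster key, to the joiner under its dynamic key) and leave (new keys unicast per remaining member under that member's dynamic key), and runs the periodic rekeying when t_0 has elapsed. Encryption is only modelled: each distribution records the wrapping key, and a user's knowledge set grows only if it already holds that key, which is enough to check the backward and forward secrecy claims. The thesis's messages only name the affected cluster; delivering the new subgroup and root keys to sibling clusters under their own cluster keys is this example's assumption of how the rest of the tree is kept consistent.

```python
import secrets


class LSGCKeyTree:
    """Passive user level of UGKM under one LSGC (modelled, not encrypted)."""

    def __init__(self, t0):
        self.t0, self.last_rekey = t0, 0      # t0: periodic rekey interval
        self.clusters, self.members = {}, {}  # cluster -> subgroup, user -> cluster
        self.keys, self.known, self.j = {}, {}, {}

    def add_cluster(self, cluster, subgroup):
        self.clusters[cluster] = subgroup
        for node in ("K_root", "K_" + subgroup, "K_" + cluster):
            self.keys.setdefault(node, secrets.token_hex(8))

    def _users(self, cluster):
        return [u for u, c in self.members.items() if c == cluster]

    def _fresh(self, node):
        self.keys[node] = secrets.token_hex(8)
        return (node, self.keys[node])

    def _dk(self, user):
        # Next single-use dynamic communication key dk.user_Yj (held by user and LSGC).
        j = self.j.get(user, 0)
        self.j[user] = j + 1
        dk = ("dk." + user, "Y%d" % j)
        self.known.setdefault(user, set()).add(dk)
        return dk

    def _send(self, users, new_keys, wrap):
        # {new_keys}_wrap: only a holder of 'wrap' learns new_keys.
        for u in users:
            if wrap in self.known.setdefault(u, set()):
                self.known[u].update(new_keys)

    def _rekey_path(self, cluster, now):
        """Fresh K_root, K_subgroup, K_cluster. Sibling clusters receive the subset
        they are entitled to under their own current cluster key (assumption);
        the caller decides how the affected cluster itself receives the keys."""
        sg = self.clusters[cluster]
        new = [self._fresh("K_root"), self._fresh("K_" + sg), self._fresh("K_" + cluster)]
        for c, s in self.clusters.items():
            if c != cluster:
                entitled = [k for k in new if k[0] == "K_root" or (s == sg and k[0] == "K_" + sg)]
                self._send(self._users(c), entitled, ("K_" + c, self.keys["K_" + c]))
        self.last_rekey = now
        return new

    def join(self, user, cluster, now):
        old = ("K_" + cluster, self.keys["K_" + cluster])
        new = self._rekey_path(cluster, now)
        self._send(self._users(cluster), new, old)   # existing members: under old K_cluster
        self.members[user] = cluster
        self._send([user], new, self._dk(user))       # joiner: under its dynamic key only

    def leave(self, user, now):
        cluster = self.members.pop(user)
        new = self._rekey_path(cluster, now)
        for u in self._users(cluster):                # forward secrecy: unicast per member
            self._send([u], new, self._dk(u))

    def periodic_rekey(self, now):
        """Renew all tree keys once t0 has elapsed since the last rekeying event."""
        if now - self.last_rekey < self.t0:
            return False
        for cluster in list(self.clusters):
            old = ("K_" + cluster, self.keys["K_" + cluster])
            self._send(self._users(cluster), self._rekey_path(cluster, now), old)
        return True

    def holds_current(self, user, node):
        return (node, self.keys[node]) in self.known.get(user, set())
```

The two secrecy properties fall out of the wrapping choice: a joiner only ever sees keys wrapped under its own fresh dynamic key, so it never learns the pre-join versions; a leaver never receives the post-leave versions because they are unicast only to the members that remain.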
UGKM guarantee the privacy of each active user. Although performance is not one of the major design goals of the architecture, it is also improved, because active users joining the system and passive users joining existing virtual clusters do not trigger rekeying operations.

The security features of tree-based group key distribution, contributory group key distribution and UGKM are shown in Table 4.2. The comparison criteria are based on the cryptographic key required for unicast, the cryptographic key required for multicast, the security of the rekeying operation and the privacy of individuals.

Table 4.2. Security Comparison of Group Key Management.

Criterion          | Tree-based Group Key | Contributory Group Key | UGKM (Passive Users) | UGKM (Active Users)
Unicast key        | long-term shared key | long-term shared key   | dynamic key          | dynamic key
Multicast key      | group key            | contributory key       | group key            | virtual cluster key
Privacy Protection | no                   | no                     | yes                  | yes

The Unicast Key is a cryptographic key in group key management that is used to secure the delivery of information packets to a single destination. When a group key server unicasts new group keys or information to a user, a long-term shared key is employed to secure the communication in tree-based and contributory group key management. However, in our proposed UGKM, only dynamic keys are used. As shown in Table 4.1, UGKM provides more secure unicast communication than the others.

The Multicast Key is a cryptographic key in group key management that protects the delivery of information to a group of destinations. For tree-based group key management, a random key (group key) is used to protect sensitive information. Since the key is used until a rekeying operation occurs, and the lifetime of a group key is that
of a session key, the security of group keys is equivalent to that of session keys. For contributory group key management, a contributory key is generated among all group members. Thus, the security of the key is weakened, and the security of the keys lies between the security of long-term shared keys and the security of session keys. As defined in UGKM, active users nominate group members [56] and each member contributes a dynamic key to form a virtual cluster key. Also, the lifetime of a virtual cluster is much shorter than the lifetime of normal groups. Therefore, the security of a UGKM virtual cluster key lies between the security of session keys and the security of dynamic keys.

Privacy Protection is the ability of individuals in group key management to seclude or reveal their own sensitive information selectively. As discussed in Chapter 2, neither tree-based nor contributory group key management considers privacy protection for individuals. All members share information securely, and individuals cannot manage their own sensitive information in the system. However, UGKM employs virtual clusters to secure the sensitive information of active users, and allows only one active user in a virtual cluster. Compared to the other key management schemes, UGKM provides greater privacy protection.

As discussed in this section, the proposed hybrid UGKM solves the privacy problem by adopting contributory key agreement, and also solves the scalability problem of contributory key agreement by using tree-based group key management. Also, by applying dynamic key theory to UGKM for unicast communication, it enhances the security of UGKM. Therefore, the unicast communication channel and

[56] Nominating members is discussed in detail in Section 4.4.
multicast communication channel are fully protected. The next section introduces AAM for the protection of the user interface.

4.3. Authentication and Authorization Management

Confidentiality is the most crucial security requirement for sensitive information systems. Confidentiality relates to the authentication and authorization processes that are responsible for the security of the user interface. These processes guarantee that sensitive information is only accessed by the intended authorized users. Currently, a number of approaches, discussed in Section 2.3, authenticate and authorize users in sensitive information systems. These approaches are not sufficiently flexible to allow users to negotiate for access control of the resource. Nor do they focus on the privacy of the information owner, especially in health and military information systems. Another problem is that these approaches do not provide verification for group members. Although group key management is a solution to provide secure authentication for group members, these approaches do not possess the ability to delegate access control for and from users in sensitive information systems. As mentioned, these approaches have the common limitation of employing long-term shared keys. Therefore, once the keys are exposed, a sensitive information system will be compromised.

In this section, a formal authentication and authorization management scheme is introduced. This scheme allows users to authenticate themselves and to have fine-grained control over portions of their records. It focuses on privacy protection and offers secure authentication and flexible authorization for individuals and group members.
Last, the proposed authentication and authorization management is compared with others to show its security advantages.

4.3.1. AAM Structure

As defined in Section 3.2.7, each LSGC consists of an object of AAM, SIM [57] and DKM. Meanwhile, the AAM object manages and performs system verification and access control. It allows a user or group of users to share or access the sensitive information of others. Also, it allows users to have fine-grained control over delegating access to portions of their information to others. Referring to Figure 3.5, the logical workflow of AAM can be described as follows:

i) U (a user or group of users) requests the sensitive information of another U (a user or group of users) from a LSGC.
ii) After successful verification, the LSGC processes the request based on the security agreement (SA) [58] of the sensitive information. In the SA:NEGOTIATE scenario, a particular protocol [59] is applied to U in order to retrieve the sensitive information.

As defined in Section 3.2.5, Proto consists of Initialization, Logon and AccessAuth, a suite of protocols [60]. The Initialization protocol is a preliminary setting for all users who are registered in the system. The Logon protocol is the procedure used when a user wants to join the system. It is notable that joining a system is different from joining a group. Before a user can join a group, the user must be authenticated to the system. In other words, without successfully verifying with the system, a user cannot

[57] SIM will be introduced in the next section.
[58] The Security Agreement refers to Definition 3.8.
[59] The protocol refers to Section 4.3.4.
[60] Refer to Definition 3.6.
join a group. The AccessAuth protocol is an authentication process for users or group users delegating their sensitive information.

4.3.2. Initialization Protocol

For every user registered in the system, the LSGC generates a unique random identity associated with the user. Separate from dynamic key management, the unique identity generation takes place only in the LSGC. Given aam ∈ AAM (an authentication and authorization management object) and dkm ∈ DKM (a dynamic key management object), the protocol is described as follows:

i) A user u ∈ U registers with the system.
ii) dkm generates a unique random identity id for the user u and two unique random secrets. (The two unique secrets are secretly distributed to the user u for generating dynamic communication keys and dynamic data keys.)
iii) dkm uses the hash value of the first dynamic communication key and the index i of the user to encipher the unique number as eid. Precisely:

   EDI = {id}_{h(i, dk.u_Y0)}   (4.1)

Meanwhile, the generation of id can be varied depending on the security requirement. As suggested, multi-factor authentication provides stronger security for the user interface. Therefore, we suggest that the id can be formed by a combination of a biometric factor (fingerprint, iris or DNA sequence [61]), a possession factor (smart card or token) or a knowledge factor (passwords).

[61] Deoxyribonucleic acid (DNA) [Sa88] is a nucleic acid that contains the genetic instructions used in the development and functioning of all known living organisms and some viruses.
The two unique random secrets could also be generated by the combination of the three factors. When multiple factors are combined to generate id and the secrets, AAM can guarantee that only genuine users will join the system. AAM also guarantees non-repudiation, as users will not be able to deny system activity. In addition, because id is generated from multiple factors of user u, and id is only stored in one of the DKM objects, the id can be considered as the signature of user u. For a higher security requirement, id and eid can be stored separately. Then the EDI can be denoted precisely:

   EDI = {id}_{h(i, dk.u_Yj)}   (4.2)

Meanwhile, j is the index of the corresponding dynamic communication key of user u. This means that when a user leaves the group, the EDI needs to be updated by regenerating it with a current dynamic communication key of the user u. In other words, when the passive-user-leaves-cluster algorithm or the active-user-leave algorithm is invoked, an EDI update event will be triggered in order to synchronize the index j with the user for the next logon to the sensitive information system.

4.3.3. Logon Protocol

The Logon protocol is used as the first security shield to protect sensitive information systems. Once a user successfully verifies with a LSGC, the user is able to request and join a group. In other words, before joining a group, a user must be authenticated as a legitimate user. The protocol is depicted as follows:

i) A user sends a request to aam ∈ AAM:
   ∀ u ∈ U: u → aam : {logon_request, h(i, dk.u_Y(j−1))}_{dk.u_Yj};  i, j ∈ N*
ii) aam then requests a dynamic communication key of the user from dkm. Note that the communication between aam and dkm takes place internally, although component dynamic keys are used to prevent internal attacks.
   aam → dkm : {key_request, i}_{cdk.aam_l}
   dkm → aam : {dk.u_Yj}_{cdk.aam_(l+1)}
iii) After understanding the received packet, aam uses h(i, dk.u_Y(j−1)) as a key K to decipher eid. If, and only if, the deciphered value is the same as id, then the user is legitimate, and the user can make further requests, such as to join a group or to access sensitive information. Note that, for a high security requirement, id can be stored in a different place. Then aam needs to send the deciphered value to verify id.
   v(u, eid) = (id = {eid}~K_j) ? true : false
iv) Subsequently, aam sends back a challenge to verify itself to the user.
   aam → u : {logon_request, h(logon_request, dk.u_Yj)}_{dk.u_Y(j+1)}
v) When the user leaves the system, the current dynamic communication key of the user is used to generate a new key K' = h(i, dk.u_Y(j+n)) and to produce a new eid' to replace the old eid, where n is a natural number indicating the number of messages performed by the user in the system.
   eid' = {{eid}~K}_{K'}
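The Initialization and Logon protocols of Sections 4.3.2 and 4.3.3, as an added Python example written for this edition (not code from the thesis). One LSGC object plays aam and dkm together: it enciphers the identity as EDI under h(i, dk.u_Y0) at registration, accepts a logon only when the user presents h(i, dk.u_Y(j−1)) under the fresh key dk.u_Yj and that value deciphers EDI back to id, rejects a replayed counter, and re-enciphers EDI under K' = h(i, dk.u_Y(j+n)) when the user leaves after n messages. SHA-256 for h and f, a SHA-256 keystream XOR as the enciphering {·}_K (a toy cipher chosen only so the block runs without libraries), and the sample secret and identity are assumptions of the example; the logon_request label and the aam challenge of step iv are omitted to keep the block short.

```python
import hashlib
import hmac


def dynamic_key(secret: bytes, j: int) -> bytes:
    # dk.u_Yj: the j-th dynamic communication key of user u (SHA-256 stands in for f).
    return hashlib.sha256(secret + j.to_bytes(4, "big")).digest()


def ib(i: int) -> bytes:
    return i.to_bytes(4, "big")


def h(*parts: bytes) -> bytes:
    # h(i, dk): SHA-256 over the length-framed arguments.
    return hashlib.sha256(b"".join(len(p).to_bytes(2, "big") + p for p in parts)).digest()


def encipher(key: bytes, data: bytes) -> bytes:
    # {data}_key as XOR with a SHA-256 keystream: a toy cipher for the example only.
    blocks = len(data) // 32 + 1
    stream = b"".join(hashlib.sha256(key + n.to_bytes(4, "big")).digest() for n in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))


decipher = encipher  # {x}~K: XOR is its own inverse


class LSGC:
    """aam + dkm of one LSGC: stores each user's secret, id, EDI, the index of the
    key that enciphered EDI (Eq. 4.2) and the highest key index already consumed."""

    def __init__(self):
        self.users = {}

    def register(self, i: int, secret: bytes, identity: bytes):
        # Initialization step iii: EDI = {id}_h(i, dk.u_Y0)  (Eq. 4.1)
        k = h(ib(i), dynamic_key(secret, 0))
        self.users[i] = {"secret": secret, "id": identity, "edi": encipher(k, identity),
                         "edi_j": 0,   # index j of the key behind the current EDI
                         "used": 0}    # highest dynamic key index consumed so far

    def logon(self, i: int, j: int, packet: bytes) -> bool:
        """Logon step iii: decipher with dk.u_Yj, take the offered h(i, dk.u_Y(j-1))
        as K, and accept iff {EDI}~K equals id. A counter at or below 'used' is a
        reused key and is refused; j must follow the key that made EDI."""
        u = self.users.get(i)
        if u is None or j <= u["used"] or j - 1 != u["edi_j"]:
            return False
        offered = decipher(dynamic_key(u["secret"], j), packet)
        k = h(ib(i), dynamic_key(u["secret"], j - 1))
        ok = hmac.compare_digest(offered, k) and hmac.compare_digest(decipher(k, u["edi"]), u["id"])
        if ok:
            u["used"] = j
        return ok

    def update_edi(self, i: int, n: int):
        """Logon step v: after n further messages the user leaves; EDI is moved to
        K' = h(i, dk.u_Y(j+n)) so the next logon uses a fresh index."""
        u = self.users[i]
        old_k = h(ib(i), dynamic_key(u["secret"], u["edi_j"]))
        u["used"] += n
        u["edi_j"] = u["used"]
        new_k = h(ib(i), dynamic_key(u["secret"], u["edi_j"]))
        u["edi"] = encipher(new_k, decipher(old_k, u["edi"]))


def user_logon_packet(i: int, secret: bytes, j: int) -> bytes:
    # User side of step i: {h(i, dk.u_Y(j-1))}_dk.u_Yj
    return encipher(dynamic_key(secret, j), h(ib(i), dynamic_key(secret, j - 1)))
```

Note what the check actually proves: the user demonstrates knowledge of two consecutive dynamic keys (j−1 through the hash, j through the enciphering) without the LSGC holding any password, and because the counter is consumed on success, a captured logon packet cannot be played back.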
4.3.4. AccessAuth Protocol

The AccessAuth protocol offers an authentication and authorization mechanism for sensitive information sharing among groups and users. It enables privacy protection whereby owners can take full control of their sensitive information. The protocol also manages group-to-group, group-to-individual, individual-to-individual and individual-to-group authentication and authorization. The mechanism is illustrated in Figure 4.7.

Figure 4.7. AccessAuth Protocol Logical Flow.

Before depicting the protocol, a participant classification is given to clarify that participants p_m and p_n can be either a group or an individual. Formally:

Definition 4.1 (Participant Classification PC). PC is a triple consisting of P, T and a mapping P → T, where P is a set of participant objects, T is the enumeration {single, group}, and the mapping P → T is the participant classification mapping.

When the classification type is T:single, P acts as an individual user P ∈ U. When the type is T:group, P is the representative of a cluster c ∈ C ∪ VC, where P ∈ L ∪ VL. In other words, P is the leader of c (a cluster or a virtual cluster). Given p_m, p_n ∈ P (that is, two participants), I_n ∈ I (the information object of p_n), aam ∈ AAM (the authentication and authorization object) and dkm ∈ DKM (a dynamic key management
object), suppose p_m wants to share or access sensitive information I_n belonging to p_n. The protocol is described as follows:

i) p_m generates a token = h(I_n_request, dk.p_m_Y(j−1)) and sends it together with a request to the LSGC. Note that if p_m has the status T:group, p_m is the representative (leader) of a group:
   p_m → LSGC : {I_n_request, token}_{dk.p_m_Yj}
ii) After understanding the request I_n_request and verifying the token, aam in the LSGC checks for permission based on the security agreement [62] of I_n. If p_m is on the SA:DENY list of I_n, the request is rejected. In the opposite case, if p_m is the owner of the requested information or on the SA:ACCEPT list, the process moves to step iv. If neither of the above situations exists, p_m is on the SA:NEGOTIATE list. When p_n is assigned to a group, the request is forwarded to p_n including the new token' = h(I_n_request, dk.p_n_Y(j−1)) that was generated with a dynamic communication key of p_n. Precisely:
   dkm → aam : {dk.p_n_Y(j−1), dk.p_n_Yj}_{cdk.aam_l}
   LSGC (aam) → p_n : {I_n_request, token'}_{dk.p_n_Yj}
iii) After obtaining the token and query from aam, p_n can delegate permissions on each selected portion of the information according to the query and generate a new token'' = h(I'_n_response, dk.p_n_Yj). This token is sent back in the response message to aam, to be ciphered by the next dynamic key. Note that

[62] Security agreement refers to Definition 3.8.
because I ' _ response I _ request, p n has full control of ts own senstve n nformaton: n p L SG C : { I ' _ response, "} dk. p n n Y ( j 1) n v) When aam receves and verfes the token " from p n, pm s able to retreve the senstve data I based on I '_ n n response. If pm has the status of T : sngle, the senstve nformaton wll be uncast to p m : Otherwse, when L SG C p : { I, h( I, dk. p )} dk. p pm m n n Yj m Y ( j 1) m has the status of T : group, the senstve nformaton s multcast to the group where p m c m and encrypted by the group key (ether a cluster key or a vrtual cluster key): u c ; L SG C u : { I, h( I, K )} K m n n cm _ O r _ vcm cm _ O r _ vcm 4.3.5. Securty Comparson In ths secton (4.3), a novel authentcaton and authorzaton management usng a dynamc key-based UGKM s proposed to handle the securty of user nterface. The approach conssts of Intalzaton, Logon and AccessAuth protocols. A number of factors enhance the securty of authentcaton. Frst, the use of dynamc keys n the authentcaton and authorzaton mechansm mproves the securty of SecureSIS. AAM also acheves group-to-group, group-to-ndvdual, ndvdual-togroup and ndvdual-to-ndvdual verfcaton. The use of UGKM gves the proposed AAM the ablty to handle dynamc member authentcaton. The securty features of UGKM enable prvacy protecton of each ndvdual and the AAM allows senstve nformaton owners to take full control on ther assets by delegatng access 168
permssons. These strengths of our proposed AAM are detaled n Table 4.3 and compared to Kerberos and ts successors based on the dscusson n Chapter 2. Table 4.3. Securty Comparson of AAM to Kerberos and ts Successors. Comparson Crteron Kerberos & ts Successors AAM Authentcaton Factors one or multple multple Processng clock synchronzaton & avalablty Requrement of central server no Group Authentcaton no yes Prvacy Protecton no yes Access Negotaton no yes Credentals Lfetme predefned lfetme one message Key Dstrbuton shared sesson key no Trust central server/ certfcate authorty self Keys long-term shared key, sesson key and publc keys. dynamc keys The table above summarzes the advantages of AAM aganst Kerberos and ts successors [Er03, HaMe01, NeYuHa05]. It lsts the features of AAM such as authentcaton factors, group authentcaton, prvacy protecton, access negotaton and keys. The securty aspects of processng requrement, credentals lfetme, key dstrbuton and trust are further dscussed below: Processng Requrement. As dscussed n Chapter 2, Kerberos and ts successors requre clock synchronzaton among all enttes n order to avod replay attacks. However, AAM employs dynamc keys and s mmune to replay attacks due to the nature of dynamc keys whch use each key only once. In addton, whle Kerberos requres the contnuous avalablty of a central server, AAM does not because the LSGCs all form a multcastng group to mantan the consstency of group keys and other key materals. Should one LSGC fal, the authentcaton process can take place remotely. 169
Credentals Lfetme. In Kerberos and ts successors, credentals have a pre-defned lfetme; a user can have one credental for one tme perod. However, n AAM, all credentals (tokens) are used only once. Therefore, n order to perform actons, only genune user has a legtmate credental. Key Dstrbuton. As descrbed n Chapter 2, sesson keys are used n Kerberos to guarantee the securty of nformaton systems. Sesson key dstrbuton s always nvolved. The securty of such Kerberos-based nformaton systems can therefore be compromsed. AAM uses dynamc keys to conduct ts securty. Because of ts cryptographc propertes, no key dstrbuton s necessary. In ths regard, the securty of AAM s better than Kerberos. Trust. To use Kerberos, a trusted central server s necessary. All users need to request a credental to access nformaton. However, n AAM, the combnaton of the use of a dynamc key and the challenge response mechansm 63 solves the trust problem because only genune enttes can produce a nonce token or key. The propertes of dynamc keys guarantee that each entty only needs to trust ts own dynamc keys. In ths secton, AAM has been presented to protect user nterface n SIS. By comparng t wth other wdely-used authentcaton technques, AAM has been shown to provde stronger securty and flexble access control. It can also deal wth group authentcaton and authorzaton. In the next secton, by applyng DKM and UGKM, the management of senstve nformaton at rest wll be ntroduced. 63 The challenge response mechansm was dscussed n Chapter 2. The use of challenge response refers to logon protocol. 170
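One run of the AccessAuth protocol of Section 4.3.4 for both participant types of Definition 4.1, written as an added example and not taken from the thesis. Everything not in the text is an assumption: $h$ is SHA-256, the keys $dk_{Y_j}.p$ are derived as HMAC(seed, j) in place of the thesis's dynamic key generator, the encryption $\{m\}k$ is modelled only as "the holder of $k$ can open $m$", and the names (DKM, Sealed, check_permission, access_auth, demo) and the sample data are constructed.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

same = hmac.compare_digest  # constant-time comparison of keys and hex token strings

def enc(obj) -> bytes:
    """Canonical bytes of a request/response so both sides hash the same thing."""
    return json.dumps(obj, sort_keys=True).encode()

def h(*parts: bytes) -> str:
    """h(.) of the thesis, instantiated as SHA-256 over the joined parts (hex string)."""
    return hashlib.sha256(b"|".join(parts)).hexdigest()

@dataclass
class Sealed:
    """Stand-in for {body}key: whoever opens it must present the key it was sealed with."""
    key: bytes
    body: dict

    def open(self, key: bytes) -> dict:
        if not same(self.key, key):
            raise PermissionError("wrong dynamic communication key")
        return self.body

class DKM:
    """dkm: derives dk_{Y_j}.p for each participant p and tracks its current index j
    (assumed HMAC derivation; the thesis's own dynamic key generator is not reproduced)."""

    def __init__(self, seeds: dict, cluster_keys: dict):
        self.seeds, self.cluster_keys = seeds, cluster_keys
        self.j = {p: 0 for p in seeds}

    def dk(self, p: str, j: int) -> bytes:
        return hmac.new(self.seeds[p], f"Y{j}".encode(), hashlib.sha256).digest()

def check_permission(sa: dict, owner: str, requester: str) -> str:
    """Step ii: SA:DENY rejects; the owner or SA:ACCEPT is granted; SA:NEGOTIATE asks the owner."""
    if requester in sa["DENY"]:
        return "REJECT"
    if requester == owner or requester in sa["ACCEPT"]:
        return "GRANT"
    if requester in sa["NEGOTIATE"]:
        return "NEGOTIATE"
    return "REJECT"  # assumption: a participant named in no list is treated as denied

def access_auth(dkm, pm, ptype, pn, request, store, sa, delegate):
    """Steps i-iv for requester pm (ptype 'single' or 'group') and owner pn.
    Returns the fields pm receives, or None when the request is rejected."""
    jm = dkm.j[pm]
    # i) pm: token tau computed with its *next* key, message sealed with its *current* key
    msg = Sealed(dkm.dk(pm, jm), {"request": request, "tau": h(enc(request), dkm.dk(pm, jm + 1))})
    # ii) aam in the LSGC opens the message and re-derives tau from the keys dkm holds for pm
    body = msg.open(dkm.dk(pm, jm))
    dkm.j[pm] += 1  # one message, one key
    if not same(body["tau"], h(enc(body["request"]), dkm.dk(pm, jm + 1))):
        return None
    decision = check_permission(sa, pn, pm)
    if decision == "REJECT":
        return None
    granted = list(body["request"])
    if decision == "NEGOTIATE":
        jn = dkm.j[pn]
        fwd = Sealed(dkm.dk(pn, jn), {"request": granted, "tau": h(enc(granted), dkm.dk(pn, jn + 1))})
        # iii) pn opens the query, delegates a subset of I_request, answers under its next key
        q = fwd.open(dkm.dk(pn, jn))
        if not same(q["tau"], h(enc(q["request"]), dkm.dk(pn, jn + 1))):
            return None
        granted = [f for f in delegate(q["request"]) if f in q["request"]]
        reply = Sealed(dkm.dk(pn, jn + 1), {"response": granted, "tau": h(enc(granted), dkm.dk(pn, jn))})
        r = reply.open(dkm.dk(pn, jn + 1))
        dkm.j[pn] += 2  # two messages, two keys consumed by pn
        if not same(r["tau"], h(enc(r["response"]), dkm.dk(pn, jn))):
            return None
    # iv) delivery: unicast under pm's next key, or multicast under the cluster key K_cm
    data = {f: store[pn][f] for f in granted}
    if ptype == "single":
        key_tag, key_seal = dkm.dk(pm, jm), dkm.dk(pm, jm + 1)
        dkm.j[pm] += 1
    else:
        key_tag = key_seal = dkm.cluster_keys[pm]
    got = Sealed(key_seal, {"I": data, "tag": h(enc(data), key_tag)}).open(key_seal)
    return got["I"] if same(got["tag"], h(enc(got["I"]), key_tag)) else None

def demo() -> dict:
    """Constructed sample run: owner pn holds three fields; four requesters try the protocol."""
    dkm = DKM({"pn": b"seed-pn", "doctor": b"seed-doctor", "researcher": b"seed-researcher",
               "mallory": b"seed-mallory", "ward": b"seed-ward"},
              {"ward": b"constructed-cluster-key-K_cm"})
    store = {"pn": {"name": "A. Patient", "dob": "1970-01-01", "diagnosis": "constructed"}}
    sa = {"DENY": ["mallory"], "ACCEPT": ["doctor"], "NEGOTIATE": ["researcher", "ward"]}
    req = ["name", "dob", "diagnosis"]
    run = lambda p, t: access_auth(dkm, p, t, "pn", req, store, sa, lambda fields: ["diagnosis"])
    return {"doctor": run("doctor", "single"), "researcher": run("researcher", "single"),
            "mallory": run("mallory", "single"), "ward": run("ward", "group"), "j": dict(dkm.j)}
```

The key counters returned by demo() show the "one message, one key" property of Table 4.3: a rejected requester still consumes the key its request was sent under, and a negotiating owner consumes two.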
4.4. Sensitive Information Management

Protecting sensitive information is a growing concern for everyone around the world. Failing to protect sensitive information may result in high costs, such as losing customers in business and affecting investor confidence. Emerging technologies continually expose sensitive information protection to new security threats. Especially in regard to protecting sensitive information storage, failure to secure the storage results in all sensitive information at rest being disclosed completely. In other words, no matter how sophisticated the security techniques employed, as soon as a breach of sensitive information storage occurs, the sensitive information is disclosed. A number of approaches (discussed in Chapter 2) have been proposed to protect sensitive information storage. However, the majority of solutions consist of prevention of unauthorized alteration of storage, prevention of unauthorized reading of storage areas and encryption of sensitive information. The use of long-term shared keys or public keys is a common technique in the above approaches; unfortunately, these keys have limitations. A better alternative is the use of dynamic keys, which can eliminate the security threats associated with employing long-term shared keys or public keys. In this section, we examine two approaches (database encryption and disk encryption) used by existing information systems to protect sensitive information. After highlighting their security concerns, sensitive information management is introduced formally according to Definition 3.7 (SIM). It integrates the dynamic data keys of users with their sensitive information. The section finishes with a security comparison of SIM with other approaches to informally show the security of SIM.

4.4.1. SIM Structure

Sensitive information management objects contain encrypted sensitive information and other supporting information. Each record or file of a user is enciphered with a different dynamic data key (Definition 3.7). Letting $c_j.u \in CI$ be an object of CI, the structure of a SIM object $sim \in SIM$ is illustrated in Figure 4.8.

Figure 4.8. Structure of a SIM Object.

In the architecture of SecureSIS, several administration areas form a multicast group (UGKM) and each area is managed by a LSGC associated with a subgroup $sg \in SG$. Also, RI, defined in SIM, is a set of indexes for the collected sensitive information. The sensitive information of a user can therefore be stored in different SIM objects. In other words, fragmented sensitive information of a user can be transferred from different geographic locations and located by RI. In addition, sensitive information is enciphered by different dynamic data keys. Therefore, no encryption or decryption action is required between LSGCs while fragmented information is being transferred. Figure 4.9 depicts a scenario in which a user $u_n$ has encrypted sensitive information stored in three SIM objects (three LSGCs).

Figure 4.9. Retrieving Sensitive Information Flow Chart.

Suppose user $u_n$ (an active user in a virtual cluster or in a cluster) has sensitive information stored in the SIM objects $sim_1$, $sim_k$ and $sim_n$. Currently $u_n$ has joined a LSGC which contains the $sim_1$ object. However, the sensitive information $c_k.u_n$ in the $sim_n$ object is required. The flow for retrieving sensitive information is described as follows:

i) $u_n$ requests $c_k.u_n$ from LSGC($sim_1$).
ii) Since all LSGCs constitute a multicast group, RI returns the location of $c_k.u_n$.
iii) With the owner's permission, LSGC($sim_n$) unicasts the sensitive information [64] to $u_n$; this procedure refers to AccessAuth protocol step iv (Section 4.3.4).

4.4.2. Data Operation

The definition of SIM shows that there is no unprocessed plain information stored in the system. To describe the process of securing and managing sensitive information in SIM, an example is illustrated with a user $u_n \in U$ who owns the sensitive information $I_a, I_b, I_c \in I$. Let $c \in CI$ be the stored information for the user $u_n$. First of all, before enciphering, each data operation, such as data entry and data update, triggers SIM to build an index (RI) of the information for fast location over large volumes of data. Then the sensitive information is enciphered and stored. The example shows how dynamic data keys are integrated with the sensitive information $I$.

Initial Stage. Assume $u_n$ has only the information $I_a$; based on the SIM definition, the enciphered data is stored in a SIM object. Before this takes place, $u_n$ needs to apply the Initialization protocol with an AAM object. $u_n$ then has two sets of keys, dynamic data keys and dynamic communication keys, in order to manipulate sensitive information. The initial $c$ for $u_n$ is shown in Figure 4.10.

Figure 4.10. Initial Status of SIM:
$$c:\quad \{I_a\}\ dk_{X_i},\qquad \{dk_{X_i}.u_n\}\ dk_{X_i}$$

[64] The sensitive information $c_k.u_n$ refers to Section 4.3.4, where $I_n$ corresponds to $c_k.u_n$.
Data Entry refers to user $u_n$ having new critical information that needs to be processed and stored in the system. In this operation, it is assumed that $u_n$ needs to process $I_b$ and later $I_c$. The change of $c$ is shown in Figure 4.11.

Figure 4.11. New Data Entry Status of SIM (the three states are: before entering $I_b$; after entering $I_b$; after entering $I_c$):
$$EI:\quad \{I_a\}dk_{X_i}\ \ \rightarrow\ \ \{I_a\}dk_{X_i},\ \{I_b\}dk_{X_{(i+1)}}\ \ \rightarrow\ \ \{I_a\}dk_{X_i},\ \{I_b\}dk_{X_{(i+1)}},\ \{I_c\}dk_{X_{(i+2)}}$$
$$EDK:\quad \{dk_{X_i}\}dk_{X_i}\ \ \rightarrow\ \ \{dk_{X_i}\}dk_{X_{(i+1)}},\ \{dk_{X_{(i+1)}}\}dk_{X_{(i+1)}}\ \ \rightarrow\ \ \{dk_{X_i}\}dk_{X_{(i+2)}},\ \{dk_{X_{(i+1)}}\}dk_{X_{(i+2)}},\ \{dk_{X_{(i+2)}}\}dk_{X_{(i+2)}}$$

When a data entry event occurs, the following procedures take place. In Figure 4.11, the transition symbol is used to emphasize a change of EDK and EI; without it, no change has occurred.

i) If $u_n$ is not in the system, the user needs to authenticate with the system via the Logon protocol and join a group.
ii) $u_n$ sends the sensitive information $I_b$ to the system:
$$u_n \rightarrow LSGC:\ \{I_b,\ h(I_b,\ dk_{Y_{(j+1)}}.u_n)\}\ dk_{Y_j}.u_n$$
iii) The sensitive information $I_b$ is indexed and then enciphered with the current dynamic data key of the user:
$$c \text{ in } sim:\ \{I_b\}\ dk_{X_{(i+1)}}$$
iv) Finally, all data keys are rewrapped with the current data key.

Data Update refers to the manipulation of information to bring critical data up to date. In this scenario, it is assumed that the user wants to update $I_b$ to $I^*_b$. The procedure is described as follows and the change of $c$ is shown in Figure 4.12.

i) $u_n$ needs to authenticate with the system via the Logon protocol and join a group.
ii) Once successfully logged into a group (cluster or virtual cluster), $u_n$ requests $I_b$ via the AccessAuth protocol. Meanwhile, $I_b$ is recovered from $\{I_b\}\ dk_{X_{(i+1)}}$ and $\{dk_{X_{(i+1)}}\}\ dk_{X_{(i+2)}}$.
iii) After the sensitive information is updated, the update invokes the data entry procedure.

Figure 4.12. Data Update Status of SIM (before and after updating $I_b$ to $I^*_b$):
$$EI:\quad \{I_a\}dk_{X_i},\ \{I_b\}dk_{X_{(i+1)}},\ \{I_c\}dk_{X_{(i+2)}}\ \ \rightarrow\ \ \{I_a\}dk_{X_i},\ \{I^*_b\}dk_{X_{(i+3)}},\ \{I_c\}dk_{X_{(i+2)}}$$
$$EDK:\quad \{dk_{X_i}\}dk_{X_{(i+2)}},\ \{dk_{X_{(i+1)}}\}dk_{X_{(i+2)}},\ \{dk_{X_{(i+2)}}\}dk_{X_{(i+2)}}\ \ \rightarrow\ \ \{dk_{X_i}\}dk_{X_{(i+3)}},\ \{dk_{X_{(i+3)}}\}dk_{X_{(i+3)}},\ \{dk_{X_{(i+2)}}\}dk_{X_{(i+3)}}$$

Data Deletion is an operation involving data erasure. When $u_n$ wants to erase the sensitive information $I_a$, the procedure is as follows and the change of $c$ is shown in Figure 4.13:

i) $u_n$ needs to authenticate with the system via the Logon protocol and join a group.
ii) Once successfully logged into a LSGC, $u_n$ sends the request using the AccessAuth protocol, for step i) only.
iii) The LSGC removes the sensitive information and the correlated encrypted data key based on the request.
iv) The remaining dynamic data keys are rewrapped by the current dynamic data key of the user $u_n$.

Figure 4.13. Data Deletion Status of SIM (before and after deleting $I_a$):
$$EI:\quad \{I_a\}dk_{X_i},\ \{I^*_b\}dk_{X_{(i+3)}},\ \{I_c\}dk_{X_{(i+2)}}\ \ \rightarrow\ \ \{I^*_b\}dk_{X_{(i+3)}},\ \{I_c\}dk_{X_{(i+2)}}$$
$$EDK:\quad \{dk_{X_i}\}dk_{X_{(i+3)}},\ \{dk_{X_{(i+3)}}\}dk_{X_{(i+3)}},\ \{dk_{X_{(i+2)}}\}dk_{X_{(i+3)}}\ \ \rightarrow\ \ \{dk_{X_{(i+3)}}\}dk_{X_{(i+4)}},\ \{dk_{X_{(i+2)}}\}dk_{X_{(i+4)}}$$

Data Retrieval. Data retrieval is a simple process in which $u_n$ applies the AccessAuth protocol to fetch the critical data without modification. No data needs to be re-indexed or enciphered; only the dynamic data keys need to be rewrapped. The change of $c$ is shown in Figure 4.14.

Figure 4.14. Data Access Status of SIM (before and after a retrieval):
$$EI:\quad \{I^*_b\}dk_{X_{(i+3)}},\ \{I_c\}dk_{X_{(i+2)}}\ \ \rightarrow\ \ \{I^*_b\}dk_{X_{(i+3)}},\ \{I_c\}dk_{X_{(i+2)}}$$
$$EDK:\quad \{dk_{X_{(i+3)}}\}dk_{X_{(i+4)}},\ \{dk_{X_{(i+2)}}\}dk_{X_{(i+4)}}\ \ \rightarrow\ \ \{dk_{X_{(i+3)}}\}dk_{X_{(i+5)}},\ \{dk_{X_{(i+2)}}\}dk_{X_{(i+5)}}$$

4.4.3. Dynamic Membership Operations

When a user registers with the system, the user must agree to and choose a trusted participant, either a joined cluster or a nominated cluster. The chosen participant is added to the emergency list (EL). This confidentiality override rule allows an authenticated cluster in an emergency to gain access to sensitive information of users which would normally be inaccessible. The rule also solves the problem of information accessibility when a user permanently leaves the system. In other words, dynamic ownership of sensitive information is provided. Meanwhile, the maintenance of the list EL [65] is important.

EL Update is an operation that updates the newly nominated cluster $c_n \in C$ or the encrypted dynamic data keys in a relationship object $o \in O$. Two events trigger an EL update. First, when a user requests a change of the nominated trust cluster, the system allocates a new audit cluster and generates a new combination key from the leaders of the new nominated cluster and the allocated audit cluster. Second, when the dynamic communication keys of the leaders change, the encrypted user dynamic data keys are updated. The EL update operation ensures the list is up to date so that it can be used for authentication in emergency access situations or when the user permanently leaves.

Emergency Access. Emergency access is necessary when a user is not able to authenticate with the system and the user has authorized the nominated cluster as a trusted participant. In an emergency, the user's sensitive information can be accessed via the attendant audit cluster. Given $c_n \in C \cup VC$ as a nominated cluster for user $u_n \in U$ and $c_a \in C$ as an audit cluster, let $l_n \in c_n$ and $l_a \in c_a$ be the leaders of the corresponding clusters. For an emergency access, the procedure is described as follows:

i) An emergency access event occurs.
ii) The leader of the nominated cluster sends a request to the system together with a token $\tau_n$ computed by $h$ with $dk_{Y_{(j+1)}}.l_n$:
$$l_n \rightarrow LSGC:\ \{request,\ \tau_n,\ h(request,\ \tau_n,\ dk_{Y_{(j+1)}}.l_n)\}\ dk_{Y_j}.l_n$$
iii) The system looks at the EL and sends a request to the corresponding audit cluster in order to obtain a response and a token $\tau_a$ computed by $h$ with $dk_{Y_j}.l_a$:
$$LSGC \rightarrow l_a:\ \{request,\ h(request,\ dk_{Y_{(j+1)}}.l_a)\}\ dk_{Y_j}.l_a$$
$$l_a \rightarrow LSGC:\ \{response,\ \tau_a,\ h(response,\ dk_{Y_j}.l_a)\}\ dk_{Y_{(j+1)}}.l_a$$
iv) After the system gathers the two tokens from the nominated and audit clusters, it recovers the dynamic data key of user $u_n$ and enciphers it with the dynamic communication key of $l_n$. The sensitive information of user $u_n$ is then sent to the nominated cluster $c_n$:
$$LSGC \rightarrow l_n:\ \{I_n\}\ dk_X.u_n,\quad \{dk_X.u_n\}\ dk_{XC}.u_n,\quad \{dk_{XC}.u_n\}\ dk_{X_j}.l_n$$

User Permanently Leaves. When a user permanently leaves the system, the user either removes selected owned sensitive information or leaves it as orphan information. When orphan information exists in the system, the nominated cluster takes control of the information. The procedure is the same as steps i to iii of the emergency access procedure. The last step is to use the dynamic data key of the leader $l_n$ to encipher the leaving user's dynamic data keys. The change is shown in Figure 4.15. Suppose user $u_n$ owns the sensitive information $I_n$. After $u_n$ permanently leaves the system without removing $I_n$, the ownership is changed to the nominated cluster $c_n$.

Figure 4.15. Ownership Change of Sensitive Information:
$$\{I_n\}\ dk_X.u_n,\ \{dk_X.u_n\}\ dk_{XC}.u_n\ \ \rightarrow\ \ \{I_n\}\ dk_X.u_n,\ \{dk_X.u_n\}\ dk_X.l_n$$

[65] Definition of EL refers to Definition 3.7.
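The data operations of Section 4.4.2 (entry, update, deletion and retrieval, Figures 4.10 to 4.14) and the ownership change of Section 4.4.3 (Figure 4.15), carried out on one SIM object as an added example that is not code from the thesis. Assumptions beyond the text: the data keys $dk_{X_i}$ are derived as HMAC(seed, i) in place of the thesis's dynamic key generator, $\{m\}k$ is a toy XOR stream cipher with a key-bound tag standing in for a real cipher, and the class and function names, seeds and record contents are constructed.

```python
import hashlib
import hmac

def dk(seed: bytes, i: int) -> bytes:
    """dk_{X_i} of the holder of `seed` (assumed HMAC derivation, not the thesis's generator)."""
    return hmac.new(seed, f"X{i}".encode(), hashlib.sha256).digest()

def _xor(key: bytes, data: bytes) -> bytes:
    stream = b"".join(hashlib.sha256(key + n.to_bytes(4, "big")).digest()
                      for n in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key: bytes, data: bytes) -> bytes:
    """Toy {data}key: XOR keystream plus a 16-byte key-bound tag (stand-in, not a real cipher)."""
    return _xor(key, data) + hashlib.sha256(key + data).digest()[:16]

def open_(key: bytes, blob: bytes) -> bytes:
    """Inverse of seal; raises ValueError unless `key` is the key the blob was sealed with."""
    data = _xor(key, blob[:-16])
    if not hmac.compare_digest(hashlib.sha256(key + data).digest()[:16], blob[-16:]):
        raise ValueError("wrong dynamic data key")
    return data

class KeyHolder:
    """A user u_n (or a leader l_n): a seed and the index i of its current dynamic data key."""
    def __init__(self, seed: bytes, i: int = 0):
        self.seed, self.i = seed, i
    def current(self) -> bytes:
        return dk(self.seed, self.i)
    def advance(self) -> bytes:
        self.i += 1  # every SIM operation consumes one dynamic data key
        return self.current()

class SIMObject:
    """sim for one user: ei = records sealed under their own data keys, ri = record name ->
    data-key index, edk = those data keys sealed under the holder's *current* key, which is
    itself never stored, so a breach of the object yields only sealed material."""
    def __init__(self):
        self.ei, self.ri, self.edk = {}, {}, {}
    def rewrap(self, old_key: bytes, new_key: bytes) -> None:
        self.edk = {idx: seal(new_key, open_(old_key, blob)) for idx, blob in self.edk.items()}

def data_entry(sim, holder, name, plaintext):
    """Figure 4.11: index, seal the record under the new key, rewrap every data key under it."""
    old, new = holder.current(), holder.advance()
    sim.ri[name] = holder.i
    sim.ei[name] = seal(new, plaintext)
    sim.rewrap(old, new)
    sim.edk[holder.i] = seal(new, new)  # {dk_{X_i}} dk_{X_i}

def data_retrieval(sim, holder, name):
    """Figure 4.14: unwrap the record's key with the current key; only the EDK is rewrapped."""
    cur = holder.current()
    plaintext = open_(open_(cur, sim.edk[sim.ri[name]]), sim.ei[name])
    sim.rewrap(cur, holder.advance())
    return plaintext

def data_update(sim, holder, name, plaintext):
    """Figure 4.12: the old record key is dropped and the new value goes through data entry."""
    del sim.edk[sim.ri[name]]
    data_entry(sim, holder, name, plaintext)

def data_deletion(sim, holder, name):
    """Figure 4.13: remove record, index and sealed key, then rewrap the remaining keys."""
    del sim.ei[name]
    del sim.edk[sim.ri.pop(name)]
    sim.rewrap(holder.current(), holder.advance())

def el_update(holder, combination_key):
    """EL Update (Section 4.4.3): the emergency list keeps the user's current data key
    sealed under the combination key of the nominated and audit cluster leaders."""
    return seal(combination_key, holder.current())

def ownership_change(sim, el_entry, combination_key, leader):
    """Figure 4.15: after emergency access, leader l_n's data key rewraps the user's keys."""
    sim.rewrap(open_(combination_key, el_entry), leader.current())

def demo() -> dict:
    """Constructed walk-through of Figures 4.10-4.15 for one user u_n and one leader l_n."""
    sim, u_n, l_n = SIMObject(), KeyHolder(b"seed-u_n"), KeyHolder(b"seed-l_n", 10)
    combo = b"constructed-combination-key"
    for name in ("I_a", "I_b", "I_c"):  # initial stage, then two data entries
        data_entry(sim, u_n, name, f"{name} constructed".encode())
    data_update(sim, u_n, "I_b", b"I_b* constructed")
    data_deletion(sim, u_n, "I_a")
    fetched = data_retrieval(sim, u_n, "I_c")
    try:  # former key secrecy: a leaked old key (dk_{X_2}, once I_b's) opens nothing now
        open_(dk(u_n.seed, 2), sim.edk[sim.ri["I_c"]])
        stale_rejected = False
    except ValueError:
        stale_rejected = True
    el = el_update(u_n, combo)  # u_n then becomes unreachable and c_n takes over
    ownership_change(sim, el, combo, l_n)
    return {"ri": dict(sim.ri), "u_i": u_n.i, "fetched": fetched,
            "stale_rejected": stale_rejected,
            "leader_reads": data_retrieval(sim, l_n, "I_b"), "l_i": l_n.i}
```

With the first entry at index 1, the indices that demo() reports for the records match the $X_{(i+k)}$ labels of the figures: $I_c$ stays under $X_{(i+2)}$ and the updated $I^*_b$ moves to $X_{(i+3)}$, while every operation advances the owner's current key by one.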
4.4.4. Security Comparison

In this section (4.4), sensitive information management has been proposed based on Definition 3.7. This management scheme integrates dynamic data keys with the sensitive information of users in order to protect sensitive information storage. It also provides a suite of data operations, consisting of data entry, data update, data deletion and data retrieval, to manipulate sensitive information among group users. Moreover, the proposed component supports dynamic membership, which allows an authenticated cluster in an emergency to gain access to the sensitive information of users which would normally be inaccessible. The scheme also supports dynamic ownership, which allows an authenticated cluster to take control of orphan sensitive information created when the owner permanently leaves the system. Because a dynamic data key encrypts only one record or file in the system, the security of sensitive information is maximized, even should sensitive information storage be breached. Also, by adopting dynamic keys in SIM, the privacy of sensitive information owners is protected, because the owner manages assets with a current dynamic data key. Table 4.4 shows the security features of the proposed SIM compared to other existing security mechanisms for protecting sensitive information storage.

Table 4.4. Security Comparison of SIM to other Approaches.

Comparison Criterion | Database Encryption (SQL)                   | Disk Encryption (IBM z/OS)                | SIM
Security Technique   | multilevel security to classify information | different keys to encrypt sensitive files | integrates dynamic keys with sensitive information
Security Key Type    | long-term shared key                        | symmetric and asymmetric keys             | dynamic keys
Privacy Protection   | no                                          | yes                                       | yes
Dynamic Ownership    | no                                          | no                                        | yes

Security Technique. Using a database approach, Microsoft SQL employs multilevel security to separate information based on its security classification. The technique is effective because not all data are visible to all users. However, it does not prevent internal attacks in the case of a database manager having permission to view all information. Using a cryptographic approach, IBM uses different symmetric keys to secure files and wraps the keys with the users' asymmetric keys. The technique improves upon the security of the database approach, but a breach of the asymmetric key leads to the disclosure of sensitive information. Using the SIM approach, dynamic keys are integrated with sensitive information. Because of dynamic key secrecy and former key secrecy, the security of the SIM approach is better than that of the cryptographic approach.

Privacy Protection. As mentioned in the discussion on security techniques, the database approach is susceptible to internal attacks and does not protect the privacy of sensitive information owners. In other words, an adversary with higher privileges is able to oversee the sensitive information of others. In contrast, the cryptographic and SIM approaches both provide a privacy protection mechanism by using different keys to encrypt sensitive information. Even a number of compromised encryption keys do not threaten all the sensitive information of a user.

Dynamic Ownership. The database and cryptographic approaches do not take dynamic ownership into consideration. In contrast, the SIM approach provides dynamic ownership and membership operations to deal with emergency situations and the occurrence of orphan information in the system.

4.5. Summary

In this chapter, four tangible components of SecureSIS were proposed and formally described. A security comparison of each component with existing techniques was made. The comparisons show that the proposed security architecture (the four tangible components) is able to overcome the security concerns and minimise the threats to the communication channel, user interface and sensitive information storage. In order to design the four components, the SecureSIS pentad was used as a guide. The proposed four components have contributed the following achievements:

- DKM-based UGKM enhances the security of SecureSIS and allows sensitive information sharing among group members while protecting the privacy of individuals.
- AAM provides multifactor authentication and achieves high security and tight access control among individuals and group members based on DKM and UGKM. It also gives flexibility to sensitive information owners while protecting their privacy.
- SIM integrates dynamic keys with critical information to protect sensitive information. It guarantees that a breach of the credentials of one user cannot compromise the security of other users. The use of DKM, UGKM and AAM in SIM is able to solve the dynamic information ownership problem.
- The use of two sets of dynamic keys in SecureSIS is able to achieve intrusion detection and prevention based on their cryptographic properties.

Goals Discussion on SecureSIS. Sensitive information protection is the first priority of SecureSIS. The proposed four components of SecureSIS satisfy the goals of SecureSIS, whereby only legitimate users with proper permissions are able to access sensitive information; transmitted sensitive information is identically maintained among the involved entities; and only privileged users are able to understand and access sensitive information.

UIG is satisfied by AAM. The use of dynamic communication keys and multifactor authentication guarantees that only genuine users and systems are able to understand requests and responses and generate identical tokens offline. Authenticity and authority are thus guaranteed, and Equations 3.20 and 3.21 are met.

CCG is satisfied by DKM and UGKM. By using dynamic communication keys and virtual cluster keys, sensitive information is distributed securely among group users. Using the cryptographic properties of dynamic keys and the AccessAuth protocol, all messages are embedded in a unique token to guarantee information integrity, and hence Equations 3.22 and 3.23 are met.

SISG is satisfied by SIM. The combination of UGKM and AAM used in SIM ensures not only that privileged users can understand and retrieve information, but also that dynamic information ownership is enabled in emergency circumstances. In addition, the use of dynamic data keys guarantees the secure storage of sensitive information. Equation 3.24 is therefore met.

Informally, by applying the SecureSIS pentad, the design of the four components satisfies the goals of SecureSIS (shown in Table 4.5).

Table 4.5. SecureSIS Components vs. Goals.

Goals of SecureSIS (Section 3.2.10) | Components (Definition 3.2) | SecureSIS Pentad (Definition 3.9)
UIG                                 | AAM, DKM, UGKM              | AA, NR, CO
CCG                                 | DKM, UGKM                   | IN, NR, CO, UT
SISG                                | SIM, DKM, UGKM              | IN, NR, CO

In the following chapter, the formal security of each component is discussed, and then the SecureSIS pentad model is built to evaluate the security of SecureSIS in order to prove that the proposed security architecture satisfies the goals of SecureSIS.
Chapter 5. Security Analysis and Discussion on SecureSIS Goals

In the previous chapter, four tangible components of SecureSIS were proposed and described formally in order to demonstrate their role in protecting the communication channel, user interface and sensitive information storage of sensitive information systems. The components have also been compared, informally, with existing mechanisms in terms of security. In this chapter, a formal and thorough security analysis and discussion of the four components is given. Information theory and probability theory are used to demonstrate the security of DKM (Section 5.1) and UGKM (Section 5.2) in protecting the communication channel, and the security of SIM (Section 5.4) in protecting sensitive information storage; Spi calculus is adopted to evaluate the security of AAM (Section 5.3) in protecting the user interface. Based on these results, we build the SecureSIS pentad model [66] in Section 5.5 to assess the security of SecureSIS in order to show that the proposed security architecture satisfies the authenticity and authority, integrity, non-repudiation, confidentiality and utility security properties. With these properties, the security goals of SecureSIS (Section 3.2.10) are met (discussed in Section 5.5.6). The organization of this chapter is illustrated in Figure 5.1 as a signpost to the security analysis and discussion logic in this chapter. The chapter concludes in Section 5.6.

[66] The SecureSIS pentad is defined in Section 3.3.1.

Figure 5.1. The Organization of Security Analysis and Discussion.

5.1. Security of DKM

DKM handles the security of sensitive information systems by employing dynamic key theory. It adopts two sets of dynamic keys to protect the sensitive information of users. It also employs one set of dynamic keys to secure communication between components whenever other components (such as AAM, SIM or UGKM) require the dynamic communication keys of users in order to process user requests. DKM has the dynamic key cryptographic properties of dynamic key secrecy (Theorem 3.1), former key secrecy (Theorem 3.2), key collision resistance (Theorem 3.3) and key consistency (Theorem 3.4). These properties guarantee the security of SecureSIS.

The use of the cryptographic properties of dynamic keys as a security foundation supporting the security of DKM is discussed in Section 5.1.1. The section finishes with a summary restating the contribution of dynamic keys to SecureSIS.

5.1.1. Dynamic Keys in DKM

Definition 3.4 (DKM) in Section 3.2.3 and the Dynamic Key Agreement in Section 4.1.1 demonstrate that two sets of dynamic keys are necessary to ensure security when protecting the sensitive information of users. Theorems 3.5 and 3.6 prove that the use of dynamic keys improves the security of sensitive information systems. Dynamic keys offer more security than long-term keys and, in comparison, asymmetric cryptosystems are insecure. Therefore, dynamic keys are adopted rather than long-term shared keys and public keys. The dynamic communication key set $\{dk_{Y_j}\}$ protects the communication channel and user interface, while the dynamic data key set $\{dk_{X_i}\}$ secures sensitive information storage.

Because dynamic keys possess the dynamic key secrecy, former key secrecy and key collision resistance properties, a corollary can be made.

Corollary 5.1 Because SecureSIS uses two sets of dynamic keys, even if one set of dynamic keys were to be disclosed, the security of the proposed system would not be compromised.

Proof: Mutual information [67] is defined as
$$I(A;B) = \sum \Pr(A;B)\,\log\frac{\Pr(A;B)}{\Pr(A)\,\Pr(B)}$$
If $A \in DK_X$ and $B \in DK_Y$, then we have:
$$I(DK_X;DK_Y) = \sum \Pr(DK_X;DK_Y)\,\log\frac{\Pr(DK_X;DK_Y)}{\Pr(DK_X)\,\Pr(DK_Y)} \qquad (5.1)$$
and, according to key collision resistance, the probability of a dynamic key collision is negligible. In other words, generating the two sets of dynamic keys with two independent unique seeds guarantees that $DK_X$ is independent of $DK_Y$. Hence, according to probability theory, $\Pr(A;B) = \Pr(A)\Pr(B)$ holds if and only if $A$ and $B$ are independent; as that is the case here:
$$\Pr(DK_X;DK_Y) = \Pr(DK_X)\,\Pr(DK_Y) \qquad (5.2)$$
$$I(DK_X;DK_Y) = \sum \Pr(DK_X;DK_Y)\,\log\frac{\Pr(DK_X;DK_Y)}{\Pr(DK_X)\,\Pr(DK_Y)} = 0 \qquad (5.3)$$
which is equivalent to saying that one disclosed set of dynamic keys cannot reveal any information about the other set of dynamic keys.

[67] Mutual information is a measure of the amount of information that can be obtained about one random variable by observing another [Gr90].

Because one set of dynamic keys has no impact on the other set of dynamic keys in DKM, a further corollary can be claimed.

Corollary 5.2 The use of two sets of dynamic keys in SecureSIS can achieve intrusion detection and prevention.

Proof: Let A denote an adversary. By observing network traffic, A obtains a subset of used dynamic keys and a number of used tokens. According to dynamic key secrecy and former key secrecy, deriving new dynamic keys from the obtained keys and tokens is computationally infeasible. Should A try to penetrate the system with the obtained information, the action is detected immediately, because dynamic keys can only be used once. In addition, even if the actions of A compromise one set of dynamic keys, by Corollary 5.1 the other set of dynamic keys remains secure and unaffected. The security of the sensitive information is maintained and the proof is complete.

5.1.2. Summary

Based on the mathematical proofs and discussion already presented in this thesis, the use of dynamic keys contributes the following security factors to SecureSIS:

- Dynamic keys have the dynamic key secrecy, former key secrecy, key collision resistance and key consistency properties.
- Dynamic keys are more secure than long-term shared keys and session keys, and more convenient than a one-time pad. According to Corollary 3.1, asymmetric keys are not sufficiently secure to protect sensitive information.
- The breach of one set of dynamic keys does not compromise the security of SecureSIS.
- The use of two sets of dynamic keys in SecureSIS achieves intrusion detection and prevention.

5.2. Security of UGKM

The security of UGKM is enhanced by the use of dynamic keys. The privacy protection of individuals in UGKM is also enhanced by categorizing group members into passive users and active users. In this section, a comprehensive discussion of the security of UGKM is presented. As described in Section 4.2, the proposed UGKM is a two-tier hybrid group key management approach. The passive user tier applies key tree
group key management. Ths form of securty has been dscussed and evaluated by [KPeTs04, StTsWa98, WaHaAg97, WaLe05, WoGoLa00]. In the next secton the cryptographc propertes of group key management are dscussed n order to guarantee the securty of multcastng contents. Group key secrecy s dscussed n Secton 5.2.1, followed by forward and backward secrecy and key ndependence n Sectons 5.2.2, 5.2.3 and 5.2.4 respectvely. Colluson resstance s delberated n Secton 5.2.5. The summary restates the contrbutons of the proposed UGKM. 5.2.1. Group Key Secrecy Group key secrecy, as defned n Secton 4.2.2, renders the dscovery of any group key computatonally nfeasble for a passve adversary. In UGKM, group keys are generated by the key server (DKM) randomly n the passve user ter; ths guarantees group key secrecy. However, n the actve user ter, as defned, all actve users belong to vrtual clusters, and contrbutory group key management s appled to secure multcastng crtcal contents. The dscusson n Secton 4.2.3 on group keys gves an algorthm that generates vrtual cluster keys for all nvolved members; a corollary can now be devsed to show that UGKM also has a group key secrecy feature. Corollary 5.3 The contrbuted vrtual cluster key s computatonal nfeasble. Proof: Assume a vrtual cluster vcn VC conssts of one actve user (Defnton m 4) and n-1 passve users vc VC, vc {, nvolved }. The vrtual cluster n n m key K s formed by contrbutng the ntermedate key (. ) m od vc dynamc communcaton key) of each user u vc n k f dk u p Yj (the. Let K and IK be vrtual cluster 190
keys and ntermedate key spaces respectvely. Then, f an adversary obtans all ntermedate keys IK { k }, the probablty of breachng the contrbuted K vc s: Thus we have: Pr ( K IK ) Pr ( K K ; IK k ) Pr ( K K ; IK k )... vc Pr ( K K ; IK k ) vc 1 vc 2 n (5.4) n vc (5.5) 1 Pr ( K IK ) Pr ( K K ; IK k ) Accordng to probablty theory, Pr( A; B) Pr( A B) Pr( B), so: n vc (5.6) 1 Pr ( K IK ) Pr ( K K IK k ) Pr ( IK k ) The contrbuted secret dk. u has all the cryptographc propertes of dynamc keys Yj and the specal functon f (.) has the property of x, y( x y), f ( x) f ( y) (Defnton 3.1). Therefore, the probablty of generatng each ntermedate key k f ( dk. u ) m od p Yj s 1 p. In other words, the generated ntermedate key s unformly dstrbuted over the nterval[0, p 1], and we have: Combned wth (5.6), we have: 1 Pr ( IK k ) (5.7) p n 1 Pr ( K IK ) Pr ( K K IK k ) vc p (5.8) 1 Also, because K f ( k... k ) mod p, so: vc 1 n 1 P r ( K IK ) P r ( K f ( k... k ) IK k ) p n 1 n (5.9) 1 191
There are n ntermedate keys n vc, so, gven an ntermedate key, the probablty n of guessng K k... k s 1. 1 n n 1 P r ( K k... k IK k ) (5.10) 1 n n However, when the specal one-way functon f (.) s appled, ths makes t harder for an adversary to work out the K f ( k... k ), so: vc 1 n 1 P r ( K f ( k... k ) IK k ) (5.11) 1 n n Thus, combnng (5.9) and (5.11), we have: Pr ( K IK ) n 1 1 1 p n p (5.12) 1 Because the large prme number p s the key space of K vc, the maxmum securty of Pr ( K IK ) s 1, thus: p The contrbuted vrtual cluster key Pr ( K IK ) K vc 1 (5.13) p s therefore unformly dstrbuted over the nterval [0, p - 1 ]. The contrbuted vrtual cluster key s computatonally nfeasble; the proof s complete. 5.2.2. Forward Secrecy Forward secrecy, as defned n UGKM cryptographc propertes (Secton 4.2.2), guarantees that knowledge of a contguous subset of old group keys wll not enable the dscovery of any subsequent group keys. In other words, forward secrecy prevents 192
users who have left the group from accessng future group communcaton. Forward secrecy s demonstrated n the actve user ter by the member leave operaton (descrbed n Secton 4.2.5). In the actve user leave operaton, each vrtual cluster has only one actve user and the exstence of the actve user determnes the exstence of the vrtual cluster. When the actve user leaves the vrtual cluster, the cluster s destroyed. Operatons nvolvng actve users consequently do not need forward secrecy. However, when a passve user leaves an exstng vrtual cluster, forward secrecy s necessary. As descrbed n Secton 4.2.5, a corollary can be made. Corollary 5.4 Forward secrecy s guaranteed n vrtual clusters. Proof: Suppose s a former vrtual cluster member. Whenever a leavng event n occurs as a result of a passve user leavng an exstng vrtual cluster operaton, a new K s refreshed, and all keys known to leavng member wll be changed vc n accordngly. The probablty of knowng the new K s: n vc Pr ( new K K ) (5.14) vc Accordng to Corollary 5.4, vrtual cluster keys are unformly dstrbuted. The old K and new K vc vc are therefore ndependent and we have: vc Pr ( new K, K ) Pr ( new K ) Pr ( K ) (5.15) vc vc vc vc Snce P( A; B) P( A B) P( B), then (5.14) can be wrtten as: Takng (5.15) nto (5.16): Pr ( new K K ) vc vc Pr ( new K, K ) vc vc (5.16) Pr ( K ) vc 193
$$\Pr(\mathrm{new}\,K_{vc} \mid K_{vc}) = \Pr(\mathrm{new}\,K_{vc}) \qquad (5.17)$$

Therefore, the probability of knowing the old $K_{vc}$ and being able to use it to find the new $K_{vc}$ is the same as finding the new $K_{vc}$. In other words, $u_n$ has the same level of information of the new virtual cluster key as an adversary. Forward secrecy is satisfied in operations involving virtual clusters; the proof is complete.

5.2.3. Backward Secrecy

Backward secrecy, as defined in UGKM cryptographic properties (Section 4.2.2), ensures that a new member who knows the current group key cannot derive any previous group key. In other words, backward secrecy prevents new joining users from accessing previous group content. Backward secrecy is achieved in the active user tier through the member join operation (described in Section 4.2.4). In the active user join operation, when an active user joins the group, a new virtual cluster is created and consequently there are no previous virtual cluster keys to be taken into consideration; in this situation, backward secrecy is not a concern. However, when a passive user joins an existing virtual cluster operation, backward secrecy needs to be considered. As described in Section 4.2.4, a corollary can be made.

Corollary 5.5 Backward secrecy is guaranteed in virtual clusters.

Proof: Suppose $u_n$ is a new member about to join a virtual cluster. When a passive user joins an existing virtual cluster operation, a new $K_{vc}$ is contributed by $u_n$ and the old $K_{vc}$ will be updated for all existing members. The probability of $u_n$ knowing the old $K_{vc}$ is:

$$\Pr(\mathrm{old}\,K_{vc} \mid \mathrm{new}\,K_{vc}) \qquad (5.18)$$
According to Corollary 5.3, virtual cluster keys are uniformly distributed. Because the old $K_{vc}$ and the new $K_{vc}$ are independent, we have:

$$\Pr(\mathrm{old}\,K_{vc}, \mathrm{new}\,K_{vc}) = \Pr(\mathrm{old}\,K_{vc})\,\Pr(\mathrm{new}\,K_{vc}) \qquad (5.19)$$

Since $P(A;B) = P(A \mid B)\,P(B)$, (5.18) can be written as:

$$\Pr(\mathrm{old}\,K_{vc} \mid \mathrm{new}\,K_{vc}) = \frac{\Pr(\mathrm{old}\,K_{vc}, \mathrm{new}\,K_{vc})}{\Pr(\mathrm{new}\,K_{vc})} \qquad (5.20)$$

and, taking (5.19) into (5.20):

$$\Pr(\mathrm{old}\,K_{vc} \mid \mathrm{new}\,K_{vc}) = \Pr(\mathrm{old}\,K_{vc}) \qquad (5.21)$$

The probability of using the new $K_{vc}$ to find the old $K_{vc}$ is therefore the same as finding the old $K_{vc}$. In other words, $u_n$ cannot use the new $K_{vc}$ to gain access to previous group content, and an adversary is in the same situation. Backward secrecy is guaranteed in virtual clusters; the proof is complete.

5.2.4. Collusion Resistance

Collusion attack refers to a situation where any set of departing members work together to regain the current group key by applying the old keying materials known by them. Collusion resistance in UGKM ensures that previous virtual cluster passive users cannot collude and determine the current virtual cluster keys. The privacy of current active users of the virtual cluster is protected because the previous virtual cluster users cannot collude to identify the current key. Therefore, a collusion resistance corollary for UGKM can be made.

Corollary 5.6 UGKM achieves collusion resistance.
Proof: Suppose a virtual cluster $vc_n \in VC$ and $k$ previous passive users^68 want to collude to identify the new virtual cluster key of $vc_n$. Let every such user $i$, $1 \le i \le k$, hold key materials (such as intermediate keys described in Section 4.2.3), and denote this as $k_i.\mathrm{materials}$. The uncertainty of the new virtual cluster key for the $k$ previous passive users is:

$$H\big(\mathrm{new}\,K_{vc} \mid \{k_i.\mathrm{materials}\}_{i=1}^{k}\big) \qquad (5.22)$$

According to the chain rule of information entropy, (5.22) can be transformed into the equation:

$$H\big(\{k_i.\mathrm{materials}\}_{i=1}^{k}, \mathrm{new}\,K_{vc}\big) = H\big(\{k_i.\mathrm{materials}\}_{i=1}^{k}\big) + H\big(\mathrm{new}\,K_{vc} \mid \{k_i.\mathrm{materials}\}_{i=1}^{k}\big) \qquad (5.23)$$

Because previous passive users know their key materials, the uncertainty of their key materials is:

$$H\big(\{k_i.\mathrm{materials}\}_{i=1}^{k}\big) = 0 \qquad (5.24)$$

and the uncertainty of the new cluster key and their key materials is:

$$H\big(\{k_i.\mathrm{materials}\}_{i=1}^{k}, \mathrm{new}\,K_{vc}\big) = H(\mathrm{new}\,K_{vc}) \qquad (5.25)$$

Then, taking (5.24) and (5.25) into (5.23) we have:

$$H\big(\mathrm{new}\,K_{vc} \mid \{k_i.\mathrm{materials}\}_{i=1}^{k}\big) = H(\mathrm{new}\,K_{vc}) \qquad (5.26)$$

^68 According to the active user leave operation, when an active user leaves a virtual cluster, the virtual cluster is destroyed. Collusion attack is therefore not a security concern for situations involving active users.
The uncertainty of knowing the new virtual cluster key through the former key materials of $k$ passive users is the same as the uncertainty of the new virtual cluster key. According to Corollary 5.4, forward secrecy is guaranteed in virtual clusters and the new virtual cluster key is secure. An adversary can no more gain access to the current virtual cluster key than can the $k$ previous passive users; the proof is complete.

5.2.5. Summary

This section formally proved the security of UGKM following on from the discussion in Section 4.2.2. The proposed UGKM has the following security factors to contribute to SecureSIS:

- Group key secrecy is satisfied by proving that the contributed virtual cluster key is uniformly distributed over the key space. It is computationally infeasible.
- Forward secrecy is satisfied by proving that a previous passive user, knowing a contiguous subset of old virtual cluster keys, cannot gain information concerning any subsequent virtual cluster keys.
- Backward secrecy is satisfied by verifying that a user, knowing a contiguous subset of virtual cluster keys, cannot gain information concerning the preceding virtual cluster keys.
- Collusion resistance is achieved by certifying that a number of previous passive users cannot collude to find subsequent virtual cluster keys.

This section has used mathematical proofs to show the suitability of UGKM for inclusion in the SecureSIS architecture. The next section presents an evaluation of AAM for the same purpose.
5.3. Security of AAM

The proposed AAM manages the security of SecureSIS by adopting DKM and UGKM to protect the user interface. It allows users to authenticate themselves to have fine-grain control over portions of their critical information. AAM offers secure authentication and flexible authorization for individuals and group members. AAM consists of an Initialization protocol, a Logon protocol and the AccessAuth protocol. The latter two protocols involve sensitive information transmission. Therefore, in this section, the Logon and AccessAuth protocols are examined to show the security in user interface protection. The section finishes by restating the contributions of the proposed AAM to SecureSIS.

In order to verify the security of each protocol, Spi calculus [Ab99, AbGo97] is used to evaluate the security of AAM. The approach is to test that a process $P(x)$ does not leak the input $x$ if a second process $Q$ cannot distinguish running in parallel with $P(M)$ from running in parallel with $P(N)$, for every $M$ and $N$. In other words, $P(M)$ and $P(N)$ are indistinguishable for the process $Q$. To start verifying the security of AAM by Spi calculus, the features of the Spi calculus are essential.

5.3.1. Introduction to the Spi Calculus

In this section, we briefly introduce the Spi calculus [Ab99] syntax and semantics. In the Spi calculus, the simplicity of the calculus lies in the dual role that names play as communication channels and variables. Letting $x$ and $y$ range over variables, we assume that $C$ is a set composed of public communication channels $\{c_{xy} \in C\}$ and $V$
is a set of private communication channels $\{v_{xy} \in V\}$ established between entities $x$ and $y$. Spi calculus has the following process constructs:

- Concurrency: written $P \mid Q$, behaves as processes $P$ and $Q$ running in parallel.
- Communication: the basic computation and synchronisation mechanism in the Spi calculus is interaction, in which a term $N$ is communicated from an output process to an input process via a named channel, $c_{xy}$ or $v_{xy}$. An output process, $\overline{c}_{xy}\langle N \rangle.P$, indicates that term $N$ is communicated on channel $c_{xy}$ and then process $P$ runs. An input process, $c_{xy}(x).P$, describes a process waiting for a term $N$ that was sent on a communication channel named $c_{xy}$ before proceeding as $P$.
- Replication: written $!P$, behaves as an infinite number of copies of $P$ running in parallel.
- Match: written $[M\ \mathrm{is}\ N]\,P$, behaves as $P$ provided that terms $M$ and $N$ are the same, otherwise the process stalls.
- Encryption: written $\{M\}_K$, represents the cipher text obtained by encrypting the term $M$ under the shared key $K$ using a symmetric algorithm.
- Decryption: written $\mathrm{case}\ L\ \mathrm{of}\ \{x\}_K\ \mathrm{in}\ P$, attempts to decrypt the term $L$ with the shared key $K$. If $L$ is a cipher text of the form $\{M\}_K$, then the process behaves as $P[M/x]$^69, otherwise the process stalls.

^69 This denotes the outcome of replacing each free occurrence of $x$ in process $P$ with the term $M$.
- Restriction: written $(\nu n)P$, makes a new private name $n$, which may occur in $P$, and then behaves as $P$.

The basic security property of Spi calculus is secrecy, which is based on the indistinguishability of processes. By using this property to evaluate the security of cryptographic protocols, a few additional notions need to be presented:

- Reduction relation: written $>$, is defined as the least relation closed under a set of reduction rules. The main reduction rule that captures the ability of processes to communicate through channels is:

$$\overline{c}_{xy}\langle N \rangle.P \mid c_{xy}(x).Q \;>\; P \mid Q[N/x] \qquad (5.27)$$

- Reaction relation: written $P \to P'$, indicates that there is a reaction amongst the sub-processes of $P$; if $P$ can perform a computation step, following which it is now $P'$.

5.3.2. Logon Protocol

In order to investigate the Logon protocol, the protocol needs to be first abstracted into Spi calculus. Figure 5.2 depicts the structure of the protocol, and informally, the protocol is written as follows:

i) $u \to aam : \{logon\_req, h(\,\cdot\,, dk.u_{Y(j-1)})\}_{dk.u_{Yj}}$ on $c_{ua}$, $c_{ua} \in C$.

ii) $aam \to dkm : \{key\_req, \,\cdot\,\}_{cdk.aam_l}$ on $v_{ad}$, $v_{ad} \in V$.

iii) $dkm \to aam : \{dk.u_{Y(j+1)}\}_{cdk.aam_l}$ on $v_{da}$, $v_{da} \in V$.

iv) $aam \to u : \{logon\_req, h(logon\_req, dk.u_{Yj})\}_{dk.u_{Y(j+1)}}$ on $c_{au}$, $c_{au} \in C$.
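One run of steps i) and iv) of the Logon protocol above, written as an added example that is not part of the thesis. It assumes HMAC-SHA256 for $h(\cdot)$, a stand-in encrypt-then-MAC construction for $\{M\}_K$, and a constructed list of shared dynamic keys $dk.u_{Y0}, dk.u_{Y1}, \ldots$ standing in for the DKM (steps ii and iii are not modelled); the check on a reused key index follows the remark that the same dynamic key cannot be used for authentication twice.

```python
import hashlib
import hmac
import json
import secrets

LOGON_REQ = b"logon_req"


def h(msg: bytes, key: bytes) -> bytes:
    """Token h(msg, dk.u): keyed hash under a dynamic communication key (assumed HMAC-SHA256)."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def enc(key: bytes, fields: list) -> bytes:
    """{fields}_key: XOR with a keyed keystream, then MAC (stand-in, not the thesis' cipher)."""
    pt = json.dumps([f.hex() for f in fields]).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def dec(key: bytes, blob: bytes):
    """'case blob of {x}_key in ...': the fields on success, None when the process stalls."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return [bytes.fromhex(f) for f in json.loads(pt)]


def make_dynamic_keys(n: int) -> list:
    """Constructed stand-in for the key sequence dk.u_Y0 ... dk.u_Y(n-1) shared by
    user and AAM; the thesis' DKM derives these differently."""
    return [secrets.token_bytes(32) for _ in range(n)]


def user_step_i(dk: list, j: int, identity: bytes) -> bytes:
    """Step i) u -> aam : {logon_req, h(identity, dk.u_Y(j-1))}_{dk.u_Yj}."""
    return enc(dk[j], [LOGON_REQ, h(identity, dk[j - 1])])


def aam_handle(dk: list, j: int, identity: bytes, msg: bytes, used: set):
    """AAM side: decrypt under dk.u_Yj, match [x is logon_req][y is token],
    then answer with step iv). Returns (reply_or_None, status)."""
    if j in used:  # the same dynamic key presented twice: treated as an intrusion signal
        return None, "replayed key index"
    fields = dec(dk[j], msg)
    if fields is None or len(fields) != 2:
        return None, "stall: undecryptable"
    x, y = fields
    if x != LOGON_REQ or not hmac.compare_digest(y, h(identity, dk[j - 1])):
        return None, "stall: match failed"
    used.add(j)
    # Step iv) aam -> u : {logon_req, h(logon_req, dk.u_Yj)}_{dk.u_Y(j+1)}
    return enc(dk[j + 1], [LOGON_REQ, h(LOGON_REQ, dk[j])]), "ok"


def user_check_iv(dk: list, j: int, reply: bytes) -> bool:
    """User side of step iv): [x is logon_req][y_nonce is h(logon_req, dk.u_Yj)]."""
    fields = dec(dk[j + 1], reply)
    if fields is None or len(fields) != 2:
        return False
    x, y = fields
    return x == LOGON_REQ and hmac.compare_digest(y, h(LOGON_REQ, dk[j]))


def run_logon(dk: list, j: int, identity: bytes, used: set, tamper: bool = False):
    """One instance of the protocol; returns (AAM status, user's verdict on the reply)."""
    msg = user_step_i(dk, j, identity)
    if tamper:  # a byte of the ciphertext is flipped on the public channel c_ua
        msg = msg[:20] + bytes([msg[20] ^ 1]) + msg[21:]
    reply, status = aam_handle(dk, j, identity, msg, used)
    return status, (reply is not None and user_check_iv(dk, j, reply))


if __name__ == "__main__":
    keys, seen = make_dynamic_keys(4), set()
    print(run_logon(keys, 1, b"user-42", seen))        # ('ok', True)
    print(run_logon(keys, 1, b"user-42", seen))        # ('replayed key index', False)
    print(run_logon(keys, 2, b"user-42", seen, True))  # ('stall: undecryptable', False)
```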
Figure 5.2. Structure of the Logon Protocol.

It is assumed there are $n$ users and each user has a public input channel. Informally, an instance of the protocol is determined by a choice of involved entities. More formally, an instance is a triple $[w, t, I]$ such that $w$ and $t$ are entities, such as users and SecureSIS component objects, and $I$ is a message. Moreover, $F$ is an abstraction representing the behaviours of any entities after receipt of the message from the protocol. Meanwhile, messages between $aam$ and $dkm$ occur in private communication channels (steps ii and iii). The proof is the same as for the public communication channel steps i and iv. Therefore, in this discussion, the proof of messages i and iv is given. In the Spi calculus description of the Logon protocol, given an instance $(w, t, I)$, the following process corresponds to the role of users and the LSGC (AAM and DKM).

$$Send_{w,t} \triangleq \overline{c}_{wt}\langle \{logon\_req, h(w, dk.u_{Y(j-1)w})\}_{dk.u_{Yj\,w}} \rangle \mid c_{tw}(x_{cipher}).\ \mathrm{case}\ x_{cipher}\ \mathrm{of}\ \{x, H(y_p)\}_{dk.u_{Y(j+1)w}}\ \mathrm{in}\ \mathrm{let}\ (x, y_{nonce}) = y_p\ \mathrm{in}\ [x\ \mathrm{is}\ logon\_req][y_{nonce}\ \mathrm{is}\ dk.u_{Yj\,w}]\ \mathrm{in}\ F \qquad (5.28)$$
The process $Send_{w,t}$ describes one entity (users) processing an output message i) in parallel with an input message iv). It is a process parameterised by entities $w$ and $t$. Formally, we view $Send_{w,t}$ as a function that maps entities $w$ and $t$ to processes, called abstractions, and treat $w$ and $t$ on the left of $\triangleq$ as bound parameters. For the process $Recv_t$, it describes one entity (LSGC) processing an input message iv) in parallel with an output message i).

$$Recv_t \triangleq c_{wt}(y_{cipher}).\ \mathrm{case}\ y_{cipher}\ \mathrm{of}\ \{x_1, H(y_p)\}_{dk.u_{Yj\,w}}\ \mathrm{in}\ \mathrm{let}\ (x_1, y_{1nonce}) = y_p\ \mathrm{in}\ [x_1\ \mathrm{is}\ w][y_{1nonce}\ \mathrm{is}\ dk.u_{Y(j-1)w}] \mid \overline{c}_{tw}\langle \{logon\_req, h(logon\_req, dk.u_{Yj\,w})\}_{dk.u_{Y(j+1)w}} \rangle \qquad (5.29)$$

The process $Sys(I_1 \ldots I_m)$ describes the whole protocol (messages i and iv) with $m$ instances. The channels $c_{wt}$ and $c_{tw}$ are public channels. The processes send a logon request under the dynamic communication key $dk.u_{Yj\,w}$ and receive LSGC challenge information under the dynamic communication key $dk.u_{Y(j+1)w}$. Besides, $(\nu dk.u_{Yj\,w})$ and $(\nu dk.u_{Y(j+1)w})$ achieve the effect that only entities $w$ and $t$ have the dynamic communication keys. Let $\prod_{x \in 1..m} P_x$ be the $m$-way composition $P_1 \mid \ldots \mid P_m$, and let $(\nu dk.u_{Yj\,w_x})(\nu dk.u_{Y(j+1)w_x})$ stand for $(\nu dk.u_{Yj\,w_1}) \ldots (\nu dk.u_{Yj\,w_m})(\nu dk.u_{Y(j+1)w_1}) \ldots (\nu dk.u_{Y(j+1)w_m})$; we have:

$$Sys(I_1 \ldots I_m) \triangleq (\nu c_{wt})(\nu c_{tw})(\nu dk.u_{Yj\,w_x})(\nu dk.u_{Y(j+1)w_x})\,\Big\{\prod_{x \in 1..m}\big(Send_{w_x,t_x} \mid\ !Recv_{t_x}\big)\Big\} \qquad (5.30)$$

The replication of the receiving processes $!Recv_{t_x}$, $x \in 1..m$, means that every entity is ready to play the role of receiver in any number of runs of the protocol in parallel. Therefore, the protocol can be simultaneous, even though the same entity may be involved
in many instances. We now examine one instance of the protocol. Let $\equiv$ be structural equivalence; by combining Equations 5.28 and 5.29, we have Equation 5.30 rewritten as:

$$\begin{aligned} Sys \equiv\ & (\nu dk.u_{Yj\,w})(\nu dk.u_{Y(j+1)w})\ c_{wt}(y_{cipher}).\ \mathrm{case}\ y_{cipher}\ \mathrm{of}\ \{x_1, H(y_p)\}_{dk.u_{Yj\,w}}\ \mathrm{in}\ \mathrm{let}\ (x_1, y_{1nonce}) = y_p\ \mathrm{in}\ (x_1\ \mathrm{is}\ w)(y_{1nonce}\ \mathrm{is}\ dk.u_{Y(j-1)w}) \\ & \mid \overline{c}_{wt}\langle \{logon\_req, h(w, dk.u_{Y(j-1)w})\}_{dk.u_{Yj\,w}} \rangle \\ & \mid c_{tw}(x_{cipher}).\ \mathrm{case}\ x_{cipher}\ \mathrm{of}\ \{x, H(y_p)\}_{dk.u_{Y(j+1)w}}\ \mathrm{in}\ \mathrm{let}\ (x, y_{nonce}) = y_p\ \mathrm{in}\ (x\ \mathrm{is}\ logon\_req)(y_{nonce}\ \mathrm{is}\ dk.u_{Yj\,w})\ \mathrm{in}\ F \\ & \mid \overline{c}_{tw}\langle \{logon\_req, h(logon\_req, dk.u_{Yj\,w})\}_{dk.u_{Y(j+1)w}} \rangle \end{aligned} \qquad (5.31)$$

Based on the reaction relation and reduction relation rules (Equation 5.27),

$$Sys \to (\nu dk.u_{Yj\,w})(\nu dk.u_{Y(j+1)w})\,F\big(logon\_req, h(logon\_req, dk.u_{Yj\,w}), h(w, dk.u_{Y(j-1)w})\big) \equiv F\big(logon\_req, h(logon\_req, dk.u_{Yj\,w}), h(w, dk.u_{Y(j-1)w})\big) \qquad (5.32)$$

The processes have not revealed the information of $logon\_req$ and the tokens. In the Logon protocol, the tokens are generated with the dynamic communication keys of users. According to the cryptographic properties of dynamic keys (discussed in Section 3.1 and Theorem 3.5), the dynamic communication keys of users are equivalent to random numbers, as are the tokens. Consequently, a specification is given by revising the protocol.

$$Send_{spec(w,t)} \triangleq \overline{c}_{wt}\langle \{logon\_req, random\}_{dk.u_{Yj\,w}} \rangle \mid c_{tw}(x_{cipher}).\ \mathrm{case}\ x_{cipher}\ \mathrm{of}\ \{x, random\}_{dk.u_{Y(j+1)w}}\ \mathrm{in}\ [x\ \mathrm{is}\ logon\_req]\ \mathrm{in}\ F \qquad (5.33)$$

$$Recv_{spec(t)} \triangleq c_{wt}(y_{cipher}).\ \mathrm{case}\ y_{cipher}\ \mathrm{of}\ \{x, random\}_{dk.u_{Yj\,w}}\ \mathrm{in}\ [x\ \mathrm{is}\ w] \mid \overline{c}_{tw}\langle \{logon\_req, random\}_{dk.u_{Y(j+1)w}} \rangle \qquad (5.34)$$
$$Sys_{spec}(I_1 \ldots I_m) \triangleq (\nu c_{wt})(\nu c_{tw})(\nu dk.u_{Yj\,w_x})(\nu dk.u_{Y(j+1)w_x})\,\Big\{\prod_{x \in 1..m}\big(Send_{spec(w_x,t_x)} \mid\ !Recv_{spec(t_x)}\big)\Big\} \qquad (5.35)$$

After applying the reaction relation and reduction relation rules, we have $Sys_{spec} \to F(logon\_req, random, random)$. This is equivalent to $Sys$ (noted as $Sys(I_1 \ldots I_m) \simeq Sys_{spec}(I_1 \ldots I_m)$). In other words, $Sys(I_1 \ldots I_m)$ and $Sys_{spec}(I_1 \ldots I_m)$ are indistinguishable to an adversary. Thus this protocol has two important properties, as proved:

- Authenticity: entity $B$ always applies $F$ to the message that entity $A$ sends, and an adversary cannot cause entity $B$ to apply $F$ to other messages. In other words, $Sys(I_1 \ldots I_m) \simeq Sys_{spec}(I_1 \ldots I_m)$ for any message.
- Secrecy: the message cannot be read in transit from entity $A$ to entity $B$; if, and only if, $F$ does not reveal the message, then the whole protocol does not reveal the message.

5.3.3. AccessAuth Protocol

The AccessAuth protocol is designed to perform identity verification and access control management that allows individuals and group users to share sensitive information. Similar to the Logon protocol, the AccessAuth protocol needs to be informally transformed into the following (the structure of the protocol is depicted in Figure 5.3):

i) $p_m \to LSGC : \{I_n\_req, h(I_n\_req, dk.p_{Y(j-1)m})\}_{dk.p_{Yj\,m}}$ on $c_{mL}$

ii) $LSGC \to p_n : \{I_n\_req, h(I_n\_req, dk.p_{Y(a-1)n})\}_{dk.p_{Yj\,n}}$ on $c_{Ln}$

iii) $p_n \to LSGC : \{I'_n\_res, h(I'_n\_res, dk.p_{Yj\,n})\}_{dk.p_{Y(j+1)n}}$ on $c_{nL}$
iv) $LSGC \to p_m : \{I_n, h(I_n, dk.p_{Yj\,m})\}_{dk.p_{Y(j+1)m}}$ on $c_{Lm}$

Figure 5.3. Structure of the AccessAuth Protocol.

Meanwhile, $c_{mL}$, $c_{Ln}$, $c_{nL}$ and $c_{Lm}$ are public communication channels among participants and the LSGC. In the Spi calculus description of the AccessAuth protocol, given an instance $(w, t, I)$, the following process corresponds to the role of participants and the LSGC (AAM and DKM).

$$Send_{w,t} \triangleq \overline{c}_{wL}\langle \{I_t\_req, h(I_t\_req, dk.p_{Y(j-1)w})\}_{dk.p_{Yj\,w}} \rangle \mid c_{Lw}(x_{cipher}).\ \mathrm{case}\ x_{cipher}\ \mathrm{of}\ \{x, H(y_p)\}_{dk.p_{Y(j+1)w}}\ \mathrm{in}\ \mathrm{let}\ (x, y_{nonce}) = y_p\ \mathrm{in}\ [x\ \mathrm{is}\ I_t][y_{nonce}\ \mathrm{is}\ dk.p_{Yj\,w}]\ \mathrm{in}\ F \qquad (5.36)$$

$$Recv_t \triangleq c_{Lt}(y_{cipher}).\ \mathrm{case}\ y_{cipher}\ \mathrm{of}\ \{x_1, H(y_p)\}_{dk.p_{Yj\,t}}\ \mathrm{in}\ \mathrm{let}\ (x_1, y_{2nonce}) = y_p\ \mathrm{in}\ [x_1\ \mathrm{is}\ request][y_{2nonce}\ \mathrm{is}\ dk.p_{Y(a-1)t}] \mid \overline{c}_{tL}\langle \{I'_t\_res, h(I'_t\_res, dk.p_{Yj\,t})\}_{dk.p_{Y(j+1)t}} \rangle \qquad (5.37)$$

The sending and receiving processes are described in detail in AAM. The LSGC controls the forwarding and assembling of messages among participants. The LSGC is the same for all instances.
$$\begin{aligned} LSGC \triangleq\ & c_{wL}(z_{cipher}).\ \mathrm{case}\ z_{cipher}\ \mathrm{of}\ \{x_1, H(y_p)\}_{dk.p_{Yj\,w}}\ \mathrm{in}\ \mathrm{let}\ (x_1, y_{1nonce}) = y_p\ \mathrm{in}\ [x_1\ \mathrm{is}\ request][y_{1nonce}\ \mathrm{is}\ dk.p_{Y(a-1)w}].\ \overline{c}_{Lt}\langle \{I_t\_req, h(I_t\_req, dk.p_{Y(a-1)t})\}_{dk.p_{Yj\,t}} \rangle \\ & \mid c_{tL}(w_{cipher}).\ \mathrm{case}\ w_{cipher}\ \mathrm{of}\ \{x_3, H(y_p)\}_{dk.p_{Y(j+1)t}}\ \mathrm{in}\ \mathrm{let}\ (x_3, y_{3nonce}) = y_p\ \mathrm{in}\ [x_3\ \mathrm{is}\ response][y_{3nonce}\ \mathrm{is}\ dk.p_{Ya\,t}].\ \overline{c}_{Lw}\langle \{I_t, h(I_t, dk.p_{Yj\,w})\}_{dk.p_{Y(j+1)w}} \rangle \end{aligned} \qquad (5.38)$$

$$Sys(I_1 \ldots I_m) \triangleq (\nu dk.p_{Yj\,x})(\nu dk.p_{Y(j+1)x})\,\Big\{\prod_{x \in 1..m}\big(Send_{w_x,t_x}(I_x) \mid\ !LSGC \mid\ !Recv_{t_x}\big)\Big\} \qquad (5.39)$$

The replication of the server $!LSGC$ and the receiving processes $!Recv$ means that every participant is ready to play the role of receiver in any number of runs of the protocol in parallel. By combining Equations 5.36, 5.37 and 5.38, we have Equation 5.39 rewritten as:

$$\begin{aligned} Sys \equiv\ & (\nu dk.p_{Yj\,w})\ \mathrm{case}\ \{I_t\_req, h(I_t\_req, dk.p_{Y(j-1)w})\}_{dk.p_{Yj\,w}}\ \mathrm{of}\ \{x_1, H(y_p)\}_{dk.p_{Yj\,w}}\ \mathrm{in}\ \mathrm{let}\ (x_1, y_{1nonce}) = y_p\ \mathrm{in} \\ & (\nu dk.p_{Yj\,t})\ \mathrm{case}\ \{I_t\_req, h(I_t\_req, dk.p_{Y(a-1)t})\}_{dk.p_{Yj\,t}}\ \mathrm{of}\ \{x_1, H(y_p)\}_{dk.p_{Yj\,t}}\ \mathrm{in}\ \mathrm{let}\ (x_1, y_{2nonce}) = y_p\ \mathrm{in} \\ & (\nu dk.p_{Y(j+1)t})\ \mathrm{case}\ \{I'_t\_res, h(I'_t\_res, dk.p_{Yj\,t})\}_{dk.p_{Y(j+1)t}}\ \mathrm{of}\ \{x_3, H(y_p)\}_{dk.p_{Y(j+1)t}}\ \mathrm{in}\ \mathrm{let}\ (x_3, y_{3nonce}) = y_p\ \mathrm{in} \\ & (\nu dk.p_{Y(j+1)w})\ \mathrm{case}\ \{I_t, h(I_t, dk.p_{Yj\,w})\}_{dk.p_{Y(j+1)w}}\ \mathrm{of}\ \{x, H(y_p)\}_{dk.p_{Y(j+1)w}}\ \mathrm{in}\ \mathrm{let}\ (x, y_{nonce}) = y_p\ \mathrm{in}\ F \end{aligned} \qquad (5.40)$$

Based on the reaction relation and reduction relation rules (Equation 5.27), we have:

$$Sys \to (\nu dk.p_{Yj\,w})(\nu dk.p_{Y(j+1)w})(\nu dk.p_{Yj\,t})(\nu dk.p_{Y(j+1)t})\,F(I_t\_req, I_t\_req, I'_t\_res, I_t) \equiv F(I_t\_req, I_t\_req, I'_t\_res, I_t) \qquad (5.41)$$

Thus the processes have no disclosure of the critical information $I_t$ and its intermediate values $I_t\_req$ and $I'_t\_res$. In the protocol, dynamic communication
keys are employed in forming tokens. In accordance with the cryptographic properties of dynamic keys, a specification is devised as follows:

$$Send_{spec(w,t)} \triangleq \overline{c}_{wL}\langle \{I_t\_req, random\}_{dk.p_{Yj\,w}} \rangle \mid c_{Lw}(x_{cipher}).\ \mathrm{case}\ x_{cipher}\ \mathrm{of}\ \{x, random\}_{dk.p_{Y(j+1)w}}\ \mathrm{in}\ [x\ \mathrm{is}\ I_t]\ \mathrm{in}\ F \qquad (5.42)$$

$$Recv_{spec(t)} \triangleq c_{Lt}(y_{cipher}).\ \mathrm{case}\ y_{cipher}\ \mathrm{of}\ \{x_1, random\}_{dk.p_{Yj\,t}}\ \mathrm{in}\ [x_1\ \mathrm{is}\ request] \mid \overline{c}_{tL}\langle \{I'_t\_res, random\}_{dk.p_{Y(j+1)t}} \rangle \qquad (5.43)$$

$$\begin{aligned} LSGC_{spec} \triangleq\ & c_{wL}(z_{cipher}).\ \mathrm{case}\ z_{cipher}\ \mathrm{of}\ \{x_1, random\}_{dk.p_{Yj\,w}}\ \mathrm{in}\ [x_1\ \mathrm{is}\ request].\ \overline{c}_{Lt}\langle \{I_t\_req, random\}_{dk.p_{Yj\,t}} \rangle \\ & \mid c_{tL}(w_{cipher}).\ \mathrm{case}\ w_{cipher}\ \mathrm{of}\ \{x_3, random\}_{dk.p_{Y(j+1)t}}\ \mathrm{in}\ [x_3\ \mathrm{is}\ response].\ \overline{c}_{Lw}\langle \{I_t, random\}_{dk.p_{Y(j+1)w}} \rangle \end{aligned} \qquad (5.44)$$

$$Sys_{spec}(I_1 \ldots I_m) \triangleq (\nu dk.p_{Yj\,x})(\nu dk.p_{Y(j+1)x})\,\Big\{\prod_{x \in 1..m}\big(Send_{spec(w_x,t_x)}(I_x) \mid\ !LSGC_{spec} \mid\ !Recv_{spec(t_x)}\big)\Big\} \qquad (5.45)$$

After applying the reduction relation rules, we have $Sys(I_1 \ldots I_m) \simeq Sys_{spec}(I_1 \ldots I_m)$. In other words, $Sys(I_1 \ldots I_m)$ and $Sys_{spec}(I_1 \ldots I_m)$ are indistinguishable to an adversary. Thus, similar to the Logon protocol, the AccessAuth protocol also has two important properties:

- Authenticity: $Sys(I_1 \ldots I_m) \simeq Sys_{spec}(I_1 \ldots I_m)$ for any message.
- Secrecy: $Sys(I_1 \ldots I_m) \simeq Sys_{spec}(I_1 \ldots I_m)$ if $F(message) \simeq F(random)$ for any message.

5.3.4. Summary

This section formally discussed the security of AAM by using Spi calculus. It proved that, by using dynamic keys in the Logon and AccessAuth protocols, the proposed AAM does
not leak any sensitive information, and that sensitive information and random numbers are indistinguishable to an adversary. Also, both the Logon and AccessAuth protocols have the authenticity and secrecy properties. The proposed AAM thus has the following security factors to contribute to SecureSIS:

- Logon and AccessAuth protocols are secure; they do not reveal sensitive information in transit between entities.
- AAM has the authenticity and secrecy properties.

5.4. Security of SIM

The security of SIM is conducted by two sets of dynamic keys. The first set of dynamic keys (dynamic communication keys) is a security shield that is used to protect the communication channel^70 and the user interface^71. The second set of dynamic keys (dynamic data keys) is the security core of SIM. This set only protects sensitive information storage and integrates with sensitive information stored in cipher form; it is never involved in the protection of the communication channel and the user interface. According to Tipton and Krause [TKr07], data interchange and storage present a major problem for the management of security information. Therefore, in this section, the security of interchanging sensitive information is examined in Section 5.4.1 and is followed by a discussion on the security of sensitive information storage in SIM. The contributions are restated in the summary.

^70 Communication channel is discussed in UGKM and AAM.

^71 User interface is discussed in AAM.
5.4.1. Security of Interchanging Sensitive Information

As described in Section 4.4 on SIM, sensitive information is stored in the form of ciphers, and the ciphers (sensitive information) can be kept in multiple SIM objects. The information interchange occurs when data operations (Section 4.4.2) are triggered. Referring to Figure 4.9, suppose $u_n$ joins an LSGC (SIM object, denoted $LSGC_1$) and wants to manage its sensitive information $c.u_n^k$, which is located in another LSGC (denoted $LSGC_2$). Informally, the message flow can be redescribed as follows by combining Section 4.3.4 (the AAM AccessAuth protocol) and Section 4.4.1 (the SIM structure):

i) $u_n \to LSGC_1 : \{I_n\_req, h(I_n\_req, dk.u_{Y(j-1)n})\}_{dk.u_{Yj\,n}}$

ii) $LSGC_2 \to u_n : \{c.u_n^k, h(c.u_n^k, dk.u_{Yj\,n})\}_{dk.u_{Y(j+1)n}}$

The $LSGC_1$ in the message flow refers to the group $u_n$ joined, while the $LSGC_2$ represents the location of the sensitive information $c.u_n^k$. According to Definition 3.7 (Equations 3.11, 3.12 and 3.13), $c.u_n^k$ can be expanded into $\{I_k\}_{dk.u_{X\,n}},\ \{\{dk.u_{X\,n}\}_{dk.u_{XC\,n}}, h(\{I_k\}_{dk.u_{X\,n}})\}$. Intuitively, sensitive information $I_k$ is protected in transit between the user and the $LSGC_1$ and the $LSGC_2$ by the dynamic data key and the dynamic communication key. Hence, we can make a corollary:

Corollary 5.7 (Weak Security) Sensitive information interchange is secure in SIM.

Proof: According to the Spi calculus proof in AAM, the AccessAuth protocol does not reveal sensitive information in transit among entities. The $c.u_n^k$ is thus secure,
and an adversary cannot distinguish between the information $c.u_n^k$ and a random number; the proof is complete.

According to the weak security corollary and the cryptographic properties of dynamic keys, it is presumed that by using dynamic data keys in SIM, strong security in information interchange can be achieved; we can thus make a corollary.

Corollary 5.8 (Strong Security) Even though the communication channel is breached, sensitive information interchange is still secure in SIM.

Proof: Suppose an adversary $A$ breaches the communication channel, and $A$ understands the communication key and has the content of messages (say $c.u_n^k$). According to Corollary 5.1, the compromised dynamic communication key does not affect any dynamic data key. The content $c.u_n^k$ is under the protection of the dynamic data key. In addition, dynamic key secrecy guarantees that it is computationally infeasible to find dynamic keys. Therefore, the content $c.u_n^k$ is secure; the proof is complete.

5.4.2. Security of Sensitive Information Storage

The security aspect of most concern in SIM is sensitive information security. Definition 3.7, SIM data operation and dynamic membership operation, offers the following security features:

- Every data entry operation yields a different EI.
- Every transaction triggers EDK updates.
- Any data altered results in a new EI and a new set of EDK.
- Only the owner of sensitive data has the correct dynamic key to decipher the data.
- Only in an emergency circumstance is a nominated cluster, overseen by an auditing cluster, able to access the sensitive information of users.
- Any orphan sensitive information is managed by a nominated cluster overseen by an auditing cluster.

Intuitively, because the above facts protect sensitive information in storage, it would appear that sensitive information is secure and protected, even should the storage be breached. Therefore, a corollary can be made.

Corollary 5.9 The breach of sensitive information storage does not threaten the security of sensitive information.

Proof: Suppose an adversary $A$ breaches the security of sensitive information storage. In other words, $A$ has access to all of the sensitive information $I$ in the form of the cipher $CI$ but lacks the keys to decipher $CI$. According to Definition 3.7, we note:

$$A : CI \qquad (5.46)$$

Thus, the probability of revealing sensitive information through the given $CI$ for $A$ is:

$$\Pr(I \mid CI) \qquad (5.47)$$

Let $M$, $C$ and $K$ denote plain text, cipher text and an encryption key set respectively. Symbols $+$ and $-$ are symmetric encipher and decipher operations. We have:

$$C = M + K, \qquad M = C - K \qquad (5.48)$$

According to conditional probability rules, (5.47) is rewritten:

$$\Pr(I \mid CI) = \frac{\Pr(I, CI)}{\Pr(CI)} \qquad (5.49)$$
Since (5.46) holds, the probability of revealing $CI$ is one for $A$, $\Pr(CI) = 1$, then:

$$\Pr(I \mid CI) = \Pr(I, CI) \qquad (5.50)$$

Drawing on Definition 3.7 and applying it to (5.48):

$$\Pr(I \mid CI) = \Pr(I, CI) = \Pr(CI - DK, CI) \qquad (5.51)$$

Thus, the probability of revealing sensitive information through a given $CI$ to $A$ is the probability of knowing all of the dynamic data key set $DK_X$:

$$\Pr(I \mid CI) = \Pr(DK_X) \qquad (5.52)$$

According to Theorems 3.1, 3.2 and 3.3, the probability of $A$ knowing the set of dynamic keys is zero. In other words, the dynamic keys are infeasible to compute. Thus:

$$\Pr(I \mid CI) = \Pr(DK_X) = 0 \qquad (5.53)$$

Hence, although sensitive information storage is breached, sensitive information is still secure and protected; the proof is complete.

Since the security of sensitive information storage is guaranteed by the above proof, a strong claim is made.

Corollary 5.10 Even if the security of one user is breached in SIM, the security of other users and sensitive information will not be compromised.

Proof: Suppose that $S$ is a sample space possessing enciphered sensitive information. Events $B_1, B_2, \ldots, B_n$ partition $S$, and we have $B_1 \cup B_2 \cup \ldots \cup B_n = S$. Due to the SIM security features, the occurrences of events $B_i$ and $B_j$ are independent. Therefore, $B_i \cap B_j = \emptyset$ for any pair $i$ and $j$, where $\emptyset$ denotes the null set.
Let $B_j$ denote the event that the disclosed information comes from user $u_j$, where $j \in \{1, 2, \ldots, n\} \subseteq U$ and $\Pr(B_j) \ne 0$. Let $A$ denote the event that the sensitive information is compromised. The conditional probability of the compromised-information event $B_j$ given event $A$ is one:

$$\Pr(B_j \mid A) = 1 \qquad (5.54)$$

Applying Bayes' law, we have:

$$\Pr(B_j \mid A) = \frac{\Pr(B_j)\Pr(A \mid B_j)}{\sum_{i=1}^{n}\Pr(B_i)\Pr(A \mid B_i)} \qquad (5.55)$$

and, taking (5.54) into (5.55), thus:

$$\Pr(B_j)\Pr(A \mid B_j) = \sum_{i=1}^{n}\Pr(B_i)\Pr(A \mid B_i) \qquad (5.56)$$

and, expanding (5.56):

$$\Pr(B_j)\Pr(A \mid B_j) = \Pr(B_1)\Pr(A \mid B_1) + \Pr(B_2)\Pr(A \mid B_2) + \cdots + \Pr(B_{j-1})\Pr(A \mid B_{j-1}) + \Pr(B_j)\Pr(A \mid B_j) + \Pr(B_{j+1})\Pr(A \mid B_{j+1}) + \cdots + \Pr(B_{n-1})\Pr(A \mid B_{n-1}) + \Pr(B_n)\Pr(A \mid B_n) \qquad (5.57)$$

and then:

$$\Pr(B_1)\Pr(A \mid B_1) + \cdots + \Pr(B_{j-1})\Pr(A \mid B_{j-1}) + \Pr(B_{j+1})\Pr(A \mid B_{j+1}) + \cdots + \Pr(B_n)\Pr(A \mid B_n) = 0 \qquad (5.58)$$

Since $\Pr(B_i) \ne 0$, where $i \in \{1, 2, \ldots, n\}$, the conditional probability of compromising the sensitive information of others is zero. We have:

$$\Pr(A \mid B_1) = \cdots = \Pr(A \mid B_{j-1}) = \Pr(A \mid B_{j+1}) = \cdots = \Pr(A \mid B_n) = 0 \qquad (5.59)$$
Therefore, even when one user is compromised in SIM, the probability of breaching other sensitive information is zero; the proof is complete.

5.4.3. Summary

This section has proved that the proposed SIM offers secure sensitive information interchange and sensitive information storage by giving Corollaries 5.7, 5.8, 5.9 and 5.10. The corollaries show that sensitive information in a cipher form is secure in transit among entities. Also, sensitive information itself is secure and protected in storage. The use of the two sets of dynamic keys in SIM contributes the following security features:

- Weak security: sensitive information interchange is secure in SIM.
- Strong security: even should a communication channel be breached, sensitive information interchange is still secure in SIM.
- The breach of sensitive information storage does not threaten the security of sensitive information.
- If the security of one user is breached in SIM, the security of other users is not compromised; nor is other sensitive information threatened.

In other words, if sensitive information storage is compromised, and also one or more users are breached, the sensitive information of others in SIM is still secure and protected.

5.5. SecureSIS Pentad Assessment

In this section, we build the SecureSIS pentad model to evaluate the security of the proposed security architecture for sensitive information systems. The five elements of the SecureSIS pentad are discussed and proved to show that the proposed SecureSIS
satisfies the security requirements of the SecureSIS pentad model and the security goals of the communication channel, user interface and sensitive information storage.

5.5.1. Authenticity & Authority Discussion

AAM offers authenticity and authority (discussed in the security of AAM, Section 5.3). In summary, an adversary cannot distinguish $\{I, h(I, dk_{Y(a-1)})\}_{dk.p_{Ya\,n}}$ from $\{random, random\}_{random}$ by sniffing networks. The communication between users and the LSGC is secure. In other words, an adversary can have no knowledge of conversations between entities, and only legitimate users and genuine entities are able to understand conversations. According to the requirements of AAM (Equations 3.27, 3.28 and 3.29), a number of proofs can be given to show that SecureSIS has the property of AAM in protecting sensitive information.

Axiom 5.1 For any message $I \in \mathbf{I}$, entity $Q$ believes entity $P$ said $I$ in SecureSIS.

Proof: Suppose a user $u \in U$ sends a request to an LSGC. Let $u$ be the entity $P$ and the LSGC be the entity $Q$:

$$u \to LSGC : \{I\_req, h(I\_req, dk.u_{Y(j-1)})\}_{dk.u_{Yj}} \qquad (5.60)$$

Then:

$$P : I\_req, h(I\_req, dk.u_{Y(j-1)}) \qquad (5.61)$$

Theorem 3.4, the key consistency property of dynamic keys, states that both entities have a correlative dynamic communication key. So:

$$Q\ \mathrm{sees}\ I\_req, h(I\_req, dk.u_{Y(j-1)}) \qquad (5.62)$$
According to the proof of security of AAM, an adversary cannot distinguish between meaningful messages and random messages. The cryptographic properties of dynamic keys (Theorems 3.1, 3.2 and 3.3) also contribute to message security. Consequently, the message is secure:

$$Q\ \mathrm{believes}\ I\_req, h(I\_req, dk.u_{Y(j-1)}) \qquad (5.63)$$

Then:

$$Q\ \mathrm{computes\ new\ token}\ h(I\_req, dk.u_{Y(j-1)}) \qquad (5.64)$$

If the new token is the same as $Q\ \mathrm{believes}\ h(I\_req, dk.u_{Y(j-1)})$, combining (5.61) and (5.62), we have:

$$P \to Q : I, token \;\Rightarrow\; \forall I \in \mathbf{I},\ P : I \Rightarrow Q\ \mathrm{believes}\ P\ \mathrm{said}\ I \qquad (5.65)$$

Therefore, Equation 3.27 is satisfied in SecureSIS, and the proof is complete.

Axiom 5.2 Entity $Q$ believes the claim of entity $P$ during the time interval $[t_0, t_1]$ in SecureSIS.

Proof: Suppose a user $u \in U$ wants to log in to an LSGC. Let $u$ be the entity $P$ and the LSGC be the entity $Q$:

$$u \to LSGC : \{logon\_req, h(\,\cdot\,, dk.u_{Y(j-1)})\}_{dk.u_{Yj}} \qquad (5.66)$$

According to Axiom 5.1:

$$Q\ \mathrm{believes}\ logon\_req, h(\,\cdot\,, dk.u_{Y(j-1)}) \qquad (5.67)$$
The entity $Q$ uses $h(\,\cdot\,, dk.u_{Y(j-1)})$ as a key to decipher $eid$^72. If, and only if, the value is the same as the unique id, then the entity $P$ is genuine as claimed:

$$Q\ \mathrm{believes}\ P \qquad (5.68)$$

However, according to AAM and DKM, the trust of $P$ is only available for one message. Letting $t$ denote the time of processing a message, then we have:

$$\int_{t_0}^{t_1} P\ \mathrm{claims\ to}\ Q\ \,dt \;\Rightarrow\; Q\ \mathrm{believes}\ P \qquad (5.69)$$

Therefore Equation 3.28 is satisfied in SecureSIS, and the proof is complete.

The security of authenticity takes advantage of the properties of dynamic keys. The same dynamic key cannot be used for authentication twice. If the same key is used twice, an intrusion detection mechanism (Corollary 5.2) will be triggered. Also, as suggested, the unique id can be generated from biometrics, such as a fingerprint, DNA or an iris, to further enhance the security of SecureSIS.

Axiom 5.3 Entity $Q$ possesses sensitive information $I$ of entity $P$, if and only if, the predicate $AR(I, *)$ is true in SecureSIS.

Proof: Assuming the AccessAuth protocol, and letting entity $Q$ have full permission to $I$, then:

$$Q : AR(I, *) = true \qquad (5.70)$$

According to the properties of engaging users (Equations 3.6 and 3.17):

$$Q : I \qquad (5.71)$$

Applying the summation rule:

^72 Refer to Definition 3.6 and details in Section 4.3.
$$\sum_{i=1}^{N} Q : AR(I_i, *) = true \;\Rightarrow\; \sum_{i=1}^{N} Q : I_i \qquad (5.72)$$

Applying the not operation:

$$\sum_{i=1}^{N} \neg\big(Q : AR(I_i, *) = true\big) \;\Rightarrow\; \sum_{i=1}^{N} \neg\big(Q : I_i\big) \qquad (5.73)$$

Then:

$$\sum_{i=1}^{N} Q : AR(I_i, *) = false \;\Rightarrow\; \sum_{i=1}^{N} \neg\big(Q : I_i\big) \qquad (5.74)$$

Thus:

$$Q : I\ \text{iff}\ Q : AR(I, *) \ne false \;\Rightarrow\; \forall I \in \mathbf{I},\ P : I \Rightarrow Q : I \qquad (5.75)$$

Therefore Equation 3.29 is satisfied in SecureSIS, and the proof is complete.

Axiom 5.3 is also reflected in the SIM component. Assume user $u_n$ has permission to access only the sensitive information $I_a$ of user $u_m$. Then, $u_n$ sees the message $\{I, h(I, dk.p_{Yj\,n})\}_{dk.p_{Y(j+1)n}}$. According to the definition of SIM, $I = \{I_a\}_{dk.u_{X\,m}}\,\{dk.u_{X\,m}\}_{dk.u_{Yj\,n}}$. Therefore $I_a$ is available to $u_n$. However, say $I_b$ is unauthorized sensitive information for $u_n$; $u_n$ cannot understand $\{I_b\}_{dk.u_{X(x)\,m}}$ although $u_n$ has the key $dk.u_{X\,m}$ from a previous transaction^73.

5.5.2. Integrity Discussion

Integrity deals with the intrinsic condition of sensitive information. In SecureSIS, the use of the hash function ensures sensitive information integrity. When the data is

^73 It applies the cryptographic properties of dynamic keys.
changed, the hash function yields a different result. In SecureSIS, every assembled message has a fresh token to guarantee the sensitive information integrity property in the communication channel. SecureSIS also guarantees that sensitive information is secure when in storage. We conclude the following axioms.

Axiom 5.4 Entity Q believes received sensitive information from entity P is identically maintained via the communication channel in SecureSIS.

Proof: Assume all message communications are of the form $P \to Q : \{I_n, h(I_n, dk.p_{Y_j})\}_{dk.p_{Y_{(j+1)}}}$ in the AccessAuth protocol. According to Axiom 5.1:

$Q \text{ believes } I_n, h(I_n, dk.p_{Y_j})$ (5.76)

For group users $Q \in \{Q_1 \ldots Q_n\}$ sharing sensitive information, according to the proof of security of UGKM and Axiom 5.1:

$Q_1 \ldots Q_n \text{ believe } I_n, h(I_n, dk.p_{Y_j})$ (5.77)

Letting $I'_n$ denote the received segment of message $I_n$, then:

$Q \text{ believes } Q \text{ receives } I'_n$ (5.78)

According to Theorem 3.4, entities Q and P have identical sets of dynamic communication keys, so:

$Q : h(I'_n, dk.p_{Y_j})$ (5.79)

When comparing with the received token, if, and only if, both are the same, then:

$Q \text{ believes } I'_n = I_n$ (5.80)
The entity Q therefore believes that $I_n$ has not been maliciously or accidentally altered [74]. Thus, combining (5.78) with (5.80), we have:

$\dfrac{P \to Q : I,\; I \in \mathbb{I},\; Q \text{ receives } I'}{Q \text{ believes } I' = I}$ (5.81)

Thus Equation 3.30 is satisfied in SecureSIS, and the proof is complete.

Axiom 5.5 Entity P believes possessed sensitive information I is genuine in sensitive information storage and secure in SecureSIS.

Proof: According to Definition 3.7, for entity P possessing sensitive information I, we have:

$P : I$ (5.82)

Sensitive information I is stored in the form of a cipher c:

$c = \{I\}_{dk.P_X}\,\{dk.P_X, h(\{I\}_{dk.P_X})\}_{dk.P_{XC}}$ (5.83)

According to the cryptographic properties of dynamic keys and UGKM:

$P \text{ believes } SIM : c$ (5.84)

and:

$P \text{ believes } SIM \text{ sees } h(\{I\}_{dk.P_X}),\, \{I\}_{dk.P_X}$ (5.85)

The entity P is able to compute a new hash value of $\{I\}_{dk.P_X}$ to compare with $h(\{I\}_{dk.P_X})$. If, and only if, the values match, then:

$P \text{ believes } SIM \text{ believes } I$ (5.86)

74 Malicious altering means an adversary alters or forges sensitive information. Accidental altering indicates a network transmission error or a data storage crash.
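Added example (not the thesis's own code): a small model of two checks described above, the one-message authentication of the authenticity discussion (Q recomputes $h(id, dk.u)$, deciphers P's proof and rejects any second use of the same dynamic key, the condition said to trigger Corollary 5.2) and the stored cipher of (5.83) with the hash comparison of (5.86). The key derivation, the stream cipher standing in for $\{\cdot\}_k$, the message layout and all sample values are assumptions.

```python
"""Model of SecureSIS one-message authentication and the (5.83) storage
cipher. Added example, not thesis code: key derivation, the toy stream
cipher and every sample value below are assumptions."""
import hashlib
import hmac
from typing import Optional


def h(*parts: bytes) -> bytes:
    """Hash function h(.) of the thesis, instantiated with SHA-256."""
    return hashlib.sha256(b"".join(parts)).digest()


def encrypt(key: bytes, data: bytes) -> bytes:
    """{data}_key. Stand-in cipher: SHA-256 keystream XOR (toy, assumed;
    a deployment would use an authenticated cipher)."""
    out = bytearray()
    for block in range(0, len(data), 32):
        ks = h(key, block.to_bytes(4, "big"))
        out += bytes(a ^ b for a, b in zip(data[block:block + 32], ks))
    return bytes(out)


decrypt = encrypt  # keystream XOR is its own inverse


def dynamic_key(seed: bytes, index: int) -> bytes:
    """ASSUMED derivation of the index-th dynamic key from a shared seed."""
    return hmac.new(seed, index.to_bytes(4, "big"), hashlib.sha256).digest()


class Verifier:
    """Entity Q. P proves itself with {id}_{h(id, dk_j)}; Q recomputes the
    key, deciphers and compares with the registered unique id. Each dynamic
    key index is accepted once; a repeat is the intrusion indicator."""

    def __init__(self, seed: bytes, user_id: bytes):
        self.seed, self.user_id = seed, user_id
        self.used = set()      # key indices already consumed
        self.alerts = []       # (reason, index) records for the detector

    def check(self, j: int, ciphertext: bytes) -> bool:
        if j in self.used:
            self.alerts.append(("key_reuse", j))   # same key twice
            return False
        key = h(self.user_id, dynamic_key(self.seed, j))
        if not hmac.compare_digest(decrypt(key, ciphertext), self.user_id):
            self.alerts.append(("bad_proof", j))
            return False
        self.used.add(j)       # trust of P holds for this message only
        return True


def prove(user_id: bytes, seed: bytes, j: int) -> bytes:
    """Entity P: encipher its unique id under h(id, dk_j)."""
    return encrypt(h(user_id, dynamic_key(seed, j)), user_id)


def store(info: bytes, dk_px: bytes, dk_pxc: bytes) -> bytes:
    """c = {I}_{dk.P_X} {dk.P_X, h({I}_{dk.P_X})}_{dk.P_XC}   (5.83)."""
    enc_info = encrypt(dk_px, info)
    wrapped = encrypt(dk_pxc, dk_px + h(enc_info))   # 32 + 32 bytes
    return enc_info + wrapped


def retrieve(c: bytes, dk_pxc: bytes) -> Optional[bytes]:
    """Entity P recomputes h({I}_{dk.P_X}); only a match is trusted (5.86)."""
    enc_info, wrapped = c[:-64], c[-64:]
    inner = decrypt(dk_pxc, wrapped)
    dk_px, stored_hash = inner[:32], inner[32:]
    if not hmac.compare_digest(h(enc_info), stored_hash):
        return None            # altered in storage: do not trust
    return decrypt(dk_px, enc_info)


def demo() -> dict:
    """Constructed sample run: genuine proof, replay, forgery, tampering."""
    seed, uid = b"constructed-shared-seed", b"user-0042-id"
    q = Verifier(seed, uid)
    proof = prove(uid, seed, 7)
    first = q.check(7, proof)                    # accepted
    replay = q.check(7, proof)                   # rejected: key reuse
    forged = q.check(8, b"\x00" * len(uid))      # rejected: bad proof
    dk_px, dk_pxc = dynamic_key(seed, 100), dynamic_key(seed, 101)
    c = store(b"patient record: constructed sample", dk_px, dk_pxc)
    tampered = bytearray(c)
    tampered[0] ^= 0x01                          # one bit of {I}_{dk.P_X}
    return {"first": first, "replay": replay, "forged": forged,
            "alerts": q.alerts, "ok": retrieve(c, dk_pxc),
            "tampered": retrieve(bytes(tampered), dk_pxc)}
```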
According to the discussions on the security of SIM (Corollaries 5.7, 5.8, 5.9 and 5.10):

$P \text{ believes } I$ (5.87)

Therefore, in SecureSIS, for any sensitive information stored, we have:

$\dfrac{P : I,\; I \in \mathbb{I}}{P \text{ believes } I}$ (5.88)

Thus Equation 3.31 is satisfied in SecureSIS, and the proof is complete.

5.5.3. Non-repudiation Discussion

Non-repudiation is achieved in AAM through the use of dynamic keys. When a user sends a request to share the sensitive information of others, or the user gives permission for others to access the user's sensitive information, a token needs to be generated and sent to the LSGCs. The token is constructed from a unique dynamic key, known only to the user and the system. This knowledge ensures the user is unable to deny issuing permissions or sending requests. In addition, the token is dynamically generated based on the user's dynamic communication key and is only used once. The token thus eradicates the security threat of sniffing attacks. In addition, as described, when a user registers with the system, a unique secure ID id is generated, based on the security level, by either biometrics or a secure random number. Therefore, the user has a lawful identity in the system that is representative of the user, and the id is enciphered by the combination of a dynamic communication key and its index value. Whenever a user wishes to log on to the system, only the correct combination is able to verify the legitimacy of the user. Based on the security of DKM and former key secrecy, it is computationally infeasible to discover any
dynamic key; thus, the id is considered as a signature of the user in the system to achieve high assurance. Therefore, an axiom can be given.

Axiom 5.6 Entity P believes actions performed by entity Q with signature in SecureSIS.

Proof: Because of the Initialization and Logon protocols, we know the id of entity Q has never been involved in any transactions via either public channels or private channels. Meanwhile, P denotes the LSGC. Thus:

$Q \text{ believes } fresh(id),\; P \text{ believes } fresh(id)$ (5.89)

Also, only the genuine entity Q has the correct dynamic communication key. Q generates a correct token and sends it to P. According to Axioms 5.1, 5.2 and 5.4:

$P \text{ believes } Q \text{ said } token$ (5.90)

Taking the token into Equation 4.2 to obtain a fresh id; if, and only if, the fresh id is the same as the lawful identity in the system:

$P \text{ believes } Q$ (5.91)

Because all actions performed by Q in SecureSIS can be seen by P and, according to the security of AAM:

$P \text{ sees } Q \text{ performs actions with } token$ (5.92)

Then, combining (5.89), (5.91) and (5.92) and letting tokens be denoted by signs, we have:

$\dfrac{P \text{ believes } fresh(token),\; P \text{ sees } Q \text{ performs an action with a } token}{P \text{ believes } Q \text{ performs the action with the } token}$ (5.93)
Only the legitimate entity Q can have a token to generate a fresh signature, and only the legitimate entity Q has a correct dynamic communication key set. According to Theorems 3.1, 3.2 and 3.3, all tokens generated by Q are secure. Therefore, a token is equivalent to a signature:

$token \equiv sign$ (5.94)

Taking (5.94) into (5.93):

$\dfrac{P \text{ believes } fresh(sign),\; P \text{ sees } Q \text{ performs an action with a } sign}{P \text{ believes } Q \text{ performs the action with the } sign}$, and vice versa (5.95)

Therefore Equation 3.32 is satisfied in SecureSIS, and the proof is complete.

5.5.4. Confidentiality Discussion

Confidentiality is the property of preventing disclosure of sensitive information to unauthorized individuals or groups of users in SecureSIS. Confidentiality emphasizes the secrecy of the communication channel, the user interface and sensitive information storage. The confidentiality of sensitive information is guaranteed by relying on the security of AAM to protect the user interface, the security of UGKM and DKM to secure the communication channel and the security of SIM to defend sensitive information storage. As suggested in Section 3.3.5, confidentiality relates not only to the security of the above three components, but also to the privacy or secrecy of sensitive information owners. Thus, in addition to Axioms 5.1-5.6, the privacy of owners of sensitive information should be protected. In other words, sensitive information owners should have fine-grained control over their assets.
Axiom 5.7 Entity P, the owner of sensitive information, has full control of its assets in SecureSIS.

Proof: Suppose entity Q wants to access the sensitive information $I \in \mathbb{I}$ of entity P. According to the security of AAM and SIM, initially entity Q has no knowledge of I and also has no permissions relating to I. Precisely:

$I \in \mathbb{I},\; P : I \;\vdash\; Q : AR(I,*) = false$ (5.96)

According to the security of the AccessAuth protocol, entity Q cannot distinguish communication among entities. Also, the security of DKM and UGKM guarantees that the signature is infeasible to compute (Theorem 3.1). Moreover, according to the security of SIM, without proper permissions entity Q cannot understand the form of the sensitive information, even though Q is able to obtain the cipher form. Thus entity Q must request permission from the owner P in order to have access to sensitive information I. Combined with (5.96), we have:

$\dfrac{P \text{ authorizes } Q}{I \in \mathbb{I},\; P : I,\; Q : AR(I,*) = false \;\Rightarrow\; Q : AR(I,*) = true}$ (5.97)

Therefore Equation 3.33 is satisfied in SecureSIS, and the proof is complete.

5.5.5. Utility Discussion

Utility relates to information usefulness. It is a baseline for the other four elements (discussed in Section 3.3.7). Utility impacts dynamic membership and emergency situations. The proposed SecureSIS employs UGKM to handle information sharing. UGKM enables a particular segment of information to be available to a group of users. If the segment of sensitive information belongs to a group of users, the
dynamic data keys of the leader of the group are used to secure the data, thus enabling all group users to access the information. In addition, when a data owner permanently leaves the system, the ownership of the data will be assigned to the leader of the nominated cluster.

At times, a data owner may not be able to provide a key to retrieve information, and the information may be required urgently (perhaps for medical reasons). This lack of access represents a breach of utility: the information is controlled, integral and authentic, but it is not useful in its inaccessible form. In SIM, the use of EL solves the problem. EL contains the nominated cluster $c_n \in C$, an allocated auditing cluster $c_a \in C$ and an encrypted dynamic data key that enables access to the sensitive information of users that is normally inaccessible. This feature guarantees the usefulness of information. Thus Equations 3.34 and 3.35 are satisfied in SecureSIS.

5.5.6. SecureSIS Goals Discussion

Based on the proofs of Axioms 5.1-5.7 and the discussion on utility, the proposed security architecture satisfies the criteria of the SecureSIS pentad. Meeting these criteria ensures that SecureSIS has the authenticity and authority, non-repudiation, integrity, confidentiality and utility properties to protect sensitive information. By using the theorems, corollaries and axioms already presented, in this section we prove that SecureSIS also meets its intended goals.

Proof of User Interface's Goal. The user interface is protected by a combination of AAM, DKM and UGKM. According to the discussion on AAM, any user $u \in U$ can prove u to SecureSIS by adopting dynamic communication keys securely (Axioms
5.1 and 5.2). Also, for any sensitive information $I \in \mathbb{I}$, if the user u provides proof to SecureSIS with full permission to I, then the user u possesses the information (Axiom 5.3). In addition, in the discussion on CO, Axiom 5.7 stated that if user u possesses the information, then u has full control of it. Moreover, the discussion of NR mentions the Logon protocol in AAM, which guarantees that, as long as there is a correlated token (signature), SecureSIS will believe that the action is performed by user u. Thus we have:

$\forall u \in U,\; \forall I_j \in \mathbb{I}:\; (u \text{ CanProve } u \text{ to SecureSIS} \;\wedge\; u \text{ CanProve } AR(I_j,*) = true \text{ to SecureSIS}) \;\Rightarrow\; u : I_j$ (5.98)

Furthermore, as was discussed in the Logon protocol of AAM (Section 4.3.4), a challenge-response message is returned by using the dynamic communication key of user u to generate a token in order to verify the genuineness of SecureSIS. According to the cryptographic properties of dynamic keys and the security of AAM, we have:

$\forall u \in U\; (SecureSIS \text{ CanProve Genuine to } u)$ (5.99)

Thus Equations 3.20 and 3.21 are proved, ensuring that sensitive information is only disclosed to legitimate users with proper permissions and to genuine SecureSIS.

Proof of Communication Channel's Goal. The security of the communication channel is managed by the use of dynamic communication keys (DKM) and group keys (UGKM). As discussed in Section 3.3.3 on IN, it ensures that $u \in U$ believes received sensitive information is identically maintained in transit (Axiom 5.4).

$\forall u \in U,\; \forall I_j \in \mathbb{I}\; (u : I_j \text{ iff } u \text{ CanVerify } I_j \text{ is Genuine})$ (5.100)
Using the AccessAuth protocol, every message among entities is assembled with a unique token. Because of the features of DKM and UGKM, the keys needed to protect communication are secure. Every message received by SecureSIS can then be verified. Consequently, we have:

$\forall I_j \in \mathbb{I}\; (SecureSIS \text{ CanVerify } I_j \text{ is Genuine})$ (5.101)

Thus Equations 3.22 and 3.23 are proved and ensure that sensitive information is identically maintained during transmission via open networks in SecureSIS.

Proof of Sensitive Information Storage's Goal. The security of sensitive information storage is attained by SIM participating with DKM and UGKM. As discussed in Section 3.3.3 on IN, $u \in U$ believes possessed sensitive information is genuine in sensitive information storage (Axiom 5.5). We have:

$\forall EI_j \in \mathbb{EI},\; \forall u \in U\; (u : EI_j \text{ iff } u \text{ CanUnderstand } EI_j)$ (5.102)

According to the discussion on CO and NR (Axioms 5.6 and 5.7), if $u \in U$ possesses the information, the user has full control of it. In other words, the user can decipher EI. Hence we have:

$\forall EI_j \in \mathbb{EI},\; \forall u \in U\; (u : EI_j \text{ iff } u \text{ CanUnderstand } I_j)$ (5.103)

Thus Equation 3.24 is proved and ensures that sensitive information is stored securely and only privileged users can understand and retrieve sensitive information in SecureSIS.

5.6. Summary

In this chapter, the security aspects of the four components of SecureSIS were formally proved and discussed according to the description of Chapter 4. The
SecureSIS pentad model was built based on Definition 3.9 in Chapter 3 to evaluate the security characteristics of sensitive information in SecureSIS. The evaluation shows that the proposed security architecture satisfies the security requirements of sensitive information. According to the SecureSIS pentad evaluation, SecureSIS meets the user interface's goal, the communication channel's goal and the sensitive information storage's goal.

The discussion and mathematical proofs demonstrate that the proposed security architecture makes the following contributions to the protection of sensitive information:

- The use of dynamic keys in SecureSIS ensures greater security than the long-term shared symmetric keys and the asymmetric keys of previous security models.
- The use of two sets of dynamic keys in SecureSIS guarantees that:
  - DKM achieves privacy protection and sensitive information systems intrusion detection and prevention.
  - UGKM satisfies group key secrecy, forward secrecy, backward secrecy and collusion resistibility.
  - AAM ensures authenticity and secrecy, and also ensures that an adversary cannot distinguish between sensitive information and random text in transit between entities.
  - SIM has sensitive information interchange secrecy and sensitive information storage secrecy properties.
- By evaluating SecureSIS against the SecureSIS pentad model, we demonstrated that in SecureSIS the characteristic(s) of:
  - authenticity and authority ensure that sensitive information is securely shared either among a group of users or can be retrieved by individuals,
  - integrity ensures that sensitive information is identically maintained in communication and in storage,
  - non-repudiation guarantees that entities are unable to deny performing actions on sensitive information,
  - confidentiality ensures sensitive information in any form is protected and secure, and
  - utility ensures that, in any circumstance, sensitive information is useful.

The theorems, corollaries and axioms presented in this chapter have also demonstrated that SecureSIS meets its intended goals:

- Sensitive information is only disclosed to legitimate users with proper permissions and genuine SecureSIS (the user interface's goal).
- Sensitive information is identically maintained during transmission via open networks (the communication channel's goal).
- Sensitive information is stored securely and only privileged users can understand and retrieve the information (the sensitive information storage's goal).
Chapter 6

6. Conclusion and Future Work

This thesis has investigated sensitive information security in SIS. The limitations of extant security approaches (caused by the employment of long-term shared and public keys) and the resulting issues relating to dynamic sensitive information ownership, group authentication and authorization and privacy protection motivated us to propose a new security architecture. SecureSIS eliminates the limitations and issues of current approaches by applying dynamic key and group key theories. In addition to the new security architecture, a new sensitive information security model, the SecureSIS pentad, was also proposed in this thesis. This model overcomes the lack of assessment properties of extant information security models. The SecureSIS pentad also demonstrates that SecureSIS meets its security goals.

In this chapter, the aims and methodology of the research are reviewed in Section 6.1. The contributions offered over the previous five chapters are restated in Section 6.2. Finally, future work possibilities are identified in Section 6.3.
6.1. Revisiting the Research Problem and Approach

Protecting sensitive information is a growing concern around the globe. Securing critical data in all sectors, including the business, healthcare and military sectors, has become the first priority of sensitive information management. Failing to protect this asset results in high costs and, more importantly, can also result in lost customer and investor confidence and even threaten national security.

The purpose of this research was to develop a security architecture able to protect sensitive information systems. Sensitive information systems consist of three components: communication channel, user interface and sensitive information storage; the protection of these three components equates to the protection of sensitive information itself. As discussed in Chapter 2, previous research in this area has been limited. After assessing the state of prior research, the objectives of this research were defined as follows:

- To develop a general security architecture for various kinds of sensitive information systems that enables the protection of the three components: communication channel, user interface and sensitive information storage. The architecture should be able to:
  - handle dynamic membership of groups and individuals and enable the appropriate sharing or accessing of sensitive information,
  - prevent legal users accessing unauthorized sensitive information, so as to prevent internal security threats,
  - manage dynamic ownership of sensitive information, and
  - govern the security of information storage should the sensitive information system be breached.
- To develop methodological recommendations for the security evaluation of sensitive information systems.

To achieve these aims, a research methodology was structured on a three-stage process: development of a formal architecture, component design, and security discussion and assessment.

- Development of a formal architecture (Chapter 3): a new security architecture for sensitive information systems (SecureSIS) was formally proposed as the first step in protecting the three major components (communication channel, user interface and sensitive information storage) and to achieve the security goals of the security architecture. A sensitive information security model (SecureSIS pentad) was suggested to assess the security of the proposed architecture.
- Component design (Chapter 4): as per the proposed and defined formal architecture (SecureSIS), each component was designed and guided by the proposed SecureSIS pentad model.
- Security discussion and assessment (Chapter 5): a security discussion on each designed component was formally conducted, and then the proposed sensitive information security model was built to assess the proposed architecture and to prove that the security goals were met.

6.2. Contributions

This research contributes to the development of the body of knowledge surrounding sensitive information protection. Its contributions include the following:

Formal definition and cryptographic property proofs of dynamic keys
This thesis offered a first formal definition of dynamic keys (Definition 3.1) with the following proved cryptographic properties: dynamic key secrecy (Theorem 3.1), former key secrecy (Theorem 3.2), key collision resistance (Theorem 3.3) and key consistency (Theorem 3.4). These theorems were used to prove the correctness of two presumptions (Theorems 3.5 and 3.6) in sensitive information protection: i) that dynamic keys are more secure than long-term shared keys; and ii) that, compared with dynamic keys, asymmetric keys are insecure. The formal definition and the cryptographic properties can also be used as a guide to design new dynamic key generation algorithms. More importantly, the formal definition gives a distinct semantic notion to distinguish dynamic keys from other cryptographic keys, such as session keys, one-time pads and long-term keys.

A new proposed security architecture for sensitive information systems

This thesis proposed a novel security architecture, SecureSIS, to overcome the security threats and concerns of sensitive information systems in the components of communication channel, user interface and sensitive information storage. The architecture can be applied to security applications in all sectors, including the business, healthcare and military sectors, to protect sensitive information.

A new proposed sensitive information security model for sensitive information systems

This thesis proposed a new sensitive information security model, the SecureSIS pentad, to assess the security of SecureSIS. The SecureSIS pentad can also be used to assess other security architectures, thus making a valuable contribution to the field of sensitive information system security.
Development of dynamic key management (DKM)

This thesis developed a dynamic key management approach (discussed in Section 5.1.1) that employs two sets of dynamic keys (dynamic data keys and dynamic communication keys) to guarantee the security of sensitive information. Using this approach, even if one set of dynamic keys were to be compromised, the security of SecureSIS would not be breached. This approach is also able to detect and prevent intrusion in sensitive information systems.

Development of user-oriented group key management (UGKM)

This thesis developed a hybrid group key agreement (UGKM) to deal with dynamic group membership in sensitive information sharing and privacy protection. The agreement adopts the properties of dynamic keys to guarantee the security of sensitive information in transit among entities (communication channel). The agreement enables group key secrecy (Section 5.2.1), forward secrecy (Section 5.2.2), backward secrecy (Section 5.2.3) and collusion resistance (Section 5.2.4).

Development of authentication and authorization management (AAM)

This thesis developed an authentication and authorization management approach to protect the user interface. AAM achieves high security and tight access control when dealing with dynamic membership of groups and individuals that share or access sensitive information. AAM enables dynamic ownership of sensitive information, flexible access control and strong identity verification.

Design of sensitive information management (SIM)
This thesis applied DKM and UGKM to design a new approach for the protection of sensitive information at rest. SIM integrates dynamic keys with sensitive information stored in the form of a cipher to avoid leaking sensitive information in the case of unauthorized access. SIM guarantees that sensitive information interchange is secure should the communication channel and user interface components be compromised. That is, a breach of sensitive information storage will not threaten the security of sensitive information, and the security of other users and sensitive information will not be compromised should the security of some users be breached.

6.3. Future Work

This research has opened up avenues for further work. These include i) investigation into the use of dynamic keys for intrusion prevention and detection; ii) the design and development of new dynamic key algorithms; and iii) the amelioration of the sensitive information security model (SecureSIS pentad).

This thesis has presented a security architecture that overcomes the limitations of existing security approaches in protecting sensitive information. The architecture has also demonstrated the feature of intrusion prevention and detection by the employment of two sets of dynamic keys. This mechanism has yet to be studied formally and systematically. It could be further investigated and proposed as a new component for SecureSIS. We have begun some work in this direction [DaWuWa08, WuLeSr09].

Another direction for future research could involve the design of new cryptographic algorithms in order to enhance the security of sensitive information systems. This current research has enabled the formal definition of dynamic keys and regulated the
cryptographic properties of dynamic keys. Future work might involve the testing of these definitions to further demonstrate their appropriateness when guiding the design of new dynamic key generation algorithms. We have designed one realization (a dynamic key generation algorithm) and it is being patented [WuLe06].

The usefulness of the SecureSIS pentad in assessing other security architectures also needs to be firmly established. Where possible, we suggest the adoption of methodologies similar to those used in the earlier studies that evaluated the CIA Triad and the Parkerian Hexad, but with the substitution of the SecureSIS pentad. A comparison of the results would yield insight and enable further fine-tuning of the SecureSIS pentad.

In conclusion, SecureSIS overcomes the limitations associated with existing security approaches and enables the complete protection of the three components of sensitive information systems. The results from our study are both a catalyst and a justification for further research in this area to increase the body of scientific knowledge concerning sensitive information protection.
References

[Ab99] Abadi, M. (1999). Secrecy by typing in security protocols. Journal of the ACM, Vol. 46 (5), pp. 749-786.
[AbGo97] Abadi, M., and Gordon, A. D. (1997). A calculus for cryptographic protocols: the spi calculus. In Proceedings of the Computer and Communications Security, pp. 36-47.
[AnKu96] Anderson, R., and Kuhn, M. (1996). Tamper Resistance - a Cautionary Note. In Proceedings of the 2nd Usenix Workshop on Electronic Commerce, pp. 1.
[AnAn01] Anderson, R. J., and Anderson, R. (2001). Security Engineering: A Guide to Building Dependable Distributed Systems. John Wiley & Sons.
[ArCaLi04] Arkko, J., Carrara, E., Lindholm, F., Naslund, M., and Norrman, K. (2004). MIKEY: Multimedia Internet KEYing (No. RFC 3830): Network Working Group, The Internet Engineering Task Force.
[At95] Atkinson, R. (1995). Security Architecture for the Internet Protocol (No. RFC 1825): Network Working Group, The Internet Engineering Task Force.
[BaFi01] Bacon, C. J., and Fitzgerald, B. (2001). A systemic framework for the field of information systems. ACM SIGMIS Database, Vol. 32 (2), pp. 46-67.
[Ba96] Ballardie, T. (1996). Scalable Multicast Key Distribution (No. RFC 1949): Network Working Group, The Internet Engineering Task Force.
[Ba04] Bard, G. V. (2004). The vulnerability of SSL to chosen-plaintext attack (No. 2004/111): Cryptology ePrint Archive.
[BaBaBu06] Barker, E., Barker, W., Burr, W., Polk, W., and Smid, M. (2006). Recommendation for Key Management. The National Institute of Standards and Technology.
[BeWi98] Becker, K., and Wille, U. (1998). Communication Complexity of Group Key Distribution. In Proceedings of the 5th ACM Conference on Computer and Communications Security, pp. 1-6.
[BeIsKu99] Beimel, A., Ishai, Y., Kushilevitz, E., and Malkin, T. (1999). One-way Functions are Essential for Single-Server Private Information Retrieval. In Proceedings of the 31st Annual ACM Symposium on Theory of Computing, pp. 89-98.
[BeCaKr96] Bellare, M., Canetti, R., and Krawczyk, H. (1996). Pseudorandom functions revisited: the cascade construction and its concrete security. In Proceedings of the 37th Annual Symposium on Foundations of Computer Science, pp. 514-523.
[BeMe92] Bellovin, S. M., and Merritt, M. (1992). Encrypted Key Exchange: Password-Based Protocols Secure Against Dictionary Attacks. In Proceedings of the IEEE Symposium on Research in Security and Privacy, pp. 72-84.
[BeMe93] Bellovin, S. M., and Merritt, M. (1993). Augmented Encrypted Key Exchange: a Password-Based Protocol Secure Against Dictionary Attacks and Password File Compromise. In Proceedings of the 1st ACM Conference on Computer and Communication Security, pp. 244-250.
[BeGoGo88] Ben-Or, M., Goldreich, O., Goldwasser, S., Håstad, J., Kilian, J., Micali, S., et al. (1988). Everything Provable is Provable in Zero-Knowledge. In Proceedings of the 8th Annual International Cryptology Conference on Advances in Cryptology, pp. 37-56.
[BhDe98] Bhatia, S. K., and Deogun, J. S. (1998). Conceptual clustering in information retrieval. IEEE Transactions on Systems, Man, and Cybernetics, Vol. 28 (3), pp. 427-436.
[Bi96] Biham, E. (1996). How to Forge DES-Encrypted Messages in 2^28 Steps (No. CS 884): Technion-Israel Institute of Technology.
[BiSh93] Biham, E., and Shamir, A. (1993). Differential Cryptanalysis of the Data Encryption Standard. New York: Springer-Verlag.
[BiKl95] Bishop, M., and Klein, D. V. (1995). Improving System Security via Proactive Password Checking. Computers and Security, Vol. 14 (3), pp. 233-249.
[Bo99] Boneh, D. (1999). Twenty Years of Attacks on the RSA Cryptosystem. Notices of the AMS, Vol. 46 (2), pp. 203-213.
[Bo07] Boyd, G. (2007). IBM Encryption Facility for z/OS. Retrieved 28 April, 2008, from ftp://ftp.software.ibm.com/common/ssi/rep_sp/n/zsd01450USEN/ZSD01450USEN.pdf
[Br73] Branstad, D. K. (1973). Security aspects of computer networks. In Proceedings of the AIAA Computer Network Systems Conference, pp. 73.
[Br99] Briscoe, B. (1999). MARKS: Zero Side Effect Multicast Key Management using Arbitrarily Revealed Key Sequences. In Proceedings of the 1st International Workshop on Networked Group Communication, pp. 301-320.
[BrFo05] Bruen, A. A., and Forcinito, M. A. (2005). Cryptography, Information Theory, and Error-Correction: a Handbook for the 21st Century. Wiley-Interscience.
[BS93] BSI. (1993). Code of Practice for Information Security Management (CoP) (No. PD 0003): British Standards Institute.
[Bu06] Burg, T. (2006). Data at rest encryption on the NonStop platform. SunTUG. Retrieved 31 March 2009, from http://www.suntug.org/Articles/2006-06_comForte_data-at-rest_Encryption.pdf
[CaMiSt99] Cachin, C., Micali, S., and Stadler, M. (1999). Computationally Private Information Retrieval with Polylogarithmic Communication. In Advances in Cryptology, Vol. 1592/1999, pp. 402-414: Springer Berlin / Heidelberg.
[CaWaSu98] Caronni, G., Waldvogel, M., Sun, D., and Plattner, B. (1998). Efficient communication for large and dynamic multicast groups. In Proceedings of the 7th IEEE International Workshop on Enabling Technologies: Infrastructure for Collaborative Enterprises, pp. 376-383.
[CeJaSc08] Cervesato, I., Jaggard, A. D., Scedrov, A., Tsay, J.-K., and Walstad, C. (2008). Breaking and fixing public-key Kerberos. Information and Computation, Vol. 206 (2-4), pp. 402-424.
[ChGeRu90] Champine, G. A., Geer, D. E., Jr., and Ruh, W. N. (1990). Project Athena as a distributed computer system. Computer, Vol. 23 (9), pp. 40-51.
[Ch97] Chan, S. C. C. (1997). An overview of smart card security. Break IC. Retrieved 22 December, 2008, from http://www.break-ic.com/topics/attack-microcontroller.asp
[ChWaWu06] Chen, Y. J., Wang, Y. L., Wu, X. P., and Le, P. D. (2006). The Design of Cluster-based Group Key Management System in Wireless Networks. In Proceedings of the International Conference on Communication Technology, pp. 1-4.
[ClChCh08] Clark, C., Chaffin, L., Chuvakin, A., Fogie, S., Schiller, C., Paladino, S., et al. (2008). InfoSecurity 2008 Threat Analysis. Burlington, Massachusetts, USA: Syngress Publishing, Inc.
[ClWi87] Clark, D. D., and Wilson, D. R. (1987). A comparison of commercial and military computer security policies. In Proceedings of the IEEE Symposium on Security and Privacy, pp. 184-194.
[Cn92] CNSS. (1992). National Training Program for Information Systems Security (INFOSEC) Professionals. National Security Telecommunications and Information Systems Security Committee.
[Co03] Cole, S. A. (2003). Suspect Identities: A History of Fingerprinting and Criminal Identification. Harvard University Press.
[CoDiWa04] Conklin, A., Dietrich, G., and Walz, D. (2004). Password-Based Authentication: A System Perspective. In Proceedings of the 37th Annual Hawaii International Conference on System Sciences, pp. 1-10.
[CoBr93] Cooke, J. C., and Brewster, R. L. (1993). The Use of Smart Cards in Personal Communication Systems Security. In Proceedings of the 4th IEE Conference on Telecommunications, pp. 246-251.
[Co97] Coppersmith, D. (1997). Small Solutions to Polynomial Equations, and Low Exponent RSA Vulnerabilities. Journal of Cryptology, Vol. 10 (4), pp. 233-260.
[Co06] Corio, C. (2006). First Look: New Security Features in Windows Vista. TechNet Magazine. Retrieved 2 January, 2009, from http://technet.microsoft.com/en-us/magazine/cc160980.aspx
[CoPi02] Courtois, N. T., and Pieprzyk, J. (2002). Cryptanalysis of Block Ciphers with Overdefined Systems of Equations. In Advances in Cryptology, Vol. 2501, pp. 267-287: Springer Berlin / Heidelberg.
[CuEu08] Curtiss, E. T., and Eustis, S. (2008). Physician Office Electronic Medical Record Market Strategies, Shares, and Forecasts 2007 to 2013. Ireland: WinterGreen Research, Inc.
[DaRi02] Daemen, J., and Rijmen, V. (2002). The Design of Rijndael: AES - The Advanced Encryption Standard. Berlin Heidelberg: Springer-Verlag.
[DaWuWa08] Dandash, O., Wu, X. P., Wang, Y. L., Le, P. D., and Srinivasan, B. (2008). Security Analysis for Internet Banking Models. Special Issue of the International Journal of Computer and Information Science, Vol. 9 (2), pp. 1-10.
[DaOl85] Davis, G. B., and Olson, M. H. (1985). Management Information Systems: Conceptual Foundations, Structure, and Development. New York: McGraw-Hill.
[De89] Dehnad, K. (1989). A simple way of improving the login security. Computers and Security, Vol. 8 (7), pp. 607-611.
[DiRe08] Dierks, T., and Rescorla, E. (2008). The Transport Layer Security (TLS) Protocol (V1.2) (No. RFC 5246): Network Working Group, The Internet Engineering Task Force.
[DiHe76a] Diffie, W., and Hellman, M. (1976). Multiuser Cryptographic Techniques. In Proceedings of the National Computer Conference, pp. 109-112.
[DiHe76b] Diffie, W., and Hellman, M. (1976). New directions in cryptography. IEEE Transactions on Information Theory, Vol. 22 (6), pp. 644-654.
[DiOoWi92] Diffie, W., Oorschot, P. C. V., and Wiener, M. J. (1992). Authentication and Authenticated Key Exchanges. Designs, Codes and Cryptography, Vol. 2 (2), pp. 107-125.
[Ds07] DSB. (2007). Information Management for Net-Centric Operations. Washington, D. C.: Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics.
[DuJuKo02] Dugelay, J. L., Junqua, J. C., Kotropoulos, C., Kuhn, R., Perronnin, F., and Pitas, I. (2002). Recent advances in biometric person authentication. In Proceedings of the IEEE Conference on Acoustics, Speech, and Signal Processing, pp. 4060-4063.
[Er03] Erdem, O. M. (2003). High-speed ECC based Kerberos Authentication Protocol for Wireless Applications. In Proceedings of the IEEE Global Telecommunications Conference, pp. 1440-1444.
[Fe70] Feistel, H. (1970). Cryptographic coding for data-bank privacy (No. RC 2827). Yorktown Heights, New York: International Business Machines Corporation.
[Fe73] Feistel, H. (1973). Cryptography and Computer Privacy. Scientific American, Vol. 228 (5), pp. 15-23.
[FeKa90] Feldmeier, D. C., and Karn, P. R. (1990). UNIX Password Security - Ten Years Later. In Proceedings of the Advances in Cryptology, pp. 44-63.
[FeKuCh03] Ferraiolo, D. F., Kuhn, D. R., and Chandramouli, R. (2003). Role-Based Access Control. Norwood, USA: Artech House Publishers.
[FoFe03] [FrKaKo96] [GeL06] Forouzan, B. A., and Fegan, S. C. (2003). Data Communcatons and Networkng. McGraw-Hll Scence/Engneerng/Math. Freer, A. O., Karlton, P., and Kocher, P. C. (1996). The SSL Protocol (V3.0): Transport Layer Securty Workng Group. Gennaro, R., and Lndell, Y. (2006). A framework for password-based authentcated key exchange. ACM Transactons on Informaton and System Securty,Vol. 9 (2), pp. 181-234. [GeGoMa98] Gertner, Y., Goldwasser, S., and Malkn, T. (1998). A Random Server Model for Prvate Informaton Retreval In Randomzaton and Approxmaton Technques n Computer Scence, Vol. 1518/1998, pp. 200-217: Sprnger Berln / Hedelberg. [GeIsKu00] [GoGo96] [Gr90] [Gu06] [GuSh07] Gertner, Y., Isha, Y., Kushlevtz, E., and Malkn, T. (2000). Protectng data prvacy n prvate nformaton retreval schemes. Journal of Computer and System Scences Vol. 60 (3), pp. 592-629. Gordon, S. R., and Gordon, J. R. (1996). Informaton Systems: A Management Approach Orlando, Florda. The Dryden Press, Harcourt Brace College Publshers. Gray, R. M. (1990). Entropy and Informaton Theory New York. Spnger-Verlag. Gumaraes, M. (2006). New challenges n teachng database securty. In Proceedngs of the 3rd annual conference on Informaton securty currculum development, pp. 64-67. Gupta, P., and Shmatkov, V. (2007). Securty Analyss of Voce-over- IP Protocols. In Proceedngs of the 20th IEEE Computer Securty Foundatons Symposum, pp. 49-63. [HaScHe08] Halderman, J. A., Schoen, S. D., Hennger, N., Clarkson, W., Paul, W., Calandrno, J. A., et al. (2008). Lest We Remember: Cold Boot Attacks on Encrypton Keys. In Proceedngs of the 17th USENIX Securty Symposum, pp. 45-60. 243
[HaKr99] [Ha94] [HaAt94] [HaMe01] Halev, S., and Krawczyk, H. (1999). Publc-key cryptography and password protocols. ACM Transactons on Informaton and System Securty,Vol. 2 (3), pp. 230-268. Haller, N. (1994). The S/KEY One-Tme Password System. In Proceedngs of the ISOC Symposum on Network and Dstrbuted System Securty, pp. 151-157. Haller, N., and Atknson, R. (1994). On Internet Authentcaton (No. RFC 1704): Network Workng Group, The Internet Engneerng Task Force. Harbtter, A., and Menascé, D. A. (2001). The performance of publc key-enabled kerberos authentcaton n moble computng applcatons. In Proceedngs of the 8th ACM conference on Computer and Communcatons Securty pp. 78-85. [HaCaMo00] Hardjono, T., Can, B., and Monga, I. (2000). Intra-Doman Grouop Key Management Protocol: Network Workng Group, The Internet Engneerng Task Force. [HaHa99] [HaMu97a] [HaMu97b] [He78] Harney, H., and Harder, E. (1999). Logcal Key Herarchy Protocol: Network Workng Group, The Internet Engneerng Task Force. Harney, H., and Muckenhrn, C. (1997). Group Key Management Protocol (GKMP) Archtecture (No. RFC 2094): Network Workng Group, The Internet Engneerng Task Force. Harney, H., and Muckenhrn, C. (1997). Group Key Management Protocol (GKMP) Specfcaton (No. RFC 2093): Network Workng Group, The Internet Engneerng Task Force. Hellman, M. E. (1978). An Overvew of Publc Key Cryptography. IEEE Communcaton Socety Magazne,Vol. 16 (6), pp. 24-32. [Ho05] Hoffman, P. (2005). Cryptographc Sutes for IPsec (No. RFC 4308): Network Workng Group, The Internet Engneerng Task Force. 244
[HoChWa07] Hong, W.-S., Chen, S.-J., Wang, L.-H., and Chen, S.-M. (2007). A new approach for fuzzy nformaton retreval based on weghted powermean averagng operators. Computers & Mathematcs wth Applcatons Vol. 53 (12), pp. 1800-1819. [Ho02] [Hp07] [Hs08] [Hy08] [Id08] Horng, G. (2002). Cryptanalyss of A Key Management Scheme for Secure Multcast Communcatons. IEICE Transactons on Communcatons Vol. E85-B (5), pp. 1050-1051. HP. (2007). Encrypted Volume and Fle System v1.0 (EVFS v1.0) Admnstrator's Gude HP-UX 11 v2 Update 2 (No. 5991-7466): Hewlett-Packard Development Company. Hsueh, S. (2008). Database Encrypton n SQL Server 2008 Enterprse Edton. SQL Server Techncal Artcle Retreved 28 Aprl, 2008, from http://msdn2.mcrosoft.com/en-us/lbrary/cc278098(sql.100).aspx Hynes, B. (2008). Advances n BtLocker Drve Encrypton. TechNet Magazne, (6). IDTheftProtect. (2008). ID THEFT PROTECT:News and Revews. Global: BoxSentry and Internet Identty jon forces to fght onlne fraud Retreved 23 February, 2009, from http://www.d-theftprotect.com/ news.php?news_d=261 [InTaWo82] Ingemarsson, I., Tang, D. T., and Wong, C. K. (1982). A Conference Key Dstrbuton System. IEEE Transactons on Informaton Theory,Vol. 28 (5), pp. 714-720. [IsSu01] [Ja96a] [JaRoPr04] Ismad, A., and Sukam, Y. B. (2001). Smart Card- An Alternatve to Password Authentcaton: SANS Securty Essentals. Jablon, D. P. (1996). Strong password-only authentcated key exchange. ACM SIGCOMM Computer Communcaton Revew,Vol. 26 (5), pp. 5-26. Jan, A. K., Ross, A., and Prabhakar, S. (2004). An ntroducton to bometrc recognton. IEEE Transactons on Crcuts and Systems for Vdeo Technology,Vol. 14 (1), pp. 4-20. 245
[Ka04] [Ka67] [Ke77] Kaeo, M. (2004). Desgnng Network Securty Indanapols, Indana, USA. Csco Press. Kahn, D. (1967). The Codebreakers:The Story of Secret Wrtng New York. Macmllan Pub Co. Kent, S. T. (1977). Encrypton-based protecton for nteractve user/computer communcaton. In Proceedngs of the 5th symposum on Data communcatons, pp. 5.7-5.13. [Kh06] Khare, R. (2006). Network Securty and Ethcal Hackng Beckngton,UK. Lunver Press. [KPeTs04] [Ko87] Km, Y., Perrg, A., and Tsudk, G. (2004). Tree-based group key agreement. ACM Transactons on Informaton and System Securty,Vol. 7 (1), pp. 60-96. Kobltz, N. (1987). Ellptc curve cryptosystems. Mathematcs of Computaton,Vol. 48 (1), pp. 203 209. [KoNeTs94] Kohl, J. T., Neuman, B. C., and T'so, T. Y. (1994). The Evoluton of the Kerberos Authentcaton System. In Proceedngs of the Dstrbuted Open Systems, pp. 78-94. [KoOh87] [Kr96] [KuCh03] Koyama, K., and Ohta, K. (1987). Identty-based Conference Key Dstrbuton Systems. In Proceedngs of the Theory and Applcatons of Cryptographc Technques on Advances n Cryptology, pp. 175-184. Krawczyk, H. (1996). SKEME: A Versatle Secure Key Exchange Mechansm for Internet. In Proceedngs of the Symposum on Network and Dstrbuted System Securty, pp. 114-127. Ku, W. C., and Chen, S. M. (2003). An mproved key management scheme for large dynamc groups usng one-way functon trees. In Proceedngs of the Internatonal Conference on Parallel Processng Workshops, pp. 391-396. 246
[Ku05] [KuLeSr05] Kungpsdan, S. (2005). Modellng, Desgn, and Analyss of Secure Moble Payment Systems, PhD Thess, Monash Unversty, Melbourne, Australa. Kungpsdan, S., Le, P. D., and Srnvasan, B. (2005). A Lmted-Used Key Generaton Scheme for Internet Transactons. Lecture Notes n Computer Scence,Vol. 3325, pp. 302-316. [La81] Lamport, L. (1981). Password authentcaton wth nsecure communcaton. Communcatons of the ACM Vol. 24 (11), pp. 770-772. [LaBrHa85] Latham, D. C., Brand, S. L., Hammonds, G., Tasker, P. S., Edwards, D. J., and Schell, R. R. (1985). Department of Defense Trusted Computer System Evaluaton Crtera, DoD 5200.28, US Natonal Securty Insttute. [LaMo08] Lavasan, A., and Mohammad, R. (2008). Implementng a feasble attack aganst ECC2K-130 certcom challenge. ACM Communcatons n Computer Algebra,Vol. 42 (1), pp. 61-62. [LeLeYo05] Lee, H. J., Lee, S. J., Yoon, J. H., Cheon, D. H., and Lee, J. I. (2005). The SEED Encrypton Algorthm (No. RFC 4009): Network Workng Group, The Internet Engneerng Task Force. [LeNaNo07] Lehtovrta, V., Naslund, M., and Norman, K. (2007). Integrty Transform Carryng Roll-Over Counter for the Secure Real-tme Transport Protocol (SRTP) (No. RFC 4771): Network Workng Group, The Internet Engneerng Task Force. [LeVe01] Lenstra, A. K., and Verheul, E. R. (2001). Selectng cryptographc key szes. Journal of Cryptology,Vol. 14 (4), pp. 255 293. [L08] L, Q. (2008). Chna: ebankng IT Solutons Market 2008-2012 Forecast and Analyss. Retreved 25 August, 2008, from http://www.marketresearch.com/product/dsplay.asp?productd=186988 4&xs=r&SID=35378328-424089109-459063949&curr=USD&kw=& vew=abs 247
[LZh04] [Lu98a] [Lu98b] [Ma99] [Ma94] L, Y., and Zhang, X. (2004). A Securty-Enhanced One-Tme Payment Scheme for Credt Card. In Proceedngs of the 14th Internatonal Workshop on Research Issues on Data Engneerng: Web Servces for E-Commerce and E-Government Applcatons, pp. 40-47. Lucks, S. (1998). Attackng Trple Encrypton. In Fast Software Encrypton, Vol. 1372, pp. 239-253: Sprnger Berln / Hedelberg. Lucks, S. (1998). Open key exchange: How to defeat dctonary attacks wthout encryptng publc keys. In Proceedngs of the Workshop on Securty Protocols, pp. 79-90. Marks, L. (1999). Between Slk and Cyande:A Codemaker's War, 1941-1945. HarperCollns. Matsu, M. (1994). The Frst Expermental Cryptanalyss of the Data Encrypton Standard. In Advances n Cryptology, Vol. 839, pp. 1-11: Sprnger Berln / Hedelberg. [MaScSc98] Maughan, D., Schertler, M., Schneder, M., and Turner, J. (1998). Internet Securty Assocaton and Key Management Protocol (ISAKMP) (No. RFC 2408): Network Workng Group, The Internet Engneerng Task Force. [Mc07] McAfee. (2007). McAfee Endpont Encrypton: McAfee, Inc. [McAtMe95] McDonald, D. L., Atknson, R. J., and Metz, C. (1995). One tme passwords n everythng (OPIE): experences wth buldng and usng stronger authentcaton. In Proceedngs of the 5th conference on USENIX UNIX Securty Symposum, pp. 16-27. [MeIlKa00] Mena, E., Illarramend, A., Kashyap, V., and Sheth, A. P. (2000). OBSERVER: An Approach for Query Processng n Global Informaton Systems Based on Interoperaton Across Pre-Exstng Ontologes Dstrbuted and Parallel Databases,Vol. 8 (2), pp. 223-271. [Me96] Menezes, A. (1996). Handbook of Appled Cryptography. CRC Press. 248
[Me79] [Me02] [MBrLa02] [M86] [MCh96] [M97] [MoTh79] Merkle, R. C. (1979). Secrecy, Authentcaton, and Publc Key Systems, PhD Thess, Stanford Unversty, Calforna, Unted States. Meyers, R. A. (2002). Encyclopeda of Physcal Scence and Technology the Unversty of Mchgan. Academc Press. Mchel, A. D., Brunessaux, S., Lakshmeshwar, S., Bosselaers, A., and Parknson, D. (2002). Investgatons about SSL: MATRA Systèmes & Informaton, NOKIA Research Centre, K.U.Leuven Research & Development and Brtsh Telecommuncatons. Mller, V. S. (1986). Use of ellptc curves n cryptography. In Proceedngs of the Advances n cryptology, pp. 417-426. Mtchell, C. J., and Chen, L. (1996). Comments on the S/KEY user authentcaton scheme. ACM SIGOPS Operatng Systems Revew,Vol. 30 (4), pp. 12-16. Mttra, S. (1997). Iolus: A framework for scalable secure multcastng. In Proceedngs of the ACM SIGCOMM, pp. 277-288. Morrs, R., and Thompson, K. (1979). Password securty: a case hstory. Communcatons of ACM,Vol. 22 (11), pp. 594-597. [MoRaRo99] Moyer, M. J., Rao, J. R., and Rohatg, P. (1999). A survey of securty ssues n multcast communcatons. IEEE Network Vol. 13 (6), pp. 12-23. [Na05] [Nb88] [Nb93] Nanda, A. (2005, 28 Aprl 2008). Encrypt Your Data Assets:Buld a flexble nfrastructure to protect senstve data. Oracle Magazne. Natonal.Bureau.of.Standards. (1988). Data Encrypton Standard (DES). FIPS PUB 46-1, U.S. Department of Commerce & Natonal Insttute of Standards and Technology, Federal Informaton Processng Standards Publcatons. Natonal.Bureau.of.Standards. (1993). Data Encrypton Standard (DES). FIPS PUB 46-2, U.S. Department of Commerce & Natonal Insttute of 249
Standards and Technology, Federal Informaton Processng Standards Publcatons. [Nb99] Natonal.Bureau.of.Standards. (1999). Data Encrypton Standard (DES). FIPS PUB 46-3, U.S. Department of Commerce & Natonal Insttute of Standards and Technology, Federal Informaton Processng Standards Publcatons. [Nb01] Natonal.Bureau.of.Standards. (2001). Advanced Encrypton Standard(AES). FIPS PUB 197, U.S. Department of Commerce & Natonal Insttute of Standards and Technology, Federal Informaton Processng Standards Publcatons. [Nc03] [NeSc78] NCSTSD. (2003). Classfed Natonal Securty Informaton: Fnal Rule. 183, Natonal Archves and Records Admnstraton, Federal Regster. Needham, R. M., and Schroeder, M. D. (1978). Usng encrypton for authentcaton n large networks of computers. Communcatons of the ACM,Vol. 21 (12), pp. 993-999. [NeYuHa05] Neuman, C., Yu, T., Hartman, S., and Raeburn, K. (2005). The Kerberos Network Authentcaton Servce (V5) (No. RFC 4120): Network Workng Group, The Internet Engneerng Task Force. [NgWuLe08a] Ngo, H. H., Wu, X. P., and Le, P. D. (2008). A Group authentcaton model for wreless network servces based on group key management. In Proceedngs of the Internatonal Conference on Enterprse Informaton Systems, pp. 182-188. [NgWuLe08b] Ngo, H. H., Wu, X. P., Le, P. D., and Wlson, C. (2008). A Method for Authentcaton Servces n Wreless Networks. In Proceedngs of the 14th Amercas Conference on Informaton Systems, pp. 1-9. [NgWuLe09a] Ngo, H. H., Wu, X. P., Le, P. D., and Wlson, C. (2009). Dynamc Key Cryptographc and Applcatons. To Appear for Journal of Informaton System Securty. [NgWuLe09b] Ngo, H. H., Wu, X. P., Le, P. D., and Wlson, C. (2009). Package-Role Based Authorzaton Control Model for Wreless Network Servces. In 250
Proceedngs of the 4th Internatonal Conference on Avalablty, Relablty and Securty, pp. 475-480. [No98] Noubr, G. (1998). Multcast securty: Performance Optmsaton of Interner Protocol Va Satellte (No. 20): European Space Agency. [Oe92] OECD. (1992). Organzaton for Economc Cooperaton and Development (OECD) Gudelnes for the Securty of Informaton Systems: Organzaton for Economc Cooperaton and Development. [Op96] Opplger, R. (1996). Authentcaton Systems for Secure Networks Norwood, MA, USA. Artech House Publshers. [Op01] Opplger, R. (2001). Internet and Intranet Securty Norwood, MA, USA. Artech House Publshers. [OrMcBa04] Oran, D., McGrew, D., Baugher, M., Naslund, M., Carrara, E., Norman, K., et al. (2004). The Secure Real-tme Transport Protocol (SRTP) (No. RFC 3711): Network Workng Group, The Internet Engneerng Task Force. [Or98] [OrVa03] [OsShTr06] [Pa98] [Pa97] Orman, H. (1998). The OAKLEY Key Determnaton Protocol (No. RFC 2412): Network Workng Group, The Internet Engneerng Task Force. Ornagh, A., and Valler, M. (2003). Man n the mddle attacks Las Vegas, NV,USA: Black Hat. Osvk, D. A., Shamr, A., and Tromer, E. (2006). Cache Attacks and Countermeasures: The Case of AES. In Topcs n Cryptology CT-RSA 2006, Vol. 3860, pp. 1-20: Sprnger Berln / Hedelberg. Parker, D. B. (1998). Fghtng Computer Crme: A new Framework for Protectng Informaton New York. Wley Computer Publshng, John Wley & Sons, Inc. Patel, S. (1997). Number theoretc attacks on secure password schemes. In Proceedngs of the IEEE Symposum on Securty and Prvacy, pp. 236-247. 251
[PeKa01] [Pe08] [Pg08] [Po99] [PrPaJa03] [Pu07] [RShAd78] [RoSa05] Perlman, R., and Kaufman, C. (2001). Analyss of the IPSec Key Exchange Standard. In Proceedngs of the 10th IEEE Internatonal Workshops on Enablng Technologes: Infrastructure for Collaboratve Enterprses, 2001, pp. 150-156. Perrn, C. (2008). The CIA prncple. IT Securty Retreved 12 January, 2009, from http://blogs.techrepublc.com.com/securty/?p=488 PGP.Corporaton. (2008). PGP Whole Dsk Encrypton 9.9: PGP Corporaton. Poore, R. S. (1999). Generally Accepted System Securty Prncples (GASSP) Verson 2.0: The Insttute of Internal Audtors. Prabhakar, S., Pankant, S., and Jan, A. K. (2003). Bometrc recognton: Securty and prvacy concerns. IEEE Securty Prvacy (1), 33-42. Purpura, P. (2007). Securty and Loss Preventon: An Introducton New York. Butterworth-Henemann,Oxford. Rvest, R., Shamr, A., and Adleman, L. (1978). A method for obtanng dgtal sgnatures and publc-key cryptosystems. Communcatons of the ACM,Vol. 21 (2), pp. 120-126. Robertson, S., and Salmond, T. (2005). Phshng attack targets one-tme passwords:scratch t and weep. The Regster Retreved 4 November, 2007, from http://www.theregster.co.uk/2005/10/12/outlaw_phshng/ [OhKeDa00] Rodeh, O., Brman, K. P., and Dolev, D. (2000). Optmzed Group Rekey for Group Communcaton Systems. In Proceedngs of the Network and Dstrbuted System Securty, pp. 39-48. [RuWr02] [Sa88] Rubn, A. D., and Wrght, R. N. (2002). Off-Lne Generaton of Lmted-Use Credt Card Numbers. In Proceedngs of the 5th Internatonal Conference on Fnancal Cryptography, pp. 196-209. Saenger, W. (1988). Prncples of Nuclec Acd Structure New York. Sprnger. 252
[Sa03] [Sc94] Salomon, D. (2003). Data Prvacy and Securty New York. Sprnger- Verlag. Scheaffer, R. L. (1994). Introducton to Probablty and Its Applcatons Washngton. Wadsworth Publshng Company, Duxbury Press. [ScWhWa00] Schneer, B., Kelsey, J., Whtng, D., Wagner, D., Hall, C., Ferguson, N., et al. (2000). The Twofsh Team's Fnal Comments on AES Selecton: AES Round 2 publc comment. [ScCaFr03] Schulzrnne, H., Casner, S., Frederck, R., and Jacobson, V. (2003). RTP: A Transport Protocol for Real-Tme Applcatons (No. RFC 3550): Network Workng Group, The Internet Engneerng Task Force. [SeKoJa00] [Sh49] [ShMc03] [Sh00] [SCh97] [SoCh05] [StStD88] Seta, S., Koussh, S., and Jajoda, S. (2000). Kronos: A scalable Group Re-Keyng Approach for Secure Multcast. In Proceedngs of the IEEE Symposum on Securty and Prvacy, pp. 215-228. Shannon, C. (1949). Communcaton Theory of Secrecy Systems. Bell System Techncal Journal,Vol. 28 (4), pp. 656-715. Sherman, A. T., and McGrew, D. A. (2003). Key Establshment n Large Dynamc Groups Usng One-Way Functon Trees. IEEE Transactons on Software Engneerng,Vol. 29 (5), pp. 444-458. Shrey, R. (2000). Internet Securty Glossary (No. RFC 2828): Network Workng Group, The Internet Engneerng Task Force. Srbu, M., and Chuang, J. (1997). Dstrbuted authentcaton n Kerberos usng publc key cryptography. In Proceedngs of the Network and Dstrbuted System Securty, pp. 134-141. Solomon, M. G., and Chapple, M. (2005). Informaton Securty Illumnated Sudbury. Jones and Bartlett Publshers,Inc. Steer, D. G., Strawczynsk, L., Dffe, W., and Wener, M. J. (1988). A Secure Audo Teleconference System. In Proceedngs of the 8th Annual Internatonal Cryptology Conference on Advances n Cryptology, pp. 520-528. 253
[StNeSc88] [StTsWa95] [StTsWa96] [StTsWa98] [StTsWa00] [TaWe06] Stener, J., Neuman, C., and Schller, J. I. (1988). Kerberos: An Authentcaton Servce for Open Network Systems. In Proceedngs of the Wnter 1988 Usenx Conference, pp. 191-200. Stener, M., Tsudk, G., and Wadner, M. (1995). Refnement and extenson of encrypted key exchange. ACM SIGOPS Operatng Systems Revew,Vol. 29 (3), pp. 22-30. Stener, M., Tsudk, G., and Wadner, M. (1996). Dffe-Hellman Key Dstrbuton Extended to Group Communcaton. In Proceedngs of the 3rd ACM Conference on Computer and Communcatons Securty, pp. 31-37. Stener, M., Tsudk, G., and Wadner, M. (1998). CLIQUES: A New Approach to Group Key Agreement. In Proceedngs of the 18th Internatonal Dstrbuted Computng Systems, pp. 380-387. Stener, M., Tsudk, G., and Wadner, M. (2000). Key Agreement n Dynamc Peer Groups. IEEE Transactons on Parallel and Dstrbuted Systems,Vol. 11 (8), pp. 769-780. Talbot, J., and Welsh, D. (2006). Complexty and Cryptography-An Introducton New York. Cambrdge Unversty Press. [ThDoGl98] Thayer, R., and Glenn, N. D. R. (1998). IP Securty Document Roadmap (No. RFC 2411): Network Workng Group, The Internet Engneerng Task Force. [TKh92] [TKr07] [Tu07] Tenar, M., and Khakhar, D. (1992). Informaton network and data communcaton Espoo, Fnland. Amsterdam, Elsever Scence Pub. Co. Tpton, H. F., and Krause, M. (2007). Informaton Securty Management Handbook New York, USA. CRC Press, Taylor & Francs Group. Tubn, G. (2007). The Perfect Storm:Man n the Mddle Phshng Kts, Weak Authentcaton and Organzed Onlne Crmnals (No. 021807): Protectng Onlne Identty, TrCpher. 254
[WaSc96] Wagner, D., and Schneer, B. (1996). Analyss of the SSL 3.0 protocol. In Proceedngs of the 2nd USENIX Workshop on Electronc Commerce, pp. 4-17. [WaCaSu99] Waldvogel, M., Caronn, G., Sun, D., Weler, N., and Plattner, B. (1999). The VersaKey Framework: Versatle Group Key Management. IEEE Journal on Selected Areas n Communcatons Vol. 17 (9), pp. 1614-1631. [WaHaAg97] Wallner, D. M., Harder, E. J., and Agee, R. C. (1997). Key Management for Multcast: Issues and Archtectures (No. RFC 2627): Network Workng Group, The Internet Engneerng Task Force. [WaZhZh06] Wang, X., Zhang, J., Zhang, W., and Khan, M. K. (2006). Securty Improvement on the Tmestamp-based Password Authentcaton Scheme Usng Smart Cards. In Proceedngs of the IEEE Internatonal Conference on Engneerng of Intellgent Systems, pp. 1-3. [WaLe05] [We05] Wang, Y., and Le, P. D. (2005). Scalable mult-subgroup key management n wreless networks. Internatonal Journal of Computer Scence and Network Securty,Vol. 5 (11), pp. 95-106. Webb, A. (2005). Brton arrested n mltary hackng Computer expert faces extradton. Retreved 2 Sep, 2008, from http://www.access mylbrary.com/coms2/summary_0286-17055599_itm [Wh09] Whtehouse, L. (2009). Storage n 2009: Data protecton. Retreved 6 January, 2009, from http://searchstorage.techtarget.com.au/artcles/ 28252-Storage-n-2-9-Data-protecton [W90] [WZu98] Wener, M. J. (1990). Cryptanalyss of Short RSASecret Exponents. IEEE Transactons on Informaton Theory,Vol. 36 (3), pp. 553-558. Wener, M. J., and Zuccherato, R. J. (1998). Faster Attacks on Ellptc Curve Cryptosystems. In Proceedngs of the Selected Areas n Cryptography, pp. 190-200. [WoGoLa98] Wong, C. K., Gouda, M., and Lam, S. S. (1998). Secure Group Communcatons Usng Key Graphs. In Proceedngs of the ACM Specal Interest Group on Data Communcaton, pp. 68-79. 255
[WoGoLa00] Wong, C. K., Gouda, M., and Lam, S. S. (2000). Secure Group Communcatons Usng Key Graphs. IEEE/ACM Transactons on Networkng,Vol. 8 (1), pp. 16-30. [WoOrH02] Woodward.Jr., J. D., Orlans, N. M., and Hggns, P. T. (2002). Bometrcs: Identty Assurance n the Informaton Age Berkeley, Calforna, USA. McGraw-Hll Osborne Meda. [Wu98] [WuLe06] Wu, T. (1998). The Secure Remote Password Protocol. In Proceedngs of the Internet Socety Symposum on Network and Dstrbuted System Securty, pp. 97 111. Wu, X. P., and Le, P. D. (2006) A Dynamc key Generaton Scheme and Symmetrc Cryptography. Chna Patent No. 200710175938.7. S. I. P. Offce. [WuLeSr08] Wu, X. P., Le, P. D., and Srnvasan, B. (2008). Dynamc Keys Based Senstve Informaton System. In Proceedngs of the 9th Internatonal Conference for Young Computer Scentsts, pp. 1895-1901. [WuLeSr09] Wu, X. P., Le, P. D., and Srnvasan, B. (2009). Securty Archtecture for Senstve Informaton Systems. In Convergence and Hybrd Informaton Technologes. Venna, Austra: IN-TECH. [WuNgLe08a] Wu, X. P., Ngo, H. H., Le, P. D., and Srnvasan, B. (2008). Novel Authentcaton Protocol for Senstve Informaton Systems Usng Dynamc Key Based Group Key Management. In Proceedngs of the Internatonal Conference on Convergence and Hybrd Informaton Technology (ICCIT 2008), pp. 1113-1119. [WuNgLe08b] Wu, X. P., Ngo, H. H., Le, P. D., and Srnvasan, B. (2008). A Novel Group Key Management Scheme for Prvacy Protecton Senstve Informaton Systems. In Proceedngs of the Internatonal Conference on Securty and Management, pp. 93-99. [WuNgLe09] Wu, X. P., Ngo, H. H., Le, P. D., and Srnvasan, B. (2009). Novel Authentcaton & Authorzaton Management for Senstve Informaton Prvacy Protecton Usng Dynamc Key Based Group Key Management. Internatonal Journal of Computer Scence & Applcatons, Vol. 6 (3), pp. 57-74. 256
[Zh01] [ZJoCa09] Zhou, J. (2001). Non-repudaton n Electronc Commerce Norwoord, MA, USA. Artech House Publshers. Zmmermann., P., Johnston, A., and Callas, J. (2009). ZRTP: Meda Path Key Agreement for Secure RTP (No. Draft 13): Network Workng Group, The Internet Engneerng Task Force. [ZoRaMa05] Zou, X., Ramamurthy, B., and Maglveras, S. S. (2005). Secure Group Communcatons over Data Networks New York, USA. Sprnger Scence/Busness Meda, Inc. [Zw97] Zwass, V. (1997). Foundatons of Informaton Systems New York. Irwn/McGraw-Hll Companes, Inc. 257
Publications

Patent

Wu, X. P., and Le, P. D. (2006). A Dynamic Key Generation Scheme and Symmetric Cryptography. China Patent No. 200710175938.7. S. I. P. Office.

Book Chapters

Wu, X. P., Le, P. D., and Srinivasan, B. (2009). Proposal: Security Architecture for Sensitive Information Systems. To appear in Convergence and Hybrid Information Technologies. Vienna, Austria: IN-TECH.

Wu, X. P., Le, P. D., and Srinivasan, B. (2009). Security Architecture for Sensitive Information Systems. Submitted to Convergence and Hybrid Information Technologies. Vienna, Austria: IN-TECH.

Journal

Wu, X. P., Ngo, H. H., Le, P. D., and Srinivasan, B. (2009). Novel Authentication & Authorization Management for Sensitive Information Privacy Protection Using Dynamic Key Based Group Key Management. International Journal of Computer Science & Applications, Vol. 6 (3), pp. 57-74.

Dandash, O., Wu, X. P., Wang, Y. L., Le, P. D., and Srinivasan, B. (2008). Security Analysis for Internet Banking Models. Special Issue of the International Journal of Computer and Information Science, Vol. 9 (2), pp. 1-10.

Ngo, H. H., Wu, X. P., Le, P. D., and Wilson, C. (2009). Dynamic Key Cryptographic and Applications. To appear in Journal of Information System Security.

Ngo, H. H., Wu, X., Le, P. D., and Srinivasan, B. (2009). An Authentication and Authorization Model for Wireless Network Services. Submitted to IEEE Transactions on Systems, Man, and Cybernetics (SMC).

Conferences

Wu, X. P., Ngo, H. H., Le, P. D., and Srinivasan, B. (2008). A Novel Group Key Management Scheme for Privacy Protection Sensitive Information Systems. In Proceedings of the 2008 International Conference on Security and Management (SAM'08), pp. 93-99.

Wu, X. P., Ngo, H. H., Le, P. D., and Srinivasan, B. (2008). Novel Authentication Protocol for Sensitive Information Systems Using Dynamic Key Based Group Key Management. In Proceedings of the 2008 International Conference on Convergence and Hybrid Information Technology (ICCIT 2008), pp. 1113-1119.

Wu, X. P., Le, P. D., and Srinivasan, B. (2008). Dynamic Keys Based Sensitive Information System. In Proceedings of the 9th International Conference for Young Computer Scientists, pp. 1895-1901.

Wu, X. P., Ngo, H. H., Le, P. D., and Srinivasan, B. (2008). Design & Implementation of a Secure Sensitive Information System for Wireless Mobile Devices. In Proceedings of the Australasian Telecommunication Networks and Applications Conference, pp. 45-50.

Ngo, H. H., Wu, X. P., and Le, P. D. (2008). A Group Authentication Model for Wireless Network Services based on Group Key Management. In Proceedings of the International Conference on Enterprise Information Systems (ICEI08), pp. 182-188.

Ngo, H. H., Wu, X. P., Le, P. D., and Wilson, C. (2008). A Method for Authentication Services in Wireless Networks. In Proceedings of the 14th Americas Conference on Information Systems (AMCIS'08), pp. 1-9.

Ngo, H. H., Wu, X. P., Le, P. D., and Wilson, C. (2009). Package-Role Based Authorization Control Model for Wireless Network Services. In Proceedings of the 4th International Conference on Availability, Reliability and Security (ARES 2009).

Chen, Y. J., Wang, Y. L., Wu, X. P., and Le, P. D. (2006). The Design of Cluster-based Group Key Management System in Wireless Networks. In International Conference on Communication Technology (ICCT '06), pp. 1-4.