Pelmorex NAADS Alert Message Security using digital signatures



Similar documents
National Public Alerting System

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified

How To Protect A Web Application From Attack From A Trusted Environment

Barracuda Web Site Firewall Ensures PCI DSS Compliance

Digital Signing without the Headaches

Securing your Online Data Transfer with SSL


New York State Federal/State Employment Tax (FSET) Handbook for Software Developers

Payment authorization Payment capture Table 1.3 SET Transaction Types

How To Protect Your Credit Card Information From Being Stolen

The New PCI Requirement: Application Firewall vs. Code Review

Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008

Security within a development lifecycle. Enhancing product security through development process improvement

PROTECT YOURSELF AND YOUR IDENTITY CHASE IDENTITY THEFT TOOL KIT

Guideline on Debit or Credit Cards Usage

Certify your Software Integrity with thawte Code Signing Certificates

Reclaiming your identity

Visa Debit ecommerce merchant acceptance. Frequently asked questions and flowchart

This Working Paper provides an introduction to the web services security standards.

Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University

What is an SSL Certificate?

Where every interaction matters.

PROTECT YOURSELF AND YOUR IDENTITY. Chase Identity Theft Tool Kit

Internet Security Seminar

understanding SSL certificates THAWTE IS A LEADING GLOBAL PROVIDER OF SSL CERTIFICATES

10 Things Every Web Application Firewall Should Provide Share this ebook

Information Security Field Guide to Identifying Phishing and Scams

Address Information. USPS Web Tools Application Programming Interface User s Guide. Document Version 4.0 (2/01/2015)

Payment Card Industry Self-Assessment Questionnaire

Mobile Banking. Secure Banking on the Go. Matt Hillary, Director of Information Security, MX

Frequently Asked Questions

Web Services Trust and XML Security Standards

SSL/TLS: The Ugly Truth

Identity Theft Assistance Kit A self-help guide to protecting yourself and your identity

Understanding SSL Certificates THAWTE IS A LEADING GLOBAL PROVIDER OF SSL CERTIFICATES

A multi-layered approach to payment card security.

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

Executable Integrity Verification

How To Spot & Prevent Fraudulent Credit Card Activity

WHITE PAPER. Managed File Transfer: When Data Loss Prevention Is Not Enough Moving Beyond Stopping Leaks and Protecting

You re FREE Guide SSL. (Secure Sockets Layer) webvisions

Business Mobile App User Guide

Miami University. Payment Card Data Security Policy

How To Protect Your Cardholder Data From Fraud

Signature policy for TUPAS Witnessed Signed Document

Chapter 9 Key Management 9.1 Distribution of Public Keys Public Announcement of Public Keys Publicly Available Directory

SonicWALL PCI 1.1 Implementation Guide

OpenLDAP Oracle Enterprise Gateway Integration Guide

Closing Wireless Loopholes for PCI Compliance and Security

Configuring TCP/IP Port & Firewall Monitoring With Sentry-go Quick & Plus! monitors

Security Policy JUNE 1, SalesNOW. Security Policy v v

544 Computer and Network Security

Registry of Service Providers

The need for a secure & trusted payment instrument in e-commerce. Ali AlMeshal

Qiong Liu, Reihaneh Safavi Naini and Nicholas Paul Sheppard Australasian Information Security Workshop Presented by An In seok

Exploring ADSS Server Signing Services

Application Intrusion Detection

WHITEPAPER. Fraud Protection for Native Mobile Applications Benefits for Business Owners and End Users

Franchise Data Compromise Trends and Cardholder. December, 2010

Your Single Source. for credit, debit and pre-paid services. Fraud Risk and Mitigation

SmarterMeasure Inbound Single Sign On (SSO) Version 1.3 Copyright 2010 SmarterServices, LLC / SmarterServices.com PO Box , Deatsville, AL 36022

FormFire Application and IT Security. White Paper

Data Privacy: What your nonprofit needs to know. Donna Balaguer and Ed Lavergne Washington, D.C. February 5, 2015

When visiting online banking's sign-on page, your browser establishes a secure session with our server.

>

PCI DSS Best Practices with Snare Enterprise Agents PCI DSS Best Practices with Snare Enterprise Agents

PCI Data Security Standard 3.0

Financial Crime Report

LogLogic. Application Security Use Case: PCI Compliance. Jaime D Anna Sr Dir of Product Strategy, TIBCO Software

Intro to Firewalls. Summary

Payment Card Industry (PCI) Terminal Software Security. Best Practices

An Introduction to CODE SIGNING

Your security is our priority

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

Elavon Payment Gateway MCC 6012 Recipient Information User Guide

PICKPOCKETING MWALLETS. A guide to looting mobile financial services

Cyber - Security and Investigations. Ingrid Beierly August 18, 2008

Introduction to Online Payment Processing and PayPal Payment Solutions

whitepaper Ten Essential Steps for Achieving Continuous Compliance: A Complete Strategy for Compliance

Mingyu Web Application Firewall (DAS- WAF) All transparent deployment for Web application gateway

Regular Payments to your ISA

Security Issues In Cloud Computing and Countermeasures

CyberSource Payment Security. with PCI DSS Tokenization Guidelines

DEA's New Proposed Regulations For E-Prescribing

CODE SIGNING. Why Developers Need to Digitally Sign Code and Applications entrust.com

Ease-E-Club Client Management Software by Computerease

Merchant Account Service

CREDIT CARD PROCESSING POLICY AND PROCEDURES

Visa global Compromised Account

OXY GEN GROUP. pay. payment solutions

Intrusion Detection in AlienVault

Architecture Overview

IDENTITY THEFT VICTIMS: IMMEDIATE STEPS

Transcription:

Pelmorex NAADS Alert Message Security using digital signatures Issued March 17, 2010

NAADS Security Page 2 of 13 Table of Contents Introduction...3 Additional Message Security...3 End to End security provided by additional implementation...4 Solution Details...7 Sample Messages...9 Unsigned CAP Message...9 Signed CAP Message with NAADS signature...10 Signed CAP Message with issuer and NAADS signature...11 Table of Figures Figure 1 - Digital signature elements...4 Figure 2 - New security solution Additional security...6 Figure 3 - Overall data flow...8 Figure 4 Validating a signed message...8

NAADS Security Page 3 of 13 Introduction This document outlines the additional security mechanisms to the NAADS system to allow verification of the source of Alert Messages prior to on-air broadcasting by Last Mile Distributors (LMD). Feedback and suggestions for improvement are encouraged from interested parties and should be sent to: Attn: Paul Temple Pelmorex Communications Inc. 2655 Bristol Circle Oakville, ON L6H 7W1 Email: publicalerting@pelmorex.com Phone: 905-829-1159 ext. 1271 Fax: 905-829-5800 The additional mechanisms are based on CAP, OASIS and XML standards and not tied to any vendor specific or custom solutions. Additional Message Security The additional message security will provide the following: 1. For any Alert issuer to stamp a specific Alert Message as a valid Message issued by their organization. 2. For any LMD to confirm (before processing any Message) that this is a valid Alert Message from NAADS system and also a valid Message from the issuing organization. The additional security being added to NAADS consists of adding up to two digital signatures when an Alert Message is issued. The first signature will be from the Alert issuer and the second signature from the NAADS system. When an Alert is received, the Last Mile Distributor has the option of checking either or both of the signatures to validate that the Alert did originate from NAADS system (i.e. not tampered in internet transmission after issuing) and also validate that the original Alert Message from the issuer is genuine and intact (no change has been made to the content that was provided by the issuer in any form Digital signatures are included in the CAP 1.2 specification and utilize the XML-Sig 1 standard. Digital signatures are used world-wide to secure access to documents and web transmissions. The XML-Sig standard identifies the various elements of the signature as below. 1 Refer http://www.w3.org/tr/xmldsig-core/ for the XML-Sig standard

NAADS Security Page 4 of 13 Figure 1 - Digital signature elements For implementation of the digital signature, the OASIS Digital signing service standard 2 will be used both by NAADS and all participating Alert issuing organizations. OASIS-DSS defines a standard for a XML based service that can be maintained by any issuing organization/naads to apply digital signature to a submitted XML Message and to validate such a digitally signed Message. The LMD s that choose to validate the digital signatures will need to validate against the NAADS/Issuer DSS. The OASIS-DSS standard was derived by the OASIS technical committee and included collaboration with major IT security vendors such as Entrust, IONA, NIST, webmethods, TIBCO. The Universal Postal Union has implemented DSS within its Electrical Post Mark system. Commercial OASIS-DSS solutions are provided by companies like ARX, Ascertia and Thales. An open-source implementation is found in the Sirius open source implementation package. The XML-Sig standard also provides Signature ID property (that will be set by NAADS and issuers in their respective signatures) which can be used by XQuery/XSLT to include as well as exclude specific signatures. This allows for both independent verification of the signatures and for independent generation of two signatures. With this feature, the system provides the flexibility for Last Mile Distributors to ignore digital signatures, if they so choose. End to End security provided by additional implementation The end to end security for the whole NAADS system is provided by the above solution using the following industry standard security concepts: 1. Securing the communication channel using https. 2. Authentication/authorization provided through user name/password and infrastructure security. 3. Authenticity/Non-repudiation through digital signing of Alert Messages 2 Refer http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=dss for the OASIS-DSS standard

NAADS Security Page 5 of 13 The first two security measures from the list above are already implemented. The third feature will add additional security to the Alert dissemination as can be seen from Figure-3 in the next page. The digital signature adds another layer of security to the authentication/authorization. Even if a hacker fraudulently gains access to NAADS Alert interface through a compromised username/password and HTTPS secure connection the additional step of signing the Alert will thwart their ability to issue any malicious Alert. Injection between NAADS issuing and NAADS dissemination Before dissemination, NAADS validates a signed Message with the Issuer certification system for signature. This will identify tampered Messages and reject them.

NAADS Security Page 6 of 13 Figure 2 - New security solution Additional security

NAADS Security Page 7 of 13 At the LMD end, the system protects against hackers spoofing to be NAADS and delivering Messages. This is no longer a risk as LMDs can check the second, i.e. NAADS signature to verify if it is from the NAADS system and reject it if otherwise. This can protect the LMD against any one injecting at the input of their own facility/system (even redistribution if they want to check the signature downstream in their operation). In addition, we encourage LMDs to also check the Issuer signature where it is included as a means to ensure the message itself is genuine and intact In this way the LMD can verify the issuer signature to double confirm if the original Alert Message has been modified/tampered at any point in the overall system. Solution Details The data flow for the overall solution is as follows (Refer to Figure 4 in next page) 1. Issuer creates Alert Message through the NAADS user interface (1 in drawing) 2. Issuer submits Alert Message for signing through the NAADS user interface to the DSS of their organization. The Message is signed and the issuer then submits it to NAADS central processing through the NAADS user interface (2 & 3) 3. NAADS central processing receives the Message. (4) 4. NAADS validates the signature by verifying against the issuer DSS (5 & 6). This guarantees no tampering in transmission. If the signature is not validated the Alert Message will be rejected and the issuer notified. 5. NAADS central processing adds its own signature using NAADS DSS (7 & 8) 6. Alert Message which has two signatures is delivered by various mechanisms to LMD (9&10). If issuer has no signing DSS, only NAADS signature will be appended to the Message. 7. LMD verifies the Message is sent by NAADS by validating NAADS digital signature against NAADS DSS. (11&12) This verifies that Message is not tampered in transmission from NAADS to LMD. If this is valid, then LMD can further validate that original Alert is not modified or tampered in any way from the original issuing source by validating the issuer s signature against the issuing organization DSS. (13 &14). For both these validations, the LMDs will need to form XML based http requests (following the OASIS-DSS standard) to the NAADS/Issuer DSS to get the signatures validated. 8. Once both validations are successful, the LMD can process the actual Alert Message. If the Message was signed only by NAADS, LMD will validate against NAADS DSS only. 9. LMD s that prefer to not process signatures can filter out both signatures using XQuery/XSLT. The data flows for the validation part of the OASIS-DSS standard which mandates a service 3 that can validate signatures is shown in Figure 5. 3 Refer http://www.oasis-open.org/committees/download.php/22721/isse-dss-fullfinal-b.pdf for implementation of web service for digital signatures.

NAADS Security Page 8 of 13 Figure 3 - Overall data flow Figure 4 Validating a signed message

NAADS Security Page 9 of 13 Sample Messages This section shows three sample CAP-CP Alert Messages. One unsigned Message as a reference Same Message with Issuer signature Same Message with Issuer + NAADS signature Unsigned CAP Message <?xml version="1.0" encoding="utf-8"?> <Alert xmlns="urn:oasis:names:tc:emergency:cap:1.2" xmlns:xsi="http://www.w3.org/2001/xmlschemainstance" xsi:schemalocation="urn:oasis:names:tc:emergency:cap:1.2 http://docs.oasis-open.org/emergency/cap/v1.2/cap-v1.2.xsd"> <identifier>3bedc4ee50e642e395be690f38cb5123</identifier> <sender>testsender@pelmorex.com</sender> <sent>2009-12-03t16:09:00-00:00</sent> <status>actual</status> <msgtype>alert</msgtype> <source>ptinaadsfeedsocketsvc, NAADSFeed-dev01</source> <scope>public</scope> <code>profile:cap-cp:0.3</code> <info> <language>en-ca</language> <category>met</category> <event>thunderstorm</event> <responsetype>shelter</responsetype> <urgency>immediate</urgency> <severity>extreme</severity> <certainty>observed</certainty> <eventcode> <valuename>profile:cap-cp:event:0.3</valuename> <value>thunderstorm</value> </eventcode> <effective>2009-12-03t16:09:00-00:00</effective> <expires>2009-12-10t16:09:00-00:00</expires> <sendername>pelmorex</sendername> <description>thunderstorm Alert for Halton Region. This Message is a sample and is not a real Alert.</description> <area> <areadesc>halton Regional Municipality</areaDesc> <geocode> <valuename>profile:cap-cp:location:0.3</valuename> <value>3524</value> </geocode> </area> </info> </Alert>

NAADS Security Page 10 of 13 Signed CAP Message with NAADS signature <?xml version="1.0" encoding="utf-8"?> <Alert xmlns="urn:oasis:names:tc:emergency:cap:1.2" xmlns:xsi="http://www.w3.org/2001/xmlschemainstance" xsi:schemalocation="urn:oasis:names:tc:emergency:cap:1.2 http://docs.oasis-open.org/emergency/cap/v1.2/cap-v1.2.xsd"> <identifier>3bedc4ee50e642e395be690f38cb5123</identifier> <sender>testsender@pelmorex.com</sender> <sent>2009-12-03t16:09:00-00:00</sent> <status>actual</status> <msgtype>alert</msgtype> <source>ptinaadsfeedsocketsvc, NAADSFeed-dev01</source> <scope>public</scope> <code>profile:cap-cp:0.3</code> <info> <language>en-ca</language> <category>met</category> <event>thunderstorm</event> <responsetype>shelter</responsetype> <urgency>immediate</urgency> <severity>extreme</severity> <certainty>observed</certainty> <eventcode> <valuename>profile:cap-cp:event:0.3</valuename> <value>thunderstorm</value> </eventcode> <effective>2009-12-03t16:09:00-00:00</effective> <expires>2009-12-10t16:09:00-00:00</expires> <sendername>pelmorex</sendername> <description>thunderstorm Alert for Halton Region. This Message is a sample and is not a real Alert.</description> <area> <areadesc>halton Regional Municipality</areaDesc> <geocode> <valuename>profile:cap-cp:location:0.3</valuename> <value>3524</value> </geocode> </area> </info> <Signature xmlns=http://www.w3.org/2000/09/xmldsig# ID= NAADSSignature > <SignedInfo> <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n- 20010315#WithComments"/> <SignatureMethod Algorithm="http://www.w3.org/2000/09/ xmldsig#dsa-sha1"/> NAADS Signature LMD to validate against NAADS DSS

NAADS Security Page 11 of 13 <Reference URI=""> <Transforms> <Transform Algorithm="http://www.w3.org/2000/09/ xmldsig#enveloped-signature"/> </Transforms> <DigestMethod Algorithm="http://www.w3.org/2000/09/ xmldsig#sha1"/> <DigestValue>uooqbWYa5VCqcJCbuymBKqm17vY=</DigestValue> </Reference> </SignedInfo> <SignatureValue> KedJuTob5gtvYx9qM3k3gm7kbLBwVbEQRl26S2tmXjqNND7MRGtoew== </SignatureValue> <KeyInfo> <KeyValue> <DSAKeyValue> <P> /KaCzo4Syrom78z3EQ5SbbB4sF7ey80etKII864WF64B81uRpH5t9jQTxe Eu0ImbzRMqzVDZkVG9xD7nN1kuFw== </P> <Q>li7dzDacuo67Jg7mtqEm2TRuOMU=</Q> <G>Z4Rxsnqc9E7pGknFFH2xqaryRPBaQ01khpMdLRQnG541Awtx/ XPaF5Bpsy4pNWMOHCBiNU0NogpsQW5QvnlMpA== </G> <Y>qV38IqrWJG0V/ mzqvrvi1ohw9zj84ndc4jo8p0axi1gb6d+475yhmjsc/ BrIVC58W3ydbkK+Ri4OKbaRZlYeRA== </Y> </DSAKeyValue> </KeyValue> </KeyInfo> </Signature> </Alert> Signed CAP Message with issuer and NAADS signature <?xml version="1.0" encoding="utf-8"?> <Alert xmlns="urn:oasis:names:tc:emergency:cap:1.2" xmlns:xsi="http://www.w3.org/2001/xmlschemainstance" xsi:schemalocation="urn:oasis:names:tc:emergency:cap:1.2 http://docs.oasis-open.org/emergency/cap/v1.2/cap-v1.2.xsd"> <identifier>3bedc4ee50e642e395be690f38cb5123</identifier> <sender>testsender@pelmorex.com</sender> <sent>2009-12-03t16:09:00-00:00</sent> <status>actual</status> <msgtype>alert</msgtype> <source>ptinaadsfeedsocketsvc, NAADSFeed-dev01</source> <scope>public</scope> <code>profile:cap-cp:0.3</code> <info>

NAADS Security Page 12 of 13 <language>en-ca</language> <category>met</category> <event>thunderstorm</event> <responsetype>shelter</responsetype> <urgency>immediate</urgency> <severity>extreme</severity> <certainty>observed</certainty> <eventcode> <valuename>profile:cap-cp:event:0.3</valuename> <value>thunderstorm</value> </eventcode> <effective>2009-12-03t16:09:00-00:00</effective> <expires>2009-12-10t16:09:00-00:00</expires> <sendername>pelmorex</sendername> <description>thunderstorm Alert for Halton Region. This Message is a sample and is not a real Alert.</description> <area> <areadesc>halton Regional Municipality</areaDesc> <geocode> <valuename>profile:cap-cp:location:0.3</valuename> <value>3524</value> </geocode> </area> </info> <Signature xmlns=http://www.w3.org/2000/09/xmldsig# ID= IssuerSignature > <SignedInfo> <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n- 20010315#WithComments"/> <SignatureMethod Algorithm="http://www.w3.org/2000/09/ xmldsig#dsa-sha1"/> <Reference URI=""> <Transforms> <Transform Algorithm="http://www.w3.org/2000/09/ xmldsig#enveloped-signature"/> </Transforms> <DigestMethod Algorithm="http://www.w3.org/2000/09/ xmldsig#sha1"/> <DigestValue>uooqbWYa5VCqcJCbuymBKqm17vY=</DigestValue> </Reference> </SignedInfo> <SignatureValue> KedJuTob5gtvYx9qM3k3gm7kbLBwVbEQRl26S2tmXjqNND7MRGtoew== </SignatureValue> <KeyInfo> <KeyValue> <DSAKeyValue> <P> /KaCzo4Syrom78z3EQ5SbbB4sF7ey80etKII864WF64B81uRpH5t9jQTxe Eu0ImbzRMqzVDZkVG9xD7nN1kuFw== </P> Issuer Signature LMD to validate against Issuer DSS

NAADS Security Page 13 of 13 <Q>li7dzDacuo67Jg7mtqEm2TRuOMU=</Q> <G>Z4Rxsnqc9E7pGknFFH2xqaryRPBaQ01khpMdLRQnG541Awtx/ XPaF5Bpsy4pNWMOHCBiNU0NogpsQW5QvnlMpA== </G> <Y>qV38IqrWJG0V/ mzqvrvi1ohw9zj84ndc4jo8p0axi1gb6d+475yhmjsc/ BrIVC58W3ydbkK+Ri4OKbaRZlYeRA== </Y> </DSAKeyValue> </KeyValue> </KeyInfo> </Signature> <Signature xmlns=http://www.w3.org/2000/09/xmldsig# ID= NAADSSignature > <SignedInfo> <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n- 20010315#WithComments"/> <SignatureMethod Algorithm="http://www.w3.org/2000/09/ xmldsig#dsa-sha1"/> <Reference URI=""> <Transforms> <Transform Algorithm="http://www.w3.org/2000/09/ xmldsig#enveloped-signature"/> </Transforms> <DigestMethod Algorithm="http://www.w3.org/2000/09/ xmldsig#sha1"/> <DigestValue>uooqbWYa5VCqcJCbuymBKqm17vY=</DigestValue> </Reference> </SignedInfo> <SignatureValue> KedJuTob5gtvYx9qM3k3gm7kbLBwVbEQRl26S2tmXjqNND7MRGtoew== </SignatureValue> <KeyInfo> <KeyValue> <DSAKeyValue> <P> /KaCzo4Syrom78z3EQ5SbbB4sF7ey80etKII864WF64B81uRpH5t9jQTxe Eu0ImbzRMqzVDZkVG9xD7nN1kuFw== </P> <Q>li7dzDacuo67Jg7mtqEm2TRuOMU=</Q> <G>Z4Rxsnqc9E7pGknFFH2xqaryRPBaQ01khpMdLRQnG541Awtx/ XPaF5Bpsy4pNWMOHCBiNU0NogpsQW5QvnlMpA== </G> <Y>qV38IqrWJG0V/mZQvRVi1OHw9Zj84nDC4jO8P0axi1gb6d+475yhMjSc/BrIVC58W3ydbkK+Ri4OKba RZlYeRA== </Y> </DSAKeyValue> </KeyValue> </KeyInfo> </Signature></Alert> **** End of Document **** NAADS Signature LMD to validate against NAADS DSS

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information