Re: NCipher Takes Hardware Security To Network Level
Jerrold Leichter [EMAIL PROTECTED] writes: There was also an effort in England that produced a verified chip. Quite impressive, actually - but I don't know if anyone actually wanted the chip they (designed and) verified. The Viper. Because it needed to be formally verifiable, they had to leave out most of the things that people are used to in modern CPUs and that make writing an OS easy, leading to a vaguely early-60s level of CPU architecture that probably would have been unpleasant to program for for anyone used to modern CPUs, and requiring expensive custom development of almost everything from scratch (you can't run Linux on that one). Eventually the project went into a meltdown over what was actually done (for example is verifying a set of 4-bit slices the same as verifying a 32-bit CPU?) and the legal battles lead to the demise of the company that was to exploit it commercially (there's a lot more to it than that including a fair bit of politics, that's a cut-down version to save space). Very few real efforts were made to actually produce a provably correct OS. There were actually quite a few efforts, starting in the 1970s, some of which went on much longer than the 9-year VAX VMM effort. PSOS - SAT - LOCK - SMG (it may be called something else again now) has been going for about 25 years. However, this is a really complex topic (way too much to cover here), so I'll cheat a bit and refer anyone who's really that interested in the problems that people ran into to Chapter 4 of Cryptographic Security Architecture Design and Verification to save me having to paraphrase 40 pages of text here. The point of my post wasn't to start yet another round of formal-methods bashing, but to point to an example of measuring what we know how to measure even if there are strong indicators that this isn't the best way to do it. Peter. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: NCipher Takes Hardware Security To Network Level
Anton Stiglic [EMAIL PROTECTED] writes: But the problem is how can people who know nothing about security evaluate which vendor is most committed to security? For the moment, FIPS 140 and CC type certifications seem to be the only means for these people... Yeah, it's largely a case of looking where the light is. An extreme example of this is the use of formal methods for high-assurance systems, as required by FIPS 140-2 level 4. Why is it in there? Because FIPS 140-1 had it there at the highest levels. Why was it in there? Because the CC has it in there at the highest levels. Why was it in there? Because the ITSEC had it in there at the highest levels. Why was it in there? Because the Orange Book ('85) had it in there at the highest levels. Why was it in there? Because the proto-Orange Book ('83) had it in there at the highest levels. Why was it in there? Because in the 1970s some mathematicians hypothesised that it might be possible to prove properties of complex programs/systems in the same way that they proved basic mathematical theorems. (Aside: This is starting to sound like that apocryphal Why are railway tracks spaced X units apart saga). To continue: At what point in that progression did people realise that this wasn't a very practical way to build a secure system? Some time in the late 1970s to early 1980s, when they actually tried to reduce the theory into practice. There were quite a number of papers being published even before the first proto-Orange Book appeared which indicated that this approach was going to be extremely problematic, with problems... well, insert the standard shopping list here. So why is this stuff still present in the very latest certification requirements? Because we're measuring what we know how to measure, whether it makes sense to evaluate security in that way or not. This is probably why penetrate-and-patch is still the most widely-used approach to securing systems. Maybe the solution to the problem is to figure out how to make penetrate-and-patch more rigorous and effective... Peter. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: NCipher Takes Hardware Security To Network Level
- Original Message - From: Ian Grigg [EMAIL PROTECTED] Sent: Saturday, October 11, 2003 1:22 PM Subject: Re: NCipher Takes Hardware Security To Network Level Is there any reason to believe that people who know nothing about security can actually evaluate questions about security? Actually, there are reasons to believe that they won't be able to, just as I would not be qualified to evaluate the functionality of a sewage pump (except from the perspective of it seems to work). And, independant assessors are generally subvertable by special interests (mostly, the large incumbents encourage independant assessors to raise barriers to keep out low cost providers). Hence, Peter's points. This is a very normal economic pattern, in fact, it is the expected result. I take the counter view, assuming that a independent assessor can be found that is truly independent, that assessor helps the small companies _more_ than the larger ones. To make a pointed example I will use a current situation (which I am active in). Trust Laboratories is a software assurance firm, whose first service is the assurance of PKCS #11 modules. From the marketting perspective the large incumbents (e.g. nCipher which started this conversation) have little incentive to seek such assurances, they already have a solid lock on the market, and the brand recognition to keep it that way. The small companies though have a much stronger incentive, with an assurance they can hint and in some cases maybe even outright claim technological superiority over the encumbents, giving them a strong road into the market. The only purpose the encumbents have for such assurances is combatting the small companies assurances (not that I wouldn't love to have nCipher as a customer, I think it would lend a great deal of credibility to the assurance, as well as solidifying their marketshare against the under-developed technologies). So, right now, I'd say the answer to that question is that there is no way for someone who knows nothing about security to objectively evaluate a security product. That will likely always be the case. In order to judge what level of security is required they simply must have some knowledge of security. Otherwise it is very much like asking John Smith what Ian Grigg's favorite food is, (a typical) John Smith simply does not have the knowledge to give a useful answer. Joe Trust Laboratories Changing Software Development http://www.trustlaboratories.com - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: NCipher Takes Hardware Security To Network Level
- Original Message - From: Peter Gutmann [EMAIL PROTECTED] [...] The problem is that what we really need to be able to evaluate is how committed a vendor is to creating a truly secure product. [...] I agree 100% with what you said. Your 3 group classification seems accurate. But the problem is how can people who know nothing about security evaluate which vendor is most committed to security? For the moment, FIPS 140 and CC type certifications seem to be the only means for these people... Unfortunately these are still to general and don't always give you an accurate measurement of how dedicated to security the vendor was... This seems to be a big open-problem in practical security! --Anton - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: NCipher Takes Hardware Security To Network Level
Anton Stiglic wrote: - Original Message - From: Peter Gutmann [EMAIL PROTECTED] [...] The problem is that what we really need to be able to evaluate is how committed a vendor is to creating a truly secure product. [...] I agree 100% with what you said. Your 3 group classification seems accurate. But the problem is how can people who know nothing about security evaluate which vendor is most committed to security? (I am guessing you mean, in some sort of objective sense.) Is there any reason to believe that people who know nothing about security can actually evaluate questions about security? It's often been said that security is an inverted product. (I'm scratching to think of the proper economic term here.) That is, with security, you can measure easily when it is letting the good stuff through, but you don't know when and if and how well it is stopping the bad stuff *. The classical answer to difficult to evaluate products is to concentrate on brand, or independant assessors. But, brands are based on revenues, not on the underlying product. Hence widespread confusion as to whether Microsoft delivers secure product - the brand gets in the way of any objective assessment. And, independant assessors are generally subvertable by special interests (mostly, the large incumbents encourage independant assessors to raise barriers to keep out low cost providers). Hence, Peter's points. This is a very normal economic pattern, in fact, it is the expected result. So, right now, I'd say the answer to that question is that there is no way for someone who knows nothing about security to objectively evaluate a security product. iang * In contrast, someone who knows little about cars, can objectively evaluate a car. They can take it for a test drive and see if it feels right. Using it is proving it. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: NCipher Takes Hardware Security To Network Level
I wrote: Peter (I define myself to be A BIT CYNICAL about all this). Since it could appear that I'm gratuitously bashing FIPS 140 (or certification processes in general) here, I should clarify: As with all attempts at one- size-fits-all solutions, one size doesn't quite fit all. You can break the people getting the certification down into three classes: Group 1: Vendors who really care about security, and go well beyond the FIPS 140 requirements anyway. Group 2: Vendors who are generally interested in security, and will polish up their product to meet the FIPS 140 requirements. Group 3: Vendors who want government contracts and see getting to their goal as being a penetration exercise on the certification process. Over time, the certification has been moving from being a value-add performed only by vendors who really care to being a You must be at least this high to ride the government-contract gravy train ticket check. During this progression, group 1 membership has remained more or less constant (they've been building secure products for years, with or without the certification), group 2 has grown slowly (mostly for hardware vendors doing level 2-3 stuff), and everything else sort of ends up in group 3 (no-one wants to miss the gravy train). Of the three groups, only group 2 really benefit from the certification requirements. Group 1 is frequently hindered by them because the vendors' security systems and models are far more sophisticated than the FIPS 140 ones, but to get your certification you have to show that it's only at the FIPS 140 level (this situation is a bit like the short story that's been circulating for some years in which systems engineers lobotomise a HAL 9000 so that it can run COBOL and JCL as the market requires). Group 3 just sees it as a paperwork-production exercise, shipping exactly the same product as before, only now they're allowed to sell it to government departments. The problem is that what we really need to be able to evaluate is how committed a vendor is to creating a truly secure product. Saying You won't get government contracts until you can fill in the checkboxes seems to be providing entirely the wrong motivation. Peter. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: NCipher Takes Hardware Security To Network Level
I was asked by someone to anonymously forward the following reply to Joshua Hill to the list. (Second time in a week, and on the same topic!) If you reply, please don't put my name in the reply -- this isn't my comment. -- The government will still buy your encryption devices (FIPS-140 certified) That will greatly depend on the sophistication of the agency concerned. The US Forest Service (for example) may not have the level understanding of the FIPS 140-2 standard that the US Navy has. The last time we delt with the Navy, they barely knew what FIPS 140 was, weren't aware there were multiple levels, and when informed of this had no idea what level they should be using. All they were interested in was checking the box that said Must be FIPS certified. -- - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: NCipher Takes Hardware Security To Network Level
- Original Message - From: Peter Gutmann [EMAIL PROTECTED] [...] If you think that's scary, look at Microsoft's CryptoAPI for Windows XP FIPS 140 certification. As with physical security certifications like BS 7799, you start by defining your security perimeter, defining everything inside it to be SECURE, and ignoring everything outside it. Microsoft defined their perimeter as the case of the PC. Everything inside the PC is defined to be SECURE. Everything outside is ignored. I believe that is typical of most software crypto modules that are FIPS 140 certified, isn't it? It classifies the module as multi-chip standalone. This is why you get requirements of the type that it should run on Windows in single-user mode, which I take to mean have only an admin account. This prevents privilege escalation attacks (regular user to root) that are easily done. I think this is reasonable, since you really are relying on the OS and the PC for the security of the module. More scary to me is stuff like DSSENH does not provide persistent storage of keys. While it is possible to store keys in the file system, this functionality is outside the scope of this validation. This is where Microsoft's CSPs do the dirty work, and use what is called the Data Protection API (DPAPI) to somehow safeguard keys somewhere in your system. --Anton - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: NCipher Takes Hardware Security To Network Level
Anton Stiglic [EMAIL PROTECTED] writes: This is why you get requirements of the type that it should run on Windows in single-user mode, which I take to mean have only an admin account. This prevents privilege escalation attacks (regular user to root) that are easily done. I think this is reasonable, since you really are relying on the OS and the PC for the security of the module. Uhh, so you're avoiding privilege escalation attacks by having everyone run as root, from which you couldn't escalate if you wanted to. This doesn't strike me as a very secure way to do things (and it would still get MSDOS certified, because you've now turned your machine into a DOS box protection-wise). More scary to me is stuff like DSSENH does not provide persistent storage of keys. While it is possible to store keys in the file system, this functionality is outside the scope of this validation. That's the Define the bits that we can easily get away with to be secure and ignore the rest approach that I commented on. It was actually part of a posting to another list where I was poking fun at BS 7799: -- Snip -- Some years ago I witnessed a BS 7799 security certification being done. For those of you who aren't familiar with this, it's ISO 9000 for security. It went something like this: First, we define the region from the rug in the corner to Dave's desk to the pot-plant on the right to be... SECURE. Everything inside this region is by definition SECURE. Everything outside the region is none of our concern. Access to the server room from the SECURE area is by locked door. The keys are on a hook on the wall, but since the hook is outside the SECURE area, we don't have to worry about that. Now we need to produce a lot of paperwork. I'll help you with this, it should only take a few weeks. Congratulations, you now have a BS 7799-certified SECURE facility. Here's my bill. In other words they didn't change anything at all in their insecure (except in the eyes of BS 7799) work area. The whole certification process was an exercise in meeting the certification requirements purely through the production of paperwork. -- Snip -- The SECURE facility has since been decomissioned, so I guess it's safe to talk about it now. Incidentally, almost everyone knew where the key was because the room in question had the best air-conditioning in the building (it was packed full of servers and networking gear), so it became quite popular in the summer with the sysadmins, who'd find various reasons to do extended amounts of work in there. Peter. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: NCipher Takes Hardware Security To Network Level
- Original Message - From: Peter Gutmann [EMAIL PROTECTED] To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Sent: Tuesday, October 07, 2003 11:07 AM Subject: Re: NCipher Takes Hardware Security To Network Level Anton Stiglic [EMAIL PROTECTED] writes: This is why you get requirements of the type that it should run on Windows in single-user mode, which I take to mean have only an admin account. This prevents privilege escalation attacks (regular user to root) that are easily done. I think this is reasonable, since you really are relying on the OS and the PC for the security of the module. Uhh, so you're avoiding privilege escalation attacks by having everyone run as root, from which you couldn't escalate if you wanted to. This doesn't strike me as a very secure way to do things (and it would still get MSDOS certified, because you've now turned your machine into a DOS box protection-wise). Did you read the security policy of Netscape Security Module? Basically, if you want to get the configuration that is FIPS 140 certified, you need to install the module on a PC and add tamper resistant seals over appropriate interfaces, junctions and fasteners of all doors and covers in the enclosure of the PC, so that you can't open the cover without the fact being physically noticeable. I suggest adding some duct tape in strategic positions for additional security :). By reasonable I mean in the framework of having a general purpose software cryptographic library be certified FIPS. I'm not saying I find this secure. When I see a software library being certified FIPS 140, I say to myself it must implement the cryptographic algorithms in a descent way, has a descent random number generator, and stuff like that. I don`t care much about the physical boundary that they artificially determine. If I want high security, I will go with hardware. At the end of the line, what you want to protect is your secret keys, and if you don't have a tamper resistant hardware (that zeroizes your secrets when someone tries to poke at it) to do that it is difficult if not impossible. --Anton - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
NCipher Takes Hardware Security To Network Level
http://www.crn.com/Components/printArticle.asp?ArticleID=44909 CRN -- Print This Article NCipher Takes Hardware Security To Network Level By Charlene O'Hanlon CRN 9:35 AM EST Mon., Oct. 06, 2003 NCipher Monday unveiled a network-level version of its nShield Hardware Security Module, a device that sits in front of a server and holds all of the cryptographic information that would otherwise be housed in the server, said Richard Moulds, vice president of marketing at nCipher. The device offers a higher level of security protection, said Moulds. All of the cryptography that would have been on the server moves to our box, and an SSL connection goes into the box separate from the server so even if a hacker broke into the server, he couldn't get to the cryptography on the box, he said. NetHSM, in contrast, sits on a network and offers multiple servers the same level of cryptography protection that before was offered only to one server per box. Before, one HSM per server was a relatively expensive proposition and, frankly, it was not the easiest thing to manage because of the high level of security, Moulds said. NetHSM is cheaper because companies aren't buying one box per server anymore; it's easier to manage; and it works with a virtually unlimited number of servers because it is four times faster than the fastest HSM. NetHSM offers full FIPS 140-2 Level 3 validation. The nature of NetHSM makes it a good fit for companies in need of extreme security, such as SSL and Web services, PKI and certificate services, 3-D secure and online payment processing, XML and document signing services and secure appliance solutions, according to the company. Moulds hopes NetHSM will open the door to systems integrators and consultants who previously had not considered entering the security realm. This is something they can get their heads around; it's a way to add security without having to fool around with boxes, he said. NetHSM, available Monday, lists for $30,000, which includes one server connection. Additional server connections are $5,000 each. That compares to the cost of nShield HSM, which lists for $5,000 to $25,000 depending on functionality. -- - R. A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA ... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire' - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: NCipher Takes Hardware Security To Network Level
--- begin forwarded text Status: U Date: Mon, 06 Oct 2003 12:40:41 -0400 From: Somebody To: R. A. Hettinga [EMAIL PROTECTED] Subject: Re: NCipher Takes Hardware Security To Network Level Don't identify me, since I'm not sure what parts of my NDA are still in force now that they've announced it. It's really pretty clever. All the expensive key-management is moved off to their centralized server. As each low-cost HSM (the things that go into your server) comes up, it sends its card identity to the server. The server responds with the necessary keys, sent in 3DES (maybe AES? I forget details). Their cards can now be fairly simple accelerators, and need less key protection, less NVRAM, etc. --- end forwarded text -- - R. A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA ... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire' - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: NCipher Takes Hardware Security To Network Level
In fact, if you're clever, you can manage to not trouble yourself to get the key-management, etc. certified, getting only the simple, symmetric-cipher stuff run through the process. You can, but that doesn't mean that it's ok. Key management is explicitly covered under FIPS 140-2. If you have an underlying FIPS 140-2 module doing the basic low level crypto, and then have (crypto based) key management performed outside the module boundary, the larger system is not a FIPS 140-2 module, FIPS 140-2 compliant, or appropriate for the protection of sensitive but unclassified information within a federal agency without a separate FIPS 140-2 validation of the larger module. The government will still buy your encryption devices (FIPS-140 certified) That will greatly depend on the sophistication of the agency concerned. The US Forest Service (for example) may not have the level understanding of the FIPS 140-2 standard that the US Navy has. Josh - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]