ebook img

Security without Obscurity: A Guide to Cryptographic Architectures PDF

206 Pages·2018·5.505 MB·English
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview Security without Obscurity: A Guide to Cryptographic Architectures

Security without Obscurity Security without Obscurity A Guide to Cryptographic Architectures J. J. Stapleton Published in 2019 by CRC Press Taylor & Francis Group 6000 Broken Sound Parkway NW, Suite 300 Boca Raton, FL 33487-2742 © 2019 by Taylor & Francis Group, LLC CRC Press is an imprint of Taylor & Francis Group No claim to original U.S. Government works Printed in the United States of America on acid-free paper 10  9  8  7  6  5  4  3  2  1 International Standard Book Number-13: 978-0-8153-9641-3 (hardback) This book contains information obtained from authentic and highly regarded sources. Reprinted material is quoted with permission, and sources are indicated. A wide variety of references are listed. Reasonable efforts have been made to publish reliable data and information, but the author and the publisher cannot assume responsibility for the validity of all materials or for the consequences of their use. No part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers. For permission to photocopy or use material electronically from this work, please access www. copyright.com (www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged. Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe. Visit the Taylor & Francis Web site at www.taylorandfrancis.com and the CRC Press Web site at www.crcpress.com Contents Preface ...............................................................................................................vii Author .................................................................................................................ix 1. Introduction ...........................................................................................1 1.1 Book Organization ............................................................................2 1.2 B ook Applicability .............................................................................3 1.3 Network Cartoons .............................................................................4 1.4 Cryptography Lexicon .......................................................................7 1.5 Industry Standards ..........................................................................12 2. Cryptography Basics ............................................................................17 2.1 E ncryption ......................................................................................18 2.2 Hash Functions ...............................................................................20 2.3 Integrity and Authentication ...........................................................21 2.4 Non-Repudiation ............................................................................23 2.5 Tokenization ....................................................................................28 3. Cryptographic Keys .............................................................................33 3.1 Symmetric Keys ...............................................................................33 3.2 A symmetric Keys ............................................................................42 3.3 Certificates and PKI ........................................................................47 3.4 Certificate Validation ......................................................................48 4. Authentication Protocols ......................................................................51 4.1 Domain Name System Security (DNSSEC) ....................................51 4.2 D omain Keys Identified Mail (DKIM) ...........................................55 4.3 Security Assertion Markup Language (SAML) ................................56 4.4 Open Authorization (OAUTH).......................................................59 4.5 Password and PIN Verification ........................................................60 4.6 O ne-Time Password (OTP) .............................................................63 5. Encryption Protocols ............................................................................65 5.1 Transport Layer Security (TLS) .......................................................65 5.2 Internet Protocol Security (IPsec) ....................................................67 v vi ◾ Contents 5.3 Secure Shell (SSH) ...........................................................................68 5.4 P retty Good Privacy (OpenPGP) ....................................................70 5.5 Password and Personal Identification Number Encryption ..............71 6. Architectures ........................................................................................75 6.1 Application Architecture .................................................................75 6.2 Network Architecture ......................................................................80 6.3 Information Architecture .................................................................83 6.4 Cryptographic Architecture .............................................................86 6.5 Cryptographic Inventory .................................................................92 7. Risk Management .................................................................................99 7.1 Facility Security .............................................................................102 7.2 System Security .............................................................................104 7.3 C ryptographic Modules .................................................................105 7.4 K ey Management ..........................................................................111 7.5 D ata Management .........................................................................118 8. Security Assessments ..........................................................................123 8.1 Documentation .............................................................................124 8.2 I nterviews ......................................................................................128 8.3 T esting ...........................................................................................130 8.4 A nalysis .........................................................................................132 8.5 Reporting ......................................................................................134 9. Illustrations ........................................................................................139 9.1 Hypothetical Mobile Transaction ..................................................139 9.2 EMV Payment Cards ....................................................................141 9.3 Secure Electronic Transactions (SET) ............................................146 9.4 A TM Remote Key Load (RKL) .....................................................149 9.5 D atabase Encryption (DBE) ..........................................................152 Annex Quick References .............................................................................155 Bibliography ................................................................................................183 Index ...........................................................................................................189 Preface This is the third book in the Security without Obscurity series. The first installment was my first book done on my very own. Previously, I had written articles and chapters for other peoples’ books but not my own. The second book came about because of my collaboration with Clay Epstein and our decision to write a book together, and inadvertently created the series. At that time, I had no particular plans for a third book. The genesis for this book had several origins. First, during my career, many times I have had to ferret out the cryptographic details for products, applications, and networks. From a crypto perspective, under- standing the journalistic questions: who, what, why, where, when, and how is a critical aspect of information security. Too often the information is difficult to ascertain; misinformation and disinformation are not helpful. For example, ven- dors or service providers might be reluctant to reveal details, developers might have unreliable data, or product specifications are obsolete. Further, vendors and service providers undergo mergers and acquisitions. Knowledge is often lost when employees or contractors depart. Product lines might be decommissioned and no longer supported. Products might not be updated and run with aging software. Product documentation might be dated or contain mis- takes. Marketing sometimes makes unsubstantiated claims that are difficult to verify. Second, the ability to conduct a security assessment in a reluctant or adversarial situation requires a set of skills that can only be learned by experience. However, there are dependable processes that can provide consistent results. Over the years, things to do and things not to do are included in lessons learned. These same pro- cesses work just as well for enthusiastic conditions. This book has an entire chapter on performing risk assessments. Third, I published the article Cryptographic Architectures: Missing in Action in the July 2017 ISSA Journal. The article was on the journal cover, and it was repub- lished in the Best Articles of 2017 in the January 2018 ISSA Journal. However, there was so much that I could have discussed, but a six-page article can only pro- vide a limited amount of information. I provided the article to my publisher, and he agreed the topic would make another good book. vii viii ◾ Preface On another note, the ISSA article and this book refer to simple applications or network diagrams as cartoons. I personally credit Don Provencher* a former col- league at Bank of America, coining the term “cartoon” when referring to simplistic diagrams. Don was extremely knowledgeable about network architectures and was able to educate even me. We all miss you, Don. In the first book, I mentioned my long-term participation with X9 standards. My participation and chairing the X9F4 workgroup endures to this day. The X9F4 program of work continues to grow with new standards and technical reports. Meanwhile, I continue to have a day job, work on X9 standards, and write this book. All of this with the loving support from my wife, Linda, and everyone still likes her best. * www.legacy.com/obituaries/timesunion-albany/obituary.aspx?pid=186270529 Author J. J. Stapleton has been involved with cryptography, public key infrastructure (PKI), key management, and numerous other information security technologies since 1989 when he attended his first Accredited Standards Committee X9 work- group meeting. He has continued his X9 membership across many employers and has been chair of the X9F4 cryptographic protocol and application security work- group since 1998. ◾ Jeff began as a software engineer at Citi Information Resources in 1982 when he was still working on his bachelors of science in computer science from the University of Missouri–St. Louis (UMSL). ◾ Jeff continued his career as a developer at MasterCard in 1984, managed developers on card payments applications, and began working on his mas- ters of science in computer science from the University of Missouri–Rolla (UMR, now renamed Missouri Science and Technology). He also began his long-term X9 affiliation. Jeff was assigned the design and development of a key management service (KMS) for the MasterCard network Banknet. The KMS was literally 24 hour from going live in production when a strategic decision to replace the then current IBM Series/1 minicomputers with a to-be-determined platform delayed the KMS proj- ect. He was able to take advantage of the experience by writing his thesis: Network Key Management in a Large Distributed Network, J. J. Stapleton, 1992, a thesis presented to the faculty of the Graduate School of UMR approved by Daniel C. St. Clair, Chaman L. Sabharwal, and James Hahn. He actively participated in the development of the X9 technical guideline TG-3 personal identification number (PIN) Security Compliance Guideline (renum- bered as technical report TR-39). The guideline provides evaluation criteria based on industry standards (X9.8 and X9.24) that defined security requirements for handling PINs and associated cryptographic keys. TG-3 was adopted by many payment networks for a biennial security assessment for interoperability. ix

See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.