1. Introduction

There are technical and other imperatives leading organisations to use the Internet to carry data which were once only carried over private and secure inter office links.

At the same time there are increasing legal and more clearly outlined ethical reasons for organisations to provide strict security for much of this information.

The world wide web protocols have been developed and software created to enable excellent levels of security. Assuming an organisation has control over the servers on which its Intranet is run, then a private certification authority can be created to provide a basic authentication service on which much of the Internet security is built.

In this paper, these legal ethical and technical imperatives are outlined in the next section. The current trend toward Intranets is outlined in section 3. In section 4 we briefly outline current network security measures and some threats to Intranet security. Public key cryptography and X.509 certificates are briefly described in section 5 and followed in section 6 by the options available to an organisation for the choice of certification authority.

2. The security imperatives

In this section, we give some legal, ethical and technical reasons for improving the security of information put on and carried over the Internet.

2.1 Privacy

The international context in which Australian privacy laws were framed sheds some light on the purpose of these laws. The Australian Privacy Act 1989 was passed 10 years after the OECD guidelines for privacy were accepted.

2.1.1 The OECD guidelines for privacy of personal data

The Universal Declaration of Human Rights, Article 12 provides in part:-

"No one shall be subjected to arbitrary interference with his privacy ... Everyone has the right to the protection of law against such interference or attacks."

Prior to 1980, the OECD foresaw national privacy regulations could affect international trade for this and other reasons, international guide-lines on privacy were developed.

In September 1980 the OECD council

·      Adopted privacy guide-lines

·      Suggested "Basic Principles of National Application"

·      Recommended

nations should not create "... in the name of privacy protection, unjustified obstacles of trans border flows of personal data." [1]

 

The 8 privacy principles are:

1.    Collection limitation - lawful and open means to be used;

2.    Data quality - only data relevant for the purpose of collection be collected, it must be up to date, accurate and complete;

3.    Purpose specification - the purpose for collection must be disclosed and the data be used only for that purpose;

4.    Use limitation - third party disclosure of personal data requires the consent of the subject of the data, there may be exceptions to this principle for law enforcement;

5.    Security safeguard - data must be protected against loss, destruction, unauthorised use, access and modification;

6.    Openness - the subject can determine the whereabouts, use and purpose of personal data relating to the subject;

7.    Individual participation - the subject can know data exists, have timely access, know the reasons for secrecy and challenge the truth of data about the subject;

8.    Accountability - the collector is accountable for compliance with these principles.

2.1.2 Australian Privacy Act 1988

The Australian Privacy Act 1988 created the Federal Privacy Commission. The Act adopted the OECD guide-lines for Australian Federal public service bodies.

State rights prevented the acts application to state governments.

Perhaps financial and constitutional considerations also prevented its application to private enterprise in general. But the need for privacy against excessive information collection and cross matching lead to some jurisdiction over private corporations.

The act extended the reach of the privacy commissioner to any person or organisation collecting tax file numbers. At the same time many organisations were required to collect these numbers as a normal part of business operation[2].

Perhaps this was politically possible because the tax file number provisions were a fall back from the unacceptable Australia Card proposal. The tax file number privacy provisions increased the burden on business and addressed some privacy concerns.

Credit reporting agencies are now also covered by Federal privacy laws.

From time to time, when poor business practice is revealed, there are calls to extend the reach of the privacy act.

The OECD Principle number 5, the security safeguard principle as reflected in the Australian Privacy Principles give us our legal and some would say ethical justification for certain security measures being applied to certain of the data held by our organisations. In the next subsection, the OECD guidelines for security will be examined in order to allow us to refine a little further our ideas on the need for security.

2.2 Security

The OECD used the same procedures to develop Security guide-lines.

The Honourable Justice Michael Kirby chaired both committees while they developed the guidelines, both the privacy group and the security group.

Its harder to see the why OECD stepped in to make security guide-lines.

Perhaps it is again because EEC was forging ahead and there was a risk EEC laws may affect international trade [5].

In the case of privacy, some European countries have strict privacy protecting laws, in order that such laws not be used as protectionist shields, the OECD guide-lines if applied should give moral force to the argument that such trade barriers must be removed. In the case of information systems security, the law in Europe is not as well developed as the privacy laws. The most important of the stated reasons for the security guidelines is, in my opinion, that with increased flow of data through ever less secure networks, there is need for security guidelines to better protect privacy.

In any case there are many instances of trans border computer security related problems, viruses, theft and data trespass, fraud etc. Reason enough for an international organisation to get involved.

2.2.1 The security guide-lines

Formulation of the OECD Guidelines for the security of information systems began in January 1991. The final draft appeared in September 1992 and was adopted by the council of the OECD in November 1992.[5]

The documentation for the guidelines is in three parts:

      A recommendation by the Council of the OECD that nations establish measures to reflect the principles concerning the security of information systems, consult on standards, disseminate the principles and review them every 5 years;

      Guide-lines for the security of information systems which have the objective of protecting from failures of confidentiality, availability and integrity (CAI) within information systems by ensuring they conform to 9 principles;

      An Explanatory memorandum amplifying the 9 principles.

The objectives of information security are defined as being the three objectives CAI:

A)  confidentiality - only those authorised have access (the threats are theft of data, loss of privacy; the solutions are closed systems or cryptographic data protection)

B)  availability - access is available as and when needed (the threats are primarily physical events like floods and fires; the solution is back-up);

C)  integrity - information is not modified except as it should be (the threat is fraud and error the solution is good authentication of identity and well designed fault free systems).

 

The nine security principles set down by the OECD are:

1      Accountability - everyone (owners, providers, users) is in part responsible, all must know how much and for what, they must be accountable for security (CAI);

2      Awareness - everyone should know as much as possible about the security measures in place;

3      Ethics - the rights and legitimate interests of others must be respected;

4      Multi-disciplinary - technical, administrative, organisational, operational, commercial, educational and legal issues must be considered;

5      Proportionality - the benefits must match or exceed costs;

6      Integration - information systems security measures should integrate with each other and the organisations procedures;

7      Timeliness - all should respond in a timely manner to breaches in security;

8      Reassessment - measures should be reassessed periodically;

9      Democracy - security and the systems to provide it should not infringe on the democratic aims of free information flow.

 

2.2.2 Application in Australia

The OECD guidelines on information security are too new, it may take 9 years again for a legislative response.

The OECD council recommendation explicitly takes federal country constitutions into account and recognises the difficulty they may have so our states can delay progress again.

The most useful principle, in my opinion, is number 5, the proportionality principle. One can use it to limit the use of technology. Only as much as is justified by the value of the potential data loss, need be used.

So much for legal and ethical reasons for security, the technical reasons follow.

2.3 The Internet and Intranet security needs

There is growing use of the Internet for the provision of strategic business services. The  Internet was developed for the provision and dissemination of public information as quickly and conveniently as possible. It developed as a research tool, disseminating academic research.

Electronic Commerce, the provision of a range of value moving transactions on the Internet means security (confidentiality and integrity at least) must be provided on the Internet.

Even if an organisation is not using the Internet for electronic commerce, the Internet is a very cheap and convenient global data communication network [3]. Organisations are replacing private network links with public network (Internet) links in some parts of their network. So some purely internal business transactions are now moving over public links.

The third technical issue leading to increased information security measures is quite technical and may be ignored on first reading. Replacing leased lines with their zero marginal cost of transmitting an extra bit, with packet switched public network lines, like those on the Internet, leads to a reduction in the amount of data padding, so opening up the opportunity for traffic flow confidentiality problems in modern networks.

In the next section we take a closer look at the trends in corporate networking with greater use being made of the Internet.

3 The trend in networking

The figure below shows the form of the network for a large organisation one with two large offices, each served by a local area network. The traffic between these two offices warrants the organisation purchasing and installing a dedicated link between the two networks. This link, being private, can be simply secured preventing eaves dropping and other types of unauthorised access.

The organisation shown has some staff who work in small or home offices (SOHO). Some of these are directly connected to an office LAN, others connect to the Internet, then access the organisation via public lines.

In our sample network, the organisation supports inter-organisation systems via the Internet. It also services a number of its clients directly through the Internet.

 

Figure 1 Internet based client server computing

 

4. Current security measures and threats

General information security is too broad to be considered in this paper. We will focus on two matters, the confidentiality of data in transit and the problem of integrity, specifically the authentication problem. In order to ensure only authorised people can change the data, we must know who our users are.

The solution to the authentication problem has been by passwords. Thus access to data is restricted to users logged on to the system., when a user logs on, they must provide a user name and matching password. The problem of eavesdroppers collecting passwords has been addressed in the older networked systems (Netware and NT both encrypt passwords prior to moving them on the network). Many newer WWW based systems and systems like telnet (a virtual terminal system) move passwords in clear form. Passwords have been found to be a problem if each of many systems want the password entered. Single password systems with system provided authentication is difficult to achieve unless the organisation restricts the range of suppliers of server computers systems.

These password systems address only the problem of servers which need to identify clients. What of the dual problem, how does a user or client know that the confidential information being sent to a server is in fact being sent to the server claimed? Password systems don’t required servers to identify themselves. This identification is essential in the Internet.

So these are the threats made worse by the current trend in networking:

·      Impersonation:

·      of clients,

·      of servers,

·      Passive electronic eaves dropping,

·      Modification of information in transit,

·      Traffic analysis,

·      Denial of service.

 

The problems of traffic analysis and denial of service in Internet based systems are still open questions. The other threats will be addressed in the next two sections.

5. Public key cryptography and certificates

There are two technologies available to address the greater vulnerability posed by the Internet. These are public key crypto-systems [7] and certificates [4] [10].

Public key crypto-systems are crypto systems, that is schemes for scrambling messages, such that the information required to scramble a message, the public key, can be just that, made public. The scheme is described in the diagram below. Note that an organisation whishing to receive confidential information creates a secret key and a public key. The public key is put in a publicly accessible directory. A second organisation sending confidential information to the first, looks up the public key of the first, encrypts the message using the public key and sends the cipher-text in what may be an insecure channel. An eavesdropper doesn’t have access to the first organisations secret key, so can’t de-cipher the message. The intended recipient, the first organisation, can use the secret key to decipher the message.[7] [4]

 

Figure 2 Securing an insecure channel
with a public key system

 

Public key crypto systems can also be used to generate digital signatures. The diagram below depicts such a scheme[7] [4].

 

Figure 3 Digital signature with
a public key system

 

In practice, public key systems and more familiar secret key crypto systems are used together to achieve confidential communications. The identity of the corresponding party is assured by using public key signature systems. This more complex arrangement is known as an X.509 certificate system. It is named after the international standard X.509.

Rather than use a public directory to distribute public keys, organisations can submit a public key and the name of a computer or server in a message to a third party called a certificate authority (CA). The certificate authority will undertake checks to ensure this really is a message from the organisation and will if satisfied, sign this message. The new signed message is called an X.509 certificate.

 

Figure 4 The issue and use of an
X.509 certificate

 

In use, this scheme works as follows. An organisation, often a third party, sets up a certificate authority (CA) with appropriate software and rules of operation. The CA creates a public key and a certificate (lets call this CA cert). This CA cert is made widely available, for example, each copy of the world wide web viewing program from Netscape includes a number of such certificates from many organisations, including AT&T, RSA and even Netscape. Here in Australia, we might expect Australia Post and others to set up a CA [10].

An organisation wishing to collect credit card numbers over the Internet could set up a secure server, generate a certificate request (a message with the server name and the servers public key) and send the request to the CA. The CA will follow the verification procedures and sign the certificate request. Then return this signed message to the server (lets call this a site certificate) [8].

Given the previous two steps occurred some time in the past. From time to time, if a client wants to view some information from the secure server or send some confidential information to the secure server, each time this happens, the client requests a site certificate from the secure server, this is sent, the client checks the signature on the site certificate by using the public key in the CA cert. If the site certificate is valid, the client and the secure server agree an a scheme for secure communication and exchange confidential information.

The CA is running a business and makes a charge for its service, checking identity and to some extent guaranteeing it. Not all organisations will want to pay for these services, nor trust the existing CAs. In the next section we outline some options for CAs.

6. Options for certificate authorities

Netscape Navigator Version 4.6 ships with the following certificate authority certificates installed:

·      VeriSign Class 4 Primary CA,

·      Bellsign CA,

·      Thawte Consulting, Cape Town,

·      VeriSign Class 3 Primary CA,

·      GTE CyberTrust Root CA,

·      RSA Secure Server CA,

·      UPS,

·      and others.

 

From this list you will see that some organisation run more than one CA, each with a different level of trust [8]. Each of the CAs listed above maintains a page on the web listing details of the service provided. Typical costs are $US350 - $US1,300 per annum per server [9]. The CA will maintain what is known as the Certificate Revocation List (CRL). This ongoing operating cost may lead some organisation to use commercial services.

Though we have focused on server certificates, the world wide web security protocol SSL, also supports client certificates. These replace user names and passwords as identification systems. The CAs provide client certificates for about $US15 per annum per person [9].

Public key systems can be used to secure email and telnet services too.

Thus organisation may choose to create private CAs. There is CA software available from:

·      Netscape,[6]

·      X509.com,[10]

·      Microsoft,

·      and others.

 

With a private CA, the organisation chooses the level of proof of identity appropriate and may be able to better control costs.

The task of operating CRL may, in a large organisation, be onerous. In a small organisation or one that only uses server site certificates, the task of operating a CA can be a minor part of the whole network management task.

7. Recommendations

If an organisation plans to use the Internet for more than the distribution of  public information, for example:

·      selling,

·      collecting monetary value from credit and debit cards

·      collecting personal information,

·      customer confidential communications,

Then the confidentiality of the information transferred and the identity of the servers collecting this information must be protected using secure servers with site certificates. Organisations running such servers should consider running a private certificate authority.

8. References

[1]....Information privacy principles, The office of the Australian Government Privacy Commissioner; pp 1-6.

 

[2] Caelli, W. J.; et al (1989) Implications of the tax file number legislation for computer professionals in The Australian Computer Journal Volume 22 Number 1 February 1990 pp 11-20.

 

[3] Cronin, Mary J. (1996) Global advantage in the Internet : from corporate connectivity to international competitiveness, Van Nostrand Reinhold.

 

 [4] Kaufman, Charlie, Perlman, Radia and Speciner, Mike (1995) Network security : private communication in a public world, Prentice Hall PTR.

 

[5] Kirby, M. K.; (1992) OECD guidelines for the security of computer stored & transmitted information in Information Security Management Conference AIC Conferences December 1992, Sydney.

 

[6] Netscape Communications Corporation (1996) Server Central Product Platforms at URL http://home.netscape.com/comprod/ server_central/product/pricing/index.html accessed August 27, 1999 see the table for NETSCAPE CERTIFICATE SERVER.

 

[7] Salomaa, Arto (1990) Public-Key Cryptography, Springer-Verlag, EATCS Monographs on Theoretical Computer Science Volume 23.

 

[8] VeriSign (1999) VeriSign, Inc. at URL http://www. verisign.com/ accessed August 27, 1999.

 

[9] VeriSign (1996) Secure Server Digital ID Prices at URL http://www.verisign.com /server/prod/compare.html accessed August 27, 1999. See also [8].

 

[10] Xcert Software Inc. (1996) Welcome to - Xcert Software Inc. at URL http://www. x509.com/ accessed August 27, 1999.