Please Note: The following is a draft working paper. It has been prepared by a working group of the Black Forest Group and is under review and revision. It has not yet been approved as an official document of the BFG. Comments and suggestions on the paper will be gratefully appreciated.


The Black Forest Group

Top Level Security Issues

For a Global System of Interconnected Computers

The Black Forest Group (BFG) is a member sponsored forum of some of the largest corporations in the world as well as consultants and members from academia. The Black Forest Group fosters the exchange of ideas, experiences, and directions among user organizations, vendors, commercial businesses, as well as academic and research organizations in the area of information technology. The BFG has recently identified the security of computer mediated communications as a critical need both for the internal protection of essential business processes and the protection of individuals who plan to use the global information infrastructure.

These security needs cannot be met by technical innovation alone: Government support for basic initiatives must be sought by all users and organizations. Support for requisite commercial, public, and political services must be expanded or created, or governments'--guidelines and regulations--will impede or restrict any possibility of automated, scaleable, even viable electronic commerce. Black Forest's underlying concern with all security services is that they ultimately provide the end-user with the protections and accountabilities required to be successful in a global, electronically connected, computer environment. This success will require the ability to accurately manage the choice-- to share or not to share-- information at levels of resolution previously not experienced by most end-users.

The Black Forest Group sees the following 15 top level problems in the global interconnected computing environment.

1. Lack of an International Authentication Framework: An authentication framework with the following properties will be required for electronic commerce: A) It provides (at least on trusted clients) a strong authentication path between user and server. That is, there exists a strong mechanism both for initial user log-on and establishing a user client-server session, passing sufficient evidence preserved from the initial log-on to the server so that the server can authenticate user identity as well. B) Authentication needs a clear distinction between authentication of the client ("what machine are you?" and authentication of the user ("who is using this machine?"). C) Authentication needs a framework to accommodate heterogeneous technologies and to make access control conditional upon the technologies employed.

2. Trusted Workstation: End-users will not long accept insecure and compromise-able devices from which to perform their electronic transactions. However, there are very limited choices for end-users on interconnected networks when choosing a workstation to trust. Where one does ones work is important. However, in this day of home and traveling office, the platform from which one operates has as much to do with the confidence given to a end-user authentication, as any other factor. Thus, an independently evaluated and trustable workstation of known configuration from which the end-user performs work is an essential component for work.

3. Lack of enforceable Accountability Services: The current lack of enforceable Accountability Services with strong integrity is a significant problem in networked environments. Since accountability services without a verifiable level of integrity are worse than no accountability at all, considerable attention needs to be focused upon the design and provision of Accountability Services at the network level. The business need is to be able to associate selected actions, at the system, network, and application level to the individual responsible for that action. This must include a degree of confidence acceptable in any court of law, so that liability for errors or malfeasance can be assessed. It should be noted that legal liability in civil cases requires only a reasonable likelihood while criminal law requires a high degree of certainty. Black Forest Group is not searching for a logically infallible system of controls, only enough to give users of the interconnected networks a reasonable chance to establish liability where liability exists.

4. There is no secure commercial offering for a Software Registry Service: Currently, there is no Software Registry Service for end-users to consult. The primary need to be met by this service permits subscribers to determine (using digital signature technology, or the like) whether a purportedly *branded* software component (transmitted code, DLL, etc) is, in fact, from the business entity claimed. The core need is this: Concern C receives software + verification evidence (today), purportedly from vendor V. Concern C sends the evidence to a software registry, which validates the evidence ("the software you got with this evidence really is from V") and the registry is willing to (in effect) bond the correctness of the reply. The proposed service clearly needs as a prerequisite communications security between vendor and registry. A second problem exists:

5. Inability to know the source of electronically (or even physically) distributed software: Currently, there is no way for end-users, companies or individuals, to know the source of electronically (or even physically) distributed software. This is due to the fact that Certificate Attributes such that quality of confidence (or source) as part of the key do not exist.

6. There is no International Public Key Infrastructure: A critical requirement for electronic commerce is that A) some basis must exist for trusting the authenticity of a user's public key (i.e., that it really belongs to the entity claimed to be associated with it. Thus, distribution, registry, and scalability re-emerge as issues.)

7. Lack of a International Network Security Architecture: Today there is increased effort in creating, distributing, and employing security services across national boundaries due to the lack of a National Network Security Architecture. Yet, if development of the solution to this problem set is not coordinated, solutions could be "individually secure" but refuse to work together, negating the benefits true electronic commerce. For inter-connectivity to exist in an increasingly protected environment, an architecture is required. Here an architecture is nothing more than an enumeration of the interfaces between independent components, a precise, testable specification of those interfaces and the data exchange protocols to be executed via the interfaces, and a description of the intended semantics (meaning) of the protocols. Components that conform to the architecture will then work together securely as a larger unit. The architecture must accommodate heterogeneously-trusted components, and where appropriate, involve frameworks that can accommodate multiple technologies built to different interfaces or wire protocols.

8. Lack of an International Civil Cryptography Framework: Today's end-users of cryptography, especially businesses, find themselves unable to obtain readily available, scale-able and deploy-able commercial cryptographic software as there is no a) International Civil Cryptography Framework responsive to individual, business, law enforcement, and government concerns. An extensible framework should accommodate the use of exportable cryptographic algorithms (both symmetric and public key) as well as standard protocols (up to and including electronic commerce protocols). The framework should accommodate the employment of heterogeneous technologies. The framework should support and actively protect the privacy and civil rights of all who use it.

9. Voluntary Key Management Infrastructure: Recognizing the liability in managing the privacy of electronic information or in managing its integrity, the Black Forest Group recognizes that optional Key Recovery services may be useful, especially for record retention and data archiving, as well as for legal and liability requirements. However, previous and current proposals to mandate any particular body for key escrow or key backup seem very short-sighted, especially in an environment where government key escrow methods have been deemed less than secure. Because of the end-users' and company's need for reliable and trusted key management, the Group recognizes optional escrow infrastructure as a possible requirement. It is an essential requirement that a concern must be able to choose from one of a variety of international escrow agents while preserving inter-operability among concerns choosing different agents, and allowing the construction of a liability assumption (tracking) model that works for individuals, business, and governments in the recovery of information.

10. The lack of commercially available comprehensive Access Controls: Today Access Controls (ACs) are too limiting and difficult to administer comprehensively. The safe administration of confidential information inside large facilities has become problematic.

11. Improved Discretionary Access Controls: There is a need for Improved Discretionary Access Controls (DACs). Most current access control designs result in Access Controls that are hard to manage and interpret. ACs are "security programs" for a given object: Their "language" should be carefully and thoughtfully designed. Users should be able to name principals from their "address book".

12. Closed User Group Safeguards: While the technologies for maintaining Closed User Group Safeguards have been known for years, these technologies need to be made commercially available, and easy to use. The need here is the following: Suppose multiple concerns are sharing an on-line service. One wants confidence that the service has the following property: Leakage of data or one customer influencing another is under highly controlled circumstances, i.e. not fragile in the face of operator error (and certainly not in face of other customer activity with the service). It is noted that this seems to require the use of some kind of non-discretionary access control. Example: If I set an AC to "everybody can access" in this operational context, it should not really mean "everybody", it should mean "everybody in my closed group".

13. Support for the notion of a Trusted Session: This problem goes beyond mere authentication. First level of confidence is confidence that a client-server session does not (within reasonable and perhaps configurable limits) persist when user logs out. Support for *absentee* session is desirable but server must know that the user is absent (extension of single-machine *batch processing* capability). A second level of trust must be support for a *trusted transaction,* i.e. that user (and not malicious software *stealing* the session or modifying messages) has generated particular messages. Intuitively, the first level involves confidence that *Bill is still there*. The second involves confidence that *Bill saw or generated and approves of this request.*

14. International Independent Evaluations: Even with the technology and infrastructure in place, most end-users and companies do not use Independent Evaluations. When one begins to use a software service making security claims (e.g., closed user group safeguards) we have two problems: A) How does the customer know that the claims are true? B) for that matter, how does the provider -- even assuming complete honesty of intent -- know that the claims are true? Or have enough confidence to be willing to make the claims? It seems clear that an infrastructure for evaluation based upon sound evaluation technology (by sound we mean *based on valid principles* in addition to *objectively repeatable* apply).

15. System and Application Protection: It is highly desirable for system software of all varieties, from PC operating systems to network system software, to take advantage of existing CPU architectural support for System and Application Protection. That personal computers have not taken advantage of provided support for the last twenty years is a historical accident, and it is high time to recover from it. The environments in which applications are run, and the increasing dependence of business-critical processes on selected applications, now justify their encapsulation as protected subsystems. The ability to encapsulate selected applications in their own virtual environment has become even more critical with the arrival of *download and execute* architectures (e.g., Java, ActiveX, etc.).

The Black Forest Group, not a research group itself, wishes to acknowledge the original work of many other organizations who are working on these problems. The BFG wishes to support these efforts and to further the discussion on these topics. Also, the BFG recognizes these areas as being of interest to many individuals and organizations internationally. The Group recommends detailed study of these concerns to all international and national bodies with responsibility for making contributions to the formulation of a interoperable set of solutions.

Copyright (c) 1997 The Black Forest Group

All Rights Reserved


View this pages's StatTrax user access statistics