 |
 |
|
||
![Back to [32]](../all_the_pictures/arrow_left.jpg){kind=icon} [33]
INFOSEC Engineering
EMERGENCY MODE (E-Mode): Survivability of Public Key Cryptographic Services Position Paper for ARPA San Diego Workshop on Information Survivability (IS) 2/12-13/97
Clark Weissman
1. ISSUE
Future information systems will be more dependent on Public Key Cryptography (PKC) for a number of critical services -- Identification & Authentication (I&A), Confidentiality, Integrity, Non-Repudiation, and Trust. These services are dependent on PKC survivability, which is vulnerable to attack against the central Public Key Server (PKS), e.g., X500 server. Redundancy of the PKS provides an approach for Information Survivability, but what architecture assures continuity without complexity of normal operation, e.g., key database update synchrony? What large-scale system experience exists to suggest a working redundancy strategy? Will the redundancy scheme during E-Mode invalidate normal access policies before and after E-Mode?
The DoD operates the BLACKER cryptographic overlay of the Defense Information System Network (DISN), a large distributed classified network system; an excellent study environment.
2. BLACKER LESSONS
The BLACKER system consists of a central Access Control Center (ACC), a central Key Distribution Center (KDC), and thousands of BLACKER Front End (BFE) cryptographic units that front end host computers in the net. The collective components act as a system, which has been evaluated at A1 TCSEC (Orange Book). Though based on symmetric key distribution, BLACKER has addressed survivability of the loss of the ACC and KDC via redundancy. Redundancy is maintained at two architectural levels: redundant ACCs and KDCs; and BFE key caches.
2.1 ACC and KDC Redundancy
Communities of Interest (COIs) are formed by DoD entities into BLACKER Domains based on their administrative policies. Each Domain has one or more ACCs and KDCs to service the BFEs in the Domain. They also perform BLACKER gateway services to other Domains. That is, two BFEs in different Domains establish a cryptographic connection by first obtaining permission from their respective local ACCs and keys coordinated by their local KDCs.
Database updates to ACC and/or KDC are synchronized among all Domain ACCs and KDC using two-phase commit write logic. Furthermore, each database is frequently cryptograhically integrity checkpointed. This redundancy enables restart rollback to a known secure state either from the local or remotely stored database. Today's hardware makes economical sense to add a third level of redundancy, mirrored disks.
2.2 BFE Key Cache
As a DoD system, BLACKER satisfies both Mandatory Access Control (MAC) and Discretionary Access Control (DAC) policies simultaneously. As a formally verified system, these access policies must hold (i.e., be provably correct) during normal and E-Mode operation. One cannot loosen policy during E-Mode, as transition back to normal operation will be difficult, impossible, or vulnerable to spoof attacks that expose the vulnerability. BLACKER connection keys combine MAC keys and DAC keys through which access policies are provably maintained across E-Mode.
As crypto connections are established by the BFE, the keys are stored locally in a cache in a manner similar to page caching algorithms. Should the ACC or KDC become unavailable, all existing connections are maintained, and new connections can be established from the key cache. Since a BFE can cache up to 1000 connections, and 50,000 in a domain, the most frequent sites will be available throughout the emergency. Some new host connections may not be established during E-Mode if the keys are not cached.
3. SUMMARY
The redundant BLACKER architecture provides a high degree of node connectivity and information survivability during emergency, degraded system operation. The BLACKER experience should be studied and lessons learned applied to survivability of PKC-based systems.
Clark Weissman is an independent security consultant with over 40 years in large systems security design and management. He was the BLACKER security architect, the leader of the STRATCOM secure FDDI backbone to DODIIS. He managed the UNISYS R&D security staff that contributed much to the current security literature. Earlier, he developed the ADEPT-50 system for DARPA, used at AF Data Services Center, CIA HQ, and Marine Tactical Information Processing Intelligence (TIPI) system, that was the first trusted system with a formal mathematical policy model, subsequently known as the "Simple Security Condition." He invented the Flaw Hypothesis Methodology (FHM) for Penetration Analysis, and contributed to the Orange Book (cited in the Foreword). He is a founding father of INFOSEC. He is active in ACM, IEEE, and government committees, having served three tours for the National Academy of Sciences on export controls. He has won three major "Best Paper" awards from FJCC, SJCC, and IEEE on operating systems and security. This broad background in R&D, security, formal systems, DoD real systems is all relevant to IS. [33] |
