Subject: Simson Garfinkel's article, part 3 of 3

If the encryption program is lost or if the key is forgotten, an encrypted message becomes useless. This characteristic of cryptography encourages many users to store both an encrypted and a plaintext version of their message, which dramatically reduces the security achieved from the encryption in the first place.

An encryption program should be the most carefully guarded program on the system. A cracker/spy might modify the program so that it records all keys in a special file on the system, or so that it encrypts all files with the same key (known to the cracker), or with an easy-to-break algorithm rather than the advertised one. Management should regularly verify an encryption program to assure that it is providing its expected function, and only its expected function.

Key Management

Key management is the process by which cryptographic keys are decided upon and changed. For maximum security, keys (like passwords) should be randomly chosen combinations of letters and numbers. Keys should not be reused (that is, every message should be encrypted with a different key) and no written copy of the key should exist. Few computer users are able to adhere to such demanding protocols.

Encryption as a defense against crackers

If a database is stored in encrypted form, it becomes nearly impossible for a saboteur to make fraudulent entries unless the encryption key is known. This provides an excellent defense against crackers and saboteurs who vandalize databases by creating fraudulent entries. On a legal, accounting or medical records system, it is far more damaging to have a database unknowingly modified than destroyed. A destroyed database can be restored from backups; modifications to a database may require weeks or months to detect. Unfortunately, few database programs on the market use encryption for stored files.

Some operating systems store user information, such as passwords, encrypted.
As noted previously, when passwords are stored with a one-way encryption algorithm it is of little value to a cracker to steal the file which contains user passwords. The UNIX operating system is so confident in its encryption system that the password file is readable by all users of the system; to date, it does not appear that this confidence is misplaced.

Encryption in practice

In practice, there are several serviceable cryptography systems on the market; most of them use different cryptographic algorithms, which is both advantageous and disadvantageous to the end user. One advantage of the availability of many different cryptography systems is that the secrecy of the encryption system adds to the security of the plaintext. This is a form of security through obscurity and should not be relied on, but its presence will slightly strengthen security. A disadvantage of the multitude of encryption systems is that the transmitter of an encrypted message must ensure that the proposed recipient knows which decryption algorithm to use and has a suitable program, in addition to knowing the decryption key.

Public-key encryption

In some cryptography systems a different key is used to encrypt a message than to decrypt it. Such systems are called ``public-key'' systems, because the encrypting key can be made public without (in theory) sacrificing the security of encrypted messages. There are several public-key systems in existence; all of them have been broken with the exception of the system devised by Rivest, Shamir and Adleman called RSA. In RSA, the private key consists of two large prime numbers while the public key consists of the product of the two numbers. The system is considered to be secure because it is not possible, with today's computers and algorithms, to factor numbers several hundred digits in length.
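The key structure just described, worked through with deliberately tiny primes. This is an added example, not code from the article; it also recovers the private key by factoring the modulus, to show why the size of the primes is the whole question. (The public key in RSA also carries a public exponent e, which the article's summary omits.)

```python
"""Toy RSA with tiny primes: key generation, encryption, decryption, and
recovery of the private key by factoring the modulus.  Added example, not
from the article; the numbers are small precisely so that factoring is easy."""
import math


def is_prime(x):
    if x < 2:
        return False
    return all(x % k for k in range(2, math.isqrt(x) + 1))


def make_keys(p, q, e=17):
    """Public key (n, e) from the two secret primes; private exponent d."""
    if p == q or not (is_prime(p) and is_prime(q)):
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi = (p - 1) * (q - 1)            # Euler's totient of n
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)                # modular inverse (Python 3.8+)
    return (n, e), d


def encrypt(public, m):
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be an integer below n")
    return pow(m, e, n)


def decrypt(public, d, c):
    n, _ = public
    return pow(c, d, n)


def factor(n):
    """Trial division: fine for a toy modulus, hopeless for a real one.
    Its cost grows with sqrt(n); faster algorithms exist and keep improving,
    which is why the article warns that key lengths must keep growing."""
    for k in range(2, math.isqrt(n) + 1):
        if n % k == 0:
            return k, n // k
    raise ValueError("no factor found")


def recover_private_key(public):
    """Anyone who can factor n computes d from the public key alone."""
    n, e = public
    p, q = factor(n)
    return pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    pub, priv = make_keys(61, 53)
    c = encrypt(pub, 65)
    print("public", pub, "private", priv, "cipher", c,
          "plain", decrypt(pub, priv, c), "recovered", recover_private_key(pub))
```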
The problem with RSA is determining the size of the prime numbers to use: they must be large enough so that their product cannot be factored within a reasonable amount of time, yet small enough to be manipulated and transmitted by existing computers in a reasonable time frame. The problem is compounded by the fact that new factoring algorithms are constantly being developed, so a number which is long enough today may not be long enough next week. While the length of the public key can always be increased, messages encrypted with today's ``short'' keys may be decryptable with tomorrow's new algorithms and computers.

Confidence in the encryption program

A computer's cryptography program is one of the most rewarding targets for a Trojan horse. The very nature of a computer's cryptography program is that it requires absolute faith on the part of the user that the program is performing exactly the function which it claims to, but there are a number of very damaging ways in which a cryptography program can be modified without notice:

The program could make a plaintext copy of everything it encrypts or decrypts without the user's knowledge. This copy could be hidden for later retrieval by the cracker. The copy could even be encrypted with a different key.

The program could keep a log of every time it encrypted or decrypted a file. Included in this log could be the time, user, filename, key and length of the encrypted or decrypted file.

The program might use an encryption algorithm which has a hidden ``back door'' -- that is, a secret method to decrypt any cyphertext message with a second key.

The program might have a ``time bomb'' in it so that, after a particular date, instead of decrypting cyphertext it prints a ransom note. The user would only be able to decrypt his file after obtaining a password from the author of the program, perhaps at a very high cost.
(This is a form of computer extortion which will be further explored under ``subversion.'')

Microcomputer Security Issues

Beware of public domain software! Although there are many excellent programs in the public domain, there are an increasing number of malicious Trojan Horses and computer viruses. Unless the source code of the program is carefully examined by a competent programmer, it is nearly impossible to test a public domain program for hidden and malicious functions. Even ``trying'' a program once may cause significant data loss -- especially if the microcomputer is equipped with a hard disk. Although the vast majority of public domain software is very useful and relatively reliable, the risks faced by the user are considerable and the trust required in the software absolute. Hobbyists can afford to risk their data for the gains of using some public domain software; businesses and law practices cannot be so careless.

The user of a microcomputer must back up his own files, not only to protect against accidental deletion or loss of data but also to protect against theft of equipment. Although no issue in microcomputer security is stressed more than backups, many users do not perform this routine chore.

More than on any other computer system, physical security is vitally important with a microcomputer because of the ease of stealing a microcomputer and the ease with which it can be resold. (It is rather difficult for a burglar to sell a stolen mainframe computer.) Anti-theft devices must be installed on equipment containing hard disks, not only for the value of the equipment but also for the value of the data stored therein.

Do not trust the microcomputer or its operating system to guard confidential documents stored on a hard disk. If a spy has physical access to the computer, he can physically remove the hard disk and read its contents on another machine.
File encryption is another defense against this sort of data theft, but the installed encryption program should be regularly checked for signs of tampering (for example, the modification date or the size of the file having changed).

Managing a secure computer

Auditing

Most security-conscious operating systems provide some sort of auditing system to record events such as invalid logon attempts or attempted file transfers of classified files. Typically, each log entry consists of a timestamp and a description of the event. One of the responsibilities of site management is to read these ``security logs.''

Most operating systems keep records of the times that each user was logged on within the past year. A selective list of logons between 5pm and 8am can help detect unauthorized ``after-hours'' use of accounts by crackers, especially on computers equipped with modems. Some operating systems will notify a user when he logs in of the last time he logged in. Other systems will notify a user of every time an unsuccessful login attempt is made on his account. Presented with this information, it is very easy for one to discover when crackers are attempting (or have succeeded) to break into the system.

Good auditing systems include the option to set software alarms which will notify management of suspicious activity. For example, an alarm might be sent to notify management whenever someone logs into the user administration account, or the first time that an account is accessed over a dialup. The security administrator could then verify that the account was used by those authorized to use it and not by crackers.

Alarms

Software alarms scan for suspicious activity and alert management when such activity is detected. These programs can be implemented as daily tasks which scan the security logs and isolate questionable occurrences.
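A daily alarm task of the kind just described, as an added example (not code from the article): it scans a security log for after-hours and repeatedly failed logons, and checks trusted programs, such as the encryption program, against a baseline of size, modification date and contents. The log format and the sample entries are constructed assumptions.

```python
"""Daily alarm task as described above: scan a security log for after-hours
and repeatedly failed logons, and check trusted programs against a recorded
baseline.  Added example, not from the article; the log format is assumed."""
import hashlib
import os
from collections import Counter
from datetime import datetime

FAILED_THRESHOLD = 3        # failed logons on one account before alarming
AFTER_HOURS = (17, 8)       # 5pm to 8am, the window the article suggests

# Constructed sample log: "<date> <time> <event> <user> <detail>"
SAMPLE_LOG = """\
1986-06-24 15:40:23 LOGON cohen modem
1986-06-24 22:05:10 LOGON cohen modem
1986-06-24 23:11:02 LOGON_FAIL operator modem
1986-06-24 23:11:30 LOGON_FAIL operator modem
1986-06-24 23:12:01 LOGON_FAIL operator modem
1986-06-25 02:30:00 LOGON operator modem
1986-06-25 09:00:00 LOGON david console
"""

def is_after_hours(ts):
    start, end = AFTER_HOURS
    return ts.hour >= start or ts.hour < end

def scan_log(text):
    """Return one alarm string per suspicious occurrence in the log."""
    alarms, failures = [], Counter()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue                  # skip malformed entries
        ts = datetime.strptime(" ".join(fields[:2]), "%Y-%m-%d %H:%M:%S")
        event, user = fields[2], fields[3]
        if event == "LOGON" and is_after_hours(ts):
            alarms.append("AFTER_HOURS %s at %s" % (user, ts))
        elif event == "LOGON_FAIL":
            failures[user] += 1
    for user, n in sorted(failures.items()):
        if n >= FAILED_THRESHOLD:
            alarms.append("REPEATED_FAILURES %s (%d)" % (user, n))
    return alarms

def fingerprint(path):
    """Size and date (the article's checks) plus a hash of the contents,
    which an intruder who restores size and date still cannot fake."""
    st = os.stat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"size": st.st_size, "mtime": int(st.st_mtime), "sha256": digest}

def check_programs(baseline):
    """baseline: path -> fingerprint taken at install time; keep it off-machine."""
    alarms = []
    for path, expected in sorted(baseline.items()):
        try:
            current = fingerprint(path)
        except OSError:
            alarms.append("MISSING %s" % path)
            continue
        changed = [k for k in expected if current[k] != expected[k]]
        if changed:
            alarms.append("TAMPERED %s (%s)" % (path, ", ".join(changed)))
    return alarms
```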
Software alarms can be useful on insecure computers, such as desktop PCs, for alerting management to security violations which the operating system cannot prevent. For example, it is possible to write a very simple program on a PC that would notify management whenever a system program, such as a text editor, spreadsheet or utility program, is modified or replaced. Such a program could detect a virus infection and could be used to isolate and destroy the virus before it became widespread. On larger computers, alarms can notify management of repeated failed logon attempts (indicating that a cracker is attempting to break into the computer) or repeated attempts by one user to read another user's files.

It is important for management to test alarms regularly and not to become dependent on alarms to detect attempted violations of security; the first action by an experienced cracker after breaking into a system should be to disable or reset the software alarms so that the break-in is hidden.

Policy and Protocol

The most secure protocol is useless if people do not follow it. A good protocol is one that is easy, if not automatic, to follow. For example, many university computer centers have adopted a policy that computer passwords are not given out over the telephone under any circumstances. Such a policy, if enforced, eliminates the possibility of a cracker telephoning management and, posing as a staff member, obtaining a user's password. Other policies include requiring users to change their passwords on a regular basis. Some computer systems allow policies such as this to be implemented automatically: after the same password has been used for a given period of time, the computer requires that the user change the password the next time the user logs in.

Subversion

Most incidents of data loss are due to employees rather than external agents.
Many employees, by virtue of their position, are presented with ample opportunity to steal or corrupt data, use computer resources for personal gain or the benefit of a third party, and generally wreak havoc. While computers make these actions easier, they are merely reflections of concerns already present in the businessplace. Traditional methods of employee screening coupled with sophisticated software alarms and backup systems can both minimize the impact of subversion and aid in its early detection.

Cracking

This section is intended to give some idea of how a cracker breaks into a computer. The intent is that, by giving a demonstration of how a cracker breaks into a computer system, the reader will gain insight into ways of preventing similar actions. The target system is actually irrelevant; the concepts presented apply to many on the market.

Perhaps as the result of a random telephone search, the cracker has found the telephone number of a modem connected to a timesharing computer. Upon calling the computer's modem, the cracker is prompted to Logon. Different operating systems have different ways of logging in and perhaps the cracker is not familiar with this one. (The cracker's typing is in lowercase for clarity.) He starts:

    hello
    RESTART

The computer prints ``RESTART'' telling the cracker that ``hello'' is not the proper way to logon to the computer system. Some computer systems provide extensive help facilities in order to assist novice users in logging in, which are just as helpful to crackers as they are to novices. From trial and error, the cracker determines the proper way to logon to the system:

    help
    RESTART
    user
    RESTART
    login
    DMKLOG020E USERID MISSING OR INVALID

The next task for the cracker is to determine a valid username and password combination. One way to do this is to try a lot of them.
It is not very difficult to find a valid username from a list of common first and last names:

    login david
    DMKLOG053E DAVID NOT IN CP DIRECTORY
    login sally
    DMKLOG053E SALLY NOT IN CP DIRECTORY
    login cohen
    LOGIN FORMAT: LOGIN USERNAME,PASSWORD
    RESTART

Once a valid username is found, the cracker tries passwords until he finds one that works:

    login cohen,david
    DMKLOG050E PASSWORD INCORRECT - REINITIATE LOGON PROCEDURE
    login cohen,charles
    DMKLOG050E PASSWORD INCORRECT - REINITIATE LOGON PROCEDURE
    login cohen,sally
    LOGMSG - 15:40:23 +03 TUESDAY 06/24/86 WICC CMS 314 05/29 PRESS ENTER=>

The basic flaw in this operating system is that it tells the cracker the difference between a (valid username, invalid password) pair and an (invalid username, invalid password) pair. For the invalid usernames, the system responded with the ``NOT IN CP DIRECTORY'' response, while for valid usernames the system asked for the user's PASSWORD. Some systems ask for a password regardless of whether or not the username provided by the cracker is valid. This feature enhances security dramatically since the cracker never knows if a username he tries is valid or not.

Suppose a cracker has to try an average of 20,000 names or words to find a correct username or password. Mathematically, on a system which does not inform the cracker when a username is correct the cracker may have to try upwards of 20,000 x 20,000 = 400,000,000 username/password combinations. On a system which tells the cracker when he has found a valid username the search is reduced to a total of 20,000 + 20,000 = 40,000 tries. The difference is basically whether the password and the username can be guessed sequentially or must be guessed together.

All it takes is patience to crack a system. One way to speed the process is to automate the username and password search: essentially, the cracker programs his computer to try repeatedly to log onto the target system.
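The flaw discussed above beside its fix, as an added example that is not code from the article or from the system in the transcript: a logon check whose replies reveal which usernames exist, a logon check that gives one reply for both kinds of failure, and the search-cost arithmetic from the paragraph above. The user directory (storing only one-way hashes, as the article recommends) and the reply strings are constructed.

```python
"""Two logon checkers: one that tells the caller whether the username
exists, one that does not.  Added example, not code from the article;
the directory contents and reply strings are constructed."""
import hashlib
import hmac
import os

ITERATIONS = 100_000


def store_password(password, salt=None):
    """One-way form of a password, the way the article says they are stored."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed directory holding the transcript's account; only hashes are kept.
DIRECTORY = {"cohen": store_password("sally")}
# Hash of a dummy password, so that unknown names cost the same work to check.
_DUMMY = store_password("not-a-real-password")


def _matches(record, password):
    salt, expected = record
    _, got = store_password(password, salt)
    return hmac.compare_digest(expected, got)


def leaky_logon(username, password):
    """Reproduces the flaw: distinct replies reveal which names are valid."""
    if username not in DIRECTORY:
        return "NOT IN DIRECTORY"
    if not _matches(DIRECTORY[username], password):
        return "PASSWORD INCORRECT"
    return "LOGON OK"


def uniform_logon(username, password):
    """The fix: one reply for both failures, and the same hashing work for
    unknown names so that neither the message nor the delay singles out a name
    (the timing point is a later refinement the article does not discuss)."""
    record = DIRECTORY.get(username, _DUMMY)
    ok = _matches(record, password) and username in DIRECTORY
    return "LOGON OK" if ok else "LOGON FAILED"


def search_cost(names, words, reveals_username):
    """Worst-case guesses: sequential (N + M) when the system confirms
    usernames separately, joint (N x M) when the pair must be guessed together."""
    return names + words if reveals_username else names * words


def hours_to_test(passwords, seconds_per_try):
    """Time for an automated search at a fixed rate of attempts."""
    return passwords * seconds_per_try / 3600
```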
To find a username, the cracker can instruct his computer to cycle through a list of a few thousand first and last names. Once a username is found, the cracker programs his computer to search for passwords in a similar fashion. The cracker may also have a dictionary of the 30,000 most common English words, and try each of these as a password. Since people tend to pick first names, single characters, and common words as passwords, most passwords can be broken within a few thousand tries. If the cracker's computer can test one password every 5 seconds, ten thousand passwords can be tested in under 15 hours. (Hopefully by this time a software alarm would have disabled logins from the computer's modem, but few operating systems contain such provisions.)

Finding one valid username/password combination on a system does not place the entire computer at the mercy of the cracker (unless it is a privileged account which he discovers), but it does give him a very strong basis from which to explore and then crack the rest of the accounts on the system. Some computers are more resistant to this sort of exploration than others.

If the cracker gives up trying to penetrate the login server of the host, there are still many other ways to crack the system. He might telephone the computer operator and, pretending to be a member of the computer center's staff, ask for the operator's password. (Crackers have successfully used this method to break into numerous computer systems around the country.)

Some crackers use their computers to search for other computers. A cracker will program his computer to randomly dial telephone numbers searching for AA modems. When the cracker's computer finds a modem answering, the phone number is recorded for later cracking. Automatically dialing modems can also be used to crack into long distance services such as MCI and Sprint by trying successive account numbers.
Although it is theoretically possible to track a cracker back through his call, such action requires the assistance of the telephone utility. Utilities will not trace telephone calls unless ordered to do so by police who have, to date, been very hesitant about ordering such action. At a recent massive computer break-in at Stanford University one research staffer communicated with a cracker over the computer for two hours while another staffer in the lab contacted police to arrange a trace; the police refused.

Conclusion

Computer security is a topic too large to cover fully in any publication, least of all in as short an introduction as this. In order to evaluate a security system it is necessary to think like a cracker or a subverter. After that, most other details follow.

Glossary

Backup (n.): A copy of information stored in a computer, to be used in the event that the original is destroyed.

Back up (v.): To make a backup.

break (v.): To gain access to computers or information thought to be secure. To break a cypher is to be able to decrypt any message encrypted with it. To break a computer is to log on to it without authorization.

bit: One unit of memory storage. Either a ``0'' or a ``1.''

client: With reference to a computer network, the computer or program which requests data or a service.

Confidence: The level of trust which can be placed in a computer system or program to perform the function which it is designed to do. Alternatively, the amount of protection offered by such a system.

Cracker: A person who breaks into computers for fun.

Encryption: The process of taking information and making it unreadable to those who are not in possession of the decrypting key.

MODEM: Modulator/Demodulator. A device used for sending computer information over a telephone line.

Public key: A cryptography system which uses one key to encrypt a message and a second key to decrypt it.
In a perfect public-key system it is not possible to decrypt a message without the second key.

RSA: Rivest, Shamir and Adleman. A popular public-key cryptography system.

Trojan Horse: A program which claims to be performing one function while actually performing another.

Sanitizing: Ensuring that confidential data has been removed from computer media before the media is disposed of.

security logs: A recording of all events on a computer system pertinent to security.

Security through obscurity: Security that arises from ignorance of operating procedures rather than from first principles.

server: With respect to a network, the computer or program which responds to requests from clients.

smart card: A credit-card sized computer, used for user authentication.

subversion: Attacks on a computer system's security from trusted individuals within the organization.

References and Credits

For more information on computer security, see:

The Codebreakers, by David Kahn, 1973. Available in abridged (by the author) paperback. A Signet Book from The New American Library, Inc., Bergenfield, NJ 07621. ISBN 0-451-08967-7.

The Hut Six Story, by Gordon Welchman.

Personal Computer Security Considerations, by the National Computer Security Center, NCSC-WA-002-85, December 1985, from the Government Printing Office.

Special Publication 500-120, Security of Personal Computer Systems: A Management Guide, January 1985, from the National Bureau of Standards.

Some of the information presented in this article is the result of discussions on the ARPANET ``Security'' mailing list and the Usenet ``net.crypt'' newsgroup.

Multics is a trademark of Honeywell. UNIX is a trademark of Bell Laboratories. VM/CMS is a trademark of International Business Machines (IBM).