Information Security Management & Small Systems Security: IFIP TC11 WG11.1/WG11.2 Seventh Annual Working Conference on Information Security Management & Small Systems Security

INFORMATION SECURITY MANAGEMENT & SMALL SYSTEMS SECURITY

IFIP - The International Federation for Information Processing

IFIP was founded in 1960 under the auspices of UNESCO, following the First World Computer Congress held in Paris the previous year. An umbrella organization for societies working in information processing, IFIP's aim is two-fold: to support information processing within its member countries and to encourage technology transfer to developing nations. As its mission statement clearly states, IFIP's mission is to be the leading, truly international, apolitical organization which encourages and assists in the development, exploitation and application of information technology for the benefit of all people.

IFIP is a non-profit-making organization, run almost solely by 2500 volunteers. It operates through a number of technical committees, which organize events and publications. IFIP's events range from an international congress to local seminars, but the most important are:

• The IFIP World Computer Congress, held every second year;
• open conferences;
• working conferences.

The flagship event is the IFIP World Computer Congress, at which both invited and contributed papers are presented. Contributed papers are rigorously refereed and the rejection rate is high. As with the Congress, participation in the open conferences is open to all and papers may be invited or submitted. Again, submitted papers are stringently refereed. The working conferences are structured differently. They are usually run by a working group and attendance is small and by invitation only. Their purpose is to create an atmosphere conducive to innovation and development. Refereeing is less rigorous and papers are subjected to extensive group discussion. Publications arising from IFIP events vary. The papers presented at the IFIP World Computer Congress and at open conferences are published as conference proceedings, while the results of the working conferences are often published as collections of selected and edited papers.

Any national society whose primary activity is in information may apply to become a full member of IFIP, although full membership is restricted to one society per country. Full members are entitled to vote at the annual General Assembly. National societies preferring a less committed involvement may apply for associate or corresponding membership. Associate members enjoy the same benefits as full members, but without voting rights. Corresponding members are not represented in IFIP bodies. Affiliated membership is open to non-national societies, and individual and honorary membership schemes are also offered.

INFORMATION SECURITY MANAGEMENT & SMALL SYSTEMS SECURITY
IFIP TC11 WG11.1/WG11.2 Seventh Annual Working Conference on Information Security Management & Small Systems Security
September 30-October 1, 1999, Amsterdam, The Netherlands

Edited by
Jan H.P. Eloff, Rand Afrikaans University, South Africa
Les Labuschagne, Rand Afrikaans University, South Africa
Rossouw von Solms, Port Elizabeth Technikon, South Africa
Jan Verschuren, Evaluation Centre for Instrumentation and Security Techniques, The Netherlands

SPRINGER SCIENCE+BUSINESS MEDIA, LLC

Library of Congress Cataloging-in-Publication Data
IFIP TC11 WG11.1/WG11.2 Working Conference on Information Security Management & Small Systems Security (7th: 1999: Amsterdam, Netherlands)
Information security management & small systems security : IFIP TC11 WG11.1/WG11.2 Seventh Annual Working Conference on Information Security Management & Small Systems Security, September 30-October 1, 1999 / edited by Jan H.P. Eloff [et al.]
Includes bibliographical references (p. ).
ISBN 978-1-4757-5483-4; ISBN 978-0-387-35575-7 (eBook); DOI 10.1007/978-0-387-35575-7
1. Computer security - Management - Congresses. I. Eloff, Jan H.P. II. Title. III. Title: Information security management and small systems security.
QA76.9.A25 I464 1999  658'.0558-dc21  99-40722 CIP

Copyright © 1999 Springer Science+Business Media New York. Originally published by Kluwer Academic Publishers in 1999. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, mechanical, photo-copying, recording, or otherwise, without the prior written permission of the publisher, Springer Science+Business Media, LLC. Printed on acid-free paper.

CONTENTS

Preface vii
Acknowledgements ix

Part one - Reviewed papers
1. A protocol improvement for High-bandwidth encryption using non-encrypting Smart Cards - RÜDIGER WEIS
2. Real-time Risk Analysis on the Internet: a prototype - H.S. VENTER, L. LABUSCHAGNE, J.H.P. ELOFF 11
3. A practical approach to manage data communication security - P.H. SAMWEL, MARCEL SPRUIT 29
4. The Future of Australian & New Zealand Security Standard AS/NZS 4444? - MATTHEW WARREN, BILL HUTCHINSON 41
5. The Effective Utilization of Audit Logs in Information Security Management - WERNER OLIVIER, ROSSOUW VON SOLMS 51
6. An approach to standardizing security analysis methods for virtual systems - ANN FRISINGER, LOUISE YNGSTRÖM 63
7. Information Security at Top Level - Securometer® streamlines management information - ANDRE BUREN, BERT VAN DER MEER, ABBAS SHAHIM, WILLEM BARNHOORN, EDO ROOS LINDGREEN 75
8. Risk analysis on Internet connection - MARCEL SPRUIT, P.H. SAMWEL 89
9. A Secure Station for Network Monitoring and Control - VASSILIS PREVELAKIS 103
10. Security aspects of a Java-servlet-based web-hosted e-mail system - ELEANOR HEPWORTH, ULRICH ULTES-NITSCHE 117
11. Time as an Aid to Improving Security in Smart Cards - VINCENT CORDONNIER, ANTHONY WATSON, SERGIY NEMCHENKO 131
12. The Intranet Authorization Paradigm - MARK VANDENWAUVER, PAUL ASHLEY, GARY GASKELL 145
13. Predicting the Performance of Transactional Electronic Commerce Protocols - MATTHEW BERRY, ANDREW HUTCHISON, ELTON SAUL 161

Part two - Invited papers
14. The Cyber-Posture of the National Information Infrastructure - WILLIS H. WARE 179
15. Principles of Iris Recognition - MICHAEL NEGIN, MACHIEL VAN DER HARST 205
16. Designing a Secure System for Implementing Chip Cards in the Financial Services Industry - TERRY STANLEY 213
17. New models for the management of public key infrastructure and root certification authorities - STEPHEN WILSON 221
18. A Secure Electronic Commerce Environment: Only with "Smart Cards" - WILLIAM CAELLI 231

Index of contributors 243

PREFACE

The 7th Annual Working Conference of ISMSSS (Information Security Management and Small Systems Security), jointly presented by WG 11.1 and WG 11.2 of the International Federation for Information Processing (IFIP), focuses on various state-of-the-art concepts in the two relevant fields. The conference focuses on technical, functional as well as managerial issues. This working conference brings together researchers and practitioners of different disciplines, organisations, and countries, to discuss the latest developments in (amongst others) secure techniques for smart card technology, information security management issues, risk analysis, intranets, electronic commerce protocols, certification and accreditation and biometrics authentication.

We are fortunate to have attracted at least six highly acclaimed international speakers to present invited lectures, which will set the platform for the reviewed papers. Invited speakers will talk on a broad spectrum of issues, all related to information security management and small system security issues. These talks cover new perspectives on secure smart card systems, the role of BS7799 in certification, electronic commerce and smart cards, iris biometrics and many more.

All papers presented at this conference were reviewed by a minimum of two international reviewers. We wish to express our gratitude to all authors of papers and the international referee board. We would also like to express our appreciation to the organising committee, chaired by Leon Strous, for all their inputs and arrangements. Finally, we would like to thank Les Labuschagne and Hein Venter for their contributions to this conference of WG 11.1 and WG 11.2, which was essential for its becoming a success.

WG 11.1 (Information Security Management) Chairman: Rossouw von Solms, E-mail: rossouw@ml.petech.ac.za
WG 11.2 (Small Systems Security) Chairman: Jan Eloff, E-mail: eloff@rkw.rau.ac.za

ACKNOWLEDGEMENTS

Organised by: IFIP TC-11 Working Group 11.1 (Information Security Management) and Working Group 11.2 (Small Systems Security)

Supported and sponsored by:
TNO (The Netherlands Organisation for Applied Sciences)
CMG Finance, Division Advanced Technology
Concord Eracom
ISACA NL chapter (Information Systems Audit & Control Association)
NGI (Dutch Computer Society)
NGI SIGIS (Special Interest Group on Information Security)
NOREA (Dutch Association of Registered EDP-Auditors)
Philips Crypto
Sensar
ISACA BeLux chapter
NGI SIG EDP-Audit

Conference General Chair
Jan Eloff, Rand Afrikaans University, South Africa
Rossouw von Solms, Port Elizabeth Technikon, South Africa

Programme Committee
Jan Eloff, Rand Afrikaans University, South Africa
Rossouw von Solms, Port Elizabeth Technikon, South Africa
Rene Struik, Philips Crypto, The Netherlands
Jan Verschuren, TNO-TPD-Effi, The Netherlands
Les Labuschagne, Rand Afrikaans University, South Africa

Reviewers
Beatson, John, New Zealand
Booysen, Hettie, South Africa
Caelli, Bill, Australia
Eloff, Jan, South Africa
Eloff, Mariki, South Africa
Gritzalis, Dimitris, Greece
Janczewski, Lech, New Zealand
Katsikas, Sokratis, Greece
Labuschagne, Les, South Africa
Longley, Dennis, Australia
MacLaine, Piet, The Netherlands
Pohl, Hartmut, Germany
Posch, Reinhard, Austria
Preneel, Bart, Belgium
Smith, Elme, South Africa
Van den Wauver, Mark, Belgium
Verschuren, Jan, The Netherlands
Von Solms, Basie, South Africa
Von Solms, Rossouw, South Africa
Warren, Matt, Australia

Organising Committee
Leon Strous, De Nederlandsche Bank, The Netherlands
Wim Smith, TNO-FEL, The Netherlands
Nelly van der Helm, TNO-FEL, The Netherlands

PART ONE - Reviewed Papers

New models for the management of public key infrastructure and root certification authorities - STEPHEN WILSON

technology neutrality, yet allowing for the election of public key technologies where deemed preferable.

The infrastructure would grow from the bottom up. As with ISO 9000, market forces would drive the uptake of third party assurance. In closed groups or in the early stages of a certificate rollout, operators may choose to run without external assurance. As their communities grow and their interactions become more widespread, market pressure will mount for CAs to obtain certification under ICAs. The economics of external
certification will be driven by the value added by third party assurance. CAs would be free to "shop around" for ICAs, which would be expected to compete on the basis of service, expertise in particular sectors, reputation, price and so on.

Certification would confer no special legal or legislated protection. That is, we need not expect laws to be passed that give preferential treatment to certified CAs, yet demonstrated compliance with best practice, evidenced by a third party audit, is always a good defence against accusations of negligence. Therefore this type of scheme brings generalised legal benefits without requiring specific legislation.

It "normalises" the liability question for higher CAs and the peak body, bringing more familiar principles to the fore. Liability is well understood in any standards accreditation framework; the risk can even be insured away under errors & omissions policies (indeed, ISO/IEC Guide 65 requires certifying bodies to carry insurance). In product liability cases affecting ISO 9000 certified companies, for instance, unless the auditor was derelict in their duties, they carry limited liability for the actions of the supplier. In practice, liability tends to diminish as you go further up the certification/accreditation chain. It is exceedingly rare for ISO 9000 certifying bodies or accreditation bodies to be sued.

It allows for fitness for purpose. Just as totally different types of companies can come under the same ISO 9000 management system certification scheme, different CAs could follow their own procedures and membership rules, yet still benefit from PKI compliance. A certificate chain extending from the user CA to the Root CA would signify compliance of the CA with its agreed Policies and Practices, no matter what they are, and thus provide relying parties with assurance of the certificates' fitness for purpose.

It "normalises" the language used in PKI. Relying parties, governments and insurers - to name just a few of the often bewildered parties at present - can now better understand the roles of higher level CAs and the peak authority, because the relationships can be seen as conventional ones of review, audit, accreditation and so on.

Finally, it helps to put 'trust' into perspective. Trust is arguably one of the most problematic concepts in information security. Some governments see PKI oversight as equivalent to "legislating trust". But by emphasising fitness for purpose of certificates, PKI can be relieved from the burden of providing open-ended trust. Rather, a certificate should only be seen as evidence that the holder has met the specific rules of some community they represent, and PKI-compliance should only signify that a third party is satisfied that the rules are being properly applied.

3.1 Reducing the need for cross-certification

Cross-certification is the practice of mutual recognition of two CAs' certificates to an agreed level of confidence. The formal outcome of cross-certification is a "cross certificate" which allows certificate chains beneath the respective CAs to be bi-directionally parsed by relying parties. Legal and technical reviews are required of each other's Policies and Practices, their implementation and operational management, to lead to formal agreement that these are essentially equivalent. Cross certification remains extremely rare, due to several problems:

• it is a laborious, expensive procedure;
• it does not "scale" for large numbers of CAs (for each pair of CAs which do not share a common higher level CA, the entire cross certification procedure must be repeated);
• cross-certificates are not supported by any current commercial off-the-shelf Internet application, so relying parties cannot take practical advantage of the process for processing transactions.

It is commonly believed that cross certification is necessary for effective international certificate-based electronic commerce, and so the problems described above are often seen as serious obstacles. However, this is not necessarily the case. As argued above, if certificates may be associated with membership of separate communities of interest, then their equivalence will usually be entirely moot.

Let us examine independence of certificates in more detail. For Alice and Bob to 'trust' one another in an electronic commerce transaction, it is necessary for them to each have the ability to verify the other's capacity to act. This may necessitate knowing the personal identity of one or both. More commonly in business, the capacity to act will have more to do with credentials and/or position than personal identity. Indeed, in many cases the identity of one or both parties might be suppressed for privacy or personal security reasons (for example, in consumer purchases, voting, legal decisions and police activities).

Therefore it is reasonable for the parties' certificates to be issued from different CAs or PKIs, and under completely different Certificate Policies and Practices. The real need is not equivalence but rather the ability to verify the capacity to act in a particular transaction. Note too that in business, it is common for Alice and Bob to act in quite different capacities. For example, they might be a doctor and a patient, or a doctor and an insurance company, or a bank and a customer, or a supplier and a purchasing officer, or a taxpayer and an internal revenue department. In all such cases, if Alice and Bob are to secure their transactions using certificates, their certificates are not supposed to be equivalent. Thus the problem of determining the validity of someone else's certificate is not the same as determining whether or not it is equivalent to your own certificate.

Conventionally, a certificate's validity is verified if it can be traced back to a trusted CA. For a special purpose certificate, representing business credentials such as those indicated above, it is important that the certificate's issuer be independently certified, to show that the certificate is fit for its intended purpose. Under the accreditation-based PKI, such independent certification is evidenced by the digital certificate issued by an ICA.

Therefore, for Alice and Bob to 'trust' one another, they need to trust the source of the credentials that underpin the transaction. If Alice is a doctor, then Bob may need to recognise the medical registration board that issued her certificate. And if Bob is a public health official, then Alice may need to recognise the government department that issued his certificate. Such recognition may simply involve installing the respective issuers' public keys in Bob's and Alice's transaction processing systems. There is no need for a cross certificate, and, if Bob and Alice have different roles, then there is actually no possibility of a cross-certificate.

CONCLUSIONS

This new accreditation-based PKI model leverages existing standards and mechanisms, bringing the realistic prospect of minimalist government involvement yet high levels of integrity and trust. It would appear that national peak authorities can be established relatively easily wherever ISO 9000 or similar schemes are in place. At the time of writing, discussions had commenced in Australia between the national PKI standards technical committee and the national accreditation body, to determine the best ISO/IEC scheme and to re-scope as required any of the PKI standards already in preparation.

A Secure Electronic Commerce Environment: Only with "Smart Cards"

Professor William (Bill) J. Caelli FACS, FTICA, MIEEE
Head - School of Data Communications, Faculty of Information Technology, Queensland University of Technology

Key words: Smart cards, electronic commerce

Abstract: There is a growing move to rely upon penetration detection analysis schemes and add-on software processes and network security products to combat attacks on information systems
used for the operation of global electronic business commerce systems. These sub-systems and management procedures have taken the place of the development and deployment of solid information systems security and assurance technologies, particularly at the computer security levels, both hardware and software. This is most notable at the small, commodity systems level: those systems largely used by small to medium size enterprises, both private and public, and by divisions of larger corporate and government and even defence units, as well as by individuals. This paper presents the proposition that current commodity level systems do not present the level of information assurance needed to create the necessary trust required for rapid and reliable uptake of electronic commerce systems, against a reliable, legal framework. Indeed, it appears impossible to raise the level of security of these systems, both at client and server levels, without the addition of supplementary hardware and software systems that provide appropriate security services and mechanisms in a trusted systems environment capable of being independently assessed as being effective. Smart cards, coupled with associated trustworthy reader/writer/terminal facilities, appear to be the most suitable method to create such necessary trust in electronic commerce facilities, providing a "trusted path" between the user and the electronic commerce infrastructure. However, it would appear that their usage may need to be legislated by Governments since without such "force of law" it appears unlikely that end-users or PC/server manufacturers will voluntarily meet the cost, albeit small.

J.H.P. Eloff et al. (eds.), Information Security Management & Small Systems Security, © Springer Science+Business Media New York 1999

At the same time, however, the sound and secure integration of such sub-systems into commodity, commercial-off-the-shelf (COTS) systems is a subject of active research.

INTRODUCTION - GROWING THREATS TO "TRUST" IN ELECTRONIC COMMERCE SYSTEMS, PARTICULARLY AT THE RETAIL LEVEL

Global electronic business has been the "catch-cry" of the last half of the 1990s. The dimensions of the situation are best illustrated in terms of a triangle that incorporates the major entities involved: government, business and the individual.

[Figure: Electronic Commerce Participants]

In order for the systems to be widely adopted, however, there has to be trust in the overall operation of such schemes, and such trust could be fragile. Indeed, there are signs already in the USA that early adoption of electronic business is being tempered, particularly at the retail transactions level, because of:

• concerns about privacy, including the protection of confidentiality of personal information at both the client and server ends of the systems;
• information assurance concerns, in that confidence must exist in the ability of the systems to fulfill the electronic business transaction in a safe, reliable and efficient manner, on a total "end-to-end" basis; and
• lack of confidence by both merchants and consumers in the overall financial sub-systems that support the "electronic shopping" experience.

Indeed, there have been a number of concerns of late in the USA in relation to:

• "charge-backs" by consumers against web merchants in relation to credit card purchases;
• unwillingness of web "surfers" to commit to purchase and to then finalize a transaction after preliminary perusal of a merchant's web site; and
• overall performance of the Internet causing severe limitations to overall transaction performance.

All of this "micro-level" concern may be combined with a related "macro-level" concern related to "information warfare" and overall national "information assurance". Once the base economy of a nation becomes dependent upon electronic business activity, the risk assessment and management task takes on new dimensions. These new dimensions go beyond individuals using home business PCs as electronic commerce terminals connected to an open and unprotected Internet, as well as merchants and Government groups providing information servers, to the question of the overall protection of such nationally significant and critical information infrastructures. Once these infrastructures are in place and society becomes totally reliant upon them, then those very systems become targets in an information warfare scenario. Questions then arise as to just who is responsible for the protection of such nationally significant structures against internal and external "cyber-attack".

Newsweek magazine of the USA highlighted this concern on the front cover of its 31 May 1999 edition, under the main banner (NEWS-99): "EXCLUSIVE: PLOTTING A CYBERWAR AGAINST MILOSEVIC". This article (VIST-99) went on to explain that under a secret proposal to President Clinton of the USA, use of cyberwarfare tactics could be beneficial through the use of "government hackers to tap into foreign banks" and thus possibly gain access to Mr Milosevic's banking accounts: "... The National Security Agency's hackers would try to overcome today's sophisticated encryption software and firewalls. If they gained access, the hackers could do almost anything they liked with Milosevic's cash ...". The article goes on, however, to point out that such a plan could really "backfire" if "... confidence in the world banking system were undermined ...". However, such plans, even if somewhat ad-hoc and not fully considered, highlight the concerns that people feel in approaching the new worlds of electronic business, commerce and banking. Altogether, they point to a need to carefully consider the bases upon which such national and international networks are created. And not just the network components but also the actual computer systems at each end and within the network itself. Together they cast doubt on the integrity of system software and allied sub-systems operating on computers attached to the Internet as clients and servers, a vital concern for global secure electronic commerce.

THE CURRENT ELECTRONIC BUSINESS ENVIRONMENT AT THE USER AND MERCHANT COMPUTER SYSTEM LEVEL

Recently the "banking roundtable" in the USA set up a group to carefully examine again the security of the basic technology used for the provision of home and corporate banking services, particularly where these services are made available over the Internet. Particular attention was seen to be urgently needed, not just on the network technologies involved, but more urgently on the connected commodity level computers used to provide the information services themselves at all points in the service. It must be considered that even the larger server systems may themselves be based upon PC hardware technology, in terms of PC "motherboards", disk drives, etc. Essentially, this USA financial group recognised that there are legitimate concerns as to whether or not commodity level computer systems based upon PC hardware and software, never really developed for such purposes, can be made suitable for such important societal activity. Essentially, there are doubts in the minds of the USA's banking industry that such systems, without substantial modification, are suitable at all for these purposes.

The absolute requirement, then, to augment the commodity computer system with higher trust and security technologies has also been acknowledged in the Congress of the USA. For example, Senate Bill "S.1059" (SENA-99) in the current 106th Congress (the military appropriations Bill) has a section (Section 346) that is clearly entitled "Use of Smart Card Technology in the Department of Defense". Essentially the whole project is seen as a means of "... enhancing readiness and improving business processes throughout the military departments ...". Section 347 of the same Bill goes on to support a "Study on Use of Smart Card as PKI Authentication Device Carrier for the Department of Defense". This all supports the contention that even at the Governmental and military level there is growing awareness that "trust" in overall information systems and associated data networks must be enhanced well above current commodity product levels. As below, this comes at a time when actual shipments of commodity level PCs, selling at retail levels in the USA at well below $1,000, seem set to increase yet again.

The important point is that, as Bill Gates pointed out in that same Newsweek edition of 31 May 1999 (GATE-99): "... for most people at home and at work, the PC will remain the primary computing tool. When the PC is at the center of a home network (probably connected to a broader network that will constantly monitor performance, update software and download device drivers and the like), it will be incredibly easy to administer, automatic in operation and maintenance-free ...". Indeed, a side box in the article predicts even further rises in PC shipments well into 2000 and beyond, with growth to 150 million units per annum predicted. This article makes absolutely no mention at all of any form of system integrity, information assurance, privacy or indeed any other form of security at all.

This dependency upon unaltered PCs to perform critical electronic commerce functions, with only software add-ins, including cryptographic sub-systems, that are downloaded from Internet web sites is a major concern, but one that has been tacitly supported by recent advertisements. For example, an advertisement in the June 1999 edition of Time magazine (Australian edition) presents the unadorned Intel Pentium processor as a solution to electronic commerce security. The advertisement states (INTE-99):

"Is your e-business walking a tightrope? The power of the Pentium III processor. Your safety net in the Internet economy. It's a fact. Doing business through the Internet exposes your company to viruses, unauthorised access, and potentially overwhelming network traffic loads. Your safety net? The Intel Pentium III processor. It has the power to run sophisticated compression, encryption and anti-virus software behind the scenes, without compromising performance. So you work faster and safer. And to add an even higher level of protection, each processor has a unique serial number to help protect your vital assets."

Interestingly, the advertisement makes no mention at all of the most powerful feature of the Intel architecture: its "MULTICS"-inspired segmentation and "ring" structures. These provide the necessary hardware architectures needed to create highly secure operating systems, even those up to the highest "A1" trusted systems class in the USA TCSEC category. However, their full power is simply turned off by current PC operating systems.

At present, particularly in the USA, Australia and elsewhere, but less so in Europe, the trend is to allow critical transactions to be initiated on home/business PCs, and even simple touch-pad telephones, using just specialised application software sub-systems, including software based encryption schemes and link-level encryption through the Secure Sockets Layer (SSL) for confidential transport of information across the Internet between client and server. In most cases such software sub-systems are themselves even further sub-systems to commodity product Internet "Web browsers" that provide no security services at all within themselves, beyond possible integrity checks on down-loaded "byte-code applets" of Java language origin. (This fact is based on the consideration of the SSL scheme as being a separate "layer" in an OSI sense that is utilised by a higher "application layer" in the form of the browser.)
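The following Go program is an added example; it is not code from either paper in this volume. It puts two of the arguments above side by side: the previous paper's point that a relying party need only install the public key of the issuer it chooses to recognise, with no cross-certificate between the parties' CAs, and this section's point that SSL only protects the channel, so what actually identifies the signer of a transaction is a signature over the transaction itself, verified against a certificate. Two independent communities are constructed for the example, a hypothetical "Medical Registration Board CA" certifying Dr Alice and a hypothetical "Department of Health CA" certifying Bob; the transaction text and all names are made up. Bob's check of Alice's signed transaction succeeds when the board's certificate is installed as an anchor and fails when only his own department's is, or when the transaction bytes differ. One caveat the next section develops: the signing key here is an ordinary software key in process memory, which is precisely what the paper says an unmodified PC cannot protect; in the arrangement the paper advocates the key would sit in a smart card, and only the verification side would look like this.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Party holds a certificate and the private key that signs for it. In the scheme the
// paper argues for the key would sit in a smart card; here it is a software key in
// process memory, which is exactly the weakness the paper describes.
type Party struct {
	Cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// template builds a minimal X.509 template for a CA or for an end entity.
func template(cn string, isCA bool) *x509.Certificate {
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62)) // random positive serial
	t := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign // may certify members of its community
	} else {
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	return t
}

// makeCert generates a P-256 key and certifies it under parent (nil parent: self-signed).
func makeCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*Party, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	if parent == nil { // a CA that is its own trust anchor
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &Party{Cert: cert, key: key}, err
}

// NewCommunity sets up one independent PKI: an issuer and one member certified under
// the issuer's own policy. Two communities share no CA and no cross-certificate.
func NewCommunity(issuer, member string) (ca, leaf *Party, err error) {
	if ca, err = makeCert(template(issuer, true), nil, nil); err != nil {
		return nil, nil, err
	}
	if leaf, err = makeCert(template(member, false), ca.Cert, ca.key); err != nil {
		return nil, nil, err
	}
	return ca, leaf, nil
}

// SignTransaction returns a detached ECDSA signature over the transaction text. This,
// not the SSL session that carries the bytes, is what identifies the signer.
func (p *Party) SignTransaction(tx string) ([]byte, error) {
	digest := sha256.Sum256([]byte(tx))
	return ecdsa.SignASN1(rand.Reader, p.key, digest[:])
}

// VerifyTransaction is the relying party's check: the signer's certificate must chain to
// an issuer certificate the relying party installed, and the signature must cover this tx.
func VerifyTransaction(tx string, sig []byte, signer *x509.Certificate, anchors ...*x509.Certificate) error {
	roots := x509.NewCertPool()
	for _, a := range anchors {
		roots.AddCert(a)
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := signer.Verify(opts); err != nil {
		return fmt.Errorf("issuer not recognised: %w", err)
	}
	pub, ok := signer.PublicKey.(*ecdsa.PublicKey)
	if d := sha256.Sum256([]byte(tx)); !ok || !ecdsa.VerifyASN1(pub, d[:], sig) {
		return fmt.Errorf("signature does not match this transaction")
	}
	return nil
}

func main() {
	board, alice, err1 := NewCommunity("Medical Registration Board CA", "Dr Alice")
	dept, _, err2 := NewCommunity("Department of Health CA", "Bob (public health official)")
	if err1 != nil || err2 != nil {
		panic("certificate generation failed")
	}
	tx := "Notify case 4711 to the Department of Health" // constructed transaction text
	sig, _ := alice.SignTransaction(tx)
	fmt.Println("board key installed:    ", VerifyTransaction(tx, sig, alice.Cert, board.Cert))
	fmt.Println("only dept key installed:", VerifyTransaction(tx, sig, alice.Cert, dept.Cert))
	fmt.Println("altered transaction:    ", VerifyTransaction(tx+"2", sig, alice.Cert, board.Cert))
}
```

Run with `go run`: the first line prints `<nil>`, the other two print errors. Nothing in the relying party's check depends on how the bytes arrived, which is why an SSL session between Alice's browser and Bob's server adds nothing to the question of who authorised the transaction; and nothing in it depends on the two CAs knowing each other, which is the point of installing the issuer's key directly rather than cross-certifying.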
A Secure Electronic Commerce Environment: Only with "Smart Cards" 237

STRONG LEGISLATION AT THE TRANSACTION AUTHORISATION TIME - NOT JUST AT ITS ACCEPTANCE

In considering the levels of security and assurance needed to create trustworthy electronic business operations, information technology professionals need to be guided by appropriate legal obligations and, moreover, must take a prominent role in the formulation of those same legislative instruments. At present there is a worldwide trend to weaken the security requirements for the operation of electronic commerce systems. Australia's "Electronic Transactions" Bill, before the federal Government in June 1999, exemplifies this weakening of overall information security requirements when it comes to electronic commerce. Essentially the Bill aims at giving electronic transactions the same status as those conducted in the more traditional paper-based way but, when it comes to security requirements, it offers only vague and almost meaningless appeals to security that is "considered pertinent and relevant given the situation". Surprisingly, this is the complete reverse of the paper world, where hundreds of years of law have arisen covering all aspects of the use of paper for transactions, even down to the type and colour of ink used to affix signatures, the use of notaries to witness the affixing of signatures, and the like.

In other national jurisdictions, total emphasis is placed on the server's verification of a "digital signature", even down to creating requirements for so-called "public key certificates", while absolutely no statements are made about the process of affixing such "digital signatures" to transactions. Once again, this is a reversal of common legal practice and legislation, where a body of law and regulations exists covering the affixing of signatures to documents and very little law exists in relation to the verification of those signatures in a "court-room" environment, e.g. the use of witnesses, hand-writing experts, etc.

The USA's State of Illinois, in its "Electronic Commerce Security Act" of 24 August 1998, illustrates this vagueness in legislative instruments, contrasting markedly, for example, with similar legislation in the car safety arena. It states, in relation to digital signatures (ILLI-98), that a "qualified security procedure" is used where this procedure is:

"(1) Commercially reasonable under the circumstances, applied by the relying party in a trustworthy manner, and reasonably and in good faith relied upon by the relying party."

238 Information Security Management & Small Systems Security

Essentially such a digital signature, according to the Illinois Act, must be such that the digital signature "can be used to objectively identify the person signing the electronic record". Simply, an unmodified PC cannot do this in any way at all. Similar problems occur at national, regional and international levels.

THE PC - NOT A SUITABLE VEHICLE FOR "SIGNING" A TRANSACTION?
The hardware and software base of a consumer PC is totally unsuitable for use in trustworthy electronic business operations. There is simply no other way of expressing this fundamental point. The PC's hardware and software, essentially developed in the early 1980s for a completely different purpose, was never conceived as a trustworthy business transaction terminal. This includes all PC hardware available at retail outlets as well as systems and generic software such as the PC operating systems commonly used for home and small business purposes (Microsoft's Windows 95/98, Apple's MacOS, IBM's OS/2) and the generic sub-systems often used to "host" electronic business operations, including WWW browsers. These systems were not designed with computer security in mind but have been pressed into service in application systems where individual privacy as well as transaction integrity and authenticity are vital aspects of business and governmental operations.

In Australia, for example, the EFTPOS standards (SA-2805 series) have clearly mandated a secure device (the PINPad) for the entry of identifying and authorising data (the user's PIN, Personal Identification Number) for credit and debit transactions at retail and other outlets. These units have become mandatory "add-ons" to all "cash register" operations, and such point-of-sale devices are themselves mostly based upon PC technology. The problem is that, to management, information security is still a cost centre and, as such, an area to be minimised. It is not seen as a basic requirement in the way that the information technology systems needed to provide corporate and government services are.

SMART CARD BASED SUB-SYSTEMS - KEY TO TOKEN BASED SECURITY IN ELECTRONIC COMMERCE

Current legislation and draft legislation, particularly in Europe, has set some initial requirements for the provision of a safe environment for consumers to use in pursuing electronic business activities. However, as would be expected, these legislative instruments are generalised and provide no real technical guidance as to appropriate security services and associated mechanisms to be employed. There is general agreement emerging, based upon actual experience, that the use of a smart card as a "signing instrument" offers the best method for provision of a safe and secure digital signing or signature affixation environment. However, while smart cards exist that are capable of performing digital signature and allied cryptographic and key management functions, it is their secure and reliable integration into the untrusted environment of the commodity PC that requires major attention and may still be the subject of further research. It is assumed that users will be issued with an appropriate smart card alone, rather than any "super-smart" token or other device that incorporates a complete computing environment with its own display and data entry facilities. The following table summarises the risks associated with each form of product used to provide such enhanced security services on a PC.

Technology and risk assessment

1. Technology: smart card reader/writer in simple form, attached to the PC keyboard port or serial/parallel port.
   Risk assessment: card activation (e.g. via PIN/password) requires entry of security-critical data on the untrusted PC keyboard; a "Trojan horse" software sub-system may capture the PIN/password; the device driver is untrusted.

2. Technology: smart card reader/writer integrated into the keyboard.
   Risk assessment: as above.

3. Technology: smart card reader/writer integrated into a separate keyboard component with isolation hardware.
   Risk assessment: some risk is alleviated IF the separate component creates an encrypted/trusted "channel" between the PC and the separate keyboard component. The risk of a "Trojan horse" device driver still exists (e.g. capture of the PIN/password, insertion of fraudulent transactions for processing by the smart card, etc.) BUT such a driver needs to possess the channel crypto key.

4. Technology: smart card reader/writer integrated into a full "PINPad" device with its own display and keyboard, connected via the keyboard/serial/parallel port.
   Risk assessment: less risk, and the best solution at present. Capture of the activating PIN/password is avoided BUT unprotected PC hardware/software could still permit insertion of fraudulent transactions for processing.

5. Technology: fully integrated smart card sub-system as in 4, plus a trusted system driver set for the PC.
   Risk assessment: better solution; minimises insertion of "Trojan horse" software sub-systems capable of creating or passing on fraudulent transactions.

CONCLUSIONS

Smart card, and allied token, technologies present the best possibility for meeting the trust requirements for national, regional and global electronic commerce assurance. However, there is a great need for urgent research and development on the creation of "trusted pathways" between the user, the smart card token activation process and the electronic commerce terminal, usually a PC. Without that trust being created, tested and demonstrated, the potential for massive litigation exists, given the vague and indecisive state of legislation in this area.

REFERENCES

GATE-99  Gates, Bill. "Why the PC Will Not Die." Newsweek, 31 May 1999, p. 64.
ILLI-98  The State of Illinois, USA. "Illinois Electronic Commerce Security Act", 24 August 1998. 1997 Illinois House Bill 3180, Illinois 90th General Assembly, 1997-98 Regular Session.
NEWS-99  Front cover, Newsweek, 31 May 1999.
SENA-99  Senate of the United States of America. Senate Bill S.1059, Sections 346-347.
VIST-99  Vistica, G. L. "Cyberwar and Sabotage." Newsweek, 31 May 1999, p. 38.

INDEX OF CONTRIBUTORS

Ashley, Paul 145; Barnhoorn, Willem 75; Berry, Matthew 161; Buren, Andre 75; Caelli, William 231; Cordonnier, Vincent 131; Eloff, J.H.P. 11; Frisinger, Ann 63; Gaskell, Garry 145; Hepworth, Eleanor 117; Hutchinson, Bill 41; Hutchison, Andrew 161; Labuschagne, Les 11; Negin, Michael 205; Nemchenko, Sergiy 131; Olivier, Werner 51; Prevelakis, Vassilis 103; Roos Lindgreen, Edo 75; Samwel, P. H. 29, 89; Saul, Elton 161; Shahim, Abbas 75; Spruit, Marcel 29, 89; Stanley, Terry 213; Ultes-Nitsche, Ulrich 117; Van der Harst, Machiel 205; Van der Meer, Bert 75; Vandenwauver, Mark 145; Venter, Hein 11; Von Solms, Rossouw 51; Ware, Willis H. 179; Warren, Mathew 41; Watson, Anthony 131; Weis, Rudiger 221; Wilson, Stephen 63; Yngstrom, Louise ...
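The distinctions drawn in the risk table of the smart card section above (PIN entry on the untrusted PC keyboard versus on a separate pad, a keyed channel that a "Trojan horse" driver cannot forge without the channel key, and a pad with its own display so that the user confirms what the card is about to sign) can be exercised in a small simulation. The Python script below is an added example written for this edited page; it is not code from the original chapter. Everything in it is constructed: the SmartCard, HonestDriver and TrojanDriver classes, the PIN, keys and transaction strings, and the use of an HMAC tag in place of a real card signature (a real card would use RSA or ECDSA). The display-and-confirm step is the check that turns the table's "best solution at present" (row 4) into one that also resists the insertion of fraudulent transactions the table warns about.

```python
"""Simulation of the PC/smart-card integration options in the risk table.

Constructed example: a "Trojan horse" driver sits between the PC application and the
card reader or PINPad, captures anything typed on the PC keyboard and substitutes its
own transaction in flight.  An HMAC stands in for the card's signature and for the
channel MAC (demo assumption; a real card would sign with RSA/ECDSA).
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional


def mac_tag(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 tag, used both as the toy card signature and as the channel MAC."""
    return hmac.new(key, data, hashlib.sha256).digest()


class SmartCard:
    """Signs a transaction only after the correct PIN has been presented."""

    def __init__(self, pin: str, signing_key: bytes):
        self._pin = pin.encode()
        self._key = signing_key
        self._unlocked = False

    def verify_pin(self, pin: str) -> bool:
        self._unlocked = hmac.compare_digest(pin.encode(), self._pin)
        return self._unlocked

    def sign(self, tx: bytes) -> bytes:
        if not self._unlocked:
            raise PermissionError("card not activated")
        return mac_tag(self._key, tx)


@dataclass
class HonestDriver:
    """Driver that relays keystrokes and frames unchanged (no attacker present)."""
    captured_pins: list = field(default_factory=list)

    def keystrokes(self, text: str) -> str:
        return text

    def relay(self, frame: dict) -> dict:
        return frame


@dataclass
class TrojanDriver(HonestDriver):
    """Malicious driver: logs PC keystrokes and swaps the transaction in flight."""
    fraud_tx: bytes = b"PAY 9999.00 TO attacker"
    channel_key: Optional[bytes] = None   # set only if the PC compromise also leaked the key

    def keystrokes(self, text: str) -> str:
        self.captured_pins.append(text)        # a PIN typed on the PC keyboard is captured
        return text

    def relay(self, frame: dict) -> dict:
        tampered = dict(frame, tx=self.fraud_tx)
        if self.channel_key is not None:       # the MAC can be recomputed only with the key
            tampered["mac"] = mac_tag(self.channel_key, self.fraud_tx)
        return tampered


def simple_reader(card: SmartCard, pin: str, tx: bytes, driver: HonestDriver) -> dict:
    """Table rows 1-2: PIN entered on the PC keyboard, card in a reader on a PC port."""
    card.verify_pin(driver.keystrokes(pin))          # the PIN crosses the untrusted PC
    frame = driver.relay({"tx": tx})
    return {"pin_captured": pin in driver.captured_pins,
            "signed_tx": frame["tx"], "signature": card.sign(frame["tx"])}


def pinpad_blind(card: SmartCard, pin: str, tx: bytes, driver: HonestDriver) -> dict:
    """A PINPad that keeps the PIN local but signs whatever the PC sends (display unused)."""
    card.verify_pin(pin)                             # entered on the pad's own keypad
    frame = driver.relay({"tx": tx})
    return {"pin_captured": pin in driver.captured_pins,
            "signed_tx": frame["tx"], "signature": card.sign(frame["tx"])}


def pinpad_wysiwys(card: SmartCard, pin: str, tx: bytes, driver: HonestDriver,
                   channel_key: bytes) -> dict:
    """Rows 3-5: keyed channel to the pad, then display-and-confirm before the card signs."""
    frame = driver.relay({"tx": tx, "mac": mac_tag(channel_key, tx)})
    if not hmac.compare_digest(frame["mac"], mac_tag(channel_key, frame["tx"])):
        return {"outcome": "rejected: channel MAC failed", "signature": None}
    # The pad shows frame["tx"] on its own display; the user confirms only if it is the
    # transaction they intended.  The comparison below stands in for that human check.
    if frame["tx"] != tx:
        return {"outcome": "rejected: displayed transaction differs", "signature": None}
    card.verify_pin(pin)                             # PIN entered on the pad, after confirming
    return {"outcome": "signed", "signature": card.sign(frame["tx"])}


def demo() -> dict:
    pin, card_key, chan_key = "1234", b"card-signing-key", b"pad-channel-key"   # constructed
    tx = b"PAY 12.50 TO grocer"
    return {
        "simple_reader": simple_reader(SmartCard(pin, card_key), pin, tx, TrojanDriver()),
        "pinpad_blind": pinpad_blind(SmartCard(pin, card_key), pin, tx, TrojanDriver()),
        "pinpad_wysiwys": pinpad_wysiwys(SmartCard(pin, card_key), pin, tx, TrojanDriver(), chan_key),
        "pinpad_wysiwys_key_leaked": pinpad_wysiwys(
            SmartCard(pin, card_key), pin, tx, TrojanDriver(channel_key=chan_key), chan_key),
        "pinpad_wysiwys_honest": pinpad_wysiwys(SmartCard(pin, card_key), pin, tx, HonestDriver(), chan_key),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:28s} {result}")
```

Run as a script, the first two scenarios both end with the card signing the attacker's transaction, and in the first the PIN is captured as well (rows 1-2 of the table). With the keyed channel the substitution fails the MAC check when the driver lacks the channel key (row 3), and when the key has leaked it is the display-and-confirm step that still stops the fraudulent transaction; a pad that signs without showing the transaction would not, which is exactly the residual risk noted for row 4.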