How can cryptography protect confidentiality of information?

Confidentiality

Confidentiality protects sensitive information from unauthorized disclosure or intelligible interception. Cryptography and access control are used to protect confidentiality. The effort applied to protecting confidentiality depends on the sensitivity of the information and the likelihood of it being observed or intercepted.

Damage & Defense…

Network encryption can be applied at any level in the protocol stack. Applications can provide end-to-end encryption, but each application must be adapted to provide this service. Encryption at the transport layer is used frequently today. Virtual private networks [VPNs] can be used to establish secure channels of communication between two sites or between an end user and a site. [VPNs are covered in more detail in Chapter 5.] Encryption can be used at the OSI data-link layer, but doesn’t scale easily; every networking device in the communication pathway would have to participate in the encryption scheme. Datalink layer encryption is making a comeback in the area of wireless security, such as in IEEE 802.11. Physical security, meanwhile, is used to prevent unauthorized access to network ports or equipment rooms. One of the risks at the physical level is violation of access control through the attachment of promiscuous packet capture devices to the network, particularly with the widespread use of open source tools such as Ethereal [www.ethereal.com] and tcpdump [www.tcpdump.org] that permits nearly any host to become a packet decoder.

6.6.3 IP Encryption

In order to protect confidentiality of IPs, and provide a common markup syntax for IP design that is interoperable across different electronic design and automation [EDA] tools and hardware flows, the IEEE SA-Standards Board developed the P1735 standard [26]. This standard has been adopted by EDA and semiconductor companies and IP vendors. The P1735 standard provides recommended practices for using encryption in order to ensure confidentiality of IP. To support interoperability and broad adoption, it also specifies a common markup format to represent an encrypted IP. The markup format uses standard-specific variables, or pragmas, to identify and encapsulate different portions of the protected IP. It also uses these pragmas to conduct functions, such as specifying the encryption and digest algorithms.

The standard also provides mechanisms to support rights management and licensing. Together these regulatory guides enable IP authors to assert fine-grained access control. With the rights management functionality, an IP author can assert which output signals are accessible to the IP user when the EDA tool simulates the IP. The licensing functionality allows access to authorized users only, for example, companies that have paid for the rights to use the IP.

The basic workflow of the standard is shown in Fig. 6.12. The standard mandates AES–CBC [but allows for other blockciphers] and RSA [⩾2048] for symmetric and asymmetric encryption, respectively. For AES it recommends a keysize of 128 or 256. Note that while the tool may perform simulation, synthesis, and other processes on the IP, it never reveals the IP in its plaintext format to the IP user [26].

The current standard has unfortunately some cryptographic mistakes that have been exploited to recover the entire underlying plaintext of the encrypted IP without the knowledge of the key. The authors in [2] provide recommendation to address the limitations of the standard. Even if the limitations of IEEE-P1735 standards are addressed, the IP encryption scheme alone cannot address supply-chain issues like overproduction.

Reading Down and Writing Up

The concepts of reading down and writing up apply to Mandatory Access Control models such as Bell-LaPadula. Reading down occurs when a subject reads an object at a lower sensitivity level, such as a top secret subject reading a secret object. Figure 4.1 shows this action.

There are instances when a subject has information and passes that information up to an object, which has higher sensitivity than the subject has permission to access. This is called “writing up” because the subject does not see any other information contained within the object.

Writing up may seem counterintuitive. As we will see shortly, these rules protect confidentiality, often at the expense of integrity. Imagine a secret-cleared agent in the field uncovers a terrorist plot. The agent writes a report, which contains information that risks exceptionally grave damage to national security. The agent therefore labels the report top secret [writes up]. Figure 4.2 shows this action. The only difference between reading up and writing down is the direction that information is being passed. It is a subtle but important distinction for the CISSP® exam.

Note

The U.S. Central Intelligence Agency, or any other government clandestine organization, operates intelligence collection using the write up concept. Agents go out, collect small bits of intelligence data, and then send that data back to headquarters. Only at headquarters, once the data has been assembled and examined in its entirety, will the true usefulness and value of the data come forth. The sensitivity of the final object will be much higher than the level of access of any of the agents.

Digital Rights Management

Digital Rights Management [DRM] is one technology that is being used more and more to protect confidentiality. DRM is based on the concept of associating rights with documents or content. The principle is that only certain people have the rights to use certain content. It is the job of Digital Rights Management technologies to enforce these rights and ensure there are no violations.

Digital Rights Management technologies basically scramble content so that it can only be accessed by authorized parties. Only the appropriate users using the appropriate systems can descramble this content. This is the key for DRM. Not only does it have to be the appropriate user, it also has to be the appropriate system. Only that specific system knows how to unscramble the content. And the system doesn't allow anyone except authorized users access the content.

DRM is being seen all over nowadays. Many content management systems have DRM integrated into them. The systems not only store content but also perform DRM functions to prevent unauthorized access. If you store your content in one of these systems, it can only be read using the system. Even if you were able to access the content outside of the system, you would not be able to unscramble it. A lot of publicly available applications like iTunes use a form of DRM to prevent authorized accessing or sharing of content.

11.3.2.1.2 Privacy of information exchanged within LTE

LTE offers user data confidentiality, which is done at the PDCP protocol layer between UE and eNB. In addition, IPsec protocol is used to protect confidentiality of user data transferred between different entities in the network. More specifically, utilization of IPsec in the tunneling mode for the user plane data on X2 and S1 links is mandatory. In this regard, encrypting and decrypting of user data is handled at an eNB. In other words, to retrieve information from any node either within PSN or outside PSN, it is the eNB who initiates the tunneling procedure rather than the user. Therefore, eNB acts as a proxy server that receives encrypted user plane data, decrypts it then re-encrypts it using the key shared between user and the eNB and sends the encrypted data to the user. In this regard, eNB is potentially a point of privacy breach since it has access to all data. In addition, this procedure may not be acceptable for critical missions in which end-to-end security is required for first responders. Moreover, because of the preceding fact, it is absolutely critical that access to eNB in physical or digital fashion should be restricted only to authorized personnel.

13 Privacy and Confidentiality

For ethical reasons and in order to obtain high response rates and valid information, most health surveys closely guard the information provided by respondents. In some cases, the requirement to protect confidentiality is legislatively mandated. This is particularly important for health surveys, given the personal nature of the information collected. Confidentiality can also be protected by not releasing data that could identify a respondent. Most survey sponsors subject files that are to be released for public use to rigorous disclosure review. The risk for inadvertent disclosure has increased in recent years. It is no longer necessary to have access to large mainframe computers to utilize survey data, much of which are provided on the Internet or on CD-ROMs. In addition, databases not related to the survey data, but which can be used to identify individuals in the survey data files, are more available and more easily accessible.

It is the potential linking of survey data to these external databases that increases the risk of disclosure, and the risk increases with the amount of information that is available. The ability to link external data to survey responses presents an analytic breakthrough as the utility of survey data can be greatly increased through the appropriate linkages, however, this ability also greatly increases the risk of disclosure especially when the linkages are done in an uncontrolled and inappropriate way. The increased sensitivity to issues of privacy in many countries, especially as related to health care, is affecting how confidential data are being protected. There has been a decrease in the amount of data that can be released as public use files. Other mechanisms are being developed so that access to data can be maximized while protecting confidentiality. The use of special use agreements, licensing and research data centers are examples of these approaches [Journal of Official Statistics 1998].

Introduction

A wireless system uses an intrinsically open and unsecure radio channel for transmission of user signaling and traffic between the base station and mobile stations. As such, reliable and robust security and encryption procedures must be employed in order to protect confidentiality, privacy, and integrity of user traffic and credentials, and to prevent security breaches and theft of service in cellular networks.

This chapter describes the security aspects of the IEEE 802.16m standard. As shown in Figure 8-1 the security sub-layer of IEEE 802.16 is located between the MAC and the physical layers. The security functions provide users with privacy, authentication, and confidentiality by applying cryptographic transforms to MAC PDUs transported over the connections between the MS and the BS. In addition, the security sub-layer enables the operators to prevent unauthorized access to data transport services by securing the associated service flows across the network. The security sub-layer employs an authenticated client/server key management protocol in which the BS [the server] controls distribution of keying material to the MS [the client]. In addition, the basic security mechanisms are reinforced by adding digital-certificate-based MS device-authentication to the key management protocol. If, during capability negotiation, the MS indicates that it does not support the IEEE 802.16m security protocols, the authorization and key exchange procedures are skipped and the MS will not be provided with any service [except emergency services]. The privacy function has two component protocols: [1] an encapsulation protocol for securing packet data across the network, i.e., a set of cryptographic suites and the rules for applying those algorithms to a MAC PDU payload; and [2] a Key Management Protocol [PKM] providing the secure distribution of keying data from the BS to the MS. The MS and the BS can synchronize keying data via the key management protocol. The BS can use the protocol to enforce conditional access to network services, as well.

In IEEE 802.16m, the encryption of the user data is done after the MAC PDUs are generated. This marks a significant difference between IEEE 802.16m and 3GPP LTE, where the ciphering is performed in the PDCP sub-layer and prior to formation of the MAC PDUs. In this chapter the security functions of both standards are described to allow the readers to better understand the similarities and differences of security functions by drawing analogies [3,7–9]. Another important aspect of the IEEE 802.16m security relative to the legacy systems is the encryption of MAC management messages to protect the integrity of Layer 2 messaging and signaling over the air interface [1,2].

The Countermeasures Consultant

Organizations often recruit a countermeasures consultant to perform contract work. As a consumer, ask for copies of certificates of TSCM courses completed and a copy of the insurance policy for errors and omissions for TSCM services. What equipment is used? What techniques are employed for the cost? Are sweeps and meticulous physical inspections conducted for the quoted price? Watch for scare tactics. Is the consultant really a vendor trying to sell surveillance detection devices, or a PI claiming to be a TSCM specialist? Will the consultant protect confidentiality? The interviewer should request a review of past reports to clients. Were names deleted to protect confidentiality? These questions help to avoid hiring an unqualified “expert.” One practitioner offered clients debugging services and used an expensive piece of equipment to conduct sweeps. After hundreds of sweeps, he decided to have the equipment serviced. A service person discovered that the device was not working properly because it had no battery for one of its components. The surprised “expert” never realized a battery was required.

For a comprehensive countermeasures program, the competent consultant will be interested in sensitive information flow, storage, retrieval, and destruction. Extra cost will result from such an analysis, but it is often cost effective.

The employer should use a public telephone off the premises to contact the consultant in order not to alert a spy to impending countermeasures. An alerted spy may remove or turn off a bug or tap and the TSCM may be less effective.

Publisher Summary

This chapter examines the broad topic of data security in the cloud computing along with data protection methods and approaches. Cloud data security involves far more than simply data encryption. Network traffic to and from access points in the cloud should be encrypted for confidentiality, integrity, and ongoing availability. Information and data encryption should be used for data at rest to protect confidentiality and integrity. Whether encryption of data is performed at the granularity data elements, files, directories, or volumes can be complicated by many factors including performance and functionality. While the use of encryption is a key component for cloud security, even the most robust encryption is pointless if the keys are exposed or if encryption end-points are insecure. Customer or tenant control over these endpoints will vary depending on the service model and the deployment model. It is understandable that prospective cloud adopters would have security concerns around storing and processing sensitive data in a public or hybrid or even in a community cloud.

Open Government

The trend towards greater transparency and more open government, formalized as government-wide policy in 2009 obligating agencies to increase the amount and quality of information published online, [63] can alter expectations for the use and dissemination of information in federal information systems. Open government policy makes clear that favoring openness and public information dissemination should not abrogate security or privacy concerns that limit information disclosure to protect confidentiality or for other valid reasons. The expectation that agencies will make more information available online—even non-sensitive information—opens government programs and activities to greater public scrutiny, giving agency personnel addition incentive to ensure that their actions reflect effective practices and legal and regulatory compliance and the information documenting their activities is accurate. To date little of the information published by agencies in association with open government initiative is related to information security, and key security performance metrics included in annual reports to Congress on FISMA emphasize aggregate agency results rather than providing individual agency program details. Many agencies make their annual FISMA compliance assessments, inspector general findings, and other audit reports to OMB publicly available, but there is no central dashboard or other publicly available location for reviewing agency information security management information. Agency inspectors general assess their agencies’ information security programs in 127 attributes across eleven performance areas specified by OMB: risk management, configuration management, incident response and reporting, security training, plans of actions and milestones, remote access management, identity and access management, continuous monitoring management, contingency planning, contractor systems, and security capital planning [64]. The use of consistent program assessment metrics facilitates cross-agency comparisons and government-wide aggregation of security performance information by OMB and, where inspector general reports are made public, enables similar analysis by anyone interested in examining federal agency information security program performance.