What pure or applied technical measures can be taken to protect the Internet against future forms of attack?

Author: Richard Kay
Email: Rich@driveout.demon.co.uk
Phone: +44 121 331 5440
Postal: Faculty of Engineering, University of Central England, Perry Barr, Birmingham B42 2SU, UK

1. Abstract

This paper proposes an evolving and layered approach to solving the stated problem based on a combination of authentication techniques and payment protocol developments. The solution proposed involves Internet Service Providers agreeing amongst themselves to restrict access to new services based on a secure authentication protocol, possibly involving accounted micropayments. This enables the identification of users such that it becomes possible to trace and prosecute misusers and for money to be handled securely, effectively and at low cost over the Internet. The most innovative aspects of this paper concern the combination of approaches and the payment protocol proposed.

2. Contents

1. Abstract
2. Contents
3. Glossary
4. Introduction
5. Contractual agreements between ISPs and users
6. Portable embedded systems and public-key authentication
7. The recording of context or was he or she present?
8. Using accounted transactions as a security guarantor
9. The MRS as an Internet-based payments system
10. Conclusion
11. References

3. Glossary

AUP - Acceptable Use Policy. A statement by an ISP of the acceptable and unacceptable network uses which users of their service are expected to agree to and accept, as a condition of provision of network services.

DNS - Domain Name System (1). A naming system involving hierarchical delegation of network-naming authority to ensure unique names within a network. Names formed using this system consist of a sequence of components with the largest entity at the right hand side, e.g.
the domain name uce.ac.uk is used for the University of Central England (UCE) which is part of the Academic Community (AC) subdomain of the UK top level Internet domain.

ISP - Internet Service Provider. In this paper this term is used to mean an organisation which provides end users with access to the Internet.

LETSystem - (2). A non-hierarchical double-entry account-based payment system used to record payments between participants and the status of their accounts with each other. As all accounts start at zero and external money does not technically enter or leave the system, all accounts within a LETSystem at any given time will add up to zero.

MRS - Multi-Registry System (3). An Internet-based design for automating account-based transactions between distributed accounts involving multiple payment systems, currencies and para-currencies such as airmiles, loyalty points, barter currencies and LETSystems etc.

UBE - Unsolicited Bulk Email, often known as spam. Email messages sent in bulk to recipients who have neither requested messages from the originators, nor consented to receive messages relevant to the contents of such.

4. Introduction

Computer crime and terrorism, as with other hostile actions, are primarily social phenomena and are likely to have mainly social solutions assisted by appropriate technical means. A particular issue with Internet security is the ease with which operations which may be illegal in one country can be moved to or established in countries with favourable legislation. The solutions proposed in this paper recognise this difficulty as given, and will not require government action or special legislation other than to remove legislated barriers to the development of appropriate technical means, e.g. in the field of encryption. This paper assumes the enforcement through the civil courts of appropriate contractual obligations between Internet Service Providers and their users to be feasible.
In the case of physical defence and security, the zenith of the bastion approach historically occurred with the elaborate armour and fortifications of the Middle Ages. Since then, with the growing sophistication of possible methods of physical attack, the primary emphasis of defence has been based upon the probability of being able to identify and carry out retributive measures against likely attackers, which increase the probable cost of attacks to more than the advantages likely to be gained.

This paper is based on the consideration that a similar change of emphasis is likely to take place in relation to strategies appropriate to the defence of Internet-based systems. While host-based and personal approaches to information-asset security against hostile actions are unlikely rapidly to become irrelevant, these are expected, however, to become a less significant part of the overall mix. This paper is therefore particularly concerned with the issue which affects Internet security resulting from the extent to which it can be used anonymously, and the extent to which it can be used for hostile purposes without the perpetrator being easily identifiable.

No single security measure, taken on its own, is likely ever to be able completely to resist all conceivable forms of attack. For this reason practical security is likely to involve a layered approach. For example the use of smart cards in storing digital cash or digitally signing payments is likely to be accepted where the cost of attack is greater than the maximum advantage an attacker might gain. This is likely to place practical limits on the sizes of transaction which will be carried out through such means, with transactions over particular limits requiring more intensive checks; transactions of greater amounts are likely to require further supportive evidence of the intentions and identities of the parties involved.

One of the most difficult classes of attack to counter involves those carried out by an insider.
Possibly the most difficult class involves a conspiracy of insiders (e.g. as caused the BCCI bank failure). Those devising means of countering such attacks will try to prevent any individuals having much information or insider access to more than 1 or 2 layers of a multilayered approach. For example, a bank might want to ensure that those servicing the transaction recording parts of an ATM system have no access to the networking encryption parts of the same system and vice versa.

5. Contractual agreements between ISPs and Internet users

All known Internet Service Providers (ISPs) have acceptable use policies (AUP) to which they expect their users to agree before they will give these users access to the Internet or Internet-based services. This is not something that has arisen by chance. For the Internet to be able to carry out its technical functions ISPs require peering and backbone-access contractual agreements with each other. These agreements have resulted in the ISPs having to impose conditions upon their users as part of the contract resulting in provision of access.

The implications of this are demonstrated, albeit to a limited extent, in the sense that ISPs will refuse mail connections (4) with other ISPs who adopt a friendly or even a neutral approach to customers and users who originate unsolicited bulk email (UBE). This implies that ISPs will need increasingly to impose access conditions upon their users in order to be able to provide connections to certain Internet services. Those like myself who are in receipt of frequent UBE might well question the effectiveness of this.
While the measures against UBE are clearly not yet completely effective, given the very substantial differences in delivery cost between UBE and other forms of direct marketing, it would appear that without the measures already in place to counter this threat resulting in increases to the total costs to perpetrators of this form of misuse, the Internet mail service would have ceased to be useful for many purposes to many users some time ago.

An examination of the contents of UBE suggests a changing pattern. A year or more ago it was very common for UBE to contain pointers to web sites being advertised. This is no longer the case, presumably because pressure within the ISP community results in rapid termination of service to these web sites as soon as a related UBE operation is detected. This is demonstrated by the fact that any valid return addresses (without which UBE can have no conceivable financial motive) now used by senders of UBE almost exclusively involve relatively inefficient non-Internet based forms of communication.

My conclusion from this analysis is that contractual agreements between Internet Service Providers and each other and between ISPs and their customers or users are feasible to enable the construction of networked applications of greater value than could otherwise be obtained. The logical development of this implies the initial encouragement and later enforced use of stronger authentication methods to restrict network access to identified users. The possibilities which this mechanism might enable make other associated technical Internet security solutions more fully scalable.

It is unlikely that ISPs will want to remove access to existing users who are unable to invest in or adopt new methods or techniques. They might decide, however, to require improved security in respect of new Internet services or services provided at lower cost to the user.

6. Portable embedded systems and public-key authentication

This approach involves the adoption of a standardised means of authenticating Internet users and their automated agents based on the embedded applications of public-key digital signature technology, e.g. within credit-card sized smart cards or similar devices.

Current commonly-used automated methods of authenticating individuals or software agents leave much to be desired. Passwords and PIN numbers are too easily lost, handled insecurely, forgotten and stolen. Proposed methods involving biometrics, e.g. through voice or fingerprint recognition, while having attracted much research interest in recent years, are either considered too intrusive (e.g. retinal scanning) or result in too many false positives (i.e. impersonations being accepted as genuine) or false negatives (i.e. genuine users being rejected as impersonators) or suffer some combination of these disadvantages.

The weaknesses of an unencrypted password-based system within a public electronic environment were demonstrated some years ago with the introduction of electronic remote-control key-code access to vehicle security systems. This development was very soon followed by the criminal use of scanners in car parks so these keys could be recorded and mimicked and illegal access gained. Similar weaknesses are attributed to all plaintext password transmission systems over the Internet or local area networks.

There are, however, clearly advantages in security systems being able to identify or authenticate users where public channels are required for the exchange of the messages involved in authenticating the user to the system or the system to the user or authenticating both to each other. One approach to this requirement is known as the one-time pad, where the authenticating and authenticated systems hold a secret set of codes or passwords which may only be used once, typically requiring that each password is used once only and in the correct sequence.
However this and most other approaches suffer from the drawback that secrets must be shared between the authenticated and authenticating systems. This results in further technical and organisational problems concerned with key management.

The most promising approach to these problems is known as public key encryption. With this technology keys are created in matched pairs, with each pair comprising a private and a public key. The public key can be safely disclosed and used to verify messages signed using the private key, because the private key cannot be deduced from knowledge of the associated public key. The advantage of this approach is that it does not require any secrets to be shared or held by anyone other than the person or party who has most to gain by keeping the private key secure.

The technical barriers to widespread adoption of this technology are rapidly being overcome. It is not easy to keep a private key stored on a floppy disk or PC very securely when it has to be processed using a program on a PC. These operational procedures are therefore unlikely to be adopted by most PC users. However when:

a. a private key can be held on a credit-card sized smart device with an embedded processor such that:
b. messages can be transferred to this device, encrypted and signed on this device and exported from it in such a manner that the private key never leaves this device,
c. the key is not easily obtained by anything external to this card and
d. only one copy of this private key is ever available,

then security of digital signatures based upon such devices and transmitted to other systems depends upon fewer uncertainties than exist with traditional PIN, key or password-based systems. Using devices of this kind the security of the signatures created using them will depend upon:

a. The technical difficulties of breaking the encryption algorithms used, either through an exhaustive key search involving trying all possible key combinations or through weaknesses or trapdoors in the public-key algorithm.
b. The difficulties of subverting the process by which keys are created and issued such that another copy of the private key can be used by an attacker. This depends upon an attacker having privileged access to the card manufacturing and issuing system.
c. The difficulties of obtaining information leading to discovery of secret keys by physically or electrically probing and analysing the smart card devices themselves. This kind of attack requires that the attacker have access to the card and might also involve expensive equipment and skills which are highly specialised (5).
d. The ability of attackers to steal the smart encryption card, together with PIN numbers or passwords needed to activate such, and use these in furtherance of an attack prior to the legitimate owner discovering this loss and repudiating the compromised keys.
e. The ability of attackers to coerce the users of smart cards to make signatures or decrypt information using these against their will.
f. The ability of persons or systems verifying digital signatures to establish that the public key associated with signatures and used in this verification process genuinely belongs to the party using the private key and has not been timed out or repudiated.
g. The ability of attackers to subvert the systems used to verify these signatures.

It goes without saying that none of the attacks described above are likely to be made if there is a high enough associated cost (e.g. using a brute force keysearch) or if it carries sufficient risk of the attacker being detected to make the likely benefits obtained from an attack not worthwhile.
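The authentication exchange over a public channel described in this section can be made concrete as follows. This is an added example, not code from the paper: Ed25519 from the Go standard library stands in for whatever algorithm a card would use, and the names Card, Verifier, KeyRecord and the challenge format are assumptions. It shows that a recorded response is useless once its challenge is spent (unlike the recorded car key-codes) and that the verifier refuses keys that have timed out or been repudiated (point f).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

var (
	ErrUnknownUser = errors.New("no public key on record for user")
	ErrNoChallenge = errors.New("no outstanding challenge (replayed response?)")
	ErrRepudiated  = errors.New("public key repudiated")
	ErrTimedOut    = errors.New("public key timed out")
	ErrBadSig      = errors.New("signature does not verify")
)

// Card stands in for the smart card: priv is unexported and never returned.
type Card struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewCard() (*Card, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Card{priv: priv, Pub: pub}, nil
}

// message binds a signature to this protocol, this user and one challenge.
func message(user string, challenge []byte) []byte {
	return append([]byte("auth-example|"+user+"|"), challenge...)
}
func (c *Card) Sign(user string, challenge []byte) []byte {
	return ed25519.Sign(c.priv, message(user, challenge))
}

type KeyRecord struct {
	Pub        ed25519.PublicKey
	NotAfter   time.Time
	Repudiated bool // set when the owner reports the card lost or stolen
}

// Verifier holds public data only; it shares no secret with the card.
type Verifier struct {
	Keys    map[string]*KeyRecord
	pending map[string][]byte // one outstanding challenge per user
}

func NewVerifier() *Verifier {
	return &Verifier{Keys: map[string]*KeyRecord{}, pending: map[string][]byte{}}
}

func (v *Verifier) Challenge(user string) ([]byte, error) {
	if _, ok := v.Keys[user]; !ok {
		return nil, ErrUnknownUser
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	v.pending[user] = c
	return c, nil
}

// Verify consumes the challenge, checks key status, then the signature.
func (v *Verifier) Verify(user string, sig []byte, now time.Time) error {
	c, ok := v.pending[user]
	if !ok {
		return ErrNoChallenge
	}
	delete(v.pending, user) // a challenge is good for one attempt only
	rec, known := v.Keys[user]
	switch {
	case !known:
		return ErrUnknownUser
	case rec.Repudiated:
		return ErrRepudiated
	case now.After(rec.NotAfter):
		return ErrTimedOut
	case !ed25519.Verify(rec.Pub, message(user, c), sig):
		return ErrBadSig
	}
	return nil
}

func main() {
	card, err := NewCard()
	if err != nil {
		panic(err)
	}
	v, now := NewVerifier(), time.Now()
	v.Keys["alice"] = &KeyRecord{Pub: card.Pub, NotAfter: now.Add(time.Hour)}
	c, _ := v.Challenge("alice")
	sig := card.Sign("alice", c)
	fmt.Println(v.Verify("alice", sig, now), "/", v.Verify("alice", sig, now))
}
```
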
While it is unlikely that any embedded public-key smart-card based authentication system can be devised which can completely eliminate any risk of the above weaknesses (or other weaknesses which might exist but have not been considered), the approach described above reduces substantially the problems associated with password or PIN based systems which are currently in general use, and suffers none of the disadvantages of biometric based systems. The widespread adoption of this system is held back:

a. by the absence of agreement on the standards to be adopted, partly due to rapidly advancing technology and
b. by the effects of legislated obstructions to the export of encryption technology.

It is considered very likely that both of these difficulties will be substantially overcome within the next five years or so; for example very widespread adoption of this technology might require certain price points to be reached, e.g. 1 US Dollar for the cards and 20 US Dollars for the card read/write interfaces. Some reliability problems have also been reported with contact based cards which are thought to have been overcome with contactless cards.

It is also thought likely that the relative strengths of this technology, in comparison with currently used methods of authentication, are sufficiently advantageous that digitally signed transactions using smart card technology will be in common use for signing payment transactions and gaining system and network access by 2005. This technological development is thought to be a prerequisite for more secure Internet access and mass acceptance of low cost payment technology described below.

7. The recording of context: was he or she really present?

For transactions requiring a greater degree of confidence in the identity of the originator some use is likely of automated methods involving the recording of context and potentially involving automated analysis of this supporting information.
In the off-line world the security of most transactions depends upon the existence of a considerable wealth of potential evidence being associable with the movements of individuals. This arises through the general nature of the world in which we live, our interactions with this world and the ability of human observation, automatic recordings and forensic and other investigations to record, analyse and make sense of this evidence.

For example, it may be easy to steal or forge a credit card and copy magnetic stripe data on conventional cards, but using this token, however insecure its technical basis, to carry out fraudulent transactions involves a greater risk. For example, ordering goods by credit card requires delivery of these goods to the address recorded against the credit card or the presence of the individual at the ordering point. Ordering theatre tickets involving credit card payment involves the user of these tickets being in a known place at a known time after the transaction is initiated. Buying fuel or clothes using plastic is likely to result in the video recording of the person obtaining these items on a shop security system.

When a major crime such as murder is investigated the detectives might collect, organise and sift through tens of thousands of minor details and observations associated with the movements of anyone who was in the area or might be connected in any other way, however peripherally, to the crime. Use of the Internet by a criminal can make collection of this kind of supplementary or background evidence by law enforcers more difficult, because an electronically mediated action can originate from anywhere and associated computer records, such as exist, might in some cases be deliberately falsified, corrupted or deleted.

In situations where the risk of crime exists or is high, however, contextual information associated with particular electronic transactions can be automatically recorded and secured from further tampering e.g.
through use of write-only media which is subsequently taken off line and secured. This contextual information is likely to include live recordings of question and answer interactive voice and video sessions etc. in order to record associated trails of evidence which might be available for verifying the identity of parties to certain Internet-based transactions if and when this needs to be investigated in the event of disputes. These records might also be associated with supporting information collected using digital signatures, biometric scans and PINs or passwords etc.

For an example of how this might work, ATM cash machines are now routinely being equipped with video recording equipment. A further defence of this kind might result in a series of more sophisticated attacks, with more advanced countermeasures against these attacks, e.g.:

a. An attacker might obscure the video camera. Detection of such an event might result in cards inserted being retained by the ATM with no payout.
b. An attacker might wear a mask to blank their face either partially or entirely. A pattern recognition program might be able to detect the absence of a full human face and sound an alarm in the shopping centre security office or local police station etc. This would require less sophisticated pattern analysis and recognition than would be needed positively to identify a known face.
c. An attacker who was aware of this might wear a mask to look like another person who might be recognised, hoping that automated real-time analysis and recognition activities are not adequate to recognise specific faces prior to the payment being made, such that later analysis of the recording might lead the authorities to other suspects.
d. An attacker who believes that the pattern recognition capabilities of the ATM system or services to which the ATM was connected is capable of recognising the account holder might wear a mask or makeup etc. to make their face resemble that of the person from whom they have stolen a card and PIN.

The fact that attack d. is conceivable does not make having a video camera in an ATM machine any less worthwhile, as it greatly raises the technical difficulty and cost to the attacker, perhaps to the point where such attacks might begin to cost more than any advantage which can be gained.

It should also be noted that methods like this, of obtaining context information associated with the kinds of transaction increasingly likely to take place on-line over the Internet, do not require that such context be recorded with every single transaction. The fact that a proportion of ATM machines are equipped with video recording facilities and automated facial recognition might act as a sufficient deterrent to ATM user impersonation even if this proportion is small, so long as someone considering this impersonation does not know and has no method of detecting which ATM machines are so equipped.

8. Using accounted payments as a security guarantor

The introduction of ubiquitous and low-cost transaction technology for account-based payments based on the author's MRS proposal (3) will make it feasible for those providing on-line services to require a very small account-based financial transaction as an entry protocol before allowing access. The requirement for an account-based financial transaction before another kind of on-line transaction can be facilitated helps to guarantee the identity of the initiator, because when money is at stake people will behave carefully. This is perhaps the best guarantee against the security lapses which typically occur through users or operators feeling no personal degree of responsibility and accountability for the integrity and security of the system they are using or operating.
The existence of this protocol between an ISP and their user will give other ISPs the degree of confidence needed to handle this user's traffic, knowing that the home ISP of this user can identify them through an audit trail.

For an example of how payments improve on-line security, in my own university work environment there was a noticeable reduction in the frequency of student users forgetting their passwords, following the introduction of a system which ensured that a password could only be used to gain access to one login session at a time and that a small fee is charged for the reissue of a password.

There has been some speculation in the past (6) that the dominant method of Internet-mediated payments will in future involve anonymous transactions, where it is proposed that the payee might know that payment has been cleared but has no indication of the identity of the payer. It has further been proposed that such systems might enable payments to be aggregated and executed sufficiently anonymously to enable the open on-line finance of assassination services. These would in theory be paid for by multiple anonymous sponsors and provided for by anonymous contractors known on the net through the combination of a unique encryption key, associated alias and reputation.

It is understood also that the cryptographic analysis of such payment services is credible to those with sufficient expertise to carry this analysis out. If true, however, this does not change anything if the analysis of other bases of the payment system involved in the perpetration of such crimes demonstrates one or more of these bases to be flawed. A wider analysis of such payment systems implies these not to be financially credible because their existence could never be politically viable.

For a payment in any currency to be accepted the person accepting it has to believe that others will exchange goods and services for it. How can we know that the money we accept is not forged?
Whatever type of currency is involved this question is answered by reference to some authority; there will inevitably be some party, institution or group acting as its guarantor, by being willing to exchange it either for something else of value or some other accepted form of money. However, no-one will be willing to undertake this role if acceptance of a form of money implicates one as an accessory to a serious crime financed using this payment system and which this payment system made possible.

Even if the guarantors of transactions involving a payment system were to locate themselves in countries with different laws, no country can afford to be associated with the sponsorship or underwriting of assassination and terrorism. Locating a currency guarantee operation offshore might escape the laws of a country determined to protect the lives of its citizens but, as the recent history of responses to state-supported terrorism demonstrates, this will not protect its operators or operations from aerial bombardment and other forms of military attack.

Within the current financial system the only payments which do not leave an audit trail appear to involve either small amounts of physical notes and coins or those concerned with tax evasion and money laundering. For this reason all banks are nowadays expected to report all cash transactions above certain limits. As no on-line technology associated with anonymous digital forms of cash is likely to be able to prevent aggregation of payments for criminal purposes, this also suggests that Internet-based digital-cash systems are unlikely ever to be fully anonymous to the extent described above, even if they are allowed to provide limited degrees of privacy in practice.

Financial institutions know that the reputation of their money depends upon the integrity of their organisation and operations.
For this reason the initiative to create an Internet-based anonymous digital-cash payment system which would enable on-line pornography providers to provide services paid for without risk of customer credit-card payment repudiation failed when the backer pulled out (6).

The analysis of transaction security in relation to associated participant contextual information further supports the conclusion that Internet payments must inevitably result in some kind of an audit trail. If we accept this to be the case the question of how Internet payments will be handled in future depends upon the cost-effectiveness and practicality of the payment system design. The main criticism of conventionally-cleared account-based payments is that the cost of clearing these makes their use for small payments impractical.

The LETSystem (2) provides a payment system design for which the security considerations of on-line transactions differ significantly from those associated with the direct use of conventional money. This design is compatible with conventional money in that use of low-cost LETSystem micropayments using an automated MRS network (3) might be combined with a conventional currency, in the sense that LETSystem participants might contract to clear their LETSystem accounts at regular intervals in exchange for conventional money.

9. The MRS as an Internet-based payments system

For a payment system to become universal it must offer sufficient advantages over existing methods to be widely adopted. This payment system will require the following properties:

a. It will need to be sufficiently secure to handle systems which are linked to conventional money such that someone accepting payments using this method in exchange for goods and services can be confident that these payments will be convertible, in time, into conventional money.
b. Use of it will need to be cheap enough to make its use for transactions of low value sufficiently attractive.
For example, those providing information or services through web sites are unable to sell information articles or services for a few pence or cents or small fractions of such to each of a large number of customers. Another example might be that some people will want to charge those sending them electronic mail a small amount of money before they will accept it in order to raise the cost of mail delivery for direct marketing operations to something comparable to the cost of the attention of the person receiving this information.
c. It will need to be flexible enough in order to be able to handle payments denominated in a wide variety of conventional, trade and community currencies, e.g. US Dollars, Saudi Rials, Coventry UK LETSystem points, air miles, Sainsbury UK supermarket loyalty points, Comox Valley BC Canada community way credits (7) etc.
d. It will ultimately need to be scalable enough to be able to handle hundreds of payments per day for everyone on planet earth who uses money.

The MRS protocol design (3) allows for all of the above requirements. MRS security arises through the use of a conventional double-entry bookkeeping protocol and the requirement that a separate audit trail record is made of each transaction, ensuring that every transaction is stored in at least 3 locations on at least 2 (more typically 3) geographically separated servers. This will be supplemented through the requirement for digital signatures to be associated with transactions as discussed above, and through the need to store associated contextual information (e.g. video and audio records) for transactions of over a certain size.
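A minimal model of the bookkeeping described above, as an added example rather than the MRS design itself: it assumes the copies of a transaction are the payer's account, the payee's account and an append-only audit trail, and it treats clearing as simply the end of the repudiation period the paper goes on to describe. All type and function names are hypothetical. Replaying the audit trail catches tampering that the LETSystem zero-sum check alone would miss.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

var ErrInvalid = errors.New("invalid payment")
var ErrNotPending = errors.New("payment unknown, cleared or already repudiated")

type Record struct { // one entry in the audit trail (constructed format)
	Kind     string // "pay", "repudiate" or "clear"
	Tx       int
	From, To string // direction in which value moved
	Amount   int64  // smallest unit of the system's currency
}

type Ledger struct {
	Balances map[string]int64 // account copies: two postings per payment
	Audit    []Record         // third, separately held copy of every event
	pending  map[int]Record   // payments still inside the repudiation period
}

func NewLedger(accounts ...string) *Ledger {
	l := &Ledger{Balances: map[string]int64{}, pending: map[int]Record{}}
	for _, a := range accounts {
		l.Balances[a] = 0 // every account starts at zero
	}
	return l
}

// Pay debits the payer and credits the payee by the same amount.
func (l *Ledger) Pay(payer, payee string, amt int64) (int, error) {
	_, okPayer := l.Balances[payer]
	_, okPayee := l.Balances[payee]
	if !okPayer || !okPayee || payer == payee || amt <= 0 {
		return 0, ErrInvalid
	}
	r := Record{"pay", len(l.Audit) + 1, payer, payee, amt}
	l.Balances[payer] -= amt
	l.Balances[payee] += amt
	l.Audit = append(l.Audit, r)
	l.pending[r.Tx] = r
	return r.Tx, nil
}

// finish closes a pending payment: "repudiate" reverses it, "clear" keeps it.
func (l *Ledger) finish(tx int, kind string) error {
	r, ok := l.pending[tx]
	if !ok {
		return ErrNotPending
	}
	delete(l.pending, tx)
	r.Kind = kind
	if kind == "repudiate" {
		r.From, r.To = r.To, r.From // value flows back to the payer
		l.Balances[r.From] -= r.Amount
		l.Balances[r.To] += r.Amount
	}
	l.Audit = append(l.Audit, r)
	return nil
}

func (l *Ledger) Repudiate(tx int) error { return l.finish(tx, "repudiate") }
func (l *Ledger) Clear(tx int) error { return l.finish(tx, "clear") }

// Total is the sum of all balances; in a LETSystem it must always be zero.
func (l *Ledger) Total() (sum int64) {
	for _, b := range l.Balances {
		sum += b
	}
	return sum
}

// Reconcile replays the audit trail and lists accounts that disagree with it.
func (l *Ledger) Reconcile() []string {
	want := map[string]int64{}
	for _, r := range l.Audit {
		if r.Kind != "clear" { // clearing moves no value inside the ledger
			want[r.From] -= r.Amount
			want[r.To] += r.Amount
		}
	}
	var bad []string
	for acct, bal := range l.Balances {
		if want[acct] != bal {
			bad = append(bad, acct)
		}
	}
	sort.Strings(bad)
	return bad
}

func main() {
	l := NewLedger("alice", "bob", "carol")
	tx, _ := l.Pay("alice", "bob", 5)
	fmt.Println(l.Repudiate(tx), l.Total(), l.Reconcile())
}
```
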
Payments of various sizes directly carried out and aggregated using LETSystems and later cleared into conventional money will allow payers a repudiation period (prior to clearance into conventional money), while the signature and recorded context will give payees sufficient confidence that payer repudiation is unlikely and might be legitimately counter-challenged.

This protocol will be cheap to operate because every routine and operational aspect of it can be automated, except for operations concerned with user registration and issue of smart cards. There might also be some expenses for payees involved in challenging payment repudiation and some for payers in checking account statements in order to decide when to repudiate a payment. However, all of these exceptional costs already arise in the conventional economy, e.g. as might be associated with account statement vigilance, and occasional cheque cancellation and civil-court actions to obtain payment refused following provision of services.

As with the Internet itself the proposed MRS network has no single point of failure or control. The MRS payment protocol is flexible enough to handle any kind of accountable currency and is scalable enough to handle any number of users and any likely number of transactions. It achieves this through the use of an Internet DNS-based (1) naming convention for naming:

a. the registries through which users are registered on the network,
b. the payment systems which are in use between users and
c. the servers used to handle relevant payments.

This will enable any payment to be made between any 2 users of any currency or accountable point recording system without naming or routing ambiguities.
Any number of servers might also be involved in providing access to the accounting operations, audit trail recording and providing access to copies of public keys verifiable through being signed by trusted third parties, such that any of the potentially millions of payment systems within this network might be able to handle millions of accounts.

The capacity of a payment system, which might be distributed over very many transaction servers, is likely to be limited by the capacity of the clustering arrangement for the audit-trail recording service associated with a particular payment system or currency. This might be considered as a single point of failure, but it applies only to a single payment system. This arises through the need to be able to audit a payment system as a coherent entity. The MRS network as a whole is designed to handle very many such systems, any of which could potentially fail without having a significant effect on the others.

One consequence of this is that payments are likely to be required between users of different currencies or payment systems who do not have accounts on the same system. To make the overall system fully scalable, some of the payment systems used within this network will therefore be concerned with the automated clearing of these "foreign exchange" type payments involving transactions with payers and payees who use accounts involving different currencies and payment systems.

10. Conclusion

The growing difficulties of securing Internet services against anonymous and coordinated attacks are likely to result in ISPs establishing more highly coordinated forms of defence. These will arise, partly through formal contractual obligations between ISPs to trace and respond to misuse, and partly through technical protocols which will enable these contractual obligations to be met.
This is likely to change the relationship between ISPs and Internet users, with the ISPs requiring stronger authentication and audit protocols for newer and lower-cost Internet services, so that ISPs will be able to identify more positively who their users are. The user-authentication protocols likely to be adopted will also enable the development of a fully-scalable, low-cost, secure and ubiquitous Internet-based payments network, capable of handling any number of payments, currencies and settlement systems.

11. References

(1) DNS: The Domain Name System. P. Mockapetris. IETF RFC1101. ftp://ftp.isi.edu/in-notes/rfc1101.txt
(2) The LETSystem home page. Michael Linton. http://www.gmlets.u-net.com/
(3) The Multi Registry System. Richard Kay. http://www.driveout.demon.co.uk/mrs2.html
(4) Mail Abuse Prevention System. Paul Vixie. http://maps.vix.com/
(5) Tamper Resistance - a Cautionary Note. Ross Anderson, Markus Kuhn. http://www.cl.cam.ac.uk/users/rja14/tamper.html
(6) A Market Model For Digital Bearer Instrument Underwriting. Robert Hettinga. http://www.philodox.com/modelpaper.html
(7) Community Way Projects. Michael Linton, Ernie Yacub. http://www.ratical.org/communityway/index.html