National Institute of Standards and Technology bolsters active content security, advanced encryption standard.
A fast-moving squad of government and industry computer security experts is preparing to swing into action. This computer-security-expert assist team is structured to support federal government agencies by providing ways to protect information technology systems and networks. The team’s core will be industry members who are proficient in identifying and alleviating complex information system and infrastructure vulnerabilities.
Parallel to the formation of this team, research in mobile agent and active code content is being conducted to assist federal agencies in understanding both the pitfalls and benefits of their use. Mobile agents and active code are strings of software that can function semi-autonomously and are platform independent—able to hop from platform to platform—and can be configured to execute tasks and reproduce themselves.
Mobile agents are software threads that can move around a network gathering information. They can be configured to collaborate and share information with each other, which means they can acquire information about areas of a network that they have never visited. Companies now sell software that enables configuring agents to search for specific types of information.
“There are obvious mobile agent security risks,” says Edward A. Roback, chief of the Information Technology Laboratory Computer Security Division. The division’s parent, the U.S. Commerce Department’s National Institute of Standards and Technology (NIST), Gaithersburg, Maryland, advises federal agencies on computer security issues. On the risk side is the possibility of a malicious host attacking visiting agents, agents attacking other agents or agents attacking the host. “Conversely,” Roback continues, “it may also be possible to use mobile agent code for protection—transmitting and propagating software patches or providing a self-healing network capability.” However, the possibility of using mobile agents and active code for offensive network attack operations casts an aura of urgency and secrecy over the research effort.
At the nexus of security technology development by industry and academia for application to federal agency networks, Roback’s division will be responsible for the new computer-security-expert assist team. He is shaping the unit to delve into organizational issues affecting security at various federal agencies. This action is in response to a mandate from the U.S. Office of Management and Budget (OMB).
The new team, Roback says, is being formed to assess all aspects of organizational security. NIST received an additional $3 million last fiscal year for security projects, and the division is assembling the team from industry to begin operations. This team is being configured to meet specific agency demands and to determine whether each organization is effectively protecting information systems and networks. Part of the effort involves ensuring proper policies, procedures and training programs as well as disseminating information on methodology and software patches to protect the infrastructure. In addition, the team will identify high-risk programs and determine whether an agency is following OMB security policy.
Organizations that are in the process of implementing or are using new technologies must be on guard, Roback points out. Mobile agents and active code content represent only one category of new technology that could bring unforeseen vulnerabilities. However, active content is especially worrisome, he explains, because it can carry out or trigger actions automatically without a person directly or knowingly invoking the actions. This can be particularly insidious because of the inherent vulnerabilities in active content technologies.
Federal departments and agencies should develop a policy regarding active content, Roback insists. Active content technologies span a broad range of products and services and involve various computing environments including desktop, workstation and server. The vulnerabilities of mobile code and active content also extend to interpreted e-mail formats that have embedded code or bear executable attachments. The division’s research in this area is part of its statutory responsibility to advise federal agencies, he assures.
Division researchers are working with the National Security Agency (NSA) to evaluate the use of mobile agents to perform network security testing. This effort focuses on restricting mobile agents’ capabilities on a host using digitally signed passports and employing mobile agent technology to enhance intrusion detection systems. In addition to a cooperative research agreement with The Boeing Company, the division is working with a number of other mobile agent research groups to build a secure mobile agent architecture, Roback clarifies.
With 13 members and a budget of approximately $14 million, the division provides a steady flow of security information to federal agencies through bulletins and special publications. Topics include analyses of intrusion detection systems, operating system security, security implications of active content, hacking standards and mobile agent security, Roback offers. Other publications address post branch exchange security, incident-handling guidance and public key infrastructure essentials.
In conjunction with the Federal Chief Information Officer Council, the division has issued an information technology security handbook along with an assessment framework. Roback cites the division’s work on risk management guidance and in the Federal Computer Security Program Managers Forum to help facilitate sharing security information among agencies. This forum meets approximately every month and also maintains virtual contact through a steady flow of e-mail. This approach allows federal managers to draw upon the experience and expertise of their colleagues.
The division also is working with the General Services Administration on smart card technology. In addition to a myriad of other applications, smart cards can be used for security by holding cryptographic keys and access control authorization, Roback notes. The widespread implementation of smart card technology can serve to foster government security applications, he reveals.
“We look at new technologies to see what is being fielded, what risks may be involved and what security measures an agency should undertake,” Roback acknowledges. “Many new technologies present both hazards and advantages. There are also ways to use new technologies to improve security, and we advise agencies on this.”
Funding from the Defense Advanced Research Projects Agency and a number of other agencies is expected to help finance the division’s mobile code research. “Whenever it makes sense to get involved, the division also works with technology developers in industry.
“Our worldview is that the more secure U.S. products become, the more competitive they are,” Roback proclaims. This vision is behind the division’s work with industry and government in security research and in developing standards by working on a volunteer basis with industry consensus standards bodies and with various consortia. Division scientists also provide a strong cryptographic program in concert with the NSA and other partners in government and the broad cryptographic community.
In one high priority project, the division recently led a worldwide quest for an advanced encryption standard (AES). A number of organizations participated in a competitive process to produce a strong information encryption formula. AES is designed to protect nonclassified but sensitive data in federal computer systems. Each candidate algorithm was required to support block-cipher key sizes of 128, 192 and 256 bits. As an example, for a 128-bit key size, there are 340,000,000,000,000,000,000,000, 000,000,000,000,000 (340 followed by 36 zeros) possible keys.
The new encryption standard was needed to replace the aging data encryption standard (DES) and the Triple DES variant. NIST adopted DES in 1977 as a federal information-processing standard for government agencies to use to protect sensitive, unclassified information. DES also has become ubiquitous in the financial services community. The selection of AES is likely to affect millions of consumers and businesses.
The Commerce Department recently announced Rijndael as the winner of the three-year NIST contest to find a new data encryption formula (SIGNAL, April, page 44). Belgian cryptographers developed the winning formula, but mathematicians in 12 nations worked on developing advanced encoding methods during the contest. NIST invited the global cryptographic community to “attack” the proposed new encryption formulas in an effort to break the codes. Each one was evaluated for security, speed and versatility. NIST managed the AES competition with considerable private-sector cooperation, Roback says.
Another NIST priority is the Computer Security Resource Center. It embodies NIST’s work in developing, prototyping, testing and implementing security standards and procedures. The center is tailored to increase security measures and create more robust architectures. The content of the resource center is coordinated with the Federal Chief Information Officer Council’s Security Committee.
The division’s Cryptographic Module Validation Program provides documented testing methodology for conformance testing through a defined set of security requirements. These requirements are in the Federal Information Processing Standard (FIPS)-140. This standard goes beyond AES and DES “to the next layer of the onion beyond the core algorithm standard with things like how well the keys are protected, the actual security of the cryptographic module, which can be hardware or software,” Roback divulges. “Whatever it takes to ensure network security is where division research is directed.”
Additional information on the Information Technology Laboratory Computer Security Division’s work in progress is available on the World Wide Web at http://csrc.nist.gov/publications/drafts.html.