X-Message-Number: 528
Date: Tue, 5 Nov 91 12:22:27 PST
From:
Subject: Re: cryonics: #523 - #524

Cr#524 raises the issue of Alcor security. I strongly suggest that this be followed up with all seriousness.

I specifically suggest that all sensitive source documents (paper media) be kept in an extremely secure environment under lock, key and guard. For everyday access this information should be "on-line" (electronic media), but encrypted.

If a password system is used to gain access to the decryption key, care must be taken that they cannot be easily discovered. There are "cracker" programs that can be run that try all passwords--starting with common ones, continuing with all words in the dictionary and finally all letter combinations. If the program can discover a password in less than some time period that seems reasonable based on the security arrangements, that password should be changed. Passwords should be changed periodically in any case. Another tactic is to have the decryption program refuse to execute for 8 hours after more than, say, five bad passwords have been tried in succession.

Also, it would be helpful if "digital signature" technology were used to provide authentication of "on-line" documents (where appropriate). I suggest using the RSA algorithm--both for encryption and authentication.

The RSA algorithm uses two independent keys--one for encryption, and a completely different one for decryption. To communicate a confidential message, the recipient publishes the encryption key, so that anyone may send him a confidential message. He keeps the decryption key secret--so that only he may decrypt messages encrypted with the published key.

For authentication via digital signature, the sender publishes a decryption key but keeps the encryption key secret. The digital signature is generated by encrypting either the entire document--or some "check-sum" thereof--using the secret encryption key. Anyone can then decrypt the signature using the published decryption key. Such decryption would only work if the signature had been encrypted using the secret encryption key known only to the sender. If the signature decrypts to what it's supposed to, using the alleged sender's published key, then the alleged sender must be the actual sender.

Alcor must be concerned not only with confidential information being stolen by spies, but with agents provocateurs deliberately falsifying Alcor's documents. They might do this in order to incriminate ("frame") Alcor, to sabotage Alcor's operations for harassment purposes, or simply to steal the estate of a suspension member (remember the Dick Jones affair!).

The RSA algorithm should provide protection even from someone with resources such as the NSA ("No Such Agency"). The weak link would then be physical security. Unencrypted data should therefore never be written to disk, but should exist temporarily in RAM only. At least, any such data on disk must be truly erased after each use. Removing the directory entry is not sufficient.

Another advantage of the RSA algorithm is that the keys are short enough (roughly 80 base-36 digits--which is equivalent to 124 base-10 digits, and is generally considered sufficient) that they can be kept offline and entered by hand using a keyboard.

Only the most trusted personnel should have access to the secret keys. It should not be necessary for an officeworker to know a key in order to work with encrypted data. A trusted person should be able to enter the key once at the start of a job to be completed by a less trusted officeworker. It should not then be possible for the officeworker to decrypt files not related to the authorized task. One tactic to accomplish this would be to provide a different set of keys--for both confidentiality and authentication--for each suspension member or other logically separate business function. Generally, confidential information should be shared on a strictly "need to know" basis.

Finally, the security arrangements must be tested against attempts to bypass them. Such attempts should occur at random times by authorized persons--perhaps paid professionals--without the knowledge of those responsible for day-to-day operations. Security procedures should be changed as necessary based on the results of the "audit by fire."

If such a security system is not put in place, there will come a time when Alcor will wish it had been. TANSTAAFL.

--alan ()

[ FYI: Both the extropians mailing list () and LiberNet () recently posted messages about an RSA-based public key encryption email system called PGP (Pretty Good Protection). I have not used it myself, but FYI I have placed those messages in file 528.1 so that you can retrieve them by sending email to me with the "Subject" line "CRYOMSG 528.1".

Of course, if you want to get really paranoid, there are plenty of opportunities. A recent issue of a USENET publication called "Computer Underground Digest" mentioned a demonstration of "TEMPEST technology (picking up the radio waves from a monitor, and being able to display what's being typed up to 1.5 miles away)," so shielding of all monitors may be on the agenda of the most security minded. (Please let me know if this story about TEMPEST technology is just somebody's joke.)

And don't forget the worst security threat of all, being so secure that no useful work can get done any more! :-) - KQB ]
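The message above proposes a "cracker" that tries common passwords, then dictionary words, then every letter combination, and a decryption program that refuses to run for 8 hours after five consecutive bad passwords. The following is an added example (not code from the message or from Alcor) that puts both side by side: a password-protected key store with that lockout policy, and a guesser that runs in the described order. The word lists, salt, key bytes and fake clock are constructed for the demo. The practitioner's caveat it demonstrates is that the lockout only slows an attacker who must go through the program; an attacker who has copied the stored password digest (or the encrypted files) can guess offline without any limit, so the password must still survive the "reasonable time period" test on its own.

```python
"""Password guessing in the order the message describes (common passwords,
dictionary words, then every letter combination) against a key store that
refuses to run for 8 hours after five consecutive bad passwords.
Added example; word lists, salt and clock are constructed for the demo."""
import hashlib
import hmac
import itertools
import string
import time

# Constructed guess lists; a real cracker carries far larger ones.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "alcor"]
DICTIONARY_WORDS = ["apple", "banana", "cryonics", "dewar", "nitrogen", "secret", "winter"]


class LockedOut(Exception):
    """Raised while the key store is refusing all attempts."""


class KeyStore:
    """Keeps a decryption key behind a password, with the message's lockout policy."""

    MAX_FAILURES = 5            # locks after the fifth consecutive bad password
    LOCKOUT_SECONDS = 8 * 3600  # "refuse to execute for 8 hours"
    KDF_ITERATIONS = 20_000     # makes each guess cost something; raise in production

    def __init__(self, password: str, key: bytes, clock=time.monotonic):
        self._salt = b"constructed-fixed-salt"  # use a random salt per store in practice
        self._digest = self._kdf(password)
        self._key = key
        self._clock = clock                      # injectable so the lockout can be tested
        self._failures = 0
        self._locked_until = 0.0

    def _kdf(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, self.KDF_ITERATIONS)

    def unlock(self, password: str):
        """Return the key on success, None on a bad password; raise LockedOut while locked."""
        now = self._clock()
        if now < self._locked_until:
            raise LockedOut(f"locked for {self._locked_until - now:.0f} more seconds")
        if hmac.compare_digest(self._kdf(password), self._digest):
            self._failures = 0
            return self._key
        self._failures += 1
        if self._failures >= self.MAX_FAILURES:
            self._failures = 0
            self._locked_until = now + self.LOCKOUT_SECONDS
        return None

    def offline_check(self, password: str) -> bool:
        """What an attacker holding a stolen copy of the digest can do: no lockout applies."""
        return hmac.compare_digest(self._kdf(password), self._digest)


def guesses(alphabet: str = string.ascii_lowercase, max_len: int = 4):
    """Yield candidates: common passwords, dictionary words, then all letter combinations."""
    seen = set()
    for word in COMMON_PASSWORDS + DICTIONARY_WORDS:
        if word not in seen:
            seen.add(word)
            yield word
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            word = "".join(combo)
            if word not in seen:
                yield word


def crack(check, max_len: int = 4):
    """Feed guesses to check(password) -> bool. Return (password or None, guesses evaluated)."""
    attempts = 0
    for guess in guesses(max_len=max_len):
        try:
            attempts += 1
            if check(guess):
                return guess, attempts
        except LockedOut:
            return None, attempts - 1  # the attempt that hit the lockout was never evaluated
    return None, attempts


def exhaustive_search_time(alphabet_size: int, max_len: int, guesses_per_second: float) -> float:
    """Seconds to try every combination up to max_len at the given rate: the figure to
    compare against whatever period the security arrangements treat as reasonable."""
    total = sum(alphabet_size ** n for n in range(1, max_len + 1))
    return total / guesses_per_second


if __name__ == "__main__":
    store = KeyStore("ab", b"constructed-decryption-key")
    print("online, through the program:", crack(lambda g: store.unlock(g) is not None))
    print("offline, against a stolen digest:", crack(store.offline_check))
    print("8 lowercase letters at 1e9 guesses/s: %.0f s" % exhaustive_search_time(26, 8, 1e9))
```

Run stand-alone, the online run stops after five evaluated guesses with the store locked, while the offline run finds the weak password "ab" on the 40th guess (12 list words, 26 single letters, then "aa" and "ab"). The lockout buys time only while the digest and ciphertext stay on the guarded machine, which is exactly why the message's physical-security point matters.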