X-Message-Number: 528
Date: Tue, 5 Nov 91 12:22:27 PST
From: 
Subject: Re:  cryonics: #523 - #524

Cr#524 raises the issue of Alcor security.  I strongly suggest that
this be followed up with all seriousness.  

I specifically suggest that all sensitive source documents (paper
media) be kept in an extremely secure environment under lock, key and
guard.  For everyday access this information should be "on-line"
(electronic media), but encrypted.  If a password system is used to
gain access to the decryption key, care must be taken that they cannot
be easily discovered.  There are "cracker" programs that can be run
that try all passwords--starting with common ones, continuing with all
words in the dictionary and finally all letter combinations.  If the
program can discover a password in less than some time period that
seems reasonable based on the security arrangements, that password
should be changed.  Passwords should be changed periodically in any
case.  Another tactic is to have the decryption program refuse to execute
for 8 hours after more than, say, five bad passwords have been tried in
succession.  

Also, it would be helpful if "digital signature" technology were used
to provide authentication of "on-line" documents (where appropriate).
I suggest using the RSA algorithm--both for encryption and
authentication.  The RSA algorithm uses two independent keys--one for
encryption, and a completely different one for decryption.  To
communicate a confidential message, the recipient publishes the
encryption key, so that anyone may send him a confidential message.  He
keeps the decryption key secret--so that only he may decrypt messages
encrypted with the published key. 

For authentication via digital signature, the sender publishes a
decryption key but keeps the encryption key secret.  The digital
signature is generated by encrypting either the entire document--or
some "check-sum" thereof--using the secret encryption key.  Anyone can
then decrypt the signature using the published decryption key.  Such
decryption would only work if the signature had been encrypted using
the secret encryption key known only to the sender.  If the signature
decrypts to what it's supposed to, using the alleged sender's published
key, then the alleged sender must be the actual sender.

Alcor must be concerned not only with confidential information being
stolen by spies, but with agents provocateurs deliberately falsifying
Alcor's documents.  They might do this in order to incriminate ("frame")
Alcor, to sabotage Alcor's operations for harassment purposes, or simply to
steal the estate of a suspension member (remember the Dick Jones
affair!).

The RSA algorithm should provide protection even from someone with
resources such as the NSA ("No Such Agency").  The weak link would then
be physical security.  Unencrypted data should therefore never be
written to disk, but should exist temporarily in RAM only.  At least,
any such data on disk must be truly erased after each use.  Removing
the directory entry is not sufficient.

Another advantage of the RSA algorithm is that the keys are short
enough (roughly 80 base-36 digits--which is equivalent to 124 base 10
digits, and is generally considered sufficient) that they can be kept
offline and entered by hand using a keyboard.  

Only the most trusted personnel should have access to the secret keys.
It should not be necessary for an office worker to know a key in order
to work with encrypted data.  A trusted person should be able to enter
the key once at the start of a job to be completed by a less trusted
office worker.  It should not then be possible for the office worker to
decrypt files not related to the authorized task.  One tactic to
accomplish this would be to provide a different set of keys--for both
confidentiality and authentication--for each suspension member or other
logically separate business function.

Generally, confidential information should be shared on a strictly
"need to know" basis.

Finally, the security arrangements must be tested against attempts to
bypass them.  Such attempts should occur at random times by authorized
persons--perhaps paid professionals--without the knowledge of those
responsible for day-to-day operations.  Security procedures should be
changed as necessary based on the results of the "audit by fire."

If such a security system is not put in place, there will come a time when
Alcor will wish it had been.  TANSTAAFL.

--alan ()

[ FYI: Both the extropians mailing list ()
  and LiberNet () recently posted messages
  about an RSA-based public key encryption email system called PGP (Pretty
  Good Protection).  I have not used it myself, but FYI I have placed those
  messages in file 528.1 so that you can retrieve them by sending email to
  me with the "Subject" line "CRYOMSG 528.1".  Of course, if you want to get
  really paranoid, there are plenty of opportunities.  A recent issue of a
  USENET publication called "Computer Underground Digest" mentioned a
  demonstration of "TEMPEST technology (picking up the radio waves from a
  monitor, and being able to display what's being typed up to 1.5 miles away),"
  so shielding of all monitors may be on the agenda of the most security
  minded.  (Please let me know if this story about TEMPEST technology is just
  somebody's joke.)  And don't forget the worst security threat of all, being
  so secure that no useful work can get done any more! :-) - KQB ]
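The sign-with-the-secret-key, verify-with-the-published-key scheme described in the message above, as an added example that is not part of the original post or of any Alcor system: textbook RSA applied to a SHA-256 "check-sum" of the document, with demonstration-only key generation. The key size, the seed argument and the sample document are assumptions of this example; real deployments add signature padding (such as PSS) on top of this bare operation.

```python
import hashlib
import math
import random

def is_probable_prime(n, rng, rounds=16):
    # Miller-Rabin test; adequate for demonstration key generation.
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_keypair(bits=512, seed=None):
    # Returns ((e, n), (d, n)): the published key and the secret key.  The seed
    # is only for reproducible output; real keys must come from a CSPRNG.
    rng, e, half = random.Random(seed), 65537, bits // 2
    while True:
        p = rng.getrandbits(half) | (1 << (half - 1)) | 1  # full-size and odd
        if not is_probable_prime(p, rng):
            continue
        q = rng.getrandbits(half) | (1 << (half - 1)) | 1
        phi = (p - 1) * (q - 1)
        if q != p and is_probable_prime(q, rng) and math.gcd(e, phi) == 1:
            return (e, p * q), (pow(e, -1, phi), p * q)  # pow(e, -1, m): Python 3.8+

def checksum(document, n):
    # SHA-256 "check-sum" of the document, reduced to an integer below n.
    return int.from_bytes(hashlib.sha256(document).digest(), "big") % n

def sign(document, secret_key):
    # "Encrypt" the check-sum with the secret key: s = h^d mod n.
    d, n = secret_key
    return pow(checksum(document, n), d, n)

def verify(document, signature, public_key):
    # "Decrypt" with the published key; the result must equal the check-sum.
    e, n = public_key
    return pow(signature, e, n) == checksum(document, n)
```

With `public, secret = generate_keypair(seed=528)`, `verify(doc, sign(doc, secret), public)` returns True for the genuine document and False once a single byte of the document, the signature or the alleged signer's key is changed.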
