Over the past decade, the move to IP (Internet Protocol) level communications, commonly referred to as Voice over Internet Protocol (VoIP), has been driven by cost savings and gained large momentum in 2007 and 2008. Coupled with the movement to Unified Communications Platforms combining voice, video, text and e-mail, cost reductions and productivity gains have been realized. In all of these cases, security has been an afterthought. Additionally, Short Message Service (SMS) text messaging is growing at 78% per year. It provides a ubiquitous global network for all forms of cellular text-based communication. The challenge from a command-and-control perspective is that all communications are executed in clear text. Once again, security is an afterthought.
One must first understand the overall security situation. There are a series of trends that impact mobile voice, data, and text communications regardless of whether a litany of known threats or breaches has been made public. For example, recent advancements in hacking encryption show that utilization of a small number of computer game controllers can crack Secure Socket Layer (SSL) protection on Web sites. SSL is the mainstay of secured Web transactions globally for personal, private, financial, and government transactions.
Complicating voice, data, and text communications is the general state of network security in the industrial world. Per 2008 studies by Price Waterhouse Coopers and Verizon Business, respectively, the number one threat to any network is the level of security, policy commitment, partner networks, and specifically, the system administrators on those networks. Additionally, a series of internal yearlong attacks within U.S. government networks have resulted in sensitive data being sent to server locations around the world. The most public example is the Poison Ivy attack of March 20, 2008. As reported in Business Week, April 21, 2008 edition:
Poison Ivy is part of a new type of digital intruder rendering traditional perimeter defense like firewalls virtually useless.
This year we have witnessed the exposé of Ghostnet, a cyber espionage network of over 1,295 infected computers in 103 countries, 30% of which were high-value targets, including ministries of foreign affairs, embassies, international organizations, news media, and non-governmental organizations (NGOs).
Whether it is attacks on financial, health care, e-mail, or the U.S. government, they are becoming more prevalent and sophisticated. The vectors of these attacks come from both inside and outside of the network, and show no sign of decreasing. Specifically, the Department of Defense (DoD) and other U.S. government security/intelligence agencies, including the United States Special Operations Command (USSOCOM) coalition partners are facing the challenges associated with the complacency of adopting new communication technologies. Several observations demonstrate the new technologies that are being used by common enemies of the U.S. and coalition partners:
1. The DoD and the U.S. government are under daily attack. As accomplished by the Poison Ivy virus, the bar representing attack sophistication has been raised.
2. Open Source Security Projects, circa 1998-2003. A search shows that open source project development for secured communications was high during 1998-2003. Upon closer examination, secure storage, secure communications, and extensible information frameworks sourced by individuals from Pakistan, Afghanistan, Iran, Iraq, Egypt, and Saudi Arabia can be found. Although many of these projects were abandoned in terms of development, the code to utilize the project remains available to anyone with Internet access.
3. Between the Taliban and al-Qaeda, the average age of their personnel leveraging (determining and using) technology is less than 30 years old. The average age of decision makers in the DoD is typically over the age of 50. One only has to observe the differences in technology uses by 45-year-old parents and their 10- to 20-year-old children to understand the potential threat this poses.
4. Coalition enemies regularly deploy communication servers and services for short periods, then take them down intermittently or move them while changing the network characteristics. Communication between their command centers and the field is secured, timely, and mobile.
5. The best and most recent public example of enemy use of these technologies is the Mumbai terrorist attacks in November 2008. The enemy utilized encrypted voice, encrypted text, encrypted storage, secured Web servers, and messaging. Electronically, the victims and protectors of the facilities attacked could not see them coming.
6. The internal threat—in a recent survey 33% of employees indicated they would accept financial payment for providing outsiders with internal corporate and private information. This is a disturbing piece of information and requires management systems that can avert the transmission of such material information and data.
There are obviously consequences. An Ipsos MORI survey for ArmstrongAdams shows that 55% of British bank account holders are likely to switch their accounts to a different bank if their existing provider lost their personal details. Consequently, this could mean a loss of customers, a loss of reputation, and drop in share price, etc. What would a communication breach mean for the DoD and coalition partners? Essentially, a compromise of classified data.
Are there any correlations to the Allies’ advantage in World War II for having the ability to crack the secured communications of Germany and Japan? What about the advantages China gained after obtaining intelligence from the Poison Ivy and Ghostnet attacks? Comparably, what advantages does the enemy have when we do not even know the breach has occurred? Given this, the current state of communications security creates significant breach vectors for critical, sensitive, and secure information. Examples include:
• Traditional Ma Bell type communications occur on a private network and are rather secure. They can be tapped; however, this requires a hardware tap and must be legally approved.
• Cellular networks are not authenticated or encrypted. A simple $35 Fisher Price baby monitor can listen into a GSM (Global System for Mobile) phone call if positioned within 100 feet of the phone.
• Voice over Internet Protocol (VoIP) saves significant cost and offers newly integrated capabilities through converging communication approaches. The VoIP standards do not offer security as part of the solution. Both open source and commercial sniffers allow for eavesdropping of phone calls, conferences, and text chat sessions inside and outside of the firewall.
• Internet Messaging (IM) is generally unencrypted and usually stored by parent or Internet Service Provider (ISP) organizations for regulatory purposes.
• SMS text messaging is not encrypted and is available to be breached in the open airwaves.
• E-mail is not encrypted and is stored on servers centrally by corporations and ISPs alike. Of note, BlackBerry (Research in Motion, RIM) messages travel through Canada and are stored on RIM servers.
• Twitter, a popular broadcast system, has no encryption of messaging.
Web 2.0 technologies are driving open network communications. The pressure to leverage this capability, and the fact that U.S. enemies have been doing this for 15 years, complicates the challenge to electronically fight the enemy and remain secure. The challenge for the DoD and other law enforcement/intelligence/security-based agencies is not purely the establishment of new technologies to increase capabilities and productivity, but to maintain and secure existing capabilities, while still allowing the agencies to communicate without an enemy breach.
This section reviews several areas of secure and private communications. Included are encryption methods, authentication methods, methods for leveraging open and globally commercial protocols and networks, and risk management methods for mobile devices.
Multiple factors of authentication, including signal processing for proximity authentication, advanced biometric solutions, and the methods listed below, may all be used for maintaining the confidentiality, integrity and availability of voice and data transmissions.
There are several methods of authentication used to determine trust. These include:
• Who you are
• What you have
• What you know
• Where you are
• When you are
Establishing trust for a communications session is the first step in securing and privatizing the communications. On the Internet, for example, there is no trust established. Everything you place on it is open to the world to access. In the DoD, a Common Access Card (CAC) is utilized to provide multiple levels of authentication that control access to information and cryptography methods. Many have made proposals to move beyond the CAC implementation using multiple (more than two) factors to create verifiable authentication. In the field, the user will be capable of accessing classified data banks and both receive and provide classified data in a fluid environment outside the parameters usually reserved for a sensitive compartmented information facility (SCIF).
Software authentication systems today utilize a variety of methods to provide for authorized use of the system, or not, as the case may be. In mobile devices, the primary method of security has been and continues to be the use of a user ID and password that provides limited security. The methodology employs two-factor authentication of “who I am” and “what I know.” In reality, however, it is a simple one-factor method since the device automatically recognizes the “who” by default. It is the same method as employed on most computer systems today.
In an effort to make security both real time and robust, new methods must be employed. The use of biometrics (e.g., face, fingerprints, voice patterns, palm prints, iris images, etc.) will improve security, since biometrics is uniquely integral to an individual person. Recognition includes verification (authenticating or rejecting a claimed identity) and identification (matching a presented biometric to one of several in a database). Research has been very robust in a number of areas that include biometric authentication and are listed below:
• Facial recognition algorithms
• Fingerprint recognition methods
• Iris recognition methods
• Voice recognition
• Multi-modal biometric recognition approaches
• Factor X authentication
Live biometric authentication is both practical and has reached a high level of assurance. Methods have matured over the past decade for uses in both computer and mobile phones/computers alike. You will note a new phrase is being coined within biometrics called Factor X. Factor X authentication is the use of known biometric information that is very unique in principle and provides a very strong verifiable authentication to the user.
Rotating Encryption Keys and Temporal Keys During an Encryption Communication Session:
With the enhancement of authentication, the next challenge area is encryption itself. As a baseline, we position the following facts:
• Advanced Encryption Standard (AES) encryption is the accepted National Security Agency (NSA) standard for U.S. government data. Bit widths of 64, 128 and 256 are utilized for storage and communications.
• Secure Socket Layer (SSL) – Advanced Encryption Standard (AES) 128 bit is the globally accepted standard for secure Web communications.
• Hardware encryption is always more secure than software encryption. Software encryption stores specific encryption key information in dynamic memory in computers (phones, smartphones, notebooks, desktops, servers, or network devices) and offers a vector of attack. The Internet has several case studies available for how to thwart software encryption, and doing so often costs less than $20.
• Once communications are established, encryption keys remain static through the communications session with many implementations of static keys for the lifetime of communications between peer computers or persons.
In the case of authentication, it is the author’s position that this status quo is no longer satisfactory for securing privacy and communications, especially in a world where the largest threat comes from within and breaches may go undetected for months or even years, all the while allowing sensitive information to be sent out of our networks encrypted. To be secure, communications must move to highly authenticated encrypted streams of information for voice, data, text, multimedia, and more. As higher levels of mobility are required, mobile devices must encrypt and interoperate.
There are several specific and internationally patent pending enhancements recommended. Consider the following structure of a key:
• Start date / time information (1 to n)
• End date / time information (1 to n)
• Encryption type (1 to n)
• Encryption bits width (1 to n)
• Seed key (1 to n)
Temporal Keys—Temporal keys offer the ability to have a start date and time and an end date and time associated with the key. A key, therefore, is more than a simple seed key for the encryption algorithm. It carries information for date/time effectiveness, the type of encryption, an actual encryption seed and, to varying degrees, misinformation providing a sink hole should a key ever be breached in the future.
Rotating Keys—Rotating keys offer the ability to change a key within a communications session. The rotation takes place in a predetermined or manual fashion that is defined at key creation time. For automated rotation, we recommend the use of Greenwich Mean Time as the trigger to automate the rotation. For manual rotation, we recommend an override of automation and a manual method for the operator to designate the key.
Dynamic Keys—As opposed to the status quo of providing a static key between end points once authenticated, authenticated keys should be dynamic between users. That is, a key could be used between the command and mission team alpha for operational information, while another key is used between the command and mission team alpha for tactical research communications. This provides an additional level of encrypted stream information, many times in the air, which changes on the enemy, thereby requiring any vectored attack to begin at square one.
Key Obscurity—The key should never be distributed as part of the communication stream. The status quo of Diffie-Hellman key exchanges in the authentication and seed key definition process provides information on the wire, or the air, by which to vector an attack. It is recommended that key distribution be completed via a mechanism outside the main communications capability between endpoints.
In conclusion, a key is more than a simple seed key for the encryption algorithm. A key may also represent information for date/time effectiveness, type of encryption, and contrived misinformation by providing a sink hole should a key ever be breached. The key has the ability to be a master key with the ability to store more than actual seed keys to perform the encryption. Rotating the keys provides a very high level of security. Automating the rotation of keys with no user intervention provides a level of cipher security, which targets the security of the communications streams for a dozen or more years to come. With the advent of faster computers to attack this design, higher levels of encryption with enhanced algorithms and bit widths can be utilized, therefore making it extensible into the future. This process also bodes well for the combatants under extreme stress and lack of time.
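The key structure and the temporal, rotating and dynamic key behaviour described above can be sketched as follows. This is an added illustration, not the authors' patent-pending design: the class names, the hourly windows, the channel labels and the HMAC-SHA256 derivation of per-channel keys are all assumptions, and the record is assumed to have been loaded on both endpoints out of band.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


class NoValidKey(Exception):
    """No slot covers the requested time: fail closed, never reuse an old key."""


@dataclass(frozen=True)
class KeySlot:
    """One entry of the key record, mirroring the five fields listed above."""
    start: datetime   # start date/time (UTC, inclusive)
    end: datetime     # end date/time (UTC, exclusive)
    cipher: str       # encryption type
    bits: int         # encryption bit width
    seed: bytes       # seed key, distributed out of band


class KeyRecord:
    def __init__(self, slots):
        self.slots = sorted(slots, key=lambda s: s.start)
        for s in self.slots:
            if s.start.tzinfo is None or s.end.tzinfo is None:
                raise ValueError("slot times must be timezone-aware (UTC)")
            if s.end <= s.start or s.bits % 8 or not 0 < s.bits <= 256:
                raise ValueError("invalid validity window or bit width")
        for prev, nxt in zip(self.slots, self.slots[1:]):
            if nxt.start < prev.end:
                raise ValueError("validity windows overlap")

    def active(self, now):
        """Temporal key: return the slot whose window contains `now`."""
        if now.tzinfo is None:
            raise ValueError("now must be timezone-aware (UTC)")
        for s in self.slots:
            if s.start <= now < s.end:
                return s
        raise NoValidKey(now.isoformat())

    def session_key(self, now, channel):
        """Rotating + dynamic key: changes with the clock and with the channel."""
        s = self.active(now)
        label = "|".join([channel, s.cipher, str(s.bits), s.start.isoformat()])
        digest = hmac.new(s.seed, label.encode("utf-8"), hashlib.sha256).digest()
        return digest[: s.bits // 8]


# Constructed sample data: three one-hour slots with made-up seeds.
T0 = datetime(2009, 6, 1, 0, 0, tzinfo=timezone.utc)


def sample_record(hours=3):
    return KeyRecord([
        KeySlot(T0 + timedelta(hours=i), T0 + timedelta(hours=i + 1),
                "AES", 128, hashlib.sha256(b"constructed seed %d" % i).digest())
        for i in range(hours)
    ])


if __name__ == "__main__":
    rec = sample_record()
    for minutes in (30, 59, 60, 61):
        t = T0 + timedelta(minutes=minutes)
        print(t.isoformat(), rec.session_key(t, "command/alpha/operational").hex())
```

Both endpoints compute the same key from the shared record and their own clocks, so nothing about the key crosses the communication stream; clock skew at a rotation boundary is the operational issue a real deployment would have to handle.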
SMS text messaging is rapidly becoming the predominant method of communication not merely for personal messages to friends and family, but also for the global delivery of strategic and tactical messages for business and government alike. Whether sending or receiving financial information from clients, passing instructions to field personnel, or communicating emergency messages for businesses and government organizations, communicating via SMS is the communications method of choice today. The challenge in using SMS text for business, emergency, and tactical communications is message tracking for regulatory requirements, and message privacy and security. Specifically, it is available in the open, free and clear. It is also extensible and available in every global location where cell phones are used.
Closely associated with this messaging is Twitter. In this case, the messaging is based on centralized servers where each individual advises members of his or her group or community of his or her status. Finally, there is Internet messaging, available for the last 15-20 years in different forms. The challenge in all three cases is privacy and security. Nothing is encrypted and authentication is nonexistent or weak. Your messages travel through wired and wireless networks without privacy and security.
As in the case of voice, authenticating and encrypting messages is recommended. The challenge with authenticating this arena is the overhead associated with sharing your credentials with hundreds or thousands of other parties. Simply stated, it isn’t manageable with conventional techniques and therefore, rarely used. A different approach is recommended for authentication, which by definition allows for unique point-to-point encryption without the overhead.
The internationally patent pending approach utilizes communications servers to establish trust and credentials with each end point, thus allowing the centralized server to manage the authentication, the encryption keys, and the communications themselves. With all communications traversing through a central server, authentication is required only between the server and each end point, as opposed to each end point authenticating with each other.
SMS is the largest global messaging platform with over 2 trillion messages per year. Traditionally, an SMS text message traverses through a cellular network from one cell phone to the other. To secure and privatize this architecture, each user is required to exchange credentials with everyone they communicate with. Encryption is then established, typically with static keys. Switching the architecture to build communities of interest on a server for SMS communications not only allows for higher security, but also allows for additional features that are not available in the standard text messaging capabilities of cellular phones. These features include:
• Unique authentication between each phone and the server.
• Unique encryption between each phone and the server.
• Audit trail of messages on the server for regulatory and audit purposes.
• Broadcasting of encrypted messages to a group of phones from the server through a portal interface.
• Broadcasting of encrypted messages to a subgroup of phones from the server through a portal interface.
• Reply from the phones to centralized broadcasts.
• 1-to-1 messaging from one cell phone to another cell phone.
• 1-to-many messaging from one cell phone to all members of a group.
• 1-to-many messaging from one cell phone to a subgroup of members.
With SMS text messaging as an example, this architecture allows for secure and private messaging over an open cellular network. This technique can be applied to all forms of messaging previously discussed.
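The server-mediated arrangement above, reduced to its authentication, group fan-out and audit trail, is shown in this added example (not the authors' implementation). The `Hub` class, the message fields, the per-sender counter used for replay rejection and the use of HMAC-SHA256 are assumptions; link encryption under the same per-phone keys is left out.

```python
import hashlib
import hmac


def mac(key, *fields):
    """HMAC-SHA256 over length-prefixed fields so field boundaries cannot shift."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for f in fields:
        data = f.encode("utf-8")
        h.update(len(data).to_bytes(4, "big") + data)
    return h.digest()


class Rejected(Exception):
    pass


class Hub:
    """Central server: the only party each phone shares a credential with."""

    def __init__(self):
        self.keys = {}          # phone id -> key unique to that phone
        self.groups = {}        # group name -> set of phone ids
        self.last_counter = {}  # phone id -> highest counter accepted so far
        self.audit = []         # audit trail of accepted and rejected messages

    def enroll(self, phone, key, groups):
        self.keys[phone] = key
        for g in groups:
            self.groups.setdefault(g, set()).add(phone)

    def _reject(self, sender, group, why):
        self.audit.append(("rejected", sender, group, why))
        raise Rejected(why)

    def submit(self, sender, counter, group, body, tag):
        """Verify the sender, log the message, re-authenticate it per recipient."""
        key = self.keys.get(sender)
        if key is None:
            self._reject(sender, group, "unknown sender")
        expected = mac(key, "submit", sender, str(counter), group, body)
        if not hmac.compare_digest(tag, expected):
            self._reject(sender, group, "bad tag")
        if counter <= self.last_counter.get(sender, -1):
            self._reject(sender, group, "replay")
        if sender not in self.groups.get(group, ()):
            self._reject(sender, group, "not a member")
        self.last_counter[sender] = counter
        self.audit.append(("accepted", sender, group, body))
        return {
            member: (sender, group, body,
                     mac(self.keys[member], "deliver", member, sender, group, body))
            for member in sorted(self.groups[group]) if member != sender
        }


def phone_submit(key, sender, counter, group, body):
    """Phone side: tag an outgoing message with the key shared with the hub."""
    return mac(key, "submit", sender, str(counter), group, body)


def phone_accept(key, me, delivery):
    """Phone side: accept a delivery only if the hub tagged it for this phone."""
    sender, group, body, tag = delivery
    return hmac.compare_digest(tag, mac(key, "deliver", me, sender, group, body))


def credentials_needed(n, via_hub):
    """Credentials to manage for n phones: n with a hub, n(n-1)/2 pairwise."""
    return n if via_hub else n * (n - 1) // 2


def sample_hub():
    """Constructed sample: three phones, one group 'all' and one subgroup 'alpha'."""
    members = {"alpha-1": ["all", "alpha"], "alpha-2": ["all", "alpha"],
               "bravo-1": ["all"]}
    keys = {p: hashlib.sha256(b"constructed key for " + p.encode()).digest()
            for p in members}
    hub = Hub()
    for phone, groups in members.items():
        hub.enroll(phone, keys[phone], groups)
    return hub, keys
```

Because the hub holds every phone's key and sees every message body, it concentrates trust: its key store and audit log need the strongest protection in the system.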
Risk management is contingent upon many variables, particularly in a combat environment. However, at the core of it, risk must be tied to a hallmark issue and that issue is the compromise of classified data. If the device is lost, it must be rendered useless to anyone except the authorized user. This may be accomplished by several methods:
1. If lost and retrieved by enemy or unauthorized personnel:
• Password fails on predetermined number of attempts.
o Failure renders the device incapacitated.
2. In the event that the password is somehow identified and authenticated:
• A failed fingerprint biometric authentication renders the device incapacitated.
• This would be accomplished in a simple one-to-one ratio, or effectively a biometric ‘syn’ – ‘ack’ process that, when it fails, sets into motion a series of actions that render the device incapacitated.
3. If both password and fingerprint are somehow identified and authenticated:
• Thermal recognition of the fingerprint must be authenticated; or
• Factor X authentication must be recognized for the user.
Failure of either should render the device incapacitated. Of course, the methods of authentication above are occurring in the background without the knowledge of the user, thereby adding yet another layer of security.
4. If lost and not retrieved:
• G.P.S. (Global Positioning System) initiated incapacitation.
• Recognition of loss sets into motion a series of events that remotely disable the device, rendering it incapacitated. This method also provides for an opportunity to recover the device, should that decision be of value to the user organization.
If the device is stolen, then it becomes a rogue device in one sense, because it is no longer in the hands of the intended user. Under these circumstances, the methods described above also apply. If accessed through the capture of personnel or battlefield recovery, the device becomes rogue and the command is faced with a difficult task to incapacitate it. The command, including a user under duress and able to act, must determine if the device should be incapacitated. This can be broken into several situations:
1. Captured personnel— able to use the device with the security methods that are available to verify the user:
a. In this circumstance, a failsafe code may be entered to render the device incapacitated.
b. Intentional failure of the password will render incapacitation of the device.
c. The use of the wrong or non-validated fingerprint will render the device incapacitated.
d. Physical destruction of the device may be initiated prior to capture.
2. Captured personnel unable to use the device due to an injury or other problems such as unconsciousness:
a. Password fails on a predetermined number of attempts.
b. Failure renders the device incapacitated.
c. In the event the password is somehow identified and authenticated, a failed fingerprint biometric authentication will render the device incapacitated.
d. This would be accomplished in a simple one-to-one ratio, or effectively a biometric ‘syn’ – ‘ack’ process that, when it fails, sets into motion a series of actions that render the device incapacitated.
e. G.P.S. initiated incapacitation activated by a higher authority with knowledge of capture.
f. Recognition of loss sets into motion a series of events to remotely disable the device and render it incapacitated.
3. If the decision is made by higher authority to disable the device by remote access and render it incapacitated, see 2.e. above.
4. If a decision is made by higher authority to selectively incapacitate the device, it may be of interest to a higher authority to use the device for information gathering/tracking, thereby setting into motion a disabling function rather than a total incapacitation of the device.
5. If a decision is made by the user to selectively incapacitate the device, it may be a user benefit to utilize the device for information gathering/tracking (specifically for recovery), thereby setting into motion a disabling function rather than a total incapacitation of the device.
6. The last method of incapacitation has been reserved for extreme consideration. We may refer to it as Factor X incapacitation. This method would utilize a discreet signal from the battlefield to render the device incapacitated. That signal may result from a close range explosion such as a grenade, rocket, or artillery round that generates enough force to render the user incapacitated and then sets into motion a series of events that automatically incapacitate the device.
We have discussed a series of events in the preceding sections that provide options for incapacitating the device in a hostile environment under varied conditions. But what are those events and how will they function?
Through a password failure as described above, the device could either be incapacitated or simply disabled for a certain period of time. In either event, an alert would be sent to the higher authority indicating a password breach has occurred, providing the higher command with additional options.
Should the password be acquired, but the fingerprint authentication fails, the device could either be disabled or incapacitated based upon the needs of higher command. As noted above, an alert would be sent simultaneously to command indicating the failure and would provide additional options.
Should the password and fingerprint authenticate, but a thermal image fails because the finger used is below body temperature or not compliant with an embedded thermal image, as in the case of a severed digit, then the device would be rendered incapacitated. The same applies with Factor X as the next layer of authentication: a failure would render the device incapacitated.
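The escalation just described (password, then fingerprint, then thermal check, then Factor X, with disable versus incapacitate chosen by command) can be written as a small fail-closed state machine. This is an added sketch, not code from the authors: the threshold of three attempts, the 900-second disable period, the alert callback and the choice to alert on every state change are assumptions.

```python
import math
from dataclasses import dataclass
from enum import Enum


class State(Enum):
    ACTIVE = "active"
    DISABLED = "disabled"            # temporary; the device can still be tracked
    INCAPACITATED = "incapacitated"  # terminal; nothing re-enables the device


@dataclass
class Policy:
    # Assumed values: the article says only "predetermined number of attempts"
    # and "a certain period of time", and leaves both actions to command.
    max_password_failures: int = 3
    disable_seconds: float = 900
    password_action: State = State.DISABLED
    fingerprint_action: State = State.INCAPACITATED


class Device:
    def __init__(self, policy, alert):
        self.policy = policy
        self.alert = alert           # callable(reason, state) notifying command
        self.state = State.ACTIVE
        self.bad_passwords = 0
        self.disabled_until = 0.0

    def _enter(self, state, reason, until=math.inf):
        if self.state is State.INCAPACITATED:
            return self.state        # terminal state is never left or re-alerted
        self.state = state
        if state is State.DISABLED:
            self.disabled_until = until
        self.alert(reason, state)
        return self.state

    def unlock(self, now, password_ok, fingerprint_ok, thermal_ok, factor_x_ok):
        """Return True only if every layer passes while the device is active."""
        if self.state is State.INCAPACITATED:
            return False
        if self.state is State.DISABLED:
            if now < self.disabled_until:
                return False         # fail closed, even for correct credentials
            self.state, self.bad_passwords = State.ACTIVE, 0
        if not password_ok:
            self.bad_passwords += 1
            if self.bad_passwords >= self.policy.max_password_failures:
                self._enter(self.policy.password_action, "password",
                            now + self.policy.disable_seconds)
            return False
        if not fingerprint_ok:
            self._enter(self.policy.fingerprint_action, "fingerprint",
                        now + self.policy.disable_seconds)
            return False
        if not thermal_ok:           # e.g. finger below body temperature
            self._enter(State.INCAPACITATED, "thermal")
            return False
        if not factor_x_ok:
            self._enter(State.INCAPACITATED, "factor-x")
            return False
        self.bad_passwords = 0
        return True

    def remote_command(self, selective):
        """Higher authority: selective disable (no expiry) or total incapacitation."""
        target = State.DISABLED if selective else State.INCAPACITATED
        return self._enter(target, "remote")
```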
Mobile devices today have the capability to use passwords and with modification, voice actuated methods. To increase the levels of security for the information that will be used and transmitted with this device, one may incorporate the use of fingerprint on a touchpad mobile device using elliptical curve methods to verify the user as an entry-level security measure.
Additional security measures will include the use of advanced biometrics (Factor X authentication) as another layer of security for the use of the device, rotating keys, and secured messaging over public and global communications channels.
In the near future, new technologies may provide additional security methodologies for the secured transmission of information whether voice, graphic, video stream or textual in nature.
Grow, Brian, Keith Epstein and Chi-Chu Tschang. April 21, 2008. The New E-spionage Threat. Business Week. http://www.businessweek.com/magazine/content/08_16/b4080032218430.htm?chan=magazine+channel_top+stories
Baker, Wade H., C. David Hylender, A. Bryan Sartin, Peter Tippett, and J. Andrew Valentine. 2008 Verizon Data Breach Report. http://220.127.116.11/search?q=cache:wMA4L6VoL
Information Warfare Monitor. 2009. “Tracking GhostNet: Investigating a Cyber Espionage Network.” http://www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network.
Swcherman. 2009. Press Release. Sourcewire.com. 23 million British bank account holders are likely to switch their bank account if existing provider suffers loss of personal details of its customers. http://www.sourcewire.com/releases/rel_display.php?relid=LggQg
Deccan Herald, 2009, FBI hands over evidence over Mumbai attack to Pak: Report, http://www.deccanherald.com/CONTENT/Jan42009/foreign20090104110597.asp?section=updatenews
Whitworth, Martin. 2006. VoIP- A Call for Better Protection. Science Direct. http://www.sciencedirect.com/science?_ob=ArticleURL&_udi=B6VJG-4JV5MJ5-7&_user=10&_rdoc=1&_fmt=&_orig=search&_sort=d&view=c&_acct=C000050221&_version=1&_urlVersion=0&_userid=10&md5=5c5c7acebc3c692d565fd95048e7cdfb
Knight, Will. 2001. Computer program raises possibility of voice theft. New Scientist. http://www.newscientist.com/article/dn1148
Credant, Inc. 2009. Press Release. UK Businesses Left Vulnerable By Naïve Mobile Phone Users, http://www.credant.com/news-a-events/pressreleases/338-uk-businesses-left-vulnerable-by-naivemobile-phone-users-.html
Ives, R. W., Y. Du, D. M. Etter, and T. B. Welch. August 2005. A Multidisciplinary Approach to Biometrics. IEEE Transactions on Education. Vol. 48, No. 3, pp. 462-471. http://www.usna.edu/EE/bioWeb/Papers/Transactions_on_Education_Vol48_No3.pdf
Mr. Thomas Gluzinski has over 29 years of experience in all areas of Information and Physical Security Management. As a military officer, he has served at the tactical, operational, and strategic levels. He served on the joint operations staff to integrate joint operations across all services and utilized those assets and their associated resources for high-risk operations. Gluzinski can be reached at firstname.lastname@example.org
Peter Rung is the CEO of I.D. Rank Security, Inc. Rung has extensive management and business start-up consulting and technology experience in large and small companies focusing on security, operations, and finance. Rung can be reached at email@example.com
David Boubion is a marketing and business strategist with strong international business experience in Europe, North America, and Asia. Past industry experience includes mobile phone applications, mobile network computing applications, fingerprint biometrics, and data security. Boubion can be reached at firstname.lastname@example.org