Presented at INMM in July 1998 (26th-30th), in Naples, Florida.
G. Martelle & K. Chitumbo
International Atomic Energy Agency
S. Kadner, M. Ondrik, J. Hoy
Aquila Technologies Group, Inc.
ABSTRACT
Cryptographic authentication has recently become a critical component
of data surety and access control within Safeguards organizations. Proof
of the authenticity of the data used to draw Safeguards conclusions
has long been a primary and critical aspect of the entire Safeguards
process. With the introduction of remote monitoring and networked review
stations, access control has begun to be a consideration of equal concern.
The cryptographic iButton provides the enabling technology that may
allow safeguards agencies to implement cryptographically secure access
to the sensitive Safeguards data as well as auditably demonstrate to
the member countries that information about their facilities is rigorously
access-controlled.
The iButton, made by Dallas Semiconductor, is a 16mm computer chip
housed in a stainless steel can (16mm diameter x 3-6 mm depth). The
iButton can be worn by a person or attached to an object for up-to-date
information at the point of use. The steel button is rugged enough to
withstand harsh outdoor environments; it is durable enough for a person
to wear every day on a digital accessory like a ring, key fob, wallet,
or badge. Information is transferred between the iButton and any PC
with a momentary contact, at up to 142K bits per second. The Cryptographic
iButton features very strong cryptography and has three immediate applications:
1) Secure E-mail: iButton users can have universal access to their email
from public connections - such as hotels, airports, and satellite offices
- and still be confident that their mail is private. 2) Internet commerce:
The iButton can store and manage units of value (such as money), and
3) Remote login authentication: Individuals on travel can access safeguards
databases directly from their PCs. iButtons can perform the sophisticated
challenge and response authentication typically required to access sensitive
information. This paper will investigate the safeguards applications
of the iButton, specifically in the areas of data access security and
data surety.
Introduction
Key management is the single most important aspect of all cryptography
applications. The security and effectiveness of cryptosystems reside
entirely in the keys. However, strong cryptography with weak key management
is equivalent to installing the world’s most secure lock on the
door and then leaving the key under the doormat. The lock itself is
unassailable, but no security is provided by the "system."
Implementations with this flaw are commonplace. For example, many disk
security products encrypt files with DES or RSA and then leave the keys
either in the file header or the directory. The files themselves are
well and truly encrypted, but no security is provided beyond frustration
of the casual browser.
At a broader level, it is important to note that most cryptosystems
have not been penetrated by analysis and "cracking the keys."
Instead, they were broken by finding weaknesses in the key management
process -- such as keys written on sticky notes and left where
anyone can appropriate them. The next most frequently used method of
breaking a security system is known as "rubber hose cryptanalysis."
That is, a person is bribed, blackmailed, tortured, or otherwise convinced
to reveal the keys or provide access to the key distribution center.
While cryptography itself cannot provide protection against these attacks,
they serve to illustrate that effective key management and distribution
is the most important element of overall system security.

Figure 1: iButton Dimensions
The Cryptographic iButton from Dallas Semiconductor (shown in Figure
1) provides a secure "container" for keys that can significantly
aid in reducing the complexity of key management. As the block diagram
in Figure 2 illustrates, this small semiconductor device contains a
computational engine with an arithmetic accelerator specifically designed
to perform the arcane mathematics of cryptography, such as modular exponentiation,
key generation, hashing, and others. The lasered serial number provides
unique component identification that can be extended to the attached
instrument. The true-time clock provides a time-stamping service for
strong authentication and the temperature sensor is used to destroy
any stored keys if the extreme temperatures associated with tampering
are detected.
All operational power as well as data transfers are implemented with
Dallas’ one-wire interface. The one-wire interface not only augments
the security provisions of the iButton, but also provides for a convenient
"touch to use" mechanism. The touch method eliminates all
clumsy interconnection cables, readers, and keypads.
Cryptographic Key Management
The term key management encompasses several processes and activities
associated with cryptographic keys, including:
- Key generation,
- Key registration,
- Key distribution, and
- Key certification
Key generation refers to the proper creation of keys and key-pairs
from "cryptographically adequate" random numbers. Using a
suitable seed, the iButton applies a hash function to randomize the
bits and then uses its specialized processor to create the requisite
prime numbers. From these it creates the private-public key pair needed
for authentication. This implementation solves two Safeguards implementation
issues. First, the key pair is generated within the iButton. Therefore
there is no need to install keys, with the associated security risks.
Second, the iButton has no mechanism for releasing the private key,
and destroys the key if the container is breached or overheated.

Figure 2: Block Diagram of iButton Functionality
Key registration is the process of securely storing and recording the
keys so that they cannot be altered by unauthorized persons and so that
they cannot possibly be lost. This is normally accomplished through
a simple database that connects particular keys to particular instruments
or people. When symmetric cryptography is used, the entire database
must be kept secret and secure. When public-key cryptography is used,
most of the database can be published. The iButton publishes the public
key electronically so that recording in the database requires no error-prone
keyboard input.
Key distribution is the process of securely delivering the necessary
keys to the people or systems that need them and who are authorized
to have them. Although it is true that absolutely secure distribution
of symmetric (secret) keys is theoretically impossible, there are some
relatively elaborate methods that permit sufficiently secure key distribution.

Figure 3: Crypto Ring
Cryptographic keys are truly nuisance numbers. They are large (180
digits) and random and therefore virtually impossible for a human to
remember, let alone keyboard error free. The iButton provides a convenient
"container" for carrying keys. It securely contains the user’s
private key and will not divulge that key even to the user. In addition,
it can contain several other public keys that can be divulged without
compromising the security of the system. The most popular iButton accessory
is a ring with the iButton as the set (shown in Figure 3). Key fobs
are another popular configuration.
Key certification is the "other hand" of key registration.
It is the mechanism by which users of keys verify that they have the
correct key, or that a key provided by an instrument data structure
is, in fact, the key that was registered to that instrument. This is
normally implemented by a database that connects the instrument to a
specific public key. The database is a read-only system so that anyone
can verify a public key but modification of a key is disallowed.
Safeguards Applications of the iButton
There are three broad categories of application within Safeguards that
the Cryptographic iButton is ideally suited for. There may be others
that arise as experience is gained.
Instrument Authentication
Remote and unattended monitoring applications require that the data
from the instruments be authenticated. The Safeguards requirement that
the data be verifiable after months in archive--without revealing keys
that would compromise other data security--can only be satisfied by
a digital signature created using public key cryptography. The primary
element of security for the data authentication implementation is that
the keys be generated in the instrument itself and that the private
key be completely inaccessible. It is not sufficient that the keys be
"loaded" into the instrument, since the loading process itself
provides a "window of opportunity" to tamper with the system.
Authentication can be implemented in an instrument either natively
or by use of an add-on device such as Aquila’s SafeComm dongle.
In either case, the instrument processor must perform the data
formatting and hashing; however, the cryptographic iButton can be the
means of secure key generation and storage as well as provide final
signatures of the data digest.
In the case of Aquila’s SafeComm dongle, the embedded PowerPC
processor performs basic data structuring according to rules specific
to the attached instrument. In addition, the processor applies the MD5
or SHA-1 one-way hash function from the BSAFE library to the input data.
The hash results are then input to the iButton where they are ID-stamped,
time-stamped, and encrypted with the private RSA key generated in the
button to provide the digital signature.
Clearly, the iButton does not perform all the necessary cryptographic
functions by itself. It does, however, vastly alleviate many of the
painful implementation problems associated with key generation, secure
key storage, and final signature processing.
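
The signing flow described above, together with the registry check from the key certification passage, as an added example (not code from the original paper, Aquila, or Dallas Semiconductor). ToyButton, stamp, verify, the serial number, and the key are hypothetical or constructed; SHA-256 replaces the paper's MD5/SHA-1, and unpadded RSA on a toy key is used only to stay within the standard library.

```python
import hashlib
from types import MappingProxyType

# Constructed toy RSA key built from known Mersenne primes: NOT secure. It stands
# in for the key pair the token generates internally and never releases.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537

def stamp(serial, now, digest):
    # Value that gets signed: digest bound to device ID and time. SHA-256 and
    # unpadded RSA are assumptions of this sketch, not the paper's scheme.
    blob = f"{serial}|{now}|".encode() + digest
    return int.from_bytes(hashlib.sha256(blob).digest(), "big")

class ToyButton:
    """Hypothetical model of the signing token; the private exponent stays inside."""
    def __init__(self, serial, p=P, q=Q):
        self.serial, self.public = serial, (p * q, E)
        self.__d = pow(E, -1, (p - 1) * (q - 1))      # no method exports this

    def sign(self, digest, now):
        sig = pow(stamp(self.serial, now, digest), self.__d, self.public[0])
        return {"serial": self.serial, "time": now, "digest": digest, "sig": sig}

def verify(record, data, registry):
    """Check an archived record using only the published key registration data."""
    key = registry.get(record["serial"])
    if key is None:
        return "unregistered instrument"
    if hashlib.sha256(data).digest() != record["digest"]:
        return "data altered"
    n, e = key
    expected = stamp(record["serial"], record["time"], record["digest"])
    return "ok" if pow(record["sig"], e, n) == expected else "bad signature"

def demo():
    cam = ToyButton("SN-0001")                              # constructed serial
    registry = MappingProxyType({cam.serial: cam.public})   # read-only view
    data = b"constructed surveillance frame 42"
    rec = cam.sign(hashlib.sha256(data).digest(), "1998-07-26T12:00:00Z")
    # A different key pair claiming the same serial number.
    other = ToyButton("SN-0001", q=2**1279 - 1).sign(rec["digest"], rec["time"])
    redated = {**rec, "time": "1999-01-01T00:00:00Z"}
    return [verify(r, d, registry) for r, d in
            ((rec, data), (rec, data + b"!"), (other, data), (redated, data))]

if __name__ == "__main__":
    print(demo())
```

The verifier needs only the published registry entry, so an archived record can be rechecked months later without any secret being disclosed.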

Figure 4: Key Fob
Data Access Verification
Data access verification is the means of providing a person with access
to restricted data, primarily for review of Safeguards data. Many of
the Safeguards agreements specify that only designated individuals may
have access to the data. Cryptography provides a means for assuring
limited data access. Carried on a ring or keychain, the cryptographic
iButton provides a convenient mechanism for inspectors to possess the
permissions necessary to decrypt and verify the data that they are authorized
to review. Combined with a user password, the iButton can perform the
challenge-response protocol necessary both to establish the inspector’s
identity and to verify his/her access privileges. The same protocol
can be used to interact with the key registration database to verify
the public keys in the data records as well as to transfer the private
decryption keys securely.
Key Distribution
Secure key distribution is a significant issue with every cryptography
system. Secret-key cryptography is particularly vulnerable whenever
keys must be exchanged. Fortunately, the public key methods, which were
invented specifically to solve the key exchange problem, are very easy
to implement. The cryptographic iButton provides both elements necessary
to implement secure key exchange: secure key containment, and challenge-response
capability.
New keys can be encrypted with the instrumentation’s public key
and then written into the inspector’s iButton ring where they are
authenticated. At the facility, the inspector need merely touch the
ring to the reader-pad on the instruments to cause the keys to be transferred
and their authenticity verified. Furthermore, it is a more reliable
method of key possession than the commonly used method of placing the
key onto a floppy disk; the iButton is more difficult to duplicate and
the proliferation of the key can be more effectively controlled.
Conclusion
The DS1954 Cryptographic iButton from Dallas Semiconductor provides
a very convenient mechanism for simplifying what are often very difficult
cryptographic processes. Key generation and secure key exchange are
two of the most problematic implementation issues in every secure system,
and the iButton simplifies them considerably. Because the iButton can
implement the challenge-response protocol, it can serve as a secure
data storage medium for distributing keys. Its small size and "touch"
interface make it very easy and convenient for inspectors to use.
The iButton does not perform key management by itself, and it does
not make cryptography transparent to the user. It does, however, vastly
simplify many of the critical processes and provides a core technology
that a complete key management system can be built around.
As the IAEA implements more and more networked instruments, remote
monitoring, unattended measurements, and a digital data infrastructure,
the requirement for pervasive authentication and encryption with universal
distributed key management will become unavoidable. We believe that
the Cryptographic iButton can be a significant contributor to the success,
security, and ease of implementation of that environment.
1 Schneier, Bruce. Why Cryptography Is Harder Than It Looks, CounterPane Systems, 1997. http://www.counterpane.com.
2 Schneier, Bruce. Applied Cryptography, 2ed. John Wiley & Sons, Inc., 1996. ISBN 0-471-128435-7.
3 The SafeComm dongle is a small network device which sits between the monitoring equipment and the network. SafeComm translates data packets to and from monitoring equipment proprietary formats, and it provides data security throughout the transfer process.
4 RSA Laboratories. Frequently Asked Questions About Today’s Cryptography, V3.0. RSA Data Security, Inc., 1996. http://www.rsa.com.