Incorporating Authentication into NDA Instrumentation


Presented at the 39th Annual Meeting of the Institute of Nuclear Materials Management, July 1998

M. Ondrik, S. Kadner;
Aquila Technologies Group, Inc.
D. Davidson, M. Zebarth;
CANBERRA Industries

ABSTRACT

Nondestructive assay (NDA) instruments developed for international and domestic safeguards applications are normally operated in an attended mode requiring an operator. However, there is an increasing need for unattended and remote monitoring instruments. Three types of applications are currently being researched by Aquila and Canberra: a) radiation triggers for video surveillance, b) unattended assay of materials moving in automated fabrication and process plants, and c) monitoring radiation signatures to verify the movement of unirradiated and irradiated nuclear material. Each application involves the transmission of sensitive data that is vulnerable to counterfeiting or tampering.

Aquila has proposed to migrate the proven authentication technology that is currently embedded in its GEMINI cameras into the NDA instruments so that the measurement data are signed before transmission. This approach eliminates the known vulnerability of these instruments while employing a methodology that has already been approved for Safeguards applications. This paper discusses the methodologies being investigated by Aquila and Canberra.

INTRODUCTION

Many nondestructive assay (NDA) instruments are in use in both international and domestic Safeguards applications. These instruments were designed with great care to understand the physics correctly, whether for neutron coincidence or multiplicity counting, gamma quantification, or isotopic/enrichment measurements. The recent need for unattended and remote monitoring in Safeguards does not affect the physics of the measurements, the measurements that must be made, or the measurement technology; however, the operating environment of the instruments is changed radically. Existing Safeguards instruments were designed to operate in an attended mode, with an operator present. Therefore, little attention was paid to data security because the operator would always be present when the measurement was made. Conversely, for unattended and remote monitoring applications, it must be assumed that the environment is hostile and that tampering will be attempted.

In order for any instrument to be used in an unattended or remote monitoring Safeguards application, the inspector must be certain that the data being reviewed actually originated from the correct instrument at the correct time and that the data have not been tampered with during the time between the measurement and data review. Without this level of certainty in the authenticity of the data, the inspector has no basis for drawing any Safeguards conclusions regardless of the data itself. Consequently, in order for NDA instruments to be suitable for unattended or remote monitoring, they must incorporate a mechanism that provides the assurance that the data has not been altered. Furthermore, this mechanism must be an integral part of the data itself so that it can be reverified at any time in the future.

Cryptographic authentication of NDA data provides exactly the required data authentication mechanism. This technique has been routinely used in the Safeguards video surveillance technology for several years, since video has always been an unattended technology. It has not been incorporated into NDA instruments since NDA measurements are only recently being considered for unattended or remote monitoring applications. Although it is easy to consider a cryptographic signature to authenticate the NDA data, it is quite another thing to actually do it. Fortunately, we are in a position to take advantage of the methods learned in video technology. Nonetheless, there are three major problems to be solved in the implementation.

First, there are many completely functional and serviceable instruments in the IAEA inventory that do not incorporate any authentication or encryption. Somehow these must be brought into the fold so that the capital investment in this equipment can be preserved. Secondly, and perhaps more significantly, the NDA instrument vendors are experts in physics and electronics, not cryptographic authentication. Therefore, a mechanism is needed to allow the instrument vendors to seamlessly incorporate approved cryptography technology without the potential for "learning curve" problems or for vulnerable implementations due to inexperience. Finally, the cryptography alters the NDA data structure. Applications must be modified to accommodate those changes, even if the cryptography itself is ignored. In particular, the authentication signature changes the size of a data block. At a minimum, the applications must step across the signature. Encryption totally alters the structure and cannot be ignored.

Canberra's approach is to leverage existing technology and products available from Aquila Technologies. In particular, the transfer of public-key cryptography from already working and approved products alleviates the need to redevelop that core technology internally. Secondly, we anticipate a phased implementation that begins with basic cryptography and then grows to encompass the scope of the latest I2 SIP standard, which calls for networking and local storage, as well as authentication and encryption.

METHODOLOGY

The presumption of a hostile environment for unattended Safeguards applications introduces the need for cryptography, including both authentication and encryption, into the realm of NDA instruments. It is well known from the cryptographic literature that authentication and encryption are not the same. That is, encryption does not authenticate and authentication does not encrypt [1,2]. Public-key signatures provide the means to verify data authenticity to any third party at any time, present or future, without revealing any secret keys and without compromising the integrity of existing or future data or operations. However, the authenticated data is plain text and can be viewed and interpreted by anyone. To hide the data, it is necessary to additionally encrypt the authenticated data package.

However, cryptography brings with it new issues such as key generation, key management, and key distribution and certification, issues which have never existed in the realm of NDA instruments. It is these elements of implementation, along with the keys, that provide the security of cryptography. Well-known strong algorithms can be compromised by a weakness in the implementation of the protocol, as illustrated by the recent attack on Secure Socket Layer (SSL) on the World Wide Web. The strongest lock in the world provides no security if the key is left "under the door mat." The primary component of secure authentication for Safeguards applications is that the instrument itself generates the keys and the private key cannot be extracted from the instrument by any means, including destruction.

Signing and Signature Verification (Authentication)

The objective of authentication is to allow anyone to verify the signature and thus to be sure that the attached data is valid and unaltered since the signature was attached. A digital signature does not hide data from anyone; it is still plain text, so the entire original message is available for use by other applications as if the signature were not present. When original data contains information that identifies the source of the data and the time of collection, then the digital signature also certifies that the data originated from a specific sensor at a particular time.

The signature is provided in two steps. In the first step, the NDA instrument's public key is appended to the message and the resulting combination is processed through a secure hash function, such as MD5, to produce a 128-bit representation (digest) of the input that is sensitive to a change of only one bit in the entire input. The second step is to encrypt only the digest with the transmitter's private key to produce the signature. The signature is then appended to the compound structure to form an authenticated message.



Because the public key is appended to the signed document, any receiver can verify the authenticity of the message without access to the transmitter's private key. Furthermore, since no one has access to the private key, the signature cannot be forged.

The signature is verified by repeating the signing process. That is, the signature is decrypted with the public key attached to the data packet. Then the compound message is submitted to the same hash function as the transmitter's. If the resulting digest matches the decrypted signature, the data is authentic. Note that use of public-key methods means that the available key cannot be used to re-sign an altered message.
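The two-step signing and the verification described above, as an added example that is not code from the paper, Aquila or Canberra. The packet layout (4-byte length, message, public key, signature), the toy RSA keys built from Mersenne primes, SHA-256 in place of MD5 (which is no longer collision resistant), and the comparison of the attached key against a separately enrolled copy are assumptions of this example.

```python
import hashlib

# Constructed toy keys: textbook RSA from Mersenne primes, no padding.
# They show the packet layout only and are not a secure key or scheme.
E = 65537
KLEN = 256  # bytes reserved for a public modulus or a signature

def keypair(p, q):
    """Return (public modulus n, private exponent d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(data):
    # SHA-256 stands in for the paper's "secure hash function, such as MD5".
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(message, n, d):
    # Step 1: append the public key to the message and hash the combination.
    body = len(message).to_bytes(4, "big") + message + n.to_bytes(KLEN, "big")
    # Step 2: encrypt only the digest with the private key, append the result.
    return body + pow(digest(body), d, n).to_bytes(KLEN, "big")

def verify(packet, enrolled_n):
    """Return the message if the packet is authentic, otherwise None."""
    if len(packet) < 4 + 2 * KLEN:
        return None
    mlen = int.from_bytes(packet[:4], "big")
    if len(packet) != 4 + mlen + 2 * KLEN:
        return None
    body, signature = packet[:-KLEN], packet[-KLEN:]
    n = int.from_bytes(body[4 + mlen:], "big")
    if n != enrolled_n:  # assumption: attached key must match the enrolled one
        return None
    if pow(int.from_bytes(signature, "big"), E, n) != digest(body):
        return None
    return body[4:4 + mlen]  # the application steps across key and signature

INSTRUMENT_N, INSTRUMENT_D = keypair(2**521 - 1, 2**607 - 1)
OTHER_N, OTHER_D = keypair(2**127 - 1, 2**1279 - 1)  # a different signer

reading = b"JSR-14 1998-07-01T12:00:00Z totals=123456"  # constructed sample
packet = sign(reading, INSTRUMENT_N, INSTRUMENT_D)
altered = packet[:4] + b"X" + packet[5:]  # one byte changed after signing
resigned = sign(b"X" + reading[1:], OTHER_N, OTHER_D)  # signed by another key
```

A packet signed by a different key is internally consistent, so the verifier accepts it only if it trusts whatever key is attached; comparing against the enrolled key is what ties the data to a specific instrument.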

Encryption and Decryption

Encryption prevents an unauthorized person from viewing the data - it does not authenticate the data. Encryption introduces a complication into the normal flow of data, because none of the data can be read by any application that does not decrypt it first. This is problematic if services are used to sort, route, store, or operate on the data or the packet header. Consequently, encryption cannot be transparent.

The IAEA has chosen to use an encryption method commonly known as an "RSA envelope" in order to ease the key management burden. Furthermore, because anyone with access to the public key could send "forged" data, all data must be authenticated before it is encrypted.

As shown at the top of the figure below, each message is encrypted using a fast secret-key algorithm with a key that is uniquely generated for each data package. Once the ciphertext is produced, the unique secret key is encrypted using the recipient's public key to produce a "cipher-key." The encrypted secret key and the public key are pre-pended to the encrypted message to produce a "packet."


This process results in data being encrypted using a fast algorithm, with the decryption key being securely distributed along with the data. This data can then be recovered only by the holder of the private key that corresponds to the public key used to encrypt the secret key. Furthermore, each data object uses a unique key; therefore, an attacker would have to cryptanalyze every data item independently (i.e., the key from one data item has no value for decrypting the next data item).
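The "RSA envelope" packet described above, as an added example that is not code from the paper or the IAEA. The SHA-256 counter-mode keystream is a stand-in for the "fast secret-key algorithm" so that the block runs with the Python standard library alone; the fixed field widths, the toy Mersenne-prime RSA keys without padding, and the function names are assumptions of this example.

```python
import hashlib
import secrets

# Constructed toy keys: textbook RSA from Mersenne primes, no padding.
E = 65537
KLEN = 256  # bytes reserved for a public modulus or an RSA-encrypted key

def keypair(p, q):
    """Return (public modulus n, private exponent d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def keystream(key, length):
    # Stand-in for the fast secret-key algorithm: SHA-256 in counter mode.
    blocks = (hashlib.sha256(key + i.to_bytes(8, "big")).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def xor(data, key):
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

def seal(signed_data, recipient_n):
    """Build the packet: cipher-key, recipient public key, ciphertext."""
    secret = secrets.token_bytes(32)  # generated fresh for each data package
    cipher_key = pow(int.from_bytes(secret, "big"), E, recipient_n)
    return (cipher_key.to_bytes(KLEN, "big")
            + recipient_n.to_bytes(KLEN, "big")
            + xor(signed_data, secret))

def unseal(packet, n, d):
    """Recover the signed data, or None if the packet is not for this key."""
    if len(packet) < 2 * KLEN:
        return None
    if int.from_bytes(packet[KLEN:2 * KLEN], "big") != n:
        return None  # prepended public key names a different recipient
    secret = pow(int.from_bytes(packet[:KLEN], "big"), d, n)
    if secret >> 256:
        return None  # not a 32-byte key, so the cipher-key was damaged
    return xor(packet[2 * KLEN:], secret.to_bytes(32, "big"))

RECIPIENT_N, RECIPIENT_D = keypair(2**521 - 1, 2**607 - 1)
OTHER_N, OTHER_D = keypair(2**127 - 1, 2**1279 - 1)  # not the recipient

signed = b"already-authenticated NDA data package"  # constructed placeholder
sealed = seal(signed, RECIPIENT_N)
```

The envelope gives confidentiality only: a modified ciphertext still decrypts to some byte string, which is why the data inside must already carry its authentication signature.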

Implementation for NDA Instruments

[Figure: Inside of RadComm Dongle]

While it is clear that the next generation of NDA instruments for Safeguards use will have the necessary cryptography built in, in the meantime, it is important to satisfy the requirements for data security with existing instruments.

Canberra has chosen to implement Safeguards data security in existing NDA instruments by using Aquila's RadComm technology, which was developed to implement LANL's RadNet protocol as described in the paper by Keith Olsen of Los Alamos National Laboratory. The RadComm "dongle" is a protocol translator that takes RS-232 or RS-485 output from a simple instrument. In case the instrument does not automatically output data, it will also query and translate the information into RadNet packets of information that can be broadcast on Ethernet (UDP). A variant of the RadComm dongle called SafeComm is already capable of providing authentication signatures on the RadNet data packets. Furthermore, the authentication methodology is the same process implemented in the GEMINI cameras and has been approved for Safeguards use. Although the RadNet protocol is not an IAEA standard, the hardware solutions created for RadNet can be easily adapted to meet the Agency's needs.

Phase 1 Implementation

[Figure: AWCC Active Well Coincidence Counter, JSR14, and Laptop]

Canberra's NDA instruments communicate using RS-232 serial communications, and the applications that use these instruments have generally been constructed for use with "com" ports. The first instrument to be adapted to deliver authenticated data will be the JSR-14 Neutron Coincidence Analyzer (shown in Figure 1 with the AWCC Active Well Coincidence Counter and laptop), which already has a large installed base for attended Safeguards applications and will see even more applications in the future.

Neutron coincidence analyzers, such as the JSR-12 or JSR-14, are required for operation of all neutron counters routinely used for international and domestic safeguards applications. Similar to the JSR-12, the JSR-14 is designed to perform conventional coincidence counting for the measurement of plutonium-bearing samples. It can also perform multiplicity analysis for measurement of impure or heterogeneous samples.

We will use the SafeComm in its "pass-through" mode, with the normal Ethernet port changed to an RS-232 port so that existing systems are unaffected. The SafeComm will not try to package the NDA instrument signal in a specific protocol. Instead, it will allow the native communication to "pass through," minimizing the effect on existing application software. The SafeComm dongle will either be mounted within the instrument itself or connected outside the instrument but within the tamperproof enclosure. The dongle will accept input on one port from the instrument, apply a cryptographic authentication signature to the data package, and then transmit the data to the Safeguards server through the other port.

Using this straightforward, "pass-through" approach, we will be able to thoroughly test and investigate IAEA-supplied data collection and analysis software to determine where any modifications may be needed to accommodate the increased size of the new data structure. Further software investigations will include determining the most effective place in the software for signature verification to occur, as well as examining options for effective user display of the verification results. The results of the Phase 1 implementation will provide a systematic mechanism for a field retrofit that can be easily applied to the existing installed base of Canberra NDA instruments.

Phase 2 Implementation

In Phase 2 we will bring the authenticated JSR-14 into full compliance with the latest I2SIP standards by adding local buffer storage and making the Ethernet option available in the data collection software. We anticipate that this approach will also apply to all other instruments in the Canberra line to provide a complete suite of authenticated and networkable NDA instruments for use in unattended and remote monitoring applications.

CONCLUSION

The need for data authentication in NDA instruments can be satisfied nearly immediately by using existing SafeComm technology. This approach leverages existing products to provide the new capabilities without reinventing the technology or re-engineering the instruments. Installed instruments can be retrofitted in the field, thus acquiring data authentication while preserving prior investments. Extension of the same technology, augmented with local data storage, will allow Canberra instruments to meet both the requirements for data authentication and the new networking and local storage standards of the I2 SIP.

[1] Schneier, Bruce. Applied Cryptography. 2nd ed. John Wiley and Sons Inc., 1996. ISBN 0-471-12845-7.

[2] RSA Laboratories. Frequently Asked Questions About Today's Cryptography. Version 3.0.


