Presented at the 39th Annual Meeting of the Institute of Nuclear Materials Management, July 1998
M. Ondrik, S. Kadner;
Aquila Technologies Group, Inc.
D. Davidson, M. Zebarth;
CANBERRA Industries
Nondestructive assay (NDA) instruments developed for international
and domestic safeguards applications are normally operated in an attended
mode requiring an operator. However, there is an increasing need for
unattended and remote monitoring instruments. Three types of applications
are currently being researched by Aquila and Canberra: a) radiation
triggers for video surveillance, b) unattended assay of materials moving
in automated fabrication and process plants, and c) monitoring radiation
signatures to verify the movement of unirradiated and irradiated nuclear
material. Each application involves the transmission of sensitive data
that is vulnerable to counterfeiting or tampering.
Aquila has proposed to migrate the proven authentication technology
that is currently embedded in its GEMINI cameras into the NDA instruments
so that the measurement data are signed before transmission. This approach
eliminates the known vulnerability of these instruments while employing
a methodology that has already been approved for Safeguards applications.
This paper discusses the methodologies being investigated by Aquila
and Canberra.
Many nondestructive assay (NDA) instruments are in use in both international
and domestic Safeguards applications. These instruments were designed
with great care to understand the physics correctly, whether for neutron
coincidence or multiplicity counting, gamma quantification, or isotopic/enrichment
measurements. The recent need for unattended and remote monitoring in
Safeguards does not affect the physics of the measurements, the measurements
that must be made, or the measurement technology; however, the operating
environment of the instruments is changed radically. Existing Safeguards
instruments were designed to operate in an attended mode, with an operator
present. Therefore, little attention was paid to data security
because the operator would always be present when the measurement was
made. Conversely, for unattended and remote monitoring applications,
it must be assumed that the environment is hostile and that tampering
will be attempted.
In order for any instrument to be used in an unattended or remote monitoring
Safeguards application, the inspector must be certain that the data
being reviewed actually originated from the correct instrument at the
correct time and that the data have not been tampered with during the
time between the measurement and data review. Without this level of
certainty in the authenticity of the data, the inspector has no basis
for drawing any Safeguards conclusions regardless of the data itself.
Consequently, in order for NDA instruments to be suitable for unattended
or remote monitoring, they must incorporate a mechanism that provides
the assurance that the data has not been altered. Furthermore, this
mechanism must be an integral part of the data itself so that it can
be reverified at any time in the future.
Cryptographic authentication of NDA data provides exactly the required
data authentication mechanism. This technique has been routinely used
in the Safeguards video surveillance technology for several years, since
video has always been an unattended technology. It has not been incorporated
into NDA instruments since NDA measurements are only recently being
considered for unattended or remote monitoring applications. Although
it is easy to consider a cryptographic signature to authenticate the
NDA data, it is quite another thing to actually do it. Fortunately,
we are in a position to take advantage of the methods learned in video
technology. Nonetheless, there are three major problems to be solved
in the implementation.
First, there are many completely functional and serviceable instruments
in the IAEA inventory that do not incorporate any authentication or
encryption. Somehow these must be brought into the fold so that the
capital investment in this equipment can be preserved. Secondly, and
perhaps more significantly, the NDA instrument vendors are experts in
physics and electronics, not cryptographic authentication. Therefore,
a mechanism is needed to allow the instrument vendors to seamlessly
incorporate approved cryptography technology without the potential for
“learning curve” problems or for vulnerable implementations due to inexperience.
Finally, the cryptography alters the NDA data structure. Applications
must be modified to accommodate those changes, even if the cryptography
itself is ignored. In particular, the authentication signature changes
the size of a data block. At the minimum, the applications must step
across the signature. Encryption totally alters the structure and cannot
be ignored.
Canberra’s approach is to leverage existing technology and products
available from Aquila Technologies. In particular, the transfer of public-key
cryptography from already working and approved products alleviates the
need to redevelop that core technology internally. Secondly, we anticipate
a phased implementation that begins with basic cryptography and then
grows to encompass the scope of the latest I2SIP standard,
which calls for networking and local storage, as well as authentication
and encryption.
The presumption of a hostile environment for unattended Safeguards
applications introduces the need for cryptography, including both authentication
and encryption, into the realm of NDA instruments. It is well known
from the cryptographic literature that authentication and encryption
are not the same. That is, encryption does not authenticate and authentication
does not encrypt [1,2]. Public-key signatures provide the means
to verify data authenticity to any third party at any time, present
or future, without revealing any secret keys and without compromising
the integrity of existing or future data or operations. However, the
authenticated data is plain text and can be viewed and interpreted by
anyone. To hide the data, it is necessary to additionally encrypt the
authenticated data package.
However, cryptography brings with it new issues such as key generation,
key management, and key distribution and certification—issues which
have never existed in the realm of NDA instruments. It is these elements
of implementation, along with the keys, that provide the security of
cryptography. Well-known strong algorithms can be compromised by a weakness
in the implementation of the protocol, as illustrated by the recent
attack on Secure Socket Layer (SSL) on the World Wide Web. The strongest
lock in the world provides no security if the key is left “under the
door mat.” The primary component of secure authentication for Safeguards
application is that the instrument itself generates the keys and the
private key cannot be extracted from the instrument by any means, including
destruction.
The objective of authentication is to allow anyone to verify the signature
and thus to be sure that the attached data is valid and unaltered since
the signature was attached. A digital signature does not hide data from
anyone; it is still plain text, so the entire original message is available
for use by other applications as if the signature were not present.
When original data contains information that identifies the source of
the data and the time of collection, then the digital signature also
certifies that the data originated from a specific sensor at a particular
time.
The signature is provided in two steps. In the first step, the NDA
instrument’s public key is appended to the message and the resulting
combination is processed through a secure hash function, such as MD5,
to produce a 128-bit representation (digest) of the input that is sensitive
to a change of only one bit in the entire input. The second step is
to encrypt only the digest with the transmitter’s private key
to produce the signature. The signature is then appended to the compound
structure to form an authenticated message.
Because the public key is appended to the signed document, any receiver
can verify the authenticity of the message without access to the transmitter’s
private key. Furthermore, since no one has access to the private key,
the signature cannot be forged.
The signature is verified by repeating the signing process. That is,
the signature is decrypted with the public key attached to the data
packet. Then the compound message is submitted to the same hash function
as the transmitter’s. If the resulting digest matches the decrypted
signature, the data is authentic. Note that use of public-key methods
means that the available key cannot be used to re-sign an altered message.
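
The sign and verify steps described above, together with the "step across the signature" handling mentioned earlier for legacy applications, as an added example that is not code from the paper or from the SafeComm or GEMINI products. It assumes a fixed-size trailer layout (message, then public key, then signature), substitutes SHA-256 for the MD5 the paper names, and uses unpadded RSA with a constructed toy key purely to mirror the text; a fielded design would use a standard padded signature scheme and a key generated inside the instrument.

```python
import hashlib
import hmac

# Constructed toy key (two published Mersenne primes): illustration only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, never leaves the instrument
KLEN = (N.bit_length() + 7) // 8       # bytes needed for the modulus or a signature
PUBKEY = N.to_bytes(KLEN, "big") + E.to_bytes(4, "big")
TRAILER = len(PUBKEY) + KLEN           # growth of every record once it is signed
SAMPLE = b"ID=JSR14-0001;T=1998-07-26T10:00:00Z;TOTALS=10432"  # constructed record


def _digest(compound: bytes) -> int:
    # SHA-256 stands in for the MD5 named in the paper.
    return int.from_bytes(hashlib.sha256(compound).digest(), "big")


def sign(message: bytes) -> bytes:
    """Instrument side: returns message || public key || signature."""
    compound = message + PUBKEY
    sig = pow(_digest(compound), D, N)  # digest "encrypted" with the private key
    return compound + sig.to_bytes(KLEN, "big")


def verify(packet: bytes, trusted_pubkey: bytes):
    """Reviewer side: returns the message if authentic, otherwise None."""
    if len(packet) < TRAILER:
        return None
    compound, sig = packet[:-KLEN], packet[-KLEN:]
    message, pubkey = compound[:-len(PUBKEY)], compound[-len(PUBKEY):]
    # The attached key is untrusted input: it must equal the key certified for
    # this instrument, or a packet re-signed under another key would verify.
    if not hmac.compare_digest(pubkey, trusted_pubkey):
        return None
    n = int.from_bytes(pubkey[:-4], "big")
    e = int.from_bytes(pubkey[-4:], "big")
    s = int.from_bytes(sig, "big")
    if s >= n:
        return None
    return message if pow(s, e, n) == _digest(compound) else None


def strip_signature(packet: bytes) -> bytes:
    """Legacy application: step across the trailer without checking it."""
    return packet[:-TRAILER]
```

Because the record identifies the instrument and the collection time, a successful `verify` against the certified key also binds the data to that source and time, as the text notes.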
Encryption prevents an unauthorized person from viewing the data - it
does not authenticate the data. Encryption introduces a complication
into the normal flow of data, because none of the data can be read by
any application that does not decrypt it first. This is problematic
if services are used to sort, route, store, or operate on the data or
the packet header. Consequently, encryption cannot be transparent.
The IAEA has chosen to use an encryption method commonly known as an
“RSA envelope” in order to ease the key management burden. Furthermore,
because anyone with access to the public key could send “forged” data,
all data must be authenticated before it is encrypted.
As shown at the top of the figure below, each message is encrypted
using a fast secret-key algorithm with a key that is uniquely generated
for each data package. Once the ciphertext is produced, the unique secret
key is encrypted using the recipient’s public key to produce a “cipher-key.”
The encrypted secret key and the public key are pre-pended to the encrypted
message to produce a “packet.”
This process results in data being encrypted using a fast algorithm,
with the decryption key being securely distributed along with the data.
This data can then be recovered only by the holder of the private key
that corresponds to the public key used to encrypt the secret key. Furthermore,
each data object uses a unique key; therefore, an attacker would have
to cryptanalyze every data item independently (i.e., the key from one
data item has no value for decrypting the next data item).
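
The envelope construction described above, as an added example that is not the IAEA's or the vendors' implementation. It assumes the prepended public key is the recipient's, uses a SHA-256 counter-mode keystream as a stand-in for the "fast secret-key algorithm," and wraps the per-package key with unpadded RSA under a constructed toy key; the input is taken to be a packet that has already been signed.

```python
import hashlib
import secrets

# Constructed toy recipient key pair (published Mersenne primes): illustration only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # recipient's private exponent
KLEN = (N.bit_length() + 7) // 8
RECIPIENT_PUB = N.to_bytes(KLEN, "big") + E.to_bytes(4, "big")
HEADER = KLEN + len(RECIPIENT_PUB)     # cipher-key plus public key
SAMPLE = b"<constructed stand-in for an already signed NDA packet>"


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    # Stand-in symmetric cipher: XOR with SHA-256(key || block offset).
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)


def seal(authenticated: bytes) -> bytes:
    """Sender: returns cipher-key || recipient public key || ciphertext."""
    session_key = secrets.token_bytes(32)          # unique for each data package
    wrapped = pow(int.from_bytes(session_key, "big"), E, N)
    return (wrapped.to_bytes(KLEN, "big") + RECIPIENT_PUB
            + _keystream_xor(session_key, authenticated))


def open_packet(packet: bytes) -> bytes:
    """Recipient: unwrap the secret key with the private key, then decrypt."""
    if len(packet) < HEADER or packet[KLEN:HEADER] != RECIPIENT_PUB:
        raise ValueError("packet is not addressed to this key pair")
    session = pow(int.from_bytes(packet[:KLEN], "big"), D, N)
    if session.bit_length() > 256:
        raise ValueError("corrupt cipher-key")
    return _keystream_xor(session.to_bytes(32, "big"), packet[HEADER:])
```

A sealed packet whose ciphertext has been altered still decrypts without error, which is why the signature is applied before encryption and must be checked after `open_packet` returns.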
While it is clear that the next generation of NDA instruments for Safeguards
use will have the necessary cryptography built in, in the meantime,
it is important to satisfy the requirements for data security with existing
instruments.
Canberra has chosen to implement Safeguards data security in existing
NDA instruments by using Aquila’s RadComm technology, which was developed
to implement LANL’s RadNet protocol as described in the paper by Keith
Olsen of Los Alamos National Laboratory. The RadComm “dongle” is a protocol
translator that takes RS-232 or RS-485 output from a simple instrument,
querying the instrument if it does not automatically output data, and
translates the information into RadNet packets
that can be broadcast on Ethernet (UDP). A variant of the RadComm dongle
called SafeComm is already capable of providing authentication signatures
on the RadNet data packets. Furthermore, the authentication methodology
is the same process implemented in the GEMINI cameras and has been approved
for Safeguards use. Although the RadNet protocol is not an IAEA standard,
the hardware solutions created for RadNet can be easily adapted to meet
the Agency’s needs.
Canberra’s NDA instruments communicate using RS-232 serial communications,
and the applications that use these instruments have generally been
constructed for use with “com” ports. The first instrument to be adapted
to deliver authenticated data will be the JSR-14 Neutron Coincidence
Analyzer (shown in Figure 1 with the AWCC Active Well Coincidence Counter
and laptop), which already has a large installed base for attended Safeguards
applications and will see even more applications in the future.
Neutron coincidence analyzers, such as the JSR-12 or JSR-14, are required
for operation of all neutron counters routinely used for international
and domestic safeguards applications. Similar to the JSR-12, the JSR-14
is designed to perform conventional coincidence counting for the measurement
of plutonium-bearing samples. It can also perform multiplicity analysis
for measurement of impure or heterogeneous samples.
We will use the SafeComm in its “pass-through” mode, with the normal
Ethernet port changed to an RS-232 port,
so that existing systems are unaffected. The SafeComm will not try to
package the NDA instrument signal in a specific protocol. Instead, it
will allow the native communication to “pass-through,” minimizing the
effect on existing application software. The SafeComm dongle will either
be mounted within the instrument itself or connected outside the instrument
but within the tamperproof enclosure. The dongle will accept input on
one port from the instrument, apply a cryptographic authentication signature
to the data package, and then transmit the data to the Safeguards server
through the other port.
Using this straightforward, “pass-through” approach, we will be able
to thoroughly test and investigate IAEA-supplied data collection and
analysis software to determine where any modifications may be needed
to accommodate the increased size of the new data structure. Further
software investigations will include determining the most effective
place in the software for signature verification to occur, as well as
examining options for effective user display of the verification results.
The results of the Phase 1 implementation will provide a systematic
mechanism for a field retrofit that can be easily applied to the existing
installed base of Canberra NDA instruments.
In Phase 2 we will bring the authenticated JSR-14 into full compliance
with the latest I2SIP standards by adding local buffer storage and making
the Ethernet option available in the data collection software. We anticipate
that this approach will also apply to all other instruments in the Canberra
line to provide a complete suite of authenticated and networkable NDA
instruments for use in unattended and remote monitoring applications.
The need for data authentication in NDA instruments can be satisfied
nearly immediately by using existing SafeComm technology. This approach
leverages existing products to provide the new capabilities without
reinventing the technology or re-engineering the instruments. Installed
instruments can be retrofitted in the field, thus acquiring data authentication
while preserving prior investments. Extension of the same technology,
augmented with local data storage, will allow Canberra instruments to
meet both the requirements for data authentication and the new networking
and local storage standards of the I2SIP.
1 Schneier, Bruce. Applied Cryptography. 2nd ed. John Wiley and Sons Inc., 1996. ISBN 0-471-12845-7.
2 RSA Laboratories. Frequently Asked Questions About Today’s Cryptography. Version 3.0.