
Post on 18-Dec-2015


Copyright (c) 2000 Hitachi, Ltd. All rights reserved.

Research & Development for Internet Security in Japan

November 24, 2000

Ryoichi Sasaki ( [email protected] ), Senior Chief Researcher

Systems Development Laboratory, Hitachi, Ltd.

14th AFSIT

AFSIT : Asian Forum for the Standardization of Information Technologies

Table of Contents

1. Introduction
2. Security Threats and Countermeasures
3. Status on Security Countermeasures in Japan
4. Security Technology Creates Internet New Era
5. Current Status on Security R&D in Japan
6. R & D on Security Technologies in Hitachi
7. On Security Standards

1. Introduction

Current Situation of Internet in Japan

[Figure: Trend on Number of Hosts Connected to Internet, 1995 to 1999. Vertical axis: % (number in '95 is 100% for each country), 0 to 2,000. Series: USA (.com), Japan (.jp), Germany (.de), France (.fr), total.]

Number of Internet Users in Japan

From White Paper 2000 of Ministry of Posts and Telecommunications

[Figure: Number (M Persons) and Diffusion Rate (%) by year, 1996 to 1999 and 2005. Data labels: 11.6, 16.9, 27.1, 76.7; 19.1%.]

Predicted Amount of E-Commerce (Business to Business)

Announced by MITI in 1999. Unit: Trillion Yen.

Year | Japan | USA
1998 | 9 | 20
1999 | 12 | 30
2000 | 19 | 50
2001 | 29 | 79
2002 | 45 | 117
2003 | 68 | 165

Background of Increase of Security Threat

• Rapid Spread of Internet: Increase of Victim Candidates
• Big Digital Money Flow on Internet: More Powerful Attack to Get Big Money
• Increased Connection of Enterprise Network to Internet: Attack Increase via Internet to Extremely Valuable Information

Loss Caused by Attack to Security in USA

Estimated by FBI / CSI

[Figure: bar chart by year, 1996 to 1999; axis in M$ (50 to 250). Data labels: 100M$, 130M$, 120M$, 260M$.]

Number of Reported Security Incidents in Japan

Data from JPCERT

[Figure: number of reported incidents per quarter, 97 1Q to 00 1Q; vertical axis 0 to 800.]

2. Security Threats and Countermeasures

Threats to Security

Objects: Electronic Commerce, Computer, Files, Network

Threats to Security: Loss of Confidentiality, Loss of Integrity, Loss of Availability, Loss of Evidence

Labels in parentheses on the diagram: (Eavesdropping), (Improper Use), (Interruption), (Repudiation)

Countermeasure against Attacker

Attacker: Intrusion, Masquerade, Security Hole Attack

Countermeasure by Technology
(1) Protection against Intrusion
    (a) Access Control (Firewall etc.)
    (b) Encryption
(2) Prevention, Detection, Recovery
    (a) Security Surveillance
    (b) Security Audit etc.

Countermeasure by Management
(a) Security Policy Establishment
(b) Security Education

3. Status on Security Countermeasures in Japan

Investigated Results on Security Measure Status (1)

Investigated by JIPDEC in 1999. No. of Companies: 867. No. of Mean Employees: 2194 persons.

Security Policy | Rate %
Decided | 18.9
Deciding | 9.3
Under Consideration | 25.8
Not Decided | 43.5
Unnecessary | 0.7
No Answer | 1.7

Security Policy is decided in only less than one fifth of companies.

JIPDEC: Japan Information Processing Development Corporation

Investigated Results on Security Measure Status (2)

Security Specialist | Rate (%)
Exist | 23.8
Under Consideration | 12.5
Not Exist | 62.2
Not Necessary | 1
No Answer | 0.6

Security Specialist exists in less than one fourth of companies.

Investigated Results on Security Measure Status (3)

[Figure: bar chart of rate (%) per measure, axis 0 to 90. Measures: Usage of Password, Usage of Firewall, Usage of Access Control Soft, Access Control to Outside, Limitation of Network Operator, Inhibition of Changing LAN Connection, Log Analysis, Others, No Measure. Data labels: 83.4, 50.7, 21.3, 14.2, 40.9, 25.8, 33.6, 1.5, 10.4.]

Firewall is used in more than 50% of companies.

Investigated Results on Security Measure Status (3)

Cipher | Rate (%)
Usage of Cipher | 14.7
Not Usage | 82.6
No Answer | 2.7

Cipher is used in less than 15% of companies.

4. Security Technology Creates Internet New Era

Security Technologies Support Internet New Era

Coverage: Inter Individuals; Inner Companies; Inter Companies; Public, Home etc.

Networks: Internet*, Intranet, Extranet, Socialnet

Additional Features: Information Exchange; Improvement of work efficiency; Application to Management Strategy; Creation of new value of services

Applications:
• Mail, News, WEB
• Information Sharing
• GroupWare
• EC (B to B)
• EC (B to C)
• E-Government
• E-Election
• E-Auction
• E-Library
• New Social Infrastructure

Future Direction

Security Technologies: Digital Signature, Digital Watermarking

Note : * Narrow Meaning

Outline of Digital Signature

< Objectives of Digital Signature or Electronic Seal >
(1) Entity Authentication : Protection from Masquerade
(2) Message Authentication : Detection of Message Manipulation

Objectives | Real World | Digital World (Digital Signature or Electronic Seal)
(1) Entity Authentication | Usage of Seal or Signature for Identifying Originator | Usage of Asymmetric Cipher* : It is possible to identify single signature key user.
(2) Message Authentication | Usage of Paper and Ink for Detecting Manipulation | Usage of Hash Function : It is possible to detect manipulation by checking hash value.

* Asymmetric Cipher equals Public Key Cipher

Digital Signature Scheme

Pair Keys: Private Key of Bob ( Sa ) : Secret; Public Key of Bob ( Pa ) : Open

Alice
Message (M) → Hash Function (h) → Hash Value ( h(M) )
Encryption by Using Sa and Asymmetric Cipher → Digital Signature ( S = Sa(h(M)) )
Send M + Digital Signature

Bob
Receive M + Digital Signature
Decryption by Using Pa and Asymmetric Cipher: h' = Pa(S)
Hash Function (h): h'' = h(M)
Compare: if h' = h'', Authenticated

If only one bit of M was changed, the hash value will be changed totally.

Necessity of Certification Authority

Objective: Certify the real owner of public key Pa (protect against Pc generated by Carol being presented as Pa of Bob)

Parties: Bob, Alice, Certification Authority (CA)

Private Key of CA: Sn (Secret)
Public Key of CA: Pn (Open)

(1) Generate Private Key: Sa, Public Key: Pa
(2) Pa
(3) Registration of Pa and the Owner
(4) Public Key Certificate (X.509 V.3) with Sn(Pa)
(5) Signed Message + X.509 Certificate
(6) Pn
(7) Calculate Pa: Pa = Pn(Sn(Pa))
(8) Use Pa for Verification

(Asymmetric Cipher)

(Note: There was same system in the era of King Hammurabi about 4100 years ago.)
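The two slides above (Digital Signature Scheme and Necessity of Certification Authority) can be followed end to end in the added example below, which is not part of the original presentation. It uses the slides' symbols (h, Sa/Pa, Sn/Pn, Pc) with textbook RSA over constructed toy keys and no padding; as an assumption, the certificate is a dictionary and is checked by comparing hash values rather than by recovering Pa directly as in step (7).

```python
import hashlib

E = 65537  # public exponent shared by all toy keys

def make_key(p, q):
    """Build a textbook RSA pair from two primes: returns (public, private)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (E, n), (d, n)

def h(data, n):
    """Hash function h: SHA-256 reduced into the range of modulus n."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(private, data):
    """S = Sa(h(M)): apply the private key to the hash value."""
    d, n = private
    return pow(h(data, n), d, n)

def verify(public, data, signature):
    """Compare h' = Pa(S) with h'' = h(M)."""
    e, n = public
    return pow(signature, e, n) == h(data, n)

def binding(owner, public):
    """Bytes the CA signs: the owner name together with the public key."""
    return f"{owner}|{public[0]}|{public[1]}".encode()

def issue_certificate(ca_private, owner, public):
    """CA side: register Pa with its owner and sign the binding with Sn."""
    return {"owner": owner, "public": public,
            "ca_signature": sign(ca_private, binding(owner, public))}

def check(ca_public, sender, message, signature, cert):
    """Receiver side: validate the certificate with Pn, then use the certified Pa."""
    if cert["owner"] != sender:
        return "certificate is for another owner"
    if not verify(ca_public, binding(cert["owner"], cert["public"]),
                  cert["ca_signature"]):
        return "certificate rejected"
    if not verify(cert["public"], message, signature):
        return "signature rejected"
    return "authenticated"

def demo():
    # Constructed toy keys built from Mersenne primes (far too small for real use).
    pn, sn = make_key(2**107 - 1, 2**127 - 1)   # CA:    Pn open, Sn secret
    pa, sa = make_key(2**61 - 1, 2**89 - 1)     # Bob:   Pa open, Sa secret
    pc, sc = make_key(2**89 - 1, 2**107 - 1)    # Carol: Pc, Sc

    message = b"Pay 100 yen to Alice"           # constructed sample message
    cert = issue_certificate(sn, "Bob", pa)
    s = sign(sa, message)

    # Carol signs her own message and relabels Bob's certificate with her key Pc.
    forged_msg = b"Pay 100000 yen to Carol"
    forged_sig = sign(sc, forged_msg)
    forged_cert = dict(cert, public=pc)

    return {
        "honest": check(pn, "Bob", message, s, cert),
        "tampered": check(pn, "Bob", b"Pay 900 yen to Alice", s, cert),
        # Without a CA the receiver has only the key Carol hands over as "Pa".
        "carol_without_ca": verify(pc, forged_msg, forged_sig),
        "carol_with_ca": check(pn, "Bob", forged_msg, forged_sig, forged_cert),
    }

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The "carol_without_ca" case verifies successfully, which is the gap the CA slide describes; once the receiver checks the CA signature on the owner and key pair, the substituted key is rejected.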

Example of Structure for CAs

Hierarchical Structure of CAs

Levels shown: Root CA; CA1, CA2; CA11, CA12; EE1, EE2, EE3, EE4. Arrow label: Certificate.

EE: End Entity ( User of CA )

PKI for Supporting Certification

PKI : Public Key Infrastructure

PKI consists of protocols, services, and standards supporting applications of public-key cipher (asymmetric cipher), especially related to the use of Certificate Authority (CA).

Example of Watermarking

Original Image → Embedding Software (Owner: Hitachi, Buyer: Sasaki) → Embedded Image → Extracting Software → Owner: Hitachi, Buyer: Sasaki

Embedded Position

5. Current Status on Security R&D in Japan

Main Players on Security R & D in Japan

Government: MITI - IPA, MPT - TAO, STA
Universities, Companies
Links shown: Collaboration; Fund for Security Projects

MITI : Ministry of International Trade and Industry
MPT : Ministry of Posts and Telecommunications
IPA : Information - Technology Promotion Agency, Japan
TAO : Telecommunications Advancement Organization of Japan
STA : Science and Technology Agency

Main Players on Security R & D in Japan: IPA - Security Center

(1) Anti-Computer-Virus Activities
(2) Countermeasures Against Unauthorized Access to Computers in Cooperation with JPCERT
(3) Study of Cryptography and Authentication Technologies
(4) Study of IT Security Evaluation and Certification / Validation Scheme

Main Players on Security R & D in Japan: Universities

• Tokyo University (Professor IMAI)
• Chuo University (Professor TSUJII)
• Yokohama National University
• Kyushu University
• Keio University etc.

Main Players on Security R & D in Japan: Company

• NTT
• Hitachi
• Mitsubishi
• NEC
• NTT Data
• Fujitsu
• Panasonic, etc.

Security Technologies for Research

Categories: Field Technology, Element Technology, System Technology, Social Technology

1. Certification
2. Access Control
3. Encryption
4. Digital Signature
5. Computer Virus
6. Secure Network
7. Recovery
8. Vulnerability
9. Risk Assessment
10. Interdependency
11. Risk Communication
12. Security User Interface

Comparison of Research Area in USA and Japan

[Figure: Research Area (%) for USA* and Japan+, shown for Field Technology, Element Technology, System Technology and Social Technology and for the 12 research areas from Certification to Security User Interface.]

* Ratio of number of papers in ACM and IEEE for this ten years (Total No.: 4696)
+ Ratio of number of papers in IPSJ and IEICE for this ten years (Total No.: 555)

6. R & D on Security Technologies in Hitachi

Hitachi’s Security Concept

Secureplaza

Hitachi’s Total Power

Hitachi’s Security Services and Products: Hardware Products, Software Products, Systems Integration Services, Operation Services

Items shown: Router, Crypt LSI, Smart Card, Encryption Library, Firewall, EC System, Inter-Corporate EC, Certificate Authority, Security Monitoring

Diagram labels: Attack!, Message, EC

History on R&D of Security in Hitachi

Phase 1 (1987 - 1993): Technology Development Period
Phase 2 (1993 - 1997): Products Development Period
Phase 3 (1998 - ): Business Establishment Period

Business Area and Developed Security Technologies

Business Area | Developed Security Technologies
Service: SI & Operation | Security Monitoring, Key Recovery
Service: Special Service | Certificate Authority, Notary System
Software: Middle Software | Secure Commerce Protocol, Key Management, Group Security
Software: Library | Encryption Algorithms, Digital Water Marking
Hardware: Subsystem | Encryption for Hardware Equipment, Biometrics for Authentication
Hardware: Component | LSI for Encryption, Smart Card

Common Key Cipher and Public Key Cipher

Item | Common Key Cipher | Public Key Cipher
Examples | DES | RSA
Relation between Encryption/Decryption Keys | Encryption Key = Decryption Key | Encryption Key ≠ Decryption Key
Secret Key Delivery | Necessary | Not Necessary
Digital Signature | Difficult | Straightforward
Speed | Fast | Slow
Applications | Data Encryption | Key Delivery, Digital Signature

Common Key Cipher Developed in Japan

Company | Name | Year | Comment
NTT | FEAL-N | 1990 |
NTT | E2 | 1998 | Candidate of AES
Hitachi | MULTI2 | 1989 |
Hitachi | MULTI-S01 | 2000 | Stream Cipher
Mitsubishi | MISTY | 1996 |
NEC | Unicorn | 1997 |

Products Related MULTI

(a) Encryption Software Library ( Keymate/MULTI )
(b) Encryption LSI for Satellite Broadcast (Japan Standard for Digital Satellite Broadcast)

Diagram labels: PerfecTV, DirecTV Japan, IRD, MULTI Chip, TV

MULTI is the baseline cipher recommended by CPTWG for IEEE1394.
CPTWG: Copy Protection Technology Working Group

Necessity of New Public Key Cipher

RSA: required key length for safe enough
1990: 512 bits
1998: 1024 bits
2004: 2048 bits

Computation time when key length becomes twice: 6 times - 8 times

Improvement of Hardware and Integer Factorization Method

Hitachi decided to develop new public key cipher in 1996.

Hitachi Elliptic Curve Cryptosystem (ELCURVE)

Type of Elliptic Curve: Elliptic Curve based on 2 powers; Elliptic Curve based on large prime numbers

Scheme: Digital Signature; Encryption/Decryption; K-out-of-N Scheme

Hitachi original scheme

ELCURVE
• Software Library for PC and WS (Product: Keymate/Crypto)
• Software for Smart Card (Prototype)

Development of ELCURVE on Smart Card

PC, Smart Card

H8/3111 BLOCK DIAGRAM: H8/300 CPU, ROM 14K BYTES, RAM 512 BYTES, EEPROM 8K BYTES, CO-PROCESSOR, RAM 288 BYTES, I/O PORT

EXTERNAL CLOCK: 10 MHZ
CPU: 5 MHZ, CO-PROCESSOR: 10 MHZ

DIGITAL SIGNATURE (160 BITS): 0.17 SEC

• High speed calculation by utilizing co-processor in smart card designed for fast RSA calculation

Application Areas of Watermarking

Contents kind | Examples
Still picture | painting, Photography, Picture in digital book
Motion picture | Movies in DVD
Voice | Music, Voice in movie
Text | Sentence in digital book
Program | Application programs

[Figure: contents plotted by Price (low to high, mark at $10) and Life span (short to long, mark at 1 month), with a region labelled "Protection by watermarking needed". Items: painting, catalogue, newspaper, TV-news, education software, music, movie, karaoke, magazine, program, book.]

Actual Applications of Water Mark

(1) Copy Detection in Toppan Co. for Selling Digital Arts ( Still Picture )
(2) Copy Protection Standard Proposal for DVD - RAM in CPTWG ( Motion Picture )
(3) Internet - Marks For WWW

[Figure: Price and Life span chart with the region "Protection by watermarking needed". Items: painting, catalogue, newspaper, TV-news, education software, music, movie, karaoke, magazine, program, book.]

Problems

• Web systems are important social infrastructures.
– Means for effective information delivery and collection
– Bases for most EC systems

• However they have trust problems.
– Impersonation (e.g., fake Web site represents itself as an established site)
– Criminal actions (e.g., receives money and then disappears without sending goods)
– Unclear service policies (e.g., on returning goods)

Authentication using visual seals

• Authority issues seals guaranteeing or rating Web sites.

• Seals are pasted on the Web pages.

• Consumers trust or know service levels of the Web sites via the seals.

Problems

Seals are easily forged and copied onto unauthorized Web pages.

Reliable seal system is needed.

Internet-Mark technology

• Internet-Marks are verifiable seals because digital signatures are embedded in them by digital watermarking.

Digital object for which Internet-mark will be used + Private key of issuer → Digital signature
Material image (JPEG, bit map, etc.) + Digital signature → Watermarking → Internet-Mark (JPEG, bit map, etc.) with embedded digital signature

Sample seal shown on the slide: "Recommend for School Education / SCIENCE / ΕΔΩ Assoc."

Internet-Marks can be verified via the embedded digital signatures.

Details of Internet-Mark

Inputs shown: Web page, Web site address, Additional info. (term of validity etc.), Certificate for issuer
Private key of issuer → Digital signature → Signature, etc.
Material Image + Signature, etc. → Watermarking → Internet-Mark
Paste: Internet-Mark → Web page

Sample seal shown on the slide: "Recommend for School Education / SCIENCE / ΕΔΩ Assoc."

Biometric Authentication Devices of Hitachi

Labels: Prototype model for Product; Demonstration model

Fingerprint Device: Veridicom FPS100A, 300×300×8 bits, 12 Mbps USB I/F
Hitachi’s Contactless Smart Card & R/W: 8 bits CPU, 8 kB EEPROM, 9600 bps

Outline of Secured Office System

Locations: Issuer Center, Entrance, User’s Office

Components shown: Certification Authority, Card Issuer System, Enrollment Server, User List, Smart Card (X.509 certificated fingerprint), Smart card R/W, Door, Door Control unit, Live scanner, PCs for End User, Verification Server, Temporal Fingerprint file, Log DB, DB

Controls: Entrance control, Log-on access control, DB access control, Workflow control

Hitachi Certificate Authority Server

Internet: Consumer, Store, Bank/Card Company (label: Certificate)

CA system: Firewall, Front End Server, CA Server, Certification List; For Operator

Against Invasion: Firewall, Encryption
Against Inside Crime: Prevent Single Operation

Image of CA & NA System for Ministry of Justice

Certificate Authority (CA): Certificate, Authorize

Notary Authority (NA): Notary Service
• Time Stamping (example stamp: 1998/3/6 14:10)
• Archiving a digital document
• Making (Writing) a notarial deed
• Authorizing a private document

Parties: Corporate A, Corporate B

7. On Security Standards

Security Standards and Related Organizations

Security Basic Field
• World Wide: Official: ISO-SC27, ITU etc.; Private: IETF (Protocol) etc.
• National Level: Official: NIST (AES), JIS etc.; Private: IEEE (1394) etc.

Security Application Field
• SET (Certification), MULTOS (Card OS), CPTWG (Copy Protection) etc.

On Cryptography Standard

1. National Level / Official

(1) USA: AES Project by NIST
AES (Advanced Encryption Standard) was selected in Oct. 2000 -> Rijndael, proposed from Belgium

(2) JAPAN: CRYPTREC Project by IPA and TAO ( Chair: Prof. Imai )
Assessment of Security and the Implementation of Available Cryptographic Techniques to Achieve Information Security in the Electronic Government
-> Technical Report Including a List of Analytical Results on Security Profile and Implementation Aspects for Proposed Cryptographic Technologies ( in March, 2001 )

(3) EC: NESSIE Project by the Information Technology Programme of the European Commission

On Cryptography Standard

2. World Wide / Official

Standardization of Ciphers has started at ISO/IEC JTC1 SC 27 (#18033) from 1999.
< From Registration to Real Standard >

Standardization Items
(1) Asymmetric Ciphers
(2) Block Ciphers
(3) Stream Ciphers

(2) and (3): Symmetric Ciphers (Common Key Ciphers)

IETF WG on Security

Category | WG
Infrastructure | Common Authentication Technology (cat); IP Security Protocol (ipsec); Intrusion Detection Exchange Format (idwg); Public-Key Infrastructure (X.509) (pkix); Simple Public Key Infrastructure (spki); XML Digital Signatures (xmldsig)
Middleware | Authenticated Firewall Traversal (aft); One Time Password Authentication (otp); Secure Shell (secsh); Transport Layer Security (tls)
Application | An Open Specification for Pretty Good Privacy (openpgp); Domain Name System Security (dnssec); S/MIME Mail Security (smime); Web Transaction Security (wts); Secure Network Time Protocol (stime)

8. Conclusion

Conclusions

1. R & D on security technologies in Japan were explained.
2. Future Tendency
(1) Attack will increase and be harder in future.
(2) More powerful countermeasures will be required, especially in security surveillance, audit, evaluation and education.
(3) Attack will be given from all over the world. Therefore, world wide collaborations must be performed to protect against the attacks.
