mastersthesis-120506103336-phpapp02

7/31/2019 mastersthesis-120506103336-phpapp02

1/79

1

Heidelberg University of Applied Sciences

Germany/Heidelberg

Faculty of Informatics

Master Thesis

Business Process Modeling in the field of Information Security

Submitted by

Vishal Sharma

Supervised by

Prof. Dr. Gerd Mckel

Dr. Peter Misch

August 2011

Companys Supervisor: Dipl. - Ing. Thomas Brandtstaetter


2/79

2


3/79

3

Business Process modeling for the sake ofInformation Security

By

Vishal Sharma

Matriculation no: m1000830

A thesis submitted as a pre-requisite for the

Degree of Master of Science

Thesis Advisory Committee

Prof. Dr. Gerd Mckel & Dr. Peter Misch

Heidelberg University of Applied Science

Ludwig-Guttmann-Strae 6

69123 Heidelberg

Germany

Dipl-Ing. (BA) ThomasBrandtstaetter

BROTEX Synargos GmbH

Max-Eyth-Str. 21

72622 Nrtingen

Germany


4/79

4

Affidavit

Herewith I declare:

That I have composed the chapters for the Master Thesis forWhich I am named as the author independently;

That I did not use any other sources and additives then the ones specified;

That I did not submit this work at any other examination procedure;

Heidelberg,

(Date)______________________________

(Signature)______________________


5/79

5

Acknowledgements

Following the Indian tradition, first I would like to give my heartiest thank to the

Germany and its people who have accepted me here and gave me an opportunity to

learn and to move further in my life. Not forgetting about my family after staying

away from them for almost two years and who are the pillars of my life that alwaysstand by me to give me the strength to accomplish whoever I am today.

Mr. Thomas Brandtstaetter as my mentor, who has always gave me an inspiration to

achieve the best and to think in an eco-economic manner which is fruitful to the

whole society. I would like to give him my thanks to be with me all the time during

this project. As an Indian the most important people in my life are my teachers

(Gurus) Prof. Dr. Gerd Mckel and Dr. Peter Misch, the most generous persons I met

and the whole staff of Fachhochschule Heidelberg, who always helped me and

always motivated me during my studies.

Last but not least the whole Staff of BROTEX Synargos who has always shown me

the right path, and provided me with all the information which I needed during the

six months, and always spend their useful time for me to discuss things about my

project.


6/79

6

Table of ContentsAbstract ................................................................................................................................ 91 Introduction ............................................................................................................... 11

1.1 Various Techniques ............................................................................................... 161.2 UML ........................................................................................................................ 161.3 SOA ......................................................................................................................... 181.4 BPMN2.0 ................................................................................................................ 191.5 Advantages over others: ........................................................................................ 192 Company Profile ........................................................................................................ 22

2.1 History .................................................................................................................... 232.2 Core Business ......................................................................................................... 242.3 Cryptography-Typical Application ..................................................................... 252.4 Hardware Security Module in Crypto Server-Implementation ........................ 252.5 HSM IBM 4764-001 Internal Architecture ......................................................... 262.6 FINPIN ................................................................................................................... 272.7 Functions ................................................................................................................ 283 Conceptualization ...................................................................................................... 293.1 NIST ........................................................................................................................ 293.2 FIPS ........................................................................................................................ 293.2.1 FIPS 140-2 Level 1: ............................................................................................... 303.2.2 FIPS 140-2 level 2: ................................................................................................. 303.2.3 FIPS 140-2 level 3: ................................................................................................. 303.2.4 FIPS 140-2 level 4: ................................................................................................. 30


7/79

7

3.3 ISO 27001: ............................................................Fehler! Textmarke nicht definiert.3.4 VISA PIN Security Requirements Audit: ........................................................... 323.5 PCI DSS: ................................................................................................................. 343.6 Devices used ........................................................................................................... 353.7 HSM: ....................................................................................................................... 353.8 Crypto processor ................................................................................................... 373.8.1 Functionality: ......................................................................................................... 373.9 Payment Card Industry PIN Security Requirements: ....................................... 373.9.1 Objectives ............................................................................................................... 383.10 Establishing Security Measures ........................................................................... 383.11 Risk assessment: .................................................................................................... 414 Chapter 4 Solution .................................................................................................. 514.1 Prototyping ............................................................................................................. 51

4.1.1

Key Ceremony ....................................................................................................... 55

4.2 ISO 27001 Based Risk Analysis ............................................................................ 584.3 PCI-DSS Based Risk Analysis .............................................................................. 614.4 Master key Management ...................................................................................... 625 Chapter 5 Tools ....................................................................................................... 685.1 Bonita Soft: ............................................................................................................. 685.2 Bonita User Experience ......................................................................................... 706 Future Prospects ........................................................................................................ 727 Table of Figures ......................................................................................................... 758 Abbreviations ............................................................................................................. 769 Bibliography ............................................................................................................... 78


8/79

8


9/79

9

Abstract

We are heading towards the next generation solutions for making life better with the help

of technological advancements -we always talk about futuristic solutions:

How we could make the best for our upcoming generations which should be ecological and

fruitful. But we sometimes forget about the fundamentals that assist to achieve those things

- we have the ideas, we also have the aim in our mind - but still we are not able to get the

unsurpassable results out of those things that already exist. Technology has really helped a

lot to achieve that target of making things better: so that it could assist us to work well in

organizations, dealing with the problems and most importantly for the people to live their

life in a more valuable way.

This Master thesis is dedicated to those situations where a normal human intelligence is notenough to manage certain complexities around us: Of course with the help of technology

and our brain power. Whatever we do in our life, it basically consists of some steps to

reach a goal. We start in the morning, when we wake up and everybody tries to give his or

her best to make the most out of a day, but still sometimes we are not able to meet those

goals that we decide for when we wake up. Thats because sometimes we forget to follow

our own rules or sometimes we stick to our rules enough that we cannot even see the other

possibilities which can affect our whole process of reaching somewhere.

This is the case of only our every days life, but here we are more concerned about a much

more complex process which is Information Security, so I am trying to represent my viewsto ensure optimum Information Security and particularly in the field of Payment Card

industry. In last few years we all have been moved to electronic medium of managing and

maintaining vital information: Internet, Mobiles are good examples. We have tried all the

ways to make it more and more secure but still we have seen a lot of issues while

maintaining it.

This thesis is a research work of such issues and how we could handle them with the right

approach. Securing information is one of the most critical tasks in todays world as the

cloud of information is increasing every day. Thats because the interaction of humans

with the machines is increasing at a very rapid rate. As you can see, the dependency ofmanaging the information with the help of machines has notably increased, as a result,

complexity of the processes has also increased. As a consequence, inability to managing

the vital information is also increasing.

Off course machines have made our life easy but think about a world where you cannot

even prove who you are because of the lack in the process of securing the content. The idea

is to overcome the issue of being lost in possibilities.


10/79

10


11/79

11

1 IntroductionMy work starts from the definition of, What is a Process and I would answer that a

process is nothing more than a set of rules to reach certain results in an optimum manner.But this is a very simple definition of the word Process, and everybody learns it from

their childhood to achieve the best at their school, in various subjects, different sports and

other activities etc. And the nature of doing it in a way to achieve the optimum comes

automatically. So my point is everybody is the manager of its own life and the various

processes around it. But still we can easily see that we rely on different strategies,

techniques and at most the technology to make things better e.g. we use technology to get

things done automatically and faster.

But if we come to the reality of complex processes in the corporate world, in these kinds of

situations ordinary human intelligence is not enough to handle everything by its own and

there comes the role of IT. It came into existence in the late 60s and since then it has

played a major role in everybodys life. As a result, we have been trying to automate the

things in almost every aspect of life. But we never asked ourselves that are we making the

best out of IT and my answer is yes but only up to some extent.

As we look at todays process infrastructure in any industry, its very dynamic and very

complex in almost every aspect. So we need the concept of Business process modeling to

make it easy for the users to view, to find solutions around the complications, to manage

things in a useful way.

The basic idea of Information Security works on three elementary pillars:

Availability Integrity Privacy

In context of information security, if there is no privacy, its not worth it, if it is not

available then there is no use, if there is no integrity then we have lost the authenticity. So

to achieve the maximum security we should consider all three points, as without each other

they are incomplete and none of them make any sense.

In a more precise view the concept of availability depends on the infrastructure like

optimal system resources, power backups, backup of the information, disaster recovery

management etc. Second thing is to ensure the Integrity in order to provide trustworthy

information processing system: We must take care that information should be viewed in

the same manner as it is entered. Third and the most important pillar of information

security lead to maintaining the privacy -which in terms leads to granulated access control

to information, secured by the means of applied cryptography.


12/79

12

When we talk about privacy in the context of applied cryptography, the first idea that

comes to our mind is encryption and decryption, as we encipher the content and send it to

the desired user and the designated recipient can decipher it to read the original content.

This is the most basic definition of maintaining security by applying the methods of

cryptography for securing privacy. But in a real working environment it becomes more

than the simple definition, as additional security requirements needs to be considered:

Where do we want to ensure security? What information needs to be secured? Which quality requirements are appropriate? How much we can invest into security precautions?

Especially the aspect of applied cryptography receives a more detailed augmentation along

this thesis. Cryptography on the one hand is a discipline covering more than justencryption algorithms and associated cryptographic keys.

Most commonly, these algorithms are implemented in software libraries (e.g. OpenSSL,

NSS, CyaSSL, and many others) which can increase overall system security indeed. By the

way, OpenSSL has evolved to be a widely used and integrated cryptographic service

provider (SSL, 2011)

A closer look into the architecture though, reveals the focus of next generation cyber-

criminals and hackers: having potentials for compromising cryptographic key material. In

case an adversary gets access to the clear values of cryptographic keys, he has access to theinformation realm protected by these keys.

Hence, the protection of cryptographic keys is an essential requirement to meet the basic

security requirements mentioned above.

In order to illustrate the potential risks behind the scene: whenever cryptography is

processed in software using a cryptographic service provider such as OpenSSL, a system-

dump, provoked by an adversary or caused by erroneous programming, can lead to a key-

compromise. Thats because, the keys in operation need to be available in clear form

within application memory.

This may sound to inherit a very theoretical probability and even professional risk

managers, today may still ignore the possible impacts, but such attacks are already

becoming reality. In order to reduce the risks for this kind of key-compromise method,

special crypto-hardware can be applied to backend-servers, in order to encapsulate

cryptographic functions and keys using tamper resistant security modules (TRSM, or more

abstract: Hardware Security Modules HSM). Well defined protection profiles, aligned

and certified to international and open standards, enable the highest level of risk reduction

covering the technological aspects regarding applied cryptography.


13/79

13

Another scenario covers the usage of untrustworthy keys, in case an associated notary

function has been compromised. Notary functions for assigning higher trust-levels to

cryptographic key material using digital signing methods based on cryptography are

typically implemented as a Certification Authority (CA) for digital certificates. As a matter

of fact, digital certificates can be seen as todays pillars of the stage, on which the play of

applied cryptography is performed, especially covering the act Trusting the internet and

its web-services.

As an example, a possible man-in-the-middle attack, using rogue digital certificates, can be

named. Further information regarding the recent attacks on CAs like Commodo and

DigiNotar can be found here:

Unauthorized issuing of Google certificatesSource: Sophos. (2011). naked Security. Retrieved September 4, 2011, from

http://nakedsecurity.sophos.com/2011/08/29/falsely-issued-google-ssl-certificate-in-the-wild-for-more-than-5-weeks/)

Source: Hack on DigiNotar: Arstechnica. (2011). Retrieved August 3, 2011, fromhttp://arstechnica.com/security/news/2011/09/comodo-hacker-i-hacked-diginotar-too-

other-cas-breached.ars

A brief resume of the above mentioned cases reveals that the security cannot beachieved solely by integrating technological measures, without a strong focus on

the organizational measures.

This thesis will focus on possible misconceptions, unveiling the missing link in the overall

security equation and how possible mitigations can be implemented, especially on the basis

of holistic and risk-managed business process management and its dedicated workflows.

If cryptographic key-material is not managed properly, e.g. on time, then system-

availability cannot be assured. Certain keys must be securely generated, distributed and

imported at a corresponding crypto node on a cyclic basis, for instance yearly. In certain

cases when a key would not be provided in time, a business service may disrupt for

duration longer than demanded, thus harming business processes by causing severe

revenue losses.

Various international solution manufacturers have started responding to the growing need

for holistic enterprise key management systems and infrastructures over the last 10-20

years. As of today, the outcome can be reduced to a simple conclusion: even though many

key-management tools exist, they are mostly island-solutions, lacking standardization or

standards-harmonization, thus introducing a multitude of key-import-formats and

processes, leading to expensive investments for integration or increasing the possibility for

single-point-of-failure.


14/79

14

Even though standardization efforts show significant improvements, such as KMIP (Key

Management Interoperability Protocol) driven by the OASIS Group, the outcomes are

solutions mainly on the technological level, missing attention on the organizational level.

Due to resort-boundaries within organizations and different perspectives and priorities

along the management-lines, lacks in the organizational aspects of information security aremost common.

Uncertainty of employees, impacts of change management, the effects of mergers and

acquisitions, time-pressure on projects due to rapid market developments and oversized

shareholder expectations, lead to a very dynamic business environment. Therefore easily

disturbing business continuity and degrading the awareness for establishing and

maintaining a holistically oriented information security management system on a cross-

company level.

While discussing an overall concept of IT-based orchestration of Business Process

Management on the one hand, I will also guide a down-the-rabbit-hole journey through the

roundabouts of the administration and management of critical cryptographic key-material

for cryptographic service providers.

These are typically anticipated to be black-box systems and operations on the IT system

administration level, providing required cryptographic services to various levels of

information processing components, like business-applications, middle-ware, operating-

systems, network-devices and information long term storage.

In todays business-world, there is a significant and growing demand for information

security based on applied cryptographic services and therefore also cryptographic keys.

The evolution has taken place in a rather subtle manner, multiplied by the achievements of

the internet-era and increasingly being under severe compliance-pressure due to the

multitude of successful attacks by cyber-criminals or even just system-failures, as a

consequence of underestimated quality-assurance and inexplicable processes and

workflows.

Therefore, an enterprise can face pervasive dependencies inherited in the IT-landscapecaused by missing knowledge about the lifecycle and whereabouts of cryptographic key-

material. As an example: not knowing about the whereabouts of cryptographic keys, can

lead to severe conflicts with national laws, in case law-enforcement agencies are entitled to

access company information within an investigation. Access to information can require

decryption of an information database, which can be hindered, if the corresponding

encryption-key is not accessible or cannot be recovered.

Resuming the above mentioned, the establishment and operation of cryptographic

infrastructures requires more than conventional system integration of IT-Systems. Each


15/79

15

implementation of a cryptographic service provider and its exploitation by applications

affords profound system-planning and process integration.

A very crucial aspect in this context is the risks being introduced with initially setting up

cryptographic infrastructures. Professional, trustworthy and obviously certified crypto-

equipment (Smartcards, Smart-Card readers, Password Tokens, Hardware SecurityModules (short: HSM, also called tamper resistant security Modules: TRSM)) requires a

primary protection layer, which needs to be managed using well-defined and approved

workflows under dual control and/or co-signing.

Source: In Personal communication with:

Brandtstaetter, T. (2011). Cyber Crime. Nrtingen: In Personal Communitaion.

The whole concept of protecting cryptographic keys starts from generating a key alsoknown as a Master Key so that it could encrypt or decrypt other keys lying in the key

hierarchy. This is the most essential requirement for maintaining the security. But as I have

already mentioned, the concept of applying cryptography depends on many other factors

especially regarding the realm for which we want to achieve the security goals. Due to vast

amount of standards that should be met by the industries and the international compliance

guidelines that may have to be followed, the location of the area in which one wants to

apply cryptography should be carefully checked according the national laws. In these kind

of situations may be you wont be allowed to use certain cryptographic algorithms or must

limit the key length to be used. In these cases for instance, the operational controls forcryptographic infrastructures exceed the white-paper presentation usually found on applied

cryptography.

To scramble up a more practice oriented approach, this master thesis is basically

considering the area of payment card industry in terms of Information Security which is of

course very crucial in todays global world. Almost everybody uses ATMs these days to

withdraw money from their bank accounts but most of the people dont know how they

work. Because people increasingly rely on standards like VISA, PCI PIN Security

Requirements, PCI-DSS, they may think that it must be secure enough if they are

following these standards. But still every day we can see a lot of forgeries and a lot ofhacks everywhere around the world and most of the time they arise because of human

negligence. This thesis will provide a strategic and practicable approach to overcome those

loopholes, which are more of an organizational nature rather than being only technological.

Because technologically we are advanced enough to make the system secure but in order to

achieve and maintain that level we depend on more than only highly diverse technologies.


16/79

16

So here I am trying to give a strategic approach to follow a plethora of standards and to

achieve the maximum information security possible, reducing mistakes, covering a

multitude of loopholes and balancing efforts:

1.1 Various TechniquesThe complexity of the various technologies is increasing every day and the desire of

making them simpler is increasing as well. Lots of ideas have come and gone in the past to

make the world simpler but only few persist. If we talk about simplicity then we vision an

interactive system with which we can interact and which can give the answers to our

issues, which can maximize the profits, maximize the outputs, minimize the risks,

maximize the possibilities of change management etc. Below I introduced some strategies

that we have used so far on which we still rely at different levels, depending on the

different scope of requirements.

1.2 UML

The techniques of Unified Modeling Language (UML) are used to model some artifacts,

like to specify, modify, visualize and construct during the System or Software development

process. It came into the market after hard work from Rational Software Corporation.

UML provides us with a very good way of understanding different aspects and

perspectives of a software or system with the help of standardized diagrams for modeling.

We can easily design prototypes and the blueprints for testing purpose.

Advantages:

We can use it to re-engineer existing systems, for instance, if these were not properly

documented. Using UML improves collaboration and co-operation within larger

development teams, enables cost reduction in external auditing and support interactive

work during the SW-Engineering process.


17/79

17

Figure 1-1

Source: Ambler, S. (2010). fox.wikis. Retrieved August 2, 2011, from

http://fox.wikis.com/wc.dll?Wiki~BusinessRulesAndUML

UML has started the first revolution to handle the complex business processes. It has

provided many useful elements to keep track of the process and to visualize it for the

simplicity.

Activities Actors Business Processes database Schemas Logical components Programming Language components Software Components


18/79

18

1.3 SOAService oriented Architecture, it is a combination of different services which are looselycoupled but at last we can make the benefit out of combining them together. It is kind of a

framework that covers various disciplines to conceptualize, analyze, design, and architect

their service-oriented assets. It was a great achievement for us to come to this point as

SOA has given us a power to integrate various things together and to give the optimal

output. But still it was basically meant for the IT industry, which is not enough if we deal

with the complexity of todays world.

Figure 1-2

Source: Corbasson, L. (2007, December 24). SOA. Retrieved August 1, 2011, fromhttp://en.wikipedia.org/wiki/File:SOA_Metamodel.svg


19/79

19

Disadvantages:

The both models mentioned above, concentrate on issues regarding the IT industry and

dont cover the holistic aspects of business process in any kind of industry. They both arefocusing on the development of software and systems in the field of IT, but they are not

aligning to the process-oriented business demands, that incorporate IT beyond todays

system integration of island solutions.

1.4 BPMN2.0Business Process Modeling Notations 2.0,itcomes with a lot of hopes and a lot of

expectations for many industries which are trying to automate their processes for a long

time; its been a big problem for a long time in industries and in general to handleprocesses. People in different industries have been surrounded by this question since years

that how to generate culminating results out of any process. Many management techniques

were introduced, to handle the various issues within the industry (like policy management,

risk management, disaster recovery management etc.) but we never were able to

conglomerate all issues together to provide the unrivaled solution. We have tried to work

with different technologies so that we could manage different processes as I have already

mentioned a few of them above. But BPMN has provided all those functionalities and gave

us a platform which is not only suitable for the IT industry but it can fulfill a wider scope

of requirements depending on the demands of various industries.

1.5 Advantages over others:As I have shown above two basic approaches to fulfill our intrinsic requirements, the

comparison to BPMN has its limitations.

Regardless of fulfilling our needs not only in IT, it gives us a wide variety of tools to play

with it as well. This eventually makes it more concrete to measure the complexity, andmore scenic. It also provides a much better chance for users to understand it easily. It has a

wide range of notations that can give us a lot of freedom in designing in order to reduce the

complexity. Some of its features are as follows:

We can design and implement various complex processes(like in designing acar)

Choreography


20/79

20

Orchestration Ease of Use Easy to visualize Human tasks Gateways Message Flows Group Tasks Collaborations

There are many tools available in order to apply BPMN to the design and implementation

of any work flow or the modeling of any process. But its always a challenging task to

decide which one to choose.

During the progress of my work, many options were available. Since, I intend to attract

towards open public for the topic of my thesis. I have focused on open source tools only, in

order to promote rapid applicability

The bewildering variety of open source technologies and solutions is obviously steadily

increasing, so I also wanted to contribute to this development. I have chosen to analyze the

following candidates:

Activiti

Source: Activiti. (2011). Components. Retrieved May 20, 2011, fromhttp://www.activiti.org/components.html

JBPM5

Source: Community, J. (2011). JBPM. Retrieved May 20, 2011, from Documentation:http://www.jboss.org/

Bonita SoftSource: Bonita Open Solution. (2011). Bonita Soft. Retrieved May 20, 2011, fromResources: http://www.bonitasoft.com/

It depends on the requirements, which tool to choose, because every tool has some

advantage over the other. So it depends exactly on what we actually need to do, the

complexity of the process or the whole infrastructure we have to cope with. For my work I

would like to prefer Bonita Soft for further evaluation and prototyping.


21/79

21

According to Forbes magazine companies relish the prospect of reducing complexity,

while cutting and maintaining IT infrastructure and thats the main motive behind the

introduction of BPMN in market. So with the help of BPMN we cannot even reduce the

complexity but we can also reduce cost, reduced stressed etc. so far these are theachievement of BPMN.


22/79

22

2 Company Profile


23/79

23

2.1 History1992 2009 SYNARGOS GmbH

- International projects with leading banks, manufacturers andproviders (data processing centers, outsourcing)

- Design and implementation of applied cryptography (key-management and protocols) using hardware security modules(HSM) for banking networks, based on solutions from leadingmanufacturers for achieving highest security ratings possible(NIST FIPS 140-2 Level 4)

2010 - 2011 BROTEX Synargos GmbH

- Continuation of line of business- Business extension to infrastructures for business processes

based on mobile computing: RFID, NFC (near fieldcommunication), secure user authentication using smartphones

Establishing & Securing critical Business-Processes Project development Software and systems engineering


24/79

24

2.2 Core Business

1. Establishing & Securing Business-Processes Securing electronic payment systems for financial transaction solutions via

dedicated and internet-based networks (home banking)

Card based payment systems in networks running ATM and POS

2. Project & Solution development

Requirements-Management Feasibility studies Consulting, Training & Education Tendering support Project management Sub-contracted and full scale project realization Security and Risk Management (ISO 27001) Audit Support (PCI-DSS, VISA PCI PIN Security Requirements)

3.

Software and systems engineering

Standard processes and methodologies Architecture, Design and Quality-assurance using the methodologies of

cybernetics


25/79

25

2.3 Cryptography-Typical ApplicationToday, applied cryptographic methods reaches, almost all areas of information

processing. Typical applications are:

The encryption of personal data e.g. credit card information Securing the information while transmission within Card based payment

systems The calculation of personal data for pre-personalization of chips for smart

cards The production and use of digital signatures for certificates signed by

Certification Authorities.

2.4 Hardware Security Module in Crypto Server-Implementation The MX42 crypto server is delivered as an appliance with one or more

HSMs The production of the appliance is done at BROTEX Synargos which

processed highly secured and with maximum measures regarding qualityassured components and quality-assurance processes:

- Hardware platform: IBMx3650 server, IBM 4764-001HSM(certified to FIPS 140-2 Level 4)

- Software platform: SUSE Linux Enterprise server(Certified byCommon Criteria EAL4+), IBM CCA Services (Basic Crypto API),BROTEX Synargos MX42 FINPIN Software(SW-Engineeringusing Rational Unified Process and Extensions using V-Model whenrequired by customers)

The integrity of the appliance is detectable


26/79

26

2.5 HSM IBM 4764-001 Internal Architecture

Source: IBM. (2005, October). Security. Retrieved August 2, 2011, from Crypto Cards:www-03.ibm.com/security.cryptocards/pcixcc/library.shtml

Figure 2-1


27/79

27

2.6 FINPIN

Background of Cryptographic Abstraction Layer

Name origin: Financial PIN Services Description: FINPIN is an Application Programming interface Architecture: Client Server Licensing: As a feature enhancement to the crypto server MX42 Usage: Application can use the cryptographic services of MX42 Crypto

server via FINPIN API. FINPIN provides the basic features but you can also

add other features

Characteristics:The interface is expendable FINPIN

The parameterization of key names is flexible and it provides a generic

referencing for the application

Inside the Crypto server a FINPIN call can be divided into several crypto

functions

No clear key or the intermediate results of cryptographic protocols outside

the HSM

The application is decoupled from the key management

Key administration for the initial keys e.g. Master key of the HSM, delivery

of the Transport key


28/79


29/79


30/79

30

information. Amongst these standards, some are covering the security demands for the

implementation and accreditation of cryptographic modules: FIPS 140 here especially

FIPS 140-2.It is basically categorized in to four levels:

3.2.1FIPS 140-2 Level 1:

This is the lowest level of security, it prevail limited level of security and remarkably good

level of security is actually absent in this level. An example of the security level 1 is the

mother board of the personal computer encryption board or the FIPS validation of

OpenSSL being validated to FIPS-2 Level 1.

3.2.2FIPS 140-2 level 2:

It adds the concept of the physical tamper-evidence devices that just pick up the resistancefrom the outside world related to the device. It is actually kind of a seal which places over

the cryptographic devices so that an attacker has to go through this layer of coating and if

he or she will break this coating then the authorized person will be informed and it also

facilitates the availability of the role based authentication.

3.2.3FIPS 140-2 level 3:

In addition to the tamper-evident, level 3 also ensures that the intruder cannot have the

access to the Critical Security Parameters held within the cryptographic module. This layerespecially focuses on the physical intrusion of the module and how to handle it. It also

ensures the security by the concept of the split knowledge, because of which you can trust

the system can trust yourself and can trust others, thats why the knowledge is always

divided into two people.

3.2.4FIPS 140-2 level 4:

This level enforces the maximum level of security for cryptographic modules, providing

tamper-detection and tamper-prevention of attacks, forcing an internal overall mesh-coating for achieving maximum resistance against tampers. Also enforced are protection

against X-Ray tampering, atmospherically tampering (temperature, surrounding air-

pressure) and voltage-tampering; the module must exactly test and detect all possible

tampers in its operating environment and in case of a tamper -zeroize all security elements

within the module, thus taking the device out of operation and preventing successful

attacks.

Source: BROTEX Synargos. (2011). FIPS. Nrtingen: Communication with in thecompany.


31/79

31

Another most important standard is ISO 27001which is by far the basis for defining a

management process to assure information security. Being into this kind of industry andfocusing on the optimum security measures one should adhere to theISO27001 standards

family. Initially the British Standard Institution has developed a standard called BS7799

which was used to develop and implement an Information Security Management System

commonly known as ISMS. Its main focus was on the availability, integrity and the

confidentiality of organizational information. But it was initially a single standard and later

on they have added some more information to it and then it became ISO 17799. And then

ISO 27001 mandate the use of the BS7799 so, It is actually today the second part of the

ISO 27001. It is also beneficial for companies who already have ISO 9001 standard which

basically ensures a quality process.

ISO 27001 basically consists of four steps which covers most of the organizational security

measures.

PLAN(Establish the ISMS):Establish the ISMS, policy, objectives, processes and procedures that are relevant for

managing risks and improving information security to deliver results in accordance with an

organizations overall policies and objectives.

DO(Implement and operate the ISMS):

Implement and operate the ISMS policy, controls, processes and procedures.

Checks (monitors and review the ISMS):Access and, where applicable, measure process performance against ISMS policy,

objectives and practical experience and report the results to management for review.

ACT(maintain and improve the ISMS):Take corrective and preventive actions, based on the results of the internal ISMS audit and

management review or other relevant information, to achieve continual improvement of the

ISMS.

Source: ISO-27001. (2011). itgovernance. Retrieved July 10, 2011, from Compliance:http://www.itgovernance.co.uk/iso27001.aspx


32/79

32

1

Figure 3-1

3.3 VISA PIN Security Requirements Audit:Visa explains in its standard management of the master key which starts with its

generation. As I said above that enciphering of data can be done with the help of a key and

at the top most level in the hierarchy of keys it is called Master Key. We need to take some

precautions while managing master keys and VISA helps us to do that.

We need to set up an environment to manage the whole process. The first and the foremost

thing, is to have a minimum of dual control for every process so that there will always betwo people who are responsible for the management of the master key. The reason for this

is to secure the master key from the person himself. By dual-control the knowledge about

the secret (master key) is always segregated among two people so that without each other

they cannot receive the knowledge of complete final key.

It depends on the security policies, in how many pieces we divide that key, and we can

even divide it into three parts depending on the policy we are using. So the master key

1Created by author


33/79

33

always consists of minimum two parts and to do so we need two at least two people (key

custodians and their deputies) who are responsible for this purpose. So the first thing is to

decide who these two people are going to be, it depends on the management where we are

implementing it, in our case we will call them Custodian 1 and Custodian 2. So according

to the Visa requirements there are basically 7 stages to ensure the security of the key.

Secure equipment and methodologies Secure key creation Secure key conveyance/Transmission Secure key loading Prevent unauthorized usage Secure key administration Equipment management

Source: VISA. (2004). PIN Security Requirements. Retrieved May 20, 2011, fromhttps://partnernetwork.visa.com/vpn/


34/79

34

3.4 PCI DSS:Payment Card Industry Data Security Standard is an information security standard covers

data security requirements regarding security of personal data of a banks customer, who

holds the credit cards, debit cards, prepaid, e-purse, ATM, and POS cards etc. This

standard was basically meant to reduce the risk of the fraud in the payment card industry. It

applies to all the entities which are involved in the payment card processing like

merchants, processors, acquirers, issuers, service providers as well as all the other entities

which process and store the card holders details.

There are 12 requirements for meeting the PCI DSS which are divided into 6 groups

Build and Maintain a Secure Network

Requirements: Install and maintain a firewall configuration to protect cardholder data Do not use vendor-supplied defaults for system passwords and other security

parameters

Protect Cardholder DataRequirements:

Protect stored cardholder data Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management ProgramRequirements:

Use and regularly update anti-virus software Develop and maintain secure systems and applications

Implement Strong Access Control MeasuresRequirements:

Restrict access to cardholder data by business need-to-know Assign a unique ID to each person with computer access Restrict physical access to cardholder data

Regularly Monitor and Test NetworksRequirements: Track and monitor all access to network resources and cardholder data Regularly test security systems and processes

Maintain an Information Security PolicyRequirements:

Maintain a policy that addresses information security


35/79

35

Source: PCI-DSS. (2011). PCI Data Security Standanrds. Retrieved May 20, 2011, fromhttps://www.pcisecuritystandards.org/security_standards/

3.5 Devices usedThere are also some kinds of devices that we use to reach the maximum level of security

some of them are as follows:

3.6 HSM:It stands for Hardware Security Module, and is defined as a piece of hardware-component

and associated software that is usually installed inside a computer and provides a tamperresistant environment for itself. An HSM basically used for secure generation of key

material, encryption, decryption, hashing etc.

There are many HSM manufacturers that are available in the market today but IBM is one

of the global players and also the most renowned in the HSM market, being the first

company in the market to have achieved FIPS 140-2 Level 4 validation for their HSMs by

NIST.

IBMs tradition in participating in the HSM market with cryptographic co-processors that

can be additionally installed by customers in backend servers, reaches back to 1989, wherethe first HSM in form of cryptographic co-processor, being a tamper resistant HSM named

IBM 4755(adapter card) and IBM 4753(Network Security Processor for IBM mainframes)

were introduced. Along with this product availability IBM introduced IBM CCA.

Today IBM has basically two products which are available in the market: IBM 4764 and

IBM 4765, whose cryptographic services are made available to applications via the IBM

Common Cryptographic Architecture (CCA)

Even before the CCA era, IBM provided tamper resistant cryptographic modules as system

immanent components, for instance on the IBM 4700 controller series, which reaches back

to the seventies.

Being designed for long durations of operation, the IBM HSMs are used by top 500

companies, especially the ones using IBM mainframes (zSeries). In case of proper

maintenance, meaning regular exchange of batteries, the HSMs can be operated for

duration up to 10 years.


36/79

36

Figure 3-2

Source: IBM. (2011). Security. Retrieved August 2, 2011, from Cryptocards: http://www-03.ibm.com/security/cryptocards/pcixcc/4764SerialNumbers.shtml

It does not only provide the security by its tamper proof architecture, but also acceleratesthe processing time -for functions like key generation, encryption, decryption and digital

signing. There are many kinds of algorithms available today for the encryption and

decryption and some are really complex and also consumes too much CPU power when

using software crypto libraries on a server. When we talk about the payment card industry

then of course we are thinking about a very high volume of transactions requiring crypto

operations every day. So of course we need to handle the operations very quickly and in

some cases HSM can successfully off-load a servers CPU usage- when performing crypto


37/79

37

operations. And the most important thing is that these versions of HSMs from IBM qualify

the maximum level of security standards called-FIPS 140-2 Level 4.

Source: BROTEX Synargos. (2011). FIPS. Nrtingen: Communication with in thecompany.

3.7 Crypto processorCrypto processor is nothing more than a chip embedded in an HSM for carrying out

cryptographic operations. It also provides a certain degree of tamper resistance.

3.7.1Functionality:

In general how do we ensure the security is to bind the software to a piece of hardware so

that only the legitimate user can have access to the software: But in order to prevent not

only the execution of the software on other machines but to protect the entire software

from any access, we require a security perimeter that keeps unauthorized reverse

engineering from observing the memory and the execution of instructions. The manual

solution is to keep the computer into a locked room so that only the desired people can

have access to the hardware and the software but the problem lies there, only few peoplecan have access to the room. But there is another approach which is called as IBM's

ABYSS project. Here the security perimeters protect a single printed circuit board inside

a workstation. The operating system and cryptographic keys are stored in battery buffered

static RAM chips that are located on the same board as the CPU, the system bus, the hard

disk controller, a real time clock and a battery. The board is surrounded from all side by an

alarm mechanism that consists of a multilayered winding pattern of a pair of fine wires,

which is embedded into hard opaque epoxy resin. And any attempt to hamper the security

module will trigger the alarm and wipe out the software and the keys from the battery

buffered RAM.

Source: Kuhn, M. (1997, April 30). Cambridge. Retrieved May 20, 2011, fromhttp://www.cl.cam.ac.uk/~mgk25/trustno1.pdf

3.8 Payment Card Industry PIN Security Requirements:It basically consists of 7 objectives which tell us all the required parameters to ensure the

PIN security.


38/79

38

3.8.1Objectives

PINs used in transactions governed by these requirements are processed usingthe equipment and methodologies that ensure they are kept secure.

Objective : Cryptographic keys used for the PIN encryption/decryption and related keymanagement are created using the process that ensure that it is not possible to predict any

key or determine that certain keys are more probable than others.

Keys are converted or transmitted in a secure manner. Key loading to hosts and PIN entry devices is handles in secure manner Keys are used in manner that prevents or detects their unauthorized usage Keys are administered in a secure manner Equipment used to process PINs and keys is managed in secure manner

Source: PCI-DSS. (2011). PCI Data Security Standanrds. Retrieved May 20, 2011, fromhttps://www.pcisecuritystandards.org/security_standards/

So far you have seen that to maintain all the security we need a lot of standards. And it is a

must have condition to follow all these standards to be in this industry otherwise we can

cannot assure the optimum quality. But the standards are so complex that many a times we

commit some mistakes and even these standards tells us all the formalities but they never

tell us how to apply all those and if you look into the details of every standard you can

even find a lot of loopholes. Thats where I am trying to focus in this master thesis.

3.9 Establishing Security MeasuresAs you can understand the importance of a Master key by now, which was generated

during the initial phase the rest of the security assurance will always depend on the

handling and protection of Master Key. But if the master key itself is compromised then

there is no use of securing anything underneath the Master Key-as it is the root cause of the

vulnerabilities. Using various technologies and different standards we safely generate themaster key, which itself is not easy to crack. The next step is the real challenge: that is to

place it into HSM and its real operational environment. Here lies the actual problem. How

we can manage the master key to ensure the security at its optimum?

The standard defines the measures, one should take to ensure the security but they dont

define how we can establish them in a real world enterprise.


39/79

39

We need to start in an upmost hierarchy of any organization that is on the management

level, when establishing an Information Security Management System (ISMS) that

identifies and manage the risks existent to vital assets such as a Master Key.

When business processes are tied to profound ISMS, the awareness is placed accordingly

to manage the risks and assure the measures needed to prevent impacts of possibleloopholes that could lead to compromises of Master Keys.

Information Security:

In my scenario of a holistic coverage of security awareness, starting from Information

Security Management level, all the way down to the operational level, where Master Key

are process on the system level, I want to identify basically three layers which consists of :

1. Management- Risk assessment (which basically consists of ISO 27001)2. Business Process- Following all the standards(PCI DSS mainly)3. System- Management of the master key


40/79


41/79

41

security management as the companies operating their solutions to provide high security

levels to their customers.

So the first step in order to ensure security starts with Risk assessment. Top management

will have to identify and manage the risks for the companys future related to a particular

business and if they want to persist into the business then they have to commit to therequired processes.

Now if you have decided to go for all these standards then comes the second phase which

is line management who will plan to get the desired output or we could say the people who

are responsible for meeting the corporate goals, maintaining the policies and all the

standards. A line manager could be anybody depending on the industry where you are

participating in.

Like in any company we need a person who will handle the probabilities of the risks

regarding the particular working field. In our case he must be a person who will handle the

desired goals in real time to get the desired output that the top management has planned.

He will manage the resources under him to get the predefined result and its his job to plan

how to reach those targets.

The third and last layer I will consider is called Infrastructure Management the people who

are responsible for daily operations as defined by the top management and the line ofbusiness management have planned. They will also have to adhere standards depending on

the industry area you work in, but in the cases of IT-infrastructure operations, the ITIL

standards-framework is a good approach to follow.

3.10 Risk assessment:The top management is responsible to manage the overall risks for the company and needs

to govern, all the necessary measures that need to be fulfilled, so they will generate a set of

objectives and the second line of management will handle all those objectives.

In my scenario top management is responsible for defining the objectives of the ISMS.

The Chief Security Officer (CSO) will decide and plan to which extent an ISMS system is

needed and how efficient its implementation will need to be. Current development and

trends show, that companies accept the international standard ISO27001 as a guideline for

implementing an ISMS, which is the reason why I will further focus on it.


42/79

42

The CSO will identify applicable risks as outlined by ISO 27001, setting a major directive

on how to manage information security. But depending on the business area

diversifications on ISO 27001, other standards could also imply, resulting from the nature

of business risks.

The second line of management will take care of risk assessment to meet those targetsaccording to the desired standards. Various technologies, implementation strategies,

standards an studies are available in the market, that allow individual approaches for

establishing an ISMS

In my work, I have used the RM Studio application from Stiki (Iceland).

This tool is basically used to analyze the security risks while focusing on ISO 27001 and

other security measures. The advantage of RM Studio compared to an implementation of

an ISMS based on EXCEL is the round-trip-management that is possible with yearly audits

and re-certifications as well as the intelligent reporting system that produces assessmentand audit-report on the fly, thus saving considerably valuable time.

It has already predefined all the necessary requirements that can apply to a company, Very

practical is the fact, that standards like ISO 27001 or PCI-DSS are already copied in

verbose into the database of RM Studio, which saves valuable time in editing. In addition,

the standards are available in different languages, making it quite convenient to get ISMS

certification on an international basis, which is essential for global enterprises.

We can also create our own standards or add threats and measures depending on our

demands and assess the risks using the same ISMS tool infrastructure.

The below diagram is the first view of the RM Studio and here you can see that it looks

very user friendly and it has all the parameters as well to calculate the risks.


43/79

43

Figure 3-4

3

Calculate RisksTo calculate the risks on Information Security as defined by the ISO 27001 standard, we

need to define the infrastructure of our information processing landscape, including all the

assets, job roles, availability and the other resources and of course their dependencies on

each other. As you can see in the picture above, first we have to define the business entitiesfor which we are trying to calculate the risks. As we are talking about the security so we

must consider the ISO 27001 all the time, so for this reason whatever we are going toanalyze it will calculate the risk on the basis of ISO 27001. This is the first task to achieve

in any company who wants to do their business securely. ISO 27001 basically tells us to

design ISMS (Information Security Management System) which eventually ensures a

system to tell us about the overall security system in an Enterprise.

Since we have the desired standards integrated in RM Studio, we can easily define our

assets, assign the applicable risks and perform the risk assessment on the fly.

3Created by author


44/79

44

The ISO27001 covers the whole organization but for this thesis my main focus will be on

the Objective A.12.3.1 which says:

Cryptographic ControlObjective:

Protect the confidentiality, authenticity and integrity of information by cryptography. In

further detail that means:

Policy in the use of Cryptographic control: A policy on the use of the cryptographic

control for protection of information shall be developed and implemented.

Key management: Key management shall be in place to support the organizations use of

the cryptographic techniques.

Most of the people always neglect these two most basic problems and even the ISO doesnt

define how to achieve these tasks. So the first thing in any organization is to check whether

they are following these standards or not and if they are then how much is the risk and the

RM Studio provides us this facility to calculate on the basis of above mentioned standards.

The next most important thing that comes is the PCI DSS, if we are working in theinformation security and especially in the banking domain then we will have to follow the

PCI DSS which stands for Payment Card Industry Data Security Standards.

I will give a brief introduction on how to calculate the risk regarding these two standards

but I have to mention that, it varies from organization to organization.

We can easily see in the Figure3-5, various standards but for us means as security wise,

only ISO 27001 and PCI-DSS are important so first we will analyze with the ISO27001

standard and then we will try to find out the risk analysis with the PCI DSS.

In Figure 3.6 we can see that the next step is to define the Business entity for which we are

trying to calculate the risk. In the Business entity we have to provide the basic details of

the company like name, address etc.


45/79

45

4

Figure 3-5

5

Figure 3-6

4Created by author

5Created by author


46/79

46

6

Figure 3-7

The next thing is to define the business assets including all the details of the company.

Figure 3-7 explains this how to define the assets of the company and to get the accurate

result we have to define all the assets of the company that includes all the possibilities

exists in any organization that means the people their expertise, hardware, service levelagreements with the clients etc. Now as you can see in the Figure 3-7 the assets are defined

including all the people involved their dependency on each other and complete

infrastructural assets as well.

6Created by author


47/79

47

7

Figure 3-8

Figure 3-8 explains that how the individual component in the organization are important

for us, and whats their credibility, their security risks and their impact in the organization

which is very important e.g. If the lead developer is not available in the company during

any issue so his availability has to be high during those period where as on the other hand a

person who is doing only the clerical stuff, he is also very important for the company but

his availability is not that important during the critical issues. So regarding all these

questions in mind we have to provide the different parameters in the risk scenarios for thedifferent assets.

7Created by author


48/79

48

8

Figure 3-9

The above Figure shows the risk analysis on the basis of ISO 27001 and different assets

that we have defined earlier. On the basis of values of the assets and availability it shows

us the risk is 2%, which is very low and good for the organization. Now we can also check

it for different parameters like the confidentiality and the integrity how much is the risk.

The below Figure 3-10, shows that now the result have been rises to 1% including the all

the factors in an organization. So it is even far better so by theses all results we can easily

define that we have gone through the risk parameters of the ISO 27001 standards and in

any case if the risk is too high then we can again define the assets and then we could do thegap analysis.

8Created by author


49/79

49

Figure 3-10

9

Figure 3-11

The Figure 3-11 shows here the PCI-DSS standards, we have to do the same things again

and then again we have to check the possibility of the risks and the threats from againstPCI-DSS. If the result is low like 1% or 2% then we could be sure of one thing that we can

go further that means we have successfully followed the PCI-DSS standards as well.

And now the real work start for the information security, initially we had the problem that

there are many standards which are very complicated and how to follow them all. Then we

9Created by author


50/79

50

have seen the utility of the RM Studio which has made our work easy to asses our

organization against these standards. But still the problem is there, even though we have all

the standards but we can still see various attacks every day in news. So there must be a

problem somewhere which is the problem of good management and basically the problem

of following all the complex processes. And to solve all the problems we will take the help

of the BPMN2.0


51/79

51

4 Chapter 4 Solution4.1 PrototypingNow comes the role of Infrastructure Management- the lowest level of management, its

not only responsible for the IT infrastructure to meet the business needs for high

availability, reliability and scalability, but it is also responsible for managing services of

the business process management. It provides us a way to calculate the availability,

reliability, risks management etc. In the past this kind of structure was mainly meant for

the big organizations but today even the small organizations can also make profit with this

kind of approach.

In this chapter I am trying to find some loopholes on the basis of the infrastructuremanager with the help of the Business Process Modeling. It will be used as a prototype to

define the problems using the BPMN2.0. As I have already introduced BPMN2.0 and have

already explained that there are many tools available in the market today so for my

convenience I would use a tool called Bonita Studio. It consists of many facilities which

are using different technologies to solve our purpose. Figure 4-1 shows the basic view of

the Bonita Studio which explains itself that how we could design the workflows. On the

left hand side of the picture we can see the toolkit to design the workflows which consists

of the BPMN2.0 standards.

Source: Bonita Open Solution. (2011). Bonita Soft. Retrieved May 20, 2011, fromResources: http://www.bonitasoft.com/


52/79

52

10

Figure 4-1

As I have already explained in the previous chapter, first we have to follow the generalstandards which are important to be compliant to, so that we could ensure maximum

security possible. First we have to go through all those steps to achieve the certifications

and to calculate risks in an enterprise accordingly.

Top Management: get ISMS certified according to ISO 27001 Business line: get certified according to PCI-DSS(while interacting with

ISMS)

Infrastructure: make sure, that processes meet required quality goals andprovide audible trails, adhering to policies directed by layer 1 and 2

respectively.

Then we come to the details of Master Key management.

Master Key management is a very complicated issue and the operational issues lie at the

bottom of the whole organizational hierarchy. In reality, experience shows, that dual

control can practice with compromises, as a result of project-pressure (e.g. change requests

10Created by author


53/79

53

in exceptional situations) or degrading awareness and knowledge, due to employee

fluctuation. So, if a decision is made to have a single key-custodian process both parts of a

Master Key, then the key by definition is compromised. The associated crypto system may

still operate fully functional, but when it comes to an audit in the future, especially

connected to the implications of a successful and published hack by cyber-criminals, the

business itself may be faced with severe losses.

Bottom Line: if a Master Key is not properly secured, because the responsible persons forthe key ceremonies do not follow a pre-defined process, then nothing beneath it will be

secure.

It doesnt matter which standards we are trying to comply to. Even after following all the

security measures and all standards we are not able to ensure the provable protection of

Master Key.

So in this chapter I will try to outline solution which can be used to overcome the issues ofprocess disruption during Master Key management. The idea itself is not new and it is a

conglomerate of all the standards that we have talked about earlier.

As according to VISA, the whole process has to be divided among two people so that the

possession and knowledge is segmented among two which is also called secret splitting.

One custodian therefore has no knowledge about the second part of Master Key. Without

the second part final Master Key cannot be reconstructed.

This is an essential step to ensure the highest level of trust in processing this kind of vital

asset.

If only one person would be responsible for the whole process, then lots of problems come

up:

Insider attack: if the person turns out to be corrupt, the organization can beheavily damaged(all business processes go out of operation, reputation

damage, customer resigning due to loss of trust)

Social engineering made easy: it is easy for the attackers to leak outinformation from just a single person, as compared to retrieving it from

segregated knowledge.

At any place the process starts from establishing an environment which has to be properly

defined and configured to produce the optimum output. So we will need at least two people

to handle the whole process at any cost (keeping in mind that substituted, also called

deputies, need to be assigned also). We will call them custodians for our own convenience

with specific rights to manage the master key and they must not know each other for the

sake of security.


54/79

54

The next thing coming up is the environment we need:

There are different possibilities, depending on the organizations. As it is most crucial part,

so I would suggest to, prefer for maximum security. In other words: to go for highest

quality, regarding Hardware, Software and Service Level Agreements (SLA, ITIL for

further details on the implications). As it is not easy to maintain operations without clearstructures and contracting schemes, this aspect alone requires intensive management

covering a complexity of, security measures of its own.

Now coming to my solution, the infrastructure to be managed will consists of different

things:

11

11Created by author

Application

Server using

HSM

CryptoHardware to

secure

Business

Lo ic

HSMCNM

Workflow

front end

Workflow

Server

Web

Server

Workflow

for MK

Mgmt

Customer

N no of

application

servers

N no of HSMs

WF-Mgr.

Key-Mgr.


55/79

55

I would prefer to use three different servers to achieve more security; they all stay at the

client side (which is to say any bank). Now on the first server we have to use an API

through which we can communicate with the IBM-CCA (common cryptographic

architecture) which actually lies on the other server. Through this API users can enter into

the machine to do the desired operation. On the other server the whole processing works

under the HSM but users can access it through another login (for security purpose). While

in between there lies another server which is called as IBM MQ series which is basically

used for the queuing purpose. So that queuing takes place properly and it will never go into

the deadlock situations. On the second server there lies the crypto API and IBM CNM

through which we can generate the keys. These servers are connected with each other with

the help of LAN and must be placed under high supervision. This is another loophole when

we manage Master Key while in a real time environment and most of the standard doesnt

provide much information regarding the management of the Master Key while handling it

in network attached HSMs. This is the technical aspect of the infrastructure that really

ensures very high end security but the real problem to be solved is performing the requiredoperations without loopholes.

The organizational infrastructure has many loopholes whenever key components are

produced by an HSM and there comes the most critical part.

Often enough, we face the problem that users dont know how to handle the complete

environment so they make mistakes while doing so.

So here I am trying to give a best view of the complete process. It has to be divided into

different departments properly so that all participating roles are enforced to do their workproperly, which is the most important part regarding the organizational management.

The whole process, which is called key ceremony, is as follows:

Note: Each Key ceremony is understood as a change to a productive system. This implies,that all the tasks performed during the following process for the key ceremony, are pre-

plan able and governed by a workflow management system, designed and implemented to

guide the process in a manner, that guarantees a continuous audit trail and provides logs,

that give detailed information about the life-cycle of any key processed.

4.1.1Key Ceremony

The centralized authority will instruct the two custodians that they will have to generate

their key parts for a certain target key; this notification could be sent via e-mail, physical

mail or anything whatever the policy is. The custodians have to confirm their availability

and if any case they are not available, they must take care of assigning the corresponding

deputy for that custodian in advance.


56/79

56

Special requirements and pre-requisites regarding the execution of the key ceremony: the

complete ceremony must be executed in a secure room(trusted environment, level: HIGH),

which requires:

- Isolation from outside environment, protecting against acoustic andelectromagnetically information trespassing

- Dual access control: no single person should be able to be alone in thesecure room, the access to the room is granted after dual-login to the

room

- In case of exceptional situations(fire, earthquake, etc.) the ceremonymust be cancelled, any key material produced during this session

marked as incomplete, not trustworthy-and should be destroyed

- Cellular/smart phones are not allowed during the residence in thisroom

- Camera surveillance: this requirement can be conflicting, as gainingknowledge about who enters the room on the one side, brings the

disadvantage, that surveillance officers could possibly re-construct

key-values that are entered by custodians after reading the values

from key letters

Security guards will check the facility access of the custodians and otherparticipating persons (in case if a live audit by Visa) and inspect and carried

item not required during the key ceremony, which may need to be deposited

by the security guards during the ceremony.

Custodians will have a dedicated time to achieve their task, as defined.

The custodians will be escorted by at least one other person (internal auditor)until the last entrance of the room. As required before, no person is allowed

to be alone in the secure room.

There has to be a secured login accessing the system operated by thecustodians while performing the operation to generate the master key parts.

Access Control can be realized by various ways: smart card login, access

tokens with one time password etc. there are different technologies today, it

depends on the companies security demands and policies and external

compliance regulations.


57/79

57

Regarding the generation of the desired Key. It has to be dedicated systemsonly for this purpose and it should be non -bootable from any media.

Another important issue: the system hardware should be connected to afunctionality tested and working Uninterruptible Power Supply.

As soon as the key generation is done, and stored to the intermediatetransportation media for further key part loading to the target HSMs, the has

to be backed up, for the purpose of key-recovery, depending on the

companies backup policies. Regarding cryptographic key material, long term

in experience and best practices show that most of the organizations still

believe key-parts printed all key letters on paper to be the best practical

choice and most enduring backup media still around. Once key-values are

securely printed out onto key-letters, the printouts are enveloped and arerequired to be separately stored to different physical safes, providing

continuity in key separation under dual control.

There are different scenarios in different organizations where some peopleprefer to have the key generation environment into the organization itself and

others prefer to have it at the other places. And the complexity differs from

case to case.

If it is at a different place then it has to be transported through a physicalmedium and there comes another security loophole. There are different ways,but most of the organizations do this thing, they contact the courier company

and they transport it within a tamper resistant module. So that if anybody tries

to hamper it then it will automatically destroy the content. Both the parts have

to be transported through different routes and through different courier

companies so that to achieve the concept of the dual control all the time.

As you can see this whole key ceremony process is a perfect candidate for implementing a

workflow using BPMN2.0:

It can be automated and run as a centralized governed authority moderatingthe process

It can keep track of all process activities all the time It could also reduce the human errors which people generally do in

organizations like forgetting about vital process steps that disrupt the quality

chain. So to overcome all those problems we need an automated process

control (our centralized authority) so the people who are involved in this


58/79

58

process can handle the whole system easily which will in consequence secure

our whole environment as well.

At this point I want to introduce the role and application of BPMN2.0 with the help of

which we cannot just automate the process but also we can keep track of all activities

applied.

4.2 ISO 27001 Based Risk Analysis

12

Figure 4-2

Figure 4-2 shows that we are going through our first phase of the whole process where wewill check the criteria for the ISO 27001. This workflow will initiate the STIKI RM

Studio, in order to perform the minimum yearly risk analysis. The outcome is the yearly

report required for ISO 27001 certification. If we will be able to follow the ISO27001

standards then we will go to the next phase.

So now its just time to automate the whole process and make it working. This part of the

workflow is the first swimlane and I have given it a name called Risk Assessment for the

12Created by author


59/79

59

ISO-27001. As you can see in the Figure 4-2, it consists of the three tasks start task, a

script task and an end task. You can see in the middle which is the script task which is

actually a shell script which is going to initialize the STIKI RM Studio. It provides us a

wide variety of options. I have preferred to choose the script task as it seems simple for

me.

Figure 4-3shows how you could define the script task. This Figure is basically showing

connectors. In Bonita Studio, we have to define a connector for this task, which is of the

shell script type and then you just have to define the script that you want to run. It is

actually a simple GUI which is easy to understand and can guide you for everything that

you want to do. I have simply used one line of script to initiate RM Studio. There are

various other ways to do this task like you can create a java code as well but then the

whole process will be too mighty and if you want to make some changes then you will

have to make the changes everywhere. Thats why I have chosen the script task which is

easy to use and easy to perform, just one line of code and you can achieve your work.Further this means I have provided a layer between workflow design and implementation

that means if you want to replace the implementation details you dont have to touch the

workflow design. You also need to define the person who is going to initialize the process,

in my case this is the initiator who will handle the workflow and who is going to initialize

this particular process. There are several other facilities that you could achieve with this to

make it more secure like only a dedicated user can do a particular task. For this reason I

have created a particular user in RM Studio to perform this task as if we can see this in an

organization there has to be a person who will take care of this responsibility and who have

the complete knowledge of the companys environment and also have a nice idea about the

ISO-27001.


60/79

60

13

Figure 4-3

13Created by author


61/79

61

4.3 PCI-DSS Based Risk Analysis

Now comes the second part of the whole work flow which is to analyze the risks on thebasis of the PCI-DSS. After finishing the first job that is to analyze the risk on the basis of

ISO27001, workflow will jump onto the second level which is to analyze the risk on the

basis of PCI-DSS. You can see in the Figure4-4, the next swim lane comes into the

existence which is called as PCI-DSS Analysis. It has different criteria as compare to the

ISO27001 but it is also very important to fulfill this task so as to ensure the maximum

security and the optimum result. You have to do the same thing again like in previous

process. So again I have defined a script task to initialize the RM Studio but this time the

user is different. From the organizational point of view it will be a person who will take

care for the PCI-DSS certification and a person who has a sound knowledge about the PCI-DSS, so that the organization could be sure about getting the certification properly. And if

the organization already has the certification then they could skip to the next step which is

for the management of the Master Key. And dont forget to change the standards in RM

Studio as by default after finishing the previous step it must have been selected

automatically to ISO27001. These two swimlane are loosely coupled, they are not

dependent on each other but they are part of the whole process. So we just cannot skip any

of them.

14

Figure 4-4

14Created by author


62/79

62

4.4 Master key Management

15

Figure 4-5

Figure 4-5 shows the next layer of the work flow which consist of the more complex and

much interesting part. Here I am trying to show the management of the Master Key. Here I

have used Crypto Node Management (CNM) which is proprietary by IBM and delivered

with IBM HSM 4764 and IBM 4765 so I will not give much detail here but you can see the

login for CNM in Figure 4-6. And it doesnt matter for us how it works because we are

only focused on the organizational issues rather than the technical details. It is also called

as Common Cryptographic Architecture Node Management Utility. As you can see in the

Figure 4-6, the custodians can login with different methods, it depends on the companyspolicy how you do this; you can also notice different tabs showing different utilities like

key storage, Crypto node etc. For our purpose there are of course few things to know

about. The Crypto Node and Master key tab are the most important for us to know. With

Crypto Node we can easily find the information about installed HSMs, like the state of the

HSM, its battery state, error logs etc. So whenever we notice any unwanted behavior like

unauthorized logon (outside valid time range), we can easily inspect Crypto Node and can

look into the details moreover can possibly find the cause of the issue.

15Created by author


63/79

63

Sec

mastersthesis-120506103336-phpapp02

Documents