mastersthesis-120506103336-phpapp02
TRANSCRIPT
-
7/31/2019 mastersthesis-120506103336-phpapp02
1/79
1
Heidelberg University of Applied Sciences
Germany/Heidelberg
Faculty of Informatics
Master Thesis
Business Process Modeling in the field of Information Security
Submitted by
Vishal Sharma
Supervised by
Prof. Dr. Gerd Mckel
Dr. Peter Misch
August 2011
Companys Supervisor: Dipl. - Ing. Thomas Brandtstaetter
-
7/31/2019 mastersthesis-120506103336-phpapp02
2/79
2
-
7/31/2019 mastersthesis-120506103336-phpapp02
3/79
3
Business Process modeling for the sake ofInformation Security
By
Vishal Sharma
Matriculation no: m1000830
A thesis submitted as a pre-requisite for the
Degree of Master of Science
Thesis Advisory Committee
Prof. Dr. Gerd Mckel & Dr. Peter Misch
Heidelberg University of Applied Science
Ludwig-Guttmann-Strae 6
69123 Heidelberg
Germany
Dipl-Ing. (BA) ThomasBrandtstaetter
BROTEX Synargos GmbH
Max-Eyth-Str. 21
72622 Nrtingen
Germany
-
7/31/2019 mastersthesis-120506103336-phpapp02
4/79
4
Affidavit
Herewith I declare:
That I have composed the chapters for the Master Thesis forWhich I am named as the author independently;
That I did not use any other sources and additives then the ones specified;
That I did not submit this work at any other examination procedure;
Heidelberg,
(Date)______________________________
(Signature)______________________
-
7/31/2019 mastersthesis-120506103336-phpapp02
5/79
5
Acknowledgements
Following the Indian tradition, first I would like to give my heartiest thank to the
Germany and its people who have accepted me here and gave me an opportunity to
learn and to move further in my life. Not forgetting about my family after staying
away from them for almost two years and who are the pillars of my life that alwaysstand by me to give me the strength to accomplish whoever I am today.
Mr. Thomas Brandtstaetter as my mentor, who has always gave me an inspiration to
achieve the best and to think in an eco-economic manner which is fruitful to the
whole society. I would like to give him my thanks to be with me all the time during
this project. As an Indian the most important people in my life are my teachers
(Gurus) Prof. Dr. Gerd Mckel and Dr. Peter Misch, the most generous persons I met
and the whole staff of Fachhochschule Heidelberg, who always helped me and
always motivated me during my studies.
Last but not least the whole Staff of BROTEX Synargos who has always shown me
the right path, and provided me with all the information which I needed during the
six months, and always spend their useful time for me to discuss things about my
project.
-
7/31/2019 mastersthesis-120506103336-phpapp02
6/79
6
Table of ContentsAbstract ................................................................................................................................ 91 Introduction ............................................................................................................... 11
1.1 Various Techniques ............................................................................................... 161.2 UML ........................................................................................................................ 161.3 SOA ......................................................................................................................... 181.4 BPMN2.0 ................................................................................................................ 191.5 Advantages over others: ........................................................................................ 192 Company Profile ........................................................................................................ 22
2.1 History .................................................................................................................... 232.2 Core Business ......................................................................................................... 242.3 Cryptography-Typical Application ..................................................................... 252.4 Hardware Security Module in Crypto Server-Implementation ........................ 252.5 HSM IBM 4764-001 Internal Architecture ......................................................... 262.6 FINPIN ................................................................................................................... 272.7 Functions ................................................................................................................ 283 Conceptualization ...................................................................................................... 293.1 NIST ........................................................................................................................ 293.2 FIPS ........................................................................................................................ 293.2.1 FIPS 140-2 Level 1: ............................................................................................... 303.2.2 FIPS 140-2 level 2: ................................................................................................. 303.2.3 FIPS 140-2 level 3: ................................................................................................. 303.2.4 FIPS 140-2 level 4: ................................................................................................. 30
-
7/31/2019 mastersthesis-120506103336-phpapp02
7/79
7
3.3 ISO 27001: ............................................................Fehler! Textmarke nicht definiert.3.4 VISA PIN Security Requirements Audit: ........................................................... 323.5 PCI DSS: ................................................................................................................. 343.6 Devices used ........................................................................................................... 353.7 HSM: ....................................................................................................................... 353.8 Crypto processor ................................................................................................... 373.8.1 Functionality: ......................................................................................................... 373.9 Payment Card Industry PIN Security Requirements: ....................................... 373.9.1 Objectives ............................................................................................................... 383.10 Establishing Security Measures ........................................................................... 383.11 Risk assessment: .................................................................................................... 414 Chapter 4 Solution .................................................................................................. 514.1 Prototyping ............................................................................................................. 51
4.1.1
Key Ceremony ....................................................................................................... 55
4.2 ISO 27001 Based Risk Analysis ............................................................................ 584.3 PCI-DSS Based Risk Analysis .............................................................................. 614.4 Master key Management ...................................................................................... 625 Chapter 5 Tools ....................................................................................................... 685.1 Bonita Soft: ............................................................................................................. 685.2 Bonita User Experience ......................................................................................... 706 Future Prospects ........................................................................................................ 727 Table of Figures ......................................................................................................... 758 Abbreviations ............................................................................................................. 769 Bibliography ............................................................................................................... 78
-
7/31/2019 mastersthesis-120506103336-phpapp02
8/79
8
-
7/31/2019 mastersthesis-120506103336-phpapp02
9/79
9
Abstract
We are heading towards the next generation solutions for making life better with the help
of technological advancements -we always talk about futuristic solutions:
How we could make the best for our upcoming generations which should be ecological and
fruitful. But we sometimes forget about the fundamentals that assist to achieve those things
- we have the ideas, we also have the aim in our mind - but still we are not able to get the
unsurpassable results out of those things that already exist. Technology has really helped a
lot to achieve that target of making things better: so that it could assist us to work well in
organizations, dealing with the problems and most importantly for the people to live their
life in a more valuable way.
This Master thesis is dedicated to those situations where a normal human intelligence is notenough to manage certain complexities around us: Of course with the help of technology
and our brain power. Whatever we do in our life, it basically consists of some steps to
reach a goal. We start in the morning, when we wake up and everybody tries to give his or
her best to make the most out of a day, but still sometimes we are not able to meet those
goals that we decide for when we wake up. Thats because sometimes we forget to follow
our own rules or sometimes we stick to our rules enough that we cannot even see the other
possibilities which can affect our whole process of reaching somewhere.
This is the case of only our every days life, but here we are more concerned about a much
more complex process which is Information Security, so I am trying to represent my viewsto ensure optimum Information Security and particularly in the field of Payment Card
industry. In last few years we all have been moved to electronic medium of managing and
maintaining vital information: Internet, Mobiles are good examples. We have tried all the
ways to make it more and more secure but still we have seen a lot of issues while
maintaining it.
This thesis is a research work of such issues and how we could handle them with the right
approach. Securing information is one of the most critical tasks in todays world as the
cloud of information is increasing every day. Thats because the interaction of humans
with the machines is increasing at a very rapid rate. As you can see, the dependency ofmanaging the information with the help of machines has notably increased, as a result,
complexity of the processes has also increased. As a consequence, inability to managing
the vital information is also increasing.
Off course machines have made our life easy but think about a world where you cannot
even prove who you are because of the lack in the process of securing the content. The idea
is to overcome the issue of being lost in possibilities.
-
7/31/2019 mastersthesis-120506103336-phpapp02
10/79
10
-
7/31/2019 mastersthesis-120506103336-phpapp02
11/79
11
1 IntroductionMy work starts from the definition of, What is a Process and I would answer that a
process is nothing more than a set of rules to reach certain results in an optimum manner.But this is a very simple definition of the word Process, and everybody learns it from
their childhood to achieve the best at their school, in various subjects, different sports and
other activities etc. And the nature of doing it in a way to achieve the optimum comes
automatically. So my point is everybody is the manager of its own life and the various
processes around it. But still we can easily see that we rely on different strategies,
techniques and at most the technology to make things better e.g. we use technology to get
things done automatically and faster.
But if we come to the reality of complex processes in the corporate world, in these kinds of
situations ordinary human intelligence is not enough to handle everything by its own and
there comes the role of IT. It came into existence in the late 60s and since then it has
played a major role in everybodys life. As a result, we have been trying to automate the
things in almost every aspect of life. But we never asked ourselves that are we making the
best out of IT and my answer is yes but only up to some extent.
As we look at todays process infrastructure in any industry, its very dynamic and very
complex in almost every aspect. So we need the concept of Business process modeling to
make it easy for the users to view, to find solutions around the complications, to manage
things in a useful way.
The basic idea of Information Security works on three elementary pillars:
Availability Integrity Privacy
In context of information security, if there is no privacy, its not worth it, if it is not
available then there is no use, if there is no integrity then we have lost the authenticity. So
to achieve the maximum security we should consider all three points, as without each other
they are incomplete and none of them make any sense.
In a more precise view the concept of availability depends on the infrastructure like
optimal system resources, power backups, backup of the information, disaster recovery
management etc. Second thing is to ensure the Integrity in order to provide trustworthy
information processing system: We must take care that information should be viewed in
the same manner as it is entered. Third and the most important pillar of information
security lead to maintaining the privacy -which in terms leads to granulated access control
to information, secured by the means of applied cryptography.
-
7/31/2019 mastersthesis-120506103336-phpapp02
12/79
12
When we talk about privacy in the context of applied cryptography, the first idea that
comes to our mind is encryption and decryption, as we encipher the content and send it to
the desired user and the designated recipient can decipher it to read the original content.
This is the most basic definition of maintaining security by applying the methods of
cryptography for securing privacy. But in a real working environment it becomes more
than the simple definition, as additional security requirements needs to be considered:
Where do we want to ensure security? What information needs to be secured? Which quality requirements are appropriate? How much we can invest into security precautions?
Especially the aspect of applied cryptography receives a more detailed augmentation along
this thesis. Cryptography on the one hand is a discipline covering more than justencryption algorithms and associated cryptographic keys.
Most commonly, these algorithms are implemented in software libraries (e.g. OpenSSL,
NSS, CyaSSL, and many others) which can increase overall system security indeed. By the
way, OpenSSL has evolved to be a widely used and integrated cryptographic service
provider (SSL, 2011)
A closer look into the architecture though, reveals the focus of next generation cyber-
criminals and hackers: having potentials for compromising cryptographic key material. In
case an adversary gets access to the clear values of cryptographic keys, he has access to theinformation realm protected by these keys.
Hence, the protection of cryptographic keys is an essential requirement to meet the basic
security requirements mentioned above.
In order to illustrate the potential risks behind the scene: whenever cryptography is
processed in software using a cryptographic service provider such as OpenSSL, a system-
dump, provoked by an adversary or caused by erroneous programming, can lead to a key-
compromise. Thats because, the keys in operation need to be available in clear form
within application memory.
This may sound to inherit a very theoretical probability and even professional risk
managers, today may still ignore the possible impacts, but such attacks are already
becoming reality. In order to reduce the risks for this kind of key-compromise method,
special crypto-hardware can be applied to backend-servers, in order to encapsulate
cryptographic functions and keys using tamper resistant security modules (TRSM, or more
abstract: Hardware Security Modules HSM). Well defined protection profiles, aligned
and certified to international and open standards, enable the highest level of risk reduction
covering the technological aspects regarding applied cryptography.
-
7/31/2019 mastersthesis-120506103336-phpapp02
13/79
13
Another scenario covers the usage of untrustworthy keys, in case an associated notary
function has been compromised. Notary functions for assigning higher trust-levels to
cryptographic key material using digital signing methods based on cryptography are
typically implemented as a Certification Authority (CA) for digital certificates. As a matter
of fact, digital certificates can be seen as todays pillars of the stage, on which the play of
applied cryptography is performed, especially covering the act Trusting the internet and
its web-services.
As an example, a possible man-in-the-middle attack, using rogue digital certificates, can be
named. Further information regarding the recent attacks on CAs like Commodo and
DigiNotar can be found here:
Unauthorized issuing of Google certificatesSource: Sophos. (2011). naked Security. Retrieved September 4, 2011, from
http://nakedsecurity.sophos.com/2011/08/29/falsely-issued-google-ssl-certificate-in-the-wild-for-more-than-5-weeks/)
Source: Hack on DigiNotar: Arstechnica. (2011). Retrieved August 3, 2011, fromhttp://arstechnica.com/security/news/2011/09/comodo-hacker-i-hacked-diginotar-too-
other-cas-breached.ars
A brief resume of the above mentioned cases reveals that the security cannot beachieved solely by integrating technological measures, without a strong focus on
the organizational measures.
This thesis will focus on possible misconceptions, unveiling the missing link in the overall
security equation and how possible mitigations can be implemented, especially on the basis
of holistic and risk-managed business process management and its dedicated workflows.
If cryptographic key-material is not managed properly, e.g. on time, then system-
availability cannot be assured. Certain keys must be securely generated, distributed and
imported at a corresponding crypto node on a cyclic basis, for instance yearly. In certain
cases when a key would not be provided in time, a business service may disrupt for
duration longer than demanded, thus harming business processes by causing severe
revenue losses.
Various international solution manufacturers have started responding to the growing need
for holistic enterprise key management systems and infrastructures over the last 10-20
years. As of today, the outcome can be reduced to a simple conclusion: even though many
key-management tools exist, they are mostly island-solutions, lacking standardization or
standards-harmonization, thus introducing a multitude of key-import-formats and
processes, leading to expensive investments for integration or increasing the possibility for
single-point-of-failure.
-
7/31/2019 mastersthesis-120506103336-phpapp02
14/79
14
Even though standardization efforts show significant improvements, such as KMIP (Key
Management Interoperability Protocol) driven by the OASIS Group, the outcomes are
solutions mainly on the technological level, missing attention on the organizational level.
Due to resort-boundaries within organizations and different perspectives and priorities
along the management-lines, lacks in the organizational aspects of information security aremost common.
Uncertainty of employees, impacts of change management, the effects of mergers and
acquisitions, time-pressure on projects due to rapid market developments and oversized
shareholder expectations, lead to a very dynamic business environment. Therefore easily
disturbing business continuity and degrading the awareness for establishing and
maintaining a holistically oriented information security management system on a cross-
company level.
While discussing an overall concept of IT-based orchestration of Business Process
Management on the one hand, I will also guide a down-the-rabbit-hole journey through the
roundabouts of the administration and management of critical cryptographic key-material
for cryptographic service providers.
These are typically anticipated to be black-box systems and operations on the IT system
administration level, providing required cryptographic services to various levels of
information processing components, like business-applications, middle-ware, operating-
systems, network-devices and information long term storage.
In todays business-world, there is a significant and growing demand for information
security based on applied cryptographic services and therefore also cryptographic keys.
The evolution has taken place in a rather subtle manner, multiplied by the achievements of
the internet-era and increasingly being under severe compliance-pressure due to the
multitude of successful attacks by cyber-criminals or even just system-failures, as a
consequence of underestimated quality-assurance and inexplicable processes and
workflows.
Therefore, an enterprise can face pervasive dependencies inherited in the IT-landscapecaused by missing knowledge about the lifecycle and whereabouts of cryptographic key-
material. As an example: not knowing about the whereabouts of cryptographic keys, can
lead to severe conflicts with national laws, in case law-enforcement agencies are entitled to
access company information within an investigation. Access to information can require
decryption of an information database, which can be hindered, if the corresponding
encryption-key is not accessible or cannot be recovered.
Resuming the above mentioned, the establishment and operation of cryptographic
infrastructures requires more than conventional system integration of IT-Systems. Each
-
7/31/2019 mastersthesis-120506103336-phpapp02
15/79
15
implementation of a cryptographic service provider and its exploitation by applications
affords profound system-planning and process integration.
A very crucial aspect in this context is the risks being introduced with initially setting up
cryptographic infrastructures. Professional, trustworthy and obviously certified crypto-
equipment (Smartcards, Smart-Card readers, Password Tokens, Hardware SecurityModules (short: HSM, also called tamper resistant security Modules: TRSM)) requires a
primary protection layer, which needs to be managed using well-defined and approved
workflows under dual control and/or co-signing.
Source: In Personal communication with:
Brandtstaetter, T. (2011). Cyber Crime. Nrtingen: In Personal Communitaion.
The whole concept of protecting cryptographic keys starts from generating a key alsoknown as a Master Key so that it could encrypt or decrypt other keys lying in the key
hierarchy. This is the most essential requirement for maintaining the security. But as I have
already mentioned, the concept of applying cryptography depends on many other factors
especially regarding the realm for which we want to achieve the security goals. Due to vast
amount of standards that should be met by the industries and the international compliance
guidelines that may have to be followed, the location of the area in which one wants to
apply cryptography should be carefully checked according the national laws. In these kind
of situations may be you wont be allowed to use certain cryptographic algorithms or must
limit the key length to be used. In these cases for instance, the operational controls forcryptographic infrastructures exceed the white-paper presentation usually found on applied
cryptography.
To scramble up a more practice oriented approach, this master thesis is basically
considering the area of payment card industry in terms of Information Security which is of
course very crucial in todays global world. Almost everybody uses ATMs these days to
withdraw money from their bank accounts but most of the people dont know how they
work. Because people increasingly rely on standards like VISA, PCI PIN Security
Requirements, PCI-DSS, they may think that it must be secure enough if they are
following these standards. But still every day we can see a lot of forgeries and a lot ofhacks everywhere around the world and most of the time they arise because of human
negligence. This thesis will provide a strategic and practicable approach to overcome those
loopholes, which are more of an organizational nature rather than being only technological.
Because technologically we are advanced enough to make the system secure but in order to
achieve and maintain that level we depend on more than only highly diverse technologies.
-
7/31/2019 mastersthesis-120506103336-phpapp02
16/79
16
So here I am trying to give a strategic approach to follow a plethora of standards and to
achieve the maximum information security possible, reducing mistakes, covering a
multitude of loopholes and balancing efforts:
1.1 Various TechniquesThe complexity of the various technologies is increasing every day and the desire of
making them simpler is increasing as well. Lots of ideas have come and gone in the past to
make the world simpler but only few persist. If we talk about simplicity then we vision an
interactive system with which we can interact and which can give the answers to our
issues, which can maximize the profits, maximize the outputs, minimize the risks,
maximize the possibilities of change management etc. Below I introduced some strategies
that we have used so far on which we still rely at different levels, depending on the
different scope of requirements.
1.2 UML
The techniques of Unified Modeling Language (UML) are used to model some artifacts,
like to specify, modify, visualize and construct during the System or Software development
process. It came into the market after hard work from Rational Software Corporation.
UML provides us with a very good way of understanding different aspects and
perspectives of a software or system with the help of standardized diagrams for modeling.
We can easily design prototypes and the blueprints for testing purpose.
Advantages:
We can use it to re-engineer existing systems, for instance, if these were not properly
documented. Using UML improves collaboration and co-operation within larger
development teams, enables cost reduction in external auditing and support interactive
work during the SW-Engineering process.
-
7/31/2019 mastersthesis-120506103336-phpapp02
17/79
17
Figure 1-1
Source: Ambler, S. (2010). fox.wikis. Retrieved August 2, 2011, from
http://fox.wikis.com/wc.dll?Wiki~BusinessRulesAndUML
UML has started the first revolution to handle the complex business processes. It has
provided many useful elements to keep track of the process and to visualize it for the
simplicity.
Activities Actors Business Processes database Schemas Logical components Programming Language components Software Components
-
7/31/2019 mastersthesis-120506103336-phpapp02
18/79
18
1.3 SOAService oriented Architecture, it is a combination of different services which are looselycoupled but at last we can make the benefit out of combining them together. It is kind of a
framework that covers various disciplines to conceptualize, analyze, design, and architect
their service-oriented assets. It was a great achievement for us to come to this point as
SOA has given us a power to integrate various things together and to give the optimal
output. But still it was basically meant for the IT industry, which is not enough if we deal
with the complexity of todays world.
Figure 1-2
Source: Corbasson, L. (2007, December 24). SOA. Retrieved August 1, 2011, fromhttp://en.wikipedia.org/wiki/File:SOA_Metamodel.svg
-
7/31/2019 mastersthesis-120506103336-phpapp02
19/79
19
Disadvantages:
The both models mentioned above, concentrate on issues regarding the IT industry and
dont cover the holistic aspects of business process in any kind of industry. They both arefocusing on the development of software and systems in the field of IT, but they are not
aligning to the process-oriented business demands, that incorporate IT beyond todays
system integration of island solutions.
1.4 BPMN2.0Business Process Modeling Notations 2.0,itcomes with a lot of hopes and a lot of
expectations for many industries which are trying to automate their processes for a long
time; its been a big problem for a long time in industries and in general to handleprocesses. People in different industries have been surrounded by this question since years
that how to generate culminating results out of any process. Many management techniques
were introduced, to handle the various issues within the industry (like policy management,
risk management, disaster recovery management etc.) but we never were able to
conglomerate all issues together to provide the unrivaled solution. We have tried to work
with different technologies so that we could manage different processes as I have already
mentioned a few of them above. But BPMN has provided all those functionalities and gave
us a platform which is not only suitable for the IT industry but it can fulfill a wider scope
of requirements depending on the demands of various industries.
1.5 Advantages over others:As I have shown above two basic approaches to fulfill our intrinsic requirements, the
comparison to BPMN has its limitations.
Regardless of fulfilling our needs not only in IT, it gives us a wide variety of tools to play
with it as well. This eventually makes it more concrete to measure the complexity, andmore scenic. It also provides a much better chance for users to understand it easily. It has a
wide range of notations that can give us a lot of freedom in designing in order to reduce the
complexity. Some of its features are as follows:
We can design and implement various complex processes(like in designing acar)
Choreography
-
7/31/2019 mastersthesis-120506103336-phpapp02
20/79
20
Orchestration Ease of Use Easy to visualize Human tasks Gateways Message Flows Group Tasks Collaborations
There are many tools available in order to apply BPMN to the design and implementation
of any work flow or the modeling of any process. But its always a challenging task to
decide which one to choose.
During the progress of my work, many options were available. Since, I intend to attract
towards open public for the topic of my thesis. I have focused on open source tools only, in
order to promote rapid applicability
The bewildering variety of open source technologies and solutions is obviously steadily
increasing, so I also wanted to contribute to this development. I have chosen to analyze the
following candidates:
Activiti
Source: Activiti. (2011). Components. Retrieved May 20, 2011, fromhttp://www.activiti.org/components.html
JBPM5
Source: Community, J. (2011). JBPM. Retrieved May 20, 2011, from Documentation:http://www.jboss.org/
Bonita SoftSource: Bonita Open Solution. (2011). Bonita Soft. Retrieved May 20, 2011, fromResources: http://www.bonitasoft.com/
It depends on the requirements, which tool to choose, because every tool has some
advantage over the other. So it depends exactly on what we actually need to do, the
complexity of the process or the whole infrastructure we have to cope with. For my work I
would like to prefer Bonita Soft for further evaluation and prototyping.
-
7/31/2019 mastersthesis-120506103336-phpapp02
21/79
21
According to Forbes magazine companies relish the prospect of reducing complexity,
while cutting and maintaining IT infrastructure and thats the main motive behind the
introduction of BPMN in market. So with the help of BPMN we cannot even reduce the
complexity but we can also reduce cost, reduced stressed etc. so far these are theachievement of BPMN.
-
7/31/2019 mastersthesis-120506103336-phpapp02
22/79
22
2 Company Profile
-
7/31/2019 mastersthesis-120506103336-phpapp02
23/79
23
2.1 History1992 2009 SYNARGOS GmbH
- International projects with leading banks, manufacturers andproviders (data processing centers, outsourcing)
- Design and implementation of applied cryptography (key-management and protocols) using hardware security modules(HSM) for banking networks, based on solutions from leadingmanufacturers for achieving highest security ratings possible(NIST FIPS 140-2 Level 4)
2010 - 2011 BROTEX Synargos GmbH
- Continuation of line of business- Business extension to infrastructures for business processes
based on mobile computing: RFID, NFC (near fieldcommunication), secure user authentication using smartphones
Establishing & Securing critical Business-Processes Project development Software and systems engineering
-
7/31/2019 mastersthesis-120506103336-phpapp02
24/79
24
2.2 Core Business
1. Establishing & Securing Business-Processes Securing electronic payment systems for financial transaction solutions via
dedicated and internet-based networks (home banking)
Card based payment systems in networks running ATM and POS
2. Project & Solution development
Requirements-Management Feasibility studies Consulting, Training & Education Tendering support Project management Sub-contracted and full scale project realization Security and Risk Management (ISO 27001) Audit Support (PCI-DSS, VISA PCI PIN Security Requirements)
3.
Software and systems engineering
Standard processes and methodologies Architecture, Design and Quality-assurance using the methodologies of
cybernetics
-
7/31/2019 mastersthesis-120506103336-phpapp02
25/79
25
2.3 Cryptography-Typical ApplicationToday, applied cryptographic methods reaches, almost all areas of information
processing. Typical applications are:
The encryption of personal data e.g. credit card information Securing the information while transmission within Card based payment
systems The calculation of personal data for pre-personalization of chips for smart
cards The production and use of digital signatures for certificates signed by
Certification Authorities.
2.4 Hardware Security Module in Crypto Server-Implementation The MX42 crypto server is delivered as an appliance with one or more
HSMs The production of the appliance is done at BROTEX Synargos which
processed highly secured and with maximum measures regarding qualityassured components and quality-assurance processes:
- Hardware platform: IBMx3650 server, IBM 4764-001HSM(certified to FIPS 140-2 Level 4)
- Software platform: SUSE Linux Enterprise server(Certified byCommon Criteria EAL4+), IBM CCA Services (Basic Crypto API),BROTEX Synargos MX42 FINPIN Software(SW-Engineeringusing Rational Unified Process and Extensions using V-Model whenrequired by customers)
The integrity of the appliance is detectable
-
7/31/2019 mastersthesis-120506103336-phpapp02
26/79
26
2.5 HSM IBM 4764-001 Internal Architecture
Source: IBM. (2005, October). Security. Retrieved August 2, 2011, from Crypto Cards:www-03.ibm.com/security.cryptocards/pcixcc/library.shtml
Figure 2-1
-
7/31/2019 mastersthesis-120506103336-phpapp02
27/79
27
2.6 FINPIN
Background of Cryptographic Abstraction Layer
Name origin: Financial PIN Services Description: FINPIN is an Application Programming interface Architecture: Client Server Licensing: As a feature enhancement to the crypto server MX42 Usage: Application can use the cryptographic services of MX42 Crypto
server via FINPIN API. FINPIN provides the basic features but you can also
add other features
Characteristics:The interface is expendable FINPIN
The parameterization of key names is flexible and it provides a generic
referencing for the application
Inside the Crypto server a FINPIN call can be divided into several crypto
functions
No clear key or the intermediate results of cryptographic protocols outside
the HSM
The application is decoupled from the key management
Key administration for the initial keys e.g. Master key of the HSM, delivery
of the Transport key
-
7/31/2019 mastersthesis-120506103336-phpapp02
28/79
-
7/31/2019 mastersthesis-120506103336-phpapp02
29/79
-
7/31/2019 mastersthesis-120506103336-phpapp02
30/79
30
information. Amongst these standards, some are covering the security demands for the
implementation and accreditation of cryptographic modules: FIPS 140 here especially
FIPS 140-2.It is basically categorized in to four levels:
3.2.1FIPS 140-2 Level 1:
This is the lowest level of security, it prevail limited level of security and remarkably good
level of security is actually absent in this level. An example of the security level 1 is the
mother board of the personal computer encryption board or the FIPS validation of
OpenSSL being validated to FIPS-2 Level 1.
3.2.2FIPS 140-2 level 2:
It adds the concept of the physical tamper-evidence devices that just pick up the resistancefrom the outside world related to the device. It is actually kind of a seal which places over
the cryptographic devices so that an attacker has to go through this layer of coating and if
he or she will break this coating then the authorized person will be informed and it also
facilitates the availability of the role based authentication.
3.2.3FIPS 140-2 level 3:
In addition to the tamper-evident, level 3 also ensures that the intruder cannot have the
access to the Critical Security Parameters held within the cryptographic module. This layerespecially focuses on the physical intrusion of the module and how to handle it. It also
ensures the security by the concept of the split knowledge, because of which you can trust
the system can trust yourself and can trust others, thats why the knowledge is always
divided into two people.
3.2.4FIPS 140-2 level 4:
This level enforces the maximum level of security for cryptographic modules, providing
tamper-detection and tamper-prevention of attacks, forcing an internal overall mesh-coating for achieving maximum resistance against tampers. Also enforced are protection
against X-Ray tampering, atmospherically tampering (temperature, surrounding air-
pressure) and voltage-tampering; the module must exactly test and detect all possible
tampers in its operating environment and in case of a tamper -zeroize all security elements
within the module, thus taking the device out of operation and preventing successful
attacks.
Source: BROTEX Synargos. (2011). FIPS. Nrtingen: Communication with in thecompany.
-
7/31/2019 mastersthesis-120506103336-phpapp02
31/79
31
Another most important standard is ISO 27001which is by far the basis for defining a
management process to assure information security. Being into this kind of industry andfocusing on the optimum security measures one should adhere to theISO27001 standards
family. Initially the British Standard Institution has developed a standard called BS7799
which was used to develop and implement an Information Security Management System
commonly known as ISMS. Its main focus was on the availability, integrity and the
confidentiality of organizational information. But it was initially a single standard and later
on they have added some more information to it and then it became ISO 17799. And then
ISO 27001 mandate the use of the BS7799 so, It is actually today the second part of the
ISO 27001. It is also beneficial for companies who already have ISO 9001 standard which
basically ensures a quality process.
ISO 27001 basically consists of four steps which covers most of the organizational security
measures.
PLAN(Establish the ISMS):Establish the ISMS, policy, objectives, processes and procedures that are relevant for
managing risks and improving information security to deliver results in accordance with an
organizations overall policies and objectives.
DO(Implement and operate the ISMS):
Implement and operate the ISMS policy, controls, processes and procedures.
Checks (monitors and review the ISMS):Access and, where applicable, measure process performance against ISMS policy,
objectives and practical experience and report the results to management for review.
ACT(maintain and improve the ISMS):Take corrective and preventive actions, based on the results of the internal ISMS audit and
management review or other relevant information, to achieve continual improvement of the
ISMS.
Source: ISO-27001. (2011). itgovernance. Retrieved July 10, 2011, from Compliance:http://www.itgovernance.co.uk/iso27001.aspx
-
7/31/2019 mastersthesis-120506103336-phpapp02
32/79
32
1
Figure 3-1
3.3 VISA PIN Security Requirements Audit:Visa explains in its standard management of the master key which starts with its
generation. As I said above that enciphering of data can be done with the help of a key and
at the top most level in the hierarchy of keys it is called Master Key. We need to take some
precautions while managing master keys and VISA helps us to do that.
We need to set up an environment to manage the whole process. The first and the foremost
thing, is to have a minimum of dual control for every process so that there will always betwo people who are responsible for the management of the master key. The reason for this
is to secure the master key from the person himself. By dual-control the knowledge about
the secret (master key) is always segregated among two people so that without each other
they cannot receive the knowledge of complete final key.
It depends on the security policies, in how many pieces we divide that key, and we can
even divide it into three parts depending on the policy we are using. So the master key
1Created by author
-
7/31/2019 mastersthesis-120506103336-phpapp02
33/79
33
always consists of minimum two parts and to do so we need two at least two people (key
custodians and their deputies) who are responsible for this purpose. So the first thing is to
decide who these two people are going to be, it depends on the management where we are
implementing it, in our case we will call them Custodian 1 and Custodian 2. So according
to the Visa requirements there are basically 7 stages to ensure the security of the key.
Secure equipment and methodologies Secure key creation Secure key conveyance/Transmission Secure key loading Prevent unauthorized usage Secure key administration Equipment management
Source: VISA. (2004). PIN Security Requirements. Retrieved May 20, 2011, fromhttps://partnernetwork.visa.com/vpn/
-
7/31/2019 mastersthesis-120506103336-phpapp02
34/79
34
3.4 PCI DSS:Payment Card Industry Data Security Standard is an information security standard covers
data security requirements regarding security of personal data of a banks customer, who
holds the credit cards, debit cards, prepaid, e-purse, ATM, and POS cards etc. This
standard was basically meant to reduce the risk of the fraud in the payment card industry. It
applies to all the entities which are involved in the payment card processing like
merchants, processors, acquirers, issuers, service providers as well as all the other entities
which process and store the card holders details.
There are 12 requirements for meeting the PCI DSS which are divided into 6 groups
Build and Maintain a Secure Network
Requirements: Install and maintain a firewall configuration to protect cardholder data Do not use vendor-supplied defaults for system passwords and other security
parameters
Protect Cardholder DataRequirements:
Protect stored cardholder data Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management ProgramRequirements:
Use and regularly update anti-virus software Develop and maintain secure systems and applications
Implement Strong Access Control MeasuresRequirements:
Restrict access to cardholder data by business need-to-know Assign a unique ID to each person with computer access Restrict physical access to cardholder data
Regularly Monitor and Test NetworksRequirements: Track and monitor all access to network resources and cardholder data Regularly test security systems and processes
Maintain an Information Security PolicyRequirements:
Maintain a policy that addresses information security
-
7/31/2019 mastersthesis-120506103336-phpapp02
35/79
35
Source: PCI-DSS. (2011). PCI Data Security Standanrds. Retrieved May 20, 2011, fromhttps://www.pcisecuritystandards.org/security_standards/
3.5 Devices usedThere are also some kinds of devices that we use to reach the maximum level of security
some of them are as follows:
3.6 HSM:It stands for Hardware Security Module, and is defined as a piece of hardware-component
and associated software that is usually installed inside a computer and provides a tamperresistant environment for itself. An HSM basically used for secure generation of key
material, encryption, decryption, hashing etc.
There are many HSM manufacturers that are available in the market today but IBM is one
of the global players and also the most renowned in the HSM market, being the first
company in the market to have achieved FIPS 140-2 Level 4 validation for their HSMs by
NIST.
IBMs tradition in participating in the HSM market with cryptographic co-processors that
can be additionally installed by customers in backend servers, reaches back to 1989, wherethe first HSM in form of cryptographic co-processor, being a tamper resistant HSM named
IBM 4755(adapter card) and IBM 4753(Network Security Processor for IBM mainframes)
were introduced. Along with this product availability IBM introduced IBM CCA.
Today IBM has basically two products which are available in the market: IBM 4764 and
IBM 4765, whose cryptographic services are made available to applications via the IBM
Common Cryptographic Architecture (CCA)
Even before the CCA era, IBM provided tamper resistant cryptographic modules as system
immanent components, for instance on the IBM 4700 controller series, which reaches back
to the seventies.
Being designed for long durations of operation, the IBM HSMs are used by top 500
companies, especially the ones using IBM mainframes (zSeries). In case of proper
maintenance, meaning regular exchange of batteries, the HSMs can be operated for
duration up to 10 years.
-
7/31/2019 mastersthesis-120506103336-phpapp02
36/79
36
Figure 3-2
Source: IBM. (2011). Security. Retrieved August 2, 2011, from Cryptocards: http://www-03.ibm.com/security/cryptocards/pcixcc/4764SerialNumbers.shtml
It does not only provide the security by its tamper proof architecture, but also acceleratesthe processing time -for functions like key generation, encryption, decryption and digital
signing. There are many kinds of algorithms available today for the encryption and
decryption and some are really complex and also consumes too much CPU power when
using software crypto libraries on a server. When we talk about the payment card industry
then of course we are thinking about a very high volume of transactions requiring crypto
operations every day. So of course we need to handle the operations very quickly and in
some cases HSM can successfully off-load a servers CPU usage- when performing crypto
-
7/31/2019 mastersthesis-120506103336-phpapp02
37/79
37
operations. And the most important thing is that these versions of HSMs from IBM qualify
the maximum level of security standards called-FIPS 140-2 Level 4.
Source: BROTEX Synargos. (2011). FIPS. Nrtingen: Communication with in thecompany.
3.7 Crypto processorCrypto processor is nothing more than a chip embedded in an HSM for carrying out
cryptographic operations. It also provides a certain degree of tamper resistance.
3.7.1Functionality:
In general how do we ensure the security is to bind the software to a piece of hardware so
that only the legitimate user can have access to the software: But in order to prevent not
only the execution of the software on other machines but to protect the entire software
from any access, we require a security perimeter that keeps unauthorized reverse
engineering from observing the memory and the execution of instructions. The manual
solution is to keep the computer into a locked room so that only the desired people can
have access to the hardware and the software but the problem lies there, only few peoplecan have access to the room. But there is another approach which is called as IBM's
ABYSS project. Here the security perimeters protect a single printed circuit board inside
a workstation. The operating system and cryptographic keys are stored in battery buffered
static RAM chips that are located on the same board as the CPU, the system bus, the hard
disk controller, a real time clock and a battery. The board is surrounded from all side by an
alarm mechanism that consists of a multilayered winding pattern of a pair of fine wires,
which is embedded into hard opaque epoxy resin. And any attempt to hamper the security
module will trigger the alarm and wipe out the software and the keys from the battery
buffered RAM.
Source: Kuhn, M. (1997, April 30). Cambridge. Retrieved May 20, 2011, fromhttp://www.cl.cam.ac.uk/~mgk25/trustno1.pdf
3.8 Payment Card Industry PIN Security Requirements:It basically consists of 7 objectives which tell us all the required parameters to ensure the
PIN security.
-
7/31/2019 mastersthesis-120506103336-phpapp02
38/79
38
3.8.1Objectives
PINs used in transactions governed by these requirements are processed usingthe equipment and methodologies that ensure they are kept secure.
Objective : Cryptographic keys used for the PIN encryption/decryption and related keymanagement are created using the process that ensure that it is not possible to predict any
key or determine that certain keys are more probable than others.
Keys are converted or transmitted in a secure manner. Key loading to hosts and PIN entry devices is handles in secure manner Keys are used in manner that prevents or detects their unauthorized usage Keys are administered in a secure manner Equipment used to process PINs and keys is managed in secure manner
Source: PCI-DSS. (2011). PCI Data Security Standanrds. Retrieved May 20, 2011, fromhttps://www.pcisecuritystandards.org/security_standards/
So far you have seen that to maintain all the security we need a lot of standards. And it is a
must have condition to follow all these standards to be in this industry otherwise we can
cannot assure the optimum quality. But the standards are so complex that many a times we
commit some mistakes and even these standards tells us all the formalities but they never
tell us how to apply all those and if you look into the details of every standard you can
even find a lot of loopholes. Thats where I am trying to focus in this master thesis.
3.9 Establishing Security MeasuresAs you can understand the importance of a Master key by now, which was generated
during the initial phase the rest of the security assurance will always depend on the
handling and protection of Master Key. But if the master key itself is compromised then
there is no use of securing anything underneath the Master Key-as it is the root cause of the
vulnerabilities. Using various technologies and different standards we safely generate themaster key, which itself is not easy to crack. The next step is the real challenge: that is to
place it into HSM and its real operational environment. Here lies the actual problem. How
we can manage the master key to ensure the security at its optimum?
The standard defines the measures, one should take to ensure the security but they dont
define how we can establish them in a real world enterprise.
-
7/31/2019 mastersthesis-120506103336-phpapp02
39/79
39
We need to start in an upmost hierarchy of any organization that is on the management
level, when establishing an Information Security Management System (ISMS) that
identifies and manage the risks existent to vital assets such as a Master Key.
When business processes are tied to profound ISMS, the awareness is placed accordingly
to manage the risks and assure the measures needed to prevent impacts of possibleloopholes that could lead to compromises of Master Keys.
Information Security:
In my scenario of a holistic coverage of security awareness, starting from Information
Security Management level, all the way down to the operational level, where Master Key
are process on the system level, I want to identify basically three layers which consists of :
1. Management- Risk assessment (which basically consists of ISO 27001)2. Business Process- Following all the standards(PCI DSS mainly)3. System- Management of the master key
-
7/31/2019 mastersthesis-120506103336-phpapp02
40/79
-
7/31/2019 mastersthesis-120506103336-phpapp02
41/79
41
security management as the companies operating their solutions to provide high security
levels to their customers.
So the first step in order to ensure security starts with Risk assessment. Top management
will have to identify and manage the risks for the companys future related to a particular
business and if they want to persist into the business then they have to commit to therequired processes.
Now if you have decided to go for all these standards then comes the second phase which
is line management who will plan to get the desired output or we could say the people who
are responsible for meeting the corporate goals, maintaining the policies and all the
standards. A line manager could be anybody depending on the industry where you are
participating in.
Like in any company we need a person who will handle the probabilities of the risks
regarding the particular working field. In our case he must be a person who will handle the
desired goals in real time to get the desired output that the top management has planned.
He will manage the resources under him to get the predefined result and its his job to plan
how to reach those targets.
The third and last layer I will consider is called Infrastructure Management the people who
are responsible for daily operations as defined by the top management and the line ofbusiness management have planned. They will also have to adhere standards depending on
the industry area you work in, but in the cases of IT-infrastructure operations, the ITIL
standards-framework is a good approach to follow.
3.10 Risk assessment:The top management is responsible to manage the overall risks for the company and needs
to govern, all the necessary measures that need to be fulfilled, so they will generate a set of
objectives and the second line of management will handle all those objectives.
In my scenario top management is responsible for defining the objectives of the ISMS.
The Chief Security Officer (CSO) will decide and plan to which extent an ISMS system is
needed and how efficient its implementation will need to be. Current development and
trends show, that companies accept the international standard ISO27001 as a guideline for
implementing an ISMS, which is the reason why I will further focus on it.
-
7/31/2019 mastersthesis-120506103336-phpapp02
42/79
42
The CSO will identify applicable risks as outlined by ISO 27001, setting a major directive
on how to manage information security. But depending on the business area
diversifications on ISO 27001, other standards could also imply, resulting from the nature
of business risks.
The second line of management will take care of risk assessment to meet those targetsaccording to the desired standards. Various technologies, implementation strategies,
standards an studies are available in the market, that allow individual approaches for
establishing an ISMS
In my work, I have used the RM Studio application from Stiki (Iceland).
This tool is basically used to analyze the security risks while focusing on ISO 27001 and
other security measures. The advantage of RM Studio compared to an implementation of
an ISMS based on EXCEL is the round-trip-management that is possible with yearly audits
and re-certifications as well as the intelligent reporting system that produces assessmentand audit-report on the fly, thus saving considerably valuable time.
It has already predefined all the necessary requirements that can apply to a company, Very
practical is the fact, that standards like ISO 27001 or PCI-DSS are already copied in
verbose into the database of RM Studio, which saves valuable time in editing. In addition,
the standards are available in different languages, making it quite convenient to get ISMS
certification on an international basis, which is essential for global enterprises.
We can also create our own standards or add threats and measures depending on our
demands and assess the risks using the same ISMS tool infrastructure.
The below diagram is the first view of the RM Studio and here you can see that it looks
very user friendly and it has all the parameters as well to calculate the risks.
-
7/31/2019 mastersthesis-120506103336-phpapp02
43/79
43
Figure 3-4
3
Calculate RisksTo calculate the risks on Information Security as defined by the ISO 27001 standard, we
need to define the infrastructure of our information processing landscape, including all the
assets, job roles, availability and the other resources and of course their dependencies on
each other. As you can see in the picture above, first we have to define the business entitiesfor which we are trying to calculate the risks. As we are talking about the security so we
must consider the ISO 27001 all the time, so for this reason whatever we are going toanalyze it will calculate the risk on the basis of ISO 27001. This is the first task to achieve
in any company who wants to do their business securely. ISO 27001 basically tells us to
design ISMS (Information Security Management System) which eventually ensures a
system to tell us about the overall security system in an Enterprise.
Since we have the desired standards integrated in RM Studio, we can easily define our
assets, assign the applicable risks and perform the risk assessment on the fly.
3Created by author
-
7/31/2019 mastersthesis-120506103336-phpapp02
44/79
44
The ISO27001 covers the whole organization but for this thesis my main focus will be on
the Objective A.12.3.1 which says:
Cryptographic ControlObjective:
Protect the confidentiality, authenticity and integrity of information by cryptography. In
further detail that means:
Policy in the use of Cryptographic control: A policy on the use of the cryptographic
control for protection of information shall be developed and implemented.
Key management: Key management shall be in place to support the organizations use of
the cryptographic techniques.
Most of the people always neglect these two most basic problems and even the ISO doesnt
define how to achieve these tasks. So the first thing in any organization is to check whether
they are following these standards or not and if they are then how much is the risk and the
RM Studio provides us this facility to calculate on the basis of above mentioned standards.
The next most important thing that comes is the PCI DSS, if we are working in theinformation security and especially in the banking domain then we will have to follow the
PCI DSS which stands for Payment Card Industry Data Security Standards.
I will give a brief introduction on how to calculate the risk regarding these two standards
but I have to mention that, it varies from organization to organization.
We can easily see in the Figure3-5, various standards but for us means as security wise,
only ISO 27001 and PCI-DSS are important so first we will analyze with the ISO27001
standard and then we will try to find out the risk analysis with the PCI DSS.
In Figure 3.6 we can see that the next step is to define the Business entity for which we are
trying to calculate the risk. In the Business entity we have to provide the basic details of
the company like name, address etc.
-
7/31/2019 mastersthesis-120506103336-phpapp02
45/79
45
4
Figure 3-5
5
Figure 3-6
4Created by author
5Created by author
-
7/31/2019 mastersthesis-120506103336-phpapp02
46/79
46
6
Figure 3-7
The next thing is to define the business assets including all the details of the company.
Figure 3-7 explains this how to define the assets of the company and to get the accurate
result we have to define all the assets of the company that includes all the possibilities
exists in any organization that means the people their expertise, hardware, service levelagreements with the clients etc. Now as you can see in the Figure 3-7 the assets are defined
including all the people involved their dependency on each other and complete
infrastructural assets as well.
6Created by author
-
7/31/2019 mastersthesis-120506103336-phpapp02
47/79
47
7
Figure 3-8
Figure 3-8 explains that how the individual component in the organization are important
for us, and whats their credibility, their security risks and their impact in the organization
which is very important e.g. If the lead developer is not available in the company during
any issue so his availability has to be high during those period where as on the other hand a
person who is doing only the clerical stuff, he is also very important for the company but
his availability is not that important during the critical issues. So regarding all these
questions in mind we have to provide the different parameters in the risk scenarios for thedifferent assets.
7Created by author
-
7/31/2019 mastersthesis-120506103336-phpapp02
48/79
48
8
Figure 3-9
The above Figure shows the risk analysis on the basis of ISO 27001 and different assets
that we have defined earlier. On the basis of values of the assets and availability it shows
us the risk is 2%, which is very low and good for the organization. Now we can also check
it for different parameters like the confidentiality and the integrity how much is the risk.
The below Figure 3-10, shows that now the result have been rises to 1% including the all
the factors in an organization. So it is even far better so by theses all results we can easily
define that we have gone through the risk parameters of the ISO 27001 standards and in
any case if the risk is too high then we can again define the assets and then we could do thegap analysis.
8Created by author
-
7/31/2019 mastersthesis-120506103336-phpapp02
49/79
49
Figure 3-10
9
Figure 3-11
The Figure 3-11 shows here the PCI-DSS standards, we have to do the same things again
and then again we have to check the possibility of the risks and the threats from againstPCI-DSS. If the result is low like 1% or 2% then we could be sure of one thing that we can
go further that means we have successfully followed the PCI-DSS standards as well.
And now the real work start for the information security, initially we had the problem that
there are many standards which are very complicated and how to follow them all. Then we
9Created by author
-
7/31/2019 mastersthesis-120506103336-phpapp02
50/79
50
have seen the utility of the RM Studio which has made our work easy to asses our
organization against these standards. But still the problem is there, even though we have all
the standards but we can still see various attacks every day in news. So there must be a
problem somewhere which is the problem of good management and basically the problem
of following all the complex processes. And to solve all the problems we will take the help
of the BPMN2.0
-
7/31/2019 mastersthesis-120506103336-phpapp02
51/79
51
4 Chapter 4 Solution4.1 PrototypingNow comes the role of Infrastructure Management- the lowest level of management, its
not only responsible for the IT infrastructure to meet the business needs for high
availability, reliability and scalability, but it is also responsible for managing services of
the business process management. It provides us a way to calculate the availability,
reliability, risks management etc. In the past this kind of structure was mainly meant for
the big organizations but today even the small organizations can also make profit with this
kind of approach.
In this chapter I am trying to find some loopholes on the basis of the infrastructuremanager with the help of the Business Process Modeling. It will be used as a prototype to
define the problems using the BPMN2.0. As I have already introduced BPMN2.0 and have
already explained that there are many tools available in the market today so for my
convenience I would use a tool called Bonita Studio. It consists of many facilities which
are using different technologies to solve our purpose. Figure 4-1 shows the basic view of
the Bonita Studio which explains itself that how we could design the workflows. On the
left hand side of the picture we can see the toolkit to design the workflows which consists
of the BPMN2.0 standards.
Source: Bonita Open Solution. (2011). Bonita Soft. Retrieved May 20, 2011, fromResources: http://www.bonitasoft.com/
-
7/31/2019 mastersthesis-120506103336-phpapp02
52/79
52
10
Figure 4-1
As I have already explained in the previous chapter, first we have to follow the generalstandards which are important to be compliant to, so that we could ensure maximum
security possible. First we have to go through all those steps to achieve the certifications
and to calculate risks in an enterprise accordingly.
Top Management: get ISMS certified according to ISO 27001 Business line: get certified according to PCI-DSS(while interacting with
ISMS)
Infrastructure: make sure, that processes meet required quality goals andprovide audible trails, adhering to policies directed by layer 1 and 2
respectively.
Then we come to the details of Master Key management.
Master Key management is a very complicated issue and the operational issues lie at the
bottom of the whole organizational hierarchy. In reality, experience shows, that dual
control can practice with compromises, as a result of project-pressure (e.g. change requests
10Created by author
-
7/31/2019 mastersthesis-120506103336-phpapp02
53/79
53
in exceptional situations) or degrading awareness and knowledge, due to employee
fluctuation. So, if a decision is made to have a single key-custodian process both parts of a
Master Key, then the key by definition is compromised. The associated crypto system may
still operate fully functional, but when it comes to an audit in the future, especially
connected to the implications of a successful and published hack by cyber-criminals, the
business itself may be faced with severe losses.
Bottom Line: if a Master Key is not properly secured, because the responsible persons forthe key ceremonies do not follow a pre-defined process, then nothing beneath it will be
secure.
It doesnt matter which standards we are trying to comply to. Even after following all the
security measures and all standards we are not able to ensure the provable protection of
Master Key.
So in this chapter I will try to outline solution which can be used to overcome the issues ofprocess disruption during Master Key management. The idea itself is not new and it is a
conglomerate of all the standards that we have talked about earlier.
As according to VISA, the whole process has to be divided among two people so that the
possession and knowledge is segmented among two which is also called secret splitting.
One custodian therefore has no knowledge about the second part of Master Key. Without
the second part final Master Key cannot be reconstructed.
This is an essential step to ensure the highest level of trust in processing this kind of vital
asset.
If only one person would be responsible for the whole process, then lots of problems come
up:
Insider attack: if the person turns out to be corrupt, the organization can beheavily damaged(all business processes go out of operation, reputation
damage, customer resigning due to loss of trust)
Social engineering made easy: it is easy for the attackers to leak outinformation from just a single person, as compared to retrieving it from
segregated knowledge.
At any place the process starts from establishing an environment which has to be properly
defined and configured to produce the optimum output. So we will need at least two people
to handle the whole process at any cost (keeping in mind that substituted, also called
deputies, need to be assigned also). We will call them custodians for our own convenience
with specific rights to manage the master key and they must not know each other for the
sake of security.
-
7/31/2019 mastersthesis-120506103336-phpapp02
54/79
54
The next thing coming up is the environment we need:
There are different possibilities, depending on the organizations. As it is most crucial part,
so I would suggest to, prefer for maximum security. In other words: to go for highest
quality, regarding Hardware, Software and Service Level Agreements (SLA, ITIL for
further details on the implications). As it is not easy to maintain operations without clearstructures and contracting schemes, this aspect alone requires intensive management
covering a complexity of, security measures of its own.
Now coming to my solution, the infrastructure to be managed will consists of different
things:
11
11Created by author
Application
Server using
HSM
CryptoHardware to
secure
Business
Lo ic
HSMCNM
Workflow
front end
Workflow
Server
Web
Server
Workflow
for MK
Mgmt
Customer
N no of
application
servers
N no of HSMs
WF-Mgr.
Key-Mgr.
-
7/31/2019 mastersthesis-120506103336-phpapp02
55/79
55
I would prefer to use three different servers to achieve more security; they all stay at the
client side (which is to say any bank). Now on the first server we have to use an API
through which we can communicate with the IBM-CCA (common cryptographic
architecture) which actually lies on the other server. Through this API users can enter into
the machine to do the desired operation. On the other server the whole processing works
under the HSM but users can access it through another login (for security purpose). While
in between there lies another server which is called as IBM MQ series which is basically
used for the queuing purpose. So that queuing takes place properly and it will never go into
the deadlock situations. On the second server there lies the crypto API and IBM CNM
through which we can generate the keys. These servers are connected with each other with
the help of LAN and must be placed under high supervision. This is another loophole when
we manage Master Key while in a real time environment and most of the standard doesnt
provide much information regarding the management of the Master Key while handling it
in network attached HSMs. This is the technical aspect of the infrastructure that really
ensures very high end security but the real problem to be solved is performing the requiredoperations without loopholes.
The organizational infrastructure has many loopholes whenever key components are
produced by an HSM and there comes the most critical part.
Often enough, we face the problem that users dont know how to handle the complete
environment so they make mistakes while doing so.
So here I am trying to give a best view of the complete process. It has to be divided into
different departments properly so that all participating roles are enforced to do their workproperly, which is the most important part regarding the organizational management.
The whole process, which is called key ceremony, is as follows:
Note: Each Key ceremony is understood as a change to a productive system. This implies,that all the tasks performed during the following process for the key ceremony, are pre-
plan able and governed by a workflow management system, designed and implemented to
guide the process in a manner, that guarantees a continuous audit trail and provides logs,
that give detailed information about the life-cycle of any key processed.
4.1.1Key Ceremony
The centralized authority will instruct the two custodians that they will have to generate
their key parts for a certain target key; this notification could be sent via e-mail, physical
mail or anything whatever the policy is. The custodians have to confirm their availability
and if any case they are not available, they must take care of assigning the corresponding
deputy for that custodian in advance.
-
7/31/2019 mastersthesis-120506103336-phpapp02
56/79
56
Special requirements and pre-requisites regarding the execution of the key ceremony: the
complete ceremony must be executed in a secure room(trusted environment, level: HIGH),
which requires:
- Isolation from outside environment, protecting against acoustic andelectromagnetically information trespassing
- Dual access control: no single person should be able to be alone in thesecure room, the access to the room is granted after dual-login to the
room
- In case of exceptional situations(fire, earthquake, etc.) the ceremonymust be cancelled, any key material produced during this session
marked as incomplete, not trustworthy-and should be destroyed
- Cellular/smart phones are not allowed during the residence in thisroom
- Camera surveillance: this requirement can be conflicting, as gainingknowledge about who enters the room on the one side, brings the
disadvantage, that surveillance officers could possibly re-construct
key-values that are entered by custodians after reading the values
from key letters
Security guards will check the facility access of the custodians and otherparticipating persons (in case if a live audit by Visa) and inspect and carried
item not required during the key ceremony, which may need to be deposited
by the security guards during the ceremony.
Custodians will have a dedicated time to achieve their task, as defined.
The custodians will be escorted by at least one other person (internal auditor)until the last entrance of the room. As required before, no person is allowed
to be alone in the secure room.
There has to be a secured login accessing the system operated by thecustodians while performing the operation to generate the master key parts.
Access Control can be realized by various ways: smart card login, access
tokens with one time password etc. there are different technologies today, it
depends on the companies security demands and policies and external
compliance regulations.
-
7/31/2019 mastersthesis-120506103336-phpapp02
57/79
57
Regarding the generation of the desired Key. It has to be dedicated systemsonly for this purpose and it should be non -bootable from any media.
Another important issue: the system hardware should be connected to afunctionality tested and working Uninterruptible Power Supply.
As soon as the key generation is done, and stored to the intermediatetransportation media for further key part loading to the target HSMs, the has
to be backed up, for the purpose of key-recovery, depending on the
companies backup policies. Regarding cryptographic key material, long term
in experience and best practices show that most of the organizations still
believe key-parts printed all key letters on paper to be the best practical
choice and most enduring backup media still around. Once key-values are
securely printed out onto key-letters, the printouts are enveloped and arerequired to be separately stored to different physical safes, providing
continuity in key separation under dual control.
There are different scenarios in different organizations where some peopleprefer to have the key generation environment into the organization itself and
others prefer to have it at the other places. And the complexity differs from
case to case.
If it is at a different place then it has to be transported through a physicalmedium and there comes another security loophole. There are different ways,but most of the organizations do this thing, they contact the courier company
and they transport it within a tamper resistant module. So that if anybody tries
to hamper it then it will automatically destroy the content. Both the parts have
to be transported through different routes and through different courier
companies so that to achieve the concept of the dual control all the time.
As you can see this whole key ceremony process is a perfect candidate for implementing a
workflow using BPMN2.0:
It can be automated and run as a centralized governed authority moderatingthe process
It can keep track of all process activities all the time It could also reduce the human errors which people generally do in
organizations like forgetting about vital process steps that disrupt the quality
chain. So to overcome all those problems we need an automated process
control (our centralized authority) so the people who are involved in this
-
7/31/2019 mastersthesis-120506103336-phpapp02
58/79
58
process can handle the whole system easily which will in consequence secure
our whole environment as well.
At this point I want to introduce the role and application of BPMN2.0 with the help of
which we cannot just automate the process but also we can keep track of all activities
applied.
4.2 ISO 27001 Based Risk Analysis
12
Figure 4-2
Figure 4-2 shows that we are going through our first phase of the whole process where wewill check the criteria for the ISO 27001. This workflow will initiate the STIKI RM
Studio, in order to perform the minimum yearly risk analysis. The outcome is the yearly
report required for ISO 27001 certification. If we will be able to follow the ISO27001
standards then we will go to the next phase.
So now its just time to automate the whole process and make it working. This part of the
workflow is the first swimlane and I have given it a name called Risk Assessment for the
12Created by author
-
7/31/2019 mastersthesis-120506103336-phpapp02
59/79
59
ISO-27001. As you can see in the Figure 4-2, it consists of the three tasks start task, a
script task and an end task. You can see in the middle which is the script task which is
actually a shell script which is going to initialize the STIKI RM Studio. It provides us a
wide variety of options. I have preferred to choose the script task as it seems simple for
me.
Figure 4-3shows how you could define the script task. This Figure is basically showing
connectors. In Bonita Studio, we have to define a connector for this task, which is of the
shell script type and then you just have to define the script that you want to run. It is
actually a simple GUI which is easy to understand and can guide you for everything that
you want to do. I have simply used one line of script to initiate RM Studio. There are
various other ways to do this task like you can create a java code as well but then the
whole process will be too mighty and if you want to make some changes then you will
have to make the changes everywhere. Thats why I have chosen the script task which is
easy to use and easy to perform, just one line of code and you can achieve your work.Further this means I have provided a layer between workflow design and implementation
that means if you want to replace the implementation details you dont have to touch the
workflow design. You also need to define the person who is going to initialize the process,
in my case this is the initiator who will handle the workflow and who is going to initialize
this particular process. There are several other facilities that you could achieve with this to
make it more secure like only a dedicated user can do a particular task. For this reason I
have created a particular user in RM Studio to perform this task as if we can see this in an
organization there has to be a person who will take care of this responsibility and who have
the complete knowledge of the companys environment and also have a nice idea about the
ISO-27001.
-
7/31/2019 mastersthesis-120506103336-phpapp02
60/79
60
13
Figure 4-3
13Created by author
-
7/31/2019 mastersthesis-120506103336-phpapp02
61/79
61
4.3 PCI-DSS Based Risk Analysis
Now comes the second part of the whole work flow which is to analyze the risks on thebasis of the PCI-DSS. After finishing the first job that is to analyze the risk on the basis of
ISO27001, workflow will jump onto the second level which is to analyze the risk on the
basis of PCI-DSS. You can see in the Figure4-4, the next swim lane comes into the
existence which is called as PCI-DSS Analysis. It has different criteria as compare to the
ISO27001 but it is also very important to fulfill this task so as to ensure the maximum
security and the optimum result. You have to do the same thing again like in previous
process. So again I have defined a script task to initialize the RM Studio but this time the
user is different. From the organizational point of view it will be a person who will take
care for the PCI-DSS certification and a person who has a sound knowledge about the PCI-DSS, so that the organization could be sure about getting the certification properly. And if
the organization already has the certification then they could skip to the next step which is
for the management of the Master Key. And dont forget to change the standards in RM
Studio as by default after finishing the previous step it must have been selected
automatically to ISO27001. These two swimlane are loosely coupled, they are not
dependent on each other but they are part of the whole process. So we just cannot skip any
of them.
14
Figure 4-4
14Created by author
-
7/31/2019 mastersthesis-120506103336-phpapp02
62/79
62
4.4 Master key Management
15
Figure 4-5
Figure 4-5 shows the next layer of the work flow which consist of the more complex and
much interesting part. Here I am trying to show the management of the Master Key. Here I
have used Crypto Node Management (CNM) which is proprietary by IBM and delivered
with IBM HSM 4764 and IBM 4765 so I will not give much detail here but you can see the
login for CNM in Figure 4-6. And it doesnt matter for us how it works because we are
only focused on the organizational issues rather than the technical details. It is also called
as Common Cryptographic Architecture Node Management Utility. As you can see in the
Figure 4-6, the custodians can login with different methods, it depends on the companyspolicy how you do this; you can also notice different tabs showing different utilities like
key storage, Crypto node etc. For our purpose there are of course few things to know
about. The Crypto Node and Master key tab are the most important for us to know. With
Crypto Node we can easily find the information about installed HSMs, like the state of the
HSM, its battery state, error logs etc. So whenever we notice any unwanted behavior like
unauthorized logon (outside valid time range), we can easily inspect Crypto Node and can
look into the details moreover can possibly find the cause of the issue.
15Created by author
-
7/31/2019 mastersthesis-120506103336-phpapp02
63/79
63
Sec