Computer-Security Encryptors Help Halt Hackers.
Unfortunately, as the headlines have proclaimed, hackers have broken into the most-sensitive data bases, including those of NASA, the Los Alamos National Laboratories, the Irving Trust Bank and the Memorial Sloan-Kettering Medical Center. It's not just kid stuff anymore, and virtually every security scheme so far developed has proven vulnerable, but recent advances in security technology show cause for hope.
Key locks, log-in codes, audit trails, passwords--even fingerprint, voice and retina identification--while useful in securing a terminal, cannot adequately secure computer information. Companies must be able to depend upon the integrity of data transmitted via telephone lines (or by satellite), or there will continue to be sensational headlines about break-ins and monumental headaches for data processing managers.
It's now possible to restrict access to data bases by controlling terminal use (through call-back systems) and to effectively protect data in transmission through the use of encryption/decryption devices. Both types of protection are finally available in a new device that combines terminal authentication with data encryption. None of these systems are inexpensive, but when considering how much computer information is worth, the cost of protecting it can seem very reasonable. In any case, the technology now exists to give the [area code] "414s" and other hackers a lot to think about. Let's look at the call-backs to see what these wonder machines are all about.
In the case of certain basic computer system configurations, such as the terminal-to-central processing unit (CPU) link-up shown in Figure 1 or the CPU-to-CPU system in Figure 2, the call-back system can be programmed to recognize an authorized user by an identification code. When remote terminals are used consistently from the same telephone number, such as a branch office or an employee's home, call-back systems can ensure that only terminals at those authorized telephone numbers can get into the data base.

Call-Back System Will Deny Unauthorized Access
The call-back system verifies the location of the access request and will deny access if the call is made from an unauthorized location. A peripheral unit is installed between the direct-dial telephone network and the modem on a computer-interface port. It works with most conventional modems and can also be used on the remote-access port of any remotely controlled equipment.
The call-back circuitry, under software control, can answer all incoming calls and can accept a valid location number. It will then return the call to the appropriate location (whose number is stored in memory) and allow the authorized terminal access to the computer.
This security system can be used to access small, single-line systems, such as the ones in Figures 1 and 2. More-complex configurations, such as the multiplexer system in Figure 3 or the network shown in Figure 4, can support many more users--in excess of 2,000--and can interface scores of telephone lines with a single controller. For these larger systems, there are multiple-port call-back devices that protect all lines of access to the CPU. Only certain terminals can gain access through selected ports of the CPU. Not surprisingly, the cost of call-back security systems increases substantially with the number of ports that need protection.
What callback systems cannot do is prevent a hacker from listening in on and recording or manipulating a transmission.
Time is also a factor with call-backs. They add to the time needed to connect a terminal with a CPU. Between 15 and 90 seconds can elapse before a data connection is made; but once the link is complete, there is no transmission delay. The reliance of these systems on software also slows down access.
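A small simulation of the dial-back exchange described above, added here as an example and not taken from the article or any vendor's product. The terminal IDs, telephone numbers and "phone network" are constructed; the point it shows is that the unit always dials the number stored in its own memory, so a caller presenting a valid ID from an unauthorized location never receives the data connection.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class CallBackUnit:
    """Models the peripheral installed between the phone line and the modem."""
    directory: dict                      # terminal ID -> authorized telephone number (constructed)
    log: list = field(default_factory=list)

    def handle_call(self, presented_id, calling_number):
        """Answer, accept the location code, hang up; return the number to dial back."""
        stored = self.directory.get(presented_id)
        if stored is None:
            self.log.append(("REJECT", presented_id, calling_number))
            return None
        # The unit dials the number held in its own memory, never the number
        # the caller came in from, so a caller cannot redirect the call-back.
        self.log.append(("DIAL_BACK", presented_id, stored))
        return stored


def session(unit, lines, presented_id, calling_number):
    """One complete exchange. `lines` is a constructed phone network:
    telephone number -> ID of the terminal installed at that number."""
    target = unit.handle_call(presented_id, calling_number)
    if target is None:
        return ("denied", None)
    if lines.get(target) != presented_id:        # nobody authorized answers the call-back
        return ("denied", None)
    return ("connected", target)                  # the data link goes to `target`, not the caller


def repeated_rejects(unit, threshold=3):
    """Defender's view: calling numbers whose bad IDs were rejected at least `threshold` times."""
    counts = Counter(num for kind, _, num in unit.log if kind == "REJECT")
    return sorted(num for num, c in counts.items() if c >= threshold)


if __name__ == "__main__":
    unit = CallBackUnit({"BR01": "555-0100", "HOME7": "555-0107"})
    lines = {"555-0100": "BR01", "555-0107": "HOME7"}
    print(session(unit, lines, "BR01", "555-0100"))   # branch terminal from its own number
    print(session(unit, lines, "BR01", "555-0199"))   # valid ID, wrong place: link goes to 555-0100
    print(session(unit, lines, "GUESS", "555-0199"))  # unknown ID: rejected and logged
```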
The appeal of distributed intelligence systems--of which the multiplexer and network are important parts--is the ease and speed with which the authorized users of their terminals can gain access to information in the system. To muddle this "friendliness" with complex log-in passwords and coding cuts down on the rapidity with which data can be accessed, and makes the systems much more cumbersome. For such sophisticated systems, encryption offers an attractive alternative.
Encryption, the transformation of sensible or clear text into unreadable nonsense, was originally developed for military purposes. Encryptors offer security for data in transmission but, unlike the call-back system, no terminal authentication.
The National Bureau of Standards has greatly improved on wartime encryption with development of its Data Encryption Standard (DES). DES is a mathematical algorithm. It transforms readable data into gibberish under the control of a compact key. DES scrambles data in a 64-bit block governed by a 56-bit key. That is, the 64-bit clear text is encrypted by the algorithm in conjunction with the 56-bit key. To decrypt the message, the jumbled data is input to the same algorithm and the clear text is restored, provided the same key is used.
DES has 2^56 possible keys. The most-powerful computer, working nonstop to decrypt a message sent in encrypted form, would take months to unlock the message--unless it had the proper key to decipher the data. This key to the decryption needs to be changed often and at irregular intervals if encryption is to be effective against illegal access.
DES is at the heart of a number of encryption devices, and has been put to work by the American Bankers Association for its Financial Institution Message Authentication Standard (FIMAS). FIMAS uses DES technology to verify the integrity of a computer transmission, such as an electronic funds transfer (EFT). An EFT is assigned a value that's calculated using an algorithm that is highly sensitive to bit changes. This algorithm is then used to examine all or part of a message. If, on attempting to decrypt a block of a message, a single bit of the key differs from the proper encrypt or decrypt key, the result will be scrambled text.
The problem of dispersing EFTs among branch offices and the main data center can also be solved by the ABA's standard. FIMAS can be incorporated into such systems as a hardware encrypting peripheral at terminals, and as software on the mainframe or CPU. The terminal's box serves only to alert operators that a message has failed to validate. They then inform the data center, where action can be taken to determine whether the authentication failure was due to electronic problems, communications problems or an attempt at illegal access.
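An added example (not from the article or the ABA standard) of the check FIMAS performs: a keyed authentication value computed over an EFT message, recomputed by the receiver, that fails when a single bit of the message or of the key differs. Python's standard library has no DES, so HMAC-SHA256 stands in for the DES-based algorithm; the key and the EFT message are constructed.

```python
import hashlib
import hmac

# Constructed values: a short key and a sample funds-transfer message.
KEY = bytes.fromhex("0123456789abcdef")
EFT = b"PAY 000125000.00 FROM 4471-02 TO 9920-17 REF 1985-02-01-0042"


def authentication_value(key: bytes, message: bytes) -> bytes:
    """Keyed check value over the whole message (HMAC-SHA256 standing in for DES)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def validates(key: bytes, message: bytes, received_value: bytes) -> bool:
    """What the receiving box does: recompute and compare in constant time."""
    return hmac.compare_digest(authentication_value(key, message), received_value)


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Copy of `data` with one bit inverted (a line error or a tampered field)."""
    out = bytearray(data)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)


def differing_bits(a: bytes, b: bytes) -> int:
    """Hamming distance between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def demo() -> dict:
    tag = authentication_value(KEY, EFT)              # value sent along with the EFT
    return {
        "original": validates(KEY, EFT, tag),
        "amount_bit_flipped": validates(KEY, flip_bit(EFT, 40), tag),   # bit 0 of byte 5, inside the amount
        "key_bit_flipped": validates(flip_bit(KEY, 0), EFT, tag),      # receiver holds a key one bit off
        # how far the check value moves when a single message bit changes
        "bits_changed_in_tag": differing_bits(tag, authentication_value(KEY, flip_bit(EFT, 40))),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```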
Encryption has recently been taken a step further with a device that combines random data scrambling with encrypted terminal authentication. The peripheral is called Arbiter (from Computer Security Systems, Melville, New York) and encrypts at a level competitive with DES. The device authenticates the terminal simultaneously with data encryption, all in real time for cost savings. (Those little bits of transmission time can add up.) An extra advantage of the device is that it requires no key changing; in fact, there's no interaction with the terminal user at all. No one need know that the system is at work.

The Typical Encryption Operation Sounds Simple
A typical operation is as follows: A remote-terminal user calls the host computer. The host then establishes a communications link with the user. The user's Arbiter encrypts the request to log on, and simultaneously sends an encrypted user identification. The host's encryptor determines the authenticity of the user's identification and, if valid, simultaneously decrypts the user's data. A new randomly assigned encryption pattern occurs--in real time--with each transmission.
At the terminal end, the data stream being sent is continuously scrambled with parts of itself and combined with a pair of encryption keys--one fixed and one randomly generated. Portions of the user's identification being sent continuously with the data help to determine the nature of the encryption key. The host encryptor, matched to the user's, recognizes the encryption keys and is thus able to decrypt the data. The encrypting device's algorithm controls the transmission characteristics, creating a data stream that bears no resemblance to the actual data being sent.
The Arbiter device connects between a modem and CPU or terminal. Tapping the transmission line between modems or attempting to illegally access the CPU gives the intruder meaningless strings of characters. If an attempt is made to dial into the CPU, an alarm goes off and the machine hangs up on the intruder, who has only gotten a blank screen and never realizes that contact was made with a computer.
Even a combined system of terminal authentication and encryption cannot solely be relied upon to cure all telecommunications security needs. Any dependable security system should incorporate a variety of internal policing procedures, follow-up and technology if computer data bases and data transmissions are to be secure and confidential.
Date: Feb 1, 1985