Jeffrey James Stapleton - Security Without Obscurity: A Guide to Cryptographic Architectures

Security without Obscurity

A Guide to Cryptographic Architectures

J. J. Stapleton

Published in 2019 by CRC Press

Taylor & Francis Group

6000 Broken Sound Parkway NW, Suite 300

Boca Raton, FL 33487-2742

2019 by Taylor & Francis Group, LLC

CRC Press is an imprint of Taylor & Francis Group

No claim to original U.S. Government works

Printed in the United States of America on acid-free paper

10 9 8 7 6 5 4 3 2 1

International Standard Book Number-13: 978-0-8153-9641-3 (hardback)

This book contains information obtained from authentic and highly regarded sources. Reprinted material is quoted with permission, and sources are indicated. A wide variety of references are listed. Reasonable efforts have been made to publish reliable data and information, but the author and the publisher cannot assume responsibility for the validity of all materials or for the consequences of their use.

No part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.

For permission to photocopy or use material electronically from this work, please access www.copyright.com (www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.

Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.

Visit the Taylor & Francis Web site at

www.taylorandfrancis.com

and the CRC Press Web site at

www.crcpress.com

This is the third book in the Security without Obscurity series. The first installment was my first book done on my very own. Previously, I had written articles and chapters for other peoples books but not my own. The second book came about because of my collaboration with Clay Epstein and our decision to write a book together, and inadvertently created the series. At that time, I had no particular plans for a third book. The genesis for this book had several origins.

First, during my career, many times I have had to ferret out the cryptographic details for products, applications, and networks. From a crypto perspective, understanding the journalistic questions: who, what, why, where, when, and how is a critical aspect of information security. Too often the information is difficult to ascertain; misinformation and disinformation are not helpful. For example, vendors or service providers might be reluctant to reveal details, developers might have unreliable data, or product specifications are obsolete.

Further, vendors and service providers undergo mergers and acquisitions. Knowledge is often lost when employees or contractors depart. Product lines might be decommissioned and no longer supported. Products might not be updated and run with aging software. Product documentation might be dated or contain mistakes. Marketing sometimes makes unsubstantiated claims that are difficult to verify.

Second, the ability to conduct a security assessment in a reluctant or adversarial situation requires a set of skills that can only be learned by experience. However, there are dependable processes that can provide consistent results. Over the years, things to do and things not to do are included in lessons learned. These same processes work just as well for enthusiastic conditions. This book has an entire chapter on performing risk assessments.

Third, I published the article Cryptographic Architectures: Missing in Action in the July 2017 ISSA Journal. The article was on the journal cover, and it was republished in the Best Articles of 2017 in the January 2018 ISSA Journal. However, there was so much that I could have discussed, but a six-page article can only provide a limited amount of information. I provided the article to my publisher, and he agreed the topic would make another good book.

On another note, the ISSA article and this book refer to simple applications or network diagrams as cartoons. I personally credit Don Provencher a former colleague at Bank of America, coining the term cartoon when referring to simplistic diagrams. Don was extremely knowledgeable about network architectures and was able to educate even me. We all miss you, Don.

In the first book, I mentioned my long-term participation with X9 standards. My participation and chairing the X9F4 workgroup endures to this day. The X9F4 program of work continues to grow with new standards and technical reports. Meanwhile, I continue to have a day job, work on X9 standards, and write this book. All of this with the loving support from my wife, Linda, and everyone still likes her best.

J. J. Stapleton has been involved with cryptography, public key infrastructure (PKI), key management, and numerous other information security technologies since 1989 when he attended his first Accredited Standards Committee X9 work-group meeting. He has continued his X9 membership across many employers and has been chair of the X9F4 cryptographic protocol and application security work-group since 1998.

Jeff began as a software engineer at Citi Information Resources in 1982 when he was still working on his bachelors of science in computer science from the University of MissouriSt. Louis (UMSL).

Jeff continued his career as a developer at MasterCard in 1984, managed developers on card payments applications, and began working on his masters of science in computer science from the University of MissouriRolla (UMR, now renamed Missouri Science and Technology). He also began his long-term X9 affiliation.

Jeff was assigned the design and development of a key management service (KMS) for the MasterCard network Banknet. The KMS was literally 24 hour from going live in production when a strategic decision to replace the then current IBM Series/1 minicomputers with a to-be-determined platform delayed the KMS project. He was able to take advantage of the experience by writing his thesis: Network Key Management in a Large Distributed Network, J. J. Stapleton, 1992, a thesis presented to the faculty of the Graduate School of UMR approved by Daniel C. St. Clair, Chaman L. Sabharwal, and James Hahn.

He actively participated in the development of the X9 technical guideline TG-3 personal identification number (PIN) Security Compliance Guideline (renumbered as technical report TR-39). The guideline provides evaluation criteria based on industry standards (X9.8 and X9.24) that defined security requirements for handling PINs and associated cryptographic keys. TG-3 was adopted by many payment networks for a biennial security assessment for interoperability.

Another accomplishment was his involvement in the development of the Secure Electronic Transaction (SET) specification, a joint venture between Visa and MasterCard for online card payments. As part of the SET project, he also worked with Netscape in their development of the Secure Socket Layer Protocol.