CAN SOFTWARE-BASED COMPUTER SECURITY BE AS EFFECTIVE AS HARDWARE-BASED TECHNOLOGIES?

by JOHN MUIR

John Muir has been involved in developing and marketing computer security systems since he and Robert Bosen formed Enigma Logic, Inc. in 1982. As company president, he travels the world, representing Enigma Logic's cryptographic approach to computer security and virus prevention.

A Critical Need

Sooner or later, every company must consider the issue of computer access control. Whether through wise preparation or sad experience, organizations are realizing that the inability to identify and control computer usage means that the organization no longer controls one of its most critical assets. The universal means of user identification, the memorized password, cannot provide adequate security for today's powerful, integrated systems. Prudent computer management realizes that, in order to regain control, more sophisticated access control systems must be implemented.

The concept is analogous to installing locks on doors. A lock must be placed wherever something of value must be protected. Only people who need access are given keys. In the computer arena, this means installing a logical gateway to the machines, programs and data that must be protected.

Protection Methods

Though there is universal agreement that protective controls are essential, there is substantial disagreement about how they should be constructed. Furthermore, the question often revolves around whether the controlling mechanism should be a hardware box connected to the mainframe, or whether it can be done with software inside the mainframe. Hardware access control products exist outside the mainframe and are generally special purpose boxes containing a firmware or software security routine. These devices are often classified as front-end or back-end, depending where they are situated in the user-to-computer link.
There is some variation in how the hardware access control devices protect the host computer. One common type of front-end device is the call-back unit, which usually sits astride the communications path into the mainframe. As their name implies, these units verify who a user is by first severing the communications connection and then redialing (calling back) the phone number associated with the user's ID (see Figure 1). This technique, though fairly simplistic, can be effective as a first line of defense against intrusion. Although each user has a specific number, the call-back unit can't control who is using the number. As an extra level of protection, these devices usually implement some kind of fixed password identification scheme.

A far more powerful technique based on cryptographic identification and recognition is available. Many back-end and some front-end devices have been developed to support this approach. The concept is often called dynamic password security because the password or access code is different every time and for every user. The ever-changing passwords are generated by hand-held calculator-like devices called tokens using cryptographic techniques that are generally regarded as beyond the ability of any commercial or non-military organization to break. Because they are constantly changing, the passwords cannot be guessed, tapped or captured in any manner that will compromise security. Furthermore, since even the authorized user cannot know or predict the one-time access codes, the codes cannot be written down, copied, lost or forgotten.

The hand-held devices, about the size and shape of a credit card, provide access codes as needed. Each person is given a different password device which, via an encryption "seed," is encoded to generate access codes that are different from any other device.
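The dynamic-password exchange just described, as an added example (this is not Enigma Logic's code or any product's algorithm): a token side that turns a per-device seed and an event counter into a fresh access code at every press, and a host side that validates against the seed it holds for that user and refuses a code once it has been used, which is why a tapped or captured code does no good. HMAC-SHA256 as the keyed function, an event counter as the changing input, an eight-digit code and a five-step resynchronisation window are this example's assumptions; the article names neither the cipher nor whether its tokens are driven by a counter, a clock or a challenge.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

CODE_DIGITS = 8   # length of the access code shown on the token's display (assumed)
LOOKAHEAD = 5     # counters the host tries past the last accepted one (assumed resync window)


def access_code(seed: bytes, counter: int) -> str:
    """One-time access code for a token seed and event counter.

    Constructed example: HMAC-SHA256 stands in for the cipher the article leaves
    unnamed. The point is that the code depends on a per-device seed and on a
    value that changes at every use, so no two presses show the same code.
    """
    mac = hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10**CODE_DIGITS).zfill(CODE_DIGITS)


@dataclass
class Token:
    """The hand-held device: holds its seed and a counter, shows a fresh code each press."""
    seed: bytes
    counter: int = 0

    def press(self) -> str:
        code = access_code(self.seed, self.counter)
        self.counter += 1          # the same code is never shown twice
        return code


@dataclass
class Host:
    """The validating side: knows which seed was assigned to which user."""
    seeds: dict = field(default_factory=dict)
    last_counter: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def enrol(self, user: str, seed: bytes) -> None:
        self.seeds[user] = seed
        self.last_counter[user] = -1   # nothing accepted yet

    def validate(self, user: str, code: str) -> bool:
        seed = self.seeds.get(user)
        if seed is None:
            self.log.append(f"REJECT user={user} reason=unknown-user")
            return False
        start = self.last_counter[user] + 1
        # Only counters beyond the last accepted one are tried, so a code that
        # has already been used is rejected even if it was captured in transit.
        for c in range(start, start + LOOKAHEAD):
            if hmac.compare_digest(access_code(seed, c), code):
                self.last_counter[user] = c
                self.log.append(f"ACCEPT user={user} counter={c}")
                return True
        self.log.append(f"REJECT user={user} reason=no-match-in-window")
        return False


def demo() -> list:
    """Constructed walk-through: a fresh code succeeds, its replay fails, another
    device's code fails, and the host tolerates a press whose code was never sent."""
    host = Host()
    alice = Token(b"seed-assigned-to-alice")          # constructed seed values
    other = Token(b"seed-of-some-other-device")
    host.enrol("alice", alice.seed)

    results = []
    first = alice.press()
    results.append(host.validate("alice", first))             # True: fresh code
    results.append(host.validate("alice", first))             # False: replayed code
    results.append(host.validate("alice", other.press()))     # False: wrong seed
    alice.press()                                             # code shown but never sent
    results.append(host.validate("alice", alice.press()))     # True: still inside LOOKAHEAD
    return results


if __name__ == "__main__":
    print(demo())
```

The host's copy of every seed is the crown jewel of this design, whether it sits in a sealed box or in a file the operating system protects; the article's later argument about hardware versus software is largely about where that seed store and the code that consults it should live.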
Software or firmware inside the security device is aware of the seeds as they have been assigned to each user, and is thus able to readily validate or reject each user's attempt to gain entry to the system. This process is as shown in Figure 2.

Hardware vs. Software

Generally speaking, the arguments for cryptographic-based access control in hardware seem compelling. For one thing, since everything vital is encoded in chips and circuits, only highly skilled professionals armed with sophisticated equipment could theoretically break the system. Additionally, in the case of boxes situated on the communications pathway into the mainframe, it is often argued that putting the gate in front frustrates hackers because there is no way to break the security and get into the mainframe. The same logic asserts that access controls performed in software are insecure because software is more breakable than hardware.

The image of hackers patiently and methodically trying all permutations and combinations to enter computer systems is with us today. In the past, hackers have been able to easily penetrate the defenses of systems where security provisions have been lax or even non-existent. However, new software security techniques have been developed to provide substantial levels of protection against hackers.

Outsmarting the Intruder

Using these techniques, software-based security can be made powerful, but in a different way than hardware-based security. In fact, one of the basic contrasts between hardware-based security and software-based security is much like the difference between a fortress and a submarine. Fortresses, like hardware, are a passive defense: additional security is simply a matter of making the wall stronger. Submarines, on the other hand, are designed to detect the presence of an intruder and to protect by attacking, while at the same time remaining elusive. Such is the case with sophisticated security software.
Professionally constructed security software bristles with defense mechanisms that are not apparent to the intruder. Important bits of code can be camouflaged and scattered throughout the program, while enticing bits of code can parade as bait for software traps. Once the attacker falls into one of these, he's trapped.

Integrated tamper testing allows the security software to automatically detect unauthorized changes that may have been made in an attempt to subvert the security process. The program can self-examine its critical points to see if there has been any change to code. When a change is discovered, the software can make a number of different decisions. It could halt itself immediately and post warning messages for the supervisor. Or it could effect a silent alarm to inform the supervisor that an attempt is being made, without the attacker knowing that he had been discovered. A more devious ploy is to lead the attacker into a decoy block of code that makes him feel like he is making progress, when in fact he is advertising his presence. The software activity resists intrusion and is fully capable of effectively informing the system supervisor of any attack.

The same cryptographically-based dynamic password methodology used with hardware security devices can be used with a software-based security system. But because the security software is embedded within the host operating system using vendor-supplied security hooks, its integrity can be even greater than when the user-authentication algorithms are implemented in silicon outside the host. The absence of the external connection between the host computer and the hardware device eliminates one major point of vulnerability, while doing away with the need to make non-standard software patches. Connecting the hardware device drivers to the host operating system eliminates another vulnerable point.
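The integrated tamper testing described above, as an added example (constructed here, not the article's or Enigma Logic's code): reference fingerprints of a few critical routines are recorded when the security software is installed, the routines are re-examined at run time, and on a mismatch the software takes one of the three responses the text lists (halt with a warning, silent alarm, or routing to a decoy). The fingerprint here is a SHA-256 over a function's compiled form (bytecode, referenced names and literal constants), which is this example's choice; the `check_password` and `is_privileged` routines and the `TamperCheck` class are hypothetical.

```python
import hashlib
import hmac
import types


def _fingerprint(func) -> str:
    """Hash the parts of a function's compiled form that an edit would change:
    the bytecode, the names it references, and its literal constants.
    (Constructed example; nested code objects are skipped because their repr
    is not stable across runs.)"""
    code = func.__code__
    h = hashlib.sha256()
    h.update(code.co_code)
    h.update(repr(code.co_names).encode())
    consts = tuple(c for c in code.co_consts if not isinstance(c, types.CodeType))
    h.update(repr(consts).encode())
    return h.hexdigest()


class TamperCheck:
    """Records reference fingerprints of critical routines and re-checks them later.

    The policy names ('halt', 'silent', 'decoy') mirror the responses the article
    describes; what each one does concretely is this example's choice.
    """

    def __init__(self, namespace: dict, critical: list):
        self.ns = namespace
        self.reference = {name: _fingerprint(namespace[name]) for name in critical}
        self.alarms = []           # what the supervisor gets to see

    def changed(self) -> list:
        """Names of critical routines whose current form no longer matches the reference."""
        out = []
        for name, ref in self.reference.items():
            current = self.ns.get(name)
            if not callable(current) or _fingerprint(current) != ref:
                out.append(name)
        return out

    def respond(self, policy: str) -> str:
        tampered = self.changed()
        if not tampered:
            return "ok"
        note = f"tamper detected in {', '.join(tampered)}"
        if policy == "halt":
            # stop immediately and make the event visible to the supervisor
            self.alarms.append("HALT: " + note)
            raise SystemExit(note)
        if policy == "silent":
            # keep running, but record an alarm the attacker never sees
            self.alarms.append("SILENT: " + note)
            return "continue"
        if policy == "decoy":
            # let the intruder proceed into a decoy path while the alarm is raised
            self.alarms.append("DECOY: " + note)
            return "route-to-decoy"
        raise ValueError(f"unknown policy {policy!r}")


# Constructed "critical" routines: the sort of code an intruder would want to alter.
def check_password(stored: str, presented: str) -> bool:
    return hmac.compare_digest(stored, presented)


def is_privileged(user: str) -> bool:
    return user == "supervisor"


def demo() -> tuple:
    """Constructed run: pristine routines pass; after one is swapped for a
    version that accepts anything, the check names it and a silent alarm is logged."""
    ns = {"check_password": check_password, "is_privileged": is_privileged}
    guard = TamperCheck(ns, ["check_password", "is_privileged"])
    before = guard.changed()                                  # []
    ns["check_password"] = lambda stored, presented: True     # simulated patch
    after = guard.changed()                                   # ['check_password']
    action = guard.respond("silent")                          # 'continue', alarm recorded
    return before, after, action, list(guard.alarms)


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would attach: this check covers the in-memory form of the routines, not the program file on disk, so it complements rather than replaces a file-integrity check; and an intruder who can alter a critical routine can in principle alter the checker and its reference digests too, which is exactly why the article's camouflaging and scattering of the important code matters and why the alarm should reach the supervisor through a path the attacker does not control.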
Keep in mind that the basic strength of cryptographically-generated dynamic passwords is completely independent of the physical medium. This is difficult for people to realize, perhaps because most of our non-computer methods of protection (e.g., bank vaults) tend to be based on the fortress approach. But logic, the material of which riddles, puzzles and computer software are made, can be used to create defenses that can easily match the capabilities of iron and steel. In fact, the cryptography upon which dynamic password methodology is based is so secure that it would take the world's fastest computer hundreds of years to generate all possible combinations and permutations. Properly implemented, logical security can be extremely effective. Long-standing government standards have led to some cryptographically-based methodologies that have never been broken.

A Matter of Trade-offs

Admittedly, all of these techniques could be made more attack-resistant by being encoded into chips and placed inside a sealed box. This would, however, lessen the overall effectiveness of the security system because the ideal security product must always strike a balance between the objectives of cost, convenience and security. Regardless of how secure a system might be, if it becomes prohibitively expensive, inflexible, or disrupts normal system operation, it cannot be viewed as an acceptable security approach.

While pure hardware systems look secure, they often can become expensive and unwieldy in terms of purchase cost, maintenance logistics and the difficulties inherent in interfacing them in today's heterogeneous (integrated) computer installations. The net effect is that while hardware may be appropriate for some specific uses, software systems tend to lend themselves more to general usage. Software-based systems tend to be more flexible and usually are able to achieve a better balance among the overall security objectives.
The merging of security software into computer systems has evolved to fulfill the premise that security should be as intelligent as the forces attempting to subvert it. To see the limitations inherent in hardware-only approaches, one need only consider the prospect of protecting an interconnected network of mainframes, minis, LANs and micros with a legion of passive, on-off hardware boxes. A sophisticated security system must be capable of becoming part of the system, woven tightly around specific applications and monitoring access through all possible gateways and entrances.

Finally, intelligent security of this sort requires significant computing power. The cost of providing computational capabilities of this magnitude in an exterior hardware box is often significant. With a software solution, on the other hand, the host provides the computing facility. The bigger the computer, the more resources that are available. Extraneous costs of physical devices can be eliminated, and the focus can be placed on development of powerful and flexible software that creates a cost-effective, efficient environment for enforcing and managing the computer security function.

Flexibility and Networking Applications

Software-based systems can offer a control refinement that is not readily attainable with hardware-only solutions. For example, ID checks can be imposed at the system level, application level and file level. It is even possible to allow one protected host to function as an ID server to other hosts. Again, all of the flexibilities inherent in software can be added as a shell around the central concept of positive user identification and authentication (Figure 3).

The advantages of software-based security systems also become apparent when sophisticated networks and super systems are considered. If properly designed, the security software can be made compatible with major operating systems such as IBM/MVS and VTAM, DEC VMS, UNIX, etc.
Regardless of which machines users deal with, they will be confronted with a uniform, familiar security routine. The user needs only one password device since the device's identity can be associated with his account on all of the machines he is authorized to use. The log-in procedure remains the same whether he is dialing in from the outside or using a terminal.

This flexibility can be exploited to create a uniform and system-wide security environment that is easier to administer than an assortment of hardware devices from different vendors. Users and administrators need only be trained once. Because of the consistent approach to security, all activity logs of the security system will be of the same format. User data can be easily extracted from one host for entry into the user database of other machines. There are no extraneous hardware devices that can malfunction and cause system downtime.

In fact, when one considers the diversity and the rapid obsolescence of computer systems, it appears that the scales may be shifting toward software-based approaches. Such a technology can be extended to embrace new applications without needing to rethink security policy and train users on new security systems. It can be consistent across the entire heterogeneous system, presenting a common look and feel to all users, and it can be flexible (portable) enough to encompass new pieces of computer equipment as they are added.