Student Guide & Problem Statement

Secure Software Development: Cryptography
Problem Statement & Student Guide
Version 3: 19-Nov-2015
Introduction
You are a lead security consultant in EdgeWise Mobile International, a large telecommunications
enterprise with markets in the UK, Europe, America and the Far East and approximately
120,000 employees globally. Your team has approximately 70 security consultants globally,
supported by additional security subject matter experts who specialise in Cryptography,
Security Engineering, Security Architecture, and Governance and Risk. The firm is organised
into four main lines of business:
Retail in store
Telephone sales (customer services)
Wholesale
Digital (internet).
Supporting each line of business there are operational teams that cover the following areas:
Marketing and Branding
Accounts (customer billing)
Finance (accounts)
Legal
Fraud
Regulatory compliance
Business Information Systems (BIS)
Information Technology (IT Support)
Telecommunication Engineering
Information Security (the team you work in).
The firm currently has over 200 million customers who use the company mainly for the
provision of mobile phone handsets and their associated pay as you go and monthly contract
SIM card packages.
Recently the firm has recruited a new chief operating officer (Lewis Pinstripe) who is in charge
of the strategic business operating model and product lines. Despite the firm’s relative success
within the traditional mobile telecommunications sector, it currently has 16% of the global
market and requires its share price to increase from 300p per share to 400p per share over
the next 3 years. Lewis has been informed by his executive colleagues that they need to
increase their market share from 16% to 22% within the next 2 years in order to be on target.
Lewis has therefore recently decided that the firm needs to embark on an ambitious
programme to expand its digital and wholesale channels. His marketing department has
decided that the digital channel needs to include the following high-level customer services, so
that EdgeWise Mobile can gain a competitive advantage and entice new customers:
Mobile applications to support customer account enquiry.
Mobile applications to support sales of products.
Mobile applications to recruit and drive the firm’s brand into new markets, such as:
o Location services,
o Payment services (peer to peer payments),
o Entertainment (music and video streaming services).
As is usual, Lewis has delegated the programme of work to the Business Information Systems
team to operate the project management office (PMO) for the delivery of the project within
defined strategic phases.
The annual budget for the project is set at 50,000,000 GBP.
As one of the lead security consultants for the firm, it is your role to assist the programme
management in the identification of security tasks, general advice and guidance, standards
adherence (compliance with the firm’s security standards – which are based on the ISO
27001:2013 Annex A controls), as well as appropriate risk identification and acceptance in
accordance with the firm’s Information Security Management System (ISMS) that is also based
upon ISO27001, but as yet is not fully audited to be compliant.
The project team that has been assembled includes the following people:
Business Analysts.
Solution Architects.
Infrastructure Architects.
Software Developers.
Test Teams.
Representatives from key business teams (stakeholders):
o Marketing.
o Fraud.
o Legal.
o Regulatory compliance.
So far the programme has very little in terms of direction; however, Lewis (who is from a
software development background) has stated that the firm’s usual method of software
development, which is based on the Software/Systems Development Life Cycle (SDLC), is too
verbose and bureaucratic. Consequently the programme has been charged not only with
developing and delivering the new products, but also with developing a new
governance process that will allow the programme to meet its high-level business
requirements quickly and safely with minimal risk to the business.
The project management has decided that the first year of the programme will focus on the
following deliveries:
Quarter 1 – construct the new governance model.
Quarter 2 – develop the designs for a new software product to be platformed on
Android, iOS, Windows Mobile and Blackberry (RIM) operating systems.
Quarter 3 – develop the customer support tools.
Quarter 4 – launch the product to staff.
The second year will refocus the project on the release of the core mobile application to the
customer base, ensuring that iterative software releases include new and exciting features that
realise Lewis’s vision for the selling of location, payment and entertainment services.
The final steer from Lewis is that customer registration with the new mobile applications
must be as mobile as possible, allowing customers to see an advert in the street, decide
there and then that they would like to participate in the service, and register to receive
services without the need to respond to a posted mailer.
The registration process must cater for existing customers of the firm; and
It must also be able to extend to customers of other mobile phone company networks.
One month into the development programme at EdgeWise Telecommunications Plc, it is
widely recognised that 2 years is actually a very tight timeline in which to deliver the
programme, and much emphasis has been made by the senior stakeholders within the
business that the programme must deliver prototypes and methodologies within the first year.
The PMO, which is panicked and is escalating all teams to mobilise dedicated resources, has
therefore decided that delivery milestones for software prototypes shall be based on a 30 day
cycle.
They have a working prototype for a web service that will broker mobile client requests, and a
mobile application.
Learning Outcomes
On completion of the scenario, students will be able to:
1. Identify and justify the selection of appropriate encryption methods to secure stored
sensitive data including card details.
2. Explain the relative strengths of encryption algorithms and the types of attack possible
on them.
3. Explain the requirements of appropriate standards and practices in relation to card
data.
4. Minimising the risk to an asset or product through the use of encryption software.
5. Explain good practices in relation to key management.
Scenario
During the development of the EdgeWise Telecommunications Mobile Application, the lead
software developer has asked you to provide advice and guidance on the development of a
suitable encryption scheme for the protection of sensitive data at rest.
The data includes:
Text messages that the customer has sent [160 characters]
Passwords and codes (secrets) [30 characters]
Bank account details: name [20 characters]
Bank account details: sort code [6 characters]
Bank account details: account number [12 characters]
Card number (PAN) [16 characters]
Card verification value (CVV) [5 characters]
The developer has advised you that the information will be stored in a SQL database that is
hosted on a hypervisor within the firm’s strategic data centre. The firm has suffered from
historical thefts of sensitive customer data, which is suspected to have been facilitated by
internal infrastructure support staff. It is therefore important that the data cannot be
decrypted by the maintenance staff including the DBA.
The developer is thinking of using 2-key Triple DES in ECB mode with no padding, as he has
some sample code that he can re-use.
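The following Go program is an added illustration; it is not part of the original guide and is not the developer's sample code. It builds the 2-key Triple DES key as K1||K2||K1 and applies the block cipher block by block with no padding, which is exactly what ECB mode with no padding means, so that the two consequences of the proposal can be seen directly: equal plaintext blocks give equal ciphertext blocks, and a value whose length is not a multiple of 8 bytes (the 6-character sort code) cannot be encrypted at all. It then goes beyond the scenario text to show the shape of a replacement: AES-256-GCM with a fresh random nonce and additional authenticated data naming the row and column, and envelope encryption, where each value is sealed under a per-record data key (DEK) that is itself wrapped under a key-encrypting key (KEK) held outside the database, with a rotation step that re-wraps the DEK without re-encrypting the data. That last part is what the key storage and key rotation items of the task are about. The PANs, the key bytes, the "customer:42:pan" label and the "kek-vN" convention are constructed for the demo, and all function names are this example's own. The KEK is an in-memory stand-in for a key that in production would live in an HSM or KMS.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"errors"
	"fmt"
)

// TwoKeyTDESECB is the developer's proposal: 2-key Triple DES (K1||K2||K1) in
// ECB mode with no padding. It is here only to show why it is unsuitable.
func TwoKeyTDESECB(key16, plaintext []byte) ([]byte, error) {
	if len(key16) != 16 {
		return nil, errors.New("2-key 3DES needs a 16-byte key")
	}
	if len(plaintext)%des.BlockSize != 0 {
		// "No padding": a 6-character sort code cannot be encrypted at all.
		return nil, fmt.Errorf("length %d is not a multiple of %d and no padding is applied", len(plaintext), des.BlockSize)
	}
	block, err := des.NewTripleDESCipher(append(append([]byte{}, key16...), key16[:8]...))
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += des.BlockSize {
		// ECB encrypts each block independently: equal plaintext blocks give
		// equal ciphertext blocks, whatever block cipher sits underneath.
		block.Encrypt(out[i:i+des.BlockSize], plaintext[i:i+des.BlockSize])
	}
	return out, nil
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the replacement: AES-256-GCM with a fresh random nonce, plus
// additional authenticated data (AAD) naming the row and column so a DBA
// cannot move a ciphertext between rows. Output layout: nonce || ct || tag.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal; any change to nonce, ciphertext, tag or AAD is rejected.
func Open(key, blob, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], aad)
}

// Envelope encryption: each value is sealed under a per-record data key (DEK),
// and the DEK is sealed under a key-encrypting key (KEK) that lives in an
// HSM/KMS outside the DBA's reach. Here the KEK is an in-memory stand-in.
func kekAAD(version int) []byte { return []byte(fmt.Sprintf("kek-v%d", version)) }

// WrapDEK leaves only ciphertext next to the data; the AAD pins the KEK version.
func WrapDEK(kek, dek []byte, version int) ([]byte, error) {
	return Seal(kek, dek, kekAAD(version))
}

// RotateKEK re-wraps the 32-byte DEK under a new KEK. The data blobs are not
// touched, which is what makes KEK rotation affordable on a large table.
func RotateKEK(oldKEK, newKEK, wrapped []byte, oldVersion, newVersion int) ([]byte, error) {
	dek, err := Open(oldKEK, wrapped, kekAAD(oldVersion))
	if err != nil {
		return nil, err
	}
	return Seal(newKEK, dek, kekAAD(newVersion))
}

func main() {
	key := []byte("0123456789abcdef") // constructed demo key only
	a, _ := TwoKeyTDESECB(key, []byte("4111111111111111"))
	b, _ := TwoKeyTDESECB(key, []byte("4111111122223333")) // shares the first 8 digits
	fmt.Printf("ECB: %x\n     %x  <- identical first block\n", a, b)
	_, err := TwoKeyTDESECB(key, []byte("123456"))
	fmt.Println("ECB with no padding on a sort code:", err)
}
```

Run it with go run. The ECB output shows two different PANs sharing an identical first ciphertext block (an attacker who reads the table learns which customers share an issuer, and equal PANs produce byte-identical ciphertexts), and the no-padding routine refusing the 6-character sort code outright. Triple DES also has a 64-bit block, and NIST SP 800-131A disallowed 2-key TDEA for new encryption after 2015. With Seal, encrypting the same PAN twice gives two different ciphertexts, and Open fails if the ciphertext, the tag or the row/column AAD is altered, which is what stops a DBA copying one customer's encrypted PAN into another row. RotateKEK shows why envelope encryption matters at 200 million customers: rotating the KEK touches only the wrapped DEKs, never the encrypted column data, and in production the wrap and unwrap calls would be made to the HSM/KMS rather than to in-process keys.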
Your Task
Write and present a paper (2500 words) providing an advice and guidance report to the developer.
1. Identify which information should be encrypted and state why.
2. Identify which information must not be stored.
3. Evaluate the suitability of the chosen encryption algorithm for the task and where
applicable suggest an alternative.
4. Explain the attacks that could be leveraged against various cryptographic algorithms.
5. Identify the tasks required for the secure implementation of cryptography, including:
5.1. Key storage
5.2. Key management (rotation, retirement).
6. Suggest alternatives to the developer writing the encryption routine (can this be done by
an off the shelf product – for example Oracle or MS SQLServer – if so how?).
Reflection on Learning
It is also important that, at the end of the scenario, you reflect on your learning and
team working and identify what worked well, what didn’t and actions for future improvement.
The Consulting Process
One of the benefits of Problem-based Learning is that you learn professional skills as well as
technical knowledge. The process we ask you to follow to explore and provide solutions to the
problem also mirrors the one used in consultancy.
In order to assist you with the process, the following table shows the activities we would
expect you to complete in your PBL team. You should read this carefully and make sure you
are familiar with both the generic activities (in column 2) and the specific ones in column 3.
Steps 1 & 2 will be conducted in the first PBL tutorial.
Step 3 a) and b) comprise your individual research and the summarising of your learning.
Step 3c) takes place as a sharing and teaching session at the next tutorial. This process of
sharing and teaching others is extremely beneficial to your own learning.
Steps 4 and 5 consist of team work and, whilst they are logically distinct, they may take place at the
same meeting as stage 3c) depending on the schedule of meetings.
Steps 6 and 7: in this scenario you will not be implementing a solution, so these are not
undertaken.
Step 8 should be completed at the end of the scenario, both individually and as a team, to
identify what you’ve learned and how you can improve your learning and team performance in
future.
Your tutor/ facilitator will discuss it with you.
The CSKE Consulting/ Learning Model
(Columns of the original table: Problem-solving model; What PBL normally includes; What you will be doing at each stage.)

1. Understanding organizational history and context
   What PBL normally includes: scenario analysis; socio-technical organizational analysis;
   clarification of ambiguities.
   What you will be doing:
   a) Individual and team review of scenario text and video resources.
   b) Team discussion.
   c) Clarification of ambiguities with tutor/facilitator.

2. Determining the problem to be resolved
   What PBL normally includes: requirements analysis (identify key issues); simulated
   consultation with stakeholders (e.g. through role-play and/or online interaction);
   reviewing technology/processes in use; identifying learning goals; facilitator guidance.
   What you will be doing:
   a) Team review of scenario: identifying key issues.
   b) Identifying learning goals.
   c) Team publish action list & summary in forum.

3. Identifying/ learning necessary knowledge
   What PBL normally includes: individual research & learning to resolve knowledge gaps;
   summarising & reflection; teams share learning.
   What you will be doing:
   a) Individual research & learning to resolve knowledge gaps.
   b) Individually creating a summary of learning and how it applies to the scenario.
   c) Team sharing learning/ teaching each other.

4. Identifying alternative solutions
   What PBL normally includes: determining and agreeing evaluation criteria and process;
   identifying technical possibilities, considering acceptance issues and organizational fit;
   facilitator guidance.
   What you will be doing:
   a) Determining evaluation criteria through team discussion.
   b) Team identification of options considering acceptance issues and organizational fit.
   c) Facilitator guidance.

5. Choosing optimal solution
   What PBL normally includes: deciding on best technical, organizational and social outcomes;
   proposing solution with justification.
   What you will be doing:
   a) Team decision and justification.
   b) Presentation to tutor in role of main stakeholders.
   c) Creating the report.

6. Planning the implementation
   What PBL normally includes: applying planning and scheduling techniques; proposing plan and
   deadlines.
   (Not undertaken in this scenario.)

7. Implementation
   What PBL normally includes: building the solution (if appropriate); deploying the solution
   (if appropriate).
   (Not undertaken in this scenario.)

8. Final evaluation
   What PBL normally includes: formal evaluation methods re project success; personal reflection
   and evaluation.
   What you will be doing:
   a) Team evaluation of performance and project success.
   b) Individual reflection on personal learning & development.
Resources
Aizuddin, A. (2001) The Common Criteria ISO/IEC 15408 – The insight, some thoughts, questions
and issues. SANS Institute. Available online at: http://www.sans.org/reading-room/whitepapers/standards/common-criteria-iso-iec-15408-insight-thoughts-questions-issues-545
This paper provides an overview of an international effort called Common Criteria (CC),
an IT Security evaluation methodology, developed to define and facilitate consistent
evaluations of security products and systems, fostering international recognition and
trust in the quality of security products and systems. You need to be aware of the
Common Criteria.
Anderson, R. (2008) Security Engineering: A Guide to Building Dependable Distributed Systems,
2nd Edition, Wiley: http://www.cl.cam.ac.uk/~rja14/book.html
An updated (and expanded) version of the 2001 book, widely acclaimed as an in-depth
treatment of taking a holistic approach to building secure systems. A brief video from
Eurocrypt 2008 introduces it: https://www.youtube.com/v/jU4QHfi6E3w
Axelrod, C. W. (2012) Engineering Safe and Secure Software Systems, Artech House.
Engineering Safe and Secure Software Systems gives readers conceptual explanations
of the differences between security and safety; ways to integrate the two concepts into
the information systems life cycle; technology solutions; and detailed, in-depth case
studies. The book also analyses current practices for security and safety regarding
appropriate maturity. It has a comprehensive view and analysis of the management and
technology solutions that companies require.
Common Criteria (2012), available at: https://www.commoncriteriaportal.org/cc/
The Common Criteria for Information Technology Security Evaluation (abbreviated as
Common Criteria or CC) is an international standard (ISO/IEC 15408) for computer security
certification. It comprises 3 parts. Part 1 – Introduction and General Model defines general
concepts and principles of IT security evaluation. Part 2 – Security Functional Requirements
establishes a set of security functional components as a standard way of expressing the
security requirements for IT products and systems. Part 3 – Security Assurance
Requirements establishes a catalogue of assurance components that can be used as a
standard way of expressing the assurance requirements for IT products and systems. The
CC should be used to produce deliverables that meet the CC requirements.
ISO/IEC 15408-1:2009 Information technology -- Security techniques -- Evaluation criteria for IT
security -- Part 1, Part 2, Part 3. Available from:
http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html
The ISO standards for the Common Criteria.
NIST (2002) Security Requirements for Cryptographic Modules, FIPS PUB 140-2, Federal
Information Processing Standards Publication. Available online at:
http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf
Another detailed standard from NIST which contains the requirements and standards for
cryptographic modules that include both hardware and software components. The
standard provides four increasing, qualitative levels of security intended to cover a wide
range of potential applications and environments. FIPS 140-2 validation is the usual
yardstick when selecting an HSM or software module in which keys are to be held out of
the reach of infrastructure staff.
NIST (2007) Guide to Storage Encryption Technologies for End User Devices, SP 800-111, NIST.
Available online at: http://csrc.nist.gov/publications/nistpubs/800-111/SP800-111.pdf
NIST Computer Security Division Cryptographic Toolkit, http://csrc.nist.gov/groups/ST/toolkit/
These NIST resources are directly relevant for this scenario.
PCI DSS: various papers and standards, https://www.pcisecuritystandards.org/index.php
A key standard for payment cards. The Payment Card Industry Data Security Standard (PCI
DSS) is an information security standard, maintained by the PCI Security Standards Council,
for organizations that store, process or transmit cardholder data from the major card schemes;
the card brands require compliance of any merchant or service provider that does so, which
makes it a precondition for conducting e-commerce. Its Requirement 3 governs stored account
data: the PAN must be rendered unreadable anywhere it is stored, and sensitive authentication
data (full track data, the card verification code and PINs) must not be retained after
authorisation.
Vendor documentation from Oracle and Microsoft relating to Transparent Data Encryption (TDE):
http://www.oracle.com/technetwork/database/options/advanced-security/index-099011.html
and https://msdn.microsoft.com/en-us/library/bb934049.aspx
Transparent Data Encryption (often abbreviated to TDE) is a technology employed by
both Microsoft and Oracle to encrypt database files. TDE encrypts at the file level (data and
log pages), so it protects data at rest on the hard drive and consequently on backup media,
and enterprises typically employ it to help meet compliance obligations such as PCI DSS.
Because the database decrypts pages transparently for every authenticated session, TDE on
its own does not stop a DBA, or anyone else with query access, from reading the data; the
scenario’s requirement that maintenance staff cannot decrypt the data therefore has to be
checked against where the keys are held and who can query the tables.
IISP Framework C2 – Secure Development – elements relevant to this scenario:
Implementing secure systems, products and components using an appropriate
methodology.
Defining and implementing secure development standards and practices including, where
relevant, formal methods.
Minimising the risk to an asset or product through the ‘standard’ design and development
processes.
Specifying and/or implementing processes that maintain the required level of security of a
component, product, or system through its lifecycle.
Assessment Grading Criteria

Learning outcomes assessed by the team report and the team presentation:
LO1. Identify and justify the selection of appropriate encryption methods to secure stored
sensitive data including card details.
LO2. Explain the relative strengths of encryption algorithms and the types of attack possible
on them.
LO3. Explain the requirements of appropriate standards and practices in relation to card data.
LO4. Minimising the risk to an asset or product through the use of encryption software.
LO5. Explain good practices in relation to key management.
Working With Others: participate constructively in the team by taking responsibility, showing
sensitivity and providing supportive feedback to others, and meeting deadlines.

Team Report (evidence for LO1–LO5) – weight 70%
Pass (40-49%): Mostly accurate information is provided for all aspects of the task. Reports are
structured with appropriate headings. Acceptable spelling and grammar. Mostly relevant
content. References provided with citations.
Sound Pass (50-59%): Almost all information is provided accurately for all aspects of the task.
Links are made between business requirements and solutions. Alternatives are discussed,
but may be brief. Report structured with appropriate headings. Accurate spelling and
grammar. Generally appropriate level of detail, but inconsistent. Wide range of appropriate
references provided in correct format and cited correctly.
Very Good Pass (60-69%): Accurate and fully appropriate information is provided for all
aspects of the task with detailed explanation. Business requirements are integrated
throughout the report. Some alternatives discussed. Report structured with appropriate
headings. Written in a clear, consistent and appropriate (business) style of English. Technical
detail explained appropriately and consistently. Wide range of appropriate references
provided and cited correctly with full adherence to disciplinary standard formatting
conventions.
Excellent (70-100%): Systematic and comprehensive discussion of solutions to all aspects of
the task with compelling justification. Critical evaluation of alternatives with well-justified
selection of the most appropriate solution. Report structured with appropriate headings.
Accurate and consistent English throughout the report. Clear, concise and complete with an
appropriate level of detail throughout almost all of the report. Wide range of appropriate
references provided and cited correctly with full adherence to disciplinary standard
formatting conventions.

Team Presentation (evidence for LO1–LO5) – weight 20%
Pass (40-49%): Presentation is consistent with, and relates to, the report.
Sound Pass (50-59%): As Pass, and the presentation emphasises key points and has balanced
content.
Very Good Pass (60-69%): As Sound Pass, and the presentation clearly links features/benefits
of the solution with client needs and problems.
Excellent (70-100%): Presentation is persuasive, balanced and thorough, and clearly links
features/benefits of the solution to client needs/problems.

Working With Others (evidence: timekeeping, oral contributions, VLE postings, timeliness of
work produced) – weight 10%
Pass (40-49%): Usually communicates quickly with others if there are problems attending or
meeting commitments. On time for most meetings. Completes most work allocated. NB:
students can be excluded from teams for not meeting these requirements.
Sound Pass (50-59%): Considered reliable by team mates. Almost always communicates quickly
with others and renegotiates if there are problems attending or meeting commitments. Shares
work with others in a timely way.
Very Good Pass (60-69%): As Sound Pass, and on time for almost all meetings. Completes all
work as agreed.
Excellent (70-100%): As Very Good Pass, and shows initiative/leadership in some areas of work.