AIS-AIM SG/7-SN 4
09/01/2013
AERONAUTICAL INFORMATION SERVICES TO AERONAUTICAL
INFORMATION MANAGEMENT STUDY GROUP (AIS-AIM SG)
7th MEETING
Montréal, 14-17 January 2013
Agenda Item 3: AIM processes and requirements
FUTURE INFORMATION SECURITY NEEDS AND CONSIDERATIONS
Presented by Jan-Philipp Lauer
(Rapporteur Kelly Ann Hicks-Tindale)
SUMMARY
This study note proposes an ICAO operated Public Key Infrastructure in
support of aeronautical information exchanges. Further, the paper introduces
Trusted Computing as an emerging trend that needs to be duly considered by
the aviation stakeholders.
1.
INTRODUCTION
1.1
Current regulations (e.g. ICAO Annex 15, European EC IR 73/2010) require digital
aeronautical data to be protected by the inclusion of a 32-bit cyclic redundancy check (CRC32) to
ensure their integrity. CRCs are specifically designed to protect against common types of errors on
communication channels, where they can provide quick and reasonable assurance of the integrity of
messages delivered. However, they are not suitable for protecting against intentional alteration of
data. EC IR 73/2010 (ADQ 1) inter alia aims to address common issues of information security,
namely:

Authenticity;

Non-repudiation;

Integrity;

and Confidentiality.
Authenticity/non-repudiation means that only authorized users can send their data and that all
transactions are logged to ensure traceability. Integrity means that data is not modified accidentally or
deliberately with malicious intentions. Lastly, confidentiality is a technical concept that ensures only
authorized users can submit or get access to data. These requirements cannot be met solely by using
CRCs.
-2-
AIS-AIM SG/7-SN/4
1.2
How to meet these additional information security requirements
 Data integrity can be ensured by using a combination of CRC plus a digital signature. This not
only protects data from transmission errors but also from deliberate modifications.
 Traceability and non-repudiation requirements can also be met by using digital signatures to log
every change to a data item. This leads to a change log attached to each data item that adds a
metadata wrapper encapsulating the actual data item, whereas a new layer is added (like a
matryoshka doll) whenever a piece of data is manipulated.
 Appropriate levels of confidentiality can be achieved through data encryption.
 Last but not least authenticity can be verified through digital signatures and authentication of the
system and/or user.
Different protection level requirements can be accommodated by using these technologies.
1.3
What IT security infrastructure is needed to meet these requirements?
An information technology infrastructure to enable encryption and digital signatures to ensure
integrity, authenticity, confidentiality, back-traceability and non-repudiation for internal and
external data communication is required. This infrastructure needs to be highly interoperable to
enable secure data exchanges between all aviation stakeholders.
2.
PROPOSITION
2.1
State of the art technology uses asymmetric cryptographic techniques to address all
the requirements outlined. Figures 1-3 outline how this technology works.
Figure 1 Overview of asymmetric cryptographic techniques
-3-
AIS-AIM SG/7-SN/4
Figure 2 State of the art processes: Signing and encrypting data for transmission
Figure 3 State of the art processes: Decryption and verification of data after transmission
2.2
Using digital signatures to make changes traceable and unforgeable
The aeronautical data payload will be digitally signed upon creation and at each modification
performed on it. These digital signatures ensure the authenticity of the data originator as well as backtraceability and non-repudiation. Such digital signatures will be stored in the metadata section. These
signatures are created and used independently of digital signatures used for transmission protection
(encryption and authentication). Further, such signatures have to be retained throughout the entire data
management process and data lifecycle for auditing purposes (see Figure 4 - overleaf).
AIS-AIM SG/7-SN/4
-4-
Figure 4 Using digital signatures to make changes traceable and unforgeable
2.3
Example Public Key Infrastructure
To enable this technology, a Public Key Infrastructure (PKI) is needed. A PKI creates a hierarchy of
trust starting with a root certification authority that issues digital certificates and branches out into a
number of subordinate certification authorities plus a directory service. This directory service allows
access to public keys (as part of a digital certificate) and the revocation of keys (through certificate
revocation lists). An example implementation on a regional level is illustrated in Figure 5.
Figure 5 Example regional implementation
However, due to the hierarchical architecture of this technology a global top level certification
authority (root certification authority) is needed for implementation. ICAO already operates a Public
Key Infrastructure (called ICAO PKD) in support of machine readable travel documents.
2.4
ICAO Public Key Directory (PKD)
The ICAO PKD implements a global broker system for the validation of electronic machine readable
travel documents (eMRTDs, e.g. ePassports) at national border control offices. This is technically
achieved via the exchange of PKI certificates and certificate revocation lists, establishing a chain of
trust. PKI participants are governmental institutions/public authorities of participating States or “any
other entities issuing or intending to issue electronic machine readable travel documents (eMRTDs)”.
-5-
AIS-AIM SG/7-SN/4
The current services and interfaces are specifically designed for the purpose of ePassport validation.
Figure 6 illustrates the ICAO PKD.
Figure 6 ICAO PKD (source: A Primer on the ICAO PKD)
The ICAO PKD operates under the authority of the “Memorandum of Understanding (MoU)
Regarding Participation and Cost Sharing in the Electronic Machine Readable Travel Documents
ICAO Public Key Directory”. It is governed by the ICAO PKD Board. Amendments to the PKD have
to undergo a „proposed amendment“ process and have to be approved by the ICAO Council. Payment
of a one time registration fee (USD 56,000) and an annual fee (USD 13,600 in 2012) is required. The
ICAO PKD is hosted in Singapore by a commercial PKI provider (Netrust).
Leveraging the current ICAO PKD for securing aeronautical data exchanges would at least require the
participation of all ANSPs and appropriate other stakeholders in the PKD via appropriate
governmental institutions. Further, ICAO would need to provide a dedicated infrastructure similar to
the PKD it already operates specifically for aeronautical data exchange purposes because several
stakeholders have voiced concerns over such critical infrastructure being provided by a commercial
company.
3.
EMERGING TREND: TRUSTED COMPUTING
3.1
Another important aspect to consider in respect to information security for
aeronautical data exchanges is Trusted Computing. Many Governments have recognized that
software-based security measures need to be augmented by hardware-based measures. They have
developed standards around smart cards and hardware tokens for authentication and other key security
functions within government networks. As a result, Governments are increasingly specifying
hardware-based security requirements in their procurement practices. For example, branches of the
United States Government (e.g. the Department of Defense) require new computer hardware to be
equipped with a Trusted Platform Module (TPM). This trend to specify hardware-based data
protection and network access control solutions is also taken up by other governments. A recent
whitepaper on the subject by the German Government is contained in Appendix A.
3.2
Such hardware-based security mechanisms do not replace a Public Key Infrastructure,
but merely augment it by providing increased security on the platform level, e.g. providing a more
-6-
AIS-AIM SG/7-SN/4
secure data storage capability. Standards for such hardware-based security mechanisms are developed
particularly through the Trusted Computing Group (TCG). The TCG works within the international
standards community and has liaison and working group relationships with the Internet Engineering
Task Force (IETF) and the JTC1 Joint Committee of the International Organization for
Standardization (ISO) and the International Electrotechnical Commission (IEC). The Trusted Platform
Module is defined by an ISO/IEC international standard.
However, due to legal restrictions Trusted Platform Modules may not be deployed in a number of
countries. Possible reasons for these legal restrictions include the fact that State security services may
not be able to access data or keys secured with a TPM (source): China, Russia, Belarus, Kazakhstan.
This trend will have to be closely monitored to identify a common global way forward in the
exchange of aeronautical data.
4.
4.1
ACTION BY THE AIS-AIM SG
The AIS-AIM/SG is invited to:
a) Consider the need for increased information security provisions to enable secure
aeronautical data exchanges;
b) Discuss the need for ICAO to set up a dedicated Public Key Infrastructure in
support of aeronautical information exchanges; and
c) Consider the Trusted Computing trend and evaluate its consequences for future
aeronautical information exchanges.
————————
-7-
AIS-AIM SG/7-SN/4
APPENDIX A
German Federal Government White Paper on Trusted Computing and Secure Boot
August 2012
1. Definitions
The Federal Government understands "trusted computing" to mean the architectures,
implementations, systems and infrastructures which use or are based on the standards of the Trusted
Computing Group (TCG). This includes "secure boot" and additional functions in the Unified
Extensible Firmware Interface (UEFI) standard of the Unified EFI forum which builds on the TCG
standards or closely related technologies. To avoid misunderstanding, more general use of the term
"trusted computing" will always be noted.
2. Increasing IT security
The Federal Government supports raising the level of IT security on IT platforms of industry, public
administration and private users by introducing trusted computing solutions based on TCG standards
that meet the criteria listed in this White Paper.
3. Complete control by device owners
Device owners must be in complete control of (able to manage and monitor) all the trusted computing
security systems of their devices. As part of exercising control over their devices, device owners must
be able to decide how much of this control to delegate to their users or administrators. Delegating this
control to third parties (to the device manufacturer or to hard- or software components of the device)
requires conscious and informed consent by the device owner (i.e., also with full awareness of
possible limits on availability due to measures taken by the third party to whom control options were
delegated).
4. Freedom to decide
When devices are delivered, trusted computing security systems must be deactivated (opt-in
principle). Based on the necessary transparency with regard to technical features and content of
trusted computing solutions, device owners must be able to make responsible decisions when it comes
to product selection, start-up, configuration, operation and shut-down. Deactivation must also be
possible later (opt-out function) and must not have any negative impact on the functioning of hardand software that does not use trusted computing functions.
5. Public administration, national and public security interests
Because trusted computing security systems are widely used in the private-law mass market, public
administration can and should be able to benefit from the availability of cost-effective solutions as
well. However, the operation and availability of devices in public administration and in the field of
national and public security require the owner's sole control over the trusted computing security
systems on the devices used by the owner. Due to public and national security interests, under no
circumstances may the owner be forced to give up control, even partial control, over a trusted
computing security system to other third parties outside the public administration's sphere of
influence.
AIS-AIM SG/7-SN/4
-8-
6. Private use
The Federal Government explicitly calls on makers of trusted computing devices and components
(both hard- and software) to offer devices and components also to private users which allow owners
complete control over the trusted computing security system at all times.
7. Availability of standards
All applicable standards for trusted computing must be available in full to everyone, members of TCG
and non-members alike, at all times. Any secondary TCG documents which explain, specify or
delimit must also be freely available to all interested parties.
8. Open standards
Everyone, whether members of TCG or not, must be in a position to fully use all trusted computing
standards for implementation in architectures, implementations, systems and infrastructures. No
licensing fees (e.g. based on patent rights) may be charged for using the standards.
9. Freedom of Research
Trusted computing standards should be designed not to create barriers to academic research on trusted
computing-based solutions and their interaction with alternatives. Ways to restore defined previous
settings should be provided. The Federal Government supports independent academic research on the
technology of trusted computing and its effects.
10. Interoperability
When creating secure platforms, the interoperable use of trusted computing solutions with alternative
approaches must be a priority at all times and should be implemented wherever it does not interfere
with the specific purpose of the device. In addition, the same types of trusted computing applications
should be interoperable. For use in the federal administration, trusted computing products must be
interoperable with other solutions based on trusted computing and with alternative solutions.
11. Transparency
All standards, solutions and their development in the field of trusted computing are to be transparent
with regard to their actual purpose, their functional features and the encryption technologies used. The
required transparency means that only completely documented functions and no hidden processes will
be carried out. Transparency refers not only to documentation, but also to explaining the technologies
used and their effects to owners and users in language they can understand.
12. Certification
Every trusted computing solution based on TCG standards should be transparent, understandable and
certifiable for various security levels. As a basic component, the Trusted Platform Module (TPM)
must have at least one certification under the Common Criteria EAL4+ ("resistant against moderate
attack potential"). Certification may not lead to the exclusion of businesses, academic research or
solutions under free licences if these solutions can be examined in the necessary depth.
13. National IT industry
In the Federal Government's view, trusted computing technology affects both national security
interests and the competitiveness of the German IT security industry. The Federal Government
therefore calls for fair, transparent and non-discriminatory competition between all IT security
companies and calls on German industry to offer products based on the TCG standards that meet the
criteria given in this White Paper.
14. Ensuring IT security
The Federal Government believes that trusted computing can greatly help achieve the IT security
objectives of confidentiality, integrity, availability and authenticity. Every trusted computing solution
is to be checked for compliance with the required security objectives. In particular, availability must
not be subject to external control, and confidentiality must not be compromised by insufficient
authority over own keys. In the interest of the transparency needed to evaluate IT security, it is in any
case important that there are no undocumented functions and that other hardware components or
-9-
AIS-AIM SG/7-SN/4
functions cannot influence the functioning of TPMs. For use in security-critical networks in particular
(e.g. in public administration), only certified TPMs may be used. In the Federal Government's view,
this criterion is currently met only by discrete TPMs.
15. Availability of critical infrastructures
Trusted computing solutions for operators of critical infrastructures must be used in a way that does
not result in any additional risks to critical processes, especially with regard to the security objective
of availability. It must be possible to restore infrastructure rapidly without impediment and flexibly,
even in case of crisis or disaster.
16. Protection of digital content
In line with the requirements of this White Paper, the Federal Government regards the long-term
protection of stored, processed and transmitted digital content for all as a key function of trusted
computing. TC-based mechanisms should not restrict or alter the general legal and social conditions
for using such digital content.
17. Data protection
The protection of personal data is an important prerequisite for increasing IT security. For this reason,
when developing and running trusted computing applications, the principles of data protection must
be upheld (privacy by design) and may take priority over economic interests in the context of a
constitutional-law weighing of interests.
18. Standardization
Standardization is crucial to the widespread use of trusted computing technology and is primarily the
responsibility of the companies involved. The Federal Government is also involved in designing the
standardization process and is watching to make sure that businesses, research institutions and interest
groups in Germany have fair, open, appropriate and non-discriminatory access to the drafting of
standards. The participation of German organizations is being supported.
19. International cooperation
In this age of globalization, especially with regard to information and communications technology,
"going it alone" at national level has little chance of success. For this reason, the Federal Government
calls on businesses and organizations in Germany to become involved in trusted computing projects
and in the TCG in particular. In addition, the Federal Government is actively working at international
level with government and non-governmental organizations on issues of trusted computing, in
particular to see that the requirements for the trusted computing strategy defined in this White Paper
are met. The Federal Government also serves as an advocate in the TCG and other trusted computing
projects and initiatives for the public sector's special IT security needs.
— END —