AIS-AIM SG/7-SN 4
09/01/2013

AERONAUTICAL INFORMATION SERVICES TO AERONAUTICAL INFORMATION MANAGEMENT STUDY GROUP (AIS-AIM SG)

7th MEETING

Montréal, 14-17 January 2013

Agenda Item 3: AIM processes and requirements

FUTURE INFORMATION SECURITY NEEDS AND CONSIDERATIONS

Presented by Jan-Philipp Lauer (Rapporteur Kelly Ann Hicks-Tindale)

SUMMARY

This study note proposes an ICAO-operated Public Key Infrastructure in support of aeronautical information exchanges. Further, the paper introduces Trusted Computing as an emerging trend that needs to be duly considered by the aviation stakeholders.

1. INTRODUCTION

1.1 Current regulations (e.g. ICAO Annex 15, European EC IR 73/2010) require digital aeronautical data to be protected by the inclusion of a 32-bit cyclic redundancy check (CRC32) to ensure their integrity. CRCs are specifically designed to protect against common types of errors on communication channels, where they can provide quick and reasonable assurance of the integrity of messages delivered. However, they are not suitable for protecting against intentional alteration of data.

EC IR 73/2010 (ADQ 1) inter alia aims to address common issues of information security, namely: Authenticity; Non-repudiation; Integrity; and Confidentiality.

Authenticity/non-repudiation means that only authorized users can send their data and that all transactions are logged to ensure traceability. Integrity means that data is not modified accidentally or deliberately with malicious intentions. Lastly, confidentiality is a technical concept that ensures only authorized users can submit or get access to data. These requirements cannot be met solely by using CRCs.

1.2 How to meet these additional information security requirements

Data integrity can be ensured by using a combination of CRC plus a digital signature. This not only protects data from transmission errors but also from deliberate modifications.
Traceability and non-repudiation requirements can also be met by using digital signatures to log every change to a data item. This leads to a change log attached to each data item: a metadata wrapper encapsulates the actual data item, and a new layer is added (like a matryoshka doll) whenever a piece of data is manipulated. Appropriate levels of confidentiality can be achieved through data encryption. Last but not least, authenticity can be verified through digital signatures and authentication of the system and/or user. Different protection level requirements can be accommodated by using these technologies.

1.3 What IT security infrastructure is needed to meet these requirements?

An information technology infrastructure to enable encryption and digital signatures to ensure integrity, authenticity, confidentiality, back-traceability and non-repudiation for internal and external data communication is required. This infrastructure needs to be highly interoperable to enable secure data exchanges between all aviation stakeholders.

2. PROPOSITION

2.1 State-of-the-art technology uses asymmetric cryptographic techniques to address all the requirements outlined. Figures 1-3 outline how this technology works.

Figure 1 Overview of asymmetric cryptographic techniques

Figure 2 State of the art processes: Signing and encrypting data for transmission

Figure 3 State of the art processes: Decryption and verification of data after transmission

2.2 Using digital signatures to make changes traceable and unforgeable

The aeronautical data payload will be digitally signed upon creation and at each modification performed on it. These digital signatures ensure the authenticity of the data originator as well as back-traceability and non-repudiation. Such digital signatures will be stored in the metadata section. These signatures are created and used independently of digital signatures used for transmission protection (encryption and authentication).
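
The protection described in 1.2 and 2.2, as an added example that is not part of the study note: each change wraps the previous signed layer, and a modification whose CRC32 has been recomputed still fails signature verification. A hash-based Lamport one-time signature built from the Python standard library stands in for PKI-certified signing keys; the signer names, field names and sample data are constructed assumptions.

```python
import copy, hashlib, json, secrets, zlib

def H(b):
    return hashlib.sha256(b).digest()

def keygen():
    """Lamport one-time key pair (stand-in for a PKI-certified signing key)."""
    sk = [[secrets.token_bytes(32), secrets.token_bytes(32)] for _ in range(256)]
    return sk, [[H(a), H(b)] for a, b in sk]

def bits(msg):
    d = int.from_bytes(H(msg), "big")
    return [(d >> i) & 1 for i in range(256)]

def sign(sk, msg):          # a Lamport key must sign only ONE message
    return [sk[i][b] for i, b in enumerate(bits(msg))]

def verify(pk, msg, sig):
    return len(sig) == 256 and all(
        H(s) == pk[i][b] for i, (b, s) in enumerate(zip(bits(msg), sig)))

def canon(obj):             # deterministic bytes to checksum and sign
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def wrap(data, signer, sk, previous=None):
    """New outer layer: signs the new data together with every older layer."""
    body = {"signer": signer, "data": data, "previous": previous}
    raw = canon(body)
    return {"body": body, "crc32": zlib.crc32(raw),
            "sig": [s.hex() for s in sign(sk, raw)]}

def verify_chain(env, directory):
    """Check CRC and signature of each layer, outermost first; return the change log."""
    log = []
    while env is not None:
        raw = canon(env["body"])
        if zlib.crc32(raw) != env["crc32"]:
            raise ValueError("CRC mismatch")
        signer = env["body"]["signer"]
        if not verify(directory[signer], raw, [bytes.fromhex(s) for s in env["sig"]]):
            raise ValueError("bad signature: " + signer)
        log.append((signer, env["body"]["data"]))
        env = env["body"]["previous"]
    return log

def tamper(env, fix_crc):
    """Constructed modification in transit; anyone can recompute the CRC."""
    bad = copy.deepcopy(env)
    bad["body"]["data"]["threshold_elev_ft"] = 1
    if fix_crc:
        bad["crc32"] = zlib.crc32(canon(bad["body"]))
    return bad

def demo():
    keys = {n: keygen() for n in ("originator", "ais-provider")}
    directory = {n: pk for n, (sk, pk) in keys.items()}   # plays the PKI directory
    v1 = wrap({"designator": "XXXX", "threshold_elev_ft": 364},   # constructed data
              "originator", keys["originator"][0])
    v2 = wrap({"designator": "XXXX", "threshold_elev_ft": 365},
              "ais-provider", keys["ais-provider"][0], previous=v1)
    return v2, directory
```

`verify_chain(tamper(env, False), directory)` is stopped by the CRC, while `verify_chain(tamper(env, True), directory)` passes the CRC and is stopped only by the signature check.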
Further, such signatures have to be retained throughout the entire data management process and data lifecycle for auditing purposes (see Figure 4).

Figure 4 Using digital signatures to make changes traceable and unforgeable

2.3 Example Public Key Infrastructure

To enable this technology, a Public Key Infrastructure (PKI) is needed. A PKI creates a hierarchy of trust starting with a root certification authority that issues digital certificates and branches out into a number of subordinate certification authorities plus a directory service. This directory service allows access to public keys (as part of a digital certificate) and the revocation of keys (through certificate revocation lists). An example implementation on a regional level is illustrated in Figure 5.

Figure 5 Example regional implementation

However, due to the hierarchical architecture of this technology a global top level certification authority (root certification authority) is needed for implementation. ICAO already operates a Public Key Infrastructure (called ICAO PKD) in support of machine readable travel documents.

2.4 ICAO Public Key Directory (PKD)

The ICAO PKD implements a global broker system for the validation of electronic machine readable travel documents (eMRTDs, e.g. ePassports) at national border control offices. This is technically achieved via the exchange of PKI certificates and certificate revocation lists, establishing a chain of trust. PKI participants are governmental institutions/public authorities of participating States or "any other entities issuing or intending to issue electronic machine readable travel documents (eMRTDs)".

The current services and interfaces are specifically designed for the purpose of ePassport validation. Figure 6 illustrates the ICAO PKD.

Figure 6 ICAO PKD (source: A Primer on the ICAO PKD)

The ICAO PKD operates under the authority of the "Memorandum of Understanding (MoU) Regarding Participation and Cost Sharing in the Electronic Machine Readable Travel Documents ICAO Public Key Directory". It is governed by the ICAO PKD Board. Amendments to the PKD have to undergo a "proposed amendment" process and have to be approved by the ICAO Council. Payment of a one-time registration fee (USD 56,000) and an annual fee (USD 13,600 in 2012) is required. The ICAO PKD is hosted in Singapore by a commercial PKI provider (Netrust).

Leveraging the current ICAO PKD for securing aeronautical data exchanges would at least require the participation of all ANSPs and appropriate other stakeholders in the PKD via appropriate governmental institutions. Further, ICAO would need to provide a dedicated infrastructure similar to the PKD it already operates specifically for aeronautical data exchange purposes because several stakeholders have voiced concerns over such critical infrastructure being provided by a commercial company.

3. EMERGING TREND: TRUSTED COMPUTING

3.1 Another important aspect to consider in respect to information security for aeronautical data exchanges is Trusted Computing. Many Governments have recognized that software-based security measures need to be augmented by hardware-based measures. They have developed standards around smart cards and hardware tokens for authentication and other key security functions within government networks. As a result, Governments are increasingly specifying hardware-based security requirements in their procurement practices. For example, branches of the United States Government (e.g. the Department of Defense) require new computer hardware to be equipped with a Trusted Platform Module (TPM). This trend to specify hardware-based data protection and network access control solutions is also taken up by other governments.
A recent whitepaper on the subject by the German Government is contained in Appendix A.

3.2 Such hardware-based security mechanisms do not replace a Public Key Infrastructure, but merely augment it by providing increased security on the platform level, e.g. providing a more secure data storage capability. Standards for such hardware-based security mechanisms are developed particularly through the Trusted Computing Group (TCG). The TCG works within the international standards community and has liaison and working group relationships with the Internet Engineering Task Force (IETF) and the JTC1 Joint Committee of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The Trusted Platform Module is defined by an ISO/IEC international standard.

However, due to legal restrictions Trusted Platform Modules may not be deployed in a number of countries. Possible reasons for these legal restrictions include the fact that State security services may not be able to access data or keys secured with a TPM (source): China, Russia, Belarus, Kazakhstan. This trend will have to be closely monitored to identify a common global way forward in the exchange of aeronautical data.

4. ACTION BY THE AIS-AIM SG

4.1 The AIS-AIM/SG is invited to:

a) Consider the need for increased information security provisions to enable secure aeronautical data exchanges;
b) Discuss the need for ICAO to set up a dedicated Public Key Infrastructure in support of aeronautical information exchanges; and
c) Consider the Trusted Computing trend and evaluate its consequences for future aeronautical information exchanges.

————————

APPENDIX A

German Federal Government White Paper on Trusted Computing and Secure Boot

August 2012

1. Definitions

The Federal Government understands "trusted computing" to mean the architectures, implementations, systems and infrastructures which use or are based on the standards of the Trusted Computing Group (TCG). This includes "secure boot" and additional functions in the Unified Extensible Firmware Interface (UEFI) standard of the Unified EFI forum which builds on the TCG standards or closely related technologies. To avoid misunderstanding, more general use of the term "trusted computing" will always be noted.

2. Increasing IT security

The Federal Government supports raising the level of IT security on IT platforms of industry, public administration and private users by introducing trusted computing solutions based on TCG standards that meet the criteria listed in this White Paper.

3. Complete control by device owners

Device owners must be in complete control of (able to manage and monitor) all the trusted computing security systems of their devices. As part of exercising control over their devices, device owners must be able to decide how much of this control to delegate to their users or administrators. Delegating this control to third parties (to the device manufacturer or to hard- or software components of the device) requires conscious and informed consent by the device owner (i.e., also with full awareness of possible limits on availability due to measures taken by the third party to whom control options were delegated).

4. Freedom to decide

When devices are delivered, trusted computing security systems must be deactivated (opt-in principle). Based on the necessary transparency with regard to technical features and content of trusted computing solutions, device owners must be able to make responsible decisions when it comes to product selection, start-up, configuration, operation and shut-down.
Deactivation must also be possible later (opt-out function) and must not have any negative impact on the functioning of hard- and software that does not use trusted computing functions.

5. Public administration, national and public security interests

Because trusted computing security systems are widely used in the private-law mass market, public administration can and should be able to benefit from the availability of cost-effective solutions as well. However, the operation and availability of devices in public administration and in the field of national and public security require the owner's sole control over the trusted computing security systems on the devices used by the owner. Due to public and national security interests, under no circumstances may the owner be forced to give up control, even partial control, over a trusted computing security system to other third parties outside the public administration's sphere of influence.

6. Private use

The Federal Government explicitly calls on makers of trusted computing devices and components (both hard- and software) to offer devices and components also to private users which allow owners complete control over the trusted computing security system at all times.

7. Availability of standards

All applicable standards for trusted computing must be available in full to everyone, members of TCG and non-members alike, at all times. Any secondary TCG documents which explain, specify or delimit must also be freely available to all interested parties.

8. Open standards

Everyone, whether members of TCG or not, must be in a position to fully use all trusted computing standards for implementation in architectures, implementations, systems and infrastructures. No licensing fees (e.g. based on patent rights) may be charged for using the standards.

9. Freedom of Research

Trusted computing standards should be designed not to create barriers to academic research on trusted computing-based solutions and their interaction with alternatives. Ways to restore defined previous settings should be provided. The Federal Government supports independent academic research on the technology of trusted computing and its effects.

10. Interoperability

When creating secure platforms, the interoperable use of trusted computing solutions with alternative approaches must be a priority at all times and should be implemented wherever it does not interfere with the specific purpose of the device. In addition, the same types of trusted computing applications should be interoperable. For use in the federal administration, trusted computing products must be interoperable with other solutions based on trusted computing and with alternative solutions.

11. Transparency

All standards, solutions and their development in the field of trusted computing are to be transparent with regard to their actual purpose, their functional features and the encryption technologies used. The required transparency means that only completely documented functions and no hidden processes will be carried out. Transparency refers not only to documentation, but also to explaining the technologies used and their effects to owners and users in language they can understand.

12. Certification

Every trusted computing solution based on TCG standards should be transparent, understandable and certifiable for various security levels. As a basic component, the Trusted Platform Module (TPM) must have at least one certification under the Common Criteria EAL4+ ("resistant against moderate attack potential"). Certification may not lead to the exclusion of businesses, academic research or solutions under free licences if these solutions can be examined in the necessary depth.

13. National IT industry

In the Federal Government's view, trusted computing technology affects both national security interests and the competitiveness of the German IT security industry. The Federal Government therefore calls for fair, transparent and non-discriminatory competition between all IT security companies and calls on German industry to offer products based on the TCG standards that meet the criteria given in this White Paper.

14. Ensuring IT security

The Federal Government believes that trusted computing can greatly help achieve the IT security objectives of confidentiality, integrity, availability and authenticity. Every trusted computing solution is to be checked for compliance with the required security objectives. In particular, availability must not be subject to external control, and confidentiality must not be compromised by insufficient authority over own keys. In the interest of the transparency needed to evaluate IT security, it is in any case important that there are no undocumented functions and that other hardware components or functions cannot influence the functioning of TPMs. For use in security-critical networks in particular (e.g. in public administration), only certified TPMs may be used. In the Federal Government's view, this criterion is currently met only by discrete TPMs.

15. Availability of critical infrastructures

Trusted computing solutions for operators of critical infrastructures must be used in a way that does not result in any additional risks to critical processes, especially with regard to the security objective of availability. It must be possible to restore infrastructure rapidly without impediment and flexibly, even in case of crisis or disaster.

16. Protection of digital content

In line with the requirements of this White Paper, the Federal Government regards the long-term protection of stored, processed and transmitted digital content for all as a key function of trusted computing.
TC-based mechanisms should not restrict or alter the general legal and social conditions for using such digital content.

17. Data protection

The protection of personal data is an important prerequisite for increasing IT security. For this reason, when developing and running trusted computing applications, the principles of data protection must be upheld (privacy by design) and may take priority over economic interests in the context of a constitutional-law weighing of interests.

18. Standardization

Standardization is crucial to the widespread use of trusted computing technology and is primarily the responsibility of the companies involved. The Federal Government is also involved in designing the standardization process and is watching to make sure that businesses, research institutions and interest groups in Germany have fair, open, appropriate and non-discriminatory access to the drafting of standards. The participation of German organizations is being supported.

19. International cooperation

In this age of globalization, especially with regard to information and communications technology, "going it alone" at national level has little chance of success. For this reason, the Federal Government calls on businesses and organizations in Germany to become involved in trusted computing projects and in the TCG in particular. In addition, the Federal Government is actively working at international level with government and non-governmental organizations on issues of trusted computing, in particular to see that the requirements for the trusted computing strategy defined in this White Paper are met. The Federal Government also serves as an advocate in the TCG and other trusted computing projects and initiatives for the public sector's special IT security needs.

— END —