Design > Security

Release Information

Project: TAPAS
Internal Release Number: $Revision: 1.8 $ $State: Exp $
Related Documents: Design document

Overview

This document specifies the security design of the TAPAS system. It details the mechanisms that implement the security requirements specified in the corresponding requirements document. The analysis below is organised by computational node: for each node it lists the data held there, the threats to that data, and the countermeasures adopted.

Security Threat Analysis (by computational node)

1. TAPAS Server
Data: The TAPAS server holds sensitive data in its database: private messages, the private encryption keys of each mobile user, calendar items, and user information. This data is stored unencrypted in the server's database, so the database itself must be protected by the measures below.

Threats:
  • Data may be accessed or modified by unauthorised users while the server remains in place.
  • The server (or parts of it, such as the hard drives) may be stolen.
  • Data sent to or received from the initiation station or the Internet (through the firewall) may be read or modified by intruders.
Countermeasures:
  • Servers will be kept under high physical access security. (locked room with key available only to administrators)
  • The server case is secured with a security cable that prevents it from being opened, so the hard disk holding sensitive data cannot be removed.
  • Backup tapes are encrypted and stored in a locked cabinet in a locked room.
  • Operating system security:
    • Users will not be able to log-in to the server except for administrators.
    • Special "users" will be created for the application (with minimal permissions)
    • Operating system permissions on files and directories are set to prevent undesired access or modification.
  • Database security:
    • DB access control features will be used to control access to data. Different users will be created for different data sets (messages, calendar, keys)
  • Any access to data on the server is audited
  • The TAPAS server will only run software needed for its operation and any software install has to be approved by an administrator
  • Network security:
    • Any sensitive data that leaves the TAPAS server must be encrypted
    • Any host communicating with the TAPAS server must authenticate using cryptographically strong authentication.
    • Any communication with clients on the Internet is protected by a firewall that enables only the required ports.
    • Sessions are tied to the client IP address from which they were established, so a stolen session cookie cannot be replayed from another host. (This does not help against an attacker who shares the victim's address, e.g. behind the same NAT gateway, and a user whose address changes mid-session has to log in again.)
    • Sessions time out so that unattended terminals cannot be abused.
    • The data access layer will allow read-only connections, which will be used for most requests, as well as write connections for requests that update the database.
    • The initiation station's IP and MAC address are registered with the server and verified on each connection.
    • All mobile client MAC addresses are registered with the server and verified at each synchronisation.
    • All Intranet clients (administrative or backup) are registered with the server by IP and MAC address.
    • A MAC address is only visible to the server on the local network segment; for clients that connect through a router or over the Internet it is reported by the client itself. These address checks therefore supplement, but cannot replace, the cryptographic authentication above.
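As an added example (not part of the TAPAS design or its code base), the following Python sketch shows how a server-side session store can implement the two session rules above: a session is bound to the client IP address it was created from, and it expires after an idle period. The `SessionStore` class, the 15-minute default timeout and the injectable clock are assumptions for illustration; the document names neither a session mechanism nor a timeout value.

```python
"""Session store that binds each session to a client IP address and
expires it after an idle period.  Added illustration, not TAPAS code;
the class names and the timeout value are assumptions."""
import secrets
import time
from dataclasses import dataclass

# Idle timeout in seconds.  Assumed value; the design document gives none.
SESSION_IDLE_TIMEOUT = 15 * 60


@dataclass
class Session:
    user: str
    client_ip: str    # address the session was established from
    last_seen: float


class SessionStore:
    def __init__(self, idle_timeout=SESSION_IDLE_TIMEOUT, clock=time.time):
        self._sessions = {}
        self._idle_timeout = idle_timeout
        self._clock = clock           # injectable so the demo can advance time

    def create(self, user, client_ip):
        """Issue a fresh 256-bit random token (the cookie value) for a user."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, client_ip, self._clock())
        return token

    def validate(self, token, client_ip):
        """Return the user name for a valid session, or None.

        Rejects unknown tokens, sessions idle longer than the timeout, and
        tokens presented from a different IP address than the one they were
        issued to.  An IP mismatch is treated as a stolen cookie and revokes
        the session outright, so the thief gains nothing by retrying.
        """
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self._clock()
        if now - session.last_seen > self._idle_timeout:
            del self._sessions[token]
            return None
        if session.client_ip != client_ip:
            del self._sessions[token]
            return None
        session.last_seen = now       # activity extends the session
        return session.user

    def logout(self, token):
        self._sessions.pop(token, None)


def demo():
    """Walk through the cases the two rules are meant to catch."""
    clock = [1_000.0]                 # constructed, controllable clock
    store = SessionStore(idle_timeout=600, clock=lambda: clock[0])
    token = store.create("dr_smith", "10.0.0.5")
    results = [
        store.validate(token, "10.0.0.5"),         # legitimate request
        store.validate(token, "192.0.2.77"),       # stolen cookie, other host
        store.validate(token, "10.0.0.5"),         # session was revoked above
        store.validate("no-such-token", "10.0.0.5"),
    ]
    token = store.create("dr_smith", "10.0.0.5")
    clock[0] += 601                                # user walks away from terminal
    results.append(store.validate(token, "10.0.0.5"))
    return results


if __name__ == "__main__":
    print(demo())   # ['dr_smith', None, None, None, None]
```

Revoking the session on an IP mismatch, rather than merely refusing the request, is a deliberate choice: once a cookie has been seen from a second address, the legitimate user is forced to re-authenticate and the copied cookie is worthless to both parties.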
2. Initiation station / PDA Sync Conduit
Data: The only confidential data persisted by the initiation station is the private key used to authenticate the initiation station against the server. Other than that, the initiation station only deals with information of low confidentiality, i.e., meta information about messages (sender and receiver ID, msg number, flags, etc.). All other information is encrypted.

Threats:
  1. An attacker may compromise the initiation station and steal its private key and certificate
  2. An attacker may steal the initiation station hardware or parts thereof
  3. An attacker may use the initiation station in-place to initiate an unauthorised PDA
  4. An attacker may fake the identity of the initiation station to get to the server data
  5. An attacker may fake the identity of the initiation station to get to authorised user credentials (in order to pose as the user later)
  6. An attacker may intercept/modify network traffic to/from the initiation station
Countermeasures:
  • The private key will be kept encrypted at the initiation station.
  • The password must be entered to decrypt the private key for each initiation action.
  • Passwords are not stored in the clear, and are checked for quality (length and character mix) when chosen.
  • The initiation station will be located in a space inaccessible to the public (locked office).
  • The initiation station portion will only be activated when new PDAs need to be added to the system. It will not be active during other times.
  • Educational measures:
    • TAPAS users will be educated how to confirm that initiation station users are authentic.
    • Initiation station users will be educated how to confirm that TAPAS users are authentic.
  • Operating System security:
    • A separate user will be created for the use of the initiation station software (JSync Manager GUI). OS access rights on the file system will be set such that no other user can access the JSync Manager software or data. Likewise, the initiation station user will not be able to use any other software / data.
    • The initiation station will be "locked down" such that only administrators are able to install new software
  • Network security
    • Any communication with the TAPAS server has to be cryptographically authenticated: data from the server is signed with the TAPAS server's private key, and the initiation station authenticates itself with its own private key (see Data above).
    • Confidential data (message contents, calendar schedules, keys) passes through the initiation station in encrypted form; the station never needs to decrypt it.
3. TAPAS Synced clients
Data: Synced clients are not always connected to a network. They are mobile, small computers (such as PDAs). To be useful, they need to persist certain data provided by the server at the time of synchronisation. This data includes information about messages relevant to a particular user, calendar information (call schedules), electronic medical summaries of patients relevant to this user, and additional confidential credentials used for authentication and confidentiality (a secret key for encryption). Synchronisation is performed via the Internet.

Threats:
  1. Attackers may directly access/modify the confidential data persisted in the database of a synced client
  2. Attackers may access the TAPAS applications on the synced client in order to get to the data
  3. The server may be impersonated to obtain user credentials (man-in-the-middle attack)
Countermeasures:
  • All confidential data is cryptographically protected on the synced device. This includes messages (message contents, subject, recipient and sender), electronic medical summaries (patient data), and private cryptographic keys. (Calendar information is not cryptographically protected. However, it only contains call schedules.)
  • All TAPAS applications require user authentication using a user-selected password. (This is in addition to the authentication scheme supported by the PDA operating system. The same password can be used.)
  • TAPAS applications will have an inactivity timeout that will automatically challenge for re-authentication.
  • Synced clients will use strong cryptographic authentication whenever they sync with the server. The authentication is based on a secret key installed at the time of device initiation and persisted on the synced client encrypted under the user's password. The key is unique per device, and therefore per user, since each user is issued a specific PDA on their account.
  • In addition to the secret authentication key, the TAPAS server will check the client's serial number and network adapter (MAC) address. (Both are reported by the client itself, so this is a supplementary check rather than an authentication factor.)
  • The secret key will also be used to authenticate the server to the client (and prevent man-in-the-middle attacks).
4. TAPAS Online clients
Data: While confidential data should not be stored on the client online machines, Web browsers have a cache that may automatically store confidential data. Session cookies may be persisted as well. Moreover, we cannot technically prevent the user from downloading and saving confidential data to their local machines. In contrast to TAPAS synced clients, online clients are permanently connected to the network. They do not need to persist medical summaries, calendars, messages etc. The only confidential data persisted on PCs running online clients is the cryptographic key material used for authentication.

Threats:
  1. Attackers may directly access/modify the cryptographic key material persisted at the online client
  2. Attackers may access the TAPAS applications on the online client in order to get to the data
  3. The server may be impersonated to obtain user credentials (man-in-the-middle attack)
Countermeasures:
  • Online clients use the same strong cryptographic authentication that synced clients use. The initiation of an online client is performed with an initiated synced client.
  • All TAPAS applications require user authentication using a user-selected password.
  • TAPAS applications will have an inactivity timeout that will automatically challenge for re-authentication.
  • The secret key will also be used to authenticate the server to the client (and prevent man-in-the-middle attacks).
  • In addition to the secret authentication key, the TAPAS server will check the IP address and the network adapter (MAC) address of the online client. (The MAC address is supplied by the client and only supplements the key-based authentication.)
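The countermeasures for synced clients (section 3) and online clients (section 4) both rest on the same mechanism: a per-device secret key that authenticates the client to the server and the server to the client, with the serial number and MAC address checked on top. The following Python exchange is an added example, not TAPAS code, showing one way such a mutual challenge-response can be laid out so that a fake server fails, a copied key on other hardware fails, and an attacker who knows the registered identifiers but not the key fails. The message layout, the HMAC-SHA256 construction and the class and field names are assumptions; the document does not specify the wire protocol.

```python
"""Mutual challenge-response authentication between a TAPAS client and the
server using the per-device secret key.  Added illustration, not TAPAS code;
message layout, class names and the HMAC-SHA256 construction are assumptions,
and every key and device identifier below is constructed inline."""
import hashlib
import hmac
import secrets


def _prf(key, *parts):
    """HMAC-SHA256 over length-prefixed fields, so a value cannot be shifted
    from one field into another without changing the tag."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(4, "big"))
        mac.update(part)
    return mac.digest()


class TapasServer:
    """One record per initiated device: secret key plus the serial number and
    MAC address registered at initiation time."""

    def __init__(self):
        self.devices = {}                # device_id -> (key, serial, mac)

    def register(self, device_id, key, serial, mac):
        self.devices[device_id] = (key, serial, mac)

    def challenge(self, device_id, client_nonce):
        """Step 2: return a fresh nonce and a proof, bound to the client's
        nonce, that we hold the device key.  This is what a fake server lacks."""
        key = self.devices[device_id][0]
        server_nonce = secrets.token_bytes(16)
        return server_nonce, _prf(key, b"server", client_nonce, server_nonce)

    def verify(self, device_id, client_nonce, server_nonce, serial, mac, proof):
        """Step 4: check the client's proof, then the self-reported serial and
        MAC against the registration record (a supplementary check only)."""
        key, reg_serial, reg_mac = self.devices[device_id]
        expected = _prf(key, b"client", client_nonce, server_nonce, serial, mac)
        if not hmac.compare_digest(expected, proof):
            return False
        return serial == reg_serial and mac == reg_mac


class FakeServer(TapasServer):
    """Man-in-the-middle without the device key: it can only guess the proof."""

    def challenge(self, device_id, client_nonce):
        return secrets.token_bytes(16), secrets.token_bytes(32)


class TapasClient:
    """Synced or online client holding the key installed at initiation."""

    def __init__(self, device_id, key, serial, mac):
        self.device_id, self.key, self.serial, self.mac = device_id, key, serial, mac

    def authenticate(self, server):
        client_nonce = secrets.token_bytes(16)                         # step 1
        server_nonce, server_proof = server.challenge(self.device_id, client_nonce)
        expected = _prf(self.key, b"server", client_nonce, server_nonce)
        if not hmac.compare_digest(expected, server_proof):            # step 3
            return "server-rejected"     # stop: send no credentials to a fake
        proof = _prf(self.key, b"client", client_nonce, server_nonce,
                     self.serial, self.mac)
        ok = server.verify(self.device_id, client_nonce, server_nonce,
                           self.serial, self.mac, proof)
        return "authenticated" if ok else "client-rejected"


def impostor_attempt(server, device_id, serial, mac):
    """Attacker who knows the registered serial and MAC but not the key."""
    client_nonce = secrets.token_bytes(16)
    server_nonce, _ = server.challenge(device_id, client_nonce)
    return server.verify(device_id, client_nonce, server_nonce,
                         serial, mac, secrets.token_bytes(32))


def demo():
    key = secrets.token_bytes(32)            # constructed: installed at initiation
    serial, mac = b"SN-1234", b"00:11:22:33:44:55"
    server = TapasServer()
    server.register("pda-0042", key, serial, mac)
    genuine = TapasClient("pda-0042", key, serial, mac)
    cloned = TapasClient("pda-0042", key, b"SN-9999", mac)   # key copied to other hardware
    return {
        "genuine": genuine.authenticate(server),
        "cloned_key": cloned.authenticate(server),
        "fake_server": genuine.authenticate(FakeServer()),
        "impostor": impostor_attempt(server, "pda-0042", serial, mac),
    }
```

The order of the steps matters: the client checks the server's proof before it sends anything computed with its own key, so an impersonating server learns nothing it could replay, and both nonces appear in both proofs, so a recorded exchange cannot be replayed against either side. The serial and MAC are included in the client's proof only so that the server verifies the values the client actually sent; they remain self-reported and do not strengthen the key-based authentication.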



Copyright © 2003-2004 Jason Robbins. All rights reserved. License terms. Retain this copyright statement whenever this file is used as a template.