
How to Keep Secrets Secret


February 1996 / International Features / How to Keep Secrets Secret

Special software can keep a portable PC from being the weakest link in security

Martin Banks

As portable PCs become more powerful and popular, employees are routinely carrying megabytes of sensitive spreadsheets and corporate documents out of their offices -- not to mention passwords and log-on scripts to company databases. Those assets are much more valuable than the mere worth of the computer.

Companies must minimize losses from these types of growing security risks. Passwords are nothing more than a simple first line of defense. Access-management systems, on the other hand, offer a more efficient solution. For example, Latches for Windows from Rhea International uses a personal ID and a password that allow access only to a predefined working environment on a PC. At the basic level, the entire system can be the working environment for the user; without the correct ID and password, access is blocked to everything on the machine. It is also possible to block certain Windows applications, allowing the system manager to set up different environments for different users on the same machine.

Rhea has taken this idea one step further by creating a networked version. It allows a user's environment to effectively follow him or her around a building. Instead of being tied to a specifically assigned PC on the network, employees can use their IDs and passwords to log in from any machine and have their personal work environment presented to them. This solution, which runs on NetWare and Windows NT networks with Windows 3.11 clients, is designed to ensure that intruders can't snoop around the entire LAN; if they get in, they can't get very far.

Recognize That Face

As a single form of security, password control is insufficient. An alphanumeric password code is often either a name or a number, so obvious a system cracker can guess it or so obscure the user has it written down. To make life harder for hackers, and access codes easier for people to remember, Visage has developed a system that takes advantage of the subtleties of cognition. The system flashes a series of random human faces onto the screen. The user then has to identify the ones that together make up the password. The idea is simple: Faces are easy to remember. While a password or personal identification number (PIN) can be guessed or stolen, faces are almost impossible to describe. Even telling a thief what faces to look for would not help him or her get past this barrier.

Visage's software works on any graphical computer system, including Windows, Macintosh, and Unix. It can be used either in stand-alone mode, where it would suit the roaming PC user, or as part of a networked environment. An applications development kit allows corporations to integrate the Visage assemble-the-faces scheme into their security systems.

The Next Level: Encryption

But even elaborate password schemes can be cracked, and with no additional security, your mission-critical data is open to abuse. Encryption advances security to the next level of protection.

Deadlock, from Security Intelligence, creates a logical extra disk drive on a notebook or desktop machine in which sensitive data can be located. A user's ID and password lock and unlock the drive that contains encrypted data. Deadlock works like a DOS device driver that encrypts or decrypts the data, then decides where to store it on the disk. The software runs under Windows 3.1 and will be released for Windows 95 in the second quarter (the Win 95 version uses a 32-bit VxD instead of the DOS device driver). This version will also allow access to a remote drive on a local-area network, says Security Intelligence's Simon Ordish.

The system is well-suited to the needs of the individual remote worker, though there are possible drawbacks. For example, because the software works in exactly the same way as compression utilities such as Stacker and DoubleSpace, it cannot be used on machines where those utilities are already present. The other possible drawback that might concern network and systems administrators is that if a user forgets his or her password, data on the encrypted drive is lost forever. There is nothing any administrator can do to access those files. Indeed, not even Security Intelligence will be able to break through to the data.

Other programs, like EliaShim's EasySafe, offer randomly generated one-time passwords. If one of these passwords is forgotten, the program vendor always has a superkey to access the system. But many security managers are not happy with such a solution because they think it opens up new security risks.

Sharing Secure Floppy Disks

ICL/Fujitsu's TeamWare Crypto offers a technique similar to Deadlock's. TeamWare Crypto provides data-encryption capabilities for partial or complete contents of a disk drive. It works as an extension to the Windows File Manager and stretches across a networked environment. It also provides file-level encryption of data, with the encrypted files stored effectively side-by-side with unencrypted ones.

Copying sensitive data onto floppy disks is another security risk. Some systems, such as Eutron's SmartLock, install automatic encryption on floppy disk drives. All in-house PCs can share disks freely, but no file can be opened outside the company without authorization.

The main questions a systems security administrator typically has to deal with are "Who has access to what kind of data?" and "How can unauthorized data access be prevented?" PC Security has extended the protection levels available in its Stop-Lock V system by incorporating SmartCard technology to identify a user. The company developed a card reader that can be inserted into a PC Card slot in a mobile PC. The reader is compatible with all Type II and Type III slots and supports most ISO 7816-compliant SmartCards.

The card can be used as an authentication check, requiring the user to present a valid card along with the correct ID and password. The card can be programmed to hold details of the user's access rights to the PC's resources.

PC Security also targets areas such as intracompany trading. For this application, the vendor has come up with StopLock KE, a version that includes key-escrow management services. This allows systems administrators to maintain control over who has what encryption keys and to recover those keys at any time.

Secure Communications

For many users of mobile PCs, the most important issue has moved from securing the data on the system itself to securing the data while it is being communicated. Many remote workers feel that the most important function of a portable computer is its ability to communicate with the corporate office. As it becomes easier for the legitimate worker to tap into the corporate LAN, it has become easier for a savvy industrial thief to break into a LAN.

Encrypting sensitive data during a communications session is a vital element in maintaining security. The SecureData system, developed by the South African company Nanoteq (and distributed throughout Europe by Secureteq), provides security levels that are among the most complex available. SecureData is based on a proprietary encryption algorithm called CARES, which is used in conjunction with a PC Card. The algorithm is, according to the company, used by the South African military and by major international banks working in that country. Though proprietary and not published, details of the algorithm are available to major users.

With this solution, the systems administrator can define the amount of data protected -- for example, a logical disk drive or the entire machine -- and only with the card inserted can the user access the information. When the card is not in place, the PC, or the protected area, is inaccessible. One potential drawback with this approach is that it uses one PC Card slot.

SecureData requires the user to key in a six-digit PIN. This PIN is an alphanumeric code generated by software designed to create nonsense words. The objective is to produce a PIN that is easy to remember because it is phonetic but difficult to crack because it is not a real word. The system gives the user three attempts to get the PIN right. According to Secureteq, this process should reduce the number of times a user needs to change passwords. It should also reduce the security weakness that comes from people opting for just two alternate passwords when required to change them regularly.

Should the user forget the PIN and need to gain access to the data on the mobile PC, the system can be unlocked by what the company calls a SuperPIN, which is held by the systems administrator. This number can be provided over the telephone. In order to contain any potential compromise of security, the systems administrator also flags that user's machine as inactive for remote communications. This flag can be removed only by the systems administrator when the user returns the mobile machine.
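A sketch of the phonetic-PIN idea and the three-attempt limit described above, added here as an example and not SecureData's own code. The consonant and vowel alphabets, the strict consonant-vowel alternation, and the lock-until-administrator-reset policy are assumptions made for illustration.

```python
import math
import secrets

# Assumed alphabet (not from the article): consonant-vowel pairs read as syllables.
CONSONANTS = "bdfgklmnprstvz"
VOWELS = "aeiou"

def make_pin(length=6):
    """Return a pronounceable nonsense word drawn from a CSPRNG."""
    return "".join(
        secrets.choice(CONSONANTS if i % 2 == 0 else VOWELS) for i in range(length)
    )

def search_space(length=6):
    """Number of distinct codes the generator can emit."""
    pairs, odd = divmod(length, 2)
    return (len(CONSONANTS) * len(VOWELS)) ** pairs * len(CONSONANTS) ** odd

def entropy_bits(length=6):
    return math.log2(search_space(length))

class PinGate:
    """Three attempts, then locked until an administrator resets (assumed policy)."""
    MAX_ATTEMPTS = 3

    def __init__(self, pin):
        self._pin = pin.encode()
        self.failures = 0

    @property
    def locked(self):
        return self.failures >= self.MAX_ATTEMPTS

    def try_pin(self, guess):
        if self.locked:
            return False              # even the right PIN is refused once locked
        if secrets.compare_digest(guess.encode(), self._pin):
            self.failures = 0
            return True
        self.failures += 1
        return False

    def admin_reset(self):
        self.failures = 0

if __name__ == "__main__":
    print(make_pin(), search_space(), round(entropy_bits(), 1))
```

With this assumed alphabet the generator can emit 343,000 codes (about 18.4 bits), fewer than six random decimal digits, so the attempt limit rather than the code itself is what keeps guessing impractical.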

The CARES encryption system uses a 125-bit key. The key number itself is encrypted and held in EEPROM on the PC Card. Each communications session is encrypted using a key specifically generated for that session. This occurs transparently during the log-on sequence. Once the user is identified and authenticated to the base system, the software generates two random numbers, which are used to establish the key for that particular session.
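The per-session key step, as an added example that is not Nanoteq's code: CARES is unpublished, so HMAC-SHA256 stands in for it, and the article does not say how the two random numbers are produced or combined. Here it is assumed that each side contributes one and that both are mixed with the long-term key held on the card.

```python
import hashlib
import hmac
import secrets

def derive_session_key(long_term_key, r_client, r_base):
    """Mix the long-term key with both random numbers (HMAC-SHA256 stand-in)."""
    # Length-prefix each random number so the two inputs cannot be confused.
    msg = b"".join(len(r).to_bytes(2, "big") + r for r in (r_client, r_base))
    return hmac.new(long_term_key, b"session-key" + msg, hashlib.sha256).digest()[:16]

def confirm_tag(session_key, role):
    """Key-confirmation value: proves possession of the session key."""
    return hmac.new(session_key, b"confirm:" + role, hashlib.sha256).digest()

def logon(card_key, base_key, r_client=None):
    """Simulate one log-on; returns (client_key, base_key, confirmed)."""
    if r_client is None:
        r_client = secrets.token_bytes(16)      # random number from the card side
    r_base = secrets.token_bytes(16)            # random number from the base system
    k_client = derive_session_key(card_key, r_client, r_base)
    k_base = derive_session_key(base_key, r_client, r_base)
    # The base accepts the session only if the client's tag matches its own view.
    confirmed = hmac.compare_digest(
        confirm_tag(k_client, b"client"), confirm_tag(k_base, b"client")
    )
    return k_client, k_base, confirmed

if __name__ == "__main__":
    CARD_KEY = bytes(range(16))                 # constructed sample key
    first = logon(CARD_KEY, CARD_KEY)
    second = logon(CARD_KEY, CARD_KEY)
    print("agree:", first[2], "fresh per session:", first[0] != second[0])
    # A card holding the wrong long-term key fails key confirmation.
    print("wrong card accepted:", logon(b"\xff" * 16, CARD_KEY)[2])
```

Because the base system adds its own random number, a client value replayed from an earlier log-on still produces a new session key.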

The company also has a version, called SecureLAN, for use with NetWare. A Unix version should be available soon, and an NT implementation sometime during the first quarter. The only client implementation so far is for Windows 3.11, and the company has not yet decided if it will develop a Windows 95 version.

Intercepted Signals

Understandably, much of the user's concentration on mobile security is centered on the PC itself or on the network at headquarters. But there is another area of vulnerability: the communications medium. Though the GSM cellular phone system in Europe exploits digital technology, there is still the possibility for signals to be intercepted. One way around this problem is to use a communications service specifically developed with data communications in mind. This is Mobitex, the digital packet-switching system. It's available in a growing number of countries. In the U.K., it is run by RAM Mobile Data (West Drayton, Middlesex), and there are now Mobitex services in France, the U.S., Australia, Belgium, the Netherlands, Norway, Finland, Sweden, Singapore, Poland, Chile, and South Korea. An implementation is in the early stages of live operation in Germany.

The packet-switching technology, where packets of data transmitted to or from remote systems are interleaved with each other, makes any particular message difficult to identify. According to RAM Mobile Data, it is possible for an eavesdropper to intercept the message stream, but it's impossible to identify the packets pertaining to a particular message and then reassemble them in the right order. The actual data contained in the message can itself be scrambled using the encryption software sold by RAM. As a measure of the security available with the Mobitex system, RAM has won several orders with United Kingdom police forces to provide secure communications.

It is important to realize that there will never be a totally secure system (see "Picking the Crypto Locks," October '95 BYTE). Systems security managers must weigh the risks of data lost against the cost and inconvenience of securing data. For large corporate networks, single-sign-on facilities make life for users easier. Single sign-on permits users to automate an unlimited number of log-on procedures in a secure and trusted way. This is particularly an issue for large heterogeneous networks, where people often have to sign on individually to different systems or servers. Single sign-on therefore makes sense, but it often creates a potential weak spot in terms of security.

The Secure European System for Applications in a Multi-vendor Environment (SESAME), a European Committee initiative, addressed this issue and developed the Generic Security Services API (GSS-API) to separate the caller process from the underlying security mechanism. This system works by getting users to authenticate themselves with a specific authentication server on the network. It produces a token that is then passed to a privilege attribute server, which issues the user a certificate containing details of access rights.

SESAME has developed not a product but a set of tools that suppliers can use to build secure networks (see the sidebar "A Secure European System"). The first examples of SESAME in actual use are expected to come from Bull Information Systemes (Louvecinnes, France) with its Integrated System Management AccessMaster, and from ICL with its AccessManager system. The latter product is scheduled to appear early this year.

First and foremost, a corporation must decide that security is an integral part of its overall information-management policy. Access to valuable data, both on the portable and its links to corporate LANs, should be as difficult as possible, but not so difficult that the authenticated user can't get his or her job done.


PRODUCT INFORMATION


Deadlock...............starts at 99 Pounds UK

Security Intelligence
London, U.K.
Phone: +44 171 589 4567 
Fax:   +44 171 589 4824 
Circle 977 on Inquiry Card.

EasySafe................starts at $139
MasterSafe..............starts at $185

EliaShim
Haifa, Israel
Phone: +972 4 516111
Fax:   +972 4 528613
info@eliashim.co.il

http://www.eliashim.com

Circle 978 on Inquiry Card.

Latches for Windows.....150 Pounds UK (network version)

Rhea International
Addlestone, Surrey, U.K.
Phone: +44 1932 830551
Fax:   +44 1932 830434
Circle 979 on Inquiry Card.

Safeguard Easy..........DM 250

Utimaco Safeguard AG
Oberursel, Germany
Phone: +49 6171 20970
Fax:   +49 6171 209710
Circle 981 on Inquiry Card.

SecureData..............call company for price

Secureteq
Witham, Essex, U.K.
Phone: +44 1376 500614
Fax:   +44 1621 893599
Circle 982 on Inquiry Card.

SmartLock...............starts at $50

Eutron
Treviolo Bergamo, Italy
Phone: +39 35 201003
Fax:   +39 35 201277
Circle 983 on Inquiry Card.

StopLock................195 Pounds UK

PC Security
Marlow, Buckinghamshire, U.K.
Phone: +44 1628 890390
Fax:   +44 1628 890116
Circle 984 on Inquiry Card.

TeamWare Crypto.........call company for price

ICL/Fujitsu
Bracknell, U.K.
Phone: +44 1249 814762
Fax:   +44 1344 473511
Circle 985 on Inquiry Card.

Visage..................call company for price

Visage
Hemel Hempsted, Herts, U.K. 
Phone: +44 1442 230471
Circle 986 on Inquiry Card.



Speed of Encryption Algorithms


It is important to weigh the level of protection you need against the performance you'll see during reads and writes. Utimaco tested the speed of various encryption algorithms. The very simple XOR algorithm, which is the fastest, is the reference value. DES is much more complex and secure but is about 33 times slower than XOR at read and write operations.


Martin Banks is a writer based in Luton, U.K. You can reach him by sending E-mail to 70007.5402@compuserve.com.
