An Authentication and Auditing Architecture for Enhancing Security on eGovernment Services

Denys A. Flores, Escuela Politécnica Nacional, Department of Informatics and Computer Sciences (DICC), Quito, Ecuador
Abstract—eGovernment delivers governmental information and services to citizens and society at large. Because the Internet is the underlying platform for this exchange, these services are exposed to data tampering and unauthorised access, the main threats against citizen privacy. These issues have usually been tackled with controls at the application level: stronger authentication and protection of credentials in transit using digital certificates. However, such efforts to secure governmental web sites have focused only on what malicious users can do from the outside, not on what insiders can do to alter data directly in the databases. In fact, the lack of security controls at the back-end hinders any effort to find evidence and investigate events related to credential misuse and data tampering. Moreover, even where attackers can be found and prosecuted, there is no evidence or audit trail in the databases to link illegal activities to identities. In this article, a Salting-Based Authentication Module and a Database Intrusion Detection Module are proposed as enhancements to eGovernment security, providing better authentication and auditing controls.

Index Terms—eGovernment, authentication, auditing, architecture, salting, intrusion detection, database, log

I. INTRODUCTION

eGovernment is the simplification and execution of information, communication and exchange processes between governmental institutions, citizens and organisations [1]. However, as eGovernment relies on the Internet as its exchange platform, sensitive information can be exposed to security threats [2] [3] such as data tampering, unauthorised access, and user overreliance on digital certificate protection.

First, owing to the lack of security controls at the application level on eGovernment web sites [4], these sites become open doors to security issues that can compromise important information. Examples are the governmental web sites of Ecuador, whose services have been exposed to attacks in recent years because of the lack of such controls [5]. For instance, the National Electoral Council (CNE) database used to register political parties was strongly suspected of having been tampered with [6]. These unexpected security events have pushed the local government to enhance application security and to adopt legal measures to identify and prosecute attackers [7].

Second, the lack of security controls at the back-end prevents authorities from finding the evidence and audit trails needed to prosecute malicious individuals, some of them employees [8], who misuse their access privileges to alter database records without being discovered. In the CNE example, it was found that the database had not been protected against access without permission, and it remains unclear whether user credentials were managed properly, since no audit-log evidence was found in the suspect database [6].

Finally, digital certificates do provide strong session-based security, but the common citizen overrelies on that protection. In the case of certificate-protected eGovernment web sites, most users do not realise that visiting them does not fully guarantee a secure session: they may trust fraudulent certificates [9], which lead them to insecure web sites [10]. This can be exploited through phishing attacks against governmental web sites, which have been reported as a serious threat to citizens in countries such as China [11] and Turkey [12].

Hence, these issues demand enhancing the security of eGovernment web sites: even where sites are protected by digital certificates and a secure Public Key Infrastructure (PKI) [2], data tampering and unauthorised access require additional measures that go beyond certificate protection. In this work, enhancements to eGovernment security are proposed that tackle unauthorised access through a Salting-Based Authentication Module (SAM) and data tampering through a Database Intrusion Detection Module (DB-IDM), the two being architectural elements for authentication and auditing, respectively.
II. PREVIOUS SIMILAR WORK

In 2010, Zhong proposed a model [2] for securing eGovernment web sites based on SSL and PKI. The model includes several features through which authenticity, integrity and confidentiality can be implemented as security controls in eGovernment web sites. In particular, authentication management is achieved by setting up a centralised Certification Authority (CA), in charge of managing digital certificates and key pairs for user authentication. In addition, the model implements a key escrow backed by an LDAP-based directory server, whose purpose is to hold user information and to retrieve credentials and certificates on demand during authentication requests. Although this is an interesting approach to credential management, a directory service requires a pre-defined hierarchy to describe an organisation. Applying a directory-like structure to eGovernment is therefore of little use, as governmental services are non-static structures under constant technological development [13] which has to respond effectively to security matters, most of them related to hacking activity [14]. Additionally, unless the government itself undertakes the considerable effort of setting up a national CA with a secure infrastructure for certificate issuing and revocation, every governmental institution willing to provide a service will have to set up its own CA.

Another similar work from the same year was proposed by Feng [15]. Instead of a centralised CA and a directory-managed escrow, a client-server architecture is proposed to authenticate and validate users. In this architecture, users prove their identity by presenting a certificate together with their private key. These two elements of authentication are sent to the authentication service, which validates the user's credentials, checks certificate revocation, and checks the user's right to access the requested service. This approach is acceptable only when the services are to be accessed by few users, i.e. when they are not meant to be available to all citizens but visible only to a few privileged ones. If a service must be accessible to every citizen, as many certificates as there are citizens in the country will be required, which implies operational costs beyond those of acquiring and maintaining credentials and certificates [16]. Both solutions, although innovative, run into the same certificate management problem: if certificates are to be delivered to every citizen, key revocation and key distribution become problematic (see section III.A).

Figure 1: Authentication and Auditing Model
Furthermore, even though both models provide session control based on access requests [2] [15], neither offers a way to prevent unauthorised access to the back-end, unless audit trails are kept in the database and direct login requests to the back-end are detected.

In conclusion, given the restrictions on adopting a directory-like structure for access control in eGovernment services, and the limitations of certificate management for every citizen, neither certificate-based access control model for authentication [2] [15] is scalable. Moreover, neither model addresses the lack of evidence and audit trails in databases that are accessed without authorisation, which hinders the possibility of carrying out effective digital investigations. In the next section, enhancements for authentication and auditing that strengthen eGovernment security while mitigating these issues are explained.

III. ENHANCING EGOVERNMENT SECURITY: AN AUTHENTICATION AND AUDITING MODEL

As discussed in the previous section, digital certificate protection alone is not enough to provide access control and to prevent unauthorised access to databases; this work therefore proposes an authentication and auditing architecture to strengthen eGovernment security. In Fig. 1, its two modules are represented as architectural elements with specific functions and design requirements.

A. Salting-Based Authentication Module (SAM)

As analysed in section II, the client-server model proposed by Feng [15] provides access control based on two elements of authentication: the user certificate and the private key. In PKI, key management involves both distribution and revocation [17]. Revocation is the simpler of the two, since a compromised key needs to be revoked only once, from the directory and from the escrow. Distribution is not as easy, because the number of certificates grows with the number of users who require access to a service. Additionally, despite the benefits of PKI-based models such as openness, stability and security [3], their main pitfall is that they are trust-based: the client must trust the certificate presented by the service in order to access it.
Nonetheless, if the presented certificate cannot be confirmed to come from a trusted party, there is no way to prevent user credentials from being stolen [10], particularly when the client is deceived into establishing a "secure" connection to an insecure service [18].
Digital certificates can therefore be used only as a means of protecting credentials in transit over the Internet through SSL, not as an access control to services: if authentication relies on just one party during the communication, an attacker only needs to compromise one entry point, for example through a man-in-the-middle attack [18]. Therefore, in the proposed authentication module (SAM), authentication is divided into two entry points (Fig. 1):

1) Credential protection via digital certificates and SSL: to guarantee that the web server to which the user is connecting provides a trusted connection. Credentials in transit over the Internet are thus protected by the session negotiated in the SSL handshake.

2) A centralised Authentication Service (AS): deployed on an SSL-protected web server as the single entry point for user registration and user authentication, as suggested by Zhong [2] and Feng [15]. As an additional security measure, a salt is added to the password [19] before it is hashed and stored [20] in the Application Database Server.

a) During user registration, as shown in Fig. 2, the usual procedure for hashing salted passwords is followed [20]: the user provides their credentials, the hash of the salted password is computed, and both the hash and the salt are stored in the database.

b) During user authentication, as illustrated in Fig. 3, the usual procedure for retrieving and comparing the hash of the salted password is followed [20]. However, once the password has been validated and a session granted, a new salt is generated and the previous salt is discarded; a new hash of the salted password is then computed, so that a salt is never reused [20] across session requests. As a consequence, not only are passwords protected from being stolen, but the damage is also contained if an attacker obtains previously stored salts, since they no longer correspond to the hashes currently stored.

Figure 2: User Registration Process in the Authentication Service

Figure 3: User Authentication Process in the Authentication Service

Moreover, as salts are generated and hashes recalculated on every session, the user credential records in the Application Database Server are re-randomised, so attackers cannot use old salts to compute candidate hashes for the current records.

B. Database Intrusion Detection Module (DB-IDM)

Considering the models analysed in section II, in order to provide reliable auditing records, Zhong [2] proposes role-based access control at the application level, so that access to services is controlled according to the role assigned to the user. Similarly, Feng [15] proposes a role-based authentication model with a single-sign-on solution, so that users do not have to present their credentials every time they access a specific service. In both models, eGovernment web sites are protected from unauthorised access only when the front-end is the target, as both role-based controls are implemented at the application level. These controls cannot protect the database from unauthorised access when it is compromised directly by insiders [8] who abuse their credential privileges to alter sensitive information. For instance, during the CNE database investigation, malicious employees were found to be responsible for altering the database records of political parties [6], even though no records or audit trails were found. Thus, the proposed Database Intrusion Detection Module (DB-IDM) goes beyond role-based access control by adding a further security level in two stages:

1) Using a Network Intrusion Detection System (NIDS) to report login attempts made from within the network directly to the database. In Fig. 1, Snort is deployed between the intranet and the Application Database Server so that login attempts from the intranet can be detected. For this purpose, Snort is configured in passive mode, so that login attempts to the Application Database Server are logged to the Snort Database Server. Additionally, to protect the communication between the NIDS (Snort sensor) and the Snort Database Server, Stunnel is used to encrypt the channel between the two components [21].

2) Implementing login audit logs in the database to keep track of all login attempts to the database. This makes it easier to correlate the logs stored in the Snort Database Server with the login attempts recorded in the Login Audit Logs stored in the Application Database Server. Besides, should any user credential be compromised, the login audit logs provide an extra piece of evidence with which credential misuse can be investigated.

Therefore, with a NIDS reporting login attempts from within the network and audit logs storing all login attempts to the database, it is possible to identify malicious logins used to alter database records from within the governmental network. It is also possible to generate digital evidence revealing the suspicious events recorded in both the database Login Audit Logs and the Snort Database, so that legal action can be taken against malicious employees who have been misusing valid credentials.
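The registration and rotating-salt authentication steps of the SAM (section III.A, Fig. 2 and Fig. 3), written out as an added example; this is not the paper's own code. It assumes an in-memory dictionary in place of the Application Database Server and PBKDF2-HMAC-SHA256 as the password hash (the paper's cited source [20] recommends a slow hash of this kind over plain MD5, which [19] analyses). The class, function and parameter names, salt length and iteration count are the example's own.

```python
import hashlib
import hmac
import os
from typing import Dict, NamedTuple

# Parameters chosen for this example (assumptions, not values from the paper):
# PBKDF2-HMAC-SHA256 with a 16-byte random salt and 100k iterations.
SALT_LEN = 16
ITERATIONS = 100_000
ALGO = "sha256"


class CredentialRecord(NamedTuple):
    """One row of the Application Database Server's credential table."""
    username: str
    salt: bytes
    pw_hash: bytes


def hash_password(password: str, salt: bytes) -> bytes:
    """Hash of the salted password, as stored in the database."""
    return hashlib.pbkdf2_hmac(ALGO, password.encode("utf-8"), salt, ITERATIONS)


def verify_record(rec: CredentialRecord, password: str) -> bool:
    """Constant-time comparison of a candidate password against one record."""
    return hmac.compare_digest(hash_password(password, rec.salt), rec.pw_hash)


class AuthenticationService:
    """Centralised AS of the SAM; an in-memory dict stands in for the database."""

    def __init__(self) -> None:
        self._db: Dict[str, CredentialRecord] = {}

    def register(self, username: str, password: str) -> None:
        # Fig. 2: fresh random salt, hash the salted password, store both.
        if username in self._db:
            raise ValueError("user already registered")
        salt = os.urandom(SALT_LEN)
        self._db[username] = CredentialRecord(username, salt, hash_password(password, salt))

    def authenticate(self, username: str, password: str) -> bool:
        # Fig. 3: look up the record, recompute the hash with the stored salt, compare.
        rec = self._db.get(username)
        if rec is None:
            # Spend the same hashing work for unknown users so response time
            # does not reveal whether the username exists.
            hash_password(password, bytes(SALT_LEN))
            return False
        if not verify_record(rec, password):
            return False  # a failed login leaves the record untouched
        # Session granted: generate a new salt and re-hash, so the previous
        # (salt, hash) pair no longer matches anything stored.
        new_salt = os.urandom(SALT_LEN)
        self._db[username] = CredentialRecord(username, new_salt, hash_password(password, new_salt))
        return True

    def record(self, username: str) -> CredentialRecord:
        """What someone with direct database access would see for this user."""
        return self._db[username]


if __name__ == "__main__":
    svc = AuthenticationService()
    svc.register("alice", "correct horse battery")
    before = svc.record("alice")
    print("login ok:", svc.authenticate("alice", "correct horse battery"))
    print("salt rotated:", svc.record("alice").salt != before.salt)
```

Two checks worth keeping: a failed login must not rotate the salt, and rotation needs the plaintext password, so it can only happen inside the successful-authentication path. Note also what rotation does not do: verify_record() still succeeds against a copy of the old record, because a salt is not a secret. A stolen copy can be attacked offline, which is why the cost of the hash function, rather than the rotation, is what limits an attacker who has already read the table.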
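The correlation in stage 2 of the DB-IDM, between Snort alerts on connections to the Application Database Server and the database's own login audit log, as an added example that is not the paper's own code. The Snort alert_fast lines and the audit-log rows are constructed sample data; the audit-log format, the database server address, the set of hosts allowed to open database sessions, the five-second matching window and the illustrative Snort rule are all assumptions of the example.

```python
import re
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional, Tuple

# Assumptions of this example, not values from the paper:
DB_SERVER = "10.0.1.10"            # Application Database Server
DB_PORT = 3306
ALLOWED_DB_CLIENTS = {"10.0.1.20"}  # only the SSL-protected web/AS server may open DB sessions
WINDOW = timedelta(seconds=5)      # tolerated clock skew between sensor and database
YEAR = 2014                        # Snort alert_fast timestamps carry no year

# Illustrative Snort rule (constructed): flag established client-to-server traffic
# towards the database port. A production rule would match the database protocol's
# login handshake; the correlation below is the same either way.
SNORT_RULE = (
    f'alert tcp $HOME_NET any -> {DB_SERVER} {DB_PORT} '
    '(msg:"DB login attempt"; flow:to_server,established; sid:1000001; rev:1;)'
)

# Snort alert_fast line layout: "MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] ... {PROTO} src:port -> dst:port"
_ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+\[\d+:(?P<sid>\d+):\d+\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


class SensorEvent(NamedTuple):
    ts: datetime
    src: str
    dst: str
    dport: int


class AuditEvent(NamedTuple):
    ts: datetime
    user: str
    host: str
    success: bool


Finding = Tuple[str, str, Optional[str], datetime]  # (kind, host, user, time)


def parse_snort_fast(lines: List[str]) -> List[SensorEvent]:
    """Parse Snort alert_fast output; lines that do not match the layout are skipped."""
    events = []
    for line in lines:
        m = _ALERT_RE.match(line.strip())
        if m is None:
            continue
        ts = datetime.strptime(f"{YEAR}/{m['ts']}", "%Y/%m/%d-%H:%M:%S")
        events.append(SensorEvent(ts, m["src"], m["dst"], int(m["dport"])))
    return events


def parse_audit_log(lines: List[str]) -> List[AuditEvent]:
    """Parse the database login audit log (assumed layout: ts | user | host | status)."""
    events = []
    for line in lines:
        ts, user, host, status = (f.strip() for f in line.split("|"))
        events.append(AuditEvent(datetime.fromisoformat(ts), user, host, status == "SUCCESS"))
    return events


def correlate(sensor: List[SensorEvent], audit: List[AuditEvent]) -> List[Finding]:
    """Match each audited login to a sensor alert from the same host within WINDOW."""
    findings: List[Finding] = []
    matched = set()
    for a in audit:
        hits = [i for i, s in enumerate(sensor)
                if s.src == a.host and s.dst == DB_SERVER and s.dport == DB_PORT
                and abs(s.ts - a.ts) <= WINDOW]
        matched.update(hits)
        if a.host in ALLOWED_DB_CLIENTS:
            continue  # front-end path: expected traffic, not a finding
        kind = "direct-login" if hits else "audit-without-sensor"
        findings.append((kind, a.host, a.user, a.ts))
    for i, s in enumerate(sensor):
        if i not in matched and s.src not in ALLOWED_DB_CLIENTS:
            findings.append(("sensor-without-audit", s.src, None, s.ts))
    return findings


# Constructed sample data: three sensor alerts and three audit rows.
SNORT_LINES = [
    "02/07-10:15:32.101010  [**] [1:1000001:1] DB login attempt [**] [Priority: 2] {TCP} 10.0.1.20:44321 -> 10.0.1.10:3306",
    "02/07-10:16:05.555555  [**] [1:1000001:1] DB login attempt [**] [Priority: 2] {TCP} 10.0.5.23:51234 -> 10.0.1.10:3306",
    "02/07-10:18:40.000001  [**] [1:1000001:1] DB login attempt [**] [Priority: 2] {TCP} 10.0.5.77:51300 -> 10.0.1.10:3306",
]
AUDIT_LINES = [
    "2014-02-07T10:15:32 | app_svc    | 10.0.1.20 | SUCCESS",
    "2014-02-07T10:16:06 | dba_jperez | 10.0.5.23 | SUCCESS",
    "2014-02-07T10:20:11 | dba_jperez | 10.0.5.23 | SUCCESS",
]


def run_example() -> List[Finding]:
    return correlate(parse_snort_fast(SNORT_LINES), parse_audit_log(AUDIT_LINES))


if __name__ == "__main__":
    for kind, host, user, ts in run_example():
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {kind:22} host={host} user={user}")
```

The three finding kinds map onto the evidence the paper is after: a corroborated direct login from a workstation (both sources agree), an audit entry the sensor never saw (a sensor blind spot, or a row inserted into the audit table), and a sensor alert with no audit row (an audit record that was never written or was deleted). The last two are exactly the cases where either source on its own would have been inconclusive.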
IV. CONCLUSION AND FUTURE WORK

As discussed, digital certificate protection is not enough to provide access control and to prevent unauthorised access to databases; this work therefore proposes an authentication and auditing architecture to strengthen eGovernment security. Access control is achieved by a centralised Authentication Service in charge of user registration and user authentication. This simple approach retains the centralised access control model proposed by Feng [15] and Zhong [2], but instead of using digital certificates as the access control, passwords are secured through salting, with the salts regenerated on every session request. Conversely, since unauthorised access to databases was not discussed in those models, this work proposes combining database auditing through login logs with intrusion detection by a NIDS in passive detection mode. Both provide sources of evidence that ease the investigation of user credential misuse.

Future work in this field concerns the effective use of NIDS for specific purposes, such as detecting illegal activity and record modifications carried out with valid credentials, not only in eGovernment services but also in other public and private services such as banking and online shopping.

REFERENCES

[1] A. Meier, “eGov Framework,” in eDemocracy & eGovernment: Stages of a Democratic Knowledge Society, Berlin, DE: Springer, 2012, p. 4.
[2] W. Zhong, “Research on e-Government Security Model,” in International Conference on eBusiness and eGovernment, Guangzhou, China, 2010.
[3] H. Liping and S. Lei, “Research on Trust Model of PKI,” in Fourth International Conference on Intelligent Computation Technology and Automation, Zhangjiajie, China, 2011.
[4] TrendMicro, “Latin American and Caribbean Cybersecurity Trends and Government Responses,” 2013. [Online]. Available: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-latin-american-and-caribbean-cybersecurity-trends-and-governmentresponses.pdf. [Accessed 4 February 2014].
[5] El Comercio, “Ecuador es un blanco fácil para ataque de hackers,” 22 August 2011. [Online]. Available: http://www.lahora.com.ec/index.php/noticias/show/1101192492/-1/%E2%80%98Ecuador es un blanco f%C3%A1cil para ataque de hackers%E2%80%99.html. [Accessed 4 February 2014 (In Spanish)].
[6] Ecuador Inmediato, “Manipulación de Base de Datos del CNE, provino desde el propio organismo electoral,” ecuadorinmediato.com, 7 October 2012. [Online]. Available: http://www.ecuadorinmediato.com/index.php?module=Noticias&func=news user view&id=182966&umt=manipulacion base datos del cne provino desde propio organismo electoral revela perito informatico. [Accessed 23 January 2014 (In Spanish)].
[7] El Tiempo, “Gobierno advierte a quienes intenten hackear páginas web oficiales,” eltiempo.com.ec, 7 August 2011. [Online]. Available: http://www.eltiempo.com.ec/noticias-cuenca/75076-gobierno-advierte-aquienes-intenten-hackear-paginas-web-oficiales/. [Accessed 23 January 2014 (In Spanish)].
[8] D. A. Flores, O. Angelopoulou and R. J. Self, “Combining Digital Forensic Practices and Database Analysis as an Anti-Money Laundering Strategy for Financial Institutions,” in Third International Conference on Emerging Intelligent Data and Web Technologies (EIDWT), Bucharest, Romania, 2012.
[9] Microsoft, “Improperly Issued Digital Certificates Could Allow Spoofing,” Security TechCenter, 9 December 2013. [Online]. Available: http://technet.microsoft.com/en-us/security/advisory/2916652. [Accessed 4 February 2014].
[10] P. Paganini, “Turkey – Another story on use of fraudulent digital certificates,” Security Affairs, 4 January 2013. [Online]. Available: http://securityaffairs.co/wordpress/11512/cyber-crime/turkeyanother-story-on-use-of-fraudulent-digital-certificates.html. [Accessed 4 February 2014].
[11] E. Kovacs, “Hacked Chinese Government and Educational Sites Used in ANZ Phishing Scam,” Softpedia - Security Blog, 25 November 2013. [Online]. Available: http://news.softpedia.com/news/Hacked-Chinese-Government-and-Educational-Sites-Used-in-ANZ-Phishing-Scam-403241.shtml. [Accessed 4 February 2014].
[12] T. Brewster, “Turkish Government Body Accused Of Google Phishing Attack,” TechWeek Europe, 4 January 2013. [Online]. Available: http://www.techweekeurope.co.uk/news/turkish-government-digitalcertificate-google-103125. [Accessed 4 February 2014].
[13] A. Nilsson, “Management of Technochange in an Interorganizational e-Government Project,” in 41st International Conference on System Sciences, Hawaii, US, 2008.
[14] S. Xia, J. Zhang, J. Yang and J. Ni, “A Content-based Self-feedback E-Government Network Security Model,” in Fourth International Conference on Internet Computing for Science and Engineering, Chennai, India, 2009.
[15] Z. Feng and Y. Zhu, “Design and Implementation of a Secure Scheme for the C/S mode E-Government system,” in Second International Workshop on Education Technology and Computer Science, Wuhan, China, 2010.
[16] H. G. Miller and J. L. Fisher, “Requiring Strong Credentials: What's Taking So Long?,” IEEE IT Professional, vol. 12, no. 1, pp. 57-60, 2010.
[17] S. Misra, S. Goswami, P. G. Patak, N. Shah and I. Woungang, “Dividing PKI in Strongest Availability Zones,” in International Conference on Computer Systems and Applications, Rabat, Morocco, 2009.
[18] D. A. Flores, “A Social Engineering Discussion about Privacy Attacks and Defences Considering Web Browsers and Social Networks,” in 8th Congress of Science and Technology - ESPE, Sangolquí, EC, 2013.
[19] M. C. Ah Kioon, Z. S. Wang and S. D. Das, “Security Analysis of MD5 algorithm in Password Storage,” in Second International Symposium on Computer, Communication, Control and Automation, Singapore, 2013.
[20] Defuse Security, “Secure Salted Password Hashing,” 23 January 2014. [Online]. Available: https://crackstation.net/hashing-security.htm. [Accessed 5 February 2014].
[21] R. U. Rehman, Intrusion Detection Systems: Advanced IDS Techniques Using Snort, Apache, MySQL, PHP, and ACID, United States: Prentice Hall, 2003.