
Abstract

Information security is a problem that is only exacerbated in an increasingly networked environment. Current state of the art environments provide secure storage and access control for locally kept data as well as secure transport of data across node boundaries. While such mechanisms offer a foundation for a secure infrastructure, such mechanisms do not deal effectively with the problem of use control and intra-node access control.

Contact

Christoph Busch
Email: christoph.busch@h-da.de

Stephen Wolthusen

CIPRESS: The ReEncryption™ System

Traditional security mechanisms cannot be used to audit and trace the distribution and use of data across a networked environment; even if a secure transport mechanism is employed, that protection ends once it has reached a recipient; that recipient is then free to use the data as she sees fit. As a result, mishandling of sensitive information cannot be prevented effectively by traditional means, even if there is no malicious intent on the part of the user; even a very diligent individual can on occasion forgo necessary steps to ensure security because this typically requires additional, sometimes lengthy and repetitive steps to be taken. The situation is even bleaker in case the recipient has no common interest with the originator of data such as in the case of copyrighted or sensitive third party material.

Another problem typically encountered is the protection of storage media. If such media (or even entire computers) are stolen or misplaced, data can typically be recovered easily by an attacker.
Both issues can be resolved only by providing a mandatory security mechanism that gives the owner of a data item full control over access and use (hence also distribution) of this data. In addition, a security system must provide means for precise auditing of the use of any such data.

The ongoing CIPRESS project (Cryptographic Intellectual Property Rights Enforcement SyStem) was initiated in March of 1998 by the Fraunhofer Institute for Computer Graphics based in Darmstadt, Germany on behalf of the Mitsubishi Corporation, Tokyo, Japan. During the course of the project, a system was developed which addresses the problems outlined above; the system also provides efficient mechanisms for handling primary and secondary copyrights (i.e. copyrights on compositions of otherwise copyrighted material into a new form in and of itself again copyrightable). The results of this research have been incorporated into the ReEncryption™ product by the Mitsubishi Corporation.

Security is achieved by embedding additional functionality into otherwise standard commercial operating systems. These security modules provide automatic and mandatory encryption of any and all file system accesses. Users and applications do not notice this as long as they do not attempt to perform disallowed operations; for both the system appears just like a normal, unsecured system. The same applies also to access attempts via a network.

Mandatory encryption in the file system occurs at two distinct levels. Any file created locally is never stored in plaintext but rather encrypted with a key - depending on the configuration used - either tied to the system where it is created or to the user creating the file. This means that the file can be used by the user himself or, respectively, by any user, an application acting on behalf of a user, or the operating system itself. If a document (i.e. an arbitrary file) is to be shared with other users, it must be registered with a central instance called the Key Center which users access through intermediate instances called Content Servers. During the registration process the user can assign an access control list to the document, and the Key Center can verify that the same document is not already registered anywhere within its control. The Key Center assigns the access rights to the document along with keys to be used for subsequent encryption which is performed automatically and mandatorily by the Content Server. The local copy is then replaced by this now registered document. Any access to any copy of this document must then be mediated by the Key Center which can verify whether the user and system accessing the document have the proper permissions and will yield a key for decryption and subsequent re-encryption only if this is the case. This ensures that both access and use control are in place and also provides a mechanism for enforcing security across individual nodes in a network. To a user, there is no difference between a local document and a document under the control of the Key Center.

Besides acting as an intermediary in the registration process, Content Servers can also act as repositories for registered documents. Documents are held at a Content Server for retrieval by a number of protocols including standard FTP and HTTP as well as a custom protocol. In addition to the data itself, Content Servers also store metainformation regarding documents such as keywords for indexing and document creation and expiry dates. There can be an arbitrary number of Content Servers which can be organized into Domains; privileged users called Domain Administrators can then, using any protected workstation, remotely administer their Domain by creating and adding users, user groups, or managing documents.
However, the registered (encrypted) documents can also be archived or held for access on any storage medium or file server, the system will always transparently detect the presence of a registered and encrypted document even if it is retrieved from a file server that is not aware of any security features.
To protect against cut-and-paste attacks and »writing down« sensitive information into documents with a lower security classification (accessible to more users), a »tainting« mechanism is used. Any registered document stays within the control of the Key Center and can be shared among authorized users only as long as it is completely unmodified. If a single bit is changed in such a document, it reverts to a state locked to an individual user or system and must be registered again with the Key Center. This permits precise auditing of information flows.
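The registration, Key Center mediation and tainting rules described above can be modelled in a few lines. This is an added example, not code from CIPRESS or ReEncryption: the class and method names are hypothetical, the encryption step itself is omitted, and identifying a document by a SHA-256 digest of its bytes is an assumption, since the page does not say how the Key Center detects duplicates or modifications.

```python
import hashlib
import secrets

class KeyCenter:
    """Toy model (hypothetical): document registry, ACL check, audit trail."""
    def __init__(self):
        self.registry = {}   # digest -> {"acl": set of users, "key": bytes}
        self.audit = []      # (user, digest, outcome) for every request

    @staticmethod
    def digest(content: bytes) -> str:
        # Assumption: a document's identity is the SHA-256 digest of its bytes.
        return hashlib.sha256(content).hexdigest()

    def register(self, owner: str, content: bytes, acl: set) -> str:
        d = self.digest(content)
        if d in self.registry:
            # The same document must not be registered twice.
            self.audit.append((owner, d, "duplicate"))
            raise ValueError("document already registered")
        self.registry[d] = {"acl": set(acl) | {owner},
                            "key": secrets.token_bytes(32)}
        self.audit.append((owner, d, "registered"))
        return d

    def request_key(self, user: str, content: bytes):
        """Return the document key, or None if the request is refused."""
        d = self.digest(content)
        entry = self.registry.get(d)
        if entry is None:
            # One changed bit gives an unknown digest: the copy is tainted
            # and has to be registered again before it can be shared.
            outcome, key = "tainted", None
        elif user not in entry["acl"]:
            outcome, key = "denied", None
        else:
            outcome, key = "granted", entry["key"]
        self.audit.append((user, d, outcome))
        return key

def demo():
    kc = KeyCenter()
    doc = b"Q3 strategy draft"   # constructed sample document
    kc.register("alice", doc, {"bob"})
    granted = {"bob": kc.request_key("bob", doc) is not None,
               "mallory": kc.request_key("mallory", doc) is not None,
               "bob_modified": kc.request_key("bob", doc + b"!") is not None}
    return granted, [outcome for (_, _, outcome) in kc.audit]

if __name__ == "__main__":
    print(demo())
```

Every request, granted or refused, lands in the audit list, which is the property the text relies on for tracing information flows.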

Since the underlying axiom of the system is to limit inconveniencing users if at all possible and work invisibly in the background, information security becomes a problem once data (particularly multimedia data) is transformed into analog representations. While this can be blocked partially by disallowing access to interfaces providing analog representations, it is highly unlikely that users will forgo such elementary things as printing. Since printouts cannot be encrypted, the security provided by mandatory encryption ends at the analog interface. However, a solution exists in the form of digital watermarking. Watermarking algorithms provide a mechanism for embedding hidden (invisible, inaudible, etc.) information into an existing signal such as an image. The difference between a digital watermark and simple steganography is that a watermark must also be robust against manipulations and inseparably linked to its carrier signal. Robustness here means that the marking must survive an analog-to-digital and vice versa transformation as well as other manipulations such as cropping, color-space reduction or skewing or local distortion.
The system employs digital watermarking for multiple purposes. First is as a means for provably identifying the organization owning the data (the company or a copyright holder); second as a means for identifying the origin of an analog representation by embedding the identity of the last legitimate users (e.g. the user initiating a print job of a sensitive document whose results are later found in an unauthorized location). Finally, watermarks can be used as an identification mechanism for documents, allowing the identification of a document source and its archived digital representation from an analog representation or even just a fragment thereof. This is possible due to the unique properties of the watermark algorithms developed at Fraunhofer IGD which permit the embedding of multiple digital watermarks into a single carrier signal. Just like the encryption process, digital watermarking is embedded into the operating system; users and applications have no means of accessing data without it being processed by the marking mechanisms. Since each multimedia data type (images, audio, etc. but not media representations such as MP3 or AAC, the latter are treated indiscriminately by a single data type handler) requires a specially adapted algorithm, the system permits the fast and flexible integration of media handler modules.
The system provides scalability across a broad range by means of a three-tier architecture; both Key Center and Content Server store all data on a separate database back end that is accessed via a standardized interface. Each server’s database can itself be replicated and accessed via a parallel server architecture. The middle tier of each server handling requests by client nodes and containing the server logic consists of a load-balanced cluster of up to 32 nodes. In combination with a replicated parallel database implementation this not only provides a highly scalable but also fault-tolerant solution. Fault tolerance and handling of inter-server operations are handled on both the Key Center and Content Servers by operating the logic components under the control of a transaction monitor which also handles nested transactions across server boundaries.

Since it is anticipated that the system will be integrated into large organizations, interoperability was one of the core considerations in the design. As a result, user management can be performed both internally in case no previous central user management exists, or it can be synchronized with existing user databases. Similarly, the requirements of the system for the necessary public key infrastructure have been kept to a minimum that can be fulfilled by a large number of PKI systems without adaptation.

The system was originally implemented under the Microsoft Windows NT 4.0 operating system for both client and server systems. A commercial implementation, the ReEncryption™ system, will be available in the last quarter of 2001 by the Mitsubishi Corporation. In addition, a version for the Microsoft Windows 2000 operating system has been developed for both clients and servers and will be made available for commercial use. Work is ongoing on client system support for several Unix System V Release 4-based operating systems, notably Sun Solaris 8. It has generated considerable interest worldwide and appeals to a number of customer groups including government, finance, corporate R&D and strategy, software publishers, and similar groups needing to handle sensitive data across networks using standard commercial operating systems and application programs.
