Hardware Secure Access to Servers and Applications

Introduction

Current legislation at every country provides means to regulate the use and control of digital information (an useful standard to ensure a certain structured information security risk assessment can be found under the norm ISO/IEC 27002), specifically if its character compromises the private sphere or intimacy of persons. Operating systems provides standard protection methods, but nothing can be done to protect the data if the use of the operating system is not adequate (uncontrolled software installation may produce data stealing via Trojans, etc.). In addition, one may consider how security is at hand of everybody. Abelson, Ledeen & Lewis (2008) underlined two unexpected behaviours experienced in the new digital era we are now living in (1) people give up their privacy too easily, and in the process may give up third party’s privacy, and (2) little brother is watching, even non-experienced kids may run scripts to attack your data. Cryptography plays an important role offering privacy nowadays although few users employ it.

In this chapter we propose a system for granting secure access to stored data and even to applications that deal with them, based on a protocol of sharing secrets. The aim of this software is to avoid unauthorized uses of programs and their related data or even a whole system. Operating systems are in charge of protecting us from intrusions and our software will be responsible of converting the stolen information into a useless chunk of bits.

Restricted access to information stored in a system is turned into an issue of truly vital importance in certain circumstances. When access to such information is a privilege of only one person then it is usual that this information is encrypted using a symmetric cryptosystem, where the secret key is a property of the owner of the information. PGP (http://www.pgpi.org/) is a protocol that can be used to that end. However a problem arises when protected data should be accessible for a group of people and not only for a unique user. In that case, making copies of the key used to protect the information and giving them to authorized people is something that decreases the level of security in a significant way. Secret sharing schemes come to the rescue in such scenario (Menezes, A., 1996; Schneier, B., 2003). These algorithms are protocols that allow the sharing of the key used to protect the information in such a way that the original key can be recovered from a minimum number (maybe all) of the shares and, even if a lesser number keys are present such shares does not reveal any information about the shared key. Another issue of interest regarding the security scheme is one that has to do with length of the key. Keys used for any cryptosystem and thus, also the shares, are excessively long to be memorized which makes necessary providing any storing method, making the key susceptible of being stolen.

In this chapter we present an implementation that provides a security system based in USB devices for protecting data and applications on information systems, this can be carried out in an individual, shared or hierarchical way, also preventing the key or any sharing from being stolen was a desired objective. Section 2 will introduce the foundations of the cryptography used. Section 3 will show a roadmap of the decisions taken for choosing the Operating System where the software was to be deployed in, the language to build the software, the way of using the USB device in order to use the secret sharing, etc. Section 4 will show the implementation details, how we dealt with big numbers. Section 5 will show the conclusions and issues to be improved.