Business Process Modelling for the sake of Information Security

1. Heidelberg University of Applied Sciences
Germany/Heidelberg
Faculty of Informatics
Master Thesis
Business Process Modeling in the field of Information Security
Submitted by
Vishal Sharma
Supervised by
Prof. Dr. Gerd Möckel
Dr. Peter Misch
August 2011
Company’s Supervisor: Dipl. - Ing. Thomas Brandtstaetter
1

2. 2

3. Business Process modeling for the sake of
Information Security
By
Vishal Sharma
Matriculation no: m1000830
A thesis submitted as a pre-requisite for the
Degree of Master of Science
Thesis Advisory Committee
Prof. Dr. Gerd Möckel & Dr. Peter Misch Dipl-Ing. (BA) Thomas
Heidelberg University of Applied Science Brandtstaetter
BÜROTEX Synargos GmbH
Ludwig-Guttmann-Straße 6
Max-Eyth-Str. 21
69123 Heidelberg
72622 Nürtingen
Germany
Germany
3

4. Affidavit
Herewith I declare:
• That I have composed the chapters for the Master Thesis for
Which I am named as the author independently;
• That I did not use any other sources and additives then the one’s specified;
• That I did not submit this work at any other examination procedure;
Heidelberg,
(Date)______________________________
(Signature)______________________
4

5. Acknowledgements
Following the Indian tradition, first I would like to give my heartiest thank to the
Germany and its people who have accepted me here and gave me an opportunity to
learn and to move further in my life. Not forgetting about my family after staying
away from them for almost two years and who are the pillars of my life that always
stand by me to give me the strength to accomplish whoever I am today.
Mr. Thomas Brandtstaetter as my mentor, who has always gave me an inspiration to
achieve the best and to think in an eco-economic manner which is fruitful to the
whole society. I would like to give him my thanks to be with me all the time during
this project. As an Indian the most important people in my life are my teachers
(Gurus) Prof. Dr. Gerd Möckel and Dr. Peter Misch, the most generous persons I met
and the whole staff of Fachhochschule Heidelberg, who always helped me and
always motivated me during my studies.
Last but not least the whole Staff of BÜROTEX Synargos who has always shown me
the right path, and provided me with all the information which I needed during the
six months, and always spend their useful time for me to discuss things about my
project.
5

6. Table of Contents
Abstract ................................................................................................................................ 9
1 Introduction ............................................................................................................... 11
1.1 Various Techniques ............................................................................................... 16
1.2 UML ........................................................................................................................ 16
1.3 SOA ......................................................................................................................... 18
1.4 BPMN2.0 ................................................................................................................ 19
1.5 Advantages over others:........................................................................................ 19
2 Company Profile ........................................................................................................ 22
2.1 History .................................................................................................................... 23
2.2 Core Business ......................................................................................................... 24
2.3 Cryptography-Typical Application ..................................................................... 25
2.4 Hardware Security Module in Crypto Server-Implementation ........................ 25
2.5 HSM IBM 4764-001 Internal Architecture ......................................................... 26
2.6 FINPIN ................................................................................................................... 27
2.7 Functions ................................................................................................................ 28
3 Conceptualization ...................................................................................................... 29
3.1 NIST ........................................................................................................................ 29
3.2 FIPS ........................................................................................................................ 29
3.2.1 FIPS 140-2 Level 1: ............................................................................................... 30
3.2.2 FIPS 140-2 level 2: ................................................................................................. 30
3.2.3 FIPS 140-2 level 3: ................................................................................................. 30
3.2.4 FIPS 140-2 level 4: ................................................................................................. 30
6

7. 3.3 ISO 27001: ............................................................ Fehler! Textmarke nicht definiert.
3.4 VISA PIN Security Requirements Audit: ........................................................... 32
3.5 PCI DSS:................................................................................................................. 34
3.6 Devices used ........................................................................................................... 35
3.7 HSM: ....................................................................................................................... 35
3.8 Crypto processor ................................................................................................... 37
3.8.1 Functionality: ......................................................................................................... 37
3.9 Payment Card Industry PIN Security Requirements: ....................................... 37
3.9.1 Objectives ............................................................................................................... 38
3.10 Establishing Security Measures ........................................................................... 38
3.11 Risk assessment: .................................................................................................... 41
4 Chapter 4 – Solution .................................................................................................. 51
4.1 Prototyping ............................................................................................................. 51
4.1.1 Key Ceremony ....................................................................................................... 55
4.2 ISO 27001 Based Risk Analysis ............................................................................ 58
4.3 PCI-DSS Based Risk Analysis .............................................................................. 61
4.4 Master key Management ...................................................................................... 62
5 Chapter 5 – Tools....................................................................................................... 68
5.1 Bonita Soft:............................................................................................................. 68
5.2 Bonita User Experience ......................................................................................... 70
6 Future Prospects ........................................................................................................ 72
7 Table of Figures ......................................................................................................... 75
8 Abbreviations ............................................................................................................. 76
9 Bibliography ............................................................................................................... 78
7

8. 8

9. Abstract
We are heading towards the next generation solutions for making life better with the help
of technological advancements -we always talk about futuristic solutions:
How we could make the best for our upcoming generations which should be ecological and
fruitful. But we sometimes forget about the fundamentals that assist to achieve those things
- we have the ideas, we also have the aim in our mind - but still we are not able to get the
unsurpassable results out of those things that already exist. Technology has really helped a
lot to achieve that target of making things better: so that it could assist us to work well in
organizations, dealing with the problems and most importantly for the people to live their
life in a more valuable way.
This Master thesis is dedicated to those situations where a normal human intelligence is not
enough to manage certain complexities around us: Of course with the help of technology
and our brain power. Whatever we do in our life, it basically consists of some steps to
reach a goal. We start in the morning, when we wake up and everybody tries to give his or
her best to make the most out of a day, but still sometimes we are not able to meet those
goals that we decide for when we wake up. That’s because sometimes we forget to follow
our own rules or sometimes we stick to our rules enough that we cannot even see the other
possibilities which can affect our whole process of reaching somewhere.
This is the case of only our every day’s life, but here we are more concerned about a much
more complex process which is Information Security, so I am trying to represent my views
to ensure optimum Information Security and particularly in the field of Payment Card
industry. In last few years we all have been moved to electronic medium of managing and
maintaining vital information: Internet, Mobiles are good examples. We have tried all the
ways to make it more and more secure but still we have seen a lot of issues while
maintaining it.
This thesis is a research work of such issues and how we could handle them with the right
approach. Securing information is one of the most critical tasks in today’s world as the
cloud of information is increasing every day. That’s because the interaction of humans
with the machines is increasing at a very rapid rate. As you can see, the dependency of
managing the information with the help of machines has notably increased, as a result,
complexity of the processes has also increased. As a consequence, inability to managing
the vital information is also increasing.
Off course machines have made our life easy but think about a world where you cannot
even prove who you are because of the lack in the process of securing the content. The idea
is to overcome the issue of being „lost in possibilities”.
9

10. 10

11. 1 Introduction
My work starts from the definition of, “What is a Process” and I would answer that a
process is nothing more than a set of rules to reach certain results in an optimum manner.
But this is a very simple definition of the word “Process”, and everybody learns it from
their childhood to achieve the best at their school, in various subjects, different sports and
other activities etc. And the nature of doing it in a way to achieve the optimum comes
automatically. So my point is everybody is the manager of its own life and the various
processes around it. But still we can easily see that we rely on different strategies,
techniques and at most the technology to make things better e.g. we use technology to get
things done automatically and faster.
But if we come to the reality of complex processes in the corporate world, in these kinds of
situations ordinary human intelligence is not enough to handle everything by its own and
there comes the role of IT. It came into existence in the late 60’s and since then it has
played a major role in everybody’s life. As a result, we have been trying to automate the
things in almost every aspect of life. But we never asked ourselves that “are we making the
best out of IT” and my answer is yes but only up to some extent.
As we look at today’s process infrastructure in any industry, it’s very dynamic and very
complex in almost every aspect. So we need the concept of Business process modeling to
make it easy for the users to view, to find solutions around the complications, to manage
things in a useful way.
The basic idea of Information Security works on three elementary pillars:
Availability
Integrity
Privacy
In context of information security, if there is no privacy, it’s not worth it, if it is not
available then there is no use, if there is no integrity then we have lost the authenticity. So
to achieve the maximum security we should consider all three points, as without each other
they are incomplete and none of them make any sense.
In a more precise view the concept of availability depends on the infrastructure like
optimal system resources, power backups, backup of the information, disaster recovery
management etc. Second thing is to ensure the Integrity in order to provide trustworthy
information processing system: We must take care that information should be viewed in
the same manner as it is entered. Third and the most important pillar of information
security lead to maintaining the privacy -which in terms leads to granulated access control
to information, secured by the means of applied cryptography.
11

12. When we talk about privacy in the context of applied cryptography, the first idea that
comes to our mind is encryption and decryption, as we encipher the content and send it to
the desired user and the designated recipient can decipher it to read the original content.
This is the most basic definition of maintaining security by applying the methods of
cryptography for securing privacy. But in a real working environment it becomes more
than the simple definition, as additional security requirements needs to be considered:
Where do we want to ensure security?
What information needs to be secured?
Which quality requirements are appropriate?
How much we can invest into security precautions?
Especially the aspect of applied cryptography receives a more detailed augmentation along
this thesis. Cryptography on the one hand is a discipline covering more than just
encryption algorithms and associated cryptographic keys.
Most commonly, these algorithms are implemented in software libraries (e.g. OpenSSL,
NSS, CyaSSL, and many others) which can increase overall system security indeed. By the
way, OpenSSL has evolved to be a widely used and integrated cryptographic service
provider (SSL, 2011)
A closer look into the architecture though, reveals the focus of next generation cyber-
criminals and hackers: having potentials for compromising cryptographic key material. In
case an adversary gets access to the clear values of cryptographic keys, he has access to the
information realm protected by these keys.
Hence, the protection of cryptographic keys is an essential requirement to meet the basic
security requirements mentioned above.
In order to illustrate the potential risks behind the scene: whenever cryptography is
processed in software using a cryptographic service provider such as OpenSSL, a system-
dump, provoked by an adversary or caused by erroneous programming, can lead to a key-
compromise. That’s because, the keys in operation need to be available in clear form
within application memory.
This may sound to inherit a very theoretical probability and even professional risk
managers, today may still ignore the possible impacts, but such attacks are already
becoming reality. In order to reduce the risks for this kind of key-compromise method,
special crypto-hardware can be applied to backend-servers, in order to encapsulate
cryptographic functions and keys using tamper resistant security modules (TRSM, or more
abstract: Hardware Security Modules – HSM). Well defined protection profiles, aligned
and certified to international and open standards, enable the highest level of risk reduction
covering the technological aspects regarding applied cryptography.
12

13. Another scenario covers the usage of untrustworthy keys, in case an associated notary
function has been compromised. Notary functions for assigning higher trust-levels to
cryptographic key material using digital signing methods based on cryptography are
typically implemented as a Certification Authority (CA) for digital certificates. As a matter
of fact, digital certificates can be seen as today’s pillars of the stage, on which the play of
applied cryptography is performed, especially covering the act “Trusting the internet and
its web-services”.
As an example, a possible man-in-the-middle attack, using rogue digital certificates, can be
named. Further information regarding the recent attacks on CAs like Commodo and
DigiNotar can be found here:
Unauthorized issuing of Google certificates
Source: Sophos. (2011). naked Security. Retrieved September 4, 2011, from
http://nakedsecurity.sophos.com/2011/08/29/falsely-issued-google-ssl-certificate-
in-the-wild-for-more-than-5-weeks/)
Source: Hack on DigiNotar: Arstechnica. (2011). Retrieved August 3, 2011, from
http://arstechnica.com/security/news/2011/09/comodo-hacker-i-hacked-diginotar-too-
other-cas-breached.ars
A brief resume of the above mentioned cases reveals that the security cannot be
achieved solely by integrating technological measures, without a strong focus on
the organizational measures.
This thesis will focus on possible misconceptions, unveiling the missing link in the overall
security equation and how possible mitigations can be implemented, especially on the basis
of holistic and risk-managed business process management and its dedicated workflows.
If cryptographic key-material is not managed properly, e.g. on time, then system-
availability cannot be assured. Certain keys must be securely generated, distributed and
imported at a corresponding crypto node on a cyclic basis, for instance yearly. In certain
cases when a key would not be provided in time, a business service may disrupt for
duration longer than demanded, thus harming business processes by causing severe
revenue losses.
Various international solution manufacturers have started responding to the growing need
for holistic enterprise key management systems and infrastructures over the last 10-20
years. As of today, the outcome can be reduced to a simple conclusion: even though many
key-management tools exist, they are mostly island-solutions, lacking standardization or
standards-harmonization, thus introducing a multitude of key-import-formats and
processes, leading to expensive investments for integration or increasing the possibility for
single-point-of-failure.
13

14. Even though standardization efforts show significant improvements, such as KMIP (Key
Management Interoperability Protocol) driven by the OASIS Group, the outcomes are
solutions mainly on the technological level, missing attention on the organizational level.
Due to resort-boundaries within organizations and different perspectives and priorities
along the management-lines, lacks in the organizational aspects of information security are
most common.
Uncertainty of employees, impacts of change management, the effects of mergers and
acquisitions, time-pressure on projects due to rapid market developments and oversized
shareholder expectations, lead to a very dynamic business environment. Therefore easily
disturbing business continuity and degrading the awareness for establishing and
maintaining a holistically oriented information security management system on a cross-
company level.
While discussing an overall concept of IT-based orchestration of Business Process
Management on the one hand, I will also guide a down-the-rabbit-hole journey through the
roundabouts of the administration and management of critical cryptographic key-material
for cryptographic service providers.
These are typically anticipated to be black-box systems and operations on the IT system
administration level, providing required cryptographic services to various levels of
information processing components, like business-applications, middle-ware, operating-
systems, network-devices and information long term storage.
In today’s business-world, there is a significant and growing demand for information
security based on applied cryptographic services and therefore also cryptographic keys.
The evolution has taken place in a rather subtle manner, multiplied by the achievements of
the internet-era and increasingly being under severe compliance-pressure due to the
multitude of successful attacks by cyber-criminals or even just system-failures, as a
consequence of underestimated quality-assurance and inexplicable processes and
workflows.
Therefore, an enterprise can face pervasive dependencies inherited in the IT-landscape
caused by missing knowledge about the lifecycle and whereabouts of cryptographic key-
material. As an example: not knowing about the whereabouts of cryptographic keys, can
lead to severe conflicts with national laws, in case law-enforcement agencies are entitled to
access company information within an investigation. Access to information can require
decryption of an information database, which can be hindered, if the corresponding
encryption-key is not accessible or cannot be recovered.
Resuming the above mentioned, the establishment and operation of cryptographic
infrastructures requires more than conventional system integration of IT-Systems. Each
14

15. implementation of a cryptographic service provider and its exploitation by applications
affords profound system-planning and process integration.
A very crucial aspect in this context is the risks being introduced with initially setting up
cryptographic infrastructures. Professional, trustworthy and obviously certified crypto-
equipment (Smartcards, Smart-Card readers, Password Tokens, Hardware Security
Modules (short: HSM, also called tamper resistant security Modules: TRSM)) requires a
primary protection layer, which needs to be managed using well-defined and approved
workflows under dual control and/or co-signing.
Source: In Personal communication with:
Brandtstaetter, T. (2011). Cyber Crime. Nürtingen: In Personal Communitaion.
The whole concept of protecting cryptographic keys starts from generating a key also
known as a Master Key so that it could encrypt or decrypt other keys lying in the key
hierarchy. This is the most essential requirement for maintaining the security. But as I have
already mentioned, the concept of applying cryptography depends on many other factors
especially regarding the realm for which we want to achieve the security goals. Due to vast
amount of standards that should be met by the industries and the international compliance
guidelines that may have to be followed, the location of the area in which one wants to
apply cryptography should be carefully checked according the national laws. In these kind
of situations may be you won’t be allowed to use certain cryptographic algorithms or must
limit the key length to be used. In these cases for instance, the operational controls for
cryptographic infrastructures exceed the white-paper presentation usually found on applied
cryptography.
To scramble up a more practice oriented approach, this master thesis is basically
considering the area of payment card industry in terms of Information Security which is of
course very crucial in today’s global world. Almost everybody uses ATMs these days to
withdraw money from their bank accounts but most of the people don’t know how they
work. Because people increasingly rely on standards like VISA, PCI PIN Security
Requirements, PCI-DSS, they may think that it must be secure enough if they are
following these standards. But still every day we can see a lot of forgeries and a lot of
hacks everywhere around the world and most of the time they arise because of human
negligence. This thesis will provide a strategic and practicable approach to overcome those
loopholes, which are more of an organizational nature rather than being only technological.
Because technologically we are advanced enough to make the system secure but in order to
achieve and maintain that level we depend on more than only highly diverse technologies.
15

16. So here I am trying to give a strategic approach to follow a plethora of standards and to
achieve the maximum information security possible, reducing mistakes, covering a
multitude of loopholes and balancing efforts:
1.1 Various Techniques
The complexity of the various technologies is increasing every day and the desire of
making them simpler is increasing as well. Lots of ideas have come and gone in the past to
make the world simpler but only few persist. If we talk about simplicity then we vision an
interactive system with which we can interact and which can give the answers to our
issues, which can maximize the profits, maximize the outputs, minimize the risks,
maximize the possibilities of change management etc. Below I introduced some strategies
that we have used so far on which we still rely at different levels, depending on the
different scope of requirements.
1.2 UML
The techniques of Unified Modeling Language (UML) are used to model some artifacts,
like to specify, modify, visualize and construct during the System or Software development
process. It came into the market after hard work from Rational Software Corporation.
UML provides us with a very good way of understanding different aspects and
perspectives of a software or system with the help of standardized diagrams for modeling.
We can easily design prototypes and the blueprints for testing purpose.
Advantages:
We can use it to re-engineer existing systems, for instance, if these were not properly
documented. Using UML improves collaboration and co-operation within larger
development teams, enables cost reduction in external auditing and support interactive
work during the SW-Engineering process.
16

17. Figure 1-1
Source: Ambler, S. (2010). fox.wikis. Retrieved August 2, 2011, from
http://fox.wikis.com/wc.dll?Wiki~BusinessRulesAndUML
UML has started the first revolution to handle the complex business processes. It has
provided many useful elements to keep track of the process and to visualize it for the
simplicity.
Activities
Actors
Business Processes database Schemas
Logical components
Programming Language components
Software Components
17

18. 1.3 SOA
Service oriented Architecture, it is a combination of different services which are loosely
coupled but at last we can make the benefit out of combining them together. It is kind of a
framework that covers various disciplines to conceptualize, analyze, design, and architect
their service-oriented assets. It was a great achievement for us to come to this point as
SOA has given us a power to integrate various things together and to give the optimal
output. But still it was basically meant for the IT industry, which is not enough if we deal
with the complexity of today’s world.
Figure 1-2
Source: Corbasson, L. (2007, December 24). SOA. Retrieved August 1, 2011, from
http://en.wikipedia.org/wiki/File:SOA_Metamodel.svg
18

19. Disadvantages:
The both models mentioned above, concentrate on issues regarding the IT industry and
don’t cover the holistic aspects of business process in any kind of industry. They both are
focusing on the development of software and systems in the field of IT, but they are not
aligning to the process-oriented business demands, that incorporate IT beyond today’s
system integration of island solutions.
1.4 BPMN2.0
Business Process Modeling Notations 2.0,itcomes with a lot of hopes and a lot of
expectations for many industries which are trying to automate their processes for a long
time; it’s been a big problem for a long time in industries and in general to handle
processes. People in different industries have been surrounded by this question since years
that how to generate culminating results out of any process. Many management techniques
were introduced, to handle the various issues within the industry (like policy management,
risk management, disaster recovery management etc.) but we never were able to
conglomerate all issues together to provide the unrivaled solution. We have tried to work
with different technologies so that we could manage different processes as I have already
mentioned a few of them above. But BPMN has provided all those functionalities and gave
us a platform which is not only suitable for the IT industry but it can fulfill a wider scope
of requirements depending on the demands of various industries.
1.5 Advantages over others:
As I have shown above two basic approaches to fulfill our intrinsic requirements, the
comparison to BPMN has its limitations.
Regardless of fulfilling our needs not only in IT, it gives us a wide variety of tools to play
with it as well. This eventually makes it more concrete to measure the complexity, and
more scenic. It also provides a much better chance for users to understand it easily. It has a
wide range of notations that can give us a lot of freedom in designing in order to reduce the
complexity. Some of its features are as follows:
We can design and implement various complex processes(like in designing a
car)
Choreography
19

20. Orchestration
Ease of Use
Easy to visualize
Human tasks
Gateways
Message Flows
Group Tasks
Collaborations
There are many tools available in order to apply BPMN to the design and implementation
of any work flow or the modeling of any process. But it’s always a challenging task to
decide which one to choose.
During the progress of my work, many options were available. Since, I intend to attract
towards open public for the topic of my thesis. I have focused on open source tools only, in
order to promote rapid applicability
The bewildering variety of open source technologies and solutions is obviously steadily
increasing, so I also wanted to contribute to this development. I have chosen to analyze the
following candidates:
Activiti
Source: Activiti. (2011). Components. Retrieved May 20, 2011, from
http://www.activiti.org/components.html
JBPM5
Source: Community, J. (2011). JBPM. Retrieved May 20, 2011, from Documentation:
http://www.jboss.org/
Bonita Soft
Source: Bonita Open Solution. (2011). Bonita Soft. Retrieved May 20, 2011, from
Resources: http://www.bonitasoft.com/
It depends on the requirements, which tool to choose, because every tool has some
advantage over the other. So it depends exactly on what we actually need to do, the
complexity of the process or the whole infrastructure we have to cope with. For my work I
would like to prefer Bonita Soft for further evaluation and prototyping.
20

21. According to Forbes magazine companies relish the prospect of reducing complexity,
while cutting and maintaining IT infrastructure and that’s the main motive behind the
introduction of BPMN in market. So with the help of BPMN we cannot even reduce the
complexity but we can also reduce cost, reduced stressed etc. so far these are the
achievement of BPMN.
21

22. 2 Company Profile
22

23. 2.1 History
1992 – 2009 SYNARGOS GmbH
- International projects with leading banks, manufacturers and
providers (data processing centers, outsourcing)
- Design and implementation of applied cryptography (key-
management and protocols) using hardware security modules
(HSM) for banking networks, based on solutions from leading
manufacturers for achieving highest security ratings possible
(NIST FIPS 140-2 Level 4)
2010 - 2011 BÜROTEX Synargos GmbH
- Continuation of line of business
- Business extension to infrastructures for business processes
based on mobile computing: RFID, NFC (near field
communication), secure user authentication using smart
phones
Establishing & Securing critical Business-Processes
Project development
Software and systems engineering
23

24. 2.2 Core Business
1. Establishing & Securing Business-Processes
Securing electronic payment systems for financial transaction solutions via
dedicated and internet-based networks (home banking)
Card based payment systems in networks running ATM and POS
2. Project & Solution development
Requirements-Management
Feasibility studies
Consulting, Training & Education
Tendering support
Project management
Sub-contracted and full scale project realization
Security and Risk Management (ISO 27001)
Audit Support (PCI-DSS, VISA PCI PIN Security Requirements)
3. Software and systems engineering
Standard processes and methodologies
Architecture, Design and Quality-assurance using the methodologies of
cybernetics
24

25. 2.3 Cryptography-Typical Application
Today, applied cryptographic methods reaches, almost all areas of information
processing. Typical applications are:
The encryption of personal data e.g. credit card information
Securing the information while transmission within Card based payment
systems
The calculation of personal data for pre-personalization of chips for smart
cards
The production and use of digital signatures for certificates signed by
Certification Authorities.
2.4 Hardware Security Module in Crypto Server-Implementation
The MX42 crypto server is delivered as an appliance with one or more
HSMs
The production of the appliance is done at BÜROTEX Synargos which
processed highly secured and with maximum measures regarding quality
assured components and quality-assurance processes:
- Hardware platform: IBMx3650 server, IBM 4764-001
HSM(certified to FIPS 140-2 Level 4)
- Software platform: SUSE Linux Enterprise server(Certified by
Common Criteria EAL4+), IBM CCA Services (Basic Crypto API),
BÜROTEX Synargos MX42 FINPIN Software(SW-Engineering
using Rational Unified Process and Extensions using V-Model when
required by customers)
The integrity of the appliance is detectable
25

26. 2.5 HSM IBM 4764-001 Internal Architecture
Figure 2-1
Source: IBM. (2005, October). Security. Retrieved August 2, 2011, from Crypto Cards:
www-03.ibm.com/security.cryptocards/pcixcc/library.shtml
26

27. 2.6 FINPIN
Background of Cryptographic Abstraction Layer
Name origin: Financial PIN Services
Description: FINPIN is an Application Programming interface
Architecture: Client Server
Licensing: As a feature enhancement to the crypto server MX42
Usage: Application can use the cryptographic services of MX42 Crypto
server via FINPIN API. FINPIN provides the basic features but you can also
add other features
Characteristics:
The interface is expendable FINPIN
The parameterization of key names is flexible and it provides a generic
referencing for the application
Inside the Crypto server a FINPIN call can be divided into several crypto
functions
No clear key or the intermediate results of cryptographic protocols outside
the HSM
The application is decoupled from the key management
Key administration for the initial keys e.g. Master key of the HSM, delivery
of the Transport key
27

28. 2.7 Functions
Possible general Functions are:
GMPX – German MAC/PAC Extension
GTPV- German Triple DES PIN Verification
EMVX- Euro Card Master Card Visa Card Extension, scripting for secure crypto
OS cards
Note: Other information about the customer specific functions on demand
Source: BÜROTEX Synargos. (2011). FIPS. Nürtingen: Communication with in the
company.
28

29. 3 Conceptualization
I have already mentioned the concept starting from encrypting data which itself is a result
of enciphering with the help of a key. But it always depends on technologies that you want
to use and the companies policies, so these two things are the most important to consider
first. Applied cryptography for securing critical business processes based on hardware
security modules is today’s choice, when prompting cryptographic strengths into IT-
security realms of critical businesses. You will get to know more about Hardware Security
Modules soon which really ensures a-high level of security. So technologically we have
enough means to ensure the optimum level of security. Still we can see a lot of nullifying
results every day, that’s because we are not able to manage certain things properly which
leads to many security loopholes. These organizational loopholes are very easy to
understand but most of the time they are not being accepted, due to interest-conflicts. Very
often they are taken for granted and at the end of the day we see the devastating results as
an outcome of initially small mistakes. This thesis is a work on these kinds of situations
and I am trying to figure out, how we could overcome those gaps.
My main focus is on the payment card industry and when you talk about this industry you
can easily imagine that it needs high end security, since it is mostly very complex and not
easy to manage. Almost everyone is related to this industry in today’s world but generally
people don’t want to go into details.
So before diving into the most complex part here I will provide a brief description of some
of the standards that we have to follow while handling issues related especially to this
industry.
3.1 NIST
National Institute of Standards and Technology is responsible for U.S. Security standards
that have been internationally spread and adapted by the security industry and its
applications. Its major task is to promote the innovation and the technological
advancements of security standards and certifying solutions, in order to be widely accepted
by governments and industries for the global benefit of the society.
3.2 FIPS
Federal Information Processing Standards are US government computer security standards
that specify requirements for cryptographic modules. There are different modules available
depending on what kind and what level of security you need in your organization and some
standards have already been defined for some particular organizations. These standards
have been defined by the NIST to ensure optimum security levels for processing
29

30. information. Amongst these standards, some are covering the security demands for the
implementation and accreditation of cryptographic modules: FIPS 140 here especially
FIPS 140-2.It is basically categorized in to four levels:
3.2.1FIPS 140-2 Level 1:
This is the lowest level of security, it prevail limited level of security and remarkably good
level of security is actually absent in this level. An example of the security level 1 is the
mother board of the personal computer encryption board or the FIPS validation of
OpenSSL being validated to FIPS-2 Level 1.
3.2.2FIPS 140-2 level 2:
It adds the concept of the physical tamper-evidence devices that just pick up the resistance
from the outside world related to the device. It is actually kind of a seal which places over
the cryptographic devices so that an attacker has to go through this layer of coating and if
he or she will break this coating then the authorized person will be informed and it also
facilitates the availability of the role based authentication.
3.2.3FIPS 140-2 level 3:
In addition to the tamper-evident, level 3 also ensures that the intruder cannot have the
access to the Critical Security Parameters held within the cryptographic module. This layer
especially focuses on the physical intrusion of the module and how to handle it. It also
ensures the security by the concept of the split knowledge, because of which you can trust
the system can trust yourself and can trust others, that’s why the knowledge is always
divided into two people.
3.2.4FIPS 140-2 level 4:
This level enforces the maximum level of security for cryptographic modules, providing
tamper-detection and tamper-prevention of attacks, forcing an internal overall mesh-
coating for achieving maximum resistance against tampers. Also enforced are protection
against X-Ray tampering, atmospherically tampering (temperature, surrounding air-
pressure) and voltage-tampering; the module must exactly test and detect all possible
tampers in its operating environment and in case of a tamper -zeroize all security elements
within the module, thus taking the device out of operation and preventing successful
attacks.
Source: BÜROTEX Synargos. (2011). FIPS. Nürtingen: Communication with in the
company.
30

31. Another most important standard is ISO 27001which is by far the basis for defining a
management process to assure information security. Being into this kind of industry and
focusing on the optimum security measures one should adhere to theISO27001 standards
family. Initially the British Standard Institution has developed a standard called BS7799
which was used to develop and implement an Information Security Management System
commonly known as ISMS. Its main focus was on the availability, integrity and the
confidentiality of organizational information. But it was initially a single standard and later
on they have added some more information to it and then it became ISO 17799. And then
ISO 27001 mandate the use of the BS7799 so, It is actually today the second part of the
ISO 27001. It is also beneficial for companies who already have ISO 9001 standard which
basically ensures a quality process.
ISO 27001 basically consists of four steps which covers most of the organizational security
measures.
PLAN(Establish the ISMS):
Establish the ISMS, policy, objectives, processes and procedures that are relevant for
managing risks and improving information security to deliver results in accordance with an
organization’s overall policies and objectives.
DO(Implement and operate the ISMS):
Implement and operate the ISMS policy, controls, processes and procedures.
Checks (monitors and review the ISMS):
Access and, where applicable, measure process performance against ISMS policy,
objectives and practical experience and report the results to management for review.
ACT(maintain and improve the ISMS):
Take corrective and preventive actions, based on the results of the internal ISMS audit and
management review or other relevant information, to achieve continual improvement of the
ISMS.
Source: ISO-27001. (2011). itgovernance. Retrieved July 10, 2011, from Compliance:
http://www.itgovernance.co.uk/iso27001.aspx
31

32. 1
Figure 3-1
3.3 VISA PIN Security Requirements Audit:
Visa explains in its standard management of the master key which starts with its
generation. As I said above that enciphering of data can be done with the help of a key and
at the top most level in the hierarchy of keys it is called Master Key. We need to take some
precautions while managing master keys and VISA helps us to do that.
We need to set up an environment to manage the whole process. The first and the foremost
thing, is to have a minimum of dual control for every process so that there will always be
two people who are responsible for the management of the master key. The reason for this
is to secure the master key from the person himself. By dual-control the knowledge about
the secret (master key) is always segregated among two people so that without each other
they cannot receive the knowledge of complete final key.
It depends on the security policies, in how many pieces we divide that key, and we can
even divide it into three parts depending on the policy we are using. So the master key
1
Created by author
32

33. always consists of minimum two parts and to do so we need two at least two people (key
custodians and their deputies) who are responsible for this purpose. So the first thing is to
decide who these two people are going to be, it depends on the management where we are
implementing it, in our case we will call them Custodian 1 and Custodian 2. So according
to the Visa requirements there are basically 7 stages to ensure the security of the key.
Secure equipment and methodologies
Secure key creation
Secure key conveyance/Transmission
Secure key loading
Prevent unauthorized usage
Secure key administration
Equipment management
Source: VISA. (2004). PIN Security Requirements. Retrieved May 20, 2011, from
https://partnernetwork.visa.com/vpn/
33

34. 3.4 PCI DSS:
Payment Card Industry Data Security Standard is an information security standard covers
data security requirements regarding security of personal data of a bank’s customer, who
holds the credit cards, debit cards, prepaid, e-purse, ATM, and POS cards etc. This
standard was basically meant to reduce the risk of the fraud in the payment card industry. It
applies to all the entities which are involved in the payment card processing like
merchants, processors, acquirers, issuers, service providers as well as all the other entities
which process and store the card holder’s details.
There are 12 requirements for meeting the PCI DSS which are divided into 6 groups
Build and Maintain a Secure Network
Requirements:
Install and maintain a firewall configuration to protect cardholder data
Do not use vendor-supplied defaults for system passwords and other security
parameters
Protect Cardholder Data
Requirements:
Protect stored cardholder data
Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
Requirements:
Use and regularly update anti-virus software
Develop and maintain secure systems and applications
Implement Strong Access Control Measures
Requirements:
Restrict access to cardholder data by business need-to-know
Assign a unique ID to each person with computer access
Restrict physical access to cardholder data
Regularly Monitor and Test Networks
Requirements:
Track and monitor all access to network resources and cardholder data
Regularly test security systems and processes
Maintain an Information Security Policy
Requirements:
Maintain a policy that addresses information security
34

35. Source: PCI-DSS. (2011). PCI Data Security Standanrds. Retrieved May 20, 2011, from
https://www.pcisecuritystandards.org/security_standards/
3.5 Devices used
There are also some kinds of devices that we use to reach the maximum level of security
some of them are as follows:
3.6 HSM:
It stands for Hardware Security Module, and is defined as a piece of hardware-component
and associated software that is usually installed inside a computer and provides a tamper
resistant environment for itself. An HSM basically used for secure generation of key
material, encryption, decryption, hashing etc.
There are many HSM manufacturers that are available in the market today but IBM is one
of the global players and also the most renowned in the HSM market, being the first
company in the market to have achieved FIPS 140-2 Level 4 validation for their HSMs by
NIST.
IBMs tradition in participating in the HSM market with cryptographic co-processors that
can be additionally installed by customers in backend servers, reaches back to 1989, where
the first HSM in form of cryptographic co-processor, being a tamper resistant HSM named
IBM 4755(adapter card) and IBM 4753(Network Security Processor for IBM mainframes)
were introduced. Along with this product availability IBM introduced IBM CCA.
Today IBM has basically two products which are available in the market: IBM 4764 and
IBM 4765, whose cryptographic services are made available to applications via the IBM
Common Cryptographic Architecture (CCA)
Even before the CCA era, IBM provided tamper resistant cryptographic modules as system
immanent components, for instance on the IBM 4700 controller series, which reaches back
to the seventies.
Being designed for long durations of operation, the IBM HSMs are used by top 500
companies, especially the ones using IBM mainframes (zSeries). In case of proper
maintenance, meaning regular exchange of batteries, the HSMs can be operated for
duration up to 10 years.
35

36. Figure 3-2
Source: IBM. (2011). Security. Retrieved August 2, 2011, from Cryptocards: http://www-
03.ibm.com/security/cryptocards/pcixcc/4764SerialNumbers.shtml
It does not only provide the security by its tamper proof architecture, but also accelerates
the processing time -for functions like key generation, encryption, decryption and digital
signing. There are many kinds of algorithms available today for the encryption and
decryption and some are really complex and also consumes too much CPU power when
using software crypto libraries on a server. When we talk about the payment card industry
then of course we are thinking about a very high volume of transactions requiring crypto
operations every day. So of course we need to handle the operations very quickly and in
some cases HSM can successfully off-load a servers CPU usage- when performing crypto
36

37. operations. And the most important thing is that these versions of HSMs from IBM qualify
the maximum level of security standards called-FIPS 140-2 Level 4.
Source: BÜROTEX Synargos. (2011). FIPS. Nürtingen: Communication with in the
company.
3.7 Crypto processor
Crypto processor is nothing more than a chip embedded in an HSM for carrying out
cryptographic operations. It also provides a certain degree of tamper resistance.
3.7.1Functionality:
In general how do we ensure the security is to bind the software to a piece of hardware so
that only the legitimate user can have access to the software: But in order to prevent not
only the execution of the software on other machines but to protect the entire software
from any access, we require a security perimeter that keeps unauthorized reverse
engineering from observing the memory and the execution of instructions. The manual
solution is to keep the computer into a locked room so that only the desired people can
have access to the hardware and the software but the problem lies there, only few people
can have access to the room. But there is another approach which is called as IBM's
µABYSS project. Here the security perimeters protect a single printed circuit board inside
a workstation. The operating system and cryptographic keys are stored in battery buffered
static RAM chips that are located on the same board as the CPU, the system bus, the hard
disk controller, a real time clock and a battery. The board is surrounded from all side by an
alarm mechanism that consists of a multilayered winding pattern of a pair of fine wires,
which is embedded into hard opaque epoxy resin. And any attempt to hamper the security
module will trigger the alarm and wipe out the software and the keys from the battery
buffered RAM.
Source: Kuhn, M. (1997, April 30). Cambridge. Retrieved May 20, 2011, from
http://www.cl.cam.ac.uk/~mgk25/trustno1.pdf
3.8 Payment Card Industry PIN Security Requirements:
It basically consists of 7 objectives which tell us all the required parameters to ensure the
PIN security.
37

38. 3.8.1Objectives
PINs used in transactions governed by these requirements are processed using
the equipment and methodologies that ensure they are kept secure.
Objective : Cryptographic keys used for the PIN encryption/decryption and related key
management are created using the process that ensure that it is not possible to predict any
key or determine that certain keys are more probable than others.
Keys are converted or transmitted in a secure manner.
Key loading to hosts and PIN entry devices is handles in secure manner
Keys are used in manner that prevents or detects their unauthorized usage
Keys are administered in a secure manner
Equipment used to process PINs and keys is managed in secure manner
Source: PCI-DSS. (2011). PCI Data Security Standanrds. Retrieved May 20, 2011, from
https://www.pcisecuritystandards.org/security_standards/
So far you have seen that to maintain all the security we need a lot of standards. And it is a
must have condition to follow all these standards to be in this industry otherwise we can
cannot assure the optimum quality. But the standards are so complex that many a times we
commit some mistakes and even these standards tells us all the formalities but they never
tell us how to apply all those and if you look into the details of every standard you can
even find a lot of loopholes. That’s where I am trying to focus in this master thesis.
3.9 Establishing Security Measures
As you can understand the importance of a Master key by now, which was generated
during the initial phase the rest of the security assurance will always depend on the
handling and protection of Master Key. But if the master key itself is compromised then
there is no use of securing anything underneath the Master Key-as it is the root cause of the
vulnerabilities. Using various technologies and different standards we safely generate the
master key, which itself is not easy to crack. The next step is the real challenge: that is to
place it into HSM and its real operational environment. Here lies the actual problem. How
we can manage the master key to ensure the security at its optimum?
The standard defines the measures, one should take to ensure the security but they don’t
define how we can establish them in a real world enterprise.
38

39. We need to start in an upmost hierarchy of any organization that is on the management
level, when establishing an Information Security Management System (ISMS) that
identifies and manage the risks existent to vital assets such as a Master Key.
When business processes are tied to profound ISMS, the awareness is placed accordingly
to manage the risks and assure the measures needed to prevent impacts of possible
loopholes that could lead to compromises of Master Keys.
Information Security:
In my scenario of a holistic coverage of security awareness, starting from Information
Security Management level, all the way down to the operational level, where Master Key
are process on the system level, I want to identify basically three layers which consists of :
1. Management- Risk assessment (which basically consists of ISO 27001)
2. Business Process- Following all the standards(PCI DSS mainly)
3. System- Management of the master key
39

40. 2
Figure 3-3
In order to achieve such an implementation in any organization of course, you will need to
segment the security context across different departments, which is another managerial
task to accomplish. So for my purpose I will divide the whole process into three different
layers within an organization.
Top Management
Line of Business management
Infrastructure and System- Management
And if you see the whole scheme then you will say it’s the top management’s job to decide
for what they want to go, depending on the objectives and the strategies of the company.
Top management basically consists of the highest ranking executives like the managing
directors, president, vice presidents etc. and their main responsibility is to define the goals,
objectives, strategies and for sure the future of the company. So their job stands at the top
of a company’s organizational hierarchy, they will have to decide whether they want to go
for a profound Information Risk and Security Management system or not.
If you look at today’s business world, it becomes a necessity to follow all required
standards and compliance issues.
Otherwise a company’s leadership may last for a short period of time only, which also
applies to manufacturers of security solutions, which require the same awareness in
2
Created by author
40

41. security management as the companies operating their solutions to provide high security
levels to their customers.
So the first step in order to ensure security starts with Risk assessment. Top management
will have to identify and manage the risks for the company’s future related to a particular
business and if they want to persist into the business then they have to commit to the
required processes.
Now if you have decided to go for all these standards then comes the second phase which
is line management who will plan to get the desired output or we could say the people who
are responsible for meeting the corporate goals, maintaining the policies and all the
standards. A line manager could be anybody depending on the industry where you are
participating in.
Like in any company we need a person who will handle the probabilities of the risks
regarding the particular working field. In our case he must be a person who will handle the
desired goals in real time to get the desired output that the top management has planned.
He will manage the resources under him to get the predefined result and it’s his job to plan
how to reach those targets.
The third and last layer I will consider is called Infrastructure Management the people who
are responsible for daily operations as defined by the top management and the line of
business management have planned. They will also have to adhere standards depending on
the industry area you work in, but in the cases of IT-infrastructure operations, the ITIL
standards-framework is a good approach to follow.
3.10 Risk assessment:
The top management is responsible to manage the overall risks for the company and needs
to govern, all the necessary measures that need to be fulfilled, so they will generate a set of
objectives and the second line of management will handle all those objectives.
In my scenario top management is responsible for defining the objectives of the ISMS.
The Chief Security Officer (CSO) will decide and plan to which extent an ISMS system is
needed and how efficient its implementation will need to be. Current development and
trends show, that companies accept the international standard ISO27001 as a guideline for
implementing an ISMS, which is the reason why I will further focus on it.
41

42. The CSO will identify applicable risks as outlined by ISO 27001, setting a major directive
on how to manage information security. But depending on the business area
diversifications on ISO 27001, other standards could also imply, resulting from the nature
of business risks.
The second line of management will take care of risk assessment to meet those targets
according to the desired standards. Various technologies, implementation strategies,
standards an studies are available in the market, that allow individual approaches for
establishing an ISMS
In my work, I have used the RM Studio application from Stiki (Iceland).
This tool is basically used to analyze the security risks while focusing on ISO 27001 and
other security measures. The advantage of RM Studio compared to an implementation of
an ISMS based on EXCEL is the round-trip-management that is possible with yearly audits
and re-certifications as well as the intelligent reporting system that produces assessment
and audit-report on the fly, thus saving considerably valuable time.
It has already predefined all the necessary requirements that can apply to a company, Very
practical is the fact, that standards like ISO 27001 or PCI-DSS are already copied in
verbose into the database of RM Studio, which saves valuable time in editing. In addition,
the standards are available in different languages, making it quite convenient to get ISMS
certification on an international basis, which is essential for global enterprises.
We can also create our own standards or add threats and measures depending on our
demands and assess the risks using the same ISMS tool infrastructure.
The below diagram is the first view of the RM Studio and here you can see that it looks
very user friendly and it has all the parameters as well to calculate the risks.
42

43. Figure 3-4
3
Calculate Risks
To calculate the risks on Information Security as defined by the ISO 27001 standard, we
need to define the infrastructure of our information processing landscape, including all the
assets, job roles, availability and the other resources and of course their dependencies on
each other. As you can see in the picture above, first we have to define the business entities
for which we are trying to calculate the risks. As we are talking about the security so we
must consider the ISO 27001 all the time, so for this reason whatever we are going to
analyze it will calculate the risk on the basis of ISO 27001. This is the first task to achieve
in any company who wants to do their business securely. ISO 27001 basically tells us to
design ISMS (Information Security Management System) which eventually ensures a
system to tell us about the overall security system in an Enterprise.
Since we have the desired standards integrated in RM Studio, we can easily define our
assets, assign the applicable risks and perform the risk assessment on the fly.
3
Created by author
43

44. The ISO27001 covers the whole organization but for this thesis my main focus will be on
the Objective A.12.3.1 which says:
Cryptographic Control
Objective:
Protect the confidentiality, authenticity and integrity of information by cryptography. In
further detail that means:
Policy in the use of Cryptographic control: A policy on the use of the cryptographic
control for protection of information shall be developed and implemented.
Key management: Key management shall be in place to support the organization’s use of
the cryptographic techniques.
Most of the people always neglect these two most basic problems and even the ISO doesn’t
define how to achieve these tasks. So the first thing in any organization is to check whether
they are following these standards or not and if they are then how much is the risk and the
RM Studio provides us this facility to calculate on the basis of above mentioned standards.
The next most important thing that comes is the PCI DSS, if we are working in the
information security and especially in the banking domain then we will have to follow the
PCI DSS which stands for Payment Card Industry Data Security Standards.
I will give a brief introduction on how to calculate the risk regarding these two standards
but I have to mention that, it varies from organization to organization.
We can easily see in the Figure3-5, various standards but for us means as security wise,
only ISO 27001 and PCI-DSS are important so first we will analyze with the ISO27001
standard and then we will try to find out the risk analysis with the PCI DSS.
In Figure 3.6 we can see that the next step is to define the Business entity for which we are
trying to calculate the risk. In the Business entity we have to provide the basic details of
the company like name, address etc.
44

45. 4
Figure 3-5
5
Figure 3-6
4
Created by author
5
Created by author
45

46. 6
Figure 3-7
The next thing is to define the business assets including all the details of the company.
Figure 3-7 explains this how to define the assets of the company and to get the accurate
result we have to define all the assets of the company that includes all the possibilities
exists in any organization that means the people their expertise, hardware, service level
agreements with the clients etc. Now as you can see in the Figure 3-7 the assets are defined
including all the people involved their dependency on each other and complete
infrastructural assets as well.
6
Created by author
46

47. 7
Figure 3-8
Figure 3-8 explains that how the individual component in the organization are important
for us, and what’s their credibility, their security risks and their impact in the organization
which is very important e.g. If the lead developer is not available in the company during
any issue so his availability has to be high during those period where as on the other hand a
person who is doing only the clerical stuff, he is also very important for the company but
his availability is not that important during the critical issues. So regarding all these
questions in mind we have to provide the different parameters in the risk scenarios for the
different assets.
7
Created by author
47

48. 8
Figure 3-9
The above Figure shows the risk analysis on the basis of ISO 27001 and different assets
that we have defined earlier. On the basis of values of the assets and availability it shows
us the risk is 2%, which is very low and good for the organization. Now we can also check
it for different parameters like the confidentiality and the integrity how much is the risk.
The below Figure 3-10, shows that now the result have been rises to 1% including the all
the factors in an organization. So it is even far better so by theses all results we can easily
define that we have gone through the risk parameters of the ISO 27001 standards and in
any case if the risk is too high then we can again define the assets and then we could do the
gap analysis.
8
Created by author
48

49. Figure 3-10
9
Figure 3-11
The Figure 3-11 shows here the PCI-DSS standards, we have to do the same things again
and then again we have to check the possibility of the risks and the threats from against
PCI-DSS. If the result is low like 1% or 2% then we could be sure of one thing that we can
go further that means we have successfully followed the PCI-DSS standards as well.
And now the real work start for the information security, initially we had the problem that
there are many standards which are very complicated and how to follow them all. Then we
9
Created by author
49

50. have seen the utility of the RM Studio which has made our work easy to asses our
organization against these standards. But still the problem is there, even though we have all
the standards but we can still see various attacks every day in news. So there must be a
problem somewhere which is the problem of good management and basically the problem
of following all the complex processes. And to solve all the problems we will take the help
of the BPMN2.0
50

51. 4 Chapter 4 – Solution
4.1 Prototyping
Now comes the role of Infrastructure Management- the lowest level of management, it’s
not only responsible for the IT infrastructure to meet the business needs for high
availability, reliability and scalability, but it is also responsible for managing services of
the business process management. It provides us a way to calculate the availability,
reliability, risks management etc. In the past this kind of structure was mainly meant for
the big organizations but today even the small organizations can also make profit with this
kind of approach.
In this chapter I am trying to find some loopholes on the basis of the infrastructure
manager with the help of the Business Process Modeling. It will be used as a prototype to
define the problems using the BPMN2.0. As I have already introduced BPMN2.0 and have
already explained that there are many tools available in the market today so for my
convenience I would use a tool called Bonita Studio. It consists of many facilities which
are using different technologies to solve our purpose. Figure 4-1 shows the basic view of
the Bonita Studio which explains itself that how we could design the workflows. On the
left hand side of the picture we can see the toolkit to design the workflows which consists
of the BPMN2.0 standards.
Source: Bonita Open Solution. (2011). Bonita Soft. Retrieved May 20, 2011, from
Resources: http://www.bonitasoft.com/
51

52. 10
Figure 4-1
As I have already explained in the previous chapter, first we have to follow the general
standards which are important to be compliant to, so that we could ensure maximum
security possible. First we have to go through all those steps to achieve the certifications
and to calculate risks in an enterprise accordingly.
Top Management: get ISMS certified according to ISO 27001
Business line: get certified according to PCI-DSS(while interacting with
ISMS)
Infrastructure: make sure, that processes meet required quality goals and
provide audible trails, adhering to policies directed by layer 1 and 2
respectively.
Then we come to the details of Master Key management.
Master Key management is a very complicated issue and the operational issues lie at the
bottom of the whole organizational hierarchy. In reality, experience shows, that dual
control can practice with compromises, as a result of project-pressure (e.g. change requests
10
Created by author
52

53. in exceptional situations) or degrading awareness and knowledge, due to employee
fluctuation. So, if a decision is made to have a single key-custodian process both parts of a
Master Key, then the key by definition is compromised. The associated crypto system may
still operate fully functional, but when it comes to an audit in the future, especially
connected to the implications of a successful and published hack by cyber-criminals, the
business itself may be faced with severe losses.
Bottom Line: if a Master Key is not properly secured, because the responsible persons for
the key ceremonies do not follow a pre-defined process, then nothing beneath it will be
secure.
It doesn’t matter which standards we are trying to comply to. Even after following all the
security measures and all standards we are not able to ensure the provable protection of
Master Key.
So in this chapter I will try to outline solution which can be used to overcome the issues of
process disruption during Master Key management. The idea itself is not new and it is a
conglomerate of all the standards that we have talked about earlier.
As according to VISA, the whole process has to be divided among two people so that the
possession and knowledge is segmented among two which is also called secret splitting.
One custodian therefore has no knowledge about the second part of Master Key. Without
the second part final Master Key cannot be reconstructed.
This is an essential step to ensure the highest level of trust in processing this kind of vital
asset.
If only one person would be responsible for the whole process, then lots of problems come
up:
Insider attack: if the person turns out to be corrupt, the organization can be
heavily damaged(all business processes go out of operation, reputation
damage, customer resigning due to loss of trust)
Social engineering made easy: it is easy for the attackers to leak out
information from just a single person, as compared to retrieving it from
segregated knowledge.
At any place the process starts from establishing an environment which has to be properly
defined and configured to produce the optimum output. So we will need at least two people
to handle the whole process at any cost (keeping in mind that substituted, also called
deputies, need to be assigned also). We will call them custodians for our own convenience
with specific rights to manage the master key and they must not know each other for the
sake of security.
53

54. The next thing coming up is the environment we need:
There are different possibilities, depending on the organizations. As it is most crucial part,
so I would suggest to, prefer for maximum security. In other words: to go for highest
quality, regarding Hardware, Software and Service Level Agreements (SLA, ITIL for
further details on the implications). As it is not easy to maintain operations without clear
structures and contracting schemes, this aspect alone requires intensive management
covering a complexity of, security measures of its own.
Now coming to my solution, the infrastructure to be managed will consists of different
things:
11 N no of
Workflow
application
front end
servers
Application
Server using Workflow
HSM Server
Crypto
Hardware to Web
WF-Mgr.
Customer secure Server
Business
Logic Workflow
for MK
CNM Mgmt
HSM
Key-Mgr.
N no of HSMs
11
Created by author
54

55. I would prefer to use three different servers to achieve more security; they all stay at the
client side (which is to say any bank). Now on the first server we have to use an API
through which we can communicate with the IBM-CCA (common cryptographic
architecture) which actually lies on the other server. Through this API users can enter into
the machine to do the desired operation. On the other server the whole processing works
under the HSM but users can access it through another login (for security purpose). While
in between there lies another server which is called as IBM MQ series which is basically
used for the queuing purpose. So that queuing takes place properly and it will never go into
the deadlock situations. On the second server there lies the crypto API and IBM CNM
through which we can generate the keys. These servers are connected with each other with
the help of LAN and must be placed under high supervision. This is another loophole when
we manage Master Key while in a real time environment and most of the standard doesn’t
provide much information regarding the management of the Master Key while handling it
in network attached HSMs. This is the technical aspect of the infrastructure that really
ensures very high end security but the real problem to be solved is performing the required
operations without loopholes.
The organizational infrastructure has many loopholes whenever key components are
produced by an HSM and there comes the most critical part.
Often enough, we face the problem that users don’t know how to handle the complete
environment so they make mistakes while doing so.
So here I am trying to give a best view of the complete process. It has to be divided into
different departments properly so that all participating roles are enforced to do their work
properly, which is the most important part regarding the organizational management.
The whole process, which is called key ceremony, is as follows:
Note: Each Key ceremony is understood as a change to a productive system. This implies,
that all the tasks performed during the following process for the key ceremony, are pre-
plan able and governed by a workflow management system, designed and implemented to
guide the process in a manner, that guarantees a continuous audit trail and provides logs,
that give detailed information about the life-cycle of any key processed.
4.1.1Key Ceremony
The centralized authority will instruct the two custodians that they will have to generate
their key parts for a certain target key; this notification could be sent via e-mail, physical
mail or anything whatever the policy is. The custodians have to confirm their availability
and if any case they are not available, they must take care of assigning the corresponding
deputy for that custodian in advance.
55

56. Special requirements and pre-requisites regarding the execution of the key ceremony: the
complete ceremony must be executed in a secure room(trusted environment, level: HIGH),
which requires:
- Isolation from outside environment, protecting against acoustic and
electromagnetically information trespassing
- Dual access control: no single person should be able to be alone in the
secure room, the access to the room is granted after dual-login to the
room
- In case of exceptional situations(fire, earthquake, etc.) the ceremony
must be cancelled, any key material produced during this session
marked as incomplete, not trustworthy-and should be destroyed
- Cellular/smart phones are not allowed during the residence in this
room
- Camera surveillance: this requirement can be conflicting, as gaining
knowledge about who enters the room on the one side, brings the
disadvantage, that surveillance officers could possibly re-construct
key-values that are entered by custodians after reading the values
from key letters
Security guards will check the facility access of the custodians and other
participating persons (in case if a live audit by Visa) and inspect and carried
item not required during the key ceremony, which may need to be deposited
by the security guards during the ceremony.
Custodians will have a dedicated time to achieve their task, as defined.
The custodians will be escorted by at least one other person (internal auditor)
until the last entrance of the room. As required before, no person is allowed
to be alone in the secure room.
There has to be a secured login accessing the system operated by the
custodians while performing the operation to generate the master key parts.
Access Control can be realized by various ways: smart card login, access
tokens with one time password etc. there are different technologies today, it
depends on the companies security demands and policies and external
compliance regulations.
56

57. Regarding the generation of the desired Key. It has to be dedicated systems
only for this purpose and it should be non -bootable from any media.
Another important issue: the system hardware should be connected to a
functionality tested and working Uninterruptible Power Supply.
As soon as the key generation is done, and stored to the intermediate
transportation media for further key part loading to the target HSMs, the has
to be backed up, for the purpose of key-recovery, depending on the
companies backup policies. Regarding cryptographic key material, long term
in experience and best practices show that most of the organizations still
believe key-parts printed all key letters on paper to be the best practical
choice and most enduring backup media still around. Once key-values are
securely printed out onto key-letters, the printouts are enveloped and are
required to be separately stored to different physical safes, providing
continuity in key separation under dual control.
There are different scenarios in different organizations where some people
prefer to have the key generation environment into the organization itself and
others prefer to have it at the other places. And the complexity differs from
case to case.
If it is at a different place then it has to be transported through a physical
medium and there comes another security loophole. There are different ways,
but most of the organizations do this thing, they contact the courier company
and they transport it within a tamper resistant module. So that if anybody tries
to hamper it then it will automatically destroy the content. Both the parts have
to be transported through different routes and through different courier
companies so that to achieve the concept of the dual control all the time.
As you can see this whole key ceremony process is a perfect candidate for implementing a
workflow using BPMN2.0:
It can be automated and run as a centralized governed authority moderating
the process
It can keep track of all process activities all the time
It could also reduce the human errors which people generally do in
organizations like forgetting about vital process steps that disrupt the quality
chain. So to overcome all those problems we need an automated process
control (our centralized authority) so the people who are involved in this
57

58. process can handle the whole system easily which will in consequence secure
our whole environment as well.
At this point I want to introduce the role and application of BPMN2.0 with the help of
which we cannot just automate the process but also we can keep track of all activities
applied.
4.2 ISO 27001 Based Risk Analysis
12
Figure 4-2
Figure 4-2 shows that we are going through our first phase of the whole process where we
will check the criteria for the ISO 27001. This workflow will initiate the STIKI RM
Studio, in order to perform the minimum yearly risk analysis. The outcome is the yearly
report required for ISO 27001 certification. If we will be able to follow the ISO27001
standards then we will go to the next phase.
So now it’s just time to automate the whole process and make it working. This part of the
workflow is the first swimlane and I have given it a name called Risk Assessment for the
12
Created by author
58

59. ISO-27001. As you can see in the Figure 4-2, it consists of the three tasks start task, a
script task and an end task. You can see in the middle which is the script task which is
actually a shell script which is going to initialize the STIKI RM Studio. It provides us a
wide variety of options. I have preferred to choose the script task as it seems simple for
me.
Figure 4-3shows how you could define the script task. This Figure is basically showing
connectors. In Bonita Studio, we have to define a connector for this task, which is of the
shell script type and then you just have to define the script that you want to run. It is
actually a simple GUI which is easy to understand and can guide you for everything that
you want to do. I have simply used one line of script to initiate RM Studio. There are
various other ways to do this task like you can create a java code as well but then the
whole process will be too mighty and if you want to make some changes then you will
have to make the changes everywhere. That’s why I have chosen the script task which is
easy to use and easy to perform, just one line of code and you can achieve your work.
Further this means I have provided a layer between workflow design and implementation
that means if you want to replace the implementation details you don’t have to touch the
workflow design. You also need to define the person who is going to initialize the process,
in my case this is the initiator who will handle the workflow and who is going to initialize
this particular process. There are several other facilities that you could achieve with this to
make it more secure like only a dedicated user can do a particular task. For this reason I
have created a particular user in RM Studio to perform this task as if we can see this in an
organization there has to be a person who will take care of this responsibility and who have
the complete knowledge of the company’s environment and also have a nice idea about the
ISO-27001.
59

60. 13
Figure 4-3
13
Created by author
60

61. 4.3 PCI-DSS Based Risk Analysis
Now comes the second part of the whole work flow which is to analyze the risks on the
basis of the PCI-DSS. After finishing the first job that is to analyze the risk on the basis of
ISO27001, workflow will jump onto the second level which is to analyze the risk on the
basis of PCI-DSS. You can see in the Figure4-4, the next swim lane comes into the
existence which is called as PCI-DSS Analysis. It has different criteria as compare to the
ISO27001 but it is also very important to fulfill this task so as to ensure the maximum
security and the optimum result. You have to do the same thing again like in previous
process. So again I have defined a script task to initialize the RM Studio but this time the
user is different. From the organizational point of view it will be a person who will take
care for the PCI-DSS certification and a person who has a sound knowledge about the PCI-
DSS, so that the organization could be sure about getting the certification properly. And if
the organization already has the certification then they could skip to the next step which is
for the management of the Master Key. And don’t forget to change the standards in RM
Studio as by default after finishing the previous step it must have been selected
automatically to ISO27001. These two swimlane are loosely coupled, they are not
dependent on each other but they are part of the whole process. So we just cannot skip any
of them.
14
Figure 4-4
14
Created by author
61

62. 4.4 Master key Management
15
Figure 4-5
Figure 4-5 shows the next layer of the work flow which consist of the more complex and
much interesting part. Here I am trying to show the management of the Master Key. Here I
have used Crypto Node Management (CNM) which is proprietary by IBM and delivered
with IBM HSM 4764 and IBM 4765 so I will not give much detail here but you can see the
login for CNM in Figure 4-6. And it doesn’t matter for us how it works because we are
only focused on the organizational issues rather than the technical details. It is also called
as Common Cryptographic Architecture Node Management Utility. As you can see in the
Figure 4-6, the custodians can login with different methods, it depends on the company’s
policy how you do this; you can also notice different tabs showing different utilities like
key storage, Crypto node etc. For our purpose there are of course few things to know
about. The Crypto Node and Master key tab are the most important for us to know. With
Crypto Node we can easily find the information about installed HSMs, like the state of the
HSM, its battery state, error logs etc. So whenever we notice any unwanted behavior like
unauthorized logon (outside valid time range), we can easily inspect Crypto Node and can
look into the details moreover can possibly find the cause of the issue.
15
Created by author
62

63. Second important tab for us to know is Master key which is of course used for generating
Master Keys, via several Master Key parts. It provides us a guided way of generating it.
The other important thing that comes next is key storage which gives us an ability to
manage the keys and their storage. As there are different algorithms available for the
encryption so it provides us different ways depending on key type.
Figure 4-6
Source:
IBM. (2011). Infocenter. Retrieved from ZOS:
http://publib.boulder.ibm.com/infocenter/zos/
In Figure 4-5, you can see in the workflow that this part of the whole workflow starts from
sending invitations to the custodians. Now we are sending mails to different Custodians,
inviting them for the key ceremony on a particular date and if any of the custodians are not
available then they will have to communicate with the responsible person that they are not
available, thus activating their deputy.
There is another scenario here that we have to invite different custodians on different dates
so that they will never come to know about each other, it makes the whole key ceremony
63

64. more secure and it might also be possible that instead of dual control there are three
custodians so we have to invite all of them at different times. And if they accept the
invitation then the workflow will move to the next step and it will guide all involved
people to move further.
But before workflow can do this we have to consider a few more things as regards to the
workflow. First we have to setup some technical requirements: configure mail server so
that we could receive or send mails. For the purpose of receiving the mails we could use
for e.g. Mozilla’s thunderbird or we can use default environment depending on the
individual infrastructure.
In the next step the CNM will come into existence and the work flow will ignite the CNM,
in order to initiate the generation of the required key material. It has a mechanism to
handle the complexity of generating the master key and you can also choose different
strategies for management or for distribution. As you can see in the diagram there are two
timers at the two different tasks. So there is always a dedicated time which has been
allocated to complete the task and if that time is reached and the job is not done then you
cannot go to the next phase of the process. This normally causes management alerts and
triggers appropriate measures to continue the process.
The next thing that comes into the mind is to store the key parts after generation, so for that
purpose we need to take the backup of the key parts and it depends on the organizations
policy how they could do this. Many organizations take the backup on a USB stick or, if
allowed by budgets, even smart cards16, but as sticking to the stereotypes that paper is the
best form of storing information for long lasting persistence, we will write down the key on
a piece of paper and will store it in a safe as you can see it in the Figure 4-7.
Details not mentioned: each custodian must deposit its key part in separate safes. Any
access to the safes and whereabouts of the key letters during absence must be logged in a
key life cycle protocol. After unpacking a key letter from an envelope, a new envelope
(tamper proof security bags) with registered serial numbers must be used before depositing
the key material back to the safes.
16
Smart cards are not secure by nature, as with HSMs, they need to be initialized and personalized before
they can be used by their associated custodians to carry key material and other security parameters. Also
smart cards need to be backed up otherwise in case of one smart card being damaged, recovery of certain
key is not possible anymore.
64

65. 17
Figure 4-7
18
Figure 4-8
17
Created by author
18
Created by author
65

66. At last you can see the final Figure 4-9 which is the complete workflow that reveals to us
the whole concept.
66

67. 19
Figure 4-9
19
Created by author
67

68. 5 Chapter 5 – Tools
5.1 Bonita Soft:
Bonita open solution had first come into existence in 2001, being developed for BPM and
handling workflows. Initially it was developed by the French National Institute for
Research in Computer Science. But since 2009 its development has been done by the
company called Bonita Soft. It is made up of three components:
Bonita Studio:
Bonita Studio allows the user to interact with the system and graphically design the
workflows on the basis of the BPMN2.0 standard. It provides us a lot of flexibility to
connect Bonita soft with lots of other information systems like the ERP systems, databases,
Content Management Systems. It has an inbuilt support for many other systems and the
good thing is most of them are open source. It also gives us a flexibility to design the forms
that you can see as an end user and can interact with the processes. The whole platform is
based on eclipse20 which itself is very mighty tool. So it provides us a very powerful tool
at the end and also a lot of flexibility.
Bonita BPM Engine:
The BPM engine is a JAVA API which gives users more flexibility to experiment,
implement and test process integration.
Bonita User Experience:
Bonita user interface provides the users a webmail kind of a portal with which user can
have a look at the various processes. It basically relies on the GWT.
20
(Source: Eclipse, retrieved from www.eclipse.org, 2011)
68