You are on page 1of 82

Heidelberg University of Applied Sciences

Germany/Heidelberg
Faculty of Informatics

Master Thesis

Business Process Modeling in the field of Information Security

Submitted by
Vishal Sharma

Supervised by
Prof. Dr. Gerd Mckel
Dr. Peter Misch
August 2011
Companys Supervisor: Dipl. - Ing. Thomas Brandtstaetter

Business Process modeling for the sake of


Information Security
By

Vishal Sharma
Matriculation no: m1000830

A thesis submitted as a pre-requisite for the


Degree of Master of Science

Thesis Advisory Committee


Prof. Dr. Gerd Mckel & Dr. Peter Misch

Dipl-Ing. (BA) Thomas


Brandtstaetter

Heidelberg University of Applied Science

BROTEX Synargos GmbH

Ludwig-Guttmann-Strae 6

Max-Eyth-Str. 21

69123 Heidelberg

72622 Nrtingen

Germany

Germany

Affidavit

Herewith I declare:

That I have composed the chapters for the Master Thesis for
Which I am named as the author independently;

That I did not use any other sources and additives then the ones specified;

That I did not submit this work at any other examination procedure;

Heidelberg,

(Date)______________________________

(Signature)______________________

Acknowledgements

Following the Indian tradition, first I would like to give my heartiest thank to the
whole Germany and its people who have accepted me here and gave me an
opportunity to learn and to move further in my life. Not forgetting about my family
after staying away from them for almost two years and who are the pillars of my life
that always stand by me to give me the strength to accomplish whoever I am today.
Mr. Thomas Brandtstaetter as my mentor, who has always gave me an inspiration to
achieve the best and to think in an eco-economic manner which is fruitful to the
whole society. I would like to give him my thanks to be with me all the time during
this project. As an Indian the most important people in my life are my teachers
(Gurus) Prof. Dr. Gerd Mckel and Dr. Peter Misch, the most generous persons I met
and the whole staff of Fachhochschule Heidelberg, who always helped me and
always motivated me during my studies.
Last but not least the whole Staff of BROTEX Synargos who has always shown me
the right path, and provided me with all the information which I needed during the
six months, and always spend their useful time for me to discuss things about my
project.

Table of Contents
Abstract ................................................................................................................................ 9
2

Introduction ........................................................................................................... 11

2.1

Various Techniques ............................................................................................... 16

2.2

UML ........................................................................................................................ 16

2.3

SOA ......................................................................................................................... 18

2.4

BPMN2.0 ................................................................................................................ 20

2.5

Advantages over others:........................................................................................ 20

Company Profile .................................................................................................... 22

3.1

History .................................................................................................................... 23

3.2

Core Business ......................................................................................................... 24

3.3

Cryptography-Typical Application ..................................................................... 25

3.4

Hardware Security Module in Crypto Server-Implementation ........................ 25

3.5

HSM IBM 4764-001 Internal Architecture ......................................................... 26

3.6

Strategic Partner.................................................................................................... 27

3.7

FINPIN ................................................................................................................... 27

3.8

Functions ................................................................................................................ 29

Conceptualization .................................................................................................. 30

4.1

NIST ........................................................................................................................ 30

4.2

FIPS ........................................................................................................................ 30

4.2.1

FIPS 140-2 Level 1: ............................................................................................... 31

4.2.2

FIPS 140-2 level 2: ................................................................................................. 31

4.2.3

FIPS 140-2 level 3: ................................................................................................. 31

4.2.4

FIPS 140-2 level 4: ................................................................................................. 31

4.3

ISO 27001: .............................................................................................................. 33

4.4

VISA PIN Security Requirements Audit: ........................................................... 34

4.5

PCI DSS:................................................................................................................. 36

4.6

Devices used ........................................................................................................... 37

4.7

HSM: ....................................................................................................................... 37

4.8

Crypto processor ................................................................................................... 39

4.8.1

Functionality: ......................................................................................................... 39

4.9

Payment Card Industry PIN Security Requirements: ....................................... 39

4.9.1

Objectives ............................................................................................................... 39

4.10

Establishing Security Measures ........................................................................... 40

4.11

Risk assessment: .................................................................................................... 45

Chapter 4 Solution .............................................................................................. 54

5.1

Prototyping ............................................................................................................. 54

5.1.1

Key Ceremony ....................................................................................................... 59

5.2

ISO 27001 Based Risk Analysis ............................................................................ 62

5.3

PCI-DSS Based Risk Analysis .............................................................................. 64

5.4

Master key Management ...................................................................................... 65

Chapter 5 Tools................................................................................................... 71

6.1

Bonita Soft:............................................................................................................. 71

6.2

Bonita User Experience ......................................................................................... 73

Future Prospects .................................................................................................... 75

Table of Figures ..................................................................................................... 78

Abbreviations ......................................................................................................... 79

10

Bibliography ........................................................................................................... 81

Abstract
We are heading towards the next generation solutions for making life better with the help
of technological advancements -we always talk about the futuristic solutions:
How we could make the best for our upcoming generations which should be ecological and
fruitful. But we sometimes forget about the fundamentals that assist to achieve those things
- we have the ideas, we also have the aim in our mind - but still we are not able to get the
unsurpassable results out of those things that already exist. Technology has really helped a
lot to achieve that target of making things better: so that it could assist us to work well in
organizations, dealing with the problems and most importantly for the people to live their
life in a more valuable way.
This Master thesis is dedicated to those situations where a normal human intelligence is not
enough to manage the things around: Of course with the help of technology and our brain
power. Whatever we do in our life, it basically consists of some steps to reach a goal. We
start from morning, when we wake up and everybody tries to give his or her best to make
the most out of a day, but still sometimes we are not able to meet those goals that we
decide for when we wake up. Thats because sometimes we forget to follow our own rules
or sometimes we stick to our rules enough that we cannot even see the other possibilities
which can affect our whole process of reaching somewhere.
This is the case of only our every days life, but here we are more concerned about a much
more complex process which is Information Security, so I am trying to represent my views
to ensure optimum Information Security and particularly in the field of Payment Card
industry. In last few years we all have been moved to electronic medium of managing and
maintaining vital information: Internet, Mobiles are good examples. We have tried all the
ways to make it more and more secure but still we have seen a lot of issues while
maintaining it.
This thesis is a research work of such issues and how we could handle them with the right
approach. Securing information is one of the most critical tasks in todays world as the
cloud of information is increasing every day. Thats because the interaction of humans
with the machines is increasing at a very rapid rate. As you can see the dependency of
managing the information with the help of machines has notably increased as a result of
that complexity of the process has also increased; that has caused an inability to handle
vital information.
Off course machines have made our life easy but think about a world where you cannot
even prove who you are because of the lack in the process of securing the content. The idea
is to overcome the issue of being lost in possibilities.

10

Introduction

My work starts from the definition of, What is a Process and I would answer that a
process is nothing more than a set of rules to reach certain results in an optimum manner.
But this is a very simple definition of the word Process, and everybody learns it from
their childhood to achieve the best at their school, in various subjects, different sports and
other activities etc. And the nature of doing it in a way to achieve the optimum comes
automatically. So my point is everybody is the manager of its own life and the various
processes around it. But still we can easily see that we rely on different strategies,
techniques and at most the technology to make things better e.g. we use technology to get
things done automatically and faster.
But if we come to the reality of complex processes in the corporate world, in these kinds of
situations ordinary human intelligence is not enough to handle everything by its own and
there comes the role of IT. It came in to existence in the late 60s and since then it has
played a major role in everybodys life. As a result, we have been trying to automate the
things in almost every aspect of life. But we never asked ourselves that are we making the
best out of IT and my answer is yes but only up to some extent.
As we look at todays process infrastructure in any industry, its very dynamic and very
complex in almost every aspect. So we need the concept of Business process modeling to
make it easy for the users to view, to find solutions around the complications, to manage
things in a useful way.
The basic idea of Information Security works on three elementary pillars:
 Availability
 Integrity
 Privacy
In context of information security, if there is no privacy, its not worth it, if it is not
available then there is no use, if there is no integrity then we have lost the authenticity. So
to achieve the maximum security we should consider all three points, as without each other
they are incomplete and none of them make any sense.
In a more precise view the concept of availability depends on the infrastructure like
optimal system resources, power backups, backup of the information, disaster recovery
management etc. Second thing is to ensure the Integrity in order to provide trustworthy
information processing system: We must take care that information should be viewed in
the same manner as it is entered. Third and the most important pillar of information
security lead to maintaining the privacy -which in terms leads to granulated access control
to information, secured by the means of applied cryptography.
11

When we talk about privacy in the context of applied cryptography, the first idea that
comes to our mind is encryption and decryption, as we encipher the content and send it to
the desired user and the designated recipient can decipher it to read the original content.
This is the most basic definition of maintaining security by applying the methods of
cryptography for securing privacy. But in a real working environment it becomes more
than the simple definition, as additional security requirements some very hectic measures:





Where do we want to ensure security?


What information needs to be secured?
Which quality requirements are appropriate?
How much we can invest into security precautions?

Especially the aspect of applied cryptography receives a more detailed augmentation along
this thesis. Cryptography on the one hand is a discipline covering more than just
encryption algorithms and associated cryptographic keys.
Most commonly, these algorithms are implemented in software libraries (e.g. OpenSSL,
NSS, CyaSSL, and many others) which can increase overall system security indeed. By the
way, OpenSSL has evolved to be a widely used and integrated cryptographic service
provider (SSL, 2011)
A closer look into the architecture though, reveals the focus of next generation cybercriminals and hackers: having potentials for compromising cryptographic key material. In
case an adversary gets access to the clear values of cryptographic keys, he has access to the
information realm protected by these keys.
Hence, the protection of cryptographic keys is an essential requirement to meet the basic
security requirements mentioned above.
In order to illustrate the potential risks behind the scene: whenever cryptography is
processed in software using a cryptographic service provider such as OpenSSL, a systemdump, provoked by an adversary or caused by erroneous programming, can lead to a keycompromise. Thats because, the keys in operation need to be available in clear form
within application memory.
This may sound to inherit a very theoretical probability and even professional risk
managers, today may still ignore the possible impacts, but such attacks are already
becoming reality. In order to reduce the risks for this kind of key-compromise method,
special crypto-hardware can be applied to backend-servers, in order to encapsulate
cryptographic functions and keys using tamper resistant security modules (TRSM, or more
abstract: Hardware Security Modules HSM). Well defined protection profiles, aligned
and certified to international and open standards, enable the highest level of risk reduction
covering the technological aspects regarding applied cryptography.
12

Another scenario covers the usage of untrustworthy keys, in case an associated notary
function has been compromised. Notary functions for assigning higher trust-levels to
cryptographic key material using digital signing methods based on cryptography are
typically implemented as a Certification Authority (CA) for digital certificates. As a matter
of fact, digital certificates can be seen as todays pillars of the stage, on which the play of
applied cryptography is performed, especially covering the act Trusting the internet and
its web-services.
As an example, a possible man-in-the-middle attack, using rogue digital certificates, can be
named. Further information regarding the recent attacks on CAs like Commodo and
DigiNotar can be found here:
 Unauthorized issuing of Google certificates
Sophos. (2011). naked Security. Retrieved September 4, 2011, from
http://nakedsecurity.sophos.com/2011/08/29/falsely-issued-google-ssl-certificatein-the-wild-for-more-than-5-weeks/)
 Hack on DigiNotar:
Arstechnica.
(2011).
Retrieved
Ausugst
3,
2011,
from
http://arstechnica.com/security/news/2011/09/comodo-hacker-i-hackeddiginotar-too-other-cas-breached.ars

A brief resume of the above mentioned cases reveals that the security cannot be achieved
solely by integrating technological measures, without a strong focus on the organizational
measures.
This thesis will focus on possible misconceptions, unveiling the missing link in the overall
security equation and how possible mitigations can be implemented, especially on the basis
of holistic and risk-managed business process management and its dedicated workflows.
If cryptographic key-material is not managed properly, e.g. on time, then systemavailability cannot be assured. Certain keys must be securely generated, distributed and
imported at a corresponding crypto node on a cyclic basis, for instance yearly. In certain
cases when a key would not be provided in time, a business service may disrupt for
duration longer than demanded, thus harming business processes by causing severe
revenue losses.
Various international solution manufacturers have started responding to the growing need
for holistic enterprise key management systems and infrastructures over the last 10-20
years. As of today, the outcome can be reduced to a simple conclusion: even though many
key-management tools exist, they are mostly island-solutions, lacking standardization or
standards-harmonization, thus introducing a multitude of key-import-formats and
13

processes, leading to expensive investments for integration or increasing the possibility for
single-point-of-failure.
Even though standardization efforts show significant improvements, such as KMIP (Key
Management Interoperability Protocol) driven by the OASIS Group, the outcomes are
solutions mainly on the technological level, missing attention on the organizational level.
Due to resort-boundaries within organizations and different perspectives and priorities
along the management-lines, lacks in the organizational aspects of information security are
most common.
Uncertainty of employees, impacts of change management, the effects of mergers and
acquisitions, time-pressure on projects due to rapid market developments and oversized
shareholder expectations, lead to a very dynamic business environment. Therefore easily
disturbing business continuity and degrading the awareness for establishing and
maintaining a holistically oriented information security management system on a crosscompany level.

While discussing an overall concept of IT-based orchestration of Business Process


Management on the one hand, I will also guide a down-the-rabbit-hole journey through the
roundabouts of the administration and management of critical cryptographic key-material
for cryptographic service providers.
These are typically anticipated to be black-box systems and operations on the IT system
administration level, providing required cryptographic services to various levels of
information processing components, like business-applications, middle-ware, operatingsystems, network-devices and information long term storage.
In todays business-world, there is a significant and growing demand for information
security based on applied cryptographic services and therefore also cryptographic keys.
The evolution has taken place in a rather subtle manner, multiplied by the achievements of
the internet-era and increasingly being under severe compliance-pressure due the multitude
of successful attacks by cyber-criminals or even just system-failures, as a consequence of
underestimated quality-assurance and inexplicable processes and workflows.
Therefore, an enterprise can face pervasive dependencies inherited in the IT-landscape
caused by missing knowledge about the lifecycle and whereabouts of cryptographic keymaterial. As an example: not knowing about the whereabouts of cryptographic keys, can
lead to severe conflicts with national laws, in case law-enforcement agencies are entitled to
access company information within an investigation. Access to information can require
decryption of an information database, which can be hindered, if the corresponding
encryption-key is not accessible or cannot be recovered.

14

Resuming the above mentioned, the establishment and operation of cryptographic


infrastructures requires more than conventional system integration of IT-Systems. Each
implementation of a cryptographic service provider and its exploitation by applications
affords profound system-planning and process integration.
A very crucial aspect in this context is the risks being introduced with initially setting up
cryptographic infrastructures. Professional, trustworthy and obviously certified cryptoequipment (Smartcards, Smart-Card readers, Password Tokens, Hardware Security
Modules (short: HSM, also called tamper resistant security Modules: TRSM)) requires a
primary protection layer, which needs to be managed using well-defined and approved
workflows under dual control and/or co-signing.
Source: In Personal communication with:
Brandtstaetter, T. (2011). Cyber Crime. Nrtingen: In Personal Communitaion.

The whole concept of protecting cryptographic keys starts from generating a key also
known as a Master Key so that it could encrypt or decrypt other keys lying in the key
hierarchy. This is the basic idea behind applied cryptography. But as I have already
mentioned, the concept of applying cryptography depends on many other factors especially
regarding the realm for which we want to achieve the security goals. Due to vast amount of
standards that should be met by the industries and the international compliance guidelines
that may have to be followed, the location of the area in which one wants to apply
cryptography should be carefully checked according the national laws. In these kind of
situations may be you wont be allowed to use certain cryptographic algorithms or limit the
key length to be used. In these cases for instance, the operational controls for cryptographic
infrastructures exceed the white-paper presentation usually found on applied cryptography.
To scramble up a more practice oriented approach, this master thesis is basically
considering the area of payment card industry in terms of Information Security which is of
course very crucial in todays global world. Almost everybody uses ATMs these days to
withdraw money from their bank accounts but nobody knows how they work. Because
people increasingly rely on some standards like VISA, PCI PIN Security Requirements,
PCI-DSS, and they think that it must be secure enough if they are following these
standards. But still every day we can see a lot of forgeries and a lot of hacks everywhere
around the world and most of the time they arise because of human negligence. This thesis
will provide a strategic and practicable approach to overcome those loopholes, which are
more of an organizational nature rather than being only technological. Because
technologically we are advanced enough to make the system secure but in order to achieve
and maintain that level we always depend on highly diverse technologies.

15

So here I am trying to give a strategic approach to follow a plethora of standards and to


achieve the maximum information security possible, reducing mistakes, covering a
multitude of loopholes and balancing efforts:

1.1

Various Techniques

The complexity of the various technologies is increasing every day and the desire of
making them simpler is increasing as well. Lots of ideas have come and gone in the past to
make the world simpler but only few persist. If we talk about simplicity then we vision an
interactive system with which we can interact and which can give the answers to our
issues, which can maximize the profits, maximize the outputs, minimize the risks,
maximize the possibilities of change management etc. Below I introduced some strategies
that we have used so far on which we still rely at different levels, depending on the
different scope of requirements.
1.2

UML

The techniques of Unified Modeling Language (UML) are used to model some artifacts,
like to specify, modify, visualize and construct during the System or Software development
process. It came into the market after a hard work from Rational Software Corporation.
UML provides us with a very good way of understanding different aspects and
perspectives of a software or system with the help of standardized diagrams for modeling.
We can easily design prototypes and the blueprints for testing purpose.
Advantages:
We can use it to re-engineer existing systems, for instance, if these were not properly
documented. Using UML improves collaboration and co-operation within larger
development teams, enables cost reduction in external auditing and support interactive
work during the SW-Engineering process.

16

Figure 1-1
Source: Black, S. (2005). Retrieved July 2, 2001, from http://fox.wikis.com/
UML has started the first revolution to handle the complex business processes. It has
provided many useful elements to keep track of the process and to visualize it for the
simplicity.







Activities
Actors
Business Processes database Schemas
Logical components
Programming Language components
Software Components

17

1.3

SOA

Service oriented Architecture, it is a combination of different services which are loosely


coupled but at last we can make the benefit out of combining them together. It is kind of a
framework that covers various disciplines to conceptualize, analyze, design, and architect
their service-oriented assets. It was a great achievement for us to come to this point as
SOA has given us a power to integrate various things together and to give the optimal
output. But still it was basically meant for the IT industry, which is not enough if we deal
with the complexity of todays world.

Figure 1-2
Source: Corbasson, L. (2007, December 24). SOA. Retrieved August 1, 2011, from
http://en.wikipedia.org/wiki/File:SOA_Metamodel.svg
18

Disadvantages:

The both models mentioned above, concentrate on issues regarding the IT industry and
dont cover the holistic aspects of business process in any kind of industry. They both are
focusing on the development of software and systems in the field of IT, but they are not
aligning to the process-oriented business demands, that incorporate IT beyond todays
system integration of island solutions.

19

1.4

BPMN2.0

Business Process Modeling Notations 2.0,itcomes with a lot of hopes and a lot of
expectations for many industries which are trying to automate their processes for a long
time; its been a big problem for a long time in industries and in general to handle
processes. People in different industries have been surrounded by this question since years
that how to generate culminating results out of any process. Many management techniques
were introduced, to handle the various issues within the industry (like policy management,
risk management, disaster recovery management etc.) but we never were able to
conglomerate all issues together to provide the unrivaled solution. We have tried to work
with different technologies so that we could manage different processes as I have already
mentioned a few of them above. But BPMN has provided all those functionalities and gave
us a platform which not only suitable for the IT industry but it can fulfill a wider scope of
requirements depending on the demands of various industries.

1.5

Advantages over others:

As I have shown above two basic approaches to fulfill our intrinsic requirements but as
compare to them BPMN has an edge. Regardless of fulfilling our needs not only in IT, it
gives us a wide variety of tools to play with it as well. This eventually makes it more
concrete to measure the complexity, and more scenic. It also provides a much better chance
for users to understand it easily. It has a wide range of notations that can give us a lot of
freedom in designing in order to reduce the complexity. Some of its features are as follows:

 We can design various complex processes(like in designing a car) and can


implement
 Choreography
 Orchestration
 Ease of Use
 Easy to visualize
 Human tasks
 Gateways
 Message Flows
 Group Tasks
 Collaborations

20

There are many tools available in order to apply BPMN to the design and implementation
of any work flow or the modeling of any process. But its always a challenging task to
decide which one to choose.
During the progress of my work, many options were available. Since, I intend to attract
towards open public for the topic of my thesis. I have focused on open source tools only, in
order to promote rapid applicability
The bewildering variety of open source technologies and solutions is obviously steadily
increasing, so I also wanted to contribute to this development. I have chosen to analyze the
following candidates:

Activiti
Source: Activiti. (2011). Components. Retrieved May 20, 2011, from
http://www.activiti.org/components.html

JBPM5
Source: JBOSS. (2011). JBPM. Retrieved July 20, 2011, from Documentation:
http://www.jboss.org/jbpm/documentation

Source: Bonita Open Solution. (2011). Bonitasoft. Retrieved July 20, 2011, from
http://www.bonitasoft.com/

It depends on the requirements, which tool to choose, because every tool has some
advantage over the other. So it depends exactly on what we actually need to do, the
complexity of the process or the whole infrastructure we have to cope with. For my work I
would like to prefer Bonita Soft for further evaluation and prototyping.

According to Forbes magazine companies relish the prospect of reducing complexity,


while cutting and maintaining IT infrastructure and thats the main motive behind the
introduction of BPMN in market. So with the help of BPMN we cannot even reduce the
complexity but we can also reduce cost, reduced stressed etc. so far these are the
achievement of BPMN.

21

Company Profile

22

2.1

History

1992 2009 SYNARGOS GmbH


-

International projects with leading banks, manufacturers and


providers (data processing centers, outsourcing)

Design and implementation of applied cryptography (keymanagement and protocols) using hardware security modules
(HSM) for banking networks, based on solutions from leading
manufacturers for achieving highest security ratings possible
(NIST FIPS 140-2 Level 4)

2010 - 2011 BROTEX Synargos GmbH


-

Continuation of line of business

Business extension to infrastructures for business processes


based on mobile computing: RFID, NFC (near field
communication), secure user authentication using smart
phones

 Establishing & Securing critical Business-Processes


 Project development
 Software and systems engineering

23

2.2

Core Business

1. Establishing & Securing Business-Processes





Securing electronic payment systems for financial transaction solutions via


dedicated and internet-based networks (home banking)
Card based payment systems in networks running ATM and POS

2. Project & Solution development










Requirements-Management
Feasibility studies
Consulting, Training & Education
Tendering support
Project management
Sub-contracted and full scale project realization
Security and Risk Management (ISO 27001)
Audit Support (PCI-DSS, VISA PCI PIN Security Requirements)

3. Software and systems engineering


 Standard processes and methodologies
 Architecture, Design and Quality-assurance using the methodologies of
cybernetic

24

2.3

Cryptography-Typical Application
Today, applied cryptographic methods reaches, almost all areas of information
processing. Typical applications are:
 The encryption of personal data e.g. credit card information
 Securing the information while transmission within Card based payment
systems
 The calculation of personal data for pre-personalization of chips for smart
cards
 The production and use of digital signatures for certificates signed by
Certification Authorities.

2.4

Hardware Security Module in Crypto Server-Implementation


 The MX42 crypto server is delivered as an appliance with one or more
HSMs
 The production of the appliance is done at BROTEX Synargos which
processed highly secured and with maximum measures regarding quality
assured components and quality-assurance processes:
-

Hardware platform: IBMx3650 server, IBM 4764-001


HSM(certified to FIPS 140-2 Level 4)
Software platform: SUSE Linux Enterprise server(Certified by
Common Criteria EAL4+), IBM CCA Services (Basic Crypto API),
BROTEX Synargos MX42 FINPIN Software(SW-Engineering
using Rational Unified Process and Extensions using V-Model when
required by customers)

 The integrity of the appliance is detectable

25

2.5

HSM IBM 4764-001 Internal Architecture

Figure 2-1
Source: BROTEX Synargos. (2011). FINPIN. Nrtingen: Internal Communication.

26

2.6

Strategic Partner













2.7

Novell/SUSE
IBM
HP
FIS KORDOBA
Zertificon
Stiki
Oracle
Microsoft
Diebold
NCR
Hypercom
Sagem

FINPIN

Background of Cryptographic Abstraction Layer








Name origin: Financial PIN Services


Description: FINPIN is an Application Programming interface
Architecture: Client Server
Licensing: As a feature enhancement to the crypto server MX42
Usage: Application can use the cryptographic services of MX42 Crypto
server via FINPIN API. FINPIN provides the basic features but you can also
add other features
 Characteristics:
The interface is expendable FINPIN
The parameterization of key names is flexible and it provides a generic
referencing for the application
Inside the Crypto server a FINPIN call can be divided into several crypto
functions
No clear key or the intermediate results of cryptographic protocols outside
the HSM
The application is decoupled from the key management
Key administration for the initial keys e.g. Master key of the HSM, delivery
of the Transport key

27

28

2.8

Functions

Possible general Functions are:


 GMPX German MAC/PAC Extension
 GTPV- German Triple DES PIN Verification
 EMVX- Euro Card Master Card Visa Card Extension, scripting for secure crypto
OS cards

Note: Other information about the customer specific functions on demand

Source: BROTEX Synargos. (2011). FINPIN. Nrtingen: Internal Communication.

29

Conceptualization

I have already mentioned the concept starting from encrypting data which itself is a result
of enciphering with the help of a key. But it always depends on technologies that you want
to use and the companies policies, so these two things are the most important to consider
first. Applied cryptography for securing critical business processes based on hardware
security modules is todays choice, when prompting cryptographic strengths into ITsecurity realms of critical businesses. You will get to know more about Hardware Security
Modules soon which really ensures a-high level of security. So technologically we have
enough means to ensure the optimum level of security. Still we can see a lot of nullifying
results every day, thats because we are not able to manage certain things properly which
leads to many security loopholes. These organizational loopholes are very easy to
understand but most of the time they are not being accepted, due to interest-conflicts. Very
often they are taken for granted and at the end of the day we see devastating as an outcome
of initially small mistakes. This thesis is a work on these kinds of situations and I am trying
to figure out, how we could overcome those gaps.
My main focus is on the payment card industry and when you talk about this industry you
can easily imagine that it needs high end security, since it is mostly very complex and not
easy to manage. Almost everyone is related to this industry in todays world but generally
people dont want to go into details.
So before diving into the most complex part here I will provide a brief description of some
of the standards that we have to follow while handling issues related especially to this
industry.

3.1

NIST

National Institute of Standards and Technology is responsible for U.S. Security standards
that have been internationally spread and adapted by the security industry and its
applications. Its major task is to promote the innovation and the technological
advancements of security standards and certifying solutions, in order to be widely accepted
by governments and industries for the global benefit of the society.

3.2

FIPS

Federal Information Processing Standards are US government computer security standards


that specify requirements for cryptographic modules. There are different modules available
depending on what kind and what level of security you need in your organization and some
standards have already been defined for some particular organizations. These standards
have been defined by the NIST to ensure optimum security levels for processing
30

information. Amongst the standards they are covering the security demands for the
implementation and accreditation of cryptographic modules: FIPS 140 here especially
FIPS 140-2.It is basically categorized in to four levels:
3.2.1FIPS 140-2 Level 1:

This is the lowest level of security, it prevail limited level of security and remarkably good
level of security is actually absent in this level. An example of the security level 1 is the
mother board of the personal computer encryption board or the FIPS validation of
OpenSSL being validated to FIPS-2 Level 1.
3.2.2FIPS 140-2 level 2:

It adds the concept of the physical tamper-evidence devices that just pick up the resistance
from the outside world related to the device. It is actually kind of a seal which places over
the cryptographic devices so that an attacker has to go through this layer of coating and if
he or she will break this coating then the authorized person will be informed and it also
facilitates the availability of the role based authentication.
3.2.3FIPS 140-2 level 3:

In addition to the tamper-evident, level 3 also ensures that the intruder cannot have the
access to the Critical Security Parameters held within the cryptographic module. This layer
especially focuses on the physical intrusion of the module and how to handle it. It also
ensures the security by the concept of the split knowledge, because of which you can trust
the system can trust yourself and can trust others, thats why the knowledge is always
divided into two people.
3.2.4FIPS 140-2 level 4:

This level enforces the maximum level of security for cryptographic modules, providing
tamper-detection and tamper-prevention of attacks, forcing an internal overall meshcoating for achieving maximum resistance against tampers. Also enforced are protection
against X-Ray tampering, atmospherically tampering (temperature, surrounding airpressure) and voltage-tampering; the module must exactly test and detect all possible
tampers in its operating environment and in case of a tamper -zeroize all security elements
within the module, thus taking the device out of operation and preventing successful
attacks.

31

Source: Evans, L. D., Bement, A. L., & Bond, P. J. (2001, May 25). FIPS. Security
Requirements For Cryptographic Modules . U.S.: U.S. Government printing office,
Washington.

32

3.3

ISO 27001:

Another most important standard is ISO 27001which is by far the basis for defining a
management process to assure information security. Being into this kind of industry and
focusing on the optimum security measures one should adhere to theISO27001 standards
family. Initially the British Standard Institution has developed a standard called BS7799
which was used to develop and implement an Information Security Management System
commonly known as ISMS. Its main focus was on the availability, integrity and the
confidentiality of organizational information. But it was initially a single standard and later
on they have added some more information to it and then it became ISO 17799. And then
ISO 27001 mandate the use of the BS7799 so, It is actually today the second part of the
ISO 27001. It is also beneficial for companies who already have ISO 9001 standard which
basically ensures a quality process.
ISO 27001 basically consists of four steps which covers most of the organizational security
measures.
 PLAN(Establish the ISMS):
Establish the ISMS, policy, objectives, processes and procedures that are relevant for
managing risks and improving information security to deliver results in accordance with an
organizations overall policies and objectives.
 DO(Implement and operate the ISMS):
Implement and operate the ISMS policy, controls, processes and procedures.
 Checks (monitors and review the ISMS):
Access and, where applicable, measure process performance against ISMS policy,
objectives and practical experience and report the results to management for review.
 ACT(maintain and improve the ISMS):
Take corrective and preventive actions, based on the results of the internal ISMS audit and
management review or other relevant information, to achieve continual improvement of the
ISMS.
Source: IT-Goveranance-UK. (2011). ISO-27001. Retrieved May 20, 2011, from
http://www.itgovernance.co.uk/

33

Figure 3-1

3.4

VISA PIN Security Requirements Audit:

Visa explains in its standard management of the master key which starts with its
generation. As I said above that enciphering of data can be done with the help of a key and
at the top most level in the hierarchy of keys it is called Master Key. We need to take some
precautions while managing master key and VISA helps us to do that.
We need to set up an environment to manage the whole process. The first and the foremost
thing, is to have a minimum of dual control for every process so that there will always be
two people who are responsible for the management of the master key. The reason for this
is to secure the master key from the person himself. By dual-control the knowledge about
the secret (master key) is always segregated among two people so that without each other
they cannot receive the knowledge of complete final key.
It depends on the security policies, in how many pieces we divide that key, and we can
even divide it into three parts depending on the policy we are using. So the master key
1

Created by author

34

always consists of two parts and to do so we need two people (key custodians and their
deputies) who are responsible for this purpose. So the first thing is to decide who these two
people are going to be, it depends on the management where we are implementing it, in our
case we will call them Custodian 1 and Custodian 2. So according to the Visa requirements
there are basically 7 stages to ensure the security of the key.








Secure equipment and methodologies


Secure key creation
Secure key conveyance/Transmission
Secure key loading
Prevent unauthorized usage
Secure key administration
Equipment management

Source: VISA. (2004). PIN Security Requirements. Retrieved May 20, 2011, from
https://partnernetwork.visa.com/vpn/

35

3.5

PCI DSS:

Payment Card Industry Data Security Standard is an information security standard covers
data security requirements regarding security of personal data of a banks customer, who
holds the credit cards, debit cards, prepaid, e-purse, ATM, and POS cards etc. This
standard was basically meant to reduce the risk of the fraud in the payment card industry. It
applies to all the entities which are involved in the payment card processing like
merchants, processors, acquirers, issuers, service providers as well as all the other entities
which process and stores the card holders details.
There are 12 requirements for meeting the PCI DSS which are divided into 6 groups

Build and Maintain a Secure Network


Requirements:
 Install and maintain a firewall configuration to protect cardholder data
 Do not use vendor-supplied defaults for system passwords and other security
parameters

Protect Cardholder Data


Requirements:
 Protect stored cardholder data
 Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program


Requirements:
 Use and regularly update anti-virus software
 Develop and maintain secure systems and applications

Implement Strong Access Control Measures


Requirements:
 Restrict access to cardholder data by business need-to-know
 Assign a unique ID to each person with computer access
 Restrict physical access to cardholder data

Regularly Monitor and Test Networks


Requirements:
 Track and monitor all access to network resources and cardholder data
 Regularly test security systems and processes

Maintain an Information Security Policy


Requirements:
 Maintain a policy that addresses information security

36

Source: PCI-DSS. (2011). PCI Data Security Standanrds. Retrieved May 20, 2011, from
https://www.pcisecuritystandards.org/security_standards/

3.6

Devices used

There are also some kinds of devices that we use to reach the maximum level of security
some of them are as follows:

3.7

HSM:

It stands for Hardware Security Module, and is defined as a piece of hardware-component


and associated software that is usually installed inside a computer and provides a tamper
resistant environment for itself. An HSM basically used for secure generation of key
material, encryption, decryption, hashing etc.
There are many HSM manufacturers that are available in the market today but IBM is one
of the global players and also the most renowned in the HSM market, being the first
company in the market to have achieved FIPS 140-2 Level 4 validation for their HSMs by
NIST.
IBMs tradition in participating in the HSM market with cryptographic co-processors that
can be additionally installed by customers in backend servers, reaches back to 1989, where
the first HSM in form of cryptographic co-processor, being a tamper resistant HSM named
IBM 4755(adapter card) and IBM 4753(Network Security Processor for IBM mainframes)
were introduced. Along with this product availability IBM introduced IBM CCA.
Today IBM has basically two products which are available in the market: IBM 4764 and
IBM 4765, whose cryptographic services are made available to applications via the IBM
Common Cryptographic Architecture (CCA)
Even before the CCA era, IBM provided tamper resistant cryptographic modules as system
immanent components, for instance on the IBM 4700 controller series, which reaches back
to the seventies.
Being designed for long durations of operation, the IBM HSMs are used by top 500
companies, especially the ones using IBM mainframes (zSeries). In case of proper
maintenance, meaning regular exchange of batteries, the HSMs can be operated for
duration up to 10 years.

37

Figure 3-2

Source: BROTEX Synargos. (2011). FINPIN. Nrtingen: Internal Communication.

It does not only provide the security by its tamper proof architecture, but also accelerates
the processing time -for functions like key generation, encryption, decryption and digital
signing. There are many kinds of algorithms available today for the encryption and
decryption and some are really complex and also consumes too much CPU power when
using software crypto libraries on a server. When we talk about the payment card industry
then of course we are thinking about a very high volume of transactions requiring crypto
operations every day. So of course we need to handle the operations very quickly and in
some cases HSM can successfully off-load a servers CPU usage- when performing crypto
operations. And the most important thing is that these versions of HSMs from IBM qualify
the maximum level of security standards called-FIPS 140-2 Level 4.
Source: BROTEX Synargos. (2011). FINPIN. Nrtingen: Internal Communication.

38

3.8

Crypto processor

Crypto processor is nothing more than a chip embedded in an HSM for carrying out
cryptographic operations. It also provides a certain degree of tamper resistance.

3.8.1Functionality:

In general how do we ensure the security is to bind the software to a piece of hardware so
that only the legitimate user can have access to the software: But in order to prevent not
only the execution of the software on other machines but to protect the entire software
from any access, we require a security perimeter that keeps unauthorized reverse
engineering from observing the memory and the execution of instructions. The manual
solution is to keep the computer into a locked room so that only the desired people can
have access to the hardware and the software but the problem lies there, only few people
can have access to the room. But there is another approach which is called as IBM's
ABYSS project. Here the security perimeters protect a single printed circuit board inside
a workstation. The operating system and cryptographic keys are stored in battery buffered
static RAM chips that are located on the same board as the CPU, the system bus, the hard
disk controller, a real time clock and a battery. The board is surrounded from all side by an
alarm mechanism that consists of a multilayered winding pattern of a pair of fine wires,
which is embedded into hard opaque epoxy resin. And any attempt to hamper the security
module will trigger the alarm and wipe out the software and the keys from the battery
buffered RAM.
Source: Kuhn, M. (1997, April 30). Cambridge. Retrieved May 20, 2011, from
http://www.cl.cam.ac.uk/~mgk25/trustno1.pdf

3.9

Payment Card Industry PIN Security Requirements:

It basically consists of 7 objectives which tell us all the required parameters to ensure the
PIN security.
3.9.1Objectives
 PINs used in transactions governed by these requirements are processed using
the equipment and methodologies that ensure they are kept secure.

39

Objective : Cryptographic keys used for the PIN encryption/decryption and related key
management are created using the process that ensure that it is not possible to predict any
key or determine that certain keys are more probable than others.






Keys are converted or transmitted in a secure manner.


Key loading to hosts and PIN entry devices is handles in secure manner
Keys are used in manner that prevents or detects their unauthorized usage
Keys are administered in a secure manner
Equipment used to process PINs and keys is managed in secure manner

Source: PCI-DSS. (2011). PCI Data Security Standanrds. Retrieved May 20, 2011, from
https://www.pcisecuritystandards.org/security_standards/
So far you have seen that to maintain all the security we need a lot of standards. And it is a
must have condition to follow all these standards to be in this industry otherwise we can
cannot assure the optimum quality. But the standards are so complex that many a times we
commit some mistakes and even these standards tells us all the formalities but they never
tell us how to apply all those and if you look into the details of every standard you can
even find a lot of loopholes. Thats where I am trying to focus in this master thesis.

3.10 Establishing Security Measures


As you can understand the importance of a Master key by now, which was generated
during the initial phase the rest of the security assurance will always depend on the
handling and protection of Master Key. But if the master key itself is compromised then
there is no use of securing anything underneath the Master Key-as it is the root cause of the
vulnerabilities. Using various technologies and different standards we safely generate the
master key, which itself is not easy to crack. The next step is the real challenge: that is to
place it into HSM and its real operational environment. Here lies the actual problem. How
we can manage the master key to ensure the security at its optimum?
The standard defines the measures, one should take to ensure the security but they dont
define how we can establish them in a real world enterprise.
We need to start in an upmost hierarchy of any organization that is on the management
level, when establishing an Information Security Management System (ISMS) that
identifies and manage the risks existent to vital assets such as a Master Key.
When business processes are tied to profound ISMS, the awareness is placed accordingly
to manage the risks and assure the measures needed to prevent impacts of possible
loopholes that could lead to compromises of Master Keys.
40

41

Information Security:
In my scenario of a holistic coverage of security awareness, starting from Information
Security Management level, all the way down to the operational level, where Master Key
are process on the system level, I want to identify basically three layers which consists of :

1. Management- Risk assessment (which basically consists of ISO 27001)


2. Business Process- Following all the standards(PCI DSS mainly)
3. System- Management of the master key

Figure 3-3

In order to achieve such an implementation in any organization of course, you will need to
segment the security context across different departments, which is another managerial
task to accomplish. So for my purpose I will divide the whole process into three different
layers within an organization.
2

Created by author

42

 Top Management
 Line of Business management
 Infrastructure and System- Management
And if you see the whole scheme then you will say its the top managements job to decide
for what they want to go, depending on the objectives and the strategies of the company.
Top management basically consists of the highest ranking executives like the managing
directors, president, vice presidents etc. and their main responsibility is to define the goals,
objectives, strategies and for sure the future of the company. So their job stands at the top
of companys organizational hierarchy, they will have to decide whether they want to go
for a profound Information Risk and Security Management system or not.
If you look at todays business world, it becomes a necessity to follow all required
standards and compliance issues.
Otherwise a companys leadership may last for a short period of time only, which also
applies to manufacturers of security solutions, which require the same awareness in
security management as the companies operating their solutions to provide high security
levels to their customers.
So the first step in order to ensure security starts with Risk assessment. Top management
will have to identify and manage the risks for the companys future related to a particular
business and if they want to persist into the business then they have to commit to the
required processes.

Now if you have decided to go for all these standards then comes the second phase which
is line management who will plan to get the desired output or we could say the people who
are responsible for meeting the corporate goals, maintaining the policies and all the
standards. A line manager could be anybody depending on the industry where you are
participating in.
Like in any company we need a person who will handle the probabilities of the risks
regarding the particular working field. In our case he must be a person who will handle the
desired goals in real time to get the desired output that the top management has planned.
He will manage the resources under him to get the predefined result and its his job to plan
how to reach those targets.

The third and last layer I will consider is called Infrastructure Management the people who
are responsible for daily operations as defined by the top management and the line of
business management have planned. They will also have to adhere standards depending on

43

the industry area you work in, but in the cases of IT-infrastructure operations, the ITIL
standards-framework is a good approach to follow.

44

3.11 Risk assessment:


The top management will decide to understand the risks for the company regarding the
business, all the necessary measures that need to be fulfilled, so they will generate a set of
objectives and the second line of management will handle all those objectives. In my
scenario top management is responsible for designing the objectives of ISMS. So here
Chief Security Officer will plan whether they need and ISMS system in company or not.
So CSO will demand for an ISMS system accordingly, as an example if CSO thinks that
the company should fulfill ISO 27001 standards then he will place them in the companies
policies. And second line of management will take care of risk assessment to meet those
targets according to the desired standards. There are various technologies available in the
market for the risk management, various standards, various studies etc. so it always
depends on you to follow any approach whatever you like. For my purpose I would suggest
a tool from STIKI, called RM Studio which is a company founded in Iceland. This tool is
basically used to analyze the security risks while focusing on ISO 27001 and other security
measures. The advantage of RM Studio compared to an implementation of an ISM based
on EXCEL is the round-trip-management that is possible with yearly audits and recertifications as well as the intelligent reporting system that produces assessment and
audit-report on the fly, thus saving considerably valuable time.
It has already predefined all the necessary requirements that can apply to a company, Very
practical is the fact, that standards like ISO 27001 or PCI-DSS are already copied in
verbose into the database of RM Studio, which saves valuable time in editing. In addition,
the standards are available in different languages, making it quite convenient to get ISMS
certification on an international basis, which is essential for global enterprises.
We can also create our own standards or add threats and measures depending on our
demands and assess the risks using the same ISMS tool infrastructure.
The below diagram is the first view of the RM Studio and here you can see that it looks
very user friendly and it has all the parameters as well to calculate the risks.
Source:
STIKI.
(2011).
Solutions.
http://www.stiki.is/index.php/en

Retrieved

45

August

10,

2011,

from

Figure 3-4
3

Calculate Risks
To calculate the risks on Information Security as defined by the ISO 27001 standard, we
need to define the infrastructure of our information processing landscape, including all the
assets, job roles, availability and the other resources and of course their dependencies on
each other. As you can see in the picture above, first we have to define the business entities
for which we are trying to calculate the risks. As we are talking about the security so we
must consider the ISO 27001 all the time, so for this reason whatever we are going to
analyze it will calculate the risk on the basis of ISO 27001. This is the first task to achieve
in any company who wants to do their business securely. ISO 27001 basically tells us to
design ISMS (Information Security Management System) which eventually ensures a
system to tell us about the overall security system in an Enterprise.

Created by author

46

As we have the desired standards in RM Studio so we dont have to worry about many
things. We will just define our assets in RM Studio and it will calculate the risks
automatically.

The ISO27001 ensures all parts in an organization but for this thesis my main focus will be
on the Objective A.12.3.1 which says:

Cryptographic Control
Objective:
Protect the confidentiality, authenticity and integrity of information by cryptography. In
further detail that means:
Policy in the use of Cryptographic control: A policy on the use of the cryptographic
control for protection of information shall be developed and implemented.

Key management: Key management shall be in place to support the organizations use of
the cryptographic techniques.

Most of the people always neglect these two most basic problems and even the ISO doesnt
define how to achieve these tasks. So the first thing in any organization is to check whether
they are following these standards or not and if they are then how much is the risk and the
RM Studio provides us this facility to calculate on the basis of above mentioned standards.
The next most important thing that comes is the PCI DSS, if we are working in the
information security and especially in the banking domain then we will have to follow the
PCI DSS which stands for Payment Card Industry Data Security Standards.
I will give a brief introduction on how to calculate the risk regarding these two standards
but I have to mention that, it varies from organization to organization.
We can easily see in the Figure3-5, various standards but for us means as security wise,
only ISO 27001 and PCI-DSS are important so first we will analyze with the ISO27001
standard and then we will try to find out the risk analysis with the PCI DSS.
In Figure 3.6 we can see that the next step is to define the Business entity for which we are
trying to calculate the risk. In the Business entity we have to provide the basic details of
the company like name, address etc.

47

Figure 3-5

Figure 3-6
4
5

Created by author
Created by author

48

Figure 3-7

The next thing is to define the business assets including all the details of the company.
Figure 3-7 explains this how to define the assets of the company and to get the accurate
result we have to define all the assets of the company that includes all the possibilities
exists in any organization that means the people their expertise, hardware, service level
agreements with the clients etc. Now as you can see in the Figure 3-7 the assets are defined
including all the people involved their dependency on each other and complete
infrastructural assets as well.

Created by author

49

Figure 3-8

Figure 3-8 explains that how the individual component in the organization are important
for us, and whats their credibility, their security risks and their impact in the organization
which is very important e.g. If the lead developer is not available in the company during
any issue so his availability has to be high during those period where as on the other hand a
person who is doing only the clerical stuff, he is also very important for the company but
his availability is not that important during the critical issues. So regarding all these
questions in mind we have to provide the different parameters in the risk scenarios for the
different assets.

Created by author

50

Figure 3-9
The above Figure shows the risk analysis on the basis of ISO 27001 and different assets
that we have defined earlier. On the basis of values of the assets and availability it shows
us the risk is 2%, which is very low and good for the organization. Now we can also check
it for different parameters like the confidentiality and the integrity how much is the risk.
The below Figure 3-10, shows that now the result have been rises to 1% including the all
the factors in an organization. So it is even far better so by theses all results we can easily
define that we have gone through the risk parameters of the ISO 27001 standards and in
any case if the risk is too high then we can again define the assets and then we could do the
gap analysis.

Created by author

51

Figure 3-10

Figure 3-11
The Figure 3-11 shows here the PCI-DSS standards, we have to do the same things again
and then again we have to check the possibility of the risks and the threats from against
PCI-DSS. If the result is low like 1% or 2% then we could be sure of one thing that we can
go further that means we have successfully followed the PCI-DSS standards as well.

And now the real work start for the information security, initially we had the problem that
there are many standards which are very complicated and how to follow them all. Then we
9

Created by author

52

have seen the utility of the RM Studio which has made our work easy to asses our
organization against these standards. But still the problem is there, even though we have all
the standards but we can still see various attacks every day in news. So there must be a
problem somewhere which is the problem of good management and basically the problem
of following all the complex processes. And to solve all the problems we will take the help
of the BPMN2.0

53

4
4.1

Chapter 4 Solution
Prototyping

Now comes the role of Infrastructure Management- the lowest level of management, its
not only responsible for the IT infrastructure to meet the business needs for high
availability, reliability and scalability, but it is also responsible for managing services of
the business process management. It provides us a way to calculate the availability,
reliability, risks management etc. In the past this kind of structure was mainly meant for
the big organizations but today even the small organizations can also make profit with this
kind of approach.
In this chapter I am trying to find some loopholes on the basis of the infrastructure
manager with the help of the Business Process Modeling. It will be used as a prototype to
define the problems using the BPMN2.0. As I have already introduced BPMN2.0 and have
already explained that there are many tools available in the market today so for my
convenience I would use a tool called Bonita Studio. It consists of many facilities which
are using different technologies to solve our purpose. Figure 4-1 shows the basic view of
the Bonita Studio which explains itself that how we could design the workflows. On the
left hand side of the picture we can see the toolkit to design the workflows which consists
of the BPMN2.0 standards.

Source: Bonita Open Solution. (2011). Bonitasoft. Retrieved July 20, 2011, from
http://www.bonitasoft.com/

54

10

Figure 4-1

As I have already explained in the previous chapter, first we have to follow the general
standards which are important to be compliant to, so that we could ensure maximum
security possible. First we have to go through all those steps to achieve the certifications
and to calculate risks in an enterprise accordingly.
 Top Management: get ISMS certified according to ISO 27001
 Business line: get certified according to PCI-DSS(while interacting with
ISMS)
 Infrastructure: make sure, that processes meet required quality goals and
provide audible trails, adhering to policies directed by layer 1 and 2
respectively.

Then we come to the details of Master Key management.


Master Key management is a very complicated issue and the operational issues lie at the
bottom of the whole organizational hierarchy. In reality, experience shows, that dual
control can practice with compromises, as a result of project-pressure (e.g. change requests
10

Created by author

55

in exceptional situations) or degrading awareness and knowledge, due to employee


fluctuation. So, if a decision is made to have a single key-custodian process both parts of a
Master Key, then the key by definition is compromised. The associated crypto system may
still operate fully functional, but when it comes to an audit in the future, especially
connected to the implications of a successful and published hack by cyber-criminals, the
business itself may be faced with severe losses.
Bottom Line: if a Master Key is not properly secured, because the responsible persons for
the key ceremonies do not follow a pre-defined process, then nothing beneath it will be
secure.
It doesnt matter which standards we are trying to comply. Even after following all the
security measures and all standards we are not able to ensure the provable protection of
Master Key.
So in this chapter I will try to outline solution which can be used to overcome the issues of
process disruption during Master Key management. The idea itself is not new and it is a
conglomerate of all the standards that we have talked about earlier.

As according to VISA the whole process has to be divided among two people so that the
possession and knowledge is segmented among two (secret splitting). One custodian
therefore has no knowledge about the second part of Master Key. Without the second part
Master Key cannot be generated.
This is an essential step to ensure the highest level of trust in processing this kind of vital
asset.
If only one person would be responsible for the whole process, then lots of problems come
up:
 Insider attack: if the person turns out to be corrupt, the organization can be
heavily damaged(all business processes go out of operation, reputation
damage, customer resigning due to loss of trust)
 Social engineering made easy: it is easy for the attackers to leak out
information from just a single person, as compared to retrieving it from
segregated knowledge.
At any place the process starts from establishing an environment which has to be properly
defined and configured to produce the optimum output. So we will need at least two people
to handle the whole process at any cost (keeping in mind that substituted, also called
deputies, need to be assigned also). We will call them custodians for our own convenience
with specific rights to manage the master key and they must not know each other for the
sake of security.
56

The next thing coming up is the environment we need:


There are different possibilities, depending on the organizations. As it is most crucial part,
so I would suggest to, prefer for maximum security. In other words: to go for highest
quality, regarding Hardware, Software and Service Level Agreements (SLA, ITIL for
further details on the implications). As it is not easy to maintain operations without clear
structures and contracting schemes, this aspect alone requires intensive management
covering a complexity of, security measures of its own.
Now coming to my solution, the infrastructure to be managed will consists of different
things:

I would prefer to use three different servers to achieve more security; they all stay at the
client side (which is to say any bank). Now on the first server we have to use an API
through which we can communicate with the IBM-CCA (common cryptographic
architecture) which actually lies on the other server. Through this API users can enter into
the machine to do the desired operation. On the other server the whole processing works
under the HSM but users can access it through another login (for security purpose). While
in between there lies another server which is called as IBM MQ series which is basically
used for the queuing purpose. So that queuing takes place properly and it will never go into
the deadlock situations. On the second server there lies the crypto API and IBM CNM
through which we can generate the keys. These servers are connected with each other with
the help of LAN and must be placed under high supervision. This is another loophole when
we manage Master Key while in a real time environment and most of the standard doesnt
provide much information regarding the management of the Master Key while handling it
in network attached HSMs. This is the technical aspect of the infrastructure that really
ensures very high end security but the real problem to be solved is performing the required
operations without loopholes.
The organizational infrastructure has many loopholes whenever key components are
produced by an HSM and there comes the most critical part.
Often enough, we face the problem that users dont know how to handle the complete
environment so they make mistakes while doing so.
So here I am trying to give a best view of the complete process. It has to be divided into
different departments properly so that all participating roles are enforced to do their work
properly, which is the most important part regarding the organizational management.

The whole process, which is called key ceremony, is as follows:

57

Note: Each Key ceremony is understood as a change to a productive system. This implies,
that all the tasks performed during the following process for the key ceremony, are preplan able and governed by a workflow management system, designed and implemented to
guide the process in a manner, that guarantees a continuous audit trail and provides logs,
that give detailed information about the life-cycle of any key processed.

58

4.1.1Key Ceremony

The centralized authority will instruct the two custodians that they will have to generate
their key parts for a certain target key; this notification could be sent via e-mail, physical
mail or anything whatever the policy is. The custodians have to confirm their availability
and if any case they are not available, they must take care of assigning the corresponding
deputy for that custodian in advance.

Special requirements and pre-requisites regarding the execution of the key ceremony: the
complete ceremony must be executed in a secure room(trusted environment, level: HIGH),
which requires:

Isolation from outside environment, protecting against acoustic and


electromagnetically information trespassing
Dual access control: no single person should be able to be alone in the
secure room, the access to the room is granted after dual-login to the
room
In case of exceptional situations(fire, earthquake, etc.) the ceremony
must be cancelled, any key material produced during this session
marked as incomplete, not trustworthy-and should be destroyed
Cellular/smart phones are not allowed during the residence in this
room
Camera surveillance: this requirement can be conflicting, as gaining
knowledge about who enters the room on the one side, brings the
disadvantage, that surveillance officers could possibly re-construct
key-values that are entered by custodians after reading the values
from key letters

 Security guards will check the facility access of the custodians and other
participating persons (in case if a live audit by Visa) and inspect and carried
item not required during the key ceremony, which may need to be deposited
by the security guards during the ceremony.
 Custodians will have a dedicated time to achieve their task, as defined.

 The custodians will be escorted by at least one other person (internal auditor)
until the last entrance of the room. As required before, no person is allowed
to be alone in the secure room.
59

 There has to be a secured login accessing the system operated by the


custodians while performing the operation to generate the master key parts.
Access Control can be realized by various ways: smart card login, access
tokens with one time password etc. there are different technologies today, it
depends on the companies security demands and policies and external
compliance regulations.

 Regarding the generation of the desired Key. It has to be dedicated systems


only for this purpose and it should be non -bootable from any media.
 Another important issue: the system hardware should be connected to a
functionality tested and working Uninterruptible Power Supply.
 As soon as the key generation is done, and stored to the intermediate
transportation media for further key part loading to the target HSMs, the has
to be backed up, for the purpose of key-recovery, depending on the
companies backup policies. Regarding cryptographic key material, long term
in experience and best practices show that most of the organizations still
believe key-parts printed all key letters on paper to be the best practical
choice and most enduring backup media still around. Once key-values are
securely printed out onto key-letters, the printouts are enveloped and are
required to be separately stored to different physical safes, providing
continuity in key separation under dual control.
 There are different scenarios in different organizations where some people
prefer to have the key generation environment into the organization itself and
others prefer to have it at the other places. And the complexity differs from
case to case.
 If it is at a different place then it has to be transported through a physical
medium and there comes another security loophole. There are different ways,
but most of the organizations do this thing, they contact the courier company
and they transport it within a tamper resistant module. So that if anybody tries
to hamper it then it will automatically destroy the content. Both the parts have
to be transported through different routes and through different courier
companies so that to achieve the concept of the dual control all the time.

As you can see this whole key ceremony process is a perfect candidate for implementing a
workflow using BPMN2.0:
60

 It can be automated and run as a centralized governed authority moderating


the process
 It can keep track of all process activities all the time
 It could also reduce the human errors which people generally do in
organizations like forgetting about vital process steps that disrupt the quality
chain. So to overcome all those problems we need an automated process
control (our centralized authority) so the people who are involved in this
process can handle the whole system easily which will in consequence secure
our whole environment as well.
At this point I want to introduce the role and application of BPMN2.0 with the help of
which we cannot just automate the process but also we can keep track of all activities
applied.

61

4.2

ISO 27001 Based Risk Analysis

11

Figure 4-2
Figure 4-2 shows that we are going through our first phase of the whole process where we
will check the criteria for the ISO 27001. This workflow will initiate the STIKI RM
Studio, in order to perform the minimum yearly risk analysis. If we will be able to follow
the ISO27001 standards then we will go to the next phase.
So now its just time to automate the whole process and make it working. This part of the
workflow is the first swimlane and I have given it a name called Risk Assessment for the
ISO-27001. As you can see in the Figure 4-2, it consists of the three tasks start task, a
script task and an end task. You can see in the middle which is the script task which is
actually a shell script which is going to initialize the STIKI RM Studio. It provides us a
wide variety of options. I have preferred to choose the script task as it seems simple for
me.
Figure 4-3shows how you could define the script task. This Figure is basically showing
connectors. In Bonita Studio, we have to define a connector for this task, which is of the
shell script type and then you just have to define the script that you want to run. It is
11

Created by author

62

actually a simple GUI which is easy to understand and can guide you for everything that
you want to do. I have simply used one line of script to initiate RM Studio. There are
various other ways to do this task like you can create a java code as well but then the
whole process will be too mighty and if you want to make some changes then you will
have to make the changes everywhere. Thats why I have chosen the script task which is
easy to use and easy to perform, just one line of code and you can achieve your work.
Further this means I have provided a layer between workflow design and implementation
that means if you want to replace the implementation details you dont have to touch the
workflow design. You also need to define the person who is going to initialize the process,
in my case this is the initiator who will handle the workflow and who is going to initialize
this particular process. There are several other facilities that you could achieve with this to
make it more secure like only a dedicated user can do a particular task. For this reason I
have created a particular user in RM Studio to perform this task as if we can see this in an
organization there has to be a person who will take care of this responsibility and who have
the complete knowledge of the companys environment and also have a nice idea about the
ISO-27001.

12

Figure 4-3

12

Created by author

63

4.3

PCI-DSS Based Risk Analysis

Now comes the second part of the whole work flow which is to analyze the risks on the
basis of the PCI-DSS. After finishing the first job that is to analyze the risk on the basis of
ISO27001, workflow will jump onto the second level which is to analyze the risk on the
basis of PCI-DSS. You can see in the Figure4-4, the next swim lane comes into the
existence which is called as PCI-DSS Analysis. It has different criteria as compare to the
ISO27001 but it is also very important to fulfill this task so as to ensure the maximum
security and the optimum result. You have to do the same thing again like in previous
process. So again I have defined a script task to initialize the RM Studio but this time the
user is different. From the organizational point of view it will be a person who will take
care for the PCI-DSS certification and a person who has a sound knowledge about the PCIDSS, so that the organization could be sure about getting the certification properly. And if
the organization already has the certification then they could skip to the next step which is
for the management of the Master Key. And dont forget to change the standards in RM
Studio as by default after finishing the previous step it must have been selected
automatically to ISO27001. These two swimlane are loosely coupled, they are not
dependent on each other but they are part of the whole process. So we just cannot skip any
of them.

13

Figure 4-4

13

Created by author

64

4.4

Master key Management

14

Figure 4-5
Figure 4-5 shows the next layer of the work flow which consist of the more complex and
much interesting part. Here I am trying to show the management of the Master Key. Here I
have used Crypto Node Management (CNM) which is proprietary by IBM and delivered
with IBM HSM 4764 and IBM 4765 so I will not give much detail here but you can see the
login for CNM in Figure 4-6. And it doesnt matter for us how it works because we are
only focused on the organizational issues rather than the technical details. It is also called
as Common Cryptographic Architecture Node Management Utility. As you can see in the
Figure 4-6, the custodians can login with different methods, it depends on the companys
policy how you do this; you can also notice different tabs showing different utilities like
key storage, Crypto node etc. For our purpose there are of course few things to know
about. The Crypto Node and Master key tab are the most important for us to know. With
Crypto Node we can easily find the information about installed HSMs, like the state of the
HSM, its battery state, error logs etc. So whenever we notice any unwanted behavior like
unauthorized logon (outside valid time range), we can easily inspect Crypto Node and can
look into the details moreover can possibly find the cause of the issue.
14

Created by author

65

Second important tab for us to know is Master key which is of course used for generating
Master Keys, via several Master Key parts. It provides us a guided way of generating it.
The other important thing that comes next is key storage which gives us an ability to
manage the keys and their storage. As there are different algorithms available for the
encryption so it provides us different ways depending on key type.

Figure 4-6

Source:
IBM.
(2011).
Infocenter.
http://publib.boulder.ibm.com/infocenter/zos/

Retrieved

from

ZOS:

In Figure 4-5, you can see in the workflow that this part of the whole workflow starts from
sending invitations to the custodians. Now we are sending mails to different Custodians,
inviting them for the key ceremony on a particular date and if any of the custodians are not
available then they will have to communicate with the responsible person that they are not
available, thus activating their deputy.
There is another scenario here that we have to invite different custodians on different dates
so that they will never come to know about each other, it makes the whole key ceremony

66

more secure and it might also be possible that instead of dual control there are three
custodians so we have to invite all of them at different times. And if they accept the
invitation then the workflow will move to the next step and it will guide all involved
people to move further.
But before workflow can do this we have to consider a few more things as regards to the
workflow. First we have to setup some technical requirements: configure mail server so
that we could receive or send mails. For the purpose of receiving the mails we could use
for e.g. Mozillas thunderbird or we can use default environment depending on the
individual infrastructure.
In the next step the CNM will come into existence and the work flow will ignite the CNM,
in order to initiate the generation of the required key material. It has a mechanism to
handle the complexity of generating the master key and you can also choose different
strategies for management or for distribution. As you can see in the diagram there are two
timers at the two different tasks. So there is always a dedicate time which has been
allocated to achieve the task and if that time is reached and the job is not done then you
cannot go to the next phase of the process. This normally causes management alerts and
triggers appropriate measures to continue the process.

The next thing that comes into the mind is to store the key parts after generation, so for that
purpose we need to take the backup of the key parts and it depends on the organizations
how they could do this. Many organizations take the backup on a USB stick or, if allowed
by budgets, even smart cards, but as sticking to the stereotypes that paper is the best form
of storing information for long lasting persistence, we will write down the key on a piece
of paper and will store it in a safe as you can see it in the Figure 4-7.
Details not mentioned: each custodian must deposit its key part in separate safes. Any
access to the safes and whereabouts of the key letters during absence must be logged in a
key life cycle protocol. After unpacking a key letter from an envelope, a new envelope
(tamper proof security bags) with registered serial numbers must be used before depositing
the key material back to the safes.

67

15

Figure 4-7

16

Figure 4-8

15
16

Created by author
Created by author

68

At last you can see the final Figure 4-9 which is the complete workflow that tells us the
whole concept.

69

17

Figure 4-9

17

Created by author

70

5
5.1

Chapter 5 Tools
Bonita Soft:

Bonita open solution had first come into existence in 2001, being developed for BPM and
handling workflows. Initially it was developed by the French National Institute for
Research in Computer Science. But since 2009 its development has been done by the
company called Bonita Soft. It is made up of three components:
 Bonita Studio:
Bonita Studio allows the user to interact with the system and graphically design the
workflows on the basis of the BPMN2.0 standard. It provides us a lot of flexibility to
connect Bonita soft with lots of other information systems like the ERP systems, databases,
Content Management Systems. It has an inbuilt support for many other systems and the
good thing is most of them are open source. It also gives us a flexibility to design the forms
that you can see as an end user and can interact with the processes. The whole platform is
based on eclipse which itself is very mighty tool. So it provides us a very powerful tool at
the end and also a lot of flexibility.

 Bonita BPM Engine:


The BPM engine is a JAVA API which gives users more flexibility to experiment,
implement and test process integration.
 Bonita User Experience:
Bonita user interface provides the users a webmail kind of a portal with which user can
have a look at the various processes. It basically relies on the GWT.

71

Other Features:
 Advanced role resolving and filtering
Have a role based process where you can assign the task to a dedicated user
 Central repository
Saves all the information at a central repository
 Context palette for designing the forms
Also provides a palette based designing ability to make the designing
faster
 Iterative environment
Built in environment testing and one click deployment
 Multiple image export formats
Provides bpmn2, JBPM3 and xpdl exporter features
 BPMN2 process modeler
You can design your workflows with all the features that BPMN2.0
provides
 Collaborative process modeling
It can narrows the gap between process owners, stake holders, business
analysts and developers
 Contributed connectors
There are many connectors available for many mostly used applications
like ERP systems and different content management systems
 Process Diagrams Validations
You can test your processes and it will also shows the errors
automatically

72

After the user will handle the process the Bonita experience will send a mail to his personal
so that the user can notify that he has done the process successfully and nobody else has
tampered, which is an integrity check on the process quality, thus improving the measures
for achieving governed security his work.
Source: Bonita Open Solution. (2011). Bonitasoft. Retrieved July 20, 2011, from
http://www.bonitasoft.com/

5.2

Bonita User Experience

Figure 5-1
Source: Bonita Open Solution. (2011). Bonitasoft. Retrieved July 20, 2011, from
http://www.bonitasoft.com/

Figure 5-1 shows the Bonita User Experience, which is like the root of the Bonita, there is
a default user called admin who has all the rights and here you can create the users of your
73

choice to handle the particular processes. It consists of many other things as well as you
can see in the picture 5-2, in the main window its showing the list of the users and here you
can do the rights management as well and on the left hand side you can various other
organizational facilities to generate a report or to have a look of the whole process in terms
of the statistics, which provides us an easy view to have a look at the overall workflow and
we can also compare it with the other processes. But this view is only the administrator
view as a user you will have a different view which you will see soon. User view is meant
for the handling the different tasks which are assigned to the different users.

Figure 5-2

74

Future Prospects

As I have shown you the whole concept by dividing the complete scenario into real
processing environment by assigning the different tasks to people, so it becomes very
important in todays business environment to fully integrate all involved departments in a
certain process, achieving an optimum flow and healthy performance, last not least,
recognized by the end customers. For the employees, the burden of misinterpreted
responsibilities can be off-loaded and it will become easier for new employees to
understand their job, pass information to others and identify potential interdependencies
and execution can deliver complete audit trails in form of continuous process logs. In the
end the main goal focused is the growth of the company and the individuals serving it.
But as soon as the size of the company increases the complexity also increases, as far as
dividing the tasks among different people under different departments concerned. So at end
of the day we need a proper line of management who can easily communicate with each
other among different departments etc. and BPMN2.0 gives us this opportunity to join the
people together while standing on the top of everything else. Security is only one concern
but in an organization there are more issues that can be resolved by proper business
process management. At least the reduction of unnecessary actions, prevention of
redundancies, higher flexibility and meeting budget and milestones supports management
to meet its goal on a healthier lane in the end.

As the complexity of processes is increasing, we need to make it simpler for all the
stakeholders involved. BPMN has provided us a chance to make it simpler and stays
flexible; it provides us with many features.

 We could easily view and process the whole application environment.


 It provides us the opportunity to manage risks, gap analysis while looking at
the issues which are not easily visible in a broader view.

 If we could add some more complexity then we can also add the feature of the
future prediction on the basis of mathematics and business intelligence
 It provides us a great option of testing any process without even wasting our
resources and without having to experiment in productive environments. So it
provides us with a virtual but a realistic environment to test any case.
75

 And the most important thing is that BPMN2.0 is quite versatile in every
field. You could use it in the IT-area but you can also use it in every kind of
industry without any complications.
I have opted only one scenario in the information security and there are many more
scenarios to be covered in the field of Information Security. The size of the company is not
important, as you can adapt and grow with the tasks you find to be important to be
automated, integrated, managed and controlled by BPMN2.0
We can also add the features of SOA with BPMN to extend its power.
As you might have understood so far; the importance of BPM is increasing, so that to
reduce the complexity and to increase the ease of use, especially in the applications like
ERP systems, Content management systems etc. As these kinds of applications are very
mighty and pervasive, they all need to have a kind of a workflow management system
which can reduce the overall process complexity and can easily show the complete
process.
It has reached the position that UML has today regarding modeling diagrams for arbitrary
systems. Its already been integrated successfully to fulfill our needs of the SOA
architecture. The other important thing is that it also provides us a lot of flexibility, like the
ease of integration with other technologies and existent systems.

76

77

Table of Figures

Figure 1-1 ............................................................................................................................ 17


Figure 1-2 ............................................................................................................................ 18
Figure 2-1 ............................................................................................................................ 26
Figure 3-1 ............................................................................................................................ 34
Figure 3-2 ............................................................................................................................ 38
Figure 3-3 ............................................................................................................................ 42
Figure 3-4 ............................................................................................................................ 46
Figure 3-5 ............................................................................................................................ 48
Figure 3-6 ............................................................................................................................ 48
Figure 3-7 ............................................................................................................................ 49
Figure 3-8 ............................................................................................................................ 50
Figure 3-9 ............................................................................................................................ 51
Figure 3-10 .......................................................................................................................... 52
Figure 3-11 .......................................................................................................................... 52
Figure 4-1 ............................................................................................................................ 55
Figure 4-2 ............................................................................................................................ 62
Figure 4-3 ............................................................................................................................ 63
Figure 4-4 ............................................................................................................................ 64
Figure 4-5 ............................................................................................................................ 65
Figure 4-6 ............................................................................................................................ 66
Figure 4-7 ............................................................................................................................ 68
Figure 4-8 ............................................................................................................................ 68
Figure 4-9 ............................................................................................................................ 70
Figure 5-1 ............................................................................................................................ 73
Figure 5-2 ............................................................................................................................ 74

78

Abbreviations

A
API: Application Programming Interface 25
ATM: Automated Teller Machine 24

B
BPMN: Business Process Modeling Notations 20
BS: British Standard 33

C
CCA: Commomn Cryptographic Architecture 25
CNM: Cryptographic Node Management 57
CPU: Central Processing Unit 39

E
ERP: Enterprise Resource Planning 71

F
FINPIN: Financial PIN Services 27
FIPS: Federal Information Processing Standard 30

G
GUI: Graphical User Interface 63
GWT: Google Window Toolkit 71

H
HSM: Hardware Security Modules 37
HSMs: Hardware Security Modules 25

I
IBM: International Business Machine 37
ISMS: Information Security Management System 33; INformation Security Management Systems See
ISO: International Standard Organization 33
IT: Information Technology 30

79

L
LAN: Local Area Network 57

N
NFC: Near Field Communication 23
NIST: National Institute of Standard and Technology 30

O
OS: Operating System 29

P
PCI-DSS: Payment Card Industry Data Security Standards 24
PIN: Personal Identification Number 40
POS: Point of Sale 24

R
RAM: Random Access Memory 39
RFID: Radio Frequency Identification 23

S
SOA: Service Oriented Architecture 18

U
UML: Unified Modeling Language 16

X
xpdl: XML Process Definition Language 72

80

Bibliography

Activiti. (2011). Components. Retrieved May 20, 2011, from


http://www.activiti.org/components.html
Arstechnica. (2011). Retrieved Ausugst 3, 2011, from
http://arstechnica.com/security/news/2011/09/comodo-hacker-i-hacked-diginotar-tooother-cas-breached.ars
Black, S. (2005). Retrieved July 2, 2001, from http://fox.wikis.com/
Bonita Open Solution. (2011). Bonitasoft. Retrieved July 20, 2011, from
http://www.bonitasoft.com/
Brandtstaetter, T. (2011). Cyber Crime. Nrtingen: In Personal Communitaion.
BROTEX Synargos. (2011). Retrieved July 5, 2011, from http://www.synargos.com/
BROTEX Synargos. (2011). FINPIN. Nrtingen: Internal Communication.
Corbasson, L. (2007, December 24). SOA. Retrieved August 1, 2011, from
http://en.wikipedia.org/wiki/File:SOA_Metamodel.svg
Evans, L. D., Bement, A. L., & Bond, P. J. (2001, May 25). FIPS. Security Requirements
For Cryptographic Modules . U.S.: U.S. Government printing office, Washington.
IBM. (2011). Infocenter. Retrieved from ZOS:
http://publib.boulder.ibm.com/infocenter/zos/
IT-Goveranance-UK. (2011). ISO-27001. Retrieved May 20, 2011, from
http://www.itgovernance.co.uk/
JBOSS. (2011). JBPM. Retrieved July 20, 2011, from Documentation:
http://www.jboss.org/jbpm/documentation
Kuhn, M. (1997, April 30). Cambridge. Retrieved May 20, 2011, from
http://www.cl.cam.ac.uk/~mgk25/trustno1.pdf
PCI-DSS. (2011). PCI Data Security Standanrds. Retrieved May 20, 2011, from
https://www.pcisecuritystandards.org/security_standards/
Sophos. (2011). naked Security. Retrieved September 4, 2011, from
http://nakedsecurity.sophos.com/2011/08/29/falsely-issued-google-ssl-certificate-in-thewild-for-more-than-5-weeks/)
SSL. (2011). Retrieved August 10, 2011, from www.openssl.org

81

STIKI. (2011). Solutions. Retrieved August 10, 2011, from


http://www.stiki.is/index.php/en
VISA. (2004). PIN Security Requirements. Retrieved May 20, 2011, from
https://partnernetwork.visa.com/vpn/

82