CONNOTECH Experts-conseils Inc.

Overview of Secure Fax Technology by CONNOTECH Experts-conseils Inc.

Warning: This document is OBSOLETE
as CONNOTECH is not pursuing this business any more.

by Thierry Moreau

February 1995, updated February 1997

© 1995, 1997 CONNOTECH Experts-conseils Inc.


Table of Contents

Introduction
Applying Existing Knowledge or Expertise
    Modern Cryptography
        Public Key Cryptography and Digital Signatures
        Security Certificates
        Session Key Establishment
        The Use of Random Numbers for Encipherment
        The BBS Pseudo-random Number Generator
    OSI, Open Systems Interconnection and Related Standards
        Fax Coding Format
        Fax Packet Assembler-Disassembler
        OSI Network Layer Security Protocol
        Base Unsecured Protocol
Group 3 Facsimile Security Protocol
Cryptographic Key Management
Cryptographic Application Rules
    No Storage of Fax Message in Transit
    No On-line Central Administration
    Digital Signatures of Fax Page Image Data
    Protection Against Fraudulent Use of Digital Signatures
    Enforcement of Digital Signatures
    Accommodation of Export Control Restrictions

Introduction

This document presents the secure facsimile technology under development by CONNOTECH. Emphasis is put on the product development strategy.

Nothing in this document can be interpreted as a final product specification. CONNOTECH does not commit itself to offer products conforming to any part of this document. Contact CONNOTECH to obtain more information.

The CONNOTECH fax encryption devices are based on modern cryptography (the science of concealing information with cipher techniques), state-of-the-art telecommunications technology, and a unique design. Features include:

CONNOTECH is on a steady course for the development of the fax security technology. The following milestones were reached:

Prototype Fax Encryption Device

A prototype fax encryption device has been built, including nearly all hardware features of a production unit. The decision to build this prototype and its design were strongly influenced by the need to accelerate software development and to shorten the time to market for a field trial. This prototype allows software development to proceed unrestricted by hardware development delays. Refinements of the prototype hardware may occur in parallel.

Group 3 Facsimile Security Protocol

CONNOTECH development efforts are systematic and include proper documentation of all the project phases. This is especially true of the fax security protocol which is the most important single component of the fax security technology. It is a long lasting intellectual property asset in the sense that once implemented, such a protocol for terminal attachment is very hard to replace.

Payment by Authenticated Fax Transmission

In refining the application of enforceable contracts by fax to electronic funds transfer, CONNOTECH conducted systematic research of related published material and realized that the payment process using fax transmission had not been invented before. Consequently, CONNOTECH obtained a US patent to protect the invention of the pay-by-fax method.

Applying Existing Knowledge or Expertise

Reinventing the wheel is avoided to the fullest extent possible by CONNOTECH. As a result, CONNOTECH uses any available knowledge, expertise or prior art. It conducts systematic research of

As a general rule, this search for information is focused on operating principles rather than commercially available products or components. In this sense, not reinventing the wheel does not force CONNOTECH products to be assembled from purchased components.

This section describes the sources of existing knowledge upon which CONNOTECH relies.

Modern Cryptography

According to Webster's dictionary, a cipher is a method for transforming a text in order to conceal its meaning. The difficulty of breaking modern ciphers does not rely on hiding the method itself, but on hiding secret numbers used in the method. These secret numbers are known as cryptographic keys. Cipher systems are used routinely by the banking industry for securing electronic funds transfers, by diplomats, and by the military sector. They provide protection against the threat of espionage, ensuring privacy of communications.

The development of cipher systems is nowadays driven by the theoretical work of mathematicians, notably as refinements of number theory. Cryptology is the science of cipher systems. In this document, the term cryptography is used, referring to the technique of applying cryptology in actual products. Practical systems are being built with theoretical work first published about 15 years ago and further investigated and refined since then.

Cipher systems are increasingly used for functions other than mere confidentiality. This includes:

The standardization activities in the area of information security came to distinguish these generic security functions from specific cryptographic mechanisms used to implement them.

The secure fax technology is based on state-of-the-art cryptography. The remainder of this section describes the specific areas of the field of cryptography which are relevant to this project.

Public Key Cryptography and Digital Signatures

With traditional cipher systems, the communicating parties must make prior arrangements to exchange the cryptographic keys. The enciphered communication can take place only when both parties share the knowledge of a secret key. In most actual situations where the number of possible correspondents is large, this key management task tends to be a nuisance. This led to the development of public key cryptography, where two parties can start a secure communication session without prior agreement on secret keys.

The public key cipher system is based on private/public key pairs containing a private key and a public key. The private key is never divulged because the public key is sufficient to encipher a message to the private key holder.

Most private key cipher systems can be used for digital signatures. Knowledge of the private key is needed to generate the digital signature of a message. Knowledge of the public key corresponding to the private key is sufficient to verify the digital signature of the message. If the private key holder keeps his private key secret, only he can be the originator of a signature verified with his public key.

The foremost public key cryptographic mechanisms are the RSA scheme, named after its inventors Rivest, Shamir and Adleman, and the DSA (Digital Signature Algorithm) scheme promoted by the U.S. government. The RSA algorithm is patented in the United States.

Public key cryptography is highly compute-intensive. The digital signature of arbitrarily long messages is not practical. It is then suggested to affix the digital signature to a message fingerprint known as a Manipulation Detection Code (MDC). An MDC is a short bit string representative of a long message in such a way that modifying the message without changing the representative MDC is extremely difficult. A manipulation detection code is an instance of a hash code suitable for cryptographic application. Hash codes are sometimes used in computer databases to evenly distribute records indexed by long search criteria.

The selection of a suitable MDC for a cryptographic application remains an open issue since a number of proposals have been broken, at least from a theoretical perspective. An MDC is broken when someone finds a less than extremely difficult method to produce two messages with the same representative MDC.

Security Certificates

With public key cryptography, there is a requirement to know the public key of the other party in the communication session. This public key may be freely distributed, or published in a directory. There remains a threat, the impersonation attack, where an impostor successfully presents his own public key as the legitimate receiver's public key. Then the impostor is able to receive the message in place of the legitimate receiver.

The impersonation attack also threatens applications of digital signatures. For instance, in the case of an electronic funds transfer service, if the impostor manages to register his public key as the public key of a bank account holder, he can digitally sign fraudulent fund transfer requests.

The impersonation attack creates a requirement for key management in the case of public key cryptography. With public key cryptography, the goal of key management is to authenticate the public key ownership, the association of a public key with the identity of the corresponding private key holder.

To materialize the benefits of public key cryptography, it is attractive to rely on a small number of certification authorities to authenticate the public key ownership of all possible correspondents. When the public key ownership is authenticated by the digital signature of a certification authority, a security certificate is created from the authentication message with the affixed signature of the certification authority. An interesting property of security certificates is their lasting validity: once issued, they may be distributed by whatever means is appropriate to the circumstance, without further intervention of the certification authority (with the usual restriction that any cryptographic key should be changed from time to time).

The impersonation attack threatens the certification authority itself. Although the potential damages are significant, the small number of certification authorities makes the preventive measures easier to implement. Such measures can include publication of the certification authority's public key in a trade periodical.

Session Key Establishment

One of the very first public key cryptosystems was a session key establishment protocol proposed by Diffie and Hellman. Such a protocol is useful to exchange secret keys at the beginning of a communication session. With the Diffie-Hellman scheme, the impersonation attack takes the form of an illicit intermediary between the two legitimate parties in the communication.

The Diffie-Hellman scheme is used by a recently approved security protocol standard (see OSI Network Layer Security Protocol). This protocol includes provisions to counter the impersonation attack.

CONNOTECH developed an alternative to the Diffie-Hellman scheme, PEKE; see the article by Thierry Moreau, Probabilistic Encryption Key Exchange, Electronics Letters, Vol. 31, number 25, 7th December 1995, pp 2166-2168. The PEKE scheme uses the mathematical theory supporting the BBS pseudo-random number generator (see The BBS Pseudo-random Number Generator). The RSA cryptosystem can also be used for secret key transport, a reduced form of session key establishment protocol.

The Use of Random Numbers for Encipherment

A one-time pad is a cipher system in which a purely random stream of bits is used as a secret key. This secret key must be as long as the message itself and used only once. The encipherment algorithm is a simple exclusive-or operation between the cleartext message and the secret key. The legitimate recipient of the message knows the secret key and applies the same exclusive-or operation between the ciphertext and the secret key to recover the cleartext message. This type of cipher is impossible to break according to information theory.

Practical difficulties with the one-time pad cipher are related to secret key management, including:

  1. the length of the key,
  2. the requirement of key transmission between the sender and the receiver with a secured communications channel,
  3. the requirement to establish different keys with each correspondent, and
  4. the requirement to establish a different key for each message sent or received.

The key length issue is addressed with the use of a pseudo-random number generator. For our purpose, a pseudo-random number generator is a mathematical algorithm producing a long sequence of bits from a short seed. The pseudo-random sequence is completely determined by the mathematical algorithm and the value of the seed. Yet, no statistical test can differentiate the output sequence from a purely random sequence of bits. By substituting a purely random stream of bits with a pseudo-random sequence, the strong theoretic foundation of the one-time pad is traded for easier key management.

The BBS Pseudo-random Number Generator

One candidate pseudo-random number generator for cryptographic applications is the BBS generator, based on the simple mathematical operation x² mod N with properly selected N and initial value of x. The cryptographic properties of the x² mod N pseudo-random number generator were studied by three mathematicians; see the article by L. Blum, M. Blum, and M. Shub, A Simple Unpredictable Pseudo-random Number Generator, SIAM Journal of Computing, vol. 15, no. 2, May 1986, pp 364-383. See also an article submitted to Computers in Physics by Thierry Moreau, A practical 'perfect' pseudo-random number generator.
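The substitution described in the last two sections, as an added example that is not CONNOTECH's code: an x² mod N generator, taking one low-order bit per squaring as in the Blum, Blum and Shub paper, supplies the keystream for the exclusive-or encipherment. The primes, seed, sample messages and all function names are constructed for illustration; the modulus is built from public primes and protects nothing.

```python
"""x^2 mod N (BBS) keystream XORed with a message, as a stand-in for a one-time pad."""
from math import gcd

# Constructed demonstration parameters: two Mersenne primes, both congruent to
# 3 mod 4. They are public and far too small, so N offers no security here.
P = 2**127 - 1
Q = 2**89 - 1


class BBS:
    """Blum-Blum-Shub generator: one output bit per modular squaring."""

    def __init__(self, p, q, seed):
        if p == q or p % 4 != 3 or q % 4 != 3:
            raise ValueError("p and q must be distinct primes congruent to 3 mod 4")
        self.n = p * q
        if seed % self.n in (0, 1) or gcd(seed, self.n) != 1:
            raise ValueError("seed must be coprime to N and different from 0 and 1")
        # Squaring the seed once places the starting state among the quadratic
        # residues mod N, on which squaring acts as a permutation.
        self.x = pow(seed, 2, self.n)

    def next_bit(self):
        self.x = pow(self.x, 2, self.n)
        return self.x & 1  # least significant bit of the new state

    def keystream(self, nbytes):
        out = bytearray()
        for _ in range(nbytes):
            byte = 0
            for _ in range(8):
                byte = (byte << 1) | self.next_bit()
            out.append(byte)
        return bytes(out)


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encipher(seed, data):
    """Encipher or decipher: the same XOR with the same keystream does both."""
    return xor_bytes(data, BBS(P, Q, seed).keystream(len(data)))


def reuse_leak(seed, msg1, msg2):
    """XOR of two ciphertexts made with one seed: the keystream cancels out."""
    return xor_bytes(encipher(seed, msg1), encipher(seed, msg2))


if __name__ == "__main__":
    seed = 0x1234567890ABCDEF            # constructed seed, smaller than both primes
    page_a = b"PAY 100.00 TO ACCT 0001"  # constructed sample messages
    page_b = b"PAY 999.00 TO ACCT 0002"
    ct = encipher(seed, page_a)
    print("ciphertext:", ct.hex())
    print("recovered :", encipher(seed, ct))
    # Key management item 4 in the list above: a seed used for two messages
    # exposes the XOR of the two cleartexts without any knowledge of the seed.
    print("leak == a^b:", reuse_leak(seed, page_a, page_b) == xor_bytes(page_a, page_b))
```

The short seed replaces the message-length key of the one-time pad, but the requirement of a different key for each message remains: `reuse_leak` returns the XOR of the two cleartexts.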

OSI, Open Systems Interconnection and Related Standards

The standard making process is steadily gaining momentum and influence on the information technology and telecommunications sectors. CONNOTECH focuses on applying recognized telecommunications standards. Interfacing standards are less valued. Telecommunications standards ensure proper operation of two distant devices, operated if not built by unrelated parties. Interfacing standards facilitate integration of components from various manufacturers into a single system.

The term Open Systems Interconnection, or simply OSI, refers to an ISO initiative to standardize data telecommunications on a large scale. Although TCP/IP and the Internet have been deployed on a large scale, the OSI initiative represents a major achievement as a collection of worldwide consensuses. Recently, the work of the ITU (formerly CCITT) and that of the OSI initiative have been converging at an accelerated rate.

In this section, the relevant telecommunications standards of ITU (known as CCITT recommendations) and OSI (known as ISO/IEC standards) are indicated.

Fax Coding Format

Any application of the group 3 facsimile technology benefits from a standard format for transmission of page image data. This format is specified in CCITT recommendations T.4 and T.6.

With the secure fax technology, this universal format is extended by affixing a digital signature to each transmitted page.

Fax Packet Assembler-Disassembler

The group 3 facsimile protocol is defined in the CCITT recommendation T.30. The conversion of fax protocol to and from a data communications protocol is covered by CCITT recommendations X.5, X.38, and X.39. This protocol conversion allows full duplex communication with error correction where the CCITT recommendation T.30 supports only half duplex communication. Full duplex communication with error correction is a much easier environment for implementing public key cryptography.

OSI Network Layer Security Protocol

In the context of the OSI initiative, a new standard protocol for information security was approved: ISO/IEC 11577:1994. This standard specifies the OSI Network Layer Security Protocol (NLSP). The NLSP procedures allow cryptographic mechanisms to be applied to an otherwise unsecured data communication protocol.

For various reasons, a cryptographic mechanism is something difficult to standardize on a large scale. Historically, intelligence operations and cryptography played an important role in wars. This serves as a justification for export control restrictions on cryptographic equipment (see Accommodation of Export Control Restrictions). Moreover, the security requirements vary largely, from the privacy-concerned individual to the protection of national interest. Finally, a cipher system requires key management procedures which are beyond the scope of a communications protocol specification according to the ISO programme of work. Consequently, the NLSP specification leaves the details of cryptographic mechanisms unspecified. In many respects, the NLSP scope is limited to the placeholder for the cryptographic mechanisms within the base (unsecured) protocol.

In general, this limitation of the NLSP is impeding the widespread deployment of secure communications. On the other hand, the NLSP allows the use of public key cryptography, enabling secure communication between unrelated parties without prior mutual agreement on secret keys. Optional features of the NLSP use the Diffie-Hellman scheme for establishment of encipherment keys, and digital signatures for authentication. The NLSP allows private extensions to be defined. These features of the NLSP are useful for the secure fax technology.

Base Unsecured Protocol

In the OSI initiative, the protocols are organized in layers. A protocol in a given layer uses the services provided by the layer below itself and provides services to the layer above itself. The NLSP uses the services of the network layer protocol as the base (unsecured) protocol. There are two flavours of the OSI Network Layer service: the connection oriented mode and the connection-less mode. The Fax-PAD protocol conversion requires a connection oriented data communication protocol. Consequently, the secure fax technology uses the NLSP in conjunction with a connection oriented network protocol. In practice, a number of protocols may qualify as candidate base (unsecured) protocol for the secure fax technology.

If strict compliance to OSI is desired, the base protocol should be X.25. The X.25 protocol is specified in ISO/IEC 8208 and ISO/IEC 7776. When used in the OSI context, ISO/IEC 8878 is also of interest. The selection of X.25 as a base protocol does not preclude the use of a conventional telephone network connection as the physical layer. This arrangement is provided for in ISO/IEC 10732 covering the use of X.25 over the public switched telephone network (PSTN).

The X.25 protocol is a very mature standard, with a list of optional features that seems endless. The required capabilities for the secure fax technology constitute a small subset of the full X.25 protocol. To integrate the secure fax technology with diverse networking interfaces, the support of additional X.25 options may be required.

Group 3 Facsimile Security Protocol

CONNOTECH designed a group 3 facsimile security protocol as a proposed de-facto standard. This protocol is specified in a detailed document using the ISO drafting rules and the OSI discipline. This systematic approach to technology development is deemed to enhance its intrinsic value by facilitating:

The group 3 facsimile security protocol designed by CONNOTECH supports payments by fax, other types of enforceable contracts by fax, and the confidential fax transmission.

Cryptographic Key Management

Conventional fax has been successful as a communication means by virtue of being independent of any central administration. Fax is now seamless in the sense that given the phone number of any fax machine throughout the world, the fax user is highly confident that he can successfully establish a connection. When it comes to secure fax, the requirement for a public key certification authority is in contradiction with the success factor of fax.

The secure fax technology from CONNOTECH includes specific plans for a cryptographic key management scenario intended to make secure fax as seamless as possible. Being based on security certificates, the key management scenario does not require any certification authority or other third party to participate in a communication session. The issuance of a security certificate to a secure fax user requires collecting and validating evidence of the user identification, which is best done by a decentralized organizational unit. Typically, this could be a professional association, or a branch of a participating bank. Once the user identity verification has been completed by a decentralized organizational unit, a security certificate should be issued by a certification authority as widely recognized as possible. In this way, user identifications from unrelated decentralized organizations can be mutually recognized.

CONNOTECH developed a specific key management scenario along these lines, accommodating the fact that the various participants may renew their public/private cryptographic key pairs from time to time. This scenario is described in internal documentation of CONNOTECH, and publication in a specialized periodical is under consideration.

The key management scenario has to accommodate a range of user needs. At the low end of the spectrum, there is the secure fax user who wants absolutely no key management overhead and accepts less than optimal protection against threats such as fraudulent use of someone's identity. For these users, the key management scenario offers the fax encryption device manufacturer as the certification authority for the initial device buyer. In the group 3 facsimile security protocol, the diverse requirements for key management are reconciled by an automated negotiation process occurring at the outset of a communication session.

The key management scenario is implemented by direct communication between a fax encryption device and a certification authority management system. These interactions are protected by authentication and encipherment. The certification authority server system is responsible for updating the fax encryption device internal configuration. This process is meant to be automated, except when identity verification has to be made.

Cryptographic Application Rules

This section describes the application rules governing the development of the secure fax technology by CONNOTECH. Some of these rules influence the design of the core technology itself, by stating the anticipated success factors for the technology. Other rules influence the packaging of the core technology into actual products.

No Storage of Fax Message in Transit

Fax is a one-way communications means, more like mail than a two-way telephone conversation. This characteristic makes fax ideal for applications such as store and forward, fax mailboxes, and information retrieval systems. For security applications, any storage of the fax message in transit from the sender to the receiver would create a security burden in addition to the burden imposed on the sender and receiver themselves. Storage of the fax message is avoided by the secure fax technology of CONNOTECH. One exception to this rule is the confidentiality-on-reception server which is meant to be run by small organizational units.

No On-line Central Administration

Electronic mail and electronic commerce (electronic data interchange or EDI) rely on a central administration to provide added value to a communications network which is otherwise a commodity. The secure fax technology avoids a central organization. To satisfy any user but the least demanding ones, communication security still requires at least a central administration for off-line cryptographic key management (see Security Certificates and Cryptographic Key Management). In this case, the required central administration is a certification authority. The certification authority does not participate in a communication session between two users of the secure fax technology. This avoids significant burden and cost that would otherwise be incurred for each communication session.

Digital Signatures of Fax Page Image Data

The group 3 facsimile standard is based on an electronic transmission of a page image. The recording of a fax transmission is an exact representation of the pages as they were received on the receiver fax machine. The conversion from the recording to the actual paper copy is driven by a publicly specified process. In this sense, the recording of a fax transmission is much closer to a paper record than typical computer records. For instance, a word processor file can look very different depending on the printer used to get a hardcopy. Also, a word processor format is a proprietary specification.

The secure fax technology is based on affixing digital signatures to the fax page. This digital signature does not appear as a visible mark on a printed copy of a fax page. Instead, it is automatically verified when the fax page is received. In addition, it may be recorded with the fax page itself in a digital format and kept on a computer diskette or in a computer archival system. A software utility is provided to record and verify the signatures.
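The receiver-side checks implied by the Security Certificates section and by the page signatures described above, as an added example that is not CONNOTECH's protocol or code: the receiver validates the sender's certificate against the certification authority's public key without contacting the authority, then verifies the signature over the page fingerprint. SHA-256 stands in for the MDC and unpadded textbook RSA on small constructed primes stands in for the signature scheme; the certificate layout, subject name, page bytes and all function names are assumptions.

```python
"""Offline certificate check, then per-page signature check (toy textbook RSA)."""
import hashlib

E = 65537  # public exponent shared by every toy key below


def make_key(p, q):
    """Return (n, d) for textbook RSA on two constructed primes."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))


def mdc(data, n):
    """Message fingerprint: SHA-256 stands in for the MDC, reduced to fit n."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(n, d, data):
    return pow(mdc(data, n), d, n)


def verify(n, data, sig):
    return pow(sig, E, n) == mdc(data, n)


def cert_body(subject, subject_n):
    # The certificate binds an identity to a public key (assumed layout).
    return f"{subject}|{subject_n:x}".encode()


def issue_certificate(ca_n, ca_d, subject, subject_n):
    return {"subject": subject, "n": subject_n,
            "sig": sign(ca_n, ca_d, cert_body(subject, subject_n))}


def accept_page(ca_n, cert, expected_sender, page, page_sig):
    """Receiver-side checks; the certification authority is not contacted."""
    if cert["subject"] != expected_sender:
        return "rejected: certificate names another party"
    if not verify(ca_n, cert_body(cert["subject"], cert["n"]), cert["sig"]):
        return "rejected: certificate not signed by the CA"
    if not verify(cert["n"], page, page_sig):
        return "rejected: page signature does not match page data"
    return "accepted"


# Constructed keys built from small Mersenne primes: public, short, unpadded.
CA_N, CA_D = make_key(2**127 - 1, 2**89 - 1)
DEV_N, DEV_D = make_key(2**107 - 1, 2**61 - 1)
BAD_N, BAD_D = make_key(2**31 - 1, 2**19 - 1)    # impostor's own key pair

CERT = issue_certificate(CA_N, CA_D, "ACME Payables", DEV_N)
PAGE = bytes.fromhex("00180d3a5c") * 40           # constructed stand-in for page image data
PAGE_SIG = sign(DEV_N, DEV_D, PAGE)


def scenarios():
    altered = bytes([PAGE[0] ^ 0x01]) + PAGE[1:]  # one bit of the page changed
    # Impersonation case: the genuine CA signature is kept, the public key swapped.
    forged_cert = dict(CERT, n=BAD_N)
    return {
        "genuine": accept_page(CA_N, CERT, "ACME Payables", PAGE, PAGE_SIG),
        "altered page": accept_page(CA_N, CERT, "ACME Payables", altered, PAGE_SIG),
        "substituted key": accept_page(CA_N, forged_cert, "ACME Payables", PAGE,
                                       sign(BAD_N, BAD_D, PAGE)),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:16} {result}")
```

The signature covers the fingerprint of the page data only, so a recorded page, its signature and the certificate are enough to repeat the check later from an archive.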

Protection Against Fraudulent Use of Digital Signatures

In public key cryptography, if the private key is compromised, an enemy may be in a position to forge the digital signature of the legitimate private key user. Alternatively, the enemy may induce the legitimate private key user to inadvertently sign some document. This is easier with digital signatures than with handwritten ones since the digital signing operation is done by an electronic device. Given the potential damages, securing the use and the actual value of a private key of a public/private key pair is extremely important.

A signing device may be designed so that the private key of a public/private key pair need not be stored outside of the device. Strong access control measures must protect the digital signature capability of the signing device to prevent a signature being requested by anyone but the legitimate user of a given private key.

CONNOTECH is implementing the required protection so that its fax encryption devices can be used with confidence to enter significant contractual obligations. The access control mechanisms include a physical key with digital memory and password protection. The private key stored in a stolen fax encryption device cannot be used unless this physical key is also stolen and this password is known.

Enforcement of Digital Signatures

For nearly 20 years, the notion of a digital signature has been around in the field of cryptology. But still, the legal status of a digital signature is indeterminate. The application of public key cryptographic techniques for commercial contract signing was simply ignored by the members of the Electronic Messaging Services Task Force of the American Bar Association (see The Commercial Use of Electronic Data Interchange - A Report and Model Trading Partner Agreement and Model Electronic Data Interchange Trading Partner Agreement and Commentary, in the June 1990 edition of The Business Lawyer, on pages 1647-1749). This is typical of the slow penetration of new technologies. In this sense, applying digital signatures to fax is adapting a new technology to a mature one. The result may be easier to adopt than digital signatures in the context of electronic mail.

The close relation between the recording of a fax transmission and traditional paper based records is deemed to facilitate the enforcement of digital signatures. With this close relation, it is easier for an expert witness to certify that the digital signature is affixed to the exact computer representation of a printed page, the signature enforcement process having nothing to do with the details of the page contents.

The strong protection against fraudulent use of digital signatures is also a requirement for the recognition of digital signatures. This argues in favour of a stand-alone fax encryption device, isolated from the virus-prone personal computer environment.

Usually, when an obligation is created by the transmission of a signed document, the responsibility for evidence collection and preservation lies on the receiver of the document. This creates a requirement for the recording of the received secured fax message on a magnetic storage such as a computer diskette. This recorded evidence of a digital signature can be presented to an expert witness by the receiver if the contract has to be enforced by legal action. Presumably, the sender of the contract would have entered a prior agreement to acknowledge the validity of the expert testimony in the event of such dispute.

Accommodation of Export Control Restrictions

Cryptographic products are subject to export control restrictions. These export restrictions do not apply between the US and Canada. Export of encipherment products using key sizes of 56 bits and over is currently not permitted. If the effective key size is up to 40 bits, an export permit is to be expected. An export permit may also be granted when the end-user is a foreign subsidiary of a US or Canadian company. Another situation where an export license is generally granted is for products performing authentication only.

The export restrictions on cryptographic equipment are the subject of much debate in the US. Until now, the authorities have been impervious to the argument that products manufactured abroad are as strong as their US or Canadian equivalents.

In the meantime, the secure fax technology by CONNOTECH includes special provisions to turn off the encipherment functions while retaining the authentication and digital signature functions. This is intended to facilitate acceptance of payment by fax and other forms of enforceable contracts by fax on an international basis irrespective of export control restrictions on encipherment equipment.

In addition, CONNOTECH is taking the necessary steps to get an export license for its fax encryption device, using an encipherment algorithm of reduced strength for export markets outside of the US and Canada.



CONNOTECH Experts-conseils Inc.
9130 Place de Montgolfier
Montréal, Québec, Canada, H2M 2A1
Tél.: +1-514-385-5691 Fax: +1-514-385-5900