Introduction: the security purpose of money; More about the history of money; Double entry bookkeeping; Banking records and data processing; The Clark-Wilson integrity model; The purpose of audit; Financial Transaction network protocols; Cryptographically anonymised money; Limits of digital anonymous money. The Security of Financial Transactions
One way to look at money is as a security construct. Alice has one more camel than she needs, which Bob wants. How is Alice going to ensure that Bob values it at least as much as she does and that she can obtain something of value to her in return? In an ideal world where people would always respect property and provide others with what they needed, money would not be required, because Alice would know that Bob would look after the camel well and that she is as likely to receive from others what she needs as Bob is to be able to use and look after the camel. Money is needed because people are not always honest, generous, economical and willing to help. The security purpose of money
Direct barter, e.g. getting a lump of valuable metal in return isn't always practical. So Mallory, who has a strongroom, acts as banker to Alice keeping the piece of gold Bob gave for the camel, giving her a piece of paper to indicate the deposit. Mallory soon discovers that the gold stays in his strongroom to the extent that he can issue 7 notes for every measure of gold with little risk. One banknote goes to Alice and the other six are either lent out by Mallory at interest or perhaps he might invest them himself by building houses for rent. If Mallory's notes have serial numbers on them this makes it more possible to trace thieves who steal them from Alice or forgers who make copies of them. Origin of banking
Nowadays 97% of the money in circulation in the UK is in the form of chequable and electronically transferrable deposits and credit card limits. The world still contains our cast of characters intent on attacking the system, such as Joe Semtex the bank robber, Ethel the bent securities trader and Dmitry the money launderer etc. But with less cash moving around and more of the electronic equivalent, Joe's audacious armed raids on security vans are netting fewer returns for greater risks while Dmitry and Ethel's criminal activities are expanding. The increasing complexity of the system has given our cast of criminal misfits more possible modes of attack. Money as information
The job of the financial security engineer in closing the increasing number of holes isn't getting easier. Considering the rewards Mallory obtained from the construction of the strongroom in which Alice kept her gold, we shouldn't forget the price that everyone else has ended up paying those who succeed in the task of providing various kinds of security or persuading those who thought they didn't need this that they do. George Bernard Shaw: "every profession is a conspiracy against the laity". Andrew Carlan: "The third law of politics is that power abhors a vacuum". The difference between lawful and unlawful security services depends upon who makes the laws. Security services or protection racket?
Various histories (e.g. Adam Smith, "The Wealth of Nations") suggest that money started out as lumps of valuable metal. The earliest metal coins date from around 650 BC. If recent archaeological discoveries concerning ancient forms of accounting are correctly interpreted, earlier money may have taken the more abstract form of clay warehouse receipts representing the goods concerned 3000 years before coins were first made. Early history of money
"The immediate precursor of cuneiform writing was a system of tokens. These small clay objects of many shapes--cones, spheres, disks, cylinders, etc.--served as counters in the prehistoric Near East and can be traced to the Neolithic period, starting about 8000 B.C. They evolved to meet the needs of the economy, at first keeping track of the products of farming, then expanding in the urban age to keep track of goods manufactured in workshops. The development of tokens was tied to the rise of social structures, emerging with rank leadership and coming to a climax with state formation. Also, corresponding to the increase in bureaucracy, methods of storing tokens in archives were devised. One of these storage methods employed clay envelopes, simple hollow clay balls in which the tokens were placed and sealed. A drawback of the envelopes was that they hid the enclosed tokens. Accountants eventually resolved the problem by imprinting the shapes of the tokens on the surface of the envelopes prior to enclosing them. The number of units of goods was still expressed by a corresponding number of markings. An envelope containing seven ovoids, for example, bore seven oval markings." Denise Schmandt-Besserat Did tax accounting precede writing ?
Early systems of accounting had to deal with the occasional corrupt insider. When business became too complex to trust record keeping to one person in one place, double-entry bookkeeping was invented. This still doesn't seem obvious, but the principle is that every transaction has to be recorded in one book or ledger as an asset and in another book as a liability. For example, a customer of a bank makes a cash deposit. From the bank's point of view, the contents of the cash till represent an asset, and the customer's deposit account is the bank's liability. It is obvious that the bank needs to keep score in terms of the deposit account. Double entry accounting extends to each bank branch, not just the business as a whole. Double-Entry Bookkeeping
Q. Why keep a separate record of what goes in and out of the cash till as well as deposit accounts? A. This means that the ledger recording money in and out of the till should correspond with the amount of cash in the till. Otherwise, if the amount of money in the till is incorrect, the discrepancy could not so easily be traced. DEB FAQs 1
Q. But isn't a business supposed to make a profit and isn't this an asset? A. Yes, but the profit a business makes belongs to its shareholders. If a bank has cash in the vault or owns deposits elsewhere which result from higher earnings than costs (i.e. profit), these will appear in the books as assets. Any profits that have been made are also immediately a liability that the business has to its owners the moment the profit is made, so if the book recording profits which the business owes to shareholders is kept up to date then all the books should still balance. DEB FAQs 2
Q. What happens if a business makes a loss? A. To start with, a business needs investment. This asset is capital the business can use to launch operations before it starts making a profit. In the liabilities book this is what the business owes to its owners and creditors. A business becomes insolvent when its liabilities exceed assets to the extent that creditors have to reduce expectations of what the business can pay back, so after these adjustments are made the books still balance. DEB FAQs 3
Accounting master file: This will contain each customer's current balance, previous transactions over a certain period, and a carry forward amount for the start of this period. Ledgers: These track assets such as cash on their way through the system. Banking records and data processing 1
Journals: These track transaction inputs from check sorters, cash machines etc. not yet input into ledgers. Audit trail: This records which member of staff did what and when. Banking records and data processing 2
Batch Processing: A set of programs runs in sequence at the end of a day's business, to input data from the various journals to update the relevant ledgers. An example might be a cash deposit by a customer into a savings account. The relevant journals should include deposits into savings accounts and cash in and out of the till. After all the inputs have been used to update the ledgers, all the asset and liability ledgers should still balance. If they don't, this indicates an error which is investigated. The order in which batch programs are run can influence the outcome, e.g. making payments into accounts occur before payments out of them reduces the risk of overdrafts. Banking records and data processing 3
Transaction Processing: The reason for having separate journals and ledgers is that this enables a batch to be rerun based on the same starting state if a failure occurs prior to batch completion. Backup copies of all files have to be taken before a batch job is started, and these files determining the starting state of the system will be restored prior to a rerun. Software engineers describe the approach to data processing where a set of related updates either complete as a unit or are rewound to the starting state as transaction processing. Preventing accidental discrepancies and maintaining the security of the system are intimately connected concerns. Banking records and data processing 4
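The end-of-day batch described in the two slides above, as an added sketch that is not part of the original slides. The ledger layout, journal formats and function names are hypothetical and the figures are constructed; the point is that the opening ledgers act as the backup, so an unbalanced run can be abandoned and rerun, and that run order changes the overdraft outcome.

```python
import copy

class BatchError(Exception):
    """Raised when the end-of-day run must be abandoned and rerun."""

def run_batch(ledgers, till_journal, deposit_journal, credits_first=True):
    """Apply one day's journals to a copy of the ledgers.

    Returns (new_ledgers, overdrawn_accounts). The caller's ledgers are the
    backup: they are never modified, so a failed batch can simply be rerun.
    """
    work = copy.deepcopy(ledgers)
    entries = list(deposit_journal)
    if credits_first:
        # Stable sort: payments in (amount >= 0) run before payments out.
        entries.sort(key=lambda e: e[1] < 0)
    overdrawn = []
    for account, amount in entries:
        work["deposits"][account] = work["deposits"].get(account, 0) + amount
        if work["deposits"][account] < 0 and account not in overdrawn:
            overdrawn.append(account)
    work["till"] += sum(till_journal)
    # Asset ledger and liability ledgers must agree once all inputs are used.
    if work["till"] != sum(work["deposits"].values()):
        raise BatchError("ledgers do not balance; restore backup and investigate")
    return work, overdrawn

# Constructed sample data: opening state and one day's journals.
OPENING = {"till": 50, "deposits": {"alice": 50}}
TILL_JOURNAL = [-80, 100]
DEPOSIT_JOURNAL = [("alice", -80), ("alice", 100)]

if __name__ == "__main__":
    print(run_batch(OPENING, TILL_JOURNAL, DEPOSIT_JOURNAL, credits_first=False))
    print(run_batch(OPENING, TILL_JOURNAL, DEPOSIT_JOURNAL, credits_first=True))
```

A till journal that is missing an entry raises `BatchError` and leaves `OPENING` untouched, which is the rerun-from-backup property.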
If double entry books are kept by different clerks, or computers, or sandboxed processes, containers or virtual machines under the control of different administrators, this leads to a situation where fraud requires the collusion of 2 or more members of staff, otherwise known as "shared control". This principle is extended in banking to ensure that one member of staff doesn't have too much influence over the systems that keep track of what they do. Giving Nick Leeson management control over the Barings Bank Singapore dealing room and back office operations at the same time violated this principle. The events leading up to this and the consequent collapse of Barings Bank were described in the film "Rogue Trader". Separation of Duties
The Clark-Wilson model is based on an analysis of the procedures adopted by the banking industry, which rest on the concepts described above, formulated into a set of rules. The Bell-LaPadula model relevant to Multi-Level Security is primarily concerned with information confidentiality. The Clark-Wilson model (CWM) is concerned with information integrity. The Clark-Wilson integrity model
UDI - Unconstrained Data Item, e.g. an input to the system prior to authentication and validation. CDI - Constrained Data Item, e.g. a validated and authenticated input the processing of which maintains accounting balance. TP - Transformation Procedure. A means of transforming input data to output CDI which maintains the integrity of CDIs and which writes enough information to an append-only CDI (audit trail) to enable the transaction to be reconstructed. Clark Wilson model terms: UDI, CDI, TP
IVP - Integrity Verification Procedure - a procedure used to check the validity of a CDI, e.g. that books balance. user - a subject or an agent such as a bank clerk, ATM engineer, forex dealer, systems programmer, security officer, typically having insider access. triple - Access control is by means of triples: (user, TP, CDI) so that shared control is enforced. Clark Wilson model terms: IVP, user, triple
The model consists of two sets of rules: Certification Rules (C) and Enforcement Rules (E). The nine rules ensure the external and internal integrity of the data items. To paraphrase these: C1 - When an IVP is executed, it must ensure the CDIs are valid. C2 - For some associated set of CDIs, a TP must transform those CDIs from one valid state to another. Clark Wilson rules C1, C2 (source: http://en.wikipedia.org/wiki/Clark-Wilson_model)
Since we must make sure that these TPs are certified to operate on a particular CDI, we must have E1 and E2. E1 - System must maintain a list of certified relations and ensure only TPs certified to run on a CDI change that CDI. E2 - System must associate a user with each TP and set of CDIs. The TP may access the CDI on behalf of the user if it is "legal". Clark Wilson rules E1, E2 (source: http://en.wikipedia.org/wiki/Clark-Wilson_model)
This requires keeping track of triples (user, TP, {CDIs}) called "allowed relations". C3 - Allowed relations must meet the requirements of "separation of duty". We need authentication to keep track of this. E3 - System must authenticate every user attempting a TP. Note that this is per TP request, not per login. Clark Wilson rules C3, E3 (source: http://en.wikipedia.org/wiki/Clark-Wilson_model)
For security purposes, a log should be kept. C4 - All TPs must append to a log enough information to reconstruct the operation. When information enters the system it need not be trusted or constrained (i.e. can be a UDI). We must deal with this appropriately. C5 - Any TP that takes a UDI as input may only perform valid transactions for all possible values of the UDI. The TP will either accept (convert to CDI) or reject the UDI. Clark Wilson rules C4, C5 (source: http://en.wikipedia.org/wiki/Clark-Wilson_model)
Finally, to prevent people from gaining access by changing qualifications of a TP: E4 - Only the certifier of a TP may change the list of entities associated with that TP. Clark Wilson rules E4 (source: http://en.wikipedia.org/wiki/Clark-Wilson_model)
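The terms and rules from the preceding slides, as an added sketch that is not part of the original slides or of any real banking system. It shows one TP (a cash deposit), the (user, TP, CDIs) triple check, per-request authentication, the append-only log and an IVP that checks the books balance. All user names, passwords and ledger names are constructed for illustration.

```python
import hmac

class IntegrityError(Exception):
    pass

# CDIs: one asset book and one liability book, plus the append-only audit trail.
LEDGERS = {"till_cash": 0, "deposits": 0}
AUDIT_LOG = []
# Constructed credentials for the sketch; a real system would not store these in clear.
PASSWORDS = {"clerk_a": "pw-a", "clerk_b": "pw-b"}

def tp_cash_deposit(udi):
    """TP: accept or reject the UDI (C5), then keep the books in a valid state (C2)."""
    amount = udi.get("amount")
    if not isinstance(amount, int) or isinstance(amount, bool) or amount <= 0:
        raise IntegrityError("UDI rejected")
    LEDGERS["till_cash"] += amount   # asset entry
    LEDGERS["deposits"] += amount    # matching liability entry
    return {"tp": "cash_deposit", "account": str(udi.get("account")), "amount": amount}

DEPOSIT_CDIS = frozenset({"till_cash", "deposits"})
TPS = {"cash_deposit": (tp_cash_deposit, DEPOSIT_CDIS)}
# E1/E2: the certified (user, TP, CDIs) triples. clerk_b holds none here.
ALLOWED = {("clerk_a", "cash_deposit", DEPOSIT_CDIS)}

def ivp_books_balance():
    """IVP (C1): the asset and liability books must agree."""
    return LEDGERS["till_cash"] == LEDGERS["deposits"]

def run_tp(user, password, tp_name, udi):
    """Authenticate per request (E3), check the triple (E1/E2), log the result (C4)."""
    expected = PASSWORDS.get(user, "")
    if not expected or not hmac.compare_digest(expected, password):
        raise PermissionError("authentication failed")
    tp, cdis = TPS[tp_name]
    if (user, tp_name, cdis) not in ALLOWED:
        raise PermissionError("no allowed relation for this user and TP")
    record = tp(udi)
    AUDIT_LOG.append({"user": user, **record})
    if not ivp_books_balance():
        raise IntegrityError("books do not balance")
    return record

if __name__ == "__main__":
    print(run_tp("clerk_a", "pw-a", "cash_deposit", {"amount": 100, "account": "acct-1"}))
    print(LEDGERS, AUDIT_LOG)
```

Rule E4 (only the certifier may change `ALLOWED`) is outside the sketch: in Python nothing stops other code from editing the set, so that control has to come from the surrounding system.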
This policy formulation only goes so far in protecting a system against dishonest insiders. Rule C3 requires a "separation of duties" but doesn't specify what this means. Another problem referred to by Ross Anderson in "Security Engineering", Wiley 2001, is that some transactions require more than one TP in order to be fully validated, e.g. a chequing account that requires 2 signatures. This can result in a pending transactions file, where there would normally be an expectation that entries in this ledger are completed or removed within a limited period of time, e.g. 3 days. Limitations of Clark-Wilson 1
Anderson describes an attack where a bank clerk siphoned money out of the system into a friend's account from a suspense account into which new transactions were continually input to cover the imbalance. Eventually the clerk responsible for the fraud became unable to keep track of the growing number of transactions. Having a rule where every bank employee has to take at least one week's holiday every 6 months reduces the risk of someone being able to maintain this kind of juggling act without being noticed for very long. Limitations of Clark-Wilson 2
It's one thing for an organisation to keep books and records. It's another for these records to pass muster by an independent and experienced professional who comes in unannounced at any time to check them and confirm whether or not the records correspond to reality. Banks do this more frequently using internal auditors, but accounts of all organisations over a certain size will have to be externally audited once a year. In practice auditors will tend to check samples of activity. The purpose of an audit isn't to prove that a system contains no errors, but to carry out spot checks which help encourage participants to stay honest and alert, by risking detection of any dishonesty or sloppy oversight through audit. The purpose of Audit
In any protocol that involves a sequence of messages between the initiator (client) and the responder (server), it is possible for the last message in the protocol to be lost. The sender and receiver of this last message are now in different states concerning the same transaction. For some purposes, e.g. sending an email, the client might simply resend later. This can result in the same email being sent once but received 1 or more times. Financial protocols have to be stateful, to avoid missed or duplicate payments. The final message can be re-requested later until both initiator and respondent are in certain and compatible states concerning an identified transaction. Financial Transaction network protocols
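The lost-final-message case described above, as an added sketch that is not part of the original slides. The class, function and account names are hypothetical and the data is constructed; the server keeps state per transaction identifier so a resent request gets the stored reply back, and the `dedupe=False` mode shows the duplicate payments that result without that state.

```python
class PaymentServer:
    """Responder that remembers every identified transaction it has completed."""

    def __init__(self, balances, dedupe=True):
        self.balances = dict(balances)
        self.dedupe = dedupe
        self.completed = {}   # txn_id -> (request, stored reply)

    def handle(self, txn_id, src, dst, amount):
        request = (src, dst, amount)
        if self.dedupe and txn_id in self.completed:
            prior_request, reply = self.completed[txn_id]
            if prior_request != request:
                # Same identifier, different content: refuse rather than guess.
                return {"txn_id": txn_id, "status": "conflict"}
            return reply      # re-request: resend the stored reply, pay nothing
        if amount <= 0 or self.balances.get(src, 0) < amount:
            reply = {"txn_id": txn_id, "status": "rejected"}
        else:
            self.balances[src] -= amount
            self.balances[dst] = self.balances.get(dst, 0) + amount
            reply = {"txn_id": txn_id, "status": "paid"}
        self.completed[txn_id] = (request, reply)
        return reply

def pay_with_retry(server, txn_id, src, dst, amount, lost_replies=0, max_tries=5):
    """Initiator: resend the same identified transaction until a reply arrives.

    lost_replies simulates the network dropping that many final messages:
    the server has already acted, but the client never hears about it.
    """
    for attempt in range(1, max_tries + 1):
        reply = server.handle(txn_id, src, dst, amount)
        if attempt <= lost_replies:
            continue
        return reply, attempt
    return None, max_tries

if __name__ == "__main__":
    for dedupe in (True, False):
        server = PaymentServer({"alice": 100, "bob": 0}, dedupe=dedupe)
        print(dedupe, pay_with_retry(server, "txn-0001", "alice", "bob", 30, lost_replies=2),
              server.balances)
```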
Probably the most useful form of anonymous money currently is conventional cash. You don't have to know who is spending it to authenticate it when you accept it, and you don't have to say who you are when you spend it. But cash isn't used for Internet purchases. In the early 1990s, a number of libertarians designed, developed and campaigned for the concept of digital anonymous cash. This digital money was cryptographically "blinded" so as to prevent the bank knowing who was paying how much for what, while including protocols preventing double spending of digital tokens. Anonymous money 1
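One way blinding and a double-spending check can fit together, as an added sketch that is not part of the original slides. It assumes textbook RSA blind signatures as the construction (the slides do not name a scheme), uses a constructed toy key that is far too small for real use, and all function and class names are hypothetical.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy RSA key for the bank: modulus, public and private exponents.
N, E, D = 61 * 53, 17, 2753

def coin_value(serial: bytes) -> int:
    """Map a coin's serial number into the RSA group (toy-sized hash)."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N

def random_blinding_factor() -> int:
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:            # must be invertible mod N to unblind later
            return r

def blind(serial: bytes, r: int) -> int:
    """Customer: hide the coin before sending it to the bank."""
    return (coin_value(serial) * pow(r, E, N)) % N

def bank_sign(blinded: int) -> int:
    """Bank: sign at withdrawal without seeing the serial number."""
    return pow(blinded, D, N)

def unblind(blind_signature: int, r: int) -> int:
    """Customer: strip the blinding factor, leaving the bank's signature on the coin."""
    return (blind_signature * pow(r, -1, N)) % N

def verify(serial: bytes, signature: int) -> bool:
    return pow(signature, E, N) == coin_value(serial)

def withdraw_coin(serial: bytes) -> int:
    """Full withdrawal: blind, have the bank sign, unblind."""
    r = random_blinding_factor()
    return unblind(bank_sign(blind(serial, r)), r)

class DepositDesk:
    """Bank side at redemption: each serial number is accepted once."""

    def __init__(self):
        self.spent = set()

    def deposit(self, serial: bytes, signature: int) -> str:
        if not verify(serial, signature):
            return "invalid"
        if serial in self.spent:
            return "double-spend"
        self.spent.add(serial)
        return "accepted"

if __name__ == "__main__":
    coin = b"coin-0001"               # constructed serial number
    sig = withdraw_coin(coin)
    desk = DepositDesk()
    print(desk.deposit(coin, sig), desk.deposit(coin, sig))
```

The bank signs a value it cannot tie to the serial it later sees at deposit, yet the spent-serial set still lets it refuse a second deposit of the same coin.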
One reason why anonymous digital cash may be less necessary than advocates including Hettinga and Chaum suggested is that data protection laws prevent unwarranted use by banks of customer records. Another factor concerns the improved security the bank customer obtains precisely from the accounting carried out by the bank. Sacrificing this for anonymity is likely to be something few will feel the need to do other than for small payments. Anonymous money 2
This involves cryptographic discovery and signing of special numbers or 'Bitcoins' which results in proof of work. Initial and earlier 'mining' efforts were more productive of new valid Bitcoins than later ones, as there exists a finite amount to be discovered. Validation of the next transaction block results in knowledge of which cryptography keys control which identified Bitcoins. This involves network 'consensus' between those engaged, so security depends upon no single party or conspiracy being able to establish a majority vote. Accepting and spending these in a genuinely 'anonymous' way seems difficult, as is securing a wallet. Dealers between Bitcoins and other currencies are at risk of conventional payment repudiation unless contract terms enforce use of cleared funds only. Some have likened this network to a Ponzi scheme, as holder belief in value and lack of underwriting create similar financial characteristics. The Bitcoin network
Electronic cash can probably never provide absolute anonymity because this conflicts with Carlan's third law of politics, that: "power abhors a vacuum". The state would use any means at its disposal to close down those visibly underwriting a financial system sufficiently anonymous to be usable for an assassination market, because the latter would directly conflict with a primary purpose of the state. If the network were not underwritten, the state would pursue those advertising acceptance of anonymous payments. This doesn't prevent development of useful payment systems e.g. based upon the London Oyster Card where the recipient of small amounts of money can't identify the person making the payment. Limits of anonymous finance