AGENCY SPOTLIGHT
DEPARTMENT OF COMMERCE

Security, standards and technology

By Hank Hogan, HSToday IT Correspondent

Digital television is one of the most popular reasons to visit the Department of Commerce’s website right now. But Commerce’s impact is substantial in other areas of technology more important to homeland security, some of which are vital today and others that will not be critical for decades.

A case in point of the latter is quantum information processing, a field that is currently largely confined to laboratories, but has already led to some commercial products. The technology exploits the seemingly magical realm of quantum mechanics and has drawn the attention of the National Institute of Standards and Technology (NIST), a part of Commerce. NIST is already looking down the road to a time decades hence when quantum computers could exist. Because they will operate differently than today’s computers, these new devices would have a devastating impact on the foundation of today’s secure communications.

“It turns out that one of the things they’re very good at is solving the kinds of problems on which our current public key cryptographic algorithms depend,” William Barker, chief cybersecurity advisor at NIST, told Homeland Security Today.

Since it takes many years to develop, prove and deploy new algorithms, NIST is already at work on the problem of finding new techniques that will stand up to assault from quantum computers. But that’s not all the agency is doing. It’s also working on providing much more near-term solutions that will improve computer security.

Hashing for security

For example, within cryptography, NIST is in the process of running a competition to develop a new generation of hashing algorithms for digital signatures. These algorithms compress data and ensure, with a high degree of confidence, that nobody else can duplicate the hash output or tamper with the data without detection. Those properties make a digital signature unique and immune to counterfeiting.

Actually, the immunity isn’t quite total. In 2005, researchers discovered potential flaws in the most widely used hash algorithms. So NIST is working on a replacement group, with a new standard perhaps being published four or five years from now.

Still, nearer term, the agency is trying to come up with a solution to a common problem. Many systems ship in a configuration that isn’t the most secure, and the same is true for application packages. This arrangement is the norm because setup often requires access to settings and the like that shouldn’t be available during normal—and, therefore, more secure—operation. System administrators are then often left with the need to manually change settings to the optimal ones. Since it’s a manual operation, it sometimes doesn’t get done.

But NIST has some software packages to help automate the process by comparing configurations against recommendations, and those packages are increasing in number. “We’ll have an increasing number of tools available over the next one to three years,” said Barker.

Unfortunately, the configuration problem will grow much more complex during that time with the advent of cloud computing and the deployment of Web 2.0 applications. Barker is confident, though, that the agency’s work will help provide solutions.

The standard for identification

A good deal of what NIST does involves standards, with examples being found in both computer security and access management. For the former, the agency has come up with standards and guidelines for the entire federal government. In the case of the latter, NIST is working with the biometric community to improve the identification of individuals. This technology is being used for access cards that replace passwords and for tokens for physical right of entry.

Part of this work entails helping to develop standards. Some of it, on the other hand, involves evaluating systems. This is done by subjecting a biometric system to a set of test data and then determining how well it did in correctly identifying subjects, according to Martin Herman, chief of the agency’s information access division.

Unlike what might be done in a commercial setting, the evaluation results are freely available to all. This goes for the findings for both research and commercial systems, and there’s a fundamental reason for this approach.

“We can let the developers know how well their systems are performing and possibly where their strengths and weakness are so they can improve. Our real goal is to accelerate the state of the art and the technology,” Herman told Homeland Security Today.

He noted that an area of increasing interest involves multimodal biometrics, such as a fingerprint combined with face or iris recognition. The agency is running a multiple biometric challenge, using data gathered from people who are walking—as a result, the data is gathered at a distance. The evaluation against the sequestered test data set should be completed soon, with results compiled and published at a later date.

One problem that such multimodal biometrics may solve is spoofing. It’s possible that someone could present a false fingerprint or use a picture, hoping in that way to fool a biometric system. Checking for more than one biometric would help prevent this, since the attacker would have to come up with false fingerprints and a corresponding fake iris, for example.

Even multimodal biometrics may not be enough. The bad guys are likely to eventually devise ways to attack such safeguards. However, don’t worry. As is the case for other problems that present future homeland security threats, NIST is already contemplating what’s needed.

For example, one solution to the biometrics challenge might be systems that automatically determine whether they’re being presented something static, like a picture or fake fingerprints, or something alive, like a real person. Summing up the situation, Herman said, “There need to be other technologies developed, such as, perhaps, liveness testing.”

Homeland Security Today Magazine | May 2009