RCAS Authentication (Correspondence, 05/04/93, GAO/AFMD-93-70R).

Pursuant to an Army request, GAO reviewed the electronic authentication
system used in the Army's Reserve Component Automation System (RCAS).
GAO noted that: (1) the electronic signatures generated by the
authentication system do not provide the same quality of evidence as
handwritten signatures; (2) the system's cryptographic algorithms and
techniques have not received required approval from the National
Institute of Standards and Technology or the National Security Agency;
(3) RCAS, as designed, is too dependent on the secrecy of its algorithms
and is too susceptible to unauthorized disclosure; and (4) the RCAS
contractor needs to adopt and properly implement government approved
standards and techniques to overcome the system's shortcomings.

--------------------------- Indexing Terms -----------------------------

 REPORTNUM:  AFMD-93-70R
     TITLE:  RCAS Authentication
      DATE:  05/04/93
   SUBJECT:  Army procurement
             Systems design
             Computer security
             Information processing operations
             ADP
             Computerized information systems
IDENTIFIER:  Army Reserve Component Automation System
             
******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO report.  Delineations within the text indicating chapter **
** titles, headings, and bullets are preserved.  Major          **
** divisions and subdivisions of the text, such as Chapters,    **
** Sections, and Appendixes, are identified by double and       **
** single lines.  The numbers on the right end of these lines   **
** indicate the position of each of the subsections in the      **
** document outline.  These numbers do NOT correspond with the  **
** page numbers of the printed product.                         **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
** A printed copy of this report may be obtained from the GAO   **
** Document Distribution Center.  For further details, please   **
** send an e-mail message to:                                   **
**                                                              **
**                                            **
**                                                              **
** with the message 'info' in the body.                         **
******************************************************************


Cover
================================================================ COVER



May 1993


GAO/AFMD-93-70R

RCAS Authentication

(901633)


Abbreviations
=============================================================== ABBREV

  DSS - Digital Signature Standard
  NIST - National Institute of Standards and Technology
  NSA - National Security Agency
  RCAS - Reserve Component Automation System

Letter
=============================================================== LETTER


B-253174

May 4, 1993

Mr.  Charles E.  Tompkins, III
Deputy Program Manager
Reserve Component Automation System
Department of the Army

Dear Mr.  Tompkins: 

This letter responds to your March 5, 1993, request that we sanction
the electronic authentication system used in the Reserve Component
Automation System (RCAS) for financial applications.  RCAS processes
unclassified and classified data.  Based on the material provided
with your letter and discussions with your staff, we have concluded
that the electronic signatures generated by this system do not
provide the same quality of evidence as the handwritten signatures
they are designed to replace.  We are unable to sanction your
electronic authentication system for financial and contractual
purposes because it does not provide reasonable assurance that the
signatures generated will meet the criteria outlined in 71 Comp. 
Gen.  l09 (1991).  Specifically, we note that your system uses
cryptographic algorithms and techniques which have not been approved
by either the National Institute of Standards and Technology (NIST)
or the National Security Agency (NSA).  We do not sanction systems
whose algorithms and techniques have not been approved by the
appropriate agency. 

The Computer Security Act assigns to NIST the authority and the
responsibility to establish standards for federal computer systems
that process sensitive but unclassified information after
coordination with NSA.  These standards include acceptable methods to
ensure the security and privacy of information in those systems.  In
addition, NSA establishes policies and procedures that must be used
for the protection of classified material.  Both NIST and NSA have
established procedures for the evaluation and approval of
cryptographic algorithms for use by the federal government. 

Although the RCAS contractor's conceptual approach of condensing the
data to be signed and then encrypting the condensed value can produce
acceptable electronic signatures, the techniques adopted do not
follow federal government standards and practices which have been
approved by NIST and NSA.  Our concerns include the use of (1)
proprietary cryptographic and hash algorithms which have not been
approved by either NIST or NSA and (2) a cryptographic process that
primarily depends on the protection and secrecy of the cryptographic
and hash algorithms.  We believe that several options are available
to address our concerns. 


   CRYPTOGRAPHIC AND HASH
   ALGORITHMS
------------------------------------------------------------ Letter :1

It is our understanding that the cryptographic and hash algorithms
used in your system were developed by your contractor and have not
been approved by either NIST or NSA.  Since these agencies are
recognized experts on cryptographic algorithms, systems, and
techniques for unclassified and classified applications,
respectively, we defer to them for ensuring that the methodology
selected is appropriate.  The hash algorithm appears to be critical
to your signature generation process because it represents a
condensed version of the data which is used in that process. 
Therefore, the hash algorithm needs to be designed so that it is
computationally infeasible to (1) find a message which corresponds to
a given message digest or (2) find two different messages which will
produce the same message digest.  As in the case of cryptographic
algorithms, very few hash algorithms have maintained their integrity
over time. 


   SECRECY OF CRYPTOGRAPHIC AND
   HASH ALGORITHMS
------------------------------------------------------------ Letter :2

As discussed in the material provided, the cryptographic and hash
algorithms appear to construct the keys used in their processes from
the data being signed.  Since the algorithms are able to generate and
derive the critical keying material, any individual who has access to
the algorithm can derive the key.  Once the key is known, the data
can be changed and a forged signature generated.  When these altered
data are validated later, the forged signature will validate the
changed data.  We are concerned about this approach because relying
primarily on an algorithm's secrecy for its security increases the
risk of accepting an improper signature as valid.  According to a
NIST official, good cryptographic systems do not depend entirely on
the secrecy of the algorithm.  Instead, they depend on (1) using good
key generation methods and (2) keeping the critical keying material
from unauthorized disclosure. 

The unauthorized disclosure of your cryptographic algorithm would be
catastrophic to your electronic signature system.  All data would
become suspect, and the electronic signature system would have to be
reengineered.  During this reengineering process, other methods,
probably costly manual paper and handwritten signatures, would need
to be employed.  We recognize that in good cryptographic systems the
unauthorized disclosure of critical keying material can also cause
significant problems and may cause the existing data to become
suspect.  However, the primary advantage of using sound cryptographic
techniques is that the system itself can still be used with new
keying material. 

Furthermore, the risk of unauthorized disclosure is increased in your
system because the electronic signature system is software-based and
is maintained in the RCAS system where access is more readily
available than if it resided in secure hardware-based cryptographic
modules.  For example, one possible source of unauthorized disclosure
would appear to include the programmers working on the electronic
signature generation and validation modules. 


   AVAILABLE OPTIONS
------------------------------------------------------------ Letter :3

Adopting and properly implementing government approved standards and
techniques would address our concerns.  For example, proper
implementation of the proposed Digital Signature Standard (DSS) would
be acceptable for your unclassified data and NSA has agreed to accept
it on a case-by-case basis for classified applications.  Therefore,
NSA may also approve its use in your system.  Since your system
processes classified data, we would also accept a statement from NSA
that your system has adequate controls to ensure that the GAO
criteria have been met.  Specifically, the signatures generated are
to be (1) unique to the signer, (2) under the signer's sole control,
and (3) capable of being verified.  The signatures must also be
generated in a manner that links the data to the signature. 
Therefore, should the underlying data change, the signature would be
invalidated during the signature verification process.  We recognize
that other alternatives may also address our concerns. 


---------------------------------------------------------- Letter :3.1

We appreciate the opportunity to comment on your proposed electronic
signature approach and the challenges that your agency faces in
undertaking a major system development such as RCAS.  We hope that
our comments will assist your efforts.  Should you have any
questions, please contact Chris Martin, Assistant Director, at (202)
512-9481. 

Sincerely yours,

Donald H.  Chapin
Assistant Comptroller General

*** End of document. ***