RSA Laboratories - Frequently Asked Questions

Nightingale™ is a security technology that helps protect all types of sensitive data against both internal and external threats. Drawing on RSA Laboratories' new secret-splitting technology, Nightingale is designed to be easily integrated into application software as a server module for the back-end of any network. It adds a powerful extra layer of defense to the applications you build.

Any ordinary server today is a single point of compromise. An attacker compromising just that one server can seize all its privileges and the data it manages. Even strong encryption and secure (FIPS 140) hardware don't solve this basic problem. (That's because a hacker compromising a server gets the same access to keys or hardware as the server itself.) Nightingale strengthens security by doing away with single points of compromise in a network.

With Nightingale, sensitive data is cryptographically distributed across two locations - the Nightingale module/server and an application server. This process is known as secret-splitting. A hacker, insider, Trojan horse, or virus that compromises either location gets no access at all to sensitive data. Most importantly, thanks to its special architecture and cryptographic design, the Nightingale server/module is better protected from Web-based threats and insider attacks than an ordinary server. In other words, Nightingale more than doubles the security of the data it protects.

Q. What benefits does Nightingale bring to my business?

Nightingale is a powerful, security technology that is engineered to be easy to integrate. There are several key benefits that come from enabling your application software with Nightingale:

Competitive advantage: With Nightingale, you can build applications and products that give sensitive data a whole new level of security. You and your software customers and/or users can employ data online more widely and seamlessly and with more confidence.
Easier compliance: The applications you build are better able to comply with regulatory laws for data privacy, including HIPAA, the Graham-Leach-Bliley Act, 21 CFR Part 11, and E.U. privacy directives and "safe-harbor" provisions. Nightingale reduces the risk to organizations of the stiff, multi-million-dollar fines and other penalties that violation of these laws can bring.
Reduced risk and liability: Nightingale brings the benefits of stronger, safer data stores, and therefore of less business risk and legal liability.
Greater confidence for consumers: Because identity theft is a growing menace, users and consumers will appreciate the enhanced privacy and security of personal data brought by Nightingale.

Q. Why else do I need to give extra protection to my data?

Firewalls, virus-checkers, strong authentication, and intrusion detection are critical front-line defenses in your network. But they aren't enough. New viruses, inside attackers, social engineers, and hackers exploiting new software bugs can punch through these defenses to get to the inner tiers of your network. That's why enterprises are increasingly subjected to major financial loss due to break-ins. In its 2002 annual "Computer Crime and Security Survey", the Computer Security Institute (CSI) revealed that the most serious financial losses resulting from computer-security breaches involved data theft. A mere twenty-six respondents together reported $170,827,000 in losses. The CSI surveys also show that these numbers are increasing dramatically from year to year. With new laws such as HIPAA, the Graham-Leach-Bliley Act, 21 CFR Part 11, and E.U. privacy directives imposing stiff fines and penalties for data-protection failures, it is clear that protection of sensitive data is a priority for any organization.

Q. What kind of data can Nightingale protect?

Nightingale helps protect three types of sensitive data with cryptographic secret-splitting. The first type is authentication data, meaning the secrets employed to enable users to prove their identities. This includes passwords and PINs. It also includes personal data, like your birth-date and Social Security Number, often used for self-service password reset. Nightingale protects such information by allowing an application server and the Nightingale server jointly to verify correct user entry of such secrets without either server ever seeing the secrets. This remarkable capability is achieved through sophisticated cryptographic protocols for concealed comparison of secrets.

The second type of data that Nightingale helps to protect is business data, including customer records, employee information, credit-card numbers, and any other type of sensitive intelligence. The application server and the Nightingale server store this information in cryptographically split form and only reassemble it for an entity that has successfully authenticated to both servers. The reassembly can be done on the client or on an authorized remote server such that the application and Nightingale servers never see the data in question; or the information can be reassembled temporarily on the application server.

Finally, Nightingale helps protect a third type of data, namely cryptographic keys. For example, it is possible to split the storage of a digital signing key between the application server and the Nightingale server. Like the business data above, the signing key could be reassembled on the client, enabling secure roaming. Or even better, the application server and the Nightingale server can keep the signing key in split form and jointly sign documents on behalf of a properly authenticated owner. This means a new level of non-repudiation for business transactions.

Q. Who should consider Nightingale?

Banks, healthcare organizations, identity-providers, and on-line government services are all important aggregators of sensitive consumer data. If you build applications for such enterprises, then Nightingale can give your software or product a critical defensive edge.

Q. How does Nightingale provide better security?

Everyone knows that it's a bad idea to have a single point of failure in your network, namely a server or resource whose failure alone disables your network. It's also a bad idea to have a single data store: You're taking a big risk if you store data in one place without backing it up in case of a software or hardware failure.

By similar reasoning, you cannot achieve the highest level of security if you have a single point of compromise on your network. But that's exactly what you have with a conventional server. When that one server is compromised, all its secrets and privileges are exposed. (That's because a hacker compromising a server gets the same access to keys or hardware as the server itself.) In the 2002 annual Computer Security Institute (CSI) "Computer Crime and Security Survey," which involved 503 computer security practitioners, 90% of respondents reported computer-security breaches within the last twelve months; these were primarily large corporations and government agencies, according to the survey. The security configurations in use today are often inadequate in an increasingly hostile Internet environment.

Nightingale adopts a new approach to security. It makes use of cryptographic secret splitting to disperse sensitive data across two locations - the Nightingale module/server and any other server you run. This eliminates single points of compromise. A hacker, insider, Trojan horse, or virus that compromises either location gets no access at all to your data. Moreover, thanks to its special architecture, the Nightingale server/module is better protected from Web-based threats than an ordinary server, so that Nightingale more than doubles your security.

Q. Why can't I just protect my secrets by hashing them?

Hashing cannot be used to protect data that you want to use in explicit form, like ordinary business data or cryptographic keys. That's because hashing is a non-reversible operation: Once hashed, the data cannot be conveniently recovered.

Hashing can be used to protect authentication secrets, namely the secrets used to verify users' identities. In fact, it is commonly used to protect passwords. Hashing does not generally offer good protection of low entropy secrets, though, like poorly chosen passwords or answers to "life questions," i.e., personal questions used for password reset. That's because an attacker that compromises such hashed values can mount a so-called brute-force or dictionary attack against them with relative ease.

Moreover, it is in some cases useful to be able to gain explicit access to authentication secrets. Suppose I've authenticated myself to a Web site and want to be reminded of my answer to the password-reset question, "What is your favorite book?" If it's hashed, the answer is not conveniently available. If it's stored in Nightingale, it can be presented to the user (without the servers seeing it).

Most importantly, though, Nightingale offers a critical security advantage over hashing alone. If an attacker compromises a user's hashed authentication secrets on an application server, then the attacker can impersonate the user. This is because the hashed secrets themselves serve as authenticators. The Nightingale system aims to protect against just this kind of compromise. Nightingale can in fact be used in conjunction with hashing for even stronger protection of authentication secrets.

Q. What is cryptographic secret-splitting?

Secret splitting is a cryptographic technique in Nightingale that breaks a piece of data into two components. Learning one of these components does not reveal half of the data -- it actually reveals no information at all. Secret splitting is a technique well known to cryptographic experts, and often known as secret sharing.

In the most basic form of secret splitting, a secret is split into shares, which are stored on two servers. The secret can later be reassembled from the shares and used for some cryptographic purpose. The secret is thus protected from compromise in its "stored" state, while becoming available "in transit".

In more advanced forms, such as those employed in Nightingale, the two servers can "simulate" the use of the secret without even reassembling it, thus not exposing the secret at all. Some examples of this "split-key cryptography" include digital signatures and verifying correct user entry of personal data

Q. What kind of network configurations are possible for the Nightingale server/module?

Nightingale is designed to enable a wide spectrum of different configurations, according to the security needs of a network. It can be deployed as an independent server on the back end of a network, offering protection of application servers. By placing the Nightingale server in a different physical location and/or administrative domain as the application servers it protects, it is possible to achieve effective secret-splitting and a high level of security.

In fact, the Nightingale server can even be administered by an outside entity. Thanks to the secret-splitting in Nightingale, this entity does not learn any information at all about the sensitive data on your application servers. In fact, special cryptographic protocols ensure that the Nightingale server does not even know the account names used by the application server - the shares are stored anonymously. Thus with Nightingale it is possible to create a new security paradigm in which privacy is outsourced.

Q. How easy is Nightingale to deploy and use?

Nightingale operates as a server module engineered for easy integration into the back-end on any network. The Nightingale software-development kit (SDK) is written in Java and can be easily integrated into most platforms. Underlying cryptographic protocols and operations are packaged for developers into easy-to-use, high-level APIs. Clients in a Nightingale-enhanced network can use any standard Web browser, so there's no need to deploy special-purpose software.

Nightingale server components can be implemented as applications, servlets, or Enterprise Java Beans. Data storage on the servers is flexible, allowing use of any JDBC-compliant relational database or a directory service. The SDK allows multiple formats for the messages exchanged by the Nightingale client and servers, including CGI for submitting data from Web forms and XML for Web-service applications.

Q. Will Nightingale affect the performance of my Web applications?

Powered by the RSA BSAFE« cryptographic toolkit, Nightingale offers fast performance. For most applications, Nightingale imposes no more overhead than other cryptographic security tools. For intensive operations like password checking in high-traffic environments, it is possible to replicate of Nightingale servers to deliver a high level of performance.

Q. Will Nightingale be available in RSA Security products?

RSA Laboratories is currently completing a research implementation of the Nightingale technology, consisting of a protocol library and a sample application. The implementation will be available to selected customers for evaluation and further development. Nightingale may support members of the RSA Security products family starting in 2005.

Q. Is Nightingale a scientific breakthrough?

Nightingale capitalizes on a range of inventions developed by the cryptographic community over the course of many years. These inventions include Diffie-Hellman key agreement, zero-knowledge proof techniques, cut-and-choose proofs, and secret sharing. It would be most accurate to say that Nightingale represents an advance in the practical application of these ideas.

Q. Can Nightingale replace secure (FIPS 140) hardware?

Nightingale is a complement to secure hardware, not a substitute. It is possible - and often desirable - to use both technologies together for the highest level of security. Individual secret shares - or the key that protects them - can be stored by the application server and the Nightingale server in their respective secure-hardware modules.

Q. Who invented Nightingale?

The design and implementation of Nightingale were the joint effort of the scientists at RSA Laboratories.

Q. Is Nightingale patented?

RSA Security has patents pending on a number of elements of the Nightingale technology.

Q. Can Nightingale be used for identity management?

Most certainly. First, Nightingale provides protection of authentication data, e.g., passwords, PINs, and personal data used for authentication in Web environments. This helps identity providers achieve a high level of security for authentication based on static secrets. Second, Nightingale helps protect stored data, and permits it to be securely transmitted, upon valid authentication, to any designated location - be it a client, an application server, or a remote site. Thanks to the underlying cryptographic protocols in the system, both of these functions can be achieved with the data being exposed to neither the application server nor the Nightingale server. Identity providers in particular need to protect their large aggregations of sensitive, personal data with the highest level of assurance. Nightingale is designed to meet this aim.

Q. Can Nightingale help prevent identity theft?

In February 2002, Gartner Group completed a survey revealing that 1 in 50 consumers was the victim of identity theft within the past year; their report further noted that the problem will likely swell in the next few years to unmanageable proportions. By securing the personal data used to authenticate users, including Social Security numbers, mothers' maiden names and birth-dates, Nightingale provides more accurate authentication of users: It thus alleviates the threat of identity theft resulting from attacks against authentication databases, helping to eliminate the "fear factor" cited by Gartner as deterring many consumers from Web use.

Q. How can I learn more about Nightingale?

To learn more about Nightingale, please visit the Nightingale Web site at http://www.rsasecurity.com/rsalabs/node.asp?id=2424, or talk to your RSA Security sales representative.

Enhanced User Authentication Techniques Life Question Primer Vouching Primer Primer on Error Tolerance in Life Question Authentication Nightingale RFID Privacy and Security Wireless Access-Control Research Project (WARP) High Assurance & Integrity Layer (HAIL)	Home: Research Areas: Enhanced User Authentication Techniques: Nightingale Frequently Asked Questions What is Nightingale? What benefits does Nightingale bring to my business? Why else do I need to give extra protection to my data? What kind of data can Nightingale protect? Who should consider Nigthingale? How does Nightingale provide better security? Why can't I just protect my secrets by hashing them? What is cryptographic secret-splitting? What kind of network configurations are possible for the Nightingale server/module? How easy is Nightingale to deploy and use? Will Nightingale affect the performance of my web applications? Will Nightingale be available in RSA products? Is Nightingale a scientific breakthrough? Can Nightingale replace secure (FIPS 140) hardware? Who invented Nightingale? Is Nightingale patented? Can Nightingale be used for identity management? Can Nightingale help prefent identity theft? How can I learn more about Nightingale? Q. What is Nightingale? Nightingale™ is a security technology that helps protect all types of sensitive data against both internal and external threats. Drawing on RSA Laboratories' new secret-splitting technology, Nightingale is designed to be easily integrated into application software as a server module for the back-end of any network. It adds a powerful extra layer of defense to the applications you build. Any ordinary server today is a single point of compromise. An attacker compromising just that one server can seize all its privileges and the data it manages. Even strong encryption and secure (FIPS 140) hardware don't solve this basic problem. (That's because a hacker compromising a server gets the same access to keys or hardware as the server itself.) Nightingale strengthens security by doing away with single points of compromise in a network. With Nightingale, sensitive data is cryptographically distributed across two locations - the Nightingale module/server and an application server. This process is known as secret-splitting. A hacker, insider, Trojan horse, or virus that compromises either location gets no access at all to sensitive data. Most importantly, thanks to its special architecture and cryptographic design, the Nightingale server/module is better protected from Web-based threats and insider attacks than an ordinary server. In other words, Nightingale more than doubles the security of the data it protects. Q. What benefits does Nightingale bring to my business? Nightingale is a powerful, security technology that is engineered to be easy to integrate. There are several key benefits that come from enabling your application software with Nightingale: Competitive advantage: With Nightingale, you can build applications and products that give sensitive data a whole new level of security. You and your software customers and/or users can employ data online more widely and seamlessly and with more confidence. Easier compliance: The applications you build are better able to comply with regulatory laws for data privacy, including HIPAA, the Graham-Leach-Bliley Act, 21 CFR Part 11, and E.U. privacy directives and "safe-harbor" provisions. Nightingale reduces the risk to organizations of the stiff, multi-million-dollar fines and other penalties that violation of these laws can bring. Reduced risk and liability: Nightingale brings the benefits of stronger, safer data stores, and therefore of less business risk and legal liability. Greater confidence for consumers: Because identity theft is a growing menace, users and consumers will appreciate the enhanced privacy and security of personal data brought by Nightingale. Q. Why else do I need to give extra protection to my data? Firewalls, virus-checkers, strong authentication, and intrusion detection are critical front-line defenses in your network. But they aren't enough. New viruses, inside attackers, social engineers, and hackers exploiting new software bugs can punch through these defenses to get to the inner tiers of your network. That's why enterprises are increasingly subjected to major financial loss due to break-ins. In its 2002 annual "Computer Crime and Security Survey", the Computer Security Institute (CSI) revealed that the most serious financial losses resulting from computer-security breaches involved data theft. A mere twenty-six respondents together reported $170,827,000 in losses. The CSI surveys also show that these numbers are increasing dramatically from year to year. With new laws such as HIPAA, the Graham-Leach-Bliley Act, 21 CFR Part 11, and E.U. privacy directives imposing stiff fines and penalties for data-protection failures, it is clear that protection of sensitive data is a priority for any organization. Q. What kind of data can Nightingale protect? Nightingale helps protect three types of sensitive data with cryptographic secret-splitting. The first type is authentication data, meaning the secrets employed to enable users to prove their identities. This includes passwords and PINs. It also includes personal data, like your birth-date and Social Security Number, often used for self-service password reset. Nightingale protects such information by allowing an application server and the Nightingale server jointly to verify correct user entry of such secrets without either server ever seeing the secrets. This remarkable capability is achieved through sophisticated cryptographic protocols for concealed comparison of secrets. The second type of data that Nightingale helps to protect is business data, including customer records, employee information, credit-card numbers, and any other type of sensitive intelligence. The application server and the Nightingale server store this information in cryptographically split form and only reassemble it for an entity that has successfully authenticated to both servers. The reassembly can be done on the client or on an authorized remote server such that the application and Nightingale servers never see the data in question; or the information can be reassembled temporarily on the application server. Finally, Nightingale helps protect a third type of data, namely cryptographic keys. For example, it is possible to split the storage of a digital signing key between the application server and the Nightingale server. Like the business data above, the signing key could be reassembled on the client, enabling secure roaming. Or even better, the application server and the Nightingale server can keep the signing key in split form and jointly sign documents on behalf of a properly authenticated owner. This means a new level of non-repudiation for business transactions. Q. Who should consider Nightingale? Banks, healthcare organizations, identity-providers, and on-line government services are all important aggregators of sensitive consumer data. If you build applications for such enterprises, then Nightingale can give your software or product a critical defensive edge. Q. How does Nightingale provide better security? Everyone knows that it's a bad idea to have a single point of failure in your network, namely a server or resource whose failure alone disables your network. It's also a bad idea to have a single data store: You're taking a big risk if you store data in one place without backing it up in case of a software or hardware failure. By similar reasoning, you cannot achieve the highest level of security if you have a single point of compromise on your network. But that's exactly what you have with a conventional server. When that one server is compromised, all its secrets and privileges are exposed. (That's because a hacker compromising a server gets the same access to keys or hardware as the server itself.) In the 2002 annual Computer Security Institute (CSI) "Computer Crime and Security Survey," which involved 503 computer security practitioners, 90% of respondents reported computer-security breaches within the last twelve months; these were primarily large corporations and government agencies, according to the survey. The security configurations in use today are often inadequate in an increasingly hostile Internet environment. Nightingale adopts a new approach to security. It makes use of cryptographic secret splitting to disperse sensitive data across two locations - the Nightingale module/server and any other server you run. This eliminates single points of compromise. A hacker, insider, Trojan horse, or virus that compromises either location gets no access at all to your data. Moreover, thanks to its special architecture, the Nightingale server/module is better protected from Web-based threats than an ordinary server, so that Nightingale more than doubles your security. Q. Why can't I just protect my secrets by hashing them? Hashing cannot be used to protect data that you want to use in explicit form, like ordinary business data or cryptographic keys. That's because hashing is a non-reversible operation: Once hashed, the data cannot be conveniently recovered. Hashing can be used to protect authentication secrets, namely the secrets used to verify users' identities. In fact, it is commonly used to protect passwords. Hashing does not generally offer good protection of low entropy secrets, though, like poorly chosen passwords or answers to "life questions," i.e., personal questions used for password reset. That's because an attacker that compromises such hashed values can mount a so-called brute-force or dictionary attack against them with relative ease. Moreover, it is in some cases useful to be able to gain explicit access to authentication secrets. Suppose I've authenticated myself to a Web site and want to be reminded of my answer to the password-reset question, "What is your favorite book?" If it's hashed, the answer is not conveniently available. If it's stored in Nightingale, it can be presented to the user (without the servers seeing it). Most importantly, though, Nightingale offers a critical security advantage over hashing alone. If an attacker compromises a user's hashed authentication secrets on an application server, then the attacker can impersonate the user. This is because the hashed secrets themselves serve as authenticators. The Nightingale system aims to protect against just this kind of compromise. Nightingale can in fact be used in conjunction with hashing for even stronger protection of authentication secrets. Q. What is cryptographic secret-splitting? Secret splitting is a cryptographic technique in Nightingale that breaks a piece of data into two components. Learning one of these components does not reveal half of the data -- it actually reveals no information at all. Secret splitting is a technique well known to cryptographic experts, and often known as secret sharing. In the most basic form of secret splitting, a secret is split into shares, which are stored on two servers. The secret can later be reassembled from the shares and used for some cryptographic purpose. The secret is thus protected from compromise in its "stored" state, while becoming available "in transit". In more advanced forms, such as those employed in Nightingale, the two servers can "simulate" the use of the secret without even reassembling it, thus not exposing the secret at all. Some examples of this "split-key cryptography" include digital signatures and verifying correct user entry of personal data Q. What kind of network configurations are possible for the Nightingale server/module? Nightingale is designed to enable a wide spectrum of different configurations, according to the security needs of a network. It can be deployed as an independent server on the back end of a network, offering protection of application servers. By placing the Nightingale server in a different physical location and/or administrative domain as the application servers it protects, it is possible to achieve effective secret-splitting and a high level of security. In fact, the Nightingale server can even be administered by an outside entity. Thanks to the secret-splitting in Nightingale, this entity does not learn any information at all about the sensitive data on your application servers. In fact, special cryptographic protocols ensure that the Nightingale server does not even know the account names used by the application server - the shares are stored anonymously. Thus with Nightingale it is possible to create a new security paradigm in which privacy is outsourced. Q. How easy is Nightingale to deploy and use? Nightingale operates as a server module engineered for easy integration into the back-end on any network. The Nightingale software-development kit (SDK) is written in Java and can be easily integrated into most platforms. Underlying cryptographic protocols and operations are packaged for developers into easy-to-use, high-level APIs. Clients in a Nightingale-enhanced network can use any standard Web browser, so there's no need to deploy special-purpose software. Nightingale server components can be implemented as applications, servlets, or Enterprise Java Beans. Data storage on the servers is flexible, allowing use of any JDBC-compliant relational database or a directory service. The SDK allows multiple formats for the messages exchanged by the Nightingale client and servers, including CGI for submitting data from Web forms and XML for Web-service applications. Q. Will Nightingale affect the performance of my Web applications? Powered by the RSA BSAFE« cryptographic toolkit, Nightingale offers fast performance. For most applications, Nightingale imposes no more overhead than other cryptographic security tools. For intensive operations like password checking in high-traffic environments, it is possible to replicate of Nightingale servers to deliver a high level of performance. Q. Will Nightingale be available in RSA Security products? RSA Laboratories is currently completing a research implementation of the Nightingale technology, consisting of a protocol library and a sample application. The implementation will be available to selected customers for evaluation and further development. Nightingale may support members of the RSA Security products family starting in 2005. Q. Is Nightingale a scientific breakthrough? Nightingale capitalizes on a range of inventions developed by the cryptographic community over the course of many years. These inventions include Diffie-Hellman key agreement, zero-knowledge proof techniques, cut-and-choose proofs, and secret sharing. It would be most accurate to say that Nightingale represents an advance in the practical application of these ideas. Q. Can Nightingale replace secure (FIPS 140) hardware? Nightingale is a complement to secure hardware, not a substitute. It is possible - and often desirable - to use both technologies together for the highest level of security. Individual secret shares - or the key that protects them - can be stored by the application server and the Nightingale server in their respective secure-hardware modules. Q. Who invented Nightingale? The design and implementation of Nightingale were the joint effort of the scientists at RSA Laboratories. Q. Is Nightingale patented? RSA Security has patents pending on a number of elements of the Nightingale technology. Q. Can Nightingale be used for identity management? Most certainly. First, Nightingale provides protection of authentication data, e.g., passwords, PINs, and personal data used for authentication in Web environments. This helps identity providers achieve a high level of security for authentication based on static secrets. Second, Nightingale helps protect stored data, and permits it to be securely transmitted, upon valid authentication, to any designated location - be it a client, an application server, or a remote site. Thanks to the underlying cryptographic protocols in the system, both of these functions can be achieved with the data being exposed to neither the application server nor the Nightingale server. Identity providers in particular need to protect their large aggregations of sensitive, personal data with the highest level of assurance. Nightingale is designed to meet this aim. Q. Can Nightingale help prevent identity theft? In February 2002, Gartner Group completed a survey revealing that 1 in 50 consumers was the victim of identity theft within the past year; their report further noted that the problem will likely swell in the next few years to unmanageable proportions. By securing the personal data used to authenticate users, including Social Security numbers, mothers' maiden names and birth-dates, Nightingale provides more accurate authentication of users: It thus alleviates the threat of identity theft resulting from attacks against authentication databases, helping to eliminate the "fear factor" cited by Gartner as deterring many consumers from Web use. Q. How can I learn more about Nightingale? To learn more about Nightingale, please visit the Nightingale Web site at http://www.rsasecurity.com/rsalabs/node.asp?id=2424, or talk to your RSA Security sales representative. Top of Page	Nightingale Frequently Asked Questions Nightingale in the News Related Documents RSA Conference 2003 Presentation (ppt) Technical Paper (pdf) Presented at the 12th USENIX Security Symposium, August 2003, Washington D.C.
		Email to a friend Print