9.3.5. Email impersonation
9.3.5.1. Risk classification table
Table 9.5.
9.3.5.2. Context
This vulnerability applies to eAIP distribution by email through the Internet or another network.
9.3.5.3. Description
SMTP, the protocol used for email transmission on the Internet, does not provide authentication of the sending party. Anybody can forge the sender's name and email address. Therefore, the sender's name and address cannot be trusted. To impersonate an AIS office, all the attacker needs to know is the (usually, publicly available) email address and name. He can then simply change his name and email address in his email client software and send out mails which appear to come from the official AIS office, and which contains modified, outdated or erro-neous data..
9.3.5.4. Mitigating controls
Electronic signature: The sending party signs the email or attached documents. The end-user can then confirm the authenticity and origin of the message, as the attacker can not forge the electronic signature.
9.3.6. Media interception
9.3.6.1. Risk classification table
Table 9.6.
9.3.6.2. Context
This vulnerability applies to eAIP distribution via CD-ROM, DVD, hard disk or any other digital transmission which requires physical transport.
9.3.6.3. Description
A determined attacker may arrange the interception of one or several packages containing eAIP digital media. He may replace these media by others containing a modified or outdated eAIP.
9.3.6.4. Mitigating controls
Electronic signature: An end user can check the authenticity and origin of the package he receives by validating the electronic signature associated to it.
9.3.7. Data corruption
9.3.7.1. Risk classification table
Table 9.7.
9.3.7.2. Context
This vulnerability applies to all digital channels of distribution of the eAIP.
9.3.7.3. Description
The integrity of the eAIP package is not guaranteed: transport and media failures (a hard disk failure, CD-ROM corruption or interrupted download) can leave the user with an incomplete or corrupt eAIP.
This corruption can be accidental or intentional (i.e. sabotage).
9.3.7.4. Mitigating controls
Electronic signature: An end user can check the validity of a file using the electronic signature. Indeed, the signature contains integrity information regarding the signed file. Data corruption is similar to data tampering in the sense that the file is modified. As such, it will not match its signature.
9.4. Proposed Mitigation
9.4.1. Proposed solution
The risk analysis above shows us that the use of electronic signatures can reduce the risks associated with the publication and transmission of the electronic AIP.
The use of electronic signature in conjunction with the eAIP has the following effects:
.
The end-user can certify the authenticity of the information: certify that the eAIP ori-ginates from the right authority;
.
The end-user can guarantee the integrity of the data: certify that the received eAIP is complete, not corrupt and unmodified since its publication by the AIS office.
In short, this solution requires first to set-up the necessary environment:
1.
The AIS office sets up a signing environment, for example, x509 or PGP.
2.
The AIS office provides each end-user with the signing certificate or public key using a different channel than the one used for transmitting the eAIP. The end-user checks with the AIS office for authenticity.
3.
The end-user acquires the proper software to verify the signature.
For each publication of an eAIP:
1.
The AIS office signs the published eAIP package, for example using x509 or PGP. If several packages are provided, each is signed individually.
2.
The eAIP packages are distributed together with their signatures.
中国航空网 www.aero.cn
航空翻译 www.aviation.cn
本文链接地址:Electronic AIP Specification(20)
