Rhode Island New Hire Reporting Directory
Security White Paper Regarding
New Hire Reporting on the Internet
THE PURPOSE
Security on the internet, looked at closely, offers states and employers an excellent method for interfacing. With proper setup and implementation, security on the internet can surpass many of the measures in place today. To understand and appreciate this complex technology you need to understand how files are transferred and then what the encryption does to those files during the transfer.

This white paper is an attempt to outline the measures taken by MAXIMUS as we introduce our New Hire Reporting Site. This is a significant opportunity to speed up a process where 75% of new hire reports are submitted via paper. All new hire reports done via the internet can be electronically downloaded to a new hire system, eliminating data entry. Employers are granted access to the MAXIMUS secure site and the employer information is verified. The only information that needs to be keyed by the employer is the new employee information. The new hire system issues an e-mail receipt with date and time stamps for all reports. All reports will be downloaded to the state's new hire system, and wage assignments can be distributed by CSE. We believe this technology is the bridge for implementation of the Welfare Reform provisions that require partnerships with the private sector.
THE SECURITY ISSUES
Without thorough security, information transmitted over the Internet is susceptible to fraud and other misuse by intermediaries. Information traveling between an individual computer and a server uses a routing process that can extend over many computer systems. Any one of these computer systems represents an intermediary with the potential to access the flow of information between your computer and a trusted server. You need security to make sure that intermediaries cannot deceive you, eavesdrop on you, copy from you, or damage your communications.
The challenges of secure internet communication that need to be addressed are:
Server Authentication (thwarting impostors)
How do I authenticate users to make sure they are who they claim to be? Standard Web protocols such as TCP/IP and HTTP make impersonating a person or an organization relatively simple. For example, if Alice connects to http://www.well-known-retailer.com, how does she know that site is actually operated by the well-known retailer? How can I safeguard confidential documents to ensure that only authorized individuals have access to them?
Privacy (thwarting eavesdroppers)
How can I protect the privacy of my communications in real time (such as the data flowing between a Web client and a Web server)?
Data Integrity (thwarting vandals)
How can I ensure that messages have not been tampered with between the sender and the recipient?
There is a single technology that provides the foundation for solving all of these challenges: cryptography. Cryptographic technology is embodied in industry-standard protocols such as SSL (Secure Sockets Layer), SET (Secure Electronic Transactions) and S/MIME (Secure/Multipurpose Internet Mail Extensions). These standards provide the foundation for a wide variety of security services, including encryption, message integrity verification, authentication, and digital signatures.
What Is Cryptography?
Cryptography comprises a family of technologies that include the following:
Encryption transforms data into some unreadable form to ensure privacy. Internet communication is like sending postcards, in that anyone who is interested can read a particular message; encryption offers the digital equivalent of a sealed envelope.
Decryption is the reverse of encryption; it transforms encrypted data back into the original, intelligible form.
Authentication identifies an entity such as an individual, a machine on the network, or an organization.
Digital signatures bind a document to the possessor of a particular key and are the digital equivalent of paper signatures.
Signature verification is the inverse of a digital signature; it verifies that a particular signature is valid.
SECURITY MEASURES TAKEN BY MAXIMUS
The security measures for the New Hire Reporting site include:
1. Establish internet sites on a secure server. MAXIMUS has a secure server which uses an industry standard protocol called SSL (Secure Sockets Layer). The SSL protocol is able to negotiate encryption keys as well as authenticate the server before data is exchanged by the higher-level application. The SSL protocol maintains the security and integrity of the transmission channel by using encryption, authentication and message authentication codes. Apache-SSL, which MAXIMUS uses, utilizes the highest level of encryption (128 bit) allowed by law.
2. The secure site can only be accessed by a browser that is compliant with the SSL protocol. If a browser which is not compliant with the SSL protocol attempts to connect to the secure server, it will be denied access. All of the leading browsers (Netscape, Microsoft, AOL, etc.) are compliant with the SSL protocol.
3. The secure site uses an unregistered URL (internet address); therefore, the sites will not be listed with any search engines.
4. Companies wishing to use the internet to report New Hires need to contact MAXIMUS to receive the URL, a user name, and a unique password.
5. Upon connecting to the URL, a correct user name and password must be entered. Each entry is recorded and logged. All traffic on the site will be recorded on an access log. This log will record information about the site visitor and what they did while at the site. This log can be used for security measurement and to monitor compliance within the industry.
6. Once a company successfully connects to the secure site, all data transmitted between the company and MAXIMUS's site will be encrypted.
HOW SECURITY MEASURES TAKEN BY MAXIMUS MEET THE CHALLENGES POSED
As stated earlier, the challenges of secure internet communication that need to be addressed are:
Server Authentication (thwarting impostors)
How do I authenticate users to make sure they are who they claim to be? How can I safeguard confidential documents to ensure that only authorized individuals have access to them?
Requiring all users to log in with a user name and password will ensure that only authorized companies have access to MAXIMUS's secure site. Mutual authentication is the process whereby the server convinces the client of its identity and (optionally) the client convinces the server of its identity. These identities are coded in the form of public-key certificates, and the certificates are exchanged during the SSL handshake. In addition to this level of security, MAXIMUS also has a number of server-based methods, including the server-based software Gabriel, for detecting individuals attempting to gain unauthorized access.
Privacy (thwarting eavesdroppers)
How can I protect the privacy of my communications in real time (such as the data flowing between a Web client and a Web server)?
Message privacy is achieved through a combination of public-key and symmetric key encryption, as described below. All traffic between an SSL server and SSL client is encrypted using a key and an encryption algorithm negotiated during the SSL handshake described below. Encryption thwarts eavesdroppers who can capture a TCP/IP session using devices such as IP packet sniffers. Even though packet sniffers can still capture the traffic between a server and client, the encryption makes it impractical for them to actually read the message. Utilizing the highest level of encryption allowed by law ensures that any interception of data would be virtually impossible to read.
Data Integrity (thwarting vandals)
How can I ensure that messages have not been tampered with between the sender and the recipient?
SSL protocol provides for a digital signature which is attached to data transfers. The slightest change in a document containing a digital signature will cause the digital signature verification process to fail. This ensures SSL session traffic does not change en route to its final destination. SSL uses a combination of a shared secret and special mathematical functions called hash functions to provide the message integrity service.
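The shared-secret-and-hash-function integrity check just described, as an added Go example (not code from MAXIMUS or its SSL server): the sender computes an HMAC over each record together with its sequence number, and the receiver rejects anything that was altered, replayed or reordered. The key, the record contents and the choice of HMAC-SHA256 are assumptions for the example; SSL's own record format differs.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
)

// Record is one protected unit of traffic: the bytes sent plus the MAC computed over them.
type Record struct {
	Seq     uint64
	Payload []byte
	MAC     []byte
}

// macOver keys a hash function with the shared secret and covers both the sequence
// number and the payload, so a record cannot be altered, replayed or reordered unnoticed.
func macOver(key []byte, seq uint64, payload []byte) []byte {
	m := hmac.New(sha256.New, key)
	var seqBytes [8]byte
	binary.BigEndian.PutUint64(seqBytes[:], seq)
	m.Write(seqBytes[:])
	m.Write(payload)
	return m.Sum(nil)
}

// Sender tags each outgoing record with the shared key and a running sequence number.
type Sender struct {
	Key  []byte
	next uint64
}
func (s *Sender) Seal(payload []byte) Record {
	r := Record{Seq: s.next, Payload: payload, MAC: macOver(s.Key, s.next, payload)}
	s.next++
	return r
}

// Receiver accepts a record only if its MAC verifies in constant time and its sequence number is the one expected next.
type Receiver struct {
	Key    []byte
	expect uint64
}
func (r *Receiver) Open(rec Record) ([]byte, bool) {
	if rec.Seq != r.expect || !hmac.Equal(rec.MAC, macOver(r.Key, rec.Seq, rec.Payload)) {
		return nil, false // tampered, replayed, out of order, or MACed under another key
	}
	r.expect++
	return rec.Payload, true
}
```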
HOW IT WORKS - A MORE TECHNICAL EXPLANATION
SSL is designed to make its security services as transparent as possible to the end user. Typically, users click a link or a button on a page that connects to an SSL-capable server. A typical SSL-capable Web server accepts SSL connection requests on a different port (port 443 by default) than standard HTTP requests (port 80 by default).
When the client connects to this port, it initiates a handshake that establishes the SSL session. After the handshake finishes, communication is encrypted and message integrity checks are performed until the SSL session expires. SSL creates a session during which the handshake needs to happen only once.
The following high-level events take place during an SSL handshake:
1. The client and server exchange X.509 certificates to prove their identity. This exchange may optionally include an entire certificate chain, up to some root certificate. Certificates are verified by checking validity dates and verifying that the certificate bears the signature of a trusted certificate authority. The certificate authority for MAXIMUS is Verisign.
2. The client randomly generates a set of keys that will be used for encryption and calculating MACs (Message Authentication Codes). The keys are encrypted using the server's public key and securely communicated to the server. Separate keys are used for client to server and server to client communications for a total of four keys.
3. A message encryption algorithm (for encryption) and hash function (for integrity) are negotiated. In Netscape's SSL implementation, the client presents a list of all the algorithms it supports, and the server selects the strongest cipher available. Server administrators may turn particular ciphers on and off.
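Step 1 as an added Go example, not code from the page or from MAXIMUS: it builds a two-certificate chain (a root CA and the server certificate it signed) and runs the client-side checks the text lists, validity dates, signature of a trusted authority and host name. The CA name, the host name newhire.example and the use of ECDSA keys are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs tmpl with signer's key under parent (parent == tmpl gives a self-signed root).
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// buildChain creates a root CA and a server certificate it signed: the chain a server
// presents in step 1. Names are constructed for this example; notAfter sets the leaf's expiry.
func buildChain(notAfter time.Time) (root, server *x509.Certificate) {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	srvKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageCertSign, BasicConstraintsValid: true, IsCA: true}
	root = issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	srvTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "newhire.example"},
		DNSNames: []string{"newhire.example"}, NotBefore: now.Add(-time.Hour), NotAfter: notAfter,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	server = issue(srvTmpl, root, &srvKey.PublicKey, rootKey)
	return root, server
}

// verifyServer is the client's side of step 1: the name must match, the validity window must
// contain `at`, and the chain must end at the trusted root. Returns the verified chain length.
func verifyServer(server, trustedRoot *x509.Certificate, at time.Time) (int, error) {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	chains, err := server.Verify(x509.VerifyOptions{Roots: roots, DNSName: "newhire.example", CurrentTime: at})
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil
}
```

A certificate signed by a root the client does not hold fails with an unknown-authority error, and one checked outside its validity window fails as expired, before any data is exchanged.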
Symmetric-Key and Public-Key Cryptography
Symmetric-key or secret-key cryptography uses the same key to encrypt and decrypt messages. This is a familiar real-world phenomenon: We use the same key to unlock and lock our car doors, for instance. The problem with symmetric-key cryptography is having the sender and receiver agree on a secret key without anyone else finding out. How can they do this? Over the phone, on a floppy disk, using a courier? All of these are cumbersome, slow, and error-prone techniques. In addition, the number of keys tends to be much larger than the number of nodes; that is, people may have multiple keys they use for different purposes.
Public-key cryptography was invented in 1976 to solve precisely this problem. With public-key cryptography, each person gets a pair of keys, a public key and a private key. Each person's public key is published, while the private key is kept secret. When Alice wants to send Bob a secure message, she encrypts it using Bob's public key. When Bob gets the message, he decrypts it using his private key. The sender and receiver no longer have to share secret information before they can communicate securely.
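Step 2 of the handshake and the Alice-and-Bob exchange above, combined in one added Go example (not the page's or MAXIMUS's code): the client seals random key material to the server's public key, the server recovers it with its private key, and both expand it into the four directional keys. RSA-OAEP and the labelled-HMAC key expansion are assumptions standing in for SSL's own primitives.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// SessionKeys are the four keys the text describes: an encryption key and a MAC key per direction.
type SessionKeys struct{ ClientWrite, ServerWrite, ClientMAC, ServerMAC []byte }

// newServerKey makes the server's RSA key pair; the public half is what its certificate carries.
func newServerKey() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return key
}

// deriveKeys expands the secret into four keys with a labelled HMAC (a simplification assumed here, not SSL's own key-expansion function).
func deriveKeys(secret []byte) SessionKeys {
	expand := func(label string) []byte {
		m := hmac.New(sha256.New, secret)
		m.Write([]byte(label))
		return m.Sum(nil)
	}
	return SessionKeys{expand("client write"), expand("server write"), expand("client mac"), expand("server mac")}
}

// clientKeyExchange is step 2 on the client: draw random key material and seal it to the server's public key.
func clientKeyExchange(serverPub *rsa.PublicKey) (SessionKeys, []byte, error) {
	secret := make([]byte, 48)
	rand.Read(secret) // crypto/rand fills the whole buffer from the system CSPRNG
	sealed, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, secret, nil)
	if err != nil {
		return SessionKeys{}, nil, err
	}
	return deriveKeys(secret), sealed, nil
}

// serverKeyExchange is step 2 on the server: unseal with the private key and derive the same keys.
func serverKeyExchange(serverPriv *rsa.PrivateKey, sealed []byte) (SessionKeys, error) {
	secret, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, serverPriv, sealed, nil)
	if err != nil {
		return SessionKeys{}, err // any other private key, an eavesdropper's included, lands here
	}
	return deriveKeys(secret), nil
}
```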
Public-Key Certificates
Digital certificates, also called digital IDs, digital passports, or public-key certificates, are defined by an ITU standard called X.509. A certificate is the digital equivalent of an employee badge, passport, or driver's license.
The certificate and corresponding private key identify you to someone who needs proof of your identity. Over a network, a certificate serves the same role as a driver's license, employee badge, or credit card: It establishes your identity. Servers may be configured to grant access only to people with particular certificates; similarly, clients may be configured to trust servers that present certain certificates.
To demonstrate that the entity presenting the certificate is the legitimate certificate owner (rather than some impostor), SSL requires that the certificate presenter must digitally sign data exchanged during the handshake. The exchanged handshake data includes the entire certificate. The entities sign protocol data (which includes their certificates) to prove they are the legitimate owner of the certificate. This prevents someone from masquerading as you by presenting your certificate. The certificate itself does not authenticate; the combination of the certificate and the correct private key does.
Address questions to contact@RInewhire.com