Tools for Cost-Effective Authentication

Year
2001
Author(s)
R.T. Kouzes - Pacific Northwest National Laboratory
B.D. Geelhood - Pacific Northwest National Laboratory
R.R. Hansen - Pacific Northwest National Laboratory
W. K. Pitts - Pacific Northwest National Laboratory
Abstract
This paper examines the requirements and motivations for development of authentication tools for monitoring systems. Authentication is the process by which the Monitoring Party gains appropriate confidence that the information reported by a monitoring system accurately reflects the true state of the monitored item. Gaining confidence that the inspection results are always credible is a greater challenge when an information barrier, which protects classified information by blocking access to raw data and intermediate results, is included in an automated measurement system. Confidence in the results requires gaining continuity of knowledge regarding all the data processing within the entire system. The authentication process involves searching for both 1) inadvertent design or implementation flaws leading to incorrect results or a non-robust system and 2) deliberate covert features designed into the system for some Host advantage. Functional testing can only address the first of these. A thorough investigation of system functionality can ensure it functions as designed over a wide range of measurement parameters and environmental conditions. It is important that the analysis software be robust enough to handle unexpected situations, since these systems are designed to operate in a closed and secure mode without user input or analysis. Functional testing tools include a reasonable set of test sources and a means of combining data from them to span a wider range of input parameters. Software that distorts spectra in a controlled fashion can establish robustness limits. Thorough authentication must address the threat where the host selectively triggers a built-in "hidden switch" that alters the measurement results to erroneously pass selected containers. Functional testing is insufficient to preclude a selectively triggered "hidden switch" unless the host is compelled to trigger it during that testing.
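The functional-testing tools the abstract describes (a small set of test sources, a way of combining their data to span more input parameters, and software that distorts spectra in a controlled way to find robustness limits) can be sketched as a short harness. The following is an added example, not code from the paper or from PNNL: the 256-channel spectra, the two synthetic single-line test sources, the pass/fail `attribute_check` standing in for the analysis behind the information barrier, and the gain-shift and counting-noise distortion models are all constructed for illustration. `robustness_limit` sweeps one distortion parameter and reports the first setting at which the verdict changes from the undistorted verdict.

```python
"""Added example (constructed, not from the paper): a toy functional-testing
harness for an information-barrier analysis routine."""
import math
import random
from typing import Callable, List, Optional, Sequence

Spectrum = List[float]
CHANNELS = 256


def gaussian_line(centroid: float, sigma: float, area: float) -> Spectrum:
    """Synthetic full-energy peak: a Gaussian of the given area laid over the channels."""
    norm = area / (sigma * math.sqrt(2.0 * math.pi))
    return [norm * math.exp(-0.5 * ((ch - centroid) / sigma) ** 2) for ch in range(CHANNELS)]


# Constructed test sources: one line each, 10 000 counts in the peak.
SOURCE_LOW = gaussian_line(centroid=60.0, sigma=3.0, area=10_000.0)
SOURCE_HIGH = gaussian_line(centroid=180.0, sigma=4.0, area=10_000.0)


def combine_spectra(spectra: Sequence[Spectrum], weights: Sequence[float]) -> Spectrum:
    """Weighted sum of measured source spectra: synthesises inputs (other activity
    ratios) that the available physical sources cannot produce on their own."""
    return [sum(w * s[ch] for s, w in zip(spectra, weights)) for ch in range(CHANNELS)]


def gain_shift(spectrum: Spectrum, gain: float, offset: float = 0.0) -> Spectrum:
    """Controlled distortion: channel ch moves to ch*gain + offset (a drifting
    amplifier).  Resampled by linear interpolation and divided by gain so the
    total count is preserved."""
    padded = spectrum + [0.0]
    out = [0.0] * CHANNELS
    for ch in range(CHANNELS):
        src = (ch - offset) / gain
        lo = math.floor(src)
        frac = src - lo
        if 0 <= lo < CHANNELS:
            out[ch] = (padded[lo] * (1.0 - frac) + padded[lo + 1] * frac) / gain
    return out


def add_counting_noise(spectrum: Spectrum, seed: int, scale: float = 1.0) -> Spectrum:
    """Controlled distortion: Gaussian approximation of Poisson counting noise,
    sigma = scale*sqrt(counts) per channel, seeded so a run is repeatable."""
    rng = random.Random(seed)
    return [max(0.0, c + rng.gauss(0.0, scale * math.sqrt(c))) for c in spectrum]


def window_centroid(spectrum: Spectrum, lo: int, hi: int) -> float:
    """Count-weighted mean channel of spectrum[lo:hi]."""
    counts = spectrum[lo:hi]
    total = sum(counts)
    if total == 0.0:
        return float("nan")
    return sum((lo + i) * c for i, c in enumerate(counts)) / total


def attribute_check(spectrum: Spectrum) -> bool:
    """Stand-in for the analysis behind the information barrier: returns only a
    pass/fail verdict.  Passes when the high line sits within 7.5 channels of
    180 and both lines carry at least 5 000 counts (constructed criteria)."""
    low_counts = sum(spectrum[45:75])
    high_counts = sum(spectrum[160:200])
    centroid = window_centroid(spectrum, 160, 200)
    return low_counts >= 5_000 and high_counts >= 5_000 and abs(centroid - 180.0) <= 7.5


def robustness_limit(check: Callable[[Spectrum], bool], spectrum: Spectrum,
                     distortion: Callable[[Spectrum, float], Spectrum],
                     settings: Sequence[float]) -> Optional[float]:
    """Sweep one distortion parameter; return the first setting at which the
    verdict differs from the undistorted verdict, or None if it never flips."""
    baseline = check(spectrum)
    for setting in settings:
        if check(distortion(spectrum, setting)) != baseline:
            return setting
    return None


if __name__ == "__main__":
    test_input = combine_spectra([SOURCE_LOW, SOURCE_HIGH], [1.0, 1.0])
    print("undistorted verdict:", attribute_check(test_input))
    print("noisy verdict:", attribute_check(add_counting_noise(test_input, seed=7)))
    gains = [1.0 + k / 100 for k in range(0, 21)]
    print("gain at which the verdict flips:",
          robustness_limit(attribute_check, test_input, gain_shift, gains))
    offsets = [float(k) for k in range(0, 21)]
    print("offset at which the verdict flips:",
          robustness_limit(attribute_check, test_input,
                           lambda s, o: gain_shift(s, 1.0, o), offsets))
```

Each sweep yields one robustness limit (here a gain drift of about 5 % or an offset of about 8 channels before the verdict changes), which is the kind of figure a Monitoring Party would compare against the drift the real hardware can exhibit in the field. Because the check exposes only pass/fail, these sweeps are the only way to learn where its decision boundary lies without access to the raw data the barrier withholds.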
Private examination of a duplicate system with complete documentation and system design information is crucial to discovering intentional flaws. The host can be deterred from installing a "hidden switch" by both the documentation requirements and a random selection of duplicate components for private examination. The Host's ignorance of the Monitor's activity during private examination is also a powerful deterrent to cheating, since the Host cannot be certain that a hidden switch will remain undetected. Matching the actual system to the duplicate and documentation is an effective tool for finding hidden switches.