
A centralized approach to computer network security*

In document JEFFERSON who (pages 101-107)

by FRANK R. HEINRICH and DAVID J. KAUFMAN

System Development Corporation, Santa Monica, California

ABSTRACT

This paper presents an approach to network security at the system design level. Some basic network concepts and major network security threats are outlined. The design approach is described and a brief security analysis is presented. The proposed network structure incorporates data protection devices called network cryptographic devices and a special-purpose processor, the network security center, to control access in the network.

INTRODUCTION

The ever-increasing utilization of computer systems has heightened demand for broader computer service and data management capability. Computer networks are an attempt to meet this demand by organizing many individual computer systems to act as a single, very large system or supracomputer.

The distribution of data processing functions among a set of distinct systems decentralizes the control of data storage and processing. In addition, information must be transmitted between computers and is therefore subject to exposure. These factors complicate the problem of providing a high degree of security assurance in computer networks. Additionally, current emphasis on privacy considerations underlines the need for network security. Thus security must be a major factor in network design.

This paper presents an approach to network security at the system design level. To provide a basis for discussion of this design, a few basic network concepts are first outlined. Some major network security threats are then presented to provide a context for evaluating the system. Finally, the network structure is described and a brief security analysis presented. The proposed network structure incorporates data protection devices called network cryptographic devices and a special-purpose processor, the Network Security Center, to control access in the network.

* The work reported in this paper was supported by the U.S. Department of Commerce, National Bureau of Standards contract # 5-35934.

The design in this paper provides a means for centralizing control in computer networks. When global policies toward network access, data storage and processing can be established, this design is quite appropriate. In some instances, however, it may be difficult to develop such global policies. The management at each network site may decide to maintain greater control over local policy and resist centralization. A second approach to computer network security, in which control can be more easily distributed, is presented in a companion paper.1

BASIC NETWORK CONCEPTS

In an intercomputer network, a number of computer systems and terminals are linked. The individual computer systems (hosts) and terminals are called network resources. Interconnection of these resources requires functions performed by both hardware and software, but in this section we consider only the logical arrangement of networking functions rather than associating any particular functions with specific hardware devices.

Network resources must be physically interconnected in some manner. That is, facilities must exist to provide data paths between network resources. These facilities, called the communications subnetwork, may take many forms. The communication subnetwork may consist of telecommunications lines, a message switch, or a packet switched network. Regardless of the configuration, however, we will view communications subnetworks as logically equivalent, supplying a means for data to flow from any network resource to any other network resource.

Figure 1 illustrates three layers, or levels, of network functionality. Layer 1 is network resources; layer 2 is connection-oriented functions; and layer 3 is the communications subnet. Network resources can be thought of as correspondents, freely exchanging information (i.e., message text) by way of a carrier consisting of the connection-oriented functions and the communications subnetwork. The connection-oriented functions at different locations are, in turn, correspondents, exchanging information concerning the state of message pipelines via their carrier, the communications subnetwork. We refer to correspondents as being (logically) above the carriers.

Figure 1-Layers of network functionality (labels: Network Resource; Connection-Oriented Functions; Communication Subnetwork, Message Routing and Delivery)

The actual content of the communication between correspondents is not of concern to lower layers (the carrier). Within a carrier, control messages may also be exchanged which are of no concern to higher level correspondents.

Countering the network security threats discussed in the following section will require introduction of additional network functions. These new functions will not alter the logical relationship between the three layers already presented, but will necessitate the addition of a new functional layer.

NETWORK SECURITY THREATS

With privacy statutes being enacted, security vulnerabilities are a serious concern. Yet networks present formidable security problems due to the multi-user, multi-resource, multi-system environment. Physical and procedural controls have proven to be particularly inadequate in such geographically distributed systems. Primary security threats to intercomputer networks are:

1. Threats to Network Communication: Network communications are susceptible to several major security threats. Penetrators may tap communication lines or network devices outside of physically secure facilities. Tapping of communications may result in unauthorized exposure of sensitive information or alteration of message text. A penetrator may record legitimate messages and replay them at a later time in order to spoof a network resource. Spoofing could also be accomplished by generation of spurious, but apparently legitimate messages. Misrouting and subsequent misdelivery of messages, either accidentally or maliciously, may result in unauthorized disclosure of sensitive information.

2. Counterfeit Network Resources: Network penetrators may be able to utilize counterfeit network resources. A bogus terminal or host computer may be made to appear as a legitimate source or destination of network messages. Without mutual authentication of network resources, uncontrolled use of the network may be obtained by those who would normally not have access to the network.

3. Forged User Identification: A penetrator may gain network privileges by forging the identity of a valid user. Of course, this same threat applies to a single computer system. In a network, however, a penetrator may capitalize on a domino effect. A penetrator may use a forged identity to compromise a single host with poor security controls. Other network resources may then be compromised if they, in turn, trust the user's identity as established by the compromised host.

4. Unauthorized Access by Legitimate Users: Legitimate network users may gain unauthorized access to host computers, data files, programs, etc. A malicious user may take advantage of unauthorized access to delete or modify data files or programs, or even subvert an entire host computer system. Furthermore, sensitive or private information may be subject to unauthorized browsing.

If each of the host computer systems which make up the intercomputer network were secure when operated separately, the security threats of forged user identification and unauthorized access would be eliminated. Separate network countermeasures for these threats would then be unnecessary. Mechanisms might still be included to relieve each host of the operational burden of implementing identification/authentication mechanisms and to provide a single unified network access protocol increasing user convenience when accessing various network sites. However, no secure general-purpose computer systems exist today. Furthermore, it is doubtful such systems will be widely available for a long time. Thus, network mechanisms must be developed to protect network communications and to avoid increasing compromise threats to hosts because those hosts are linked in a network.

SYSTEM DESCRIPTION

This section presents a system level design of a secure intercomputer network as illustrated in Figure 2. The design incorporates cryptographic devices which encipher data (i.e., transform data in order to conceal its meaning) and decipher data (i.e., reverse the encipher process to render data once again intelligible).2 This transformation is based on a secret parameter called a Key. The cryptographic devices provide an additional layer in the logical structure of the network.

Figure 2-System level design

The design also incorporates a new network resource called a Network Security Center (NSC), which is based on Branstad's concept of a Network Agency.3 Connections between network resources are permitted only when authorized by the NSC, based on stored access control information. This control is enforced by the network cryptographic devices which will form cryptographic links only when instructed by the NSC.

The network shown in Figure 2 contains Network Front Ends (NFEs). An NFE is a processor which implements connection-oriented functions for a set of terminals and hosts. A network which adheres to the secure design can be built without NFEs. NFEs do have operational advantages, however, and are being considered for use in many future networks. Thus, we address their role in network security.

An example may clarify the functioning of the NSC and network cryptographic devices.

A user (U) at a terminal desires access to a process (P) at a distant host (H). Before being connected with H, the user must carry on a dialogue with the NSC. During this dialogue, U must identify himself and supply additional information, such as a password, to authenticate his identity. U then requests access to host H. The NSC verifies the user's identity. If the user's identity is valid, the access request is checked; otherwise access to H is denied. The NSC uses previously stored access control information to determine if U is permitted access to host H. If the access control information indicates that the access request is legitimate, the NSC will initiate establishment of a logical connection between U and H.

The scenario is similar to that of a user attached directly to a host with an access control mechanism. In that sense the network appears to the user as a single large system.

All messages in the User-NSC dialogue are enciphered and deciphered by cryptographic devices attached to the terminal and to the NSC. Each network cryptographic device has the capability of protecting such dialogues with the NSC. Creating a connection between U and H requires that a new key be established in the cryptographic devices at U's terminal and at H. When the cryptographic devices begin to use the new key they can communicate, forming a cryptographic link between U and H. User U may then initiate formation of a message pipeline to host H via the connection-oriented functions. This connection authorization protocol is similar to that described by Branstad.2,3

Cryptographic devices

There are two main types of cryptographic devices utilized in this design. One is the cryptographic device at the NSC called the master cryptographic device. The other type is attached to each of the other network resources and is called the slave encryption device. Slave encryption devices can accept new keys from a remote location. If attached to a single terminal, a slave cryptographic device need maintain only one new key. If attached to a host or NFE, a slave cryptographic device must be able to maintain several new keys in order to support each of the multiple logical connections with a distinct key.

The master cryptographic device must be able to encipher and decipher messages to and from each of the slave cryptographic devices. The master cryptographic device manages establishment of new keys at the slave cryptographic devices.

Both the master and slave cryptographic devices distinguish message headers from message text. Headers must remain in the clear so that the communication subnetwork has sufficient control information to route and deliver messages. Only message text will be enciphered and deciphered.

These devices should make use of the National Bureau of Standards (NBS) Data Encryption Algorithm, which has been proposed as a Federal Information Processing Standard.4 Several characteristics of this algorithm make it well suited for use in network cryptographic devices:

1. The secrecy of the transformation is dependent only on the secrecy of the key, not on the secrecy of the algorithm.

2. The length of the key is 64 bits, eight of which are reserved for parity. Thus there are 2^56 potential keys. The key is not so short as to make exhaustive search techniques feasible, yet not so long as to make distribution to a remote device difficult.

3. The algorithm is block-oriented; that is, data is grouped into blocks of 64 bits which may be enciphered and deciphered independently of any other block. As long as the same key is used, position or time synchronization of encryption with decryption is not required. Due to routing and transmission differences, message transit time through a network is somewhat variable. Messages may arrive at a destination in a different order than they were sent. Using the NBS Algorithm, cryptographic devices can be built which do not require position or time synchronization and are independent of the communication subsystem.

4. When enciphering or deciphering, the change of a single bit in either the key or the input text has an unpredictable effect on the output text. This characteristic has two implications. First, the correct key must be known to make use of (i.e., decipher) enciphered information. Second, alterations to enciphered text cannot produce predictable changes to the corresponding clear text.

5. Analysis of clear/enciphered text pairs does not aid in code-breaking to determine the key used. Penetrators are forced to use impractical exhaustive search techniques for code-breaking.

6. The NBS algorithm is expected to be available as an LSI package. This will provide a low cost, high speed implementation suitable for use in network cryptographic devices.

Network security center

The NSC authenticates the identity of network users and authorizes connections between network resources. When an access request is approved, the NSC must generate a random, distinct encryption key to be distributed to the cryptographic devices at both subject and object. In addition, the NSC will keep audit logs of all access requests, both approved and denied, and will issue appropriate alarms when a suspected penetration attempt is detected.

The NSC must, therefore, maintain a data base which contains sufficient information to verify (authenticate) the identity of users, and sufficient access control information to determine the legitimacy of access requests (access authorization). This data base will not remain static, but will require timely updating. This updating can be accomplished by a security officer at the NSC or by protocols between the NSC and network hosts. Except for authentication of updates, the issues of NSC data base updating are conventional data management system cost and performance tradeoffs and beyond the scope of concern here.

NSC access control information is defined in terms of subjects, objects, and capabilities. A subject is an entity such as a user or a process that can initiate access requests. An object is an entity such as a data file, a process, a host computer system or another network resource that can be the target of access requests. Capabilities are the actions which a subject may perform on an object.

Figure 3-Access control matrix (axes labelled Subjects and Objects). The access control information can be represented by a 3-dimensional space. The shaded plane would contain all information concerning user A.

A good conceptual model for the access control information is a three-dimensional access matrix5 as illustrated in Figure 3. On one axis of the matrix are subjects; on another axis are the objects, and on the third axis are the capabilities. Entries in the matrix are boolean values, indicating whether a capability is available to a subject for a given object. This model can accommodate objects to any desired degree of granularity, where granularity refers to the relative size of the subject being controlled. For most systems this matrix is rather sparsely populated, with subjects having access to only a few objects. Thus the actual implementation will use some other more compact and logically equivalent data structure.
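The connection-authorization sequence and the sparse access matrix described above can be sketched as follows. This is an added example, not code from the paper: the class and method names, the set-of-triples representation, the PBKDF2 password verifier and the direct `load_key` calls (standing in for key distribution through the master cryptographic device) are all assumptions made for illustration.

```python
import hashlib
import secrets

class SlaveDevice:
    """Slave cryptographic device: holds one key per logical connection."""
    def __init__(self, resource):
        self.resource = resource
        self.keys = {}                     # peer resource name -> connection key

    def load_key(self, peer, key):
        self.keys[peer] = key

    def linked_with(self, other):
        # A cryptographic link exists only when both ends hold the same key.
        key = self.keys.get(other.resource)
        return key is not None and key == other.keys.get(self.resource)

class NetworkSecurityCenter:
    def __init__(self):
        self.users = {}                    # user -> (salt, password verifier)
        self.grants = set()                # sparse matrix: (subject, object, capability)
        self.audit_log = []                # every request, approved or denied

    @staticmethod
    def _verifier(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

    def enroll(self, user, password):
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, self._verifier(password, salt))

    def authenticate(self, user, password):
        salt, stored = self.users.get(user, (b"\0" * 16, b""))
        return secrets.compare_digest(stored, self._verifier(password, salt))

    def permitted(self, subject, obj, capability):
        # A triple that is not stored is a False entry in the 3-D matrix.
        return (subject, obj, capability) in self.grants

    def request_connection(self, user, password, terminal, host, capability="connect"):
        if not self.authenticate(user, password):
            decision = "denied:authentication"
        elif not self.permitted(user, host.resource, capability):
            decision = "denied:authorization"
        else:
            decision = "approved"
            key = secrets.token_bytes(8)   # fresh random 64-bit key for this connection
            terminal.load_key(host.resource, key)
            host.load_key(terminal.resource, key)
        self.audit_log.append((user, host.resource, capability, decision))
        return decision

def demo_nsc():
    nsc = NetworkSecurityCenter()
    nsc.enroll("U", b"constructed-password")          # constructed sample data
    nsc.grants.add(("U", "H", "connect"))
    terminal, host_h, host_x = SlaveDevice("T1"), SlaveDevice("H"), SlaveDevice("X")
    results = [nsc.request_connection("U", b"constructed-password", terminal, host_h),
               nsc.request_connection("U", b"wrong", terminal, host_x),
               nsc.request_connection("U", b"constructed-password", terminal, host_x)]
    return results, terminal.linked_with(host_h), terminal.linked_with(host_x)
```

Only the approved request leaves matching keys in both slave devices, so a cryptographic link can form between the terminal and H but not between the terminal and X.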

Network front ends

A Network Front End (NFE) may interface one or more network resources to the communications subnetwork. The NFE performs the connection-oriented functions on behalf of hosts as well as terminals. The NFE could also provide a user-level command interface for terminals. It is likely that NFEs can reduce the software cost and system overhead normally involved in connecting to networks. A Secure Front End may, in fact, enhance network security, a concept discussed later.


SECURITY ANALYSIS

The system design presented above counters the network security threats. The following discussion analyzes the design approach with respect to the threats presented earlier.

1. Network Communication Threats: The characteristics of the NBS data encryption algorithm (and cryptographic devices in general) eliminate many network communication threats. Obviously, line tapping yields encrypted text which cannot be read by a penetrator. Furthermore, alteration of enciphered text can be detected if an error detection field is included in the message. This error check must be enciphered, so that the error check value cannot be predictably altered. Additionally, the check value must be calculated with clear, rather than enciphered, text; otherwise it is possible to alter enciphered text such that the error detection field does not indicate the change. Inclusion of redundancy checks and message sequence numbers within the enciphered portion of the message can prevent undetected message playback or introduction of spurious messages.

The network cryptographic devices used in this design utilize a distinct encryption key for each logical connection between network resources. Therefore, misrouted messages are rendered unintelligible to unauthorized recipients. Currently available "line" cryptographic devices can only be placed on the communication lines, and therefore do not eliminate the threat of misrouting.
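The message checks described above (clear header, an error detection field computed over clear text and then enciphered, a sequence number inside the enciphered portion, one key per connection) can be exercised with the following added example, which is not code from the paper. The small Feistel cipher is a stand-in for the NBS algorithm, and the CRC-32 field, the message layout and all names are assumptions chosen for illustration.

```python
import hashlib
import struct
import zlib

BLOCK = 8  # 64-bit blocks, the block size the paper gives for the NBS algorithm

def _feistel(key, block, rounds):
    # Stand-in block cipher (assumption): a small Feistel network, NOT the NBS algorithm.
    left, right = block[:4], block[4:]
    for i in rounds:
        f = hashlib.sha256(key + bytes([i]) + right).digest()[:4]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return right + left

def _crypt(key, data, rounds):
    # Each block is transformed independently of every other block.
    return b"".join(_feistel(key, data[i:i + BLOCK], rounds)
                    for i in range(0, len(data), BLOCK))

def seal(key, header, seq, text):
    """Return (clear header, enciphered body holding seq, length, text and check)."""
    body = struct.pack(">IH", seq, len(text)) + text
    body += b"\0" * (-(len(body) + 4) % BLOCK)      # pad so body + check fills whole blocks
    body += struct.pack(">I", zlib.crc32(body))     # check computed over CLEAR text
    return header, _crypt(key, body, range(8))      # check is enciphered with the text

def receive(key, message, seen):
    """Return (status, text); `seen` holds sequence numbers already accepted."""
    _header, ciphertext = message
    if not ciphertext or len(ciphertext) % BLOCK:
        return "rejected:malformed", None
    body = _crypt(key, ciphertext, range(7, -1, -1))
    (check,) = struct.unpack(">I", body[-4:])
    if zlib.crc32(body[:-4]) != check:
        return "rejected:check", None               # altered, spurious or wrong key
    seq, length = struct.unpack(">IH", body[:6])
    if length > len(body) - 10:
        return "rejected:malformed", None
    if seq in seen:                                 # a set tolerates out-of-order arrival
        return "rejected:replay", None
    seen.add(seq)
    return "accepted", body[6:6 + length]

def demo_messages():
    key_uh, key_other = b"K-conn-1", b"K-conn-2"    # constructed per-connection keys
    seen = set()
    msg = seal(key_uh, b"to:H", 1, b"LOGIN REQUEST")
    results = [receive(key_uh, msg, seen)[0]]                   # genuine message
    results.append(receive(key_uh, msg, seen)[0])               # recorded and played back
    hdr, ct = seal(key_uh, b"to:H", 2, b"TRANSFER 100")
    altered = ct[:8] + bytes([ct[8] ^ 1]) + ct[9:]              # one bit changed in transit
    results.append(receive(key_uh, (hdr, altered), seen)[0])
    results.append(receive(key_other, (hdr, ct), set())[0])     # misrouted to another connection
    return results
```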

Network cryptographic devices with the characteristics required in this design offer greater security assurance than is currently available with existing "line encryption" devices. Although not currently available, network cryptographic devices can be built with current technology.

2. Counterfeit Network Resources: The term end-to-end encryption refers to data being enciphered at the source and remaining unintelligible until it is deciphered at its final destination. Network cryptographic devices provide such end-to-end encryption, thereby eliminating the threat of counterfeit network resources. Communication with a bogus network resource is impossible because it would not be attached to a network cryptographic device, or know an appropriate key.

If a network resource, attached to an NFE, is the source or target of network communication, the NFE is responsible for maintaining a proper message pipeline. The NFE must, therefore, guarantee that connections are made with the proper resource. Thus a secure NFE guarantees that the message routing and connection management functions are performed correctly on behalf of attached terminals and hosts.

3. Forged User Identity: The NSC requires each user to identify himself and provide information to authenticate that identity. A user's identity is validated before connection to any network resource is permitted. The NSC is a separate tamper-proof mechanism which is not part of a general purpose host computer system. Therefore, the NSC provides a
