CS99I Freshman Seminar

Winter 1997/1998.

Traveling the Information Highways: Security

Maps, Encounters, and Directions

Master copy on Birch.
Draft 27Nov1993, updated 15May1994, 18,19Jun, Oct 1996, 6,9Feb, 7Mar1998.
This material is

©Gio Wiederhold and CS99I students, Stanford University, 1998.

Chapter: Security

On the Information Superhighway of the Future, What Feature Would You Most Like To See?". "Clean Restrooms" [Shoe, in comic strip by Jeff MacNelly, 15Dec1993].

Previous chapter: Mediators - Next chapter: The Future


[George Poste NY Sunday times heading about Apr11996: Toxic Knowledge. Should it be regulated?

Security is a major issue as we open op the information highways to travelers of all types, and from all countries. Without being to provide an adequate level of security travelers will be wary of using the highways. Without some guaranteed of securiy businesses will not committ their valuable wares to transport over the highways. Losing goods in transportation is serious and easily noticed. Security on the digital highways has also to deal with copying of information, a threat that in the traditional world was limited to plagiarizing books and using patent information without a license.

Secure information systems have three obligations:

  1. Do not to reveal what should not be revealed
  2. Display all what is requested and can be revealed
  3. Do not display any false information.
These obligations are an analog to the injunction on witnesses: tell the truth, the whole truth, and nothing but the truth. These obligations become more complex in practice when we consider the uncertainties associated with generating information, as addressed in the Technology to provide security and protect privacy will not resolve that conflict.

Privacy protection remains a major concern. Public demands have instigated a variety of laws, and again the technical tools that are available do not match the legal requirements for access and protection of privacy [Rotenberg:93]. The punishment for theft and other transgressions has been traditionally the levying of fines or the loss of freedom, namely going to jail. What suitable punishments in the information world? Already today traffc fines can be paid by credit card, and * e-money will do as well. In either case, the punishing authority gets its funds instantly, the convict, if poor, gets hit with additional finance charges. These issues are addressed in the Chapter on Electronic Commerce.

Loss of freedom could simply mean loss of passwords that give access to desirable information. Instead of jail, some convicts could be given the equivalent of * house arrest, with a requirement to connect ever so often to the warden or the parole officer's computer. Schemes for validation of the convicts actual presence at the designated on-line site have to be developed since the traditional password is portable. Today a virtual presence is easy to establish, by calling one's home computer from a remote spot and then connecting through it to other sites. Current schemes of passwords and encryption have focused on identifying people for whom a protected password was an economic advantage, as in using * ATMs.

We describe an early experiment with site-based identification in Sect. Kiosk. To what extent * digital jails can replace physical ones cannot be guessed today; but any relief of the patently unsatisfactory method of punishing people by housing and feeding them in public facilities is worthy of investigation.


Keeping information from others has been a means for retaining power through the ages, as discussed in the Chapter on Digital Libraries. To major means are used to keep information secure: All methods seen can be reduced to combinations of these two principles.

Figure Elements. Elements of cryptography [Wiederhold:77].


Ciphering converts messages into an unreadable language, so that even messages that are publicly accessible cannot be understood. The term derives from substituting numbers for characters in messages, although those numbers, after conversion, are commonly retranslated into other characters.

The * Ceasar Cipher, illustrated in Fig. Ceasar shows the elements associated with transmitting and breaking ciphered messages. There is an enciphering device, which takes * plain text and combines it with a key to yield cipher text. There is a similar decoding device, which takes cipher text and combines it with the same key to recover plain text. And then there is the crook, who tries to decrypt the cipher text, by analyzing the cipher text, making likely guesses. The crook succeeds when a guess yields something that makes sense. The substitution cipher shown is trivial, and literate barbarians should be able to decrypt such messages.

plain text  :   "BEWARE_THE_IDES_OF_MARCH"
Enciphering with key "4"
cipher text:   "FI_EVIDXMIDNHIWDTKDRGM"  using a 27 symbol alphabet
Crook: Decrypting without a key
Guess: frequent are blanks, the most frequent character in the cipher text is "D", 
hence D =_,  now deduce that    ... key=4, validate, "aha" 
Receiver, or successful crook:
Deciphering with key "4"

Figure Ceasar. Encryption using a Ceasar Cipher.

Ciphering became more sophisticated over time. !inventor?> Using a sequence of, say 10 numbers, as a key gave each one out of ten plain text characters a unique substitution key. The key length itself becomes another variable to be guessed by the decryptor. Such a key can be represented as text itself, and based on a citation, say Proverb 17 of the Bible. Using a larger alphabet for the cipher text permitted substituting of characters that are frequent in plain text by any one of several cipher text characters.

The invention of the telegraph provided electric encoding of characters and enabled automation of ciphering. By the start of the second world war ciphering machines were in use that had interchangable rotors, and the keys were reduced to instructions on which rotors to use. Germany used the Enigma machine to encode its messages, and lengthened its code word it in 1938, but Polish scientist determined how it was wired and delivered a copy to Great Britain. The longer code word motivated the development of automation in decrypting, and as such the development of computers. In general, machines and methods used in ciphering are difficult to keep secret, since they are used at many sites. The devices may be captured or their methods determined when some plain-text with corresponding cipher text is obtained. But without the key the search for reasonble plain text will take a excessive time, as discussed in the Section on Decryption. In most military situations decryption is only useful if it is rapid.

Managing keys securely is a major effort, and the loss of a key causes all protection to be lost. For that reason keys used in critical military operations are changed regularily. Most active military operations change keys on daily basis. Printed * signal operations instructions, or *code books are produced by intelligence agencies, distributed to the military units, and every day a new key is set.

A major task for early computing machines was the decryption of messages send to German U-boats by British intelligence officials. The automation proved very effective and analysts working with machines as the * Enigma were able to provide the British Navy with plain text within a day [Turing ref]. In the Pacific the U.S. Navy was able to intercept some Japanese code books, illustrates a major weakness of ciphering: the keys have to be transmitted securely [Kahn:49]. Once a key is known all successive messages, including those designating a new key, can be rapidly decrypted.

The distribution and manual entry of key is error prone and created probrlems during Desert Storm in 1991. Recently the U.S. military has moved to the use of an electronic key generator, the Revised Battlefield Electronics Operation Instruction System (RBECS). Modern radios and computers can receive the keys by direct connection [Burgess:94]. . Only a small fraction of computer data is protected by ciphering. The awkwardness of managing keys and the delays imposed by decoding are strong disincentives. Most data is protected by requiring passwords to gain access.


There have been many cases of individuals accessing computers to gain or change information. * Breaking into the the school's computer and changing one's grade was the objective in the film 'War Games' !???>. A disgruntled employee, about to be fired, amy also try to wreak havoc by deleting crucial files. A clever !!crook may plant a * time-bomb, perhaps by modifying a program that is executed only at the end of the quarter [Neumann:curr]. Maintaining up-to-date and isolated archival copies of data and programs reduces the cost of such damage, but does not prevent it. Many sites keep archival copi es to protect themselves from accidental destruction as well. As more and more computer-sites are linked into the digital highways, the damage that can be done has greatly increased.

The computer systems used at most sites are far from secure. The designer of a personal computer focuses on ease of use and high performance. Any damage done will only affect the owner. Even larger systems are envisaged for use by collaborating groups. mainframe computers, used by disparate owners will have more protection, but in the end it is the role of management to allocate resources and assure cooperation. To access another person's data files means having the right access permissions.

The *operating system, like the telephone and electric control rooms of modern buildings, provides the major opportunity for mischief. Current operating systems have unlimited privileges to the users' files, and so have the people that maintain the operating system, the * superusers. Once a user can enter the operating system, or mimick a superuser, there is no limit to the local destruction that can be perpetrated.


The digital highways themselves are fairly secure, especially optical cables, which are hard to monitor or splice. Wires can be spied on by attaching a magnetic sensor, and microwave transmissions can be received by others in the neighborhood. On the major arteries, where many lanes are combined, the effort to locate and decode a particular flow of information is hard, and only undertaken by professional spy and counter-spy agencies. However, the auxiliary structures along the highways are easily accessed. After all, there are many public and semi-public buildings, such as universities, whose role it is to disseminate information. But once one is in, linking to the digital highways it easy, and then one can investigate access to all the other structures along the highways.

The major locking mechanism in use today is the password. Once an intruder obtains a user's name and password for some part of a system, it is often easy to break into other areas or the control system. Since computer programs can replicate themselves. like * viruses, they can leave a copy in each room entered. That program in turn can continue to attempt to break into other rooms and other structures. As the virus programs replicate they can unleash a tremendous amount of computing power and bring large segments of networks on their knees.

A well-known incident was perpetrated by !robert> Morris of Cornell University in 1989, who had created a virus that replicated itself among many sites. The virus program gained entry by trying various sets of words likely to be used as passwords: first names, permutations of the user name, and words in an English dictionary. That notion is similar to trying all likely combinations in a number-lock for your bicycle, but the virus program has two advantages: patience and the ability to work well-nigh unobserved. Only by noticing that computers were much more busy than they should be could one detect that the virus was at work. That virus did no intentional damage to the contents of the structures, but used up so much of the computing resources that it disabled many sites. In order to kill the virus computer sites had to quarantine themselves from the network, and be scrubbed clean, greatly disabling the work of many legitimate users

Partially in response to the break-in by Morris, ARPA established a a task force at Carnegie Mellon University: (CERT). This task force collects information on break ins and attempted break ins, monitors ongoing violations, and attempts to identify the perpetrators. Legal actions are often difficult, since the perpetrator may live in a country where breaking into a computer network is not seen as a criminal act. CERT reports a steadily increasing number of break-ins as the Internet grows in popularity: 1990: 100; 1991: 410; 1992:720; and 1993:1300. This rate of growth is actually less than the growth in the number of users, but we cannot tell if that is due to more honesty, better protection methods, or more naivitŠ among the users.

A resource for information about break-ins is Neumann95; Peter Neumann also edits a monthly A HREF="http://www.csl.sri.com/insiderisks.html">column in the Communications of the ACM. Unfortunately, it is more difficult to provide prescriptions for preventing break-ins than describing them. [denning]

In February 1994 a virus was discovered which collected passwords by intercepting messages on the Internet. as described in Chap.\I\F in order to gain access to a remote computer the name and password is transmitted. By recognizing remote login and file transfer (ftp) requests, the virus could collect passwords, presumbly for use in later break-ins [Washington Post, 4Feb1994]

!ref Health Data in the Information age == buy , Michel Billelo>


Providing security is a complex task, and employs a wide variety of methods. Too much security restricts usage of information and the reduces the economic benefits that the right information can provide to the receiver. Too little protection creates worries about loss and inhibits participation, which also reduces economic benefits. The optimum is somewhere in between.

Figure\securebenefits The tradeoff between security and benefits [Ashok Chandra, lecture at Stanford 14Feb1995]


We consider three categories of owners of information: individuals, concerned about their privacy; commercial enterprises, concerned about economic effects; and the military, concerned about natioanal security.


People value their privacy greatly, even when it is not clear what losses they would incur if their privacy was violated. As discussed in the Chapter on Healthcare, systems with perceived inadequate privacy protection are not accepted, even when actual use of privacy provisions is minimal. There is a great deal of mistrust. During a conference discussing the Clipperchipthe White house representative asked: "How many people here fear that they at greater risk from government abuses of power than from criminal activity?" and the majority raised their hands, one participant shouted "Whats the difference?'

Commercial Security

Commercial requirements for security fall into three legally recognized categories:
  1. Trade Secrets: material restricted for internal use. All distribution to non-authorized individuals is to be protected. To maintain trade secrets legally, any known infarction must be acted on. If there information is made available publicly and the sources of the leaks are not prosecuted, then it is assumed that the information is not a trade secret.
  2. Patents: The conceptual basis for an innovative product can be described in a patent. A patent can be granted when no prior conflicted patent existed and the concept is not obvious to person versed in the state-of-the-art.When a patent is granted the information becomes public, but the owner of the patent has the exclusive right to its application. At times patents documents give only vague description, to make it harder to put put the concept into practice. Of course, when patents are vague the are easier to challenge legally.
  3. Copyrights: Written material, books, images, recorded performances and publications on the Internet derive their income from or other benefits for the author by being publicly known. Here the protection is based on the restrictions due to the copyright law.
Enterprises which value their information, whether it is for internal use or for sale. have to be concerned how putting information on the Internet can cause losses. There are many proposals and prototypes now, but the future is far from clear.


Military security exists in two dimension called mandatory and discretionary.

The mandatory levels are well known:

  1. Unclassified: no restrictions on publication
  2. Confidential: limited to members of the organization
  3. Secret: limited to individuals with assigned Secret or higher clearance level
  4. Top Secret: limited to individuals with assigned Top Secret clearance
The number of people eligible to receive Top Secret clearance is restricted. Above the Top Secret level are discretionary controls, for specific categories, allocated to people with a need-to-know. These categories function roughly as Trade Secrets do in commercial enterprises. The main difference is that all documents at the Secret level and above are carefully logged throughout their lifetime. Providing equivalent control for on-line documents is a challenge, but seems feasible.


at CMU Computer Emergency Response Team (CERT)
protected by Keberos @ MIT (encrypts passwords)


Reliability and survivability are crucial if we wish to achieve security, but has even broader implication !!mainly in \T


No country is an island once it is reached by the Information Highways. Policies have to mesh, else they are easily bypassed.


Providing too much security restricts usage and economic benefit, in addition to the cost of the security technology itself. However, having too little protection inhibits participation in Internet commerce by value-added suppliers and reduces economic benefits. The optimum is somewhere in between. In evaluating the technology we must always keep these opposing forces in mind.

The technology to support security is based on two concepts: identifying who has access rights and what is to be accessed, and creating a barrier between the two that is well controlled. The identification must be reliable, else any other security measure is compromised. The barrier must be well controlled, so that only identified and approved accessors and objects can pass through. !see fence discussion below> Since the barrier requires careful maintenance, * mediation technology is useful. A security mediator would be owned and maintained by a security officer, and carry out its actions as an agent of the officer. !see below> If the security mediator accesses information at different levels of classification, it must be capable of managing * multi-level security. However, the disparate information sources it draws upon may stay at a single level, which simplifies their management.

We will deal first with the technical problems of identification, !!......


When an automated system deals with a real person, or another computing system, there is need to be sure of teh identity of the respondent. To manage security on the highways we have driver's licenses and car registration plates, ...

!!refer to from E-com chapter?
A variant of *{public key encryption} can provide *authentication, assurance that a sender is indeed the legitimate source of a message. The sender also has a private (DKS) key and can derive from it a public key (PKS). Rather than just sending (PKR{m}) the sender sends (PKR{DKS{m}). After the recipient applies (DKR) to obtain (DKS{m}), which is then decoded by applying the senders public key (PKS) to obtain m. Applying a false (PAS) would result in garbage, informing the recipient that a false (DKS) has been used. !check,wrong?

Software for authentication forms the basis for digital signatures, used in *Signers, in *PGP, *Telescript, and *Kerberos.


In our daily lives we address people by names, short names for our family and colleagues, longer names for those we meet less often, so that confusion is minimized. But names are rarely unique, and confusing individuals with each other is not only embarrassing, but potentially dangerous. Computer technology has brought us all in contact with Personal Identification Numbers (PIN). We define PINs to be unique within a known context, sometimes the term is used for password numbers, as presented in the next section. The most common PIN in the U.S. is the Social Security Number, although the number itself was not designed to be secure.

!health card number>

An important choice in devising a PIN is the decision to let it have semantics or not. An example of an Identifier with semantics is the Dewey Decimal Code used for books. The initial numbers and letters provide a classification, the ones at the end are sequentially assigned. But classifications are not unique: is this book on communication, computing, or road transport? What do we do when classifications are refined, and should be split?

!!! example: . Where classifications become obsolete, as horse-drawn carriage building, much coding space may remain unused. Semantic PINs also compromise *privacy; the former French PIN, let anyone know what one's birthplace, birthdate, and birth gender were.

If a neutral PIN, without semantics, is used, a person, can be permanently associated with it. The same principle holds for general identifiers. For literary work we have encountered a !!xx>. Any object in general can be permanently associated with a suitable identifier. Retrieval, when coming from !the outside will rarely use identifiers, but attributes associated with them, as names, categories, locations, and the like, !as encountered in Chapter\X1,\X2,\P\GEO...>.


We have encountered passwords throughout this chapter, since they are the primary means for limiting access to computers. We have also seen how passwords can be lost, or copied from notes left near a computer [!movie Wargames?]. To protect stored passwords from internal theft they are no longer kept in plain-text in computer storage, but instead are recoded with a one-way encryption scheme. When a customer enters a password it is coded using the same scheme, and the check is performed on the translation.

A common way to *break into computers has been to try lists of word externally, using a computer to try likely passwords. To reduce the chance of this type of break-in a number of counter-methods are in use:

  1. Limiting the number of attempts. By 'hanging-up' the connection after, say, three unsuccessful tries the cost and delay of break-ins increased. Such candidate attempts can also be logged for analysis.
  2. A variation of this !inhibition!, suitable when there is no 'line' to be hung up, is to introduce an artificial delay, and double it for every successive attempt.
  3. Forbid the use of likely passwords, as names and words in a dictionary, including variations as spelling them backwards. Having awkward or long passwords increases the chance of loss however, since they are more likely to be written down.
    All these methods do not keep the password from being vulnerable to theft on networks of computers. One of the intermediate computers may be a *sniffer, copying any login sequence that passes through it. That sequence is then available for subsequent break-ins that are hard to detect, since a single attempt should suffice. Some schemes avoid password reuse.

  4. Using an algorithm as a password is a method suitable for customers that are good in arithmetic. The computer presents say ten digits, and the customer responds with the five products of alternate digits.
  5. A *password generator is a wallet size card which presents a new password every minute. It is keyed to a personal identification (PIN), and the combination has to be entered within that minute to give valid access. It is crucial that the card not be kept with the PIN, to avoid loss of the combination. The cards will also self destruct after some time.

    !! Generated, copied from transmissions sniffer or Trojan Horse (easy on ethernet, listen to tranmissions) [ATM caper]

Biometric identifiers

More reliable than passwords are biometric identifiers: voice prints, signature dynamics, key-stroke dynamics, hand measurements, finger prints, face recognition. The pattern of the iris in a person's eye is also a candidate for making a unique identification. Biometric identifiers are hard to forge, but the equipment to read them is awkward and forbidding. The person being identified must cooperate, for instance be willing to speak or write a specific expression clearly, or be scanned by a camera in a well-lighted space. *Voice recognition is probably the easiest to integrate into computer workstations. The voice pattern can also be recorded on a *smart-card, which can be linked securely to its owner. That card can contain passwords. which in turn are easily handled by the networks that verify access privileges.


In addition to authenticating individuals it is also useful to authenticate documents and the like. One approach is to use to use a checksum, so that inadvertent alteration can be detected. However, an intentional alteration can be combined with recomputing the checksum, if the algorithm is known.

Watermarking modifies a document by overlaying a barely perceptible identifying image over the base image. When watermarked paper is used the identifying image is best seen by holding the document up to light. Copying the text only from a document looses the watermark. Using digital watermarking consists of changing low-order intensity-encoding bits in the image so that the identification is barely visible. Alterations in sections of the document will also destroy the watermarks. Hidden digital watermarking or stegonagraphy is a technique which hides the identifying image. Here the pattern of bits in a document or image is changed in a matter which is practically invisible. In a high-resolution picture the low-order bits may be changed, causing imperceptible change of color. Other techniques will slightly distort the document, moving some pixels by one position, or changing the spacing of characters and lines in a document. [[more See IEEE Computer Feb1998, Xerox]] These techniques keep the document freely accessible. Another level of protection is encryption, where the document is made inacessible to all but authenticated and authorized users. In an encrypted document checksums can be used for authentication, and since only authorized people have access, it can be assumed that nobody has altered the document and recomputed the checksum.


On a driver's license one finds the categories of vehicles one is licensed to drive, for motorcycles to public buses. Once an individual has been authenticated, one should obtain the list of privileges, as functions and services, that the person is authorized to have.


Ciphering has a complementary function to a password: It makes material that is accessible unreadable by others The concept of a key is crucial to cryptography. In the example of Fig. Ceasar only 26 keys were possible, so that 26 decrypting attempts are sufficient. In today's encryption systems many millions of keys are valid, making decryption much more tedious.


To break encrypted text one should know or guess the method, and then guess the codeword for the particular text. If the codeword is completely unknown then decryption is performed by trying all combinations and generating and *pruning all possible plaintexts. Pruning must reduce the volume of results to a number that can be scanned by humans or tried of the result is used in further computer processing. Pruning uses knowledge of the expected result, for instance that most of the words should be English, that the length of words has a certain distribution, that blanks normally occur singly, etc. Crucial terms, as representations of latitude and longitude, are hints that the generated plaintext may be meaningful. If the pruning is inadequate the decrypter remains overwhelmed. The computer processing required for effective pruning is enormous, and if it exceeds available resources the encoded message is safe.


[Kent:93] To decode an encrypted message one must know the key. Managing the keys becomes the hardest problem. !!codebooks above?!!.

A solution, applicable to many situations is public key encryption .. A potential recipient broadcasts a key (PKR) to candidate senders, to be used in encoding any messages to the recipient. The (PKR) key, however, is not a key suitable for decoding, so that it does not have to be protected. The recipient keeps the decoding key (DKR). The recipient creates a (PKR) by a transformation of the (DKR) key, but the transformation function is as difficult to invert as other decryptions. The holder of a (PKR) key can hence send an encoded message m, but not decode a message (PKRm), that has been transformed.

The dominant mathematical foundation for public key transforms is factoring of large numbers. Given, say, a private key (DKR={3,7}), the public key (PKR = {21}). The encryption method is constructed so that 3 and 7 have to applied sequentially to decode the message encoded with 21. While it is easy to guess 3 and 7 from 21, guessing of source factors becomes extremely difficult when applied to products of many and large factors.

A patent for public key encryption is held commercially by RSA Data Security, but the software is available from several sources. An attempt to ban export of the software to non-U.S. companies seems to have failed, illustrating how difficult it is to keep intellectual property on local highways.


There is a concern that cryptographic techniques will reduce legitimate access to information about illegitimate transactions. Agencies as the National Security Agencies are currently able to eavesdrop whenever permitted by a legal order specifying who or what is to be subjected to surveillance. Cryptography can make that hard. These agencies prefer that encryption be only performed using a sanctioned chip, the *Clipper chip, which provides a *trapdoor for their purposes. Its trapdoor is partially opened by an !!special key, and further access is enabled by a key linked to the chip's identification number. The !!special key is held securely within a selected government agency !to be selected>. To protect the trapdoor the internal structure of the Clipper chip has been kept secret, a departure from the common practice where the mechanism is kept public, and only the keys are secret. The manufacturers of the Clipper chip must keep the masks used to make the key extremely secure and assure that a purchaser of the Chip is unable to re-engineer or disassemble it.

The need to trap criminal activities is real, and the desire to have access to criminal activities which pass along the information highways is sincere. But a government attempt to enforce the use of a breakable encryption method is swimming against the stream [Seabrook:94]. Since encryption can be performed by software as well as by hardware, the trapdoor feature can always be overridden; after entering the trapdoor one would only find another encrypted message, not accessible through any trapdoor. At the same time government agencies or suppliers that are forced to use only the Clipper chip are exposed to a massive risk: if the trapdoor can ever be opened by intruders, since then all encrypted information can become public. A malevolent enemy would in fact not divulge that they have a key to that trapdoor.

Trusting that the trapdoor keys can be truly kept secret over long term is obviously fallacious. If the torturous and limited bandwidth path provided by paper messages delivered via a chief of an intelligence agency can be bought for less than $ 2 million [ref Ames scandal], it is obvious that freeway access to all encrypted data in the U.S. can be purchased through somebody for a small fraction of the value of an illicit off-ramp.

Many potential sellers exist for alternate encryption technology, since such expertise was developed in all the world's intelligence agencies. Encoding valuable information does provide the best protection against compromise and legally sanctioned access. There is no economic inducement for legitimate or illegitimate businesses to use the Clipper chip. We will have to leave in world where the privacy protection afforded by cryptography will be equally available to all, no matter what their objectives are, and law-enforcement agencies will not be able to monitor illegitimate traffic on the information highway.


Threat of having databases with purposely misleading data.>


To achieve security the domain over which control is needed has to be defined. Within the world-wide-web there are areas that require specific authorization for access and areas that are open to wider and shared use. Other areas should be freely readable, as directories or repositories for basic mathematical routines, but must be protected from inadvertent damage or explicit vandalism. When information is transmitted across the boundaries of these areas the accessors have to be authenticated and their authority checked. Even after being authorized for access one may want to check what is being taken out, since the content of an area may be more varied than expected, and not always perfectly kept.

If the boundary of an area is formally defined and defended, we speak of a firewall. Within the firewall are a number of computing nodes, connected by some network. Access to the network from the outside is limited to one or a few nodes, and these nodes will check if the accessor is authentic and authorized. The degree of checking varies greatly, and firewalls must be carefully maintained and updated to deal with new types of threats as they develop. Firewalls can also protect against annoyances, as unwanted email (spamming) or, in reverse, disallow insiders to access undesirable places on the net, as games or pornographic sites. Areas that require a high degree of protection may dedicate one or more computers to the protection function, to avoid the risk that non-security motivated customer changes break the firewall.

Methods used by the firewall service include:

Highly protective systems may also check the contents of documents received or being taken out Since information is processed through many modules in a computer system it is useful to implement a *firewall.

On the storage side of the firewall data can be retrieved and freely shared. On the user-side of the firewall only * authenticated users can have access according to their authority they have been granted [Dadaism ref]. Programs that operate across the firewall must be written and validated with care, less effort is needed for other modules if we can guarantee that they stay on their side of the firewall.

!! make consistent firewall, barrier, fence, firewall, all defining protection domain, versus end-to-end security. Note that routers need not to encrypt.
Figure Borde (=fence) in Dadaism system.


The information itself can also be *classified into layers requiring certain access *privileges. In a simple layered model of security it is assumed any one having that higher layers have read access to all data that are classified lower (*read-down) and write access to more highly classified data (*write-up) [Bell and Lapadula]. Typical layers are {public, confidential, secret, and top secret}. There is an implicit assumption that such write-up operation will not destroy any data. If lower-level data is misleading or in error the higher level user cannot correct them, because it might reveal information that should be kept secret. Any information created by processing from multiple is raised to the highest participating level, so that results can only gain higher classification and become useful to fewer and fewer people.

Figure Layer model with implied permissions. Top secret on the inside. maybe in the shape of a round mountain.

Any information flow to lower layers requires *declassification. Declassification requires having knowledge about the content, and authority assigned to a responsible person. Such authorization is typically obtained manually. Automation to allow release of aggregated data whose privacy should be protected has been proposed and is feasible, but risky scenarios can be created.

Example: Salary of president of the company by statistical inference.

Even if the inference problems are not a concern, it is hard to attain a high confidence in the security of a software system. Formal mathematically-based technology is being developed, and automatic verification of secure behavior of modules in a clean architecture may soon be accomplished. In the meantime the verification is being performed by expert visual analysis of the module code. The verification of a system composed of many modules brings new challenges. The complexity and adaptability of substantial software-based systems makes comprehensive verification, if attempted, suspect..

[WAVE chip technology ATP]


Borders are easier to defend when they follow natural boundaries. Countries are often defined by waterways and mountain ridges. In computing systems the natural boundaries are communication channels. All traffic must pass along them, and the sources and destinations are identified. Information can flow through the system as in the Bell-LaPadula model, but all computing nodes are classified in their totality, so that security is achieved if the direction of information flow can be controlled.

Figure Flow through network, with security assignment an flows, related to layered model.

If flow in the insecure direction is needed then a specialized node, a *security mediator, is installed in the network. It is best if the security mediator resides in a private node, a computer not used for any other tasks. Only that node needs to support *multi-level security (*MLS). The simplest version of a security mediator only provides services to the *security officer, the person who has the authority to declassify information. A request for information from a source at a higher classification level is submitted to the security mediator. The security officer can display, edit, and if appropriate modify the request, release it for processing by causing it to enter the layer of the source and be transmitted to that source. The information comprising the response is also transmitted to the security mediator, so that the security officer can inspect the result, modify it if it is too revealing, and release the approved result for transmission to the requestor at the more public layer.

A simple security mediator can greatly speed-up the tedious paperwork prevalent today where much of the requests and results are transmitted in paper form, and reentered at their destination. The simplicity of the task makes comprehensive validation feasible and trustworthy. The performance of the overall system is minimally impacted. MLS systems, because of the time involved in their verification, tend to be a generation older than the best general processing systems that can be obtained. Now only the security mediator has requires MLS capability. Since its processing task is simple, poor performance will not impact the work carried out in the other nodes.

As the workload submitted to a security mediator increases, the task of security officer can be aided by automatic application of *release rules provided by the officer. Release rules could identify attributes of the database that are normally publicly releasable, they could constrain the aggregation being requested and being actually performed, and they could monitor successive requests which are in their totality suspicious and require fall back on manual release processing. By providing tools to reduce the workload for the security officer labor time is freed up that could be devoted to be responsive to queries too complex for automation and to monitor the overall security of the system's operation.

Examples of security rules, assuming operation within a commercial company:

We see that a security mediator follows the same paradigm as any mediator




To protect valuable documents from unauthorized copying during transport and storage they can be encrypted. The documents to be protected can vary widely, from simple texts, say an evaluation of some stock, an entire book, images, video, to software. The rights to be given out range equally widely: outright sale with permission to resell or loan the material, versus license to only use the material personally once, or for limited or unlimited time. Other forms can be the right to play a game, the right to search a database prior to retrieval of its contents, a subscription for a serial publication, the right to incorporate material in another publication, and such.

Documents require another level of protection than money. Once a twenty-dollar bill changes hands, you have lost all rights to that bill, and, if the money must be returned, other bills, coins, or checks can be used. A Digibox (tm), as being provided by Intertrust, is an encrypted and authenticated datastructure. Such a datastructure can be stored anywhere and transported. The creator or subsequent owner of a document can place it in a document, and make it available to potential consumers. It can be forwarded to wholesalers and distributors without opening it.

Intertrust software is reequired to decrypt it, but must be given keys. A consumer who changes any bits in it will not be able to decrypt it. The Digibox is active, and can report to a clearinghouse when it is legitimately opened, so that billing can occur on a per-use basis. Multiple digiboxes are needed to deal with alternate payment schemes. To protect payment from subversion the Digibox can only be opened inside an Intertrust Commercenode (tm). That node drives the printer and display, making electronic cut-and-paste impossible.

The privacy of the reader can also be protected, since the information is mediated by the clearinghouse. This will put additional requirements on the clearinghouse and it is not yet clear if readers will be willing to pay for privacy, although such anonymity exists today when you read documents in private.





A project in test in New York City replaces parole officer contacts with visits to a * kiosk, a computer station near City Hall, where the parolee logs in, and answers some questions about the past period and plans for the next period. Failure to report when and where expected initiates police follow-up. The benefits for the city are a reduced administrative burden for routine logging of parolees, and the freeing of parole officers for tasks require human intervention.


Willis Ware? Whitfield Diffie)


It is unrealistic to assume that privacy will be perfectly protected in a society where access to massive databases is rapid and economical. However, universal access empowers everyone equally, so the ability of people in power to locate embarrassing information on those that want to be, but are not, is relatively diminished. We may all have to lead cleaner lives if we want to avoid major embarrassments, and become more tolerant of minor ones.

There is information that must stay secure. Isolated systems and paper documents provide a simple level of security available to all. Encryption provides an effective method of protection if transmission over public facilities is required. Cryptography is well understood and can be implemented to provide nearly any level of security. Mismanagement of keys is the greatest risk, including the loss of a key, which will in effect cause loss of the encrypted information. An encryption system that can be legally broken into by government agencies, as discussed in the Section on trapdoors is not likely to be accepted. Allowing the government to have trapdoors on the information highway violates expectations of privacy, just as cars on a U.S. highway cannot be searched unless there is a violation or an outstanding warrant. Having a system with a trapdoor also presents an intolerable risk, since theft of the trapdoor key exposes all information.

!!from above: Current operating systems have unlimited privileges to the users files, although that should not be neccessary>


name fullname technology services [ref] |
Companies doing Security Software:
RSA (bought out 15 April 1996 by Security Dynamics - maker of the one-time card; for $250M)|
TIS Trusted Information System SI |
Rainbow Technologies Inc, Irvine CA |
Alladin Knowledge Systems Ltd, Tel Aviv (bought FAST Software AG, Munich April 1996 for $36.2M) |
Security Dynamics Security Dynamics password generator cards authentication www.securID.com|
SST Stanford Secure Technologies content checking privacy protection www.2ST.COM||


Previous chapter: Mediators - Next chapter: The Future

CS99I home page.


ARPA 25Nov 1994 Fundamental barrier to realizing the NII
new services
Exponential growth
Business dependence

Attack by foreign government
Industrila espionage
Vandalism and mischief

Pervasive and ubiquitous
Nooeed vomprehensive approach
Prevent Unauthorized access
Unau.. Denil aof access

Third party authenyication validation

Security controls for connectong to networks

Flexible enclaves - ditr . Virtial communities Secure interoperation

Enclaves -- security does not get in tehe way Designate systems without/within enclave perimeter

Near-trm : toolkits for Sec. admin, integrationm emergency resp

Experimnts Long term HPCC, Mobile ,, DigLib, ElComm, sensitive (Healthcare) Confinement technologies

Referene SKIP project at ETH Zurich [Germano Carroni] uses two level keymanagmemt (by handling certificates. Model has secure islands, subislands and outposts. Consider differences in client-server and peer-to-peers. In client server model the set of candidate ckients is unknown (unless subscription). In-line encryption is now feasible at little or no loss. With authentication net bandwidt is reduced.
Note: RSA patent expires in 1997?
focuses in key mangemnt to define the domains.
Which layer? Application -> kernel {session, transport}-> hardware
Recommends high level
WG IP security of IETF composed of architecture(RFC1825), authentication(1826, 1828) confidentiality (1827, ), key management (draft form only)
Shared secrets cannot easily use RSA, since symmetric.
Videoservers are unidirectional, simpler.

Tina consortium (Bellcore, Fujitsu, many) to move telecom towards sharable, single, architecture. !growth>.
Domains called schemes of authentication.

Booz-allen wg.10
Simple model, cenral holder, hierarchical assignemnet. rules to lower level can have their own rules for subsidiary certificate assignment.
Lower levels could violate tight rules set and promised at high levels.
Also neeeds recovery of lower level node dies. Fatal if top level node dies.
Distributed trust model makes user holds own key, travels through systems, where are they keys then. A long distance in terms of intermediate crtificate holders among signer and verifier leads to distrust. Need faciities to monitor, repaor, modify policies and systems, also in case of faults.

Vijay Varadharajan CSD, Un.West.Aust, Sydney.
Enterprise-wide security control.
DCE now only in server. Has privilge managemnt module, with acess lists. in, drived concptually from Kerberos DCE 2.0 too have public key from server. Check OSF votes?
UWA developing distinct authentication server.Their research prototype, supported by HP, provides tokens to certificate privileges. Can accoubt for aggregate use, as being limited to $10,000 withdrawal per week. Uses some public key techn. Open: how to propagate policy cahanges among domins (assumption: identical)
Have a policy language (no inheritance, positive (multiple levels) and (strong) negative authorizations.
Kerberos [MIT handles it all] plans to update with public key caapability.
Vesna Hassler, dep of distr systems TU vienna (advisor Posch) Collaboration security: Includes 1. Multi-party secure communication ports. 2. Group-oriented cryptography, as for teleconferencing, not served well by mutiple pairwise agreements. 3. Workflow security. 4. Application specific security.
Whitfield Diffie et l. at ASAFE panel 1Jul19996
Note objectives fof encryptor, and surveiller,
Yhe latter want to be able to filter many msgs to locate items of concern.

30 bit key decry (or 56)iable by PC
40 expoert limit
To lowr to be secure for WS attack today, done by MIT
doable at $8900 (prce to FBI $16,000.
To high for filtering by intercept device
60 bit (0r current 56 bit DES) also doable. With gate arrays
cost you $1,000,000 to break in 7 days.
90 not doable with cureent technology for document valid lifetime
120 bit secure in the foreseeable in the future

Good cryptography resaerch outside of the US. 90%papers are foreign, lets hamstringing in foreign products. Viz Jogoslavs working in Sweden.
Today 65 countries produce 270 cryptographic devices, available to all good guys and crooks.

NS!P>A motto in the 1980s: In God we trust, the rest we monitor.
[per Whitfield Diffie panel, 1996]

From national security poit of view what are the cost of encryption.
NSA wantted first to be able to break crtpto through ex[port control. Led to an crypto arms race. Made things actually worse, and so now tgey are hiding behind law enforcement agencies.
But law enforcemnt (as the FBI) only needs to decrypt docs, not do surveillance.