Source: Internet Info CD-ROM (Walnut Creek, December 1997), isoc/pub/isoc_news/1-4/n-1-4-040.33.1a
File date: 1994-03-26
Subject: 040.33
Towards an Internet Security Architecture: Part II
Stephen Kent, Chief Scientist, BBN Communications
<kent@bbn.com>
This is the second installment in a multi-part series
addressing architectural security issues in the Internet. As
noted in the first installment, policy statements about user,
vendor, system administrator, and network provider
responsibilities have been published (RFC 1281), as have more
detailed statements about good security procedures (RFC 1244).
However, these very high-level and very low-level approaches to
security should be complemented by an architectural view of
security for the Internet. This installment begins to
explore security services and the mechanisms used
to provide these services, using the terminology introduced in ISO
7498-2, the OSI security architecture.
The security service which often comes to mind first is that
of confidentiality. Data afforded confidentiality is only
disclosed to authorized individuals, processes, networks, or
computers. ISO 7498-2 characterizes this service as being
either connection-oriented, connectionless, selective field,
or traffic flow confidentiality.
From a practical standpoint,
connection-oriented and connectionless confidentiality are the
same service, distinguished only by the communication context in
which the service is offered. However, the security mechanism
implementations used for confidentiality may differ for the
connection-oriented vs. connectionless service variants. In both
cases, and in most instances where confidentiality is required,
cryptographic techniques are the primary security mechanisms
employed.
Selective field confidentiality is a distinct service,
applicable in the context of application protocols. It permits an
application to protect from disclosure selected portions of a
packet or message. An example of this form of service is often
exhibited by automated teller machines (the other ATMs). A
transaction message sent from an ATM to a bank computer may
contain the ID of the ATM, the customer's account number, a
transaction serial number, a code to identify the type of
transaction (deposit, withdrawal, transfer, etc.), and parameters
specific to the transaction (e.g., amount of deposit, withdrawal,
or transfer). All of this data is often transmitted without
benefit of confidentiality, but the customer's personal
identification number (PIN) is afforded confidentiality.
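The ATM message above, as an added illustration that is not from the column: AES-GCM protects only the PIN field while the ATM ID, account number, serial number, transaction type and amount ride in the clear, and, as a practitioner's extra beyond what the column covers, those clear fields are bound to the encrypted PIN as authenticated data so they cannot be altered without detection. The '|' wire layout and the NewGCM/SealPIN/OpenPIN names are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"strings"
)

// Transaction carries the ATM message fields the column lists; all of them are sent in the clear.
type Transaction struct{ ATMID, Account, Serial, Kind, Amount string }
// clear serialises the unprotected fields; they double as GCM additional authenticated data (AAD).
func (t Transaction) clear() []byte {
	return []byte(strings.Join([]string{t.ATMID, t.Account, t.Serial, t.Kind, t.Amount}, "|"))
}
// NewGCM wraps AES-GCM for a 16, 24 or 32-byte key shared by the ATM and the bank host.
func NewGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealPIN builds the wire message: five clear fields, then hex(nonce||ciphertext of the PIN).
func SealPIN(gcm cipher.AEAD, t Transaction, pin string) (string, error) {
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce for every message
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(pin), t.clear()) // nonce||ciphertext, AAD = clear fields
	return string(t.clear()) + "|" + hex.EncodeToString(sealed), nil
}

// OpenPIN recovers the PIN; a clear field altered in transit (e.g. the amount) fails authentication.
func OpenPIN(gcm cipher.AEAD, wire string) (Transaction, string, error) {
	p := strings.Split(wire, "|")
	if len(p) != 6 {
		return Transaction{}, "", errors.New("malformed message")
	}
	t := Transaction{p[0], p[1], p[2], p[3], p[4]}
	sealed, err := hex.DecodeString(p[5])
	if err != nil || len(sealed) < gcm.NonceSize() {
		return t, "", errors.New("bad ciphertext field")
	}
	pin, err := gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], t.clear())
	return t, string(pin), err
}
```

Field values must not contain the '|' separator, and the key is assumed to be shared out of band by the ATM and the bank host.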
Traffic flow confidentiality is a service which conceals
"external" characteristics of communication, such as the identity
of the source and destination of the data, the size of
packets, and the frequency with which packets are transmitted.
These external features of traffic can reveal quite a bit about
the nature of the communication. For example, observing that
two competitive companies are exchanging messages might indicate
that the companies are engaging in some joint project or that a
merger is being explored. Very high quality traffic flow security
is available for point-to-point circuits, through the use of layer
1 cryptographic techniques, or for certain types of radio
networks, through the use of spread spectrum technology.
In contrast, concealing traffic patterns in packet network
environments requires a certain degree of trust in intermediate
switches/routers. This is because of the need for the packet
header information to be visible at switches. In theory one could
transmit "dummy" packets of randomly varying sizes to a variety of
destinations, to conceal the true traffic characteristics in a
packet network. However, concerns over traffic congestion
or over the cost of sending lots of packets to other than the intended
destination, make these traffic flow
confidentiality techniques impractical in general. Instead, if
one requires this form of confidentiality in packet networks, one
tends to use point-to-point traffic flow confidentiality
techniques and to provide physical security for the switches.
Subsequent columns will examine other security services and
briefly discuss the primary security mechanisms used to effect
these services.