2.2.5 Checking Required to Access the Authorization Mechanism There are two basically different approaches for access to the authorization mechanism: (1) access to use it, e.g., by any requestor, and (2) access to modify it, e.g., by special personnel who have such privileges. The former is considered the normal mode of operation since one of our requirements from the Reference Monitor analogy (section 2.1) was that the access mechanism be always invoked. The second approach has particularly serious implications since another requirement was that the mechanism be isolated from unauthorized alteration. Three different schemes are possible: Allow access only by manual means (e.g., by authorized Use the authorization mechanism to protect itself, e.g., only certain requestors have the capability to change the authorization data. • A combination of these two. While the manual approach has an intuitive sense of control, its real viability will depend on the frequency and complexity of the updates, which could "over-whelm" the manual methods. The second alternative distributes the control of authorization over a wider community of responsible agents, each of whom has some limited capability to modify the privileges of a particular group such as a project team. These agents might in turn be controlled by either some higherlevel set of responsible agents,* or control at this level could revert to manual methods, e.g., in the combination approach. Both schemes seem to have merit, and fortunately are not mutually exclusive. Therefore, the recommended approach is to develop the system with both features; using the third approach, i.e., manual controls over a set of agents (initially all changes), with the possibility of allowing these agents to delegate capabilities in some future version of the system. *These levels of authorization define a hierarchy of increasing privileges, which is not universally accepted as being desirable, (e.g., see Wulf, et al (WUL-73) who claim that "such structures are inherently wrong and are at the heart of society's concern with computer security.") 2.3 ACCESS CONTROL; ISSUES RELATED TO THE ESTABLISHMENT OF CONNECTIONS The proposed network security mechanisms gain a substantial part of their strength by their ability to control the creation of communication paths between a requestor and a resource. Establishing such a path or connection involves several different levels, some of them being conceptual (levels of abstraction) and some of them being physical (implementation levels which build upon each other). This notion of levels, their definition, separation, and transparency, is a critical aspect of networking which is as important as the analogous levels of the top-down design of a large-scale software system. It is doubly important for our investigation which has an intended generality in terms of network usage, HOST computer systems, encryption devices, and communications network technology. "Establishing a connection" means that: (1) a logical or physical path is created through the communications net (e.g., for message-switched or lineswitched nets respectively), (2) the appropriate control disciplines are initiated, (3) the encryption devices are keyed, (4) the requestor/resource control programs are initialized, and (5) certain identification and authorization data are sent to the resource. This sequence establishes a user-to-process (or process-to-process) communications path which has end-to-end protection and a defined set of capabilities. Three general areas will be considered relative to the creation of connections: The implications of HOST acceptance of the connection. The profile information to be sent at the time of connection establishment. Error handling on initial connection requests. The controlled establishment of communication paths or connections is, to some extent, prima facie evidence that the requestor is legitimate and authorized to access certain resources. However, the HOST containing these resources may, at its option, present a further set of checks, thereby pro viding: • Multiple "barriers" through which a potential penetrator An evolutionary development in which HOSTS can gradually accept the existence of the independent access controller. 2.3.2 Profile Information to be Sent at Connection Establishment The information which should be sent from the security control mechanism to the HOST at the time of the connection creation might be any of several alternatives, e.g., the requestor's entire profile or only that subset which is relevant for the requested access, or perhaps none at all. Considerations on this tradeoff include: The requestor may not know in advance all of the N-th party accesses may be required on the requestor's The particular subset of profile information may be Sending profile information at the time of connection This is an issue which will remain open for the time being since its impact on the network security mechanisms must be more carefully considered. Since the creation of a connection and the accompanying profile information assumes that the requestor is authorized, the creation mechanisms must be secure even in their failure modes (i.e., fail-secure). Failures must be a primary design consideration in all of these mechanisms. 2.4 ACCESS CONTROL; POLICY ISSUES AND REQUIREMENTS RELATED TO USE All communications via the network must be via paths which have been explicitly created by the security control mechanisms described in the previous section. Considering the nature, use, and control of these paths, the following issues arise: Should the security control mechanism be part of the What control mechanisms are available via the encryption What degradation is caused by the need for security mechanisms? How should data and control information be separated? Each of these topics will be considered in the following sections. 2.4.1 Security Control Mechanism as Part of the Communication Path Each protected connection should be established for a particular requestor/ resource dialog, and should use a "one-time" encryption key assigned by the security control mechanism. However, this mechanism should not be part |