of the communications path for actual usage of the connection, for the following reasons:

- The least privilege and least common mechanism arguments
- The fact that the security control mechanism would thereby
  which is known to have serious vulnerabilities and per-

Use of these connections therefore becomes independent of the centralized security control mechanism. A degree of usage control can be provided by the distributed mechanisms, namely the encryption devices, if they have sufficient "intelligence" built into them. Such features should include:

- Protection against spillage due to erroneous addressing information or routing (e.g., by having different encryption keys for each requestor-resource pair).
- The ability to accept a new key from the security control mechanism for use in each separate requestor/resource dialog.
- Protection against improper use of a connection (e.g., by having a check within the encryption device to ensure that the "tagged" security level of the message does not exceed that for which the connection was established).
- Ensuring that sensitive data never appears in the clear

The security mechanisms should not unduly impact the network in terms of:

- User inconveniences (delays, uncertainties, memorization, etc.)
- Performance degradation (responsiveness and throughput)
- Error recovery at all levels
- Hardware and software costs (design, development and maintenance)
- Operational costs (administration and management of updates, etc.)

The need to separate data and control is a basic problem in data communications, and is compounded further when encryption devices are used in such communication links. Before considering this latter complication, let us discuss the problems involved in the clear-text handling of data and control, after which we will extend these notions to include encryption.
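The three device features listed earlier in this section (a separate key per requestor/resource pair, acceptance of a new key from the security control mechanism for each dialog, and a check that the tagged level of a message does not exceed the level of the connection) can be modelled in a few dozen lines. The following Python sketch is an added example, not part of the original report: the cipher is an illustrative encrypt-then-MAC construction built from HMAC-SHA256 so that it runs on the standard library alone, and the device, requestor and resource names are assumptions.

```python
import hashlib
import hmac
import os

# Security levels the device understands; the ordering is what the
# "does not exceed" check compares.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode, standing in for the device's keystream generator."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, level: int, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. The level tag travels in the authenticated clear header."""
    nonce = os.urandom(12)
    header = bytes([level]) + nonce
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, header + ct, hashlib.sha256).digest()
    return header + ct + tag


def unseal(key: bytes, blob: bytes) -> tuple:
    """Verify before decrypting: a message sealed under a different pair or dialog key fails here."""
    header, ct, tag = blob[:13], blob[13:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, header + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: key does not match this message")
    level, nonce = header[0], header[1:]
    pt = bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))
    return level, pt


class EncryptionDevice:
    """One distributed encryption device, keyed per requestor/resource dialog."""

    def __init__(self) -> None:
        self.dialogs = {}  # (requestor, resource) -> (dialog key, max level)

    def accept_key(self, requestor: str, resource: str, key: bytes, max_level: str) -> None:
        """Key-control command from the security control mechanism at dialog setup.
        Installing a key for a pair retires whatever key that pair had before."""
        self.dialogs[(requestor, resource)] = (key, LEVELS[max_level])

    def send(self, requestor: str, resource: str, level: str, plaintext: bytes) -> bytes:
        key, max_level = self.dialogs[(requestor, resource)]  # KeyError: no dialog established
        if LEVELS[level] > max_level:  # the "tagged level" check
            raise PermissionError(f"{level} message on a connection established at level {max_level}")
        return seal(key, LEVELS[level], plaintext)

    def receive(self, requestor: str, resource: str, blob: bytes) -> bytes:
        key, _ = self.dialogs[(requestor, resource)]
        return unseal(key, blob)[1]


def demo() -> dict:
    """Walk through the three properties with constructed keys, names and messages."""
    k_a_r1, k_a_r2 = os.urandom(32), os.urandom(32)  # as issued by the security control mechanism
    dev_a, dev_r1, dev_r2 = EncryptionDevice(), EncryptionDevice(), EncryptionDevice()
    dev_a.accept_key("A", "R1", k_a_r1, "SECRET")
    dev_r1.accept_key("A", "R1", k_a_r1, "SECRET")
    dev_a.accept_key("A", "R2", k_a_r2, "CONFIDENTIAL")
    dev_r2.accept_key("A", "R2", k_a_r2, "CONFIDENTIAL")
    results = {}

    blob = dev_a.send("A", "R1", "SECRET", b"report for R1")
    results["delivered"] = dev_r1.receive("A", "R1", blob)

    try:  # tagged level exceeds what the A/R1 connection was established for
        dev_a.send("A", "R1", "TOP SECRET", b"too high")
        results["overclass_blocked"] = False
    except PermissionError:
        results["overclass_blocked"] = True

    try:  # spillage: the R1 message is misrouted to R2, whose pair key differs
        dev_r2.receive("A", "R2", blob)
        results["spillage_blocked"] = False
    except ValueError:
        results["spillage_blocked"] = True

    # a new A/R1 dialog gets a new key; traffic from the old dialog no longer opens
    dev_r1.accept_key("A", "R1", os.urandom(32), "SECRET")
    try:
        dev_r1.receive("A", "R1", blob)
        results["old_dialog_rejected"] = False
    except ValueError:
        results["old_dialog_rejected"] = True
    return results
```

The point of putting the level tag inside the authenticated header rather than trusting a host-supplied field is that the check belongs in the device, which is the component the host cannot bypass; a misrouted or stale message is then rejected by the MAC before any plaintext is produced.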
If multiple paths are available for information transfer, one can divide

The added complications of encryption are due to the need to pass clear-text control information through (or around) the device to provide the addressing information, etc., that the communications net requires to deliver the message. Passing control information through the device can conceptually be done in any of several ways:

1. By "disabling" the encryption for the desired interval
2. By pre-encrypting the control information such that it

The above methods of passing control information through the encryption device give too much capability to the data processing equipment, so we will consider methods of passing this information around the device. The possibilities include:

1. A direct data path over which one may send arbitrary con-
   misuse due to the general nature of the data that can be
   Since encipherment and decipherment by the exclusive-or are the same operation.
2. A direct data path, but with a predefined set of legal data elements which may be sent.
3. An "indirect" data path in which one specifies the name
4. An implicit scheme in which only one control string

Of the above methods, only the second and third offer sufficient protection and flexibility for general network use. Rather than selecting between these two methods, one can selectively use the best features of each, e.g., by using (3) for control information that must change for each dialog, and (2) for information that has a fixed representation (error indications). The design approach should therefore use these two techniques, selecting between them depending on the static or dynamic nature of the data. Specific areas of control which must be addressed include those of timing, status indications, key control commands, exceptional condition indicators, and the control signals required for multiplexing.
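The combined approach just described, method (2) for control elements with a fixed representation and method (3) for elements that change per dialog, is shown below as an added Python example that is not part of the original document. Method (1), the unrestricted direct path, is included only for contrast. The set of fixed codes, the control-string names ("dest_addr", "dialog_id") and the frame layout are assumptions made for the example.

```python
from enum import Enum


class FixedCode(Enum):
    """Method (2): a closed set of control elements, each with a fixed representation."""
    ACK = b"\x06"
    NAK = b"\x15"
    ERR_TIMEOUT = b"\xe1"
    ERR_BAD_FRAME = b"\xe2"
    END_OF_DIALOG = b"\x04"


class DirectControlPath:
    """Method (1), for contrast: the host hands the device arbitrary clear bytes."""

    def emit(self, data: bytes) -> bytes:
        return data  # nothing prevents `data` from being the plaintext itself


class RestrictedControlPath:
    """Methods (2) + (3): the host may emit a fixed code, or name a control string
    that the security control mechanism installed for the current dialog."""

    def __init__(self) -> None:
        self._named = {}  # name -> bytes, written only by the security control mechanism

    # provisioning side
    def install(self, name: str, value: bytes) -> None:
        self._named[name] = value

    def clear_dialog(self) -> None:
        """At end of dialog the dynamic strings are withdrawn."""
        self._named.clear()

    # host side: the only two ways to put bytes on the clear path
    def emit_code(self, code: FixedCode) -> bytes:
        if not isinstance(code, FixedCode):
            raise TypeError("only members of the fixed code set may be emitted")
        return code.value

    def emit_named(self, name: str) -> bytes:
        try:
            return self._named[name]
        except KeyError:
            raise PermissionError(f"no control string named {name!r} for this dialog") from None


def compose_control(path: RestrictedControlPath, spec: list) -> bytes:
    """Assemble the clear control field; each item is a FixedCode or a string name.
    Anything else falls through to the name lookup and is rejected there."""
    out = b""
    for item in spec:
        out += path.emit_code(item) if isinstance(item, FixedCode) else path.emit_named(item)
    return out


def frame(control: bytes, enciphered: bytes) -> bytes:
    """Assumed link format: length-prefixed clear control, then the enciphered payload."""
    return len(control).to_bytes(2, "big") + control + enciphered


def demo() -> dict:
    plaintext = b"SECRET payload"
    results = {}
    # (1) direct path: the host can place the plaintext itself on the clear channel
    results["direct_leak"] = DirectControlPath().emit(plaintext) == plaintext

    path = RestrictedControlPath()
    path.install("dest_addr", b"\x00\x2a")  # constructed net address, set up per dialog
    path.install("dialog_id", b"\x17")
    results["control"] = compose_control(path, ["dest_addr", "dialog_id", FixedCode.ACK])

    for label, spec in (("unknown_name_rejected", ["src_route"]),   # never installed
                        ("raw_bytes_rejected", [plaintext])):       # neither code nor name
        try:
            compose_control(path, spec)
            results[label] = False
        except PermissionError:
            results[label] = True

    path.clear_dialog()  # dialog over: yesterday's address is no longer nameable
    try:
        compose_control(path, ["dest_addr"])
        results["stale_name_rejected"] = False
    except PermissionError:
        results["stale_name_rejected"] = True
    return results
```

The property worth noticing is that the host never supplies a byte value for the dynamic fields; it supplies a name, and the bytes that reach the clear path are whatever the security control mechanism installed. That is what keeps the clear channel from becoming a general-purpose leak while still letting the addressing information change per dialog.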
Security monitoring refers to collecting information for: (1) gathering audit trail information on requests for network access, both granted and denied, and (2) detecting and aborting improper network use whenever possible, as well as being able to assess possible compromise when it is discovered after the fact. The second function requires global interpretation and control, and a Network Security Center is suggested to serve this role.

Collecting appropriate audit information is, at best, an art, so the tools provided must be left as flexible and open-ended as possible. This is particularly necessary in the network environment, since the information relating to a given use of network resources may become badly fragmented across the entities involved, e.g., if two or more security control mechanisms are involved in setting up connection(s) between a requestor and a resource, with possible N-th party iterations through other resources.

One possible solution to the problem of information dispersal is to centralize at least part of security monitoring into a "Network Security Center." Such a center should not preclude local checking of inherently local use, but could support the global need to correlate and interpret audit information. One or more Network Security Center(s) could be formed, with audit information being collected by the security control mechanisms and HOSTs and sent to these centers via the network. This operation could be used either for routine audit processing, or on a more selective basis in which it would
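As an added example (not from the original document), the following Python correlator shows the kind of processing a Network Security Center would do over audit records forwarded by several security control mechanisms and HOSTs: it reassembles each dialog from records that arrive from different entities, follows the N-th party chain back to the originating requestor, lists denied requests, and flags data transfer on a dialog for which no grant was ever recorded. The record layout, the dialog and parent identifiers, and the sample records are constructed for the example.

```python
from collections import defaultdict

# Constructed audit records as two security control mechanisms (SCM-1, SCM-2)
# and two HOSTs might forward them. Fields beyond those used here are omitted.
SAMPLE_RECORDS = [
    {"src": "SCM-1", "t": 100, "type": "request", "requestor": "A", "resource": "R1",
     "dialog": "d1", "decision": "granted"},
    {"src": "HOST-R1", "t": 101, "type": "transfer", "dialog": "d1", "bytes": 4096},
    # R1, acting for A, requests R2 through a second control mechanism: an N-th party hop
    {"src": "SCM-2", "t": 102, "type": "request", "requestor": "R1", "resource": "R2",
     "dialog": "d2", "decision": "granted", "parent": "d1"},
    {"src": "HOST-R2", "t": 103, "type": "transfer", "dialog": "d2", "bytes": 512},
    {"src": "SCM-1", "t": 104, "type": "request", "requestor": "B", "resource": "R1",
     "dialog": "d3", "decision": "denied"},
    # transfer reported by a HOST on a dialog no control mechanism ever granted
    {"src": "HOST-R2", "t": 105, "type": "transfer", "dialog": "d9", "bytes": 65536},
]


def correlate(records):
    """Group every record by dialog id, whichever entity reported it."""
    by_dialog = defaultdict(lambda: {"request": None, "transfers": []})
    for rec in sorted(records, key=lambda r: r["t"]):
        entry = by_dialog[rec["dialog"]]
        if rec["type"] == "request":
            entry["request"] = rec
        elif rec["type"] == "transfer":
            entry["transfers"].append(rec)
    return dict(by_dialog)


def chain(dialog, by_dialog):
    """Follow parent links back to the originating requestor (the N-th party case).
    Returns hops in request order, e.g. [("A", "R1"), ("R1", "R2")]."""
    hops, seen = [], set()
    while dialog in by_dialog and dialog not in seen and by_dialog[dialog]["request"]:
        seen.add(dialog)  # guards against a cyclic parent link in bad data
        req = by_dialog[dialog]["request"]
        hops.append((req["requestor"], req["resource"]))
        dialog = req.get("parent")
    return list(reversed(hops))


def findings(records):
    """What the center would report from one batch of forwarded records."""
    by_dialog = correlate(records)

    def granted(entry):
        return bool(entry["request"]) and entry["request"]["decision"] == "granted"

    return {
        "denied": [d for d, e in by_dialog.items()
                   if e["request"] and e["request"]["decision"] == "denied"],
        # improper use: data moved on a dialog with no recorded grant
        "ungranted_transfers": [d for d, e in by_dialog.items()
                                if e["transfers"] and not granted(e)],
        "chains": {d: chain(d, by_dialog) for d, e in by_dialog.items() if granted(e)},
        "bytes_by_dialog": {d: sum(t["bytes"] for t in e["transfers"])
                            for d, e in by_dialog.items()},
    }


if __name__ == "__main__":
    for k, v in findings(SAMPLE_RECORDS).items():
        print(f"{k}: {v}")
```

The "ungranted transfer" case is the one that only a center can see: HOST-R2 alone has no way to know that no security control mechanism authorized dialog d9, and SCM-1 and SCM-2 alone never see the transfer. Local checking stays useful for inherently local use, as the text says; the correlation across reporting entities is what the centralized function adds.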