Conclusion Achieving security in computer networks is a greater challenge than achieving it in stand-alone systems. In either case, the exercise may be like chasing one's own tail. However, we have looked at home reasons why achieving an adequate level of security in ntworks is possible, even with today's technology. The necessary, but not sufficient conditions are minimum standards of physical, procedural, backup security and audit. Postulated were a number of possibilities for enhancing system security, most of them available in current networks. There are many challenges yet to face you as users of network services. Some possibilities have been covered earlier. If you do nothing else after this session, do the following: 1. Plan for networks; they are the wave of the future. 2. Write security into the specifications and RFP's for computer services and equipment. 3. Install controls in systems from the very beginning. 4. Continually assess and audit those controls. If these actions are accomplished, the goal of simple, isolatable, mediatable, measurable and flexible security controls will be very much a current possibility. COMPUTER SYSTEM ARCHITECTURE AND ACCESS CONTROLS Oliver R. Smoot Computer and Business Equipment Manufacturers Association This morning we heard about the current and proposed statutory environment in which systems dealing with information on individuals will have to operate; and just a few minutes ago, we heard the viewpoints of the computer manufacturer and the computer professional. Now we'll begin to deal with the technical aspects of fulfilling some of these requirements set out this morning and in November. In this first section we will continue this format of discussing what exists today and then dealing with the technology needed to respond to new requirements. The first two papers this afternoon will concentrate on two of the most important issues raised at the November conference, the first on protection of data from observation through encryption and the second on control of access to systems resources. Our last two papers present important contrasts between the concept of the architecture of self-protecting computer systems and then management's role in implementing security regardless of the hardware base. SECURITY ARCHITECTURE USING ENCRYPTION Encryption has been extremely successful in preserving the security of private message traffic. So, why not use it for preserving the security of information contained in computers? This appears to be a good idea, but several questions must be answered: In which parts of a computer system can encryption and decryption be performed? • What protection improvements will encryption provide? What are its limitations? Is there a cost/performance penalty to be paid for the introduction of encryption techniques? Encryption by itself has not been found sufficient to protect a system, but when made part of a secure environment it can increase protection without causing severe economic impact. Data in Motion When we think of encryption, most of us think of coded messages-transmission of written information, and more recently, transmission of data by electronic means from one location to another. Messages are coded in order to protect against unauthorized interception such as monitoring of radio transmissions and tapping of land lines. For this reason, techniques for encoding messages, particularly for classified military and other government classified communications have been developed. As a result, a variety of electronic encryption/decryption devices are now manufactured. Secure communications are maintained through a pair of such devices by placing one encryption device at each end of the communications link. The data to be transmitted is fed into the first device where it is encoded and sent across the link; the second device receives the message, decodes it and outlines the data in its original form. These devices can be designed so that each one can either encode or decode, allowing two-way communications. They can be designed so that the code can be selected from among many by means of a key. By periodically changing the keys in the two devices the degree of security can be enhanced. Data at Rest As contrasted to data in motion, data at rest is data in a semipermanent file-data on magnetic tape, data on Magnetic Disk, or even data in main storage. The amount of encryption that can be performed depends, of course, on the cost and performance of the encryption devices available. For the moment we will assume the existence of an encryption device having no cost and having no performance limitations. Later, we will consider cost and performance constraints. Protection of Media The most obvious way of providing encryption on a tape or disk is to install an encryption device on each tape or disk drive in line with the data path to the recording head (fig. 1A). With everything on the tape or disk in code, the tape or disk is protected in case it is stolen, and it is easier to dispose of when it is no longer needed. This configuration has the disadvantage that a large number of encryption devices are required. This number can be reduced by placing the encryption devices. in the peripheral control units instead of in each tape. or disk drive (fig. 1B). For this configuration the encryption device must be designed to be set, enabled, or disabled by the peripheral control unit. Fortunately, transfers in a peripheral control unit are tagged as data or control. This permits encoding of data which is to be recorded by a peripheral device, while not encoding peripheral control and status information. But this configuration does not achieve exactly the same results as in figure 1A. On magnetic disks, the record identifier adn key fields cannot be encrypted because they must be interpreted by the device during search operations. For many applicaitons, this may be acceptable since the data itself is still encrypted. The encryption device can also be placed in the input output controller (fig. 1C), but now the encryp tion device must be enabled or disabled not only ac cording to whether control, status, or data is being transmitted, but according to which peripheral is re ceiving the transfer. Transfers should not be encrypted for unit record devices such as the line printer, console, card reader, or some of the tape or disk drives. More complications arise from changing the key or permitting the use of multiple keys. Protection within the System The mechanisms just described provide protection of a tape or disk if it is stolen and physically removed to another computer system. Protection can also be provided against unauthorized attempts to read the tape or disk on the same system. The encryption devices can be controlled by software-loadable keys. Each user provides a key to the system that matches his tape or disk. A more complicated scheme is necessary when files are shared (fig. 2). Data is divided up according to category of information. Each category is assigned to a different encryption key. Each user is provided with a list of keys the keys corresponding to the data he has permission to access. We call this a need-to-know protection scheme. Here is an example of how this scheme might be used: A bank's data processing system contains records of its savings accounts, checking accounts and loans. Customer names are encrypted using one key, savings account balances using another, and so on. Programs to report to the IRS are given the keys to access name, social security number, and interest amounts. Privacy of account balances and activity records can be assured. This scheme has several advantages over conventional file access control mechanisms: A file can be broken into pieces finer than the normally provided segment. • There are no large tables to match user names to file names. • It is not necessary to guarantee that a table access check is performed every time a file is opened. There are disadvantages to the use of encryption alone to protect files from unauthorized access: Encryption does not prevent files from being writ ten over and thus destroyed. Therefore, it would be absolutely necessary to have a good back-up file system. In order to protect files from professional code breakers, it is necessary to change all keys periodically. When this is done, all files may be copied and recorded using the new keys. Protection of Data in Main Storage This mechanism can be extended to protect data in main storage as in a timesharing system when many users' data are simultaneously present. FIGURE 1. Encryption devices may be placed in the individual disk or tape drives, in the peripheral control units, or in the input/ output controller. More encryption devices are required when they are placed in the disk and tape drives. The encryption device is more difficult to use when placed in the input/output controller. First, it will be necessary to put an encryption device between the CPU and main storage (fig. 3A). Second, it will be necessary to find a means of handling control information for I/O devices and data for the printer. This can be done in several ways: • The channel programs and data for transfer to unit records can be left in decoded form in main storage. This means that the encryption device will have to be turned on and off under program control, adding certain complexities to the CPU program. The CPU, for instance, must know the difference between data destined for the printer and data destined for tape, to be printed later. This distinction may not necessarily be visible to the programmer. • Encryption devices can be added to the I/O controllers to decode the channel programs and data when necessary (fig. 3B). The encryption device can be placed in the main storage unit. Keys and control information would be sent from the CPU and I/O controller at the same times addresses are sent (fig. 3C). When the encryption device is placed between the CPU and storage it must operate on small fields. This restricts the type of encryption algorithm that can be used. Several keys will have to be kept in CPU registers associated with registers containing addresses such as the instruction counter or base registers. These keys must be loaded and unloaded when the corresponding address registers are changed. It will be necessary to have tables of keys in main storage, and these tables will have to be protected. We cannot rely on encryption for al of our protection. Even if the tables of keys were encrypted, the key used for that encryption would require protection. So a conven tional segment descriptor, base/bounds protection mechanism, or lock and key protection mechanism is still necessary. What good is it to encrypt data in main storage if we still need the existing protection mechanism? The size and complexity of the existing mechanisms can be reduced. This is an important consideration when it becomes necessary to certify a protection scheme. Present efforts to make a system certifiably secure are directed toward the creation of a security "kernel." The "kernel" is a set of highly privileged programs with the power to impose access restrictions on the rest of the system. The proposed proof of correctness techniques can only be applied to a small amount of code. If a small enough kernel can be isolated then, theoreticaly, it can be proven secure. Economic Factors We have encryption devices fast enough and cheap enough for use in communications. These are capable of speeds up to 500,000 bits per second. Software routines that provide encryption secure enough for commercial applications can run at 10,000 bits per second. But tape, disk and main storage have much higher transfer rates. Tapes can transfer data at 2.000,000 bits per second. Disks can transfer at 6,000,000 bits per second and up. Some main storage units can transfer at 200,000,000 bits per second. Of course, we can improve the performance of most digital devices by increasing parallelism, but size and cost will often rise exponentially. A reasonable upper limit on the size of a commercial encryption device is around 200 TTL packages. This is about four average. sized printed circuit boards as compared to over 100 of these boards for a medium-size central processing unit. It has been estimated that sequential bit stream encryption devices of this size capable of 10,000,000 bits per second can be built. Such a device would be suitable for tape and disk applications, but for use between a CPU and storage it will be necessary to obtain a device that is both faster and capable of operation in a random access mode. The Future Thus we are currently limited by a lack of better, faster encryption techniques and speedier, less costly circuits. Fortunately, we are by no means at the end of our technological capability. Large Scale Integration (LSI) holds a promise that encryption may be feasible in a CPU. Other problems to be solved are mainly problems of getting more out of encryption schemes and devices: •Providing master and submaster key capability for distributing need-to-know level information from multiply-encoded files. • Implementation of the ring properties for multiprivilege access control or the star properties for multilevel government security classifications. FIGURE 3. Three configurations for providing encryption in main storage. Configuration A may not be practical because of complexities in controlling the encryption device The choice between configurations B and C depends upon the design of the main storage/processor interface and the number of main storage modules. Encryption does help to provide secure systems. However, encryption technology is a specialty of gov ernments. Because commercial demand for secure systems has been low there are too few technicians available to industry. The ultimate success of security archi tecture using encryption will depend on the willingness of the appropriate government agencies to help develop the algorithms necessary to satisfy the design criteria. of data processing machines. |