A centralized approach to computer network security*

A centralized approach to computer network security* by FRANK R. HEINRICH and DAVID J. KAUFMAN Sysiem Developmeni Corporaiion Santa Monica, California ABSTRACT This paper presents an approach to network security at the system design level. Some basic network concepts and major network security threats are outlined. The design approach is described and a brief security analysis is presented. The proposed network structure incorporates data protection devices called network cryptographic devices and a special-purpose processor, the network security center, to control access in the network. INTRODUCTION The ever-increasing utilization of computer systems has heightened demand for broader computer service and data management capability. Computer networks are an attempt to meet this demand by organizing many individual computer systems to act as a single, very large system or supracomputer. The distribution of data processing functions among a set of distinct systems decentralizes the control of data storage and processing. In addition, information must be transmitted between computers and is therefore subject to exposure. These factors complicate the problem of providing a high degree of security assurance in computer networks. Additionally, current emphasis on privacy considerations underlines the need for network security. Thus security must be a major factor in network design. This paper presents an approach to network security at the system design level. To provide a basis for discussion of this design, a few basic network concepts are first outlined. Some major network security threats are then presented to provide a context for evaluating the system. Finally, the network structure is described and a brief security analysis presented. The proposed network structure incorporates data protection devices called network cryptographic devices and a special pur- * The work reported in this paper was supported by the U.S. Department of Commerce, National Bureau of Standards contract # 5-35934. pose processor, the Network Security Center, to control access in the network. The design in this paper provides a means for centralizing control in computer networks. When global policies toward network access, data storage and processing can be established, this design is quite appropriate. In some instances, however, it may be difficult to develop such global policies. The management at each network site may decide to maintain greater control over local policy and resist centralization. A second approach to computer network security in which control can be more easily distributed, is presented in a companion paper.1 BASIC NETWORK'CONCEPTS In an intercomputer network, a number of computer systems and terminals are linked. The individual computer systems (hosts) and terminals are called network resources. Interconnection of these resources requires functions performed by both hardware and software, but in this section we consider only the logical arrangement of networking functions rather than associating any particular functions with specific hardware devices. Network resources must be physically interconnected in some manner. That is, facilities must exist to provide data paths between network resources. These facilities, called the communications subnetwork may take many forms. The communication subnet~ work may consist of telecommunications lines, a message switch, or a packet s~nitched network. Regardless of the configuration, however, we will view communications subnetworks as logically equivalent, supplying a means for data to flow from any network resource to any other network resource. Figure 1 illustrates three layers, or levels, of network functionality. Layer 1 is network resources; layer 2 is connection-oriented functions; and layer 3 is the communications subnet. Network resources can be thought of as correspondents, freely exhanging information (i.e., message text) by way of a carrier consisting of the connection-oriented functions and the 85

86 National Computer Conference, 1976 NETWORK RESOURCE CONNECTION ORIENTED FUNCTIONS COMMUNICATION SUBNETWORK Message Routing and Delivery NETWORK - - - - RESOURCE - - - -- Figure i-layers of network functionality CONNECTION ORIENTED FUNCTIONS communications subnetwork. The connection-oriented functions at different locations are, in turn, correspondents, exchanging information concerning the state of message pipelines via their carrier, the communications subnetwork. We refer to correspondents as being (logically) above the carriers. The actual content of the communication between correspondents is not of concern to lower layers (the carrier). Within a carrier, control messages may also be exchanged which are of no concern to higher level correspondents. Countering the network security threats discussed in the following section will require introduction of additional network functions. These new functions will not alter the logical relationship between the three layers already presented, but will necessitate the addition of a new functional layer. NETWORK SECURITY THREATS With privacy statutes being enacted, security vulnerabilities are a serious concern. Yet networks present formidable security problems due to the multi-user, multi-resource, multi-system environment. Physical and procedural controls have proven to be particularly inadequate in such geographically distributed systems. Primary security threats to intercomputer networks are: 1. Th'reats to Netwo'rk Communication-Network communications are susceptible to several maj or security threats. Penetrators may tap communication lines or network devices outside of physically secure facilities. Tapping of communications may result in unauthorized exposure of sensitive information or alteration of message text. A penetrator may record legitimate messages and replay them at a later time in order to spoof a network resource. Spoofing could also be accomplished by generation of spurious, but apparently legitimate messages. Misrouting and subsequent misdelivery of messages, either accidentally or maliciously, may result in unauthorized disclosure of sensitive information. 2. Counterfeit Network Resources-Network penetrators may be able to utilize counterfeit network resources. A bogus terminal or host computer may be made to appear as a legitimate source or destination of network messages. Without mutual authentication of network resources, uncontrolled use of the network may be obtained by those who would normally not have access to the network. 3. Forged User Identi/ication-A penetrator may gain network privileges by forging the identity of a valid user. Of course, this same threat applies to a single computer system. In a network, however, a penetrator may capitalize on a domino effect. A penetrator may use a forged identity to compromise a single host with poor security controls. Other network resources may then be compromised if they, in turn, trust the user's identity as established by the compromised host. 4. Unauthorized Access by Legitimate Users-Legitimate network users may gain unauthorized access to host computers, data files, programs, etc. A malicious user may take advantage of unauthorized access to delete or modify data files or programs, or even subvert an entire host computer system. Furthermore, sensitive or private information may be subject to unauthorized browsing. If each of the host computer systems which make up the intercomputer network were secure when operated separately, the security threats of forged user identification and unauthorized access would be eliminated. Separate network countermeasures for these threats would then be unnecessary. Mechanisms might still be included to relieve each host of the operational burden of implementing identification/authentication mechanisms and to provide a single unified network access protocol increasing user convenience when accessing various network sites. However, no secure generalpurpose computer systems exist today. Furthermore, it is doubtful such systems will be widely available for a long time. Thus, network mechanisms must be developed to protect network communications and to avoid increasing compromise threats to hosts because those hosts are linked in a network. SYSTEM DESCRIPTION This section presents a system level design of a secure intercomputer network as illustrated in Figure 2. The design incorporates cryptographic devices which

Centralized Approach to Computer Network Security 87 TERMINALS TERMINALS that sense the network appears to the user as a single large system. All messages in the Vser-NSC dialogue are enciphered and deciphered by cryptographic devices attached to the terminal and to the NSC. Each network cryptographic device has the capability of protecting such dialogues with the NSC. Creating a con?ection between V and H requires that a new key be established in the cryptographic devices at V's terminal and at H. When the cryptographic devices begin to use the new key they ca~ c~m~unicate, forming a cryptographic link between V and H. Vser V may then initiate formation of a message pipeline to host H via the connectionoriented functions. This connection authorization protocol is similar to that described by Branstad. 2,3 Figu:l'e 2-System ievel design encipher data (Le., transform data in order to conceal its meaning) and decipher data (Le., reverse the encipher process to render data once again intelligible).2 This transformation is based on a secret parameter called a Key. The cryptographic devices provide an additional layer in the logical structure of the network. The design also incorporates a new network resource called a Network Security Center (NSC), which is based on Branstad's concept of a Network Agency.3 Connections between nehvork resources are permitted only when authorized by the NSC, based on stored access control information. This control is enforced by the network cryptographic devices which will form cryptographic links only when instructed by the NSC. The network shown in Figure 2 contains N ehvork Front Ends (NFEs). An NFE is a processor which implements connection-oriented functions for a set of terminals and hosts. A network, which adheres to the secure design, can be built without NFEs. NFEs do have operational advantages, however, and are being considered for use in many future networks. Thus, we address their role in network security. An example may clarify the functioning of the NSC and network cryptographic devices. A user (V) at a terminal, desires access to a process (P) at a distant host (H). Before being connected with H, the user must carryon a dialogue with the NSC. During this dialogue, V must identify himself and supply additional information, such as a password, to authenticate his identity. V then requests access to host H. The NSC verifies the user's identity. If the user's identity is valid, the access request is checked, otherwise access to H is denied. The NSC uses previously stored access control information to determine if V is permitted access to host H. If the access control information indicates that the access request is legitimate, the NSC will initiate establishment of a logical connection between V and H. The scenario is similar to that of a user attached directly to a host with an access control mechanism. In CRYPTOGRAPHIC DEVICES There are two main types of cryptographic devices utilized in this design. One is the cryptographic device at the NSC called the master cryptographic device. The other type is attached to each of the other network resources and is called the slave encryption device. Slav~ encryption devices can accept new keys from a remote location. If attached to a single terminal, a slave cryptographic device need maintain only one new key. If attached to a host or NFE, a slave cryptographic device must be able to maintain several new keys in order to support each of the multiple logical connections with a distinct key. The master cryptographic device must be able to encipher and decipher messages to and from each of the slave cryptographic devices. The master cryptographic device manages establishment of new keys at the slave cryptographic devices. Both the master and slave cryptographic devices distinguish message headers from message text. Headers must remain in the clear so that the communication subnetwork has sufficient control information to route and deliver messages. Only message text will be enciphered and deciphered. These devices should make use of the National Bureau of Standards (NBS) Data Encryption Algorithm, which has been proposed as a Federal Information Processing Standard. -1 Several characteristics of this algorithm make it well suited for use in network cryptographic devices: 1. The secrecy of the transformation is dependent only on the secrecy of the key, not on the secrecy of the algorithm. 2. The length of the key is 64 bits, eight of which are reserved for parity. Thus there are 2 56 potential keys. The key is not so short as to make exhaustive search techniques feasible, yet not so long as to make distribution to a remote device difficult. 3. The algorithm is block-oriented; that is, data

88 National Computer Conference, 1976 is grouped into blocks of 64 bits which may be enciphered and deciphered independently of any other block. As long as the same key is used, position or time ~ynchronization of encryption with decryption is not required. Due to routing and transmission differences, message transit time through a network is somewhat variable. Messages may arrive at a destination in a different order than they were sent Using the NBS Algorithm, cryptographic device~ can be built which do not require position or time synchronization and are independent of the communication subsystem. 4. When enciphering or deciphering, the change of a single bit in either the key or the input text has an unpredictable effect on the output text. This characteristic has two implications. First, the correct key must be known to make use of (Le., decipher) enciphered information. Second, alterations to enciphered text cannot produce predictable changes to the corresponding clear text. 5. Analysis of clear/enciphered text pairs does not aid in code-breaking to determine the key used. Penetrators are forced to use impractical exhaustive search techniques for code-breaking. 6. The NBS algorithm is expected to be available as an LSI package. This will provide a low cost, high speed implementation suitable for use in network cryptographic devices. Network security center The NSC authenticates the identity of network users and authorizes connections between network resources. When an access request is approved, the NSC must generate a random, distinct encryption key to be distributed to the cryptographic devices at both subject and object. In addition, the NSC will keep audit logs of all access requests, both approved and denied, and will issue appropriate alarms when a suspected penetration attempt is detected. The NSC must, therefore, maintain a data base which contains sufficient information to verify (authenticate) the identity of users, and sufficient access control information to determine the legitimacy of access requests (access authorization). This data base will not remain static, but will require timely updating. This updating can be accomplished by a security officer at the NSC or by protocols between the NSC and network hosts. Except for authentication of updates, the issues of NSC data base updating are conventional data management system cost and performance tradeoff's and beyond the scope of concern here. NSC access control information is defined in terms of subjects, objects, and capabilities. A subject is an entity such as a user or a process that can initiate Subjects I I r--0_b.;...je_ct_s_,,..._ /1 The access control information can be represented by a 3-dimensional space. The shaded plane would contain all information concerning user A. Figure 3-Access control matrix access requests. An object is an entity such as a data file, a process, a host computer system or another network resource that can be the target of access requests. Capabilities are the actions which a subject may perform on an object. A good conceptual model for the access control information is a three-dimensional access matrix 5 as illustrated in Figure 3. On one axis of the matrix are subjects; on another axis are the objects, and on the third axis are the capabilities. Entries in the matrix are boolean values, indicating whether a capability is available to a subject for a given object. This model can accommodate objects to any desired degree of granularity; where granularity refers to the relative size of the subject being controlled. For most systems this matrix is rather sparsely populated, with subjects having access to only a few objects. Thus the actual implementation will use some other more compact and logically equivalent data structure. Network front ends A Network Front End (NFE) may interface one or more network resources to the communications subnetwork. The NFE performs the connection-oriented functions on behalf of hosts as well as terminals. The NFE could also provide a user-level command interface for terminals. It is likely that NFEs can reduce the software cost and system overhead normally involved in connecting to networks. A Secure Front End may, in fact, enhance network security, a concept discussed later.

Centralized Approach to Computer Network Security 89 SECURITY ANALYSIS The system design presented above counters the network security threats. The following discussion analyzes the design approach with respect to the threats presented earlier. 1. Network Communication Threats-The characteristics of the NBS data encryption algorithm (and cryptographic devices in general) eliminate many network communication threats. Obviously, line tapping yields encrypted text which cannot be read by a penetrator. Furthermore, alteration of enciphered text can be detected if an error detection field is included in the message. This error check must be enciphered, so that the error check value cannot be predictably altered. Additionally, the check value must be calculated with clear, rather than enciphered, text; otherwise it is possible to alter enciphered text such that the error detection field does not indicate the change. Inclusion of redundancy checks and message sequence numbers within the enciphered portion of the message can prevent undetected message playback or introduction of spurious messages. The network cryptographic devices used in this design utilize a distinct encryption key for each logical connection between network resources. Therefore, misrouted messages are rendered unintelligible to unauthorized recipients. Currently available "line" cryptographic devices can only be placed on the communication lines, and therefore do not eliminate the threat of misrouting. Network cryptographic devices with the characteristics required in this design offer greater security assurance than is currently available with existing "line encryption" devices. Although not currently available, network cryptographic devices can be built with current technology. 2. Counterfeit Network Resources-The term endto-end encryption refers to data being enciphered at the source and remaining unintelligible until it is deciphered at its final destination. Network cryptographic devices provide such end-to-end encryption, thereby eliminating the threat of counterfeit network resources. Communication with a bogus network resource is impossible because it would not be attached to a network cryptographic device, or know an appropriate key. If a network resource, attached to an NFE, is the source or target of network communication, the NFE is responsible for maintaining a proper message pipeline. The NFE must, therefore, guarantee that connections are made with the proper resource. Thus a secure NFE guarantees that the message routing and connection management functions are performed correctly on behalf of attached terminals and hosts. 3. Forged User Identity-The NSC requires each user to identify himself and provide information to authenticate that identity. A user's identity is validated before connection to any network resource is permitted. The NSC is a separate tamper-proof mechanism which is not part of a general purpose host computer system. Therefore, the NSC provides a protected environment for the user authentication process, which is less vulnerable than similar mechanisms within a general purpose host. 4. Unauthorized Access-The NSC maintains an access control data base that defines all permitted a connection between network resource is formed. The NSC is only involved in the initial decision to permit or deny access; an acceptable overhead cost analogous to "opening" a file in most operating systems. Access requests may specify objects with a varying degree or granularity, but network cryptographic devices can enforce access control only to the granularity of entire network resources. The NSC can, however, pass the results of the access request decision, and any necessary parameters for enforcement, to the host system. The host can then provide the finer granularity of enforcement. Terminals should not be connected to the network through network hosts. Connection of terminals to the network through general-purpose computer systems needlessly exposes the terminal's communications to security vulnerabilities within the host. Similarly~ the hosts are subject to uncontrolled access from the terminals. When terminals are connected directly to the network, on the other hand, all access can be controlled by the NSC. Terminals could therefore either be connected directly to the network with their own cryptographic device (and providing their own connection-oriented functions and message formatting) or be connected to the network through a secure NFE. SUMMARY AND CONCLUSION The secure network design outlined here is a centralized management and control philosophy based upon centralized key management. Keys are generated by the NSC and managed by the master cryptographic device. NSC access control decisions are enforced through the use of centralized key management. A companion paperl describes an alternative, equally effective approach to network security based upon decentralized key management, and is useful where centralized control is precluded by law, policy, jurisdiction, reliability or practical constraints. In that decentralized approach, all cryptographic devices are identical, but more complex, with each capable of generating keys and relaying keys to other cryptographic devices. The master cryptographic device is eliminated and the NSC is optional. The network structure described in this paper greatly reduces network security vulnerabilities. The

90 National Computer Conference. 1976 NSC provides a separate, secure network facility to insure that only legitimate users can access network resources and that only authorized access requests are... a... -.v..ffarl 1-''-'.L.l.l..1.1.1,;l..vu. Network cryptographic devices virtually eliminate security threats to network communications and aid in authentication of network resources. Although currently available cryptographic devices do not have the appropriate characteristics, suitable network cryptographic devices can be built with existing technology. Thus, a high degree of cost-effective security assurance can be provided in computer networks with currently available technology. REFERENCES 1. Kaufman, D. J., A Distributed App1'oach to Computer Network Security, System Development Corporation, SP-3848, May 31, 1976. 2. Branstad, D. K., "Encryption Protection in Computer Data Communications," Fourth Data Communications Symposium, Quebec City, Canada, October 1975. 3. Branstad, D. K., "Security Aspects at Computer Networks," AIAA Computer Network Conference, Huntsville, Alabama, April 1973. 4. National Bureau of Standards Data Encryption Algorithm, Federal Register, March 17, 1975 and August 4, 1975. 5. Lampson, B. \V., "Dynamic Protection Structures," Fall Joint Computer Conference, 1967.