Encryption and Secure Computer Networks

GERALD J. POPEK AND CHARLES S. KLINE

University of California at Los Angeles, Los Angeles, California 90024

There is increasing growth in the number of computer networks in use and in the kinds of distributed computing applications available on these networks. This increase, together with concern about privacy, security, and integrity of information exchange, has created considerable interest in the use of encryption to protect information in the networks. This survey is directed at the reader who is knowledgeable about various network designs and who now wishes to consider incorporating encryption methods into these designs. It is also directed at developers of encryption algorithms who wish to understand the characteristics of such algorithms useful in network applications.

Key management, network encryption protocols, digital signatures, and the utility of conventional- or public-key encryption methods are each discussed. A case study of how encryption was integrated into an actual network, the Arpanet, illustrates many issues present in the design of a network encryption facility.

Keywords and Phrases: computer networks, computer security, encryption, public-key cryptosystems, digital signatures, network registries, encryption protocols

CR Categories: 3.9, 4.35, 4.39, 5.39, 6.29

INTRODUCTION

It has long been observed that as the cost per unit of equivalent computation in small machines became far less than in large centralized ones, and as the technology of interconnecting machines matured, computing would take on a more and more distributed appearance. This change of course is now happening. In many cases, users' data manipulation needs can be served by a separate machine dedicated to the single user, connected to a network of integrated databases. Organizational needs, such as easy incremental growth and decentralized control of computing resources and information, are also well served in this manner. Multiprogramming of general application software diminishes in importance in such an environment.

As a result, the nature of the protection and security problem is beginning to change. Concern over the convenience and reliability of central operating system protection facilities is transferring to analogous concerns in networks. The issues of protection in computer networks differ in several fundamental ways from those of centralized operating systems. One of the most important distinctions is the fact that the underlying hardware cannot in general be assumed secure. In particular, the communication lines that comprise the network are usually not under the physical control of the network user. Hence no assumptions can be made about the safety of the data being sent over the lines. Further, in current packet-switched networks [KIMB75] the software in the switches themselves is typically quite complex and programmed in assembly language; one cannot say with certainty that messages are delivered only to the intended recipients.

This work was supported by the Advanced Research Projects Agency of the Department of Defense under Contract MDA 903-77-C-0211.

Permission to copy without fee all or part of this material is granted provided that the copies are not made or distributed for direct commercial advantage, the ACM copyright notice and the title of the publication and its date appear, and notice is given that copying is by permission of the Association for Computing Machinery. To copy otherwise, or to republish, requires a fee and/or specific permission.
© 1979 ACM 0010-4892/79/1200-0331 $00.75

Computing Surveys, Vol. 11, No. 4, December 1979


CONTENTS

INTRODUCTION
  The Environment and Its Threats
  Operational Assumptions
1. ENCRYPTION ALGORITHMS AND THEIR NETWORK APPLICATIONS
  1.1 Conventional Encryption
  1.2 Public-Key Encryption
  1.3 Error Detection and Duplicate or Missing Blocks
  1.4 Block Versus Stream Ciphers
  1.5 Network Applications of Encryption
  1.6 Minimum Trusted Mechanism; Minimum Central Mechanism
  1.7 Limitations of Encryption
2. SYSTEM AUTHENTICATION
3. KEY MANAGEMENT
  3.1 Conventional-Key Distribution
  3.2 Public-Key-Based Distribution Algorithms
  3.3 Comparison of Public- and Conventional-Key Distribution for Private Communication
4. LEVELS OF INTEGRATION
5. ENCRYPTION PROTOCOLS
6. CONFINEMENT
7. NETWORK ENCRYPTION PROTOCOL CASE STUDY: PRIVATE COMMUNICATION AT PROCESS-PROCESS LEVEL
  7.1 Initial Connection
  7.2 System Initialization Procedures
  7.3 Symmetry
8. NETWORK MAIL
9. DIGITAL SIGNATURES
  9.1 Network-Registry-Based Signatures--A Conventional-Key Approach
  9.2 Notary-Public- and Archive-Based Solutions
  9.3 Comparison of Signature Algorithms
10. USER AUTHENTICATION
11. CONCLUSIONS
ACKNOWLEDGMENTS
BIBLIOGRAPHY

The only general approach to sending and storing data over media which are not safe is to use some form of encryption. Suitable encryption algorithms are therefore a prerequisite to the development of secure networks. Equally important questions concern the integration of encryption methods into the operating systems and applications software which are part of the network. We focus here on these latter issues, taking a pragmatic, engineering perspective toward the problems which must be settled in order to develop secure network functions. Cases where the safety of the entire network can be assumed are not discussed here because in these cases the problems are not special to networking.

In networks, as in operating systems, there are several major classes of protection policies that one may wish to enforce. The most straightforward policy, satisfactory for most applications, concerns data security: ensuring that no unauthorized modification or direct reference of data takes place. Highly reliable data security in networks today is feasible; suitable methods to attain this security are outlined in the later sections.

A more demanding type of policy is the enforcement of confinement in the network: preventing unauthorized communication through subtle methods, such as signaling via noticeable variations in performance [LAMP73]. One commonly mentioned (and fairly easily solved) confinement problem is traffic analysis: the ability of an observer to determine the various flow patterns of message movement. However, evidence to be presented later indicates that the conditions under which confinement in general can be provided in a network are quite limited.

In the following sections we describe problems and alternative solutions in the design of secure networks, discuss their utility with respect to data security and confinement, and present an illustrative case study. The material is intended as a practicum for those concerned with the development of secure computer networks or those who wish to understand the characteristics of encryption algorithms useful in network applications.

The Environment and Its Threats

A network may be composed of a wide variety of nodes interconnected by transmission media. Some of the nodes may be large central computers; others may be personal computers or even simple terminals. The network may contain some computers dedicated to switching message traffic from one transmission line to another, or those functions may be integrated into general-purpose machines which support user computing. One of the important functions of computer networks is to supply to users convenient private communication channels similar to those provided by common carriers. The underlying transmission media, of course, may be point to point or broadcast. Considerable software is typically present to implement the exchange of messages among nodes. The rules or protocols governing these message exchanges form the interface specifications between network components. These protocols can significantly affect network security concerns, as will be seen later. In any event, because of the inability to make assumptions about the communication links and switching nodes, one typically must expect malicious activity of several sorts.

1) Tapping of Lines. While the relevant methods are beyond the scope of this discussion, it should be recognized that it is frequently a simple matter to record the message traffic passing through a given communications line without detection by the participants in the communication [WEST70]. This problem is present whether the line is private, leased from a common carrier, or part of a broadcast satellite channel.

2) Introduction of Spurious Messages. It is often possible to introduce invalid messages with valid addresses into an operating network, and to do so in such a way that the injected messages pass all relevant consistency checks and are delivered as if the messages were genuine.

3) Retransmission of Previously Transmitted Valid Messages. Given that it is possible both to record and introduce messages into a network, it is therefore possible to retransmit a copy of a previously transmitted message.

4) Disruption. It is possible that delivery of selected messages may be prevented: Portions of messages may be altered, or complete blockage of communications paths may occur.

Each of the preceding threats can, in the absence of suitable safeguards, cause considerable damage to an operating network, to the extent of making it useless for communication. Tapping of lines leads to loss of privacy of the communicated information. Introduction of false messages makes reception of any message suspect. Even retransmission of an earlier message can cause considerable difficulty in some circumstances. Suppose the message is part of the sequence by which two parties communicate their identity to one another. Then it may be possible for some node to falsely identify itself in cases where the valid originator of the message was temporarily out of service.

More and more applications of computer networks are becoming sensitive to malicious actions. Increased motivation to disturb proper operation can be expected: Consider the attention that will be directed at such uses as military command and control systems (by which missile firing orders are sent), or commercial electronic funds transfer systems (with daily transactions worth hundreds of billions of U.S. dollars).

Operational Assumptions

In this paper the discussion of protection and security in computer networks is based on several underlying assumptions:

1) Malicious attacks, including tapping, artificial message injection, and disruption, are expected.

2) The insecure network provides the only available high-bandwidth transmission paths between those sites which wish to communicate in a secure manner.¹

3) Reliable private communication is desired.

4) A large number of separately protected logical channels are needed, even though they may be multiplexed on a much smaller number of physical channels.

5) High-speed inexpensive hardware encryption units are available.

It is believed that these assumptions correctly mirror many current and future environments. In the next sections we outline properties of encryption relevant to network use. Those interested in a deeper examination should see the companion papers in this issue [LEMP79, SIMM79]. After this brief outline, the discussion of network security commences in earnest.

¹ It will turn out that some presumed secure and correct channel will be needed to get the secure data channel going, although the preexisting secure channel can be awkward to use, with high delay and low bandwidth. Distribution of the priming information via armored truck might suffice, for example.


334 ° G. J. Popek and C. S. Kline
1. ENCRYPTION ALGORITHMS AND THEIR gram) of such characters is to be fiat. Sim-
NETWORK APPLICATIONS ilarly, it is desirable that the n-gram prob-
ability distribution be as flat as possible for
1.1 Conventional Encryption each n. This characteristic is desired even
in the face of skewed distributions in the
Encryption provides a method of storing cleartext, for it is the statistical structure of
data in a form which is unintelligible with- the input language, as it "shows through"
out the "key" used in the encryption. Ba- to the encrypted language, which permits
sically; conventional encryption can be cryptanalysis.
thought of as a mathematical function, The preceding characteristics, desirable
from a protection viewpoint, have other
E = F ( D , K), implications. In particular, if any single bit
of a cleartext message is altered, then the
where D is data to be encoded, K is a key probability of any particular bit being al-
variable, and E is the resulting enciphered tered in the corresponding message is ap-
text. For F to be a useful function, there proximately ½. Conversely, if any single bit
must exist an F', the inverse of F, in an encrypted message is changed, the
probability is approximately ½that any par-
D ffi F ' (E, K )
ticular bit in the resulting decrypted mes-
sage has been changed [FEIs75]. This prop-
which, therefore, has the property that the erty follows because of the necessity for f l a t
original data can be recovered from the n-gram distributions. As a result, encryp-
encrypted data if the value of the key var- tion algorithms are excellent error detec-
iable originally used is known. tion mechanisms, as long as the recipient
The use of F and F' is valuable only if it has any knowledge of the original cleartext
is impractical to recover D from E without transmission.
knowledge of the corresponding K. A great The strength of an encryption algorithm
deal of research has been done to develop is also related to the ratio of the length of
algorithms which make it virtually impos- the key to the length of the data. Perfect
sible to do so, even given the availability of ciphers that completely mask statistical in-
powerful computer tools. formation require keys of lengths equal to
The strength of an encryption algorithm the data they encode. Fortunately, cur-
is traditionally evaluated using the follow- refitly available algorithms are of such high
ing assumptions. First, the algorithm is quality that this ratio can be small; as a
known to all involved. Second, the analyst result, a key can be often reused for subse-
has available to him a significant quantity quent messages. That is, subsequent mes-
of encrypted data and corresponding clear- sages essentially extend the length of the
text {i.e., the unencrypted text, also called data. It is still the ease that keys need to be
plaintext). He may even have been able to changed periodically to prevent the ratio
cause messages of his choice to be en- from becoming too small, and, thus, the
crypted. His task is to deduce, given an statistical information available to an ana-
additional unmatched piece of encrypted lyst too great. The loss of protection which
text, the corresponding cleartext. All of the would result from a compromised key is
matched text can be assumed to be en- thus also limited.
crypted through the use of the same key
which was used to encrypt the unmatched
1.2 Public-Key Encryption
segment. The difficulty of deducing the key
is directly related to the strength of the Diffie and Hellman [DZFF76b] proposed a
algorithm. variation of conventional encryption meth-
F is invariably designed to mask statisti- ods that may, in some cases, have certain
cal properties of the cleartext. Ideally the advantages over standard algorithms. In
probability of each symbol of the encrypted their class of algorithms there exists
character set appearing in an encoded mes-
sage E ideally is to be equal. Further, the E = F ( D , K),
probability distribution of any pair (di- as before, to encode the data, and
Computing Surveys, Vol 11, No 4, December 1979
Encryption and Secure Computer Networks • 335
D = F'(E, K') are employed as checks, the probability of
an undetected error is less than 1/(2 e4) or
to recover the data. The major difference is 1/107.
that the key K' used to decrypt the data is In the case of natural language text, no
not equal to, and is impractical to derive special provisions need necessarily be
from, the key K used to encode the data. made, since that text already contains con-
Presumably there exists a pair generator siderable redundancy and casual inspection
which, on the basis of some input informa- permits error detection with very high
tion, produces the matched keys K and K ' probability. The check field can also be
with high strength {i.e., resistance to the combined with information required in the
derivation of K' given K, D, and matched block for reasons other than encryption. In
E = F ( D , K)). fact, the packet headers in most packet-
Many public-key algorithms have the switched networks contain considerable
property that either F or F' can be used for highly formatted information, which can
encryption, and both result in strong ci- serve the check function. For example, du-
phers. That is, one can encode data using plicate transmitted blocks may occur either
F' and decode using F. The RSA algorithm because of a deliberate attempt or through
is one that has this property [RwE77a]. abnormal operation of the network switch-
The property is useful in both key distri- ing centers. To detect the duplication, it is
bution and "digital signatures" (the elec- customary to number each block in order
tronic analogs of handwritten signatures) of transmission. If this number contains
and will be assumed here. enough bits and the encryption block size
The potential value of such encryption matches the unit of transmission, the se-
algorithms lies in some expected simplifi- quence number can serve as the check field.
cations in initial key distribution, since K Feistel et al. [FEm75] describe a variant
can be publicly known; hence the name of this method, called block chaining, in
public-key encryption. There are also sim- which a small segment of the preceding
plifications for digital signatures. These is- encrypted block is appended to the current
sues are examined further in Sections 3 and cleartext block before encryption and trans-
9. Rivest et al. and Merkle and Hellman mission. The receiver can therefore easily
have proposed actual algorithms which are check that blocks have been received in
believed strong, but they have not yet been proper order by making the obvious check.
extensively evaluated [RIvE77a, HELL78]. However, if the check fails, he cannot tell
Much of the remaining material in this how many blocks are missing. In both of
survey is presented in a manner indepen- these cases, once a block is lost and not
dent of whether conventional- or public- recoverable by lower level network proto-
key-based encryption is employed. Each cols, some method for reestablishing valid-
case is considered separately when signifi- ity is needed. One method is to obtain new
cant. matched keys. An alternative (essential for
public-key systems) is to employ an authen-
1.3 Error Detection and Duplicate or Missing tication protocol (as described in Section 2)
Blocks to choose a new valid sequence number or
data value to restart block chaining.
Given the general properties of encryption
as already described, it is an easy matter to
1.4 Block Versus Stream Ciphers
detect (but not correct) errors in encrypted
messages. A small part of the message must Whether an encryption method is a block
be redundant, and the receiver must know or stream cipher affects the strength of the
in advance the expected redundant part of algorithm and has implications for com-
the message. In a block with k check bits, puter use. A stream cipher, in deciding how
the probability of an undetected error upon to encode the next bits of a message, can
receipt of the block is approximately 1/(2k), use the entire preceding portion of the mes-
for reasonably sized blocks, if the probabi- sage, as well as the key and the current bits.
listic assumption mentioned in Section 1 is A block cipher, on the other hand, encodes
valid. For example, if three 8-bit characters each successive block of a message on the
Computing Surveys, Vol. 11, No 4, December 1979
336 • G. J. Popek a n d C. S. Kline

basis of that block only and the given key. of the key is able to send or receive trans-
It is easier to construct strong stream ci- missions in an intelligible way.
phers than strong block ciphers. However, Even using secure authentication, one is
stream ciphers have the characteristic that still subject to the problems caused by lost
an error in a given block makes subsequent messages, replayed valid messages, and the
blocks undecipherable. In many cases reuse of keys for multiple conversations
either method may be satisfactory, since {which exacerbates the replay problem). A
lower level network protocols can handle general authentication protocol which can
necessary retransmission of garbled or lost detect receipt of previously recorded mes-
blocks. Independent of whether a block or sages when the keys have not been changed
stream cipher is employed, some check is presented later. The actual procedures
data, as mentioned in Section 1.2, are still by which keys are distributed in the general
required to detect invalid blocks. In the case are, of course, important, and will be
stream cipher case, when an invalid block discussed in subsequent sections.
is discovered after decoding, the decryption
process must be reset to its state preceding 1 5.2 Private Communicatton
the invalid block.
Stream ciphers are less acceptable for The traditional use of encryption has been
computer use in general. If one wishes to in communications where the sender and
be able to update portions of a long en- receiver do not trust the transmission me-
crypted message (or file) selectively, then dium, be it a hand-carried note or mega-
block ciphers permit decryption, update, bytes shipped over high-capacity satellite
and reencryption of the relevant blocks channels. This use is crucial in computer
alone, while stream ciphers require reen- networks.
cryption of all subsequent blocks in the
stream. So block ciphers are usually pre- 1.5.3 Network Mad
ferred. The Lucifer system [FEIs73] is a
In the private communication function, it
candidate as a reasonably strong block ci-
is generally understood that first, all parties
pher. Whether or not the National Bureau
wishing to communicate are present, and
of Standards' Data Encryption Standard
second, they are willing to tolerate some
(DES), with its 56-bit keys, is suitably
overhead in order to get the conversation
strong is open to debate [DIFF77], but it is
established. A key distribution algorithm
being accepted by many commercial users
involving several messages and interaction
as adequate [NBS77].
with all participants would be acceptable.
In the case of electronic mail, which typi-
1.5 Network Applications of EncrypUon
cally involves short messages, it may be
Four general uses of encryption having ap- unreasonable for the actual transmission to
plication in computer networks are briefly require such significant overhead. Mail
described in this section. Much of the re- should not require that the receiver ac-
mainder of this paper is devoted to detailed tuaUy be present at the time the message is
discussion of them. sent or received. Since there is no need for
immediate delivery, it may be possible to
1.5.1 Authentication get lower overhead at the cost of increased
queuing delays.
One of the important requirements in com-
puter communications security is to pro-
1.5.4 Dtgital Signatures
vide a method by which participants in the
communication can identify one another in The goal here is to allow the author of a
a secure manner. Encryption solves this digitally represented message to "sign" it in
problem in several ways. First, possession such a fashion that the "signature" has
of the right key is taken as prima facie properties similar to an analog signature
evidence that the participant is able to en- written in ink for the paper world. Without
gage in the message exchanges. The trans- a suitable digital signature method, the
mitter can be assured that only the holder growth of distributed systems may be seri-

Computing Surveys, Vol. 11, No 4, December 1979


Encryptton and Secure Computer Networks * 337
ously inhibited, since many transactions, 1.7 Limitations of Encryption
such as those involved in banking, require While encryption can contribute in useful
a legally enforceable contract. ways to the protection of information in
The properties desired of a digital signa- computing systems, there are a number of
ture method include the following: practical limitations to the class of appli-
1) Unforgeability. Only the actual author cations for which it is viable. Several of
should be able to create the signature. these limitations are discussed below.
2) Authenticity. There must be a straight- 1.7.1 Processtng m Cleartext
forward way to demonstrate conclu-
sively the validity of a signature in case Most of the operations that one wishes to
of dispute, even long after authorship. perform on data, from simple arithmetic
operations to the complex procedure of con-
3) No repudiation. It must not be possible
structing indexes to databases, require that
for the author of signed correspondence
the data be supplied in cleartext. Therefore,
to subsequently disclaim authorship.
the internal controls of the operating sys-
4) Low cost and high convenience. The tem, and to some extent the applications
simpler and lower cost the method, the software, must preserve protection controls
more likely it will be used. while the cleartext data are present. While
some have proposed that it might be pos-
sible to maintain the encrypted data in
1.6 Minimum Trusted Mechanism; Minimum main memory and have them decrypted
Central Mechanism only upon loading into CPU registers (and
subsequently reencrypted before storage
In all the functions presented in Section
into memory), there are serious questions
1.5, it is desirable that there be a minimum
as to the feasibility of this approach
number of trusted mechanisms involved
[GAIN77]. The key management facility re-
[PoPE74b]. This desire occurs because the
quired is nontrivial, and the difficulties in-
more mechanism, the greater the opportu-
herent in providing convenient controlled
nity for error, either by accident or by in-
sharing seem forbidding. Another sugges-
tention {perhaps by the developers or main-
tion sometimes made is to use an encoding
tainers). One wishes to minimize the in-
algorithm which is homomorphic with re-
volvement of a central mechanism for anal-
spect to the desired operations [RIVE78].
ogous reasons. This fear of large complex
Then the operation could be performed on
and central mechanisms is well justified,
the encrypted values, and the result can be
given the experience of failure of large cen-
decrypted as before. Unfortunately, known
tral operating systems and data manage-
ment systems to provide a reasonable level encoding schemes with the necessary prop-
erties are not strong algorithms, nor is it
of protection against penetration [POPE 74a,
generally believed that such methods can
CARL75]. Kernel-based approaches to soft-
be constructed.
ware architectures have been developed to
Therefore, since data must be processed
address this problem; they have as their
in cleartext, other means are necessary to
goal minimization of the size and complex-
protect data from being compromised by
ity of trusted central mechanisms. For more
applications software while the data are
information about such designs, see
under control of the operating system, and
McCA79, POPE79, DOWN79.
the remarks in the previous section con-
Some people are also distrustful that a
cerning minimization of these additional
centralized governmental communication
means are very important to keep in mind.
facility, or even a large common carrier, can
ensure privacy and other related character- 1.7 2 Revocation
istics. These general criteria are quite im-
portant to the safety and credibility of Keys are similar to simple forms of capa-
whatever system is eventually adopted. bihties, which have been proposed for op-
They also constrain the set of approaches erating systems [DENN66, FABR74]. They
that may be employed. act as tickets and serve as conclusive evi-

Computing Surveys, Vol 11, No. 4, December 1979


338 • G. J. P o p e k a n d C. S. K l i n e

dence that the holder may access the cor- not even practical to embed the keys in
responding data. Holders may pass keys, applications software, since that would
just as capabilities may be passed. Methods mean the applications software would re-
for selective revocation of access are just as quire very high quality protection.
complex as those known for capability sys- The problem of key storage is also pres-
tems [FABR74]. The only known method is ent in the handling of removable media.
to decrypt the data and reencrypt with a Since an entire volume (tape or disk pack)
different key. This action invalidates all the can be encrypted with the same key (or
old keys and is obviously not very selective. Hence new keys must be redistributed to all those for whom access is still permitted.

1.7.3 Protection Against Modification

Encryption by itself provides no protection against inadvertent or intentional modification of the data. However, it can provide the means of detecting that modification by including as part of the encrypted data a number of check bits. When decryption is performed, if those bits do not match the expected values, then the data are known to be invalid.

Detection of modification, however, is often not enough protection. In large databases, for example, it is not uncommon for very long periods to elapse before any particular data item is referenced. It is only at this point that a modification would be detected. Error correcting codes could be applied to the data after encryption in order to provide redundancy. However, these will not be helpful if a malicious user has succeeded in modifying stored data and has destroyed the adjacent data containing the redundancy. Therefore, very high quality recovery software would be necessary to restore the data from (possibly very old) archival records.

1.7.4 Key Storage and Management

Every data item that is to be protected independently of other data items requires encryption by its own key. This key must be stored as long as it is desired to be able to access the data. Thus, to be able to protect a large number of long-lived data items separately, the key storage and management problem becomes formidable. The collection of keys immediately becomes so large that safe system storage is essential. After all, it is not practical to require a user to supply the key when needed, and it is

small set of keys), the size of the problem is reduced. If archival media are encrypted, then the keys must be kept for a long period in a highly reliable way. One solution to this problem would be to store the keys on the units to which they correspond, perhaps even in several different places to avoid local errors on the medium. The keys would have to be protected, of course; a simple way would be to encrypt them with yet a different "master" key. The protection of this master key is absolutely essential to the system's security.

In addition, it is valuable for the access control decision to be dependent on the value of the data being protected, or even on the value of other, related data; salary fields are perhaps the most quoted example. In this case, the software involved, be it applications or system procedures, must maintain its own key table storage in order to examine the cleartext form of the data successfully. That storage, as well as the routines which directly access it, requires a high-quality protection mechanism beyond encryption.

Since a separate, reliable protection mechanism seems required for the heart of a multiuser system, it is not clear that the use of encryption (which requires the implementation of a second mechanism) is advisable for protection within the system. The system's protection mechanism can usually be straightforwardly extended to provide all necessary protection facilities.

2. SYSTEM AUTHENTICATION

Authentication refers to the identification of one member of a communication to the other in a reliable, unforgeable way. In early interactive computer systems, the primary issue was to provide a method by which the operating system could determine the identity of the user who was attempting to log

Computing Surveys, Vol 11, No. 4, December 1979


Encryption and Secure Computer Networks • 339
in. Typically, user identification involves supplying confidential parameters, such as passwords or answers to personal questions. There was rarely any concern over the machine identifying itself to the user.

In networks, however, mutual authentication is of interest: Each "end" of the channel may wish to assure itself of the identity of the other end. Quick inspection of the class of methods used in centralized systems shows that a straightforward extension is unacceptable. Suppose each participant must send a secret password to the other. Then the first member that sends the password is exposed. The other member may be an imposter, who has now received the necessary information in order to pose to other nodes as the first member. Extension to a series of exchanges of secret information will not solve the problem; it only forces the imposter into a multistep procedure.

There are a number of straightforward encryption-based authentication protocols which provide reliable mutual authentication without exposing either participant. The methods are robust in the face of all the network security threats mentioned earlier. The general principle involves the encryption of a rapidly changing unique value using a prearranged key and has been independently rediscovered by a number of people [FEIS75, KENT76, POPE78]. An obvious application for such protocols is to establish a mutually agreed upon sequence number or block chaining initial value that can be used to authenticate communications over a secure channel whose keys have been used before. The sequence number or value should either be one that has not been used before, or it should be selected at random, in order to protect against undetected replay of previous messages.

Here is an outline of a simple, general authentication sequence between nodes A and B. At the end of the sequence A has reliably identified itself to B. A similar sequence is needed for B to identify itself to A. Typically, one expects to interleave the messages of both authentication sequences. Assume that in the authentication sequence A uses a secret key associated with itself. The reliability of the authentication depends only on the security of that key. Assume that B holds A's matching key (as well as the matching keys for all other parties to which B might talk).

1) B sends A, in cleartext, a random, unique data item, in this case the current time of day as known to B.
2) A encrypts the received time of day using its authentication key and sends the resulting ciphertext to B.
3) B decrypts A's authentication message, using A's matched key, and compares it with the time of day which B had sent. If they match, then B is satisfied that A was the originator of the message.

This simple protocol exposes neither A nor B if the encryption algorithm is strong, since it should not be possible for a cryptanalyst to be able to deduce the key from the encrypted time of day. This is true even if the cryptanalyst knows the corresponding cleartext time of day. Further, since the authentication messages change rapidly, recording an old message and retransmitting is not effective.

To use such an authentication protocol to establish a sequence number or initial value for block chaining, A includes that information, before encryption, in its step 2 message to B.

3. KEY MANAGEMENT

For several participants in a network conversation to communicate securely, it is necessary for them to obtain matching keys to encrypt and decrypt the transmitted data. It should be noted that a matched pair of keys forms a logical channel which is independent of all other such logical channels but as real as any channel created by a network's transmission protocols. Possession of the key admits one to the channel. Without the key the channel is unavailable. Since the common carrier function of the network is to provide many communication channels, how the keys which create the corresponding necessary private channels are supplied is obviously an important matter. The following sections describe various key distribution methods for both conventional- and public-key encryption systems.

3.1 Conventional-Key Distribution

As there are, by assumption, no suitable transmission media for the keys other than the physical network, it is necessary to devise means to distribute keys over the same physical channels by which actual data are transmitted. The safety of the logical channels over which the keys are to pass is crucial. Unfortunately, the only available method by which any data, including the keys, can be transmitted in a secure manner is through the very encryption whose initialization is at issue. This seeming circularity is actually easily broken through limited prior distribution of a small number of keys by secure means. The usual approach involves designating a host machine or a set of machines [HWLL78] on the network to play the role of key distribution center (KDC), at least for the desired connection. It is assumed that a pair of matched keys has been arranged previously between the KDC and each of the potential participants, say A1, A2, ..., Am. One of the participants, Ai, sends a short message to the KDC asking that matched key pairs be distributed to all the A's, including Ai. If the KDC's protection policy permits the connection, secure messages containing the key and other status information will be sent to each A over the prearranged channels. Data can then be sent over the newly established logical channel. The prearranged key distribution channels carry a low quantity of traffic, and thus, recalling the discussion in Section 1, the keys can be changed relatively infrequently by other means.

This general approach has many variations to support properties such as a distributed protection policy, integrity in the face of crashes, and the like. Some of these are discussed below.

3.1.1 Centralized Key Control

Perhaps the simplest form of the key distribution method employs a single KDC for the entire network. Therefore n prearranged matched key pairs are required for a network with n distinguishable entities. An obvious disadvantage of this unadorned approach is its effect on network reliability. If communication with the KDC becomes impossible, either because the node on which the KDC is located is down or because the network itself breaks, then the establishment of any further secure communication channels is impossible. If the overall system has been constructed to prevent any interuser communication in other than a secure manner, then the entire network eventually stops. This design for distributed systems is, in general, unacceptable except when the underlying communications topology is a star and the KDC is located at the center. Note, however, that this drawback can be fairly easily remedied by the availability of redundant KDCs in case of failure of the main facility.² The redundant facility can be located at any site which supports a secure operating system and provides appropriate key generation facilities. Centralized key control can quite easily become a performance bottleneck, however.

Needham and Schroeder present an example of how such a KDC would operate [NEED78]. Assume that A and B each have a secret key, Ka and Kb, known only to themselves and the KDC. To establish a connection, A sends a request to the KDC requesting a connection to B and includes an identifier (a random number perhaps). The KDC will send back to A: i) a new key Kc to use in the connection, ii) the identifier, iii) a copy of the request, and iv) some information which A can send to B to establish the connection and prove A's identity. That message from the KDC to A is encrypted with A's secret key Ka. Thus, A is the only one who can receive it, and A knows that it is genuine. In addition, A can check the identifier to verify that it is not a replay of some previous request, and can verify that his original cleartext message was not altered before reception by the KDC.

² The redundant KDCs form a simple distributed, replicated database, where the replicated information includes private keys and permission controls. However, the database is rarely updated, and when updated, there are no serious requirements for synchronization among the updates. It is not necessary for copies of a key at all sites to be updated simultaneously, for example. Therefore, little additional complexity from the distributed character of the key management function would be expected.
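As an added example (not code from the paper), here is the Needham and Schroeder KDC exchange of this section carried through all five messages, with B's closing identifier challenge being the Section 2 pattern of encrypting a fresh value under a shared key. The cipher, the names KDC, Party, run_session and the agreed function transform are this example's own assumptions; in place of DES it uses an HMAC-SHA256 counter-mode stream cipher with an integrity tag so that it runs on the Python standard library alone.

```python
"""Needham and Schroeder's conventional-key distribution (Section 3.1) with the
challenge-response authentication of Section 2 as its last two messages.
Assumed stand-in for DES: a stream cipher built from HMAC-SHA256 in counter
mode plus an encrypt-then-MAC tag (the 'check bits' of Section 1.7.3)."""
import hashlib, hmac, json, os, secrets, time


def _keystream(key, iv, n):
    """PRF in counter mode: concatenated HMAC(key, iv || counter) blocks."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def encrypt(key, obj):
    """Serialise obj as JSON; return iv || ciphertext || tag under key."""
    pt = json.dumps(obj, sort_keys=True).encode()
    iv = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, iv, len(pt))))
    return iv + ct + hmac.new(key, iv + ct, hashlib.sha256).digest()


def decrypt(key, blob):
    """Check the tag first: a wrong key or a modified cryptogram is rejected."""
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, iv + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, iv, len(ct)))))


def transform(challenge):
    """The agreed function A applies to B's identifier before returning it."""
    return {"nonce": challenge["nonce"] + 1, "time": challenge["time"]}


class KDC:
    def __init__(self, secret_keys, policy):
        self.keys = secret_keys    # party name -> secret key shared with the KDC
        self.policy = policy       # set of (initiator, responder) pairs permitted

    def request(self, msg1):
        """Message 1 (cleartext) in; message 2, encrypted under Ka, out."""
        a, b = msg1["from"], msg1["to"]
        if (a, b) not in self.policy:
            return None            # protection policy: refuse to distribute keys
        kc = secrets.token_bytes(32)
        for_b = encrypt(self.keys[b], {"key": kc.hex(), "peer": a})
        return encrypt(self.keys[a], {"key": kc.hex(), "id": msg1["id"],
                                      "request": msg1, "for_b": for_b.hex()})


class Party:
    def __init__(self, name, secret_key):
        self.name, self.key, self.conn_keys = name, secret_key, {}

    @staticmethod
    def make_challenge():
        """A rapidly changing unique value: time of day plus a random nonce."""
        return {"time": int(time.time()), "nonce": secrets.randbelow(1 << 32)}

    def open_connection(self, kdc, peer):
        """Messages 1 and 2; returns message 3 for the caller to forward to B."""
        msg1 = {"from": self.name, "to": peer, "id": secrets.randbelow(1 << 32)}
        msg2 = kdc.request(msg1)
        if msg2 is None:
            raise PermissionError("KDC policy refused the connection")
        reply = decrypt(self.key, msg2)   # only A holds Ka, so this is genuine
        # The echoed identifier and request show the reply is not a replay and
        # that the cleartext request reached the KDC unaltered.
        if reply["id"] != msg1["id"] or reply["request"] != msg1:
            raise ValueError("KDC reply is stale or the request was altered")
        self.conn_keys[peer] = bytes.fromhex(reply["key"])
        return bytes.fromhex(reply["for_b"])

    def accept_connection(self, msg3):
        """Message 3 in: B learns Kc and the peer, then challenges under Kc."""
        data = decrypt(self.key, msg3)
        peer = data["peer"]
        self.conn_keys[peer] = bytes.fromhex(data["key"])
        challenge = self.make_challenge()            # message 4
        return peer, challenge, encrypt(self.conn_keys[peer], challenge)

    def respond(self, peer, msg4):
        """Message 5: decrypt the identifier, apply transform, re-encrypt."""
        kc = self.conn_keys[peer]
        return encrypt(kc, transform(decrypt(kc, msg4)))

    def verify_response(self, peer, challenge, msg5):
        """True only if the peer is current, i.e. message 3 was not a replay."""
        try:
            return decrypt(self.conn_keys[peer], msg5) == transform(challenge)
        except ValueError:
            return False


def run_session(kdc, a, b):
    """Drive all five messages; return (keys agree, B satisfied A is current)."""
    msg3 = a.open_connection(kdc, b.name)
    peer, challenge, msg4 = b.accept_connection(msg3)
    msg5 = a.respond(b.name, msg4)
    return a.conn_keys[b.name] == b.conn_keys[a.name], b.verify_response(peer, challenge, msg5)
```

Replaying an old message 3 to B still yields a fresh challenge, so an old message 5 no longer verifies; a tampered cryptogram fails the tag check before any cleartext is produced.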


[Figure 1: message diagram not recoverable from extraction; panel label KEY DISTRIBUTION STEPS.] FIGURE 1. Key distribution and conversation establishment: conventional key algorithms. Note: [t]j denotes the cryptogram obtained from the cleartext t, encrypted with key j.

Once A has received this message, A sends to B the data from the KDC intended for B. Those data include the connection key Kc, as well as A's identity, all encrypted by B's secret key. Thus B now knows the new key, that A is the other party, and that all this came from the KDC. However B does not know that the message he just received is not a replay of some previous message. Thus B must send an identifier to A encrypted by the connection key, upon which A can perform some function and return the result to B. Now B knows that A is current, i.e., there has not been a replay of previous messages. Figure 1 illustrates the messages involved. Of the five messages, two can be avoided, in general, by storing frequently used keys at the local sites, a technique known as caching.

3.1.2 Fully Distributed Key Control

Here it is possible for every "intelligent" node in the network to serve as a KDC for certain connections. (We assume some nodes are "dumb," such as terminals or possibly personal computers.) If the intended participants A1, A2, ..., Am reside at nodes N1, N2, ..., Nm, then only the KDCs at each of those nodes need be involved in the protection decision. One node chooses the key, and sends messages to each of the other KDCs. Each KDC can then decide whether the attempted channel is to be permitted and reply to the originating KDC. At that point the keys would be distributed to the participants. This approach has the obvious advantage that the only nodes which must be properly functioning are those which support the intended participants. Each of the KDCs must be able to communicate with all other KDCs in a secure manner, implying that n * (n - 1)/2 matched key pairs must have been arranged. Of course, each node needs to store only n - 1 of them. For such a method to be successful, it is also necessary for each KDC to communicate with the participants at its own node in a secure fashion. This approach permits each host to enforce its own security policy if user software is forced by the local system architecture to use the network only through encrypted channels. This arrangement has appeal in decentralized organizations.

3.1.3 Hierarchical Key Control

This method distributes the key control function among "local," "regional," and

"global" controllers. A local controller is able to communicate securely with entities in its immediate logical locale, that is, with those nodes for which matched key pairs have been arranged. If all the participants in a channel are within the same region, then the connection procedure is the same as for centralized control. If the participants belong to different regions, then it is necessary for the local controller of the originating participant to send a secure message to its regional controller, using a prearranged channel. The regional controller forwards the message to the appropriate local controller, who can communicate with the desired participant. Any of the three levels of KDCs can select the keys. The details of the protocol can vary at this point, depending on the exact manner in which the matched keys are distributed. This design approach obviously generalizes to multiple levels in the case of very large networks. It is analogous to national telephone exchanges, where the exchanges play a role very similar to the KDCs.

One of the desirable properties of this design is the limit it places on the combinatorics of key control. Each local KDC only has to prearrange channels for the potential participants in its area. Regional controllers only have to be able to communicate securely with local controllers. While the combinatorics of key control may not appear difficult enough to warrant this kind of solution, in the subsequent section on levels of integration we point out circumstances in which the problem may be very serious.

The design also has a property not present in either of the preceding key control architectures: local consequences of local failures. If any component of the distributed key control facility should fail or be subverted, then only users local to the failed component are affected. Since the regional and global controllers are of considerable importance to the architecture, it would be advisable to replicate them so that the crash of a single node will not segment the network.

All of these key control methods permit easy extension to the interconnection of different networks, with differing encryption disciplines. The usual way to connect different networks, which often employ different transmission protocols, is to have a single host called a gateway common to both networks [CERF78, BOGG80]. Internetwork data are sent to the gateway, which forwards them toward the final destination. The gateway is responsible for any format conversions, as well as for the support of both systems' protocols and naming methods. If the networks' transmissions are encrypted in a manner similar to that described here, then the gateway might be responsible for decrypting the message and reencrypting it for retransmission in the next network. This step is necessary if the encryption algorithms differ, or if there are significant differences in protocol. If the facilities are compatible, then the gateway can merely serve as a regional key controller for both networks, or even be totally uninvolved.

There are strong similarities among these various methods of key distribution, and differences can be reduced further by designing hybrids to gain some of the advantages of each. Centralized control is a degenerate case of hierarchical control. Fully distributed control can be viewed as a variant of hierarchical control. Each host's KDC acts as a local key controller for that host's entities and communicates with other local key controllers to establish connections. In that case, of course, the communication is direct, without a regional controller required.

3.2 Public-Key-Based Distribution Algorithms

The public-key algorithms discussed earlier have been suggested as candidates for key distribution methods that might be simpler than those described in the preceding sections. Recall that K', the key used to decipher the encoded message, cannot be derived from K, the key used for encryption, or from matched encrypted and cleartext. Therefore, each user A, after obtaining a matched key pair (K, K'), can publicize his key K. Another user B, wishing to send a message to A, can employ the publicly available key K. To reply, A employs B's public key. At first glance this mechanism

seems to provide a simplified way to establish secure communication channels. No secure dialogue with a key controller to initiate a channel appears necessary.

The idea is that an automated "telephone book" of public keys could be made available. Whenever user A wishes to communicate with user B, A merely looks up B's public key in the book, encrypts the message with that key, and sends it to B [DIFF76b]. There is no key distribution problem here at all. Further, no central authority is required to set up the channel between A and B.

This idea, however, is incorrect: Some form of central authority is needed, and the protocol involved is no simpler nor any more efficient than one based on conventional algorithms [NEED78]. First, the safety of the public-key scheme depends critically on the correct public key being selected by the sender. If the key listed with a number in the "telephone book" is the wrong one, then the protection supplied by public-key encryption has been lost. Furthermore, maintenance of the (by necessity, machine-supported) book is nontrivial because keys will change, either because of the desire to replace a key which has been used for high amounts of data transmission or because a key has been compromised through a variety of ways. There must be some source of carefully maintained "books" with the responsibility of carefully authenticating any changes and correctly sending out public keys (or entire copies of the book) upon request.

A modified version of Needham and Schroeder's proposal follows. Assume that A and B each have a public key known to the authority and a private key known only to themselves. Additionally, assume the authority has a public key known to all and a private key known only to the authority.

A begins by sending to the authority a time-stamped message requesting communication with B. The authority sends A the public key of B, a copy of the original request, and the time stamp, encrypted using the private key of the authority. A can decrypt this message using the public key of the authority and is thus also sure of the source of the message. The time stamp guarantees that this is not an old message from the authority containing a key other than B's current public key, and the copy of the request permits A to verify that his original cleartext message was not altered.³

A can now send messages to B because he knows B's public key. However, to identify himself, as well as to prevent a replay of previous transmissions, A now sends his name and an identifier to B, encrypted in B's public key. B now performs the first two steps above with the authority to retrieve A's public key. Then B sends to A the identifier just received, and an additional identifier, both encrypted with A's public key. A can decrypt that message and is now sure that he is talking to the current B. A must now send back the new identifier to B so that B can be sure he is talking to a current A. These messages are displayed in Figure 2. The above protocol contains seven messages, but four of them, those which retrieve the public keys, can be largely dispensed with by local caching of public keys. Thus, as in the conventional-key distribution example, we again find three messages are needed.

Some public-key advocates have suggested ways other than caching in order to avoid requesting the public key from the central authority for each communication. One such proposal is the use of certificates [KOHN78]. A user can request that his public key be sent to him as a certificate, which is a user/public-key pair, together with some certifying information. For example, the user/public-key pair may be stored as a signed message⁴ from the central authority. When the user wishes to communicate with other users, he sends the certificate to them. They each can check the validity of the certificate, using the certifying information, and then retrieve the public key. Thus the central authority is needed only once, when the initial certificate is requested.

Both certificates and caching have several problems. First, the mechanism used to store the cache of keys must be correct.

³ These initial steps are essentially an adaptation of the authentication protocol given in Section 2.
⁴ See Section 9 for a discussion of digital signatures.


[Figure 2: message diagram not recoverable from extraction; recoverable labels: MESSAGE 2 [Pb + REQUEST + TIME], KEY DISTRIBUTION STEPS, AUTHENTICATION STEPS.] FIGURE 2. Key distribution and conversation establishment: public-key algorithms. Note: Pi is the public key for i, Si is the secret key for i.

Second, the user of the certificate must decode it and check it (verify the signature) each time before using it, and he must also have a secure and correct way of storing the key. Perhaps most important, as keys change, the cache and old certificates become obsolete. This is essentially the capability revocation problem revisited [REDE74]. Either the keys must be verified (or re-requested) periodically, or a global search must be made whenever invalidating a key. Notice that even with the cache or certificates, an internal authentication mechanism is still required.

Public-key systems also have the problem that it is more difficult to provide protection policy checks. In particular, conventional encryption mechanisms easily allow protection policy issues to be merged with key distribution. If two users may not communicate, then the key controller can refuse to distribute keys.⁵ However, public-key systems imply the knowledge of the public keys. Methods to add protection checks to public-key systems add an additional layer of mechanism.

⁵ This approach blocks communication if the host operating systems are constructed in such a way as to prohibit cleartext communication over the network.

3.3 Comparison of Public- and Conventional-Key Distribution for Private Communication

It should be clear that both of the above protocols establish a secure channel, and that both require the same amount of overhead to establish a connection (three messages). Even if that amount had been different by a message or two, the overhead is still small compared to the number of messages for which a typical connection will be used.

The above protocols can be modified to handle multiple authorities; such modifications have also been performed by Needham and Schroeder [NEED78]. Again, the number of messages can be reduced to three by caching.

It should also be noted that the safety of these methods depends only on the safety of the secret keys in the conventional method or the private keys in the public-key method. Thus an equivalent amount of secure storage is required.

One might suspect, however, that the software required to implement a public-key authority would be simpler than that for a KDC, and therefore it would be easier to certify its correct operation. If this view were correct, it would make public-key-based encryption potentially superior to
conventional algorithms, despite the equivalent protocol requirements. It is true that the contents of the authority need not be protected against unauthorized reference, since the public keys are to be available to all, while the keys used in the authentication protocol between the KDC and the user must be protected against reference. However, the standards of software reliability which need to be imposed on the authority for the sake of correctness are not substantially different from those required for the development of a secure KDC. More convincing, all of the KDC keys could be stored in encrypted form, using a KDC master key, and only decrypted when needed. Then the security of the KDC is reduced to protection of the KDC's master key and of the individual keys when in use. This situation is equivalent to the public-key repository case, since there the private key of the repository must be safely stored and protected during use.

It has also been pointed out that a conventional KDC, since it issued the conversation key, can listen in and in fact generate what appear to be valid messages. Such action cannot be done by the public-key repository. This distinction is minor however. Given that both systems require a trusted agent, it is a simple matter to add a few lines of certified correct code to the conventional-key agent (the KDC) that destroys conversation keys immediately after distribution. Thus the system characteristics of both conventional- and public-key algorithms, as used to support private communication, are more similar than initially expected.

4. LEVELS OF INTEGRATION

There are many possible choices of endpoints for the encryption channel in a computer network, each with its own trade-offs. In a packet-switched network, one could encrypt each line between two switches separately from all other lines. This is a low-level choice and is often called link encryption. Instead, the endpoints of the encryption channels could be chosen at a higher architectural level--at the host machines which are connected to the network. Thus the encryption system would support host-host channels, and a message would be encrypted only once as it was sent through the network (or networks) rather than being decrypted and reencrypted a number of times, as implied by the low-level choice. In fact, one could choose an even higher architectural level: Endpoints could be individual processes within the operating systems of the machines that are attached to the network. If the user were employing an intelligent terminal, then the terminal would be a candidate for an endpoint. This viewpoint envisions a single encryption channel from the user directly to the program with which he is interacting, even though that program might be running on a site other than the one to which the terminal is connected. This high-level choice of endpoints is sometimes called end-to-end encryption.

The choice of architectural level in which the encryption is to be integrated has many ramifications. One of the most important is the combinatorics of key control versus the amount of trusted software.

In general, as one considers higher and higher system levels, the number of identifiable and separately protected entities in the system tends to increase, sometimes dramatically. For example, while there are less than a hundred hosts attached to the Arpanet [ROBE73], at a higher level there often are over a thousand processes concurrently operating, each one separately protected and controlled. The number of terminals is of course also high. This numerical increase means that the number of previously arranged secure channels--that is, the number of separately distributed matched key pairs--is correspondingly larger. Also, the rate at which keys must be generated and distributed can be dramatically increased.

In return for the additional cost and complexity which result from higher level choices, there can be significant reduction in the amount of software whose correct functioning has to be ensured. This issue is very important and must be carefully considered. It arises in the following way. When the lowest level (i.e., link encryption) is chosen, the data being communicated exist in cleartext form as they are passed by the switch from one encrypted link to the next. Therefore the software in the switch must be trusted not to intermix packets of differ-
ent channels. If a higher level is selected, then protection errors in the switches are of little consequence. If the higher level chosen is host to host, however, operating system failures are still serious, because the data exist as cleartext while they are system resident.

In principle then, the highest level integration of encryption is most secure. However, it is still the case that the data must be maintained in cleartext form in the machine upon which processing is done. The more classical methods of protection within individual machines are still necessary, and the value of very high level end-end encryption is thereby somewhat lessened. A rather appealing choice of level that integrates effectively with kernel-structured operating system architectures is outlined in the case study in Section 7.

Another operational drawback to high-level encryption should be pointed out. Once the data are encrypted, it is difficult to perform meaningful operations on them. Many front end systems provide such low-level functions as packing, character erasures, and transmission on end-of-line or control-character detect. If the data are encrypted when they reach the front end, then these functions cannot be performed. Any channel processing must be done above the level at which encryption takes place, despite the fact that performance and considerations such as the above sometimes imply a lower level.

5. ENCRYPTION PROTOCOLS

Network communication protocols concern the discipline imposed on messages sent throughout the network to control virtually all aspects of data traffic, both in amount and direction. Choice of protocol has dramatic impacts on the flexibility and bandwidth provided by the network. Since encryption facilities provide a potentially large set of logical channels, the encryption protocols by which the operation of these channels is managed also have significant impact on system architecture and performance.

There are several important questions which any encryption protocol must answer:

1) How is the initial cleartext/ciphertext/cleartext channel from sender to receiver and back established?
2) How are cleartext addresses passed by the sender around the encryption facilities to the network without providing a path by which cleartext data can be inadvertently or intentionally leaked by the same means?
3) What facilities are provided for error recovery and resynchronization of the protocol?
4) How are channels closed?
5) How do the encryption protocols interact with the rest of the network protocols?
6) How much software is needed to implement the encryption protocols? Does the security of the network depend on this software?

One wishes a protocol which permits channels to be dynamically opened and closed, allows the traffic flow rate to be controlled (by the receiver presumably), and provides reasonable error handling, all with a minimum of mechanism upon which the security of the network depends. The more software involved, the more one must be concerned about the safety of the overall network. Performance resulting from use of the protocol must compare favorably with the attainable performance of the network using other protocols not including encryption. One would prefer a general protocol which could also be added to the existing networks, disturbing their existing transmission mechanisms as little as possible. The appropriate level of integration of encryption or the method of key distribution must be considered as well.

Fortunately, the encryption channel can be managed independently of the conventional communication channel, which is responsible for communication initiation and closing, flow control, error handling, and the like. As a result, many protocol questions can be ignored by the encryption facilities and can be handled by conventional means.

In Section 7 we outline a complete protocol in order to illustrate the ways in which these considerations interact and the independence that exists. The case considered

Computing Surveys, Vol. 11, No. 4, December 1979


Encryption and Secure Computer Networks • 347
employs distributed key management and an end-to-end architecture, all added to an existing network.

6. CONFINEMENT

To confine a program, process, or user means to render it unable to communicate other than through the explicitly controlled paths. Often improper communications are possible through subtle, sometimes timing-dependent, channels. As an example, two processes might bypass the controlled channels by affecting each other's data throughput. Although many such improper channels are inherently error prone, the users may employ error detection and correction protocols to overcome that problem.

Unfortunately, the confinement problem in computer networks is particularly difficult to solve because most network designs require some information to be transmitted in cleartext form. This cleartext information, although limited, can be used for the passage of unauthorized information. In particular, the function of routing a message from computer to computer toward its final destination requires that the headers which contain network addresses and control information be in cleartext form, at least inside the switching centers. A malicious user, cooperating with a penetrator, can send data by the ordering of messages between two communication channels. Even though the data of the communications are encrypted, the headers often are transmitted in cleartext form, unless link encryption is also used to encrypt the entire packet, including header. In any case, the routing task, often handled in large networks by a set of dedicated interconnected machines which form a subnet, requires host addresses in the clear within the switching machines. Thus a penetrator who can capture parts of the subnetwork can receive information. The only solutions to this problem appear to be certification of the secure nature of some parts of the subnetwork and host hardware/software. Work is in progress at the University of Texas on the application of program verification methods to this problem [GOOD77].

Certain confinement problems remain even if certification is applied as suggested. For example, the protocol-implementing software in a given system usually manipulates communications for several users simultaneously. Either this software must be trusted, or data must be encrypted before it reaches this software. Even in this latter case, certain information may be passed between the user and the network software, and thus, potentially, to an unauthorized user. As an example, if a queue is used to hold information waiting to be sent from the user to the network, the user can receive information by noting the amount drained from this queue by the network software. In almost any reasonable implementation on a system with finite resources, the user will at least be able to sense the time of data removal, if not the amount.

How well current program verification and certification methods apply here is open to question, since these confinement channels are quite likely to exist even in a correct implementation. That is, any feasible design seems to include such channels. Given the difficulty of confinement enforcement, it is fortunate that most applications do not require it.

7. NETWORK ENCRYPTION PROTOCOL CASE STUDY: PRIVATE COMMUNICATION AT PROCESS-PROCESS LEVEL

It is useful to review a case study of how encryption was integrated into a real system in order to recognize the importance of the various issues already presented. The example here was designed and implemented for the Arpanet, and is described in more detail by Popek and Kline [POPE78]; here we only outline the solution in general terms. The goal is to provide secure communication that does not involve application software in the security facilities. We also wish to minimize the amount of trusted system software.

The protocol provides process-to-process channels and guarantees that it is not possible for application software running within the process to cause cleartext to be transmitted onto the network. Basic operation of the protocol is suggested in Figure 3. It is assumed, in keeping with the discussion in Section 1.6, that the system software

348 • G. J. Popek and C. S. Kline
[Figure 3 (diagram): for each of two hosts, the processes U1 ... Un and NM sit above the SOFTWARE KERNEL, which drives a NETWORK INTERFACE and an ENCRYPTION UNIT; the two hosts' network interfaces are connected.]
FIGURE 3. Data flow in process-to-process encrypted channels.

base at each node is a suitably small, secure operating system kernel, which operates correctly.

It is also expected that the amount of software involved in management of the network from the operating system's point of view is substantial; therefore one does not wish to trust its correct operation.⁶ Responsibilities of that software include establishing communications channels, supporting retransmission when errors are detected, controlling data flow rates, multiplexing multiple logical channels on the (usually) single physical network connection, and assisting or making routing decisions. We call the modules which provide these functions the network manager.

Let us assume for the moment that the keys have already been distributed and logical channels established so far as the network managers are concerned. The operating system nucleus in each case has been augmented with new calls: Encrypt(channel name, data) and Decrypt(channel name, data destination). Whenever a process wishes to send an encrypted block of data, it issues the Encrypt call. The nucleus takes the data, causes them to be encrypted, and informs the network manager, which can read the block into its workspace. If we assume that the network manager knows what destination site is intended (which it must learn as part of establishing the logical channel), it then can place a cleartext header on the encrypted block and send it out onto the network. The cleartext header is essential so that switching computers which typically make up a network can route the block appropriately.⁷

When the block arrives at the destination host computer, the network manager there reads it in and strips off the header. It then tells the kernel the process for which the block is intended. The kernel informs the process, which can issue a Decrypt call, causing the data to be decrypted with the key previously arranged for that process. If this block really is intended for this process (i.e., encrypted with the matching key), then the data are successfully received. Otherwise, decryption with the wrong key yields nonsense. The encrypt and decrypt functions manage sequence numbers in a manner invisible to the user, as discussed in Section 1.3.

Clearly this whole mechanism depends on suitable distribution of keys, together with informing the network managers in a coordinated way of the appropriate endpoints of the channel. It is worth noting at this stage that matched keys form a well-defined communication channel, and that in the structure just outlined, it is not possible for processes to communicate to the network or the network manager directly; only the encrypt and decrypt functions can be used for this purpose. It is for this latter reason that application software cannot communicate in cleartext over the network, an advantage if that code is not trusted (the usual assumption in military examples).

⁶ As an example, in the Arpanet software for the Unix operating system, the network software is comparable in size to the operating system itself.

⁷ Network encryption facilities must, in general, provide some way to supply the header of a message in cleartext, even though the body is encrypted. Otherwise every node on possibly multiple networks has to be able to examine every message; this is not practical.
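The mechanism just described, together with the key table and the Open and Close calls of Section 7.1, as an added Python simulation that is neither the paper's nor the Arpanet implementation's code. The HMAC-SHA256 keystream cipher, the host numbers, process names, the policy callback and the fixed keys are constructed stand-ins; the kernel-kernel link is assumed already keyed.

```python
"""Kernel key table and the Open / Close / Encrypt / Decrypt calls of the Section 7
case study.  Added example, not the Arpanet code: the cipher is a constructed
HMAC-SHA256 keystream standing in for the conventional algorithm, and the
kernel-kernel link (footnote 8) is assumed already keyed."""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass


def toy_cipher(key: bytes, seq: int, data: bytes) -> bytes:
    """XOR data with a keystream from (key, seq); applying it twice restores data."""
    ks = b"".join(hmac.new(key, struct.pack(">QI", seq, i), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))


@dataclass
class Entry:                  # one key-table row, with the fields listed in Section 7.1
    foreign_host: int
    channel: str
    seq: int                  # next sequence number on this channel
    local_process: str
    key: bytes                # empty until generated here or received from the peer
    opened_here: bool = False
    usable: bool = True


class OpenError(Exception):
    """Open failed: name already in use, policy check refused, or table full."""


class Kernel:
    def __init__(self, host, table_size=4, policy=lambda pd: True,
                 keygen=lambda: os.urandom(16)):
        self.host, self.table_size, self.policy, self.keygen = host, table_size, policy, keygen
        self.table = {}   # channel name -> Entry
        self.peers = {}   # foreign host -> Kernel, standing in for the secure kernel link

    def _recv_open(self, from_host, channel, key):
        """Kernel-to-kernel message caused by a foreign Open (footnote 8)."""
        e = self.table.setdefault(channel, Entry(from_host, channel, 0, "", b""))
        e.key = key or e.key        # only the first side's message carries the key

    def _recv_close(self, channel):
        self.table.pop(channel, None)

    def open(self, foreign_host, foreign_process, local_process, channel, policy_data):
        e = self.table.get(channel)
        if e is not None and e.opened_here:
            raise OpenError("channel name already in use")
        if not self.policy(policy_data):
            if e is not None:       # undo the entry the foreign kernel caused, acting
                self.close(channel) # as Close would (Section 7.1) to avoid races
            raise OpenError("policy check failed")
        if e is None:
            if len(self.table) >= self.table_size:
                raise OpenError("kernel key table full")
            e = self.table[channel] = Entry(foreign_host, channel, 0, local_process, self.keygen())
            key_to_send = e.key     # first side generates the key and sends it
        else:
            assert e.seq == 0 and e.key   # entry was caused by the other host's kernel
            key_to_send = b""       # same message, less the key
        e.local_process, e.opened_here = local_process, True
        self.peers[foreign_host]._recv_open(self.host, channel, key_to_send)

    def close(self, channel):
        e = self.table.pop(channel, None)
        if e is not None:
            self.peers[e.foreign_host]._recv_close(channel)

    def encrypt(self, channel, data: bytes):
        """Prefix the sequence number and encrypt; returns the cleartext header
        (destination host, channel) the network manager attaches, plus the block."""
        e = self.table[channel]
        block = toy_cipher(e.key, e.seq, struct.pack(">I", e.seq) + data)
        e.seq += 1
        return (e.foreign_host, channel), block

    def decrypt(self, channel, block: bytes):
        """Decrypt with the arranged key and check the sequence number; a wrong key,
        a lost block or a replay yields nonsense and the channel is rendered unusable."""
        e = self.table[channel]
        if not e.usable:
            raise OpenError("channel unusable; Close it and Open a new one")
        plain = toy_cipher(e.key, e.seq, block)
        if struct.unpack(">I", plain[:4])[0] != e.seq:
            e.usable = False
            return None
        e.seq += 1
        return plain[4:]


def demo():
    """Steps 5-8 of Section 7.1 between hosts 1 and 2, then a replayed block."""
    k1, k2 = Kernel(1, keygen=lambda: b"\x11" * 16), Kernel(2)   # constructed fixed key
    k1.peers[2], k2.peers[1] = k2, k1
    k1.open(2, "B", "A", "x", {})        # steps 5-6: kernel @ 1 makes and sends the key
    k2.open(1, "A", "B", "x", {})        # step 7: kernel @ 2 already holds it
    header, block = k1.encrypt("x", b"hello")    # step 8
    received = k2.decrypt("x", block)
    replayed = k2.decrypt("x", block)    # duplicate: sequence check fails
    return header, received, replayed, k2.table["x"].usable
```

The single sequence number per table row is shared by both directions, which suffices for the lockstep exchange shown; a duplex channel would need one counter per direction.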



7.1 Initial Connection

To establish the secure channel, several steps are necessary. The local network manager must be told with whom the local process wishes to communicate. This would be done by some highly constrained means. The network manager must communicate with the foreign network manager and establish a name for this channel, as well as other state information such as flow control parameters. The network manager software involved need not be trusted. Once these steps are done, encryption keys need to be set up in a safe way.

We first outline how this step would be carried out employing conventional encryption with fully distributed key management; then we comment on how it would change if public-key systems were used. Assume that there is a kernel-maintained key table which has entries of the form:

foreign host name,
channel name,
sequence number,
local process name,
key.

There are also two additional kernel calls. Open(foreign process name, local process name, channel name, policy-data) makes the appropriate entry in the key table (if one is not already there for the given channel), setting the sequence number to an initial value and sending a message to the foreign kernel of the form (local process name, channel name, policy-data, key).⁸

If there already is an entry in the local key table, it should have been caused by the other host's kernel. In that case Open checks to make sure that the sequence number has been initialized and does not generate a key; rather it sends out the same message, less the key. Close(channel name) deletes the indicated entry in the local key table, and sends a message to the foreign kernel to do the same.

The policy-data supplied in the Open call, such as classification/clearance information, will be sent to the other site involved in the channel so that it too will have the relevant basis for deciding whether or not to allow this channel to be established.

Once both sides have issued corresponding Open calls, the process can communicate. The following steps illustrate the overall sequence in more detail. The host machines involved are numbered 1 and 2. Process A is at host 1 and B is at host 2. The channel name will be x. The notation NM @ i denotes "network manager at site i."

1) A informs NM @ 1 "connect using x to B @ 2." This message can be sent locally in the clear. If confinement between the network manager and local processes is important, other methods can be employed to limit the bandwidth between A and NM.
2) NM @ 1 sends control messages to NM @ 2, including whatever host machine protocol messages are required.⁹
3) NM @ 2 receives an interrupt indicating normal message arrival, performs an I/O call to retrieve it, examines the header, determines that it is the recipient, and processes the message.
4) NM @ 2 initiates step 2 at site 2, leading to step 3's being executed at site 1 in response. This exchange continues until NM @ 1 and NM @ 2 establish a logical channel, using x as their internal name for the channel.
5) NM @ 1 executes Open(B, A, x, policy-data).
6) In executing the Open, the kernel @ 1 generates or obtains a key, makes an entry in its key table, and sends a message over its secure channel to the kernel @ 2, which in turn makes a corresponding entry in its table and interrupts NM @ 2, giving it the triple (B, A, x).
7) NM @ 2 issues the corresponding Open(A, B, x, policy-data'). This call interrupts B and eventually causes the appropriate entry to be made in the kernel table at host 1. The making of that entry interrupts NM @ 1 and A @ 1.

⁸ The reader will note that the kernel-to-kernel message generated by the Open call must be sent securely and therefore must employ a previously arranged key. The network manager must also be involved, since only it contains the software needed to manage the network.

⁹ The host-host protocol messages would normally be sent encrypted using the NM-NM key in most implementations.



8) A and B can now use the channel by issuing successive Encrypt and Decrypt calls.

There are a number of places in the mechanisms just described where failure can occur. If the network software in either of the hosts fails or decides not to open the channel, no kernel calls are involved and standard protocols operate. (If user notification is permitted, an additional confinement channel is present.) An Open may fail because the name x supplied was already in use, a protection policy check was not successful, or the kernel table was full. The caller is notified. He may try again. In the case of failure of an Open, it may be necessary for the kernel to execute most of the actions of Close to avoid race conditions that can result from other methods of indicating failure to the foreign site.

The encryption mechanism just outlined contains no error correction facilities. If messages are lost, or sequence numbers are out of order or duplicated, the kernel merely notifies the user and network software of the error and renders the channel unusable.¹⁰ This action is taken on all channels, including the host-host protocol channels as well as the kernel-kernel channels. For every case but the last, Close calls must be issued and a new channel created via Opens. In the last case, the procedures for bringing up the network must be used. This simple-minded view is acceptable in part because the error rate which the logical encryption channel sees can be quite low. That is, the encryption channel is built on top of lower level facilities supplied by conventional network protocols, some implemented by the NM, which can handle transmission errors (forcing retransmission of errant blocks, for example) before they are visible to the encryption facilities. On highly error prone channels, additional protocol at the encryption level may still be necessary. See KENT76 for a discussion of resynchronization of the sequencing supported by the encryption channel.

From the protection viewpoint, one can consider the collection of NMs across the network as forming a single (distributed) domain. They may exchange information freely among themselves. No user process can send or receive data directly to or from an NM, except via narrow bandwidth channels through which control information is sent to the NM and status and error information is returned. These channels can be limited by adding parameterized calls to the kernel to pass the minimum amount of data to the NMs and having the kernel post, to the extent possible, status reports directly to the processes involved. The channel bandwidth cannot be zero, however.

The protocols in this case study can also be modified to use public-key algorithms. The kernel, upon receiving the Open request, should retrieve the public key of the recipient. Presumably, the kernel would employ a protocol with the authority to retrieve the public key and then utilize the authentication mechanisms described in the protocols of Section 2.

More precisely, in step 6 above, when the kernel receives the Open call, it would retrieve the public key, either by looking it up in a cache or requesting it from the central authority, or via other methods such as certificates. Once the key is retrieved, the kernel would send a message to the other kernel over the secure kernel-kernel channel, identifying the user and supplying those policy and authentication parameters required. The other kernel, upon receipt of that message, would retrieve the user's private key (from wherever local user private keys are stored) and continue the authentication sequence.

7.2 System Initialization Procedures

The task of initializing the network software is composed of two important parts. First, it is necessary to establish keys for the secure kernel-kernel channels and the NM-NM channels. Next, the NM can initialize itself and its communications with

¹⁰ Recall that these sequence numbers are added to the cleartext by the kernel Encrypt call before encryption. They are removed and checked after decryption by a Decrypt call issued at the receiving site before delivery to the user. Hence, if desired, sequence numbers can be handled by the encryption unit itself and never be seen by kernel software. If such a choice is made, then the conventional network protocols supported by the NM will need another set of sequence numbers for error control.



other NMs. Finally, the kernel can initialize its communications with other kernels. This latter problem is essentially one of mutual authentication of each kernel with the other member of the pair, and appropriate solutions depend on the expected threats against which protection is desired.

The initialization of the kernel-kernel channel and the NM-NM channel key table entries requires that the kernel maintain initial keys for this purpose. The kernel cannot obtain these keys using the above mechanisms at initialization because they require the prior existence of the NM-NM and kernel-kernel channels. Thus this circularity requires the kernel to maintain at least two key pairs.¹¹ However, such keys could be kept in read-only memory of the encryption unit if desired.

The initialization of the NM-NM communications then proceeds as it would if encryption were not present. Once this NM-NM initialization is complete, the kernel-kernel connections could be established by the NM. At this point, the system would be ready for new connection establishment. It should be noted that if desired, the kernels could then set up new keys for the kernel-kernel and NM-NM channels, thus using the initialization keys for a short time only. To avoid overhead at initialization time and to limit the sizes of kernel key tables, NMs probably should only establish channels with other NMs when a user wants to connect to that particular foreign site, and perhaps the NM-NM channel should be closed after all user channels are closed.

This case study should serve to illustrate many of the issues present in the design of a suitable network encryption facility.

7.3 Symmetry

The case study portrays a basically symmetric protocol suitable for use by intelligent nodes, a fairly general case. However, in some instances one of the pair lacks algorithmic capacity, as illustrated by simple hardware terminals or simple microprocessors. Then a strongly asymmetric protocol is required, where the burden of establishing secure communications falls on the more powerful of the pair.

A form of this problem might also occur if encryption is not handled by the system, but by the user processes themselves. Then for certain operations, such as sending mail, the receiving user process might not even be present. (Note that such an approach may not guarantee the encryption of all network traffic.) The procedures outlined in the next section are oriented toward reducing the work of one of the members of the communicating pair.

8. NETWORK MAIL

Recall that network mail may often be short messages, to be delivered as soon as possible to the recipient site and stored there, even if the intended receiver is not currently logged in.

Assume that a user at one site wishes to send a message to a user at another site, but because the second user may not be signed on at the time, a system process (sometimes called a "daemon") is used to receive the mail and deliver it to the user's "mailbox" file for his later inspection. It is desirable that the daemon process not require access to the cleartext form of the mail, for that would require trusting the mail receiver mechanism. This task can be accomplished by sending the mail to the daemon process in encrypted form and having the daemon put that encrypted data directly into the mailbox file. The user can decrypt the data when he signs on to read his mail.

In either the conventional- or public-key case, the protocols described in Section 3 can be employed with only slight modifications. In the conventional-key case, the last two messages, those which exchange an identifier to ensure that the channel is current, must be dropped (since the recipient may not be present). After the sender requests and gets a key K and a copy of K encrypted with the receiver's secret key, he appends the encrypted mail to the encrypted K and sends both to the receiver.

¹¹ In a centralized key controller version, the only keys needed would be those for the channel between the key controller's NM and the host's NM, and for the channel between the key controller's kernel and the host's kernel. In a distributed key management system, keys would be needed for each key manager.



The receiving mail daemon can deliver the mail and key (both still encrypted), and the intended recipient can decrypt and read it at his leisure.

In the case of public keys, the sender retrieves the recipient's public key via an exchange with the repository, encrypts the mail, and sends it to the receiving site. Again the mail daemon delivers the encrypted mail, which can be read later by the recipient since he knows his private key. Again, the authentication part of the public-key protocol must be dropped. In both of these approaches, since the authentication steps were not performed, the received mail may be a replay of a previous message. If detecting duplicate mail is important, the receiver must keep records of previous mail.

Both mechanisms outlined above do guarantee that only the desired recipient of a message will be able to read it. However, as pointed out, the recipient is not guaranteed the identity of the sender. This problem is essentially that of digital signatures, which is discussed in the next section.

9. DIGITAL SIGNATURES

Applications such as bank transactions, military command and control orders, and contract negotiations, will require digital signatures. At first, it appeared that public-key methods would be superior to conventional ones for use in digital message signatures. The method, assuming a suitable public-key algorithm, is for the sender to encode the mail with his private key and then send it. The receiver decodes the message with the sender's public key. The usual view is that this procedure does not require a central authority, except to adjudicate an authorship challenge. However, two points should be noted. First, a central authority is needed by the recipient for aid in deciphering the first message received from any given author (to retrieve the corresponding public key, as mentioned in Section 3.2). Second, the central authority must keep all old values of public keys in a reliable way to properly adjudicate conflicts over old signatures (consider the relevant lifetime of a signature on a real estate deed, for example).

Furthermore, and more serious, the unadorned public-key-signature protocol just described has an important flaw. The author of signed messages can effectively disavow and repudiate his signatures at any time, merely by causing his secret key to be made public or "compromised" [SALT78]. When such an event occurs, either by accident or intention, all messages previously "signed" using the given private key are invalidated, since the only proof of validity has been destroyed. Because the private key is now known, anyone could have created any message claimed to have been sent by the given author. None of the signatures can be relied upon.

Hence the validity of a signature on a message is only as safe as the entire future protection of the private key. Further, the ability to remove the protection resides precisely with the individual (the author) who should not hold that right. That is, one important purpose of a signature is to indicate responsibility for the content of the accompanying message in a way that cannot be later disavowed.

The situation with respect to signatures using conventional algorithms might initially appear slightly better. Rabin [RABI78] proposes a method of digital signatures based on any strong conventional algorithm. Like public-key methods it too requires either a central authority or an explicit agreement between the two parties involved to get matters going.¹² Similarly, an adjudicator is required for challenges. Rabin's method, however, uses a large number of keys, with keys not being reused from message to message. As a result, if a few keys are compromised, other signatures based on other keys are still safe. This is not a real advantage over public-key methods, since one could readily add a layer of protocol over the public-key method to change keys for each message as Rabin does for conventional methods. One could even use a variant of Rabin's scheme itself

¹² In his paper, Rabin describes an initialization method which involves an explicit contract between each pair of parties that wish to communicate with digitally signed messages. One can easily instead add a central authority to play this role, using suitable authentication protocols, thus obviating any need for two parties to make specific arrangements prior to exchanging signed correspondence.



with public keys, although it is easy to develop a simpler one.

All of the digital signature methods described or suggested above suffer from the problem of repudiation of signature via key compromise. Rabin's protocol or analogs to it merely limit the damage (or, equivalently, provide selectivity!). It appears that the problem is intrinsic to any approach in which the validity of an author's signature depends on secret information which can potentially be revealed, either by the author or other interested parties. Surely improvement would be desirable.

A number of proposals have been made to augment or replace the unadorned approaches just outlined. One, suggested in KLIN79, employs a network-wide distributed signature facility. Others, based on analogs to notaries public in the paper world or replicated, trusted archival facilities, provide a dependable time-stamping mechanism so that authors cannot disavow earlier signed correspondence by causing their keys to be revealed.

9.1 Network-Registry-Based Signatures: A Conventional-Key Approach

The registry solution is based on the obvious approach of interposing some trusted interpretive layer, a secure hardware and/or software "unit," between the author and his signature keys, whatever their form. Then it is a simple matter to organize the collection of units in the network to provide digital signature facilities. Consider all the cooperating units together as a distributed network registry (NR). Some secure communication protocol among the components of the registry is required, but it can be very simple; low-level link-style encryption using conventional encryption would suffice.

Given that such facilities exist, then a simple implementation of digital signatures which does not require specialized protocols or encryption algorithms is as follows:

1) The author authenticates with a local component of the network registry (NR), creates a message, and hands the message to the NR together with the recipient identifier and an indication that a registered signature is desired.
2) The NR (not necessarily the local component) computes a simple characteristic function of the message, author, recipient, and current time; encrypts the result with a key known only to the NR; and forwards the resulting "signature block" to the recipient. The NR only retains the encryption key employed.
3) The recipient, when the message is received, can ask the NR if the message was indeed signed by the claimed author by presenting the signature block and message. Subsequent challenges are handled in the same way.

Certain precautions are needed to ensure the safety of the keys used to encrypt the signature blocks, including the use of different keys between pairs of distributed NR components, and a signature block computation which requires compromise of multiple components before signature validity is affected. For example, several NR components could each generate fragments of the keys being used. There is not even any need for all NR components to be under control of a single centralized authority so long as they can all cooperate.

9.2 Notary-Public- and Archive-Based Solutions

Public-key algorithms can provide safe signature methods also. One straightforward method is based on the behavior of notaries public in the paper world.¹³ Briefly, there can be a number of independently operating (but perhaps licensed) notary public machines attached to the network. When a signed message has been produced, it can be sent to several of the notary public machines by the author after the author has signed the message himself. The notary public machine time-stamps the message, signs it itself (thereby encoding it a second time), and returns the result to the author. The author can then put the appropriate cleartext information around the doubly signed correspondence and send it to the intended receiver. He checks the notary's signature by decoding with the notary's public key, then decodes the message using

¹³ This approach was initially suggested to one of the authors by David Redell.



the author's public key. Several notarized copies can be sent, if desired, to increase safety.

The assumption underlying this method is that most of the notaries can be trusted. Since each notary time-stamps its signature, it is not possible for the original author to disavow prior signed correspondence by "losing" his key at a given time. One might think, however, that it is still possible for someone to claim that his key had been revealed sometime in the past without his knowledge and selective messages forged. This problem can be guarded against by having each notary public return a copy of each notarized message to the author's permanent address. (This "patch" of course raises the question of how notaries are kept reliably informed of permanent addresses.)

Each notary is an independent facility, so that no coordination among notaries is required. Of course, if only one notary exists, then the approach is at best no improvement over the scheme presented in the previous section without multiple NR components. Danger of compromise of the notaries' private keys is reduced by the redundant facilities.

A related way to achieve reliable time registration of signed messages is for there to be a number of independent archival sites where either authors or recipients of signed mail may send copies of correspondence to be time-stamped and stored permanently. Of course, the entire message need not be stored; just a characteristic function will do. Challenges are handled by

...ences from previous protocols. First, the authors of messages do not retain the ability to repudiate signatures at will. Second, the new facilities can be structured so that failure or compromise of several of the components is necessary before signature validity is lost. In the early proposals a single failure could lead to compromise.

10. USER AUTHENTICATION

While digital signatures are important, one must realize that there must still exist a guaranteed authentication mechanism by which an individual is authenticated to the system. Any reasonable communication system, of course, ultimately requires such a facility, for if one user can masquerade as another, all signature systems will fail. What is required is some reliable way to identify a user sitting at a terminal, some method stronger than the password schemes used today. Perhaps an unforgeable mechanism based on fingerprints or other personal characteristics will emerge.

11. CONCLUSIONS

This discussion of network security has outlined the issues in developing secure computer networks, as well as presented the context in which encryption algorithms will be increasingly used. It is surprising to note that once the system implications are understood, public-key algorithms and conventional algorithms are largely equivalent. Indeed, it is highly unlikely that any given class of encryption algorithms will be
interrogating the archives. The possibility sufficient alone to provide the various se-
of an individual's key being compromised cure functions which will be desired. Mas-
and used without his knowledge can be ter-key/subkey relationships, or k-out-of-n
treated in the same way as with notaries systems TM are just two examples. Rather
public. than attempt to develop and evaluate the
strength of a new encryption system for
9.3 Comparison of Signature Algorithms each such application, it would be prefera-
The improved conventional-key-based and ble to recognize that a strong extensible
public-key-based signature algorithms system is necessary. Such a system is one
share many common characteristics. They for which new characteristics may be easily
each involve some generally trusted mech- added, and where the strength of the addi-
anism shared among all those communicat- tion can be demonstrated in a straightfor-
ing. The safety of signatures still depends ward, incremental manner. Any strong al-
on the future protection of keys as before, gorithm, either conventional or public key,
now including those for the network regis-
try, notaries public, or archive facilities. ~4A k-out-of-nsystemis one in whichany k of a set of
n keys are sufficmntto decrypt, but it is infeasibleto
However, there are several crucial differ- do so with any fewer
Computing Surveys, VoL 11, No 4, December 1979
can serve as the basis for a strong extensible system when combined with additional trusted management algorithms, expressed either in hardware or software. Examples of such mixed systems are given in Section 9. In fact, much of the discussion in this paper suggests that mixed systems are essential. Once that necessity is recognized, pressure to develop encryption algorithms with special characteristics is lessened; instead, more attention is focused on the need for strong algorithms in general.

If one assumes that the purpose of a secure network is mainly to provide private pipes, similar to those supplied by common carriers, then general principles by which secure, common-carrier-based, point-to-point communication can be provided are reasonably well in hand. Of course, in any sophisticated implementation, there will be considerable careful engineering to be done. However, this conclusion rests on an important assumption that is not universally valid. The security and correctness of function of the underlying operating systems must be suitably high so that the network security methods described here are not being built on an unreliable base, obviating their safety. Fortunately, reasonably secure operating systems are well on their way; so this intrinsic dependence of network security on appropriate operating system support should not seriously delay common carrier security [McCA79, POPE78, FEIE79].

One could, however, take a rather different view of the nature of the network security problem. The goal might be to provide a high-level extended machine for the user, in which no explicit awareness of the network is required. The underlying facility is trusted to move data securely from site to site as necessary to support whatever data types and operations are relevant to the user. The facility operates securely and with integrity in the face of unplanned crashes of any nodes in the network. Synchronization of operations on user meaningful objects (such as the operation "withdrawal" on the object "checking account") is reliably maintained using minimum trusted mechanism. Other higher level security-relevant operations beyond digital signatures are provided. If one takes such a high-level view of the goal of network security, then the simple common-carrier solutions are insufficient and more work remains.

ACKNOWLEDGMENTS

The authors thank the referees for their comments. In particular, it is a pleasure to acknowledge Adele Goldberg for her help and guidance in revising the manuscript.

BIBLIOGRAPHY

AHO74 AHO, A., HOPCROFT, J., AND ULLMAN, J., The Design and Analysis of Computer Algorithms, Addison-Wesley, Reading, Mass., 1974.
BOGG80 BOGGS, D., SHOCH, J., TAFT, E., AND METCALFE, R., "Pup: An internetwork architecture," to appear in IEEE Trans. Comput., Feb. 1980.
BRAN73 BRANSTAD, D. K., "Security aspects of computer networks," presented at the AIAA Computer Network Systems Conf., April 1973.
BRAN75 BRANSTAD, D. K., "Encryption protection in computer data communications," in Proc. 4th Data Communications Symp., 1975, pp. 8-1-8-7.
CARL75 CARLSTEDT, J., BISBEY, R., AND POPEK, G., Pattern directed protection evaluation, Rep. ISI/RR-75-31, Information Sciences Inst., U. of Southern California, Marina Del Rey, Calif., 1975.
CERF78 CERF, V., AND KIRSTEIN, P., "Issues in packet-network interconnection," Proc. IEEE 66, 11 (Nov. 1978), 1386-1408.
DENN66 DENNIS, J. B., AND VAN HORN, E. C., "Programming semantics for multiprogrammed computations," Commun. ACM 9, 3 (March 1966), 143-155.
DIFF76a DIFFIE, W., AND HELLMAN, M., "Multiuser cryptographic techniques," in Proc. 1976 AFIPS NCC, Vol. 45, AFIPS Press, Arlington, Va., pp. 109-112.
DIFF76b DIFFIE, W., AND HELLMAN, M., "New directions in cryptography," IEEE Trans. Inf. Theory IT-22, 11 (Nov. 1976), 644-654.
DIFF77 DIFFIE, W., AND HELLMAN, M., "Exhaustive cryptanalysis of the NBS data encryption standard," Computer 10, 6 (June 1977), 74-84.
DIFF79 DIFFIE, W., AND HELLMAN, M., "Privacy and authentication: An introduction to cryptography," Proc. IEEE 67, 3 (March 1979), 397-427.
DOWN79 DOWNS, D., AND POPEK, G., "Data base system security and Ingres," in Proc. Conf. Very Large Data Bases, 1979, Rio De Janeiro, Brazil.
EVAN74 EVANS, A., KANTROWITZ, W., AND WEISS, E., "A user authentication system not requiring secrecy in the computer," Commun. ACM 17, 8 (Aug. 1974), 437-442.
FABR74 FABRY, R. S., "Capability-based addressing," Commun. ACM 17, 7 (July 1974), 403-412.
FEIE79 FEIERTAG, R., AND NEUMANN, P., "The foundations of a provably secure operating system (PSOS)," in Proc. 1979 AFIPS NCC, Vol. 48, AFIPS Press, Arlington, Va., pp. 329-334.
FEIS73 FEISTEL, H., "Cryptography and computer privacy," Sci. Am. 228, 5 (May 1973), 15-23.
FEIS75 FEISTEL, H., NOTZ, W. A., AND SMITH, J. L., "Some cryptographic techniques for machine to machine data communications," Proc. IEEE 63, 11 (Nov. 1975), 1545-1554.
GAIN77 GAINES, R. S., Private communication, Sept. 1977.
GOOD77 GOOD, D. I., "Constructing verified and reliable communications processing systems," ACM Soft. Eng. Notes, Oct. 77, pp. 2-5.
HELL78 HELLMAN, M. E., "Security in communications networks," in Proc. 1978 AFIPS NCC, Vol. 47, AFIPS Press, Arlington, Va., pp. 1131-1134.
KENT76 KENT, S., Encryption-based protection protocols for interactive user-computer communication, Tech. Rep. 162, M.I.T. Lab. for Computer Science, May 1976.
KIMB75 KIMBLETON, S. R., AND SCHNEIDER, G. M., "Computer communications networks: Approaches, objectives and performance considerations," Comput. Surv. 7, 3 (Sept. 1975), 129-173.
KLIN79 KLINE, C. S., AND POPEK, G. J., "Public key vs. conventional key encryption," in Proc. 1979 AFIPS NCC, Vol. 48, AFIPS Press, Arlington, Va., pp. 831-837.
KOHN78 KOHNFELDER, L., Towards a practical public-key cryptosystem, B.S. Thesis, M.I.T., Cambridge, Mass.
LAMP73 LAMPSON, B. W., "A note on the confinement problem," Commun. ACM 16, 10 (Oct. 1973), 613-615.
LEMP79 LEMPEL, A., "Cryptology in transition," Comput. Surv. 11, 4 (Dec. 1979), 285-304.
LENN78 LENNON, R. E., "Cryptography architecture for information security," IBM Syst. J. 17, 2 (1978), 138-150.
MATY78 MATYAS, S. M., AND MEYER, C. H., "Generation, distribution, and installation of cryptographic keys," IBM Syst. J. 17, 2 (1978), 126-137.
McCA79 MCCAULEY, E. J., AND DRONGOWSKI, P. J., "KSOS--The design of a secure operating system," in Proc. 1979 AFIPS NCC, Vol. 48, AFIPS Press, Arlington, Va., pp. 345-353.
MERK78 MERKLE, R. C., "Secure communications over insecure channels," Commun. ACM 21, 4 (April 1978), 294-299.
MEYE73 MEYER, C. H., "Design considerations for cryptography," in Proc. 1973 AFIPS NCC, Vol. 42, AFIPS Press, Arlington, Va., pp. 603-606.
NBS77 NATIONAL BUREAU OF STANDARDS, Data encryption standard, Federal Information Processing Standards Publ. 46, 1977.
NBS78a NATIONAL BUREAU OF STANDARDS, Design alternatives for computer network security, Special Publ. 500-21, Vol. 1, NBS, Washington, D.C., 1978.
NBS78b NATIONAL BUREAU OF STANDARDS, The network security center: A system level approach to computer security, Special Publ. 500-21, Vol. 1, Washington, D.C., 1978.
NEED78 NEEDHAM, R. M., AND SCHROEDER, M. D., "Using encryption for authentication in large networks of computers," Commun. ACM 21, 12 (Dec. 1978), 993-999.
POPE74a POPEK, G. J., "Protection structures," IEEE Comput. (July 1974), 22-33.
POPE74b POPEK, G. J., "A principle of kernel design," in Proc. 1974 AFIPS NCC, Vol. 43, AFIPS Press, Arlington, Va., pp. 977-978.
POPE78 POPEK, G. J., AND KLINE, C. S., "Design issues for secure computer networks," in Operating Systems, an Advanced Course, R. Bayer, R. M. Graham, and G. Seegmuller, Eds., Springer-Verlag, New York, 1978.
POPE79 POPEK, G. J., KAMPE, M., KLINE, C. S., STOUGHTON, A., URBAN, M., AND WALTON, E. J., "UCLA secure unix," in Proc. 1979 AFIPS NCC, Vol. 48, AFIPS Press, Arlington, Va., pp. 355-364.
RABI78 RABIN, M., "Digitalized signatures," in Foundations of Secure Computing, R. DeMillo et al., Eds., Academic Press, New York, 1978.
REDE74 REDELL, D. D., AND FABRY, R. S., "Selective revocation of capabilities," in Proc. IRIA Conf. Protection in Operating Systems, Rocquencourt, France, Aug. 1974.
RIVE77a RIVEST, R. L., SHAMIR, A., AND ADLEMAN, L., A method for obtaining digital signatures and public-key cryptosystems, Tech. Memo. LCS/TM82, M.I.T. Lab. for Computer Science, Cambridge, Mass., April 4, 1977 (revised Aug. 31, 1977).
RIVE78 RIVEST, R. L., SHAMIR, A., AND ADLEMAN, L., "A method for obtaining digital signatures and public-key cryptosystems," Commun. ACM 21, 2 (Feb. 1978), 120-126.
ROBE73 ROBERTS, L., AND WESSLER, B., "The ARPA network," in Computer Communication Networks, Prentice-Hall, Englewood Cliffs, N.J., 1973, pp. 485-499.
SALT78 SALTZER, J., "On digital signatures," ACM Operating Syst. Rev. 12, 2 (Apr. 1978), 12-14.
SEND78 SENDROW, M., "Key management in EFT environments," in Proc. COMPCON 1978, pp. 351-354 (available from IEEE, New York).
SIMM79 SIMMONS, G. J., "The asymmetric encryption/decryption channel," Comput. Surv. 11, 4 (Dec. 1979), 305-330.
WEST70 WESTIN, A. F., Privacy and Freedom, Atheneum Press, New York, 1970.

RECEIVED APRIL 1979; FINAL REVISION ACCEPTED SEPTEMBER 1979
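The notary-public signature scheme described before Section 9.3, together with the k-out-of-n idea from Section 11, as an added example (Python written for this page, not code from the paper): the author signs a digest of the message, each independent notary time-stamps that signed message and signs it a second time, and the receiver checks the notaries' countersignatures with their public keys and the author's signature with his, accepting only when at least k notaries agree. Assumed for the example: textbook RSA over hard-coded small primes stands in for the paper's unspecified public-key algorithm (insecure at this size), hash-then-sign replaces encoding the whole message, and the message, time-stamps and 2-of-3 threshold are constructed.

```python
import hashlib
E = 65537  # public exponent shared by all toy keys

def make_key(p, q):
    """Textbook RSA key pair from two primes (a constructed toy, not secure)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (E, n), (pow(E, -1, phi), n)

def digest(*parts):
    """Characteristic function of a message: SHA-256 over the parts, as an integer."""
    data = "\0".join(map(str, parts)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(private, value):
    d, n = private
    return pow(value % n, d, n)           # encode with the private key

def check(public, value, sig):
    e, n = public
    return pow(sig, e, n) == value % n    # decode with the public key

def author_sign(author_priv, message):
    return sign(author_priv, digest(message))   # step 1: the author signs first

def notarize(notary_priv, message, author_sig, timestamp):
    # step 2: the notary time-stamps the signed message and signs it a second time
    return timestamp, sign(notary_priv, digest(message, author_sig, timestamp))

def verify_notarized(message, author_sig, author_pub, notarizations, notary_pubs, k):
    """Receiver's check: the author's signature must hold and at least k of the
    independent notaries' countersignatures must verify (k-out-of-n acceptance)."""
    if not check(author_pub, digest(message), author_sig):
        return False
    good = sum(check(pub, digest(message, author_sig, ts), sig)
               for (ts, sig), pub in zip(notarizations, notary_pubs))
    return good >= k

def demo():
    """Constructed walk-through: one author, three notaries, 2-of-3 acceptance."""
    author_pub, author_priv = make_key(104729, 1299709)
    notaries = [make_key(999983, 15485863), make_key(65521, 2147483647), make_key(1009, 1013)]
    pubs = [pub for pub, _ in notaries]
    message = "Pay 100 to account 42"                 # constructed sample message
    sig = author_sign(author_priv, message)
    notarizations = [notarize(priv, message, sig, 19791204 + i)  # constructed time-stamps
                     for i, (_, priv) in enumerate(notaries)]
    return (verify_notarized(message, sig, author_pub, notarizations, pubs, 2),
            verify_notarized("Pay 900 to account 42", sig, author_pub, notarizations, pubs, 2))
```

Because each notary signs its own time-stamp together with the author's signature, a corrupted or missing countersignature from one notary still leaves a 2-of-3 verdict intact, while any change to the message, the time-stamp or the author key fails the check.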
