SECURITY OF METROPOLITAN TELECOMMUNICATIONS

Eberhardt Rechtin
Hewlett-Packard Company
Palo Alto, California

INTRODUCTION

The purpose of this short paper is to outline the basics of privacy and security in metropolitan telecommunications systems. First, some definitions of terms:

Privacy: The ability of an individual (or organization) to decide whether, when, and to whom personal (or organizational) information is released; e.g., "the right to privacy."

Access: The ability to make use of information.

Secure: Protected; e.g., "secure communications systems."

Security: Protection mechanisms and techniques; barriers to unauthorized access; e.g., encryption, plant security.

Privacy and access are conflicting social objectives. The conflict is sometimes expressible by the statement: "What's mine is mine and what's yours is also mine." The two extremes, complete privacy and complete access, present no technical problems for telecommunications. In complete privacy, nothing needs to be transmitted. In complete access, no one cares who acquires the information. The social and technical problems arise when the need is for limited access and multiple use.

The fundamental technical problem, therefore, is to build information systems which facilitate authorized access while protecting against unauthorized access. An almost equivalent statement is that the purpose of security systems is to raise the price of admission to unauthorized users while keeping it at an acceptable cost to the authorized ones, a statement particularly applicable to national security, law enforcement and investigative applications. Another variation, perhaps more suitable for commercial and financial transactions, is that security measures reflect a tradeoff between their cost and the value of the compromised information.

The particular system design depends upon such additional factors as:

• An estimate of the determination of the potential attacker (inadvertent mistake, chance discovery, opportunistic, deliberate but covert, malicious and overt, etc.)
• The dynamics of use (static or changing security measures?)
• Fail-safe provisions (e.g., the effects of failures on undetected disabling of the security measures)
• The user's image of the security problem to be solved (e.g., what needs protection, why, for how long, against whom?)
• The intended useful lifetime of the security measures
• Tradeoffs between technology, cost and time (e.g., new technology may make better measures available later on)

Guaranteeing (certifying) that a system is secure is a very difficult technical task even if all of the foregoing factors have been taken into account. Even if the level of determination of the potential attacker is precisely known, which it seldom is, it is very difficult to prove that the double negative requirement to prevent all unauthorized accesses has been met. The fact that a thousand possible attacks can be defeated doesn't guarantee that the thousand and first one doesn't exist. It is also an unhappy fact that a system with undetected flaws is almost worse than none at all, particularly if the user believes that the system is secure. The user will use the system as if secure, will put information into it that he would never enter if he suspected it to be insecure, and may never know that unauthorized access has occurred.

A final introductory comment: telecommunications is only part of a total system that must be protected. The total system includes the people who use it, the physical facilities, input/output terminals, computers, local loops, local switches, telecommunications links, telecommunications nodes, and even such auxiliary services as billing and equipment servicing. It is beyond the scope of this paper to discuss the non-telecommunication subsystems. Suffice it to say, the security levels of the subsystems must be the same; they are all links in a chain.

THE STATE OF THE ART IN TELECOMMUNICATIONS SECURITY

The vast majority, if not the totality, of signal encryption and code cracking developments are under national security auspices. But without going into classified matters, the following statements may be taken as true:

• Telecommunications security, on a link-by-link basis, can be made far better, at a reasonable cost, than the security of other information subsystems.
• Overall, end-to-end, telecommunications security is more complex and more expensive than link-by-link security, but this, too, can be made far better than the security of other information subsystems. (End-to-end security means that intermediate nodes in the telecommunication system have absolutely no access to the content of the information being passed. The technical problem is one of distributing appropriate keys to the many users of the switched telecommunications network.)
• No one knows how to build a multiple user, multiple security level computer system without flaws, although a great deal of remarkable work has been done and the
levels of protection offered by commercial computers have been rising steadily. (For an excellent discussion of security in general and for computers, see "The Protection of Information in Computer Systems," Saltzer and Schroeder, Proceedings of the IEEE, September 1975.)
• Digital bit streams are relatively easy to secure and at a relatively low cost. Voice security is more difficult and considerably more expensive, particularly if the encrypted transmission must be over conventional telephone networks.
• The quality of the telecommunication transmission link affects the complexity, cost and performance of secure telecommunications through inter-symbol interference, drop outs, fading, echoes, phase inversions, etc. Ionospheric links are the most difficult; local telephone loops are often a problem; switching transients can cause troubles; but most microwave and satellite links are almost ideal.

METROPOLITAN TELECOMMUNICATIONS SECURITY

Clearly, telecommunications security for metropolitan civilian usage should not be installed until there is a need for it. The need in the past, undoubtedly influenced by the cost to satisfy the
need, has been minimal. Part of the reason is the ubiquitousness and complexity of the switched telephone network. So many calls are made from so many places through so many different switch connections that anyone attempting to intercept a particular call (even if he knew when to expect it), without risking being detected himself, faces real problems. The probability of inadvertent interception is extremely small. Dedicated (and therefore presumably important) links lack this natural protection; indeed, they call attention to their own importance. The telephone network is not always so protected; certain microwave links can provide easier-than-normal access, as the recent stories of possible Soviet intercept of microwave links in the Washington, D.C. area attest.

The usual metropolitan user of the telephone network is not up against dedicated interceptors, but a law enforcement agency in a large metropolitan area, confronted with organized crime, might have legitimate concerns. The perceived needs, in any case, are likely to increase in response to privacy issues now before state and federal governments.

Most of the privacy needs can be satisfied relatively easily in the telecommunications subsystem by user-encryption of data and message content. The more elaborate total encryption of addresses, routing indicators, time-date indicators, etc., is probably unnecessary and would needlessly complicate the use of a public switched network. Message content encryption might also
satisfy many of the needs of law enforcement and investigative agencies.

Judging from military tactical experience, civilian law enforcement may soon need secure voice communications, particularly with mobile units. Secure voice equipments presently available on commercial sale offer minimal protection against a dedicated interceptor. Virtually all such equipments are based on techniques invented, and circumvented, during World War II. However, better techniques might be expected based on new solid state circuit technologies.

As seen by the metropolitan telecommunications system, secure communications would consist of apparently random sequences of bits generally resembling synchronous high speed teletype or PCM voice. At rates much above 2.4 kbs, it will not be possible to determine whether the signals were originally data or voice; they will, however, have to be treated as if they were real time voice and not interruptible messages. There are two reasons for this: the signals may actually be encrypted voice, and the encryption systems in general will be sensitive to interruptions. Switching, whether circuit or packet, may have to be done with some care. Alternatively, the secure transmissions would have to be tailored to the transmission systems with more elaborate encryption and modulation schemes, an alternate which places more of a burden on the secure communications customer and less on the public switched network.

Technically and economically speaking, secure metropolitan telecommunications could appear at approximately the following times:

Pre-1980: Routine encryption of selected law enforcement and investigative agency data and messages.

1980-85: Encryption of sensitive financial and business transaction data and messages; limited encryption of voice traffic for law enforcement and military purposes; routine encryption of all data and message traffic for an expanding number of government operations.

1985-90: Routine encryption of all financial and major business transaction data and messages. Routine encryption of all law enforcement voice traffic passing over any radio link.

The principal unknown in the above predictions is a social/political one: would the public view civil government encrypted traffic as a protection of, or as a threat to, the rights of the individual?

GCN 1-1 1 1-3-75
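
The distinction drawn in the state-of-the-art section between link-by-link and end-to-end security, and the key distribution problem that comes with the latter, can be made concrete with a short simulation. This is an added example, not part of the original paper: the node names, the sample message and the HMAC-based stand-in cipher (confidentiality only, standard library, not for production use) are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (HMAC-SHA256 in counter mode); illustration only."""
    out = bytearray()
    for block in range(0, len(data), 32):
        pad = hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[block:block + 32], pad))
    return bytes(out)

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    return nonce + keystream_xor(key, nonce, plaintext)

def unseal(key: bytes, blob: bytes) -> bytes:
    return keystream_xor(key, blob[:16], blob[16:])

def link_by_link(path, link_keys, content):
    """Each hop is protected, but every intermediate node decrypts and re-encrypts."""
    seen_by_nodes = {}
    blob = seal(link_keys[(path[0], path[1])], content)
    for prev, node, nxt in zip(path, path[1:], path[2:]):
        clear = unseal(link_keys[(prev, node)], blob)
        seen_by_nodes[node] = clear            # plaintext exists inside the node
        blob = seal(link_keys[(node, nxt)], clear)
    delivered = unseal(link_keys[(path[-2], path[-1])], blob)
    return delivered, seen_by_nodes

def end_to_end(path, user_key, content):
    """Only the two users hold the key; nodes route on the cleartext address."""
    message = {"to": path[-1], "body": seal(user_key, content)}
    seen_by_nodes = {node: message["body"] for node in path[1:-1]}
    delivered = unseal(user_key, message["body"])
    return delivered, seen_by_nodes

def pairwise_keys(users: int) -> int:
    """Keys needed if every pair of users shares its own end-to-end key."""
    return users * (users - 1) // 2

if __name__ == "__main__":
    path = ["alice", "switch-1", "switch-2", "bob"]   # constructed route
    links = {(a, b): os.urandom(32) for a, b in zip(path, path[1:])}
    text = b"constructed sample message"
    print(link_by_link(path, links, text)[1])   # switches hold the plaintext
    print(end_to_end(path, os.urandom(32), text)[1])  # switches hold ciphertext
    print(pairwise_keys(1000))
```

With link-by-link protection the number of keys grows with the number of links, while pairwise end-to-end keys grow roughly with the square of the number of users, which is why the paper singles out key distribution as the technical problem.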