Internet security can't be a secret sauce

In the early years of distributed information systems, computer security was the guard at the door of the club. The role of computer security was to welcome the trusted few, who enjoyed the run of the place once they got past the velvet rope.
Written by Peter Coffee, Contributor

Security has quite a different role in the electronic marketplace, as described here at the RSA Conference 2000 by IBM's Jim Curtin (formerly CEO of DASCOM Inc., which was acquired by IBM last September). In the context of e-commerce, Curtin asserted, security is an escort, not a bouncer: Its task is to welcome the prospective customer and to establish a relationship that's defined by specific privileges rather than blanket trust.

Markets have three functions, said IBM's Dr. Jeffrey M. Jaffe during the conference's Tuesday morning general session. Markets bring buyers and sellers into contact with each other, a function that the Internet easily and effectively performs. Markets enable transactions, providing the infrastructure needed to offer credit and make payments. These are also functions that the Internet performs fairly well today, aided by mechanisms such as SSL and the established services of credit firms such as Visa International.

Between introduction and transaction, however, is the vital intermediate step of qualification. Markets establish the qualifications of buyers and sellers to offer quality goods and services and to make prompt payment in return; these are functions that the Internet is only slowly assuming.

Auction sites such as eBay are breaking new ground in creating trust among strangers, but the real money and the real action are in raw materials and industrial goods and services, not in collectible toys, or even rare art. It's the business-to-business auction sites such as ComAuction, and non-cash trading networks such as Ubarter.com, that demonstrate what IBM's Jaffe called the third stage of the Internet's commercial development. First the Internet is used to exchange information, then it's used as a foundation for re-engineering companies, then it becomes the marketplace in which those transformed companies do business.

Beyond the boundary solution

In all but the simplest business relationships, there are areas of both cooperation and competition. It is therefore essential that businesses be able to grant selective access to their information assets, making boundary security an obsolete approach. And yet, boundary security and the all-or-nothing granting of access are the rule for much of today's Internet access based on the use of cryptographic certificates.

What's needed is trust management, not signature management, asserted AT&T Laboratories scientist Matt Blaze while moderating a Tuesday afternoon panel discussion, "Securing the Internet: When Cryptography Isn't Enough." Digital certificates, said Blaze, provide "accountability, not security."

By contrast, trust management is more like the mechanism provided in Java, in which specific actions are either authorized or not authorized for a given participant in a given context.

"Trust management unifies the notions of security policy, credentials, access control and authorization. An application that uses a trust-management system can simply ask the compliance checker whether a requested action should be allowed," explain Blaze and his co-authors in their September 1999 paper on the KeyNote trust management system.
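As an added illustration of that idea (not code from the column or from KeyNote itself), here is a simplified compliance checker in the KeyNote spirit: local policy and credentials are assertions that delegate authority under conditions, and the application asks one question per requested action. The principals, amounts and the "procurement" scenario are constructed for the example, and credential signatures are assumed to have been verified already.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# Added example modelled on the KeyNote ideas quoted above (policy, credentials,
# one compliance check per action). Not KeyNote's own syntax or code; signatures
# on credentials are assumed to have been verified before they reach the checker.

Action = Dict[str, object]  # the "action environment": attributes of the request
POLICY = "POLICY"           # the local trust root

@dataclass
class Assertion:
    authorizer: str                      # principal issuing it; POLICY for local policy
    licensees: List[str]                 # principals granted authority
    condition: Callable[[Action], bool]  # must hold on the requested action

def compliance_check(assertions: List[Assertion], requester: str, action: Action) -> bool:
    """Answer the application's question: may `requester` perform `action`?

    Authorized only if a chain of assertions leads from POLICY to the requester
    and every assertion on the chain is satisfied by the action, so delegation
    can narrow authority but never widen it.
    """
    trusted = {POLICY}
    changed = True
    while changed:               # propagate trust along the delegation chain
        changed = False
        for a in assertions:
            if a.authorizer in trusted and a.condition(action):
                newly = set(a.licensees) - trusted
                if newly:
                    trusted |= newly
                    changed = True
    return requester in trusted

# Constructed scenario: policy trusts a supplier CA for procurement orders up to
# 10,000; the CA delegates to one buyer only up to 5,000, and to another with a
# limit above its own, which POLICY's condition still caps.
ASSERTIONS = [
    Assertion(POLICY, ["supplier-ca"],
              lambda act: act.get("app") == "procurement" and act.get("amount", 0) <= 10_000),
    Assertion("supplier-ca", ["acme-buyer"],
              lambda act: act.get("app") == "procurement" and act.get("amount", 0) <= 5_000),
    Assertion("supplier-ca", ["big-buyer"], lambda act: act.get("amount", 0) <= 50_000),
]

def ask(requester: str, amount: int) -> bool:
    """Ask the checker about one procurement request for `amount`."""
    return compliance_check(ASSERTIONS, requester, {"app": "procurement", "amount": amount})
```

A requester with no chain from POLICY is denied outright, and a credential that claims more than the policy allows still yields only what the policy's own condition permits.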

Security can't permit secrets

It may seem a paradox, but one of the vital elements of security is the absence of secrecy. By this I mean that open access to algorithms, and to the source code that implements those algorithms, is essential if anyone is to rely on the Internet to be a safe forum for business.

Excessive confidence in security systems has been a continuing theme throughout the history of modern cryptography, with notable examples including the Enigma machine that was trusted too completely by German forces during World War II. (A well-preserved Enigma was on view at the RSA Conference as part of an exhibit loaned by the National Cryptologic Museum that's maintained by the National Security Agency in Fort Meade, Maryland.)

It's therefore a tenet of modern cryptographic practice that no algorithm can be trusted unless it's been exposed to expert scrutiny. This also applies to the products that embed those algorithms. "We found a DES product, embedded in an application, with an effective key length of only 9 bits," said security guru Peter Neumann during the afternoon panel discussion. "Design is no protection against improper implementation," agreed co-panelist Jeff Schiller of MIT.

But implementation errors seem to go hand in hand with the growing complexity that characterizes new operating systems such as Microsoft's Windows 2000, according to panelist Bruce Schneier of Counterpane Internet Security Inc. Windows NT, estimated Schneier, reveals about one new security bug per week in its roughly 16 million lines of code. With Windows 2000 massing more like 40 million lines of code, said Schneier, "the odds of Windows 2000 being more secure than Windows NT 4.0 are roughly zero."

In such an environment, there's a lot to be said for systems that are based on the simplest possible ideas. Whale Communications avoids many modes of attack by using an "air gap" approach that shuttles data back and forth between the public network and the local system, without ever connecting the two in any way that could expose sensitive information assets.

Intel offloads the processing of computationally intensive security algorithms to its PRO/100 S network adapters, announced on Tuesday at the RSA conference: the reduction in CPU workload is dramatic when a streaming video transfer, with triple-DES encryption, is shifted to the dedicated security hardware rather than being borne by the server CPU.

But modular architectures, open algorithms, and open implementations for security products and subsystems are not enough. Only open source code for enterprise platforms can leave security bugs with no place to hide.

It requires no small effort to educate managers on this point, but open source should ultimately increase enterprise confidence in the readiness of information technology to take on tomorrow's e-market roles.

Is open source an open and shut case? Write me at peter_coffee@zd.com. Off the Cuff, an online exclusive column, appears Monday, Wednesday and Friday.