Subject: 040.33 Towards an Internet Security Architecture: Part II Stephen Kent, Chief Scientist, BBN Communications This is the second installment in a multi-part series addressing architectural security issues in the Internet. As noted in the first installment, policy statements about user, vendor, system administrator, and network provider responsibilities have been published (RFC 1281), as have more detailed statements about good security procedures (RFC 1244). However, these very high level and very low level approaches to security should be complemented by an architectural view of security for the Internet. This installment begins to explore security services and the mechanisms used to provide these services, using the terminology introduced in ISO 7498-2, the OSI security architecture. The security service which often comes to mind first is that of confidentiality. Data afforded confidentiality is only disclosed to authorized individuals, processes, networks, or computers. ISO 7498-2 characterizes this service as being either connection-oriented, connectionless, selective field, or traffic flow confidentiality. From a practical standpoint, connection-oriented and connectionless confidentiality are the same service, distinguished only by the communication context in which the service is offered. However, the security mechanism implementations used to for confidentiality may differ for the connection-oriented vs. connectionless service variants. In both cases, and in most instances where confidentiality is required, cryptographic techniques are the primary security mechanisms employed. Selective field confidentiality is a distinct service, applicable in the context of application protocols. It permits an application to protect from disclosure selected portions of a packet or message. An example of this form of service is often exhibited by automated teller machines (the other ATMs). A transaction message sent from an ATM to a bank computer may contain the ID of the ATM, the customer's account number, a transaction serial number, a code to identify the type of transaction (deposit, withdrawal, transfer, etc.), and parameters specific to the transaction (e.g., amount of deposit, withdrawal, or transfer). All of this data is often transmitted without benefit of confidentiality, but the customer's personal identification number (PIN) is afforded confidentiality. Traffic flow confidentiality is a service which conceals "external" characteristics of communication, such as the identity of the source and destination of the data, the size of packets, and the frequency with which packet are transmitted. These external features of traffic can reveal quite a bit about the nature of the communication. For example, observing that two competitive companies are exchanging messages might indicate that the companies are engaging in some joint project or that a merger is being explored. Very high quality traffic flow security is available for point-to-point circuits, through the use of layer 1 cryptographic techniques, or for certain types of radio networks, through the use of spread spectrum technology. In contrast, concealing traffic patterns in packet network environments requires a certain degree of trust in intermediate switches/routers. This is because of the need for the packet header information to be visible at switches. In theory one could transmit "dummy" packets of randomly varying sizes to a variety of destinations, to conceal the true traffic characteristics in a packet network. However, concerns over traffic congestion or over the cost of sending lots of packets to other than the intended destination, make these traffic flow confidentiality techniques impractical in general. Instead, if one requires this form of confidentiality in packet networks, one tends to use point-to-point traffic flow confidentiality techniques and to provide physical security for the switches. Subsequent columns will examine other security services and briefly discuss the primary security mechanisms used to effect these services.