Security and the Internet (circa 1980-1990) Dr. Stephen Kent Chief Scientist- Information Security BBN Technologies
Popular Misconceptions re Security
• No thought given to security in the design of the Internet
• Kerberos was the first network security system to use a key distribution center
• PGP was the first secure e-mail protocol
• It’s all about passwords, …
• Adding security mechanisms to a system will make the system more secure

DoD Internet Security Assumptions
• “Man in the middle” attacks are real
• Trojan Horse attacks are real
• Encrypt, authenticate, and integrity protect traffic from source to destination whenever possible
• Rely on cryptographic key management technology to securely identify peer entities
• Label traffic based on sensitivity
• Use trusted operating systems, but require inline crypto devices for COMSEC
Your Taxpayer Dollars at Work?
• BCR (1976-81): encrypted TCP connections using DES, KDC, central access controller
• Fig Leaf (early 80s): fast BCRs, at IP layer
• BLACKER (1981-90): BCR with high grade crypto, A1 assurance
• CANEWARE (1983-95?): BLACKER public key management, B2 assurance
• IPLI (1983-86): high grade, secure IP, for tactical environments (backup for BLACKER)
• SDNS (1987-91): SP3, SP4, MSP

Shortcomings of the DoD Model
• No cryptographic support for applications
• No Internet infrastructure security
  • DNS
  • routing protocols
  • network management protocols
• Not much thought about denial of service
• Secure operating systems were not deployed
• Inline crypto hardware too expensive, especially because end systems are so cheap
IETF Security Work (in the 80s)
• Privacy Enhanced Mail (PEM):
  • RFC 989 (2/87), RFC 1040 (1/88), RFCs 1113/4 (8/89)
  • produced by the Privacy Task Force, not an IETF WG
  • the first Internet secure e-mail standard, soon followed by the first PKI standard
  • not widely deployed, but served as the foundation for later systems (S/MIME, MSP, Defense Message System PKI, …)
• IP Security Option (IPSO)
  • RFC 1038 (1/88)
  • in draft form at this stage, later standardized in RFC 1108
  • not of much general interest, mostly for BLACKER and CMWs
  • produced by a DoD employee
• No security WGs!
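The "label traffic based on sensitivity" assumption and the IP Security Option slide refer to the same mechanism: the IP Basic Security Option that RFC 1108 later standardized. As an added example (not code from the talk), the following encodes and decodes that option and checks a datagram's label against an interface's accreditation range; the level and flag codes are those published in RFC 1108, while the accreditation range and required-authority policy passed to accept_on_interface are constructed for illustration.

```python
# IP Basic Security Option (RFC 1108, option type 130):
#   type | length | classification level | protection authority flags...
# A receiving host or gateway must reject a datagram whose label is
# malformed or outside the interface's accreditation range; a bad or
# missing label must never be treated as "unclassified".

OPTION_TYPE = 130
# Classification level codes from RFC 1108 (chosen for Hamming distance).
LEVELS = {0x3D: "Top Secret", 0x5A: "Secret", 0x96: "Confidential", 0xAB: "Unclassified"}
RANK = {0xAB: 0, 0x96: 1, 0x5A: 2, 0x3D: 3}
# Protection authority bits in the first flags octet (RFC 1108). The low
# bit (0x01) of every flags octet is the field termination indicator:
# 1 means another flags octet follows, 0 means this is the last one.
AUTHORITY = {0x80: "GENSER", 0x40: "SIOP-ESI", 0x20: "SCI", 0x10: "NSA", 0x08: "DOE"}

def encode_bso(level: int, authorities: set) -> bytes:
    """Build an option with one flags octet (FTI = 0)."""
    if level not in LEVELS:
        raise ValueError("unknown classification level")
    flags = sum(bit for bit, name in AUTHORITY.items() if name in authorities)
    return bytes([OPTION_TYPE, 4, level, flags])

def decode_bso(opt: bytes) -> tuple:
    """Return (level code, set of authority names); raise on any defect."""
    if len(opt) < 4 or opt[0] != OPTION_TYPE or opt[1] != len(opt):
        raise ValueError("malformed basic security option")
    level = opt[2]
    if level not in LEVELS:
        raise ValueError("reserved or invalid classification level")
    names = {name for bit, name in AUTHORITY.items() if opt[3] & bit}
    i = 3  # walk the flags field using the termination indicator
    while opt[i] & 0x01:
        i += 1
        if i >= len(opt):
            raise ValueError("flags field continues past end of option")
    if i != len(opt) - 1:
        raise ValueError("trailing bytes after final flags octet")
    return level, names

def is_valid_bso(opt: bytes) -> bool:
    try:
        decode_bso(opt)
        return True
    except ValueError:
        return False

def accept_on_interface(opt: bytes, low: int, high: int, required: frozenset = frozenset()) -> bool:
    """Constructed policy: accept only if the level lies in [low, high] and the
    label carries every protection authority the interface requires."""
    level, names = decode_bso(opt)
    return RANK[low] <= RANK[level] <= RANK[high] and required <= names
```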
Summary
• The DoD was an early adopter of TCP/IP and did have a model for high quality security, but that model was not widely known, did not anticipate some important security issues, and was too costly for most users to implement
• Market problems
  • The commercial Internet was just beginning to develop, e.g., no e-commerce, and thus no significant demand
  • The academic Internet community did not place a high priority on security
  • No IETF security WGs, just the Privacy Task Force