C.9 Security and Privacy Technologies
Principal Authors:
Whitfield Diffie and David Gifford
Additional Contributors:
Martin Abadi, Michael F. Angelo, Stephen D. Crocker, Alan Crosswell, Robert
S. Dixon, A. Frederick Fath, Joan Feigenbaum, S. J. Hyduk, Butler W. Lampson,
Susan Landau, Elizabeth Lee, Chuck McManis, B. Clifford Neuman, David Peyton,
Randy Rettberg, Tom Rhyne, Ron Rivest, Daniel Schutzer, Marvin Sirbu, Kent
Stewart, Jay M. Tenenbaum, Doug Tygar and Peter J. Weinberger
1. Introduction
The role of computers in everyday life does not yet compare with that of food,
clothing, housing or transportation, but this is changing rapidly. Computers
will soon be present in all complex human artifacts and will mediate most
interactions between individuals and the world around them. The National
Information Infrastructure will become the fabric of daily life. The society it
creates must be free in order to prosper. Thus, the NII must support commercial
and social activity in the same way that the physical infrastructure now
supports them.
Security, privacy and authentication of information within the NII are
essential in order for the NII to gain widespread acceptance and use in health
care, education, government, electronic commerce, and personal or social
applications. Developing security and authentication for the NII is a
challenging research problem because its novel applications and unprecedented
scale present security requirements not addressed by previous work.
The research agenda described below includes problems that must be solved
before large-scale adoption of NII technology should be seriously contemplated.
The best way to address these problems is by building prototype NII systems
that incorporate mechanisms for security and electronic commerce. Experience
with these systems will show us the limitations of existing technologies and
guide us in developing new ones.
We do not directly address policy issues. However, both providers and consumers
of NII services will need a clear understanding of their rights,
responsibilities and liabilities. Policy issues must be clarified as early as
possible so that appropriate security and privacy mechanisms can be developed.
Such issues include liability limitation, the right of individuals and
organizations to protect their privacy, and the right to examine and correct
personal information in organizational files. They also include development of
a suitable security infrastructure and export regulations for NII security
technology. One thing stands out above all others: The information economy is
relentlessly global and no nation can successfully isolate itself from
international competition. The network we build will have to be interoperable
with those of other nations.
2. Technical Challenges
Security concerns vary widely among the NII's many constituencies, making NII
security requirements quite different from those of previous systems. Thus,
although past government and commercial systems have developed useful
components, the NII presents a largely unsolved security problem.
Examples of the diverse constituencies that make the NII security problem
unique are:
- Individuals: Individuals will use the NII for shopping,
entertainment, and personal and professional communication. The NII needs
mechanisms not only for protecting the information people store or communicate,
but for protecting their privacy against the inferences that can be made from
their buying habits and other behaviors.
- Merchants: Merchants will use the NII for commerce by advertising
and selling goods over the network. They will need assurance that NII payments
are not fraudulent and will want sales figures and other business information
to be protected from competitors.
- Schools: Schools, from kindergarten to college, will use the NII
for education by receiving "courseware" via the NII and using teleconferencing
capabilities for teaching. The privacy of student records and communications
will need to be preserved and the timely delivery and return of broadcast
examinations will be required.
- Medical facilities: Medical applications of the NII range from
streamlining medical administration to telemedicine. Health care providers,
facilities and patients will require a sophisticated security system that
permits flexible access to information without compromising patient privacy.
- Financial institutions: New digital banks will evolve on the NII,
offering a wide selection of financial products, services and instruments. The
NII must provide security adequate to allow both individuals and corporations
to bank electronically.
The unique security problems of the NII grow out of the scope of the project,
which will, of necessity, consist of many independent, interconnected networks.
Unlike any existing system, the NII must be scalable to include almost every
person and computer in the country. Security in the NII will be complex, in
part because it will be implemented by a wide variety of equipment and service
providers, whose implementations must work with one another. Users will own
much of the information they create on the NII and must have mechanisms for
controlling its disposition. Because NII users will place varying values on
security, security measures must be adaptable to suit diverse budgets and
preferences. Because these users will not be experts, the security systems must
be easy to use.
In contrast to closed systems, many transactions on the NII will be with
unfamiliar people and services reached via public networks. The security
mechanisms must make up for the distrust such unfamiliarity occasions.
Electronic commerce, a subject not yet well understood by the security research
community, must be universally accessible to both buyers and sellers. Adequate
base-level security will be necessary to reduce the need for corporate
firewalls and other impediments to full connectivity. Finally, the NII will
have to function within an International Information Infrastructure and
security must extend across national borders.
Although many useful security mechanisms are already well developed, the NII is
unique in the variety of security technologies it will have to integrate and
the variety of security policies it will have to support. Experimental trials
on realistic scales are critical to the creation of adequate NII security
technologies.
Privacy, authentication and other forms of security are system-level attributes
that require many elements to work together. Here the word "system" encompasses
not only hardware and software, but the procedures followed by developers,
managers and users. The distributed authority base of the NII will mean that
users must often be coaxed rather than coerced to adhere to good security
practices. It is well known that merely providing good security components does
not guarantee that individuals or organizations will combine these into secure
systems. (A security system depending on smart cards and passwords, for
example, may fail if users write their passwords on their smart cards.) In
fields such as aviation and nuclear power, the same attention is paid to
operator training and safety procedures as to the design of equipment.
Similarly, research on security and privacy must go beyond research on hardware
and software. Social and organizational research will be needed to learn how to
build organizations that can maintain system-level security. Research in human
engineering will be needed to make security sufficiently unobtrusive that users
will not ignore good security practices.
3. A Tactical Plan for NII Security
If past experience with security technology is any guide, the widespread
deployment and use of suitable NII security technologies will be at least as
hard as creating the proper technology base. We recommend that pilot projects
produce secure versions of popular Internet applications to create a library of
components that can be used in other contexts. These pilot projects will
explore different technology approaches in the context of important
applications and will serve as a way of developing appropriate technologies,
testing those technologies and getting them into the hands of the users.
The following results can be expected within the estimated time frames:
- Two years: Secure pilot versions of popular Internet applications
such as Mosaic; access control to information servers; wider use of secure
mail; interorganization authentication systems for creating secure channels
between computers; retail electronic payment; and initial security
architecture.
- Five years: Flexible security primitives to allow customization of
security to new applications; secure prototype applications in use by a
substantial fraction of the NII user population; security management;
widespread use of tamper-resistant devices for user identification;
intellectual-property protection systems; wholesale business-to-business
electronic payment; and refined security architecture.
- Ten years: Very easy-to-use security facilities; limitation of
authority; well-understood threat models; anonymity; electronic contracts and
escrow systems; standardization of NII security architecture beyond the
Internet to other NII communication systems such as interactive TV; certified
secure systems; and protection from malicious code.
4. Research and Development Recommendations
The following recommendations for research are specifically directed to areas
critical to the security of the NII and its capacity for electronic commerce
that we do not expect to be addressed by other research programs. Within each
area, issues are listed in approximate order of importance.
4.1 Systemwide Issues
- Prototypes: The NII requires integration of an unprecedented number
of security technologies so that it can be used by a wide variety of
applications. Research on integration of capabilities such as authentication,
authorization and payment must be carried out in prototype systems, running in
environments that pose real threats. These prototypes can be used to develop
and debug new technologies for the necessary security and electronic-commerce
components of the NII, including intellectual-property management tools. The
prototypes may include fundamental applications such as electronic mail,
collaborative technologies such as file sharing and whiteboards, and network
information-access tools such as Mosaic.
- Security architecture: Recognizing that multiple security policies
must be supported, the NII needs a well-specified architectural methodology
capable of describing how security components can be combined in a modular way
that facilitates risk assessment. The architecture will need to provide for
both mandatory and discretionary security, financial facilities and audit
mechanisms. It must be extensible to grow with the expansion of NII services
and capabilities.
- Security management: Distribution of authority in the NII will make
security management entirely different from that within a more unified network.
Mechanisms must be developed to translate negotiations among various
authorities into joint security policies.
- Ease of use: Special attention must be given to developing
representations of security policies that permit non-expert users to
communicate day-to-day security decisions (such as drawing up a distribution
list for a document) to the programs and machines that must carry them out.
Analogs of familiar time-tested security procedures should be carried over into
the electronic world wherever possible. For the user, security should be mostly
automatic, requiring explicit action only in cases, such as signing, that
would be meaningless without the user's conscious agreement.
- Security assurance for users, vendors and regulators: We must
develop technical and social mechanisms that allow all of the NII's
constituencies to be confident that the system is free of accidental or
intentional security defects. There must be continuing, publicly accessible
evaluation of the technology, design procedures and resulting designs,
preferably without losing the commercial benefits of incorporating proprietary
components. Periodic recertification is essential because both the system and
the threats will evolve. At present, independent auditors, authorized
professional attack teams and formal methods all play a valuable role, but fall
far short of an adequate solution.
- Protected execution of untrusted code: We need to have protected
execution environments for untrusted software or active agents that can detect
or prevent attempts to interfere with host environments (e.g., through viruses
and Trojan horses).
- Threat models: We need to develop constantly evolving models of
attacks on systems. These models must be able to draw on published experience
with actual attacks, much as aeronautical engineers can draw on official
reports of airline crash investigations.
- Failure confinement and recovery procedures: Every precaution must
be taken to ensure that contagious failures, such as those that have
occasionally hit both the power grid and the telephone system, do not cause
catastrophic failures of the NII.
- Detection (through auditing) and prevention of frauds and other abuses:
We need to develop auditing techniques that can locate the malfeasant
without violating the privacy of honest users.
- Tamper-resistant devices capable of protecting secret keys in smart
cards and other network components: This technology must be affordable and
will need to evolve over time. Multiple generations of its products must
therefore be interoperable.
4.2 Core Security Services
- Authentication: We need techniques for authenticating principals in
the network--including people, machines and agents acting in specific
roles--that are scalable to billions of identities. These will require a
combination of smart cards and other tamper-resistant devices for
authentication with the deployment of certification authorities and certificate
management facilities.
- Confidentiality: We need technologies for preventing the disclosure
of information during communication or storage, including cryptosystems capable
of gigabit- to terabit-per-second data rates.
- Key executors: We need techniques, such as secret sharing, that
prevent the loss of encrypted data if something happens to the primary holders
of keys but also offer good assurance that the data will not be disclosed in
violation of the owner's wishes. Such mechanisms will be required for any
large-scale encryption of data for storage.
- Authorization: We need scalable techniques for controlling access
to privileges and resources on the basis of identity, capabilities or payment.
These include access control lists, authorization servers, revocation lists,
delegation of authority between principals and authorization techniques for
mobile systems.
- Primitives: We need a set of security primitives that can be used
by application programmers and is comprehensive enough for NII applications,
including commerce. These primitives must be simple enough that application
programmers, who are not security experts, can be educated in the combination
of formal methods and art needed to build secure applications using
standardized primitives.
- Infrastructure protection: We need security measures to solve
problems not solvable by end users. These include configuration control and
prevention of unauthorized modification, tamper-proof routing protocols,
protection against denial of service, physical protection of switches and
communication circuits, and protection against unauthorized traffic analysis.
- Anonymity: We need techniques to support anonymous access to
appropriate NII services to protect user privacy.
- Metrics and evaluation: We need tools to measure the utilization
and effectiveness of security mechanisms.
- Roles and limitation of authority: We need techniques for
self-imposed limitation of authority, by using roles in communication and
commerce to impose transaction caps and limits that prevent users from entering
into unwanted agreements.
4.3 Applications and Electronic Commerce
- Electronic payments: Research is needed into electronic payment
systems that simultaneously address credit risk, fraud risk, and the need for
various levels of anonymity, privacy and accountability. To be commercially
viable, these systems must link to such existing distributed payment mechanisms
as credit cards and electronic funds transfer. Research issues include how to
provide security commensurate with financial exposure, keep costs low enough to
make the system usable for low-value transactions and handle very large
transaction volumes. Research is needed on ways to make the payment system
integrate easily with applications. Accountability requires research into
mechanisms for receipts and non-repudiation. Research is needed into fraud
detection as well as fraud prevention. Technical, social-science and policy
research is also needed to understand how to balance privacy with fraud
detection.
- Intellectual property: Research is needed on ways to tag components
of compound objects with information describing the owner of the intellectual
property and the terms and conditions under which the property can be
disseminated. This may include separate tags in a multimedia document for
audio, image or the arrangement as a whole. These tags will facilitate
voluntary payment of royalties and in principle can be brought into use very
quickly. These terms should be in a standard form to facilitate automatic
handling by a wide variety of applications. Research is needed on technical
means of enforcing licensing or copying restrictions. Such mechanisms appear
easier for executables than for movies or text, which can be copied from the
bus or even the display.
- Electronic contracts and information escrow: New technology is
needed to represent contracts and information-escrow conditions in order to
facilitate use of the NII for contracting. Mechanisms are needed for embedding
contract terms in an application. Mechanisms are needed for detecting violation
of contracts or escrow conditions and, finally, mechanisms are needed for
enforcing contract conditions. Economic and policy research must determine how
to handle liability for failure of software agents or damage done by those
agents to other people's information systems.
- Transactional security: We must discover how to incorporate
existing knowledge about achieving atomicity, concurrency, idempotency and
durability in electronic-commerce transactions. Such integration has
implications for record keeping and privacy that need to be explored.
- Time-sensitive information: Research is required on time-critical
transactions, the varying value of information over time and mechanisms to
equalize time delays where fairness requires simultaneous transactions.
- Biometrics: Research is needed on biometric identification (and
counter-biometric measures) to provide inexpensive devices, such as electronic
wallets, whose loss need not result in compromise.