C.9 Security and Privacy Technologies

Principal Authors:

Whitfield Diffie and David Gifford

Additional Contributors:

Martin Abadi, Michael F. Angelo, Stephen D. Crocker, Alan Crosswell, Robert S. Dixon, A. Frederick Fath, Joan Feigenbaum, S. J. Hyduk, Butler W. Lampson, Susan Landau, Elizabeth Lee, Chuck McManis, B. Clifford Neuman, David Peyton, Randy Rettberg, Tom Rhyne, Ron Rivest, Daniel Schutzer, Marvin Sirbu, Kent Stewart, Jay M. Tenenbaum, Doug Tygar and Peter J. Weinberger


1. Introduction

The role of computers in everyday life does not yet compare with that of food, clothing, housing or transportation, but this is changing rapidly. Computers will soon be present in all complex human artifacts and will mediate most interactions between individuals and the world around them. The National Information Infrastructure will become the fabric of daily life. The society it creates must be free in order to prosper. Thus, the NII must support commercial and social activities in the same way that the physical infrastructure now supports them.

Security, privacy and authentication of information within the NII are essential in order for the NII to gain widespread acceptance and use in health care, education, government, electronic commerce, and personal or social applications. Developing security and authentication for the NII is a challenging research problem because its novel applications and unprecedented scale present security requirements not addressed by previous work.

The research agenda described below includes problems that must be solved before large-scale adoption of NII technology should be seriously contemplated. The best way to address these problems is by building prototype NII systems that incorporate mechanisms for security and electronic commerce. Experience with these systems will show us the limitations of existing technologies and guide us in developing new ones.

We do not directly address policy issues. However, both providers and consumers of NII services will need a clear understanding of their rights, responsibilities and liabilities. Policy issues must be clarified as early as possible so that appropriate security and privacy mechanisms can be developed. Such issues include liability limitation, the right of individuals and organizations to protect their privacy, and the right to examine and correct personal information in organizational files. They also include development of a suitable security infrastructure and export regulations for NII security technology. One thing stands out above all others: The information economy is relentlessly global and no nation can successfully isolate itself from international competition. The network we build will have to be interoperable with those of other nations.

2. Technical Challenges

Security concerns vary widely among the NII's many constituencies, making NII security requirements quite different from those of previous systems. Thus, although past government and commercial systems have developed useful components, the NII presents a largely unsolved security problem.

Examples of the diverse constituencies that make the NII security problem unique are:

The unique security problems of the NII grow out of the scope of the project, which will, of necessity, consist of many independent, interconnected networks. Unlike any existing system, the NII must be scalable to include almost every person and computer in the country. Security in the NII will be complex, in part because it will be implemented by a wide variety of equipment and service providers, whose implementations must work with one another. Users will own much of the information they create on the NII and must have mechanisms for controlling its disposition. Because NII users will place varying values on security, security measures must be adaptable to suit diverse budgets and preferences. Because these users will not be experts, the security systems must be easy to use.

In contrast to closed systems, many transactions on the NII will be with unfamiliar people and services reached via public networks. The security mechanisms must make up for the distrust such unfamiliarity occasions. Electronic commerce, a subject not yet well understood by the security research community, must be universally accessible to both buyers and sellers. Adequate base-level security will be necessary to reduce the need for corporate firewalls and other impediments to full connectivity. Finally, the NII will have to function within an International Information Infrastructure, and security must extend across national borders.

Although many useful security mechanisms are already well developed, the NII is unique in the variety of security technologies it will have to integrate and the variety of security policies it will have to support. Experimental trials on realistic scales are critical to the creation of adequate NII security technologies.

Privacy, authentication and other forms of security are system-level attributes that require many elements to work together. Here the word "system" encompasses not only hardware and software, but the procedures followed by developers, managers and users. The distributed authority base of the NII will mean that users must often be coaxed rather than coerced to adhere to good security practices. It is well known that merely providing good security components does not guarantee that individuals or organizations will combine these into secure systems. (A security system depending on smart cards and passwords, for example, may fail if users write their passwords on their smart cards.) In fields such as aviation and nuclear power, the same attention is paid to operator training and safety procedures as to the design of equipment. Similarly, research on security and privacy must go beyond research on hardware and software. Social and organizational research will be needed to learn how to build organizations that can maintain system-level security. Research in human engineering will be needed to make security sufficiently unobtrusive that users will not ignore good security practices.

3. A Tactical Plan for NII Security

If past experience with security technology is any guide, the widespread deployment and use of suitable NII security technologies will be at least as hard as creating the proper technology base. We recommend that pilot projects produce secure versions of popular Internet applications to create a library of components that can be used in other contexts. These pilot projects will explore different technology approaches in the context of important applications and will serve as a way of developing appropriate technologies, testing those technologies and getting them into the hands of the users.

The following results can be expected within the estimated time frames:

4. Research and Development Recommendations

The following recommendations for research are specifically directed to areas critical to the security of the NII and its capacity for electronic commerce that we do not expect to be addressed by other research programs. Within each area, issues are listed in approximate order of importance.

4.1 Systemwide Issues

4.2 Core Security Services

4.3 Applications and Electronic Commerce