{"title":"Securing Networks: End-to-End Encryption vs. Link Encryption and Trusted Systems","authors":"W. Diffie","doi":"10.1109/SP.1983.10021","DOIUrl":null,"url":null,"abstract":"Today, two components are prominent in the technology of communication network security: cryptography and trusted systems. Reflection on the roles of these two components shows that both are essential, that some element of each must occur in any secure network. At the same time, there is an element of competition and some network designs treat encryption as primary, supported by only the minimum of trusted software, while others take the opposite course. At one extreme, a network can employ end-to-end encryption as its primary security mechanism. In such a network, two users in secure contact rely on their exclusive possession of a common key to guarantee that their messages cannot be understood or imitated by others, regardless of whether intervening components of the network perform correctly or not. Here, trusted systems are limited to the role in which they cannot be avoided: decisions on how keys are to be distributed. At the other extreme, a network can employ cryptography only to create the appearance of overall physical security. Link encryption is used to protect the exposed communication paths and for no other purpose. The problem is reduced to that of designing a multi-level secure operating system; the fact that it may span continents is concealed. In arguing for the cryptographic approach, one could point out that trusted system technology is new and its products are prone to the performance and cost problems common with new technologies. They would say that cryptography, by comparison, is a well-developed art. The trusted system people, on the other hand, would assert that cryptography is inflexible and cannot adequately support the complex security policies required. 
Despite the value of many of these implementation arguments, the actual distinction lies more in the network builders' notions of trust and authority. The user of a system that relies primarily on trusted system technology may be extremely well protected from opponents outside the network, but can have no true security from the network builders and administrators. This sense of security is perhaps best suited to users who are employees and act within a hierarchical authority structure. The user of an end-to-end encrypted network, on the other hand, can be very certain that his traffic is protected from everyone except the person he is conversing with. This situation is more closely aligned with our notions of a user who is part of a voluntary association. 136 CH18S2-O/83/0000/0136$01 .00@ 1983 IEEE","PeriodicalId":236986,"journal":{"name":"1983 IEEE Symposium on Security and Privacy","volume":"1 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"1983-04-25","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"1983 IEEE Symposium on Security and Privacy","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/SP.1983.10021","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citation count: 0