User-Level Security on Demand in ATM Networks: A New Paradigm

Since World War II, the focus in the security community has been on cryptography that aims to protect written traffic through encoding and decoding. With the proliferation of computers and the birth of IP networks, of which the Internet is a prime example, the role of cryptography has also expanded and has continued to dominate network security. Security in the Internet assumes the form of encoding data packets through cryptographic techniques [63] [64] coupled with peer-level, end-to-end authentication mechanisms [65], such as Kerberos [66], at the transport or higher layers of the OSI model. This is necessitated by a fundamental characteristic of store-and-forward networks: that the actual intermediate nodes through which packets propagate are unknown a priori. A potential weakness of this approach may be described as follows. Conceivably, in the worldwide Internet, a data packet, though encoded, may find itself propagating through a node or a set of nodes in an insecure region of the world where it may be intercepted by a hostile unit. While there is always a finite probability, however small, that the hostile unit may successfully break the cryptographic technique, even if the coding is not compromised, the hostile unit may simply destroy the packet, thereby causing the end systems to trigger retransmissions, which, in effect, slows down the network and constitutes a performance attack. The philosophy underlying the security approach in the Internet may be traced to the end-to-end reasoning in the survey paper by Voydok and Kent [67]. They are cognizant of the need to protect the increasing quantity and value of the information being exchanged through the networks of computers, and they assume a network model in which the two ends of any data path terminate in secure areas, while the remainder may be subject to physical attack. Accordingly, cryptographic communicat ions security, i.e., link encry ption, will defeat wiretapping. Furthermore, to defeat intruders who are otherwise legitimate users of the network , authentication and access-control techniques are essential. Voydok and Kent state a crucial assumption: For successful link encryption, all intermediate nodes—packet switches and gateways—must be physically secure, and the har dware and software components must be certified to isolate the inform ation on each packet of data traffic transported through the node. The difficulty with th e assumption in today’s rapid ly expa nding, worldwide, Internet is clear. Increasingly, however, researchers are criticizing the overemphasis on cryptography and are stressing the need to focus on other, equally important, aspects of security, including denial of service and attacks aimed at performance degradation. Power [26] warns of a new kind of threat, information warfare, which consists in disabling or rendering useless the enemy’s key networks including the command and control, power grid [20], financial, and telecommunications networks. It may be pointed out that the literature of the 19708 and 1980s contains a number of references to many of the noncryptographic security concerns that had been proposed primarily for operating systems. Thompson [68] warns of the danger of compiling malicious code, deliberately or accidentally, into an operating system and labels them Trojan horses. In enumerating the basic principles for information protection, Saltzer and Schroeder [69] warn against the unauthorized denial of use and cite, as examples , the crashing of a computer, the disruption of a scheduling algorithm, and the firing of a bullet into a computer. They also propose extending the use of encipherment and decipherment beyond their usual role in communications security to authenticate users. In stating that concealment is not security, Grampp and Morris [70] reflect the reality that computer systems ought to remain open, and clever techniques must be invented to ensure information security.