On Distributed Communications Series
IX. Security, Secrecy, and Tamper-Free Considerations
One key difference between a civilian and a military communications system is the provision made in the latter for the preservation of secrecy and for immunity from destructive tampering. These considerations are most effectively integrated into a network as an integral part of the switching mechanism, rather than in the form of "black boxes" tacked on as an afterthought. This Memorandum is an examination of the proposed Distributed Adaptive Message Block Network's use of this integrated design approach to the problem of providing cryptographic security.
It is acknowledged that the approach represents a departure from conventional practices, which have traditionally maintained a separation between the design of the communications network itself (which is most often a slight modification of a system originally designed for civilian use) and the design and implementation of cryptographic safeguards. The stated rationale is that recent major advances in digital computer technology now make it technically feasible and economically desirable to consider a system designed primarily with military applications in mind, and which from the outset of design is cognizant of cryptographic requirements.
As a prelude to the proposal, however, the view is expressed that if one cannot safely describe a proposed system in the unclassified literature, then, by definition, it is not sufficiently secure to be used with confidence. A totally secure system design requires a full understanding of the problem by everyone involved with every part of the system--even those who would not normally hold any security clearance.
As applied to the proposed distributed network system, the specified integrated design would include various combinations of:
- End-to-end cryptography;
- Link-by-link cryptography;
- Use of automatic error-detection and repeat transmission (allowing use of more powerful cryptographic transformations);
- Transmission of successive Message Blocks by ever changing paths;
- Use of a cryptographic scheme which requires complete and correct reception of all previous traffic in a conversation in order to decrypt subsequent Message Blocks, and which suppresses silence periods in voice and data transmission;
- An initial system design which assumes potential infiltration by enemy agents having access to portions of the system and the cryptographic key;
- Use of key bases split into separate parts and delivered by two or more individuals;
- Non-acceptance of a Message Block for processing (and non-advancement of the crypto synchronization count) until preliminary filtering tests for validity of source and timing have been accomplished;
- Use of an essentially new key for each separate conversation (permitting intermingling of classified and unclassified traffic without fear of security compromises);
- Encouraging heavy use of the system for unclassified traffic, and the processing of all traffic as if it were of the highest secrecy level (perhaps even to the extent of intentionally adding fraudulent traffic between fictitious subscribers).
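Two of the items above, decryption that depends on correct reception of all previous traffic and refusal to advance the crypto synchronization count until a block passes preliminary filtering, can be sketched together. This is an added illustration, not code or a construction from the Memorandum; HMAC-SHA-256, the toy keystream, the `Endpoint` class, and the mapping of the "source" test to a MAC and the "timing" test to the expected count are all assumptions.

```python
import hashlib
import hmac


def _prf(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, length: int) -> bytes:
    # Toy counter-mode stream built from HMAC-SHA-256 (assumption, illustration only).
    out, ctr = b"", 0
    while len(out) < length:
        out += _prf(key, b"ks" + ctr.to_bytes(4, "big"))
        ctr += 1
    return out[:length]


class Endpoint:
    """One end of a conversation; both ends start from the same per-conversation key."""

    def __init__(self, conversation_key: bytes):
        self.chain = conversation_key  # folds in every accepted ciphertext block
        self.count = 0                 # crypto synchronization count

    def _advance(self, ct: bytes) -> None:
        # The next block's keys depend on all traffic accepted so far.
        self.chain = _prf(self.chain, b"next" + ct)
        self.count += 1

    def _tag(self, seq: int, ct: bytes) -> bytes:
        return _prf(_prf(self.chain, b"mac"), seq.to_bytes(8, "big") + ct)

    def send(self, plaintext: bytes):
        ks = _keystream(_prf(self.chain, b"enc"), len(plaintext))
        ct = bytes(p ^ k for p, k in zip(plaintext, ks))
        block = (self.count, ct, self._tag(self.count, ct))
        self._advance(ct)
        return block

    def receive(self, block):
        seq, ct, tag = block
        # Preliminary filter: timing (expected count) and source (MAC under chain state).
        if seq != self.count or not hmac.compare_digest(tag, self._tag(seq, ct)):
            return None  # rejected: chain state and count are left untouched
        ks = _keystream(_prf(self.chain, b"enc"), len(ct))
        self._advance(ct)
        return bytes(c ^ k for c, k in zip(ct, ks))
```

A forged or out-of-order block is dropped without moving the receiver's state, so injected traffic cannot desynchronize the conversation, while a receiver that missed any earlier block cannot validate or decrypt later ones.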