Inferno Security


Harvey Bernard
(hbb@lucent.com)
Lucent Technologies
Bell Labs Innovations
600 Mountain Ave.
Murray Hill, NJ 07974

Summary

Inferno is a network operating system that provides a software infrastructure for distributed, network applications. Inferno allows any application, written in the Limbo programming language, to run across multiple platforms and networks under the Dis virtual machine. Inferno provides an elegant file-like interface to resources and services that allows the dynamic construction of a user name space. An Inferno application can access the resources and services in its name space even though they may be distributed throughout the network. The Styx component of Inferno provides transparent comunications over a variety of networks with strong security capabilities built in.

The Inferno team has not devised a new encryption algorithm or protocol. Existing cryptographic techniques are more than adequate. What the Inferno team has done is designed algorithms and protocols into an operating system in such a way as to provide a high degree of security, make them easily accessible to application programs, make them work across networks, and make them easy to replace or modify as requirements change.



Why We Need Security

There is an increasing desire to protect information. Today with networking, companies and individuals need to protect proprietary information and communications, business-critical transactions, and electronic commerce. They need to secure personal and company business via e-mail, prevent viruses from infecting their systems, and identify who is accessing network services. Furthermore, they need to perform these functions across heterogeneous networks. When information and communications are compromised, the losses are significant and the impact potentially disastrous.

Levels of Security

Inferno enforces security in a number of important ways. Functions such as the security routines described in this paper as well as device drivers are built into the system so that they cannot be "spoofed" or replaced by other routines. Namespaces, one of the key features of Inferno, can be used to restrict access to network resources, making visible only the resources an application needs. In a hosted environment, Inferno can use the security features of the host operating system, including file permissions, to control access.

In addition to these features, Inferno incorporates the latest cryptographic techniques into built-in security routines and an API. This paper describes these routines and how they are used to implement security. For licensing and export reasons, some of the algorithms mentioned in this paper are not included in the Web release. These algorithms, including DES-ECB and DES-CBC, can be ordered separately.

The security routines of Inferno make it easy to provide any one or all of the following types of security:

Mutual authentication means that two users or applications that want to communicate can establish that they are who they say they are. This is the most basic level of security provided by Inferno. It means, for example, that when someone signs on to a service provider that he or she can be established as a legitimate user. This user could be someone accessing a service from a desktop computer, a set-top box, or a hand-held device.

Message digesting is a technique to ensure that an interloper cannot modify messages sent between users. This is especially important in financial transactions.

Inferno combines digesting with digital signatures to provide undeniable transactions, which prevent someone, for example, from claiming that it was really someone else who requested a withdrawal from their bank account. Like signing a letter, a digital signature testifies to the identity of the sender. Fortunately, it is much harder to forge a digital signature.

Encryption protects the confidentiality of messages so that only the party or parties for whom the messages are intended can decrypt and read them.

Mutual Authentication

Authentication requires a combination of elements: a third party that each user can trust, an algorithm or mathematical method to secure messages between users, and a protocol for exchanging messages that ensures that an intruder cannot pretend to be one of the users, or use some other method to undermine their communication.

After users are authenticated to each other, it is possible for someone listening in on the line to eavesdrop and even modify the communication without the users knowing it. So authentication solves one security requirement, but not all of them.

Message Digesting

Message digesting uses a mathematical hashing algorithm to take a message and digest it into an indecipherable string of fixed length, so that every message is digested to the same size. Inferno includes a counter as well as a secret key known only to the communicating parties in the message digest to ensure that messages are received in the correct order and that no messages are inserted by someone listening in on the line. It is almost impossible for two messages to digest to the same value.

Digital signatures

Inferno uses public key cryptography to create digital signatures. A secret key known only to the party sending a message is used to create the signature. A public key, or one that can be distributed openly, is used to verify the signature.

A signature in Inferno includes a digest of a message, the signer's identity, and the names of the algorithms used for hashing and signing. Using the sender's public key, the receiving party is able to "unlock" the information in the signature and verify that the message has not been modified and has indeed been sent by the user claiming to have sent it.

A message does not have to be encrypted to have a message digest appended to it. The digest ensures that no one has tampered with the message. It does not prevent someone from reading it. Likewise, digital signatures do not prevent an intruder from reading a message.

Message Encryption

The traditional notion of encryption is translating a message, called a plaintext in cryptography, into something unreadable, called a ciphertext. Cryptograms you see in the newspaper are simple examples of this. Its most obvious use is to provide confidentiality. Only someone who can decrypt the message, or translate it back to its original form, will be able to interpret it.

Two basic types of algorithms are used in cryptography: private key (or symmetric key) and public key algorithms. With symmetric algorithms the same key is used to encrypt and decrypt a message. This key must be a secret, known only to the users who want to communicate securely. It is often called a private or secret key.

In general, a public key algorithm may use a private or secret key to encrypt a message and a public key to decrypt it, or vice-versa. The private or secret key is known only to the user sending a message. The public key, however, does not have to be kept secret and may be distributed to anyone the user wishes to communicate with.

While public key algorithms offer a high degree of security, they are often slower than symmetric key cryptography. Inferno uses a public key algorithm for digital signatures and symmetric key algorithms for encryption.

Supplied Algorithms

Some of the tradeoffs related to choosing algorithms are speed, degree of security, and licensing restrictions (e.g., the U.S. government restricts which algorithms may be exported to other countries). All the algorithms used in Inferno are well known, commercially available, and rigorously tested.

For message digesting: SHA, MD4, and MD5 are all well known (in cryptographic circles) one-way hashing algorithms. MD4 and MD5 are high-speed, 128-bit hashes. SHA offers more security by using a 160-bit hash, but is slower. MD5 is more secure but slower than MD4.

For digital signatures: ElGamal is a widely used, public key system. It uses a private key for signing a message and a public key for verifying it. One property of ElGamal is that it makes it easier to adopt a different signature algorithm as requirements change compared with systems like RSA that use equivalent keys, where either a private or public key can be used for encrypting or decrypting. With constant advances in computing power and in the field of cryptography, one of the design goals of Inferno is to create a security component that will be easy to enhance as new algorithms are developed.

For encryption: DES (the Data Encryption Standard) was adopted by the U.S. government in 1976 as a standard encryption/decryption system for unclassified data in the United States. It is widely used, especially by the financial services industry. Two types of DES are offered: DES-ECB and DES-CBC. ECB or Electronic Code Book and CBC or Chain Block Coding are part of the ANSI Banking Standard. CBC is more complex and less vulnerable than ECB. Both versions of DES provide 56-bit keys. Neither is exportable outside the U.S.

RC4 is a symmetric or private key system that is about 10 times faster than DES and is exportable with a key size of 40 bits. In the U.S., RC4 can be used with keys of virtually unlimited length.

Diffie-Hellman is an algorithm for creating a secret key to be shared by users (sometimes called a shared secret) for encrypting messages. It requires each user to exchange certain information with the other. This information can be exchanged in the open, that is, without encryption. Each user is then able to create the same, secret key from this information, although no one else listening to their exchange would be able to determine the secret key.

Security Protocols

Strict protocols are used to thwart attempts to disrupt or listen to confidential communications. These protocols establish a level of trust between communicating parties. In Inferno, two well established protocols, Encrypted Key Exchange (EKE) and Station-to-Station (STS), are used to permit keys to be exchanged and the identities of communicating parties to be verified.

The record format used to transmit secure data between programs follows the SSL protocol proposed by Netscape, although Inferno uses a more secure, initial handshake.

The Certifying Authority

Signatures can be used to establish the identities of communicating parties, but a signature can only be trusted to the extent that the public key for verifying the signature can be trusted. Inferno allows for a third party, called a certifying authority, to create a certificate testifying to the identity of the user who owns the public key.

Mutual authentication in Inferno requires that two parties who want to communicate must trust the same certifying authority or CA. Otherwise each party would not be able to trust that the certificate for the other party's key was valid.

In Inferno, a certificate includes a variety of information: a user's public key, the identity of the user, Diffie-Hellman parameters, an expiration time for the certificate, along with the signature of the CA to confirm that the certificate is indeed from the party you know and trust.

As part of the EKE protocol used to get a certificate, the CA's public key is also sent to each user. This enables the users to verify the CA's signature to confirm that the certificate is from the CA that they trust.

Establishing trust between a CA and a user requires some out-of-band or non-computer communication (for example, a letter or phone call), since ultimately, secure communications depend on a level of trust that encryption algorithms and protocols cannot provide.

In Inferno, a password can be communicated out-of-band between the CA and user for this purpose. This password ensures the identities of the user and CA, and together with the EKE protocol, protects the exchange of keys and certificates between them.

Applications on a set-top box, which may not have a keyboard, can obtain a certificate using a different protocol that does not require a user to enter a password. With this protocol the CA sends a certificate to the set-top box encrypted with a bit pattern called a "blinding bit string." Without knowing this string, the box cannot produce a useable certificate. Only after the user has passed an out-of-band verification of their identity, does the CA send the blinding bit string to the set-top-box so that the certificate can be used.

In addition to providing certificates to users, the CA in Inferno also determines the algorithm and size of the public key used for digital signatures. These are determined during the EKE protocol when the CA provides the user with a certificate.

Using Certificates for Authentication

If someone sends you a public key and certificate, can you verify that it is indeed the public key of the party they claim to be? Well if you have the same CA as the party sending you the key, then you can use the CA's public key that you received previously to check the signature on the certificate. If the certificate is valid, it will testify that this is the public key of a particular user.

If you can trust the public key, then you can use it to check the signature that was sent to you. If the public key unlocks the signature, then whoever sent the signature must have the corresponding secret key, and, therefore, must be the owner of the public key.

This method of establishing trust between two parties is called authentication.

Protocol for Authentication: STS

The following diagram shows how the STS or Station-to-Station protocol is used in Inferno to perform authentication. This diagram assumes there are two users, U0 and U1, who have already received certificates from the same CA. First, one user sends the other their public key and certificate along with a computation based on the Diffie-Hellman (DH) parameters contained in their certificate. These parameters will be used to create a shared secret key between U0 and U1. U1 returns a computation based on the same Diffie-Hellman parameters along with U1's public key and certificate. With each other's public key and certificate, along with the CA's public key that each has, U0 and U1 can verify that each has the other's public key. All they need is to provide each other with a signature that can be verified with the other's public key to prove that they are indeed communicating with each other and not some intruder.

They each sign information that is known to both of them, and which they can verify. This information consists of the computations they passed each other previously. These computations using the DH parameters also enable U0 and U1 to compute a secret value that is known only to them and can be used as a shared secret key to encrypt later communications. The ability to derive the same key from the computations they passed back and forth such that no one else listening in on this protocol could determine the key, is a property of the Diffie-Hellman exchange.


Preventing Attacks

These are a few examples of design decisions to enhance security in Inferno. For ElGamal, Inferno uses a modulus of up to 4096 bits to determine key size. The key size for RC4 can be virtually unlimited. Large keys deter brute-force attacks to determine the values of keys.

Use of the EKE and STS protocols protect against various types of attacks, for example, man-in-the-middle attacks where someone pretends to be one of the users. Random numbers are generated for each communication to create a new secret key. This makes it difficult for a would-be attacker to reuse previous communications to figure out the key. Passwords are protected by XORing them with an initialization vector that is generated each session. The DES algorithm is enhanced by padding messages. This makes it more difficult for someone to use a known-text attack, that is, to decipher text that may be easily recognized at the end of a message.

Security at the Application Layer

Applications have the choice of using security or not. An application can use the login function to obtain a certificate and can establish an authenticated connection with another application over a network with the auth function. Having authenticated their connection, each application connects to an ssl (secure sockets layer) device by calling the connect function. The applications then can write to and read from the ssl device using various algorithms such as SHA, MD5, and RC4 to digest and/or encrypt messages.

The command interface for Inferno uses these same routines to provide secure connections. For example, the mount command to mount remote resources uses these routines to authenticate a connection and perform message digesting or encryption.

In addition to application routines, Inferno provides commands to set up a secure network, for example, to establish a server as a Certifying Authority (CA) and to provide certificates for file servers and clients. The command createsignerkey is used to create a secret and public key on the CA. Changelogin is an interactive command that stores a hashed password on the CA, and getauthinfo is used to obtain a certificate.

Inferno also provides special security routines for set-top boxes. On a set-top box, the register routine obtains a certificate without requiring a user to enter a password. Security routines for set-top boxes are demonstrated by the MUX application provided with Inferno.

Although only a few routines are necessary to provide secure communications between applications, lower-level routines used by login and auth are also made available to applications that may have special security requirements. These routines provide functionality such as:

These are only some of the additional routines which the designers of Inferno felt could be useful to other developers. An application could use these lower-level routines to implement its own protocols, for example, or it might use the signature and verification routines to create secure files.

Security Across the Network

One of the powerful capabilities of Inferno is to enable applications to access resources across heterogeneous networks using namespaces. The security layer we have described enables applications to access these resources in a secure manner no matter what platforms the resources exist on. For example, an application on one system, A, might need to access resources on a system, D, several hops away with systems B and C in between. System A could be a set-top box, system B could be running UNIX, system C could have Windows 95, and system D could be running Windows NT. In this scenario, system C would mount the resources of system D and obtain an authenticated connection, and likewise, system B would mount the resources from system C and establish an authenticated connection. When system A mounts the resources it needs from system B and authenticates the connection, the application on system A can be assured that it is accessing resources that physically exist on System D in a secure manner, because a level of trust has been established across the network. Each system would have obtained a certificate from the same CA and would have used the STS protocol to authenticate the system it was mounting.


As mentioned earlier, namespaces are also a key security feature in Inferno, since they control what resources an application can access.