A secure Internet requires a secure network protocol

Implementing -- and requiring -- stronger authentication and cryptography standards is the next step toward a new Internet

This is my third column on creating a more secure computing ecosystem. My first two columns summarized the larger ideas behind this project: It begins with secure hardware and moves on to secure booting, a secure OS, secure applications, and authenticated users, as well as the ability to track network packets from start to end.

[ RogerGrimes's column is now a blog! Get the latest IT security news from the Security Adviser blog. ]

Supporters have so far outnumbered critics four to one (whatever that means in a nonrandom survey). Reader Michael Hartmann was among the many proponents of the solution. I like the way he captured the idea: “I think making the Internet more secure is really analogous to making any human society more secure. Anarchy is the easiest but riskiest course, and forming a government of laws is difficult but a necessary evil. Without some form of agreed-upon limits, there really is no method for fairly and effectively policing the miscreants. With a system of verification, we have the start of security, just like we have the start of some reasonable security with a judicial system and other safeguards.”

As a former mohawk-wearing punk rocker (I wish I was making that up), I loved anarchy as an ideal. But I noticed that all my punk friends still called the police when someone hit them or stole their property.

The most important part of a secure ecosystem is being able to trace a network packet from source to destination. Malicious hackers hack because they can’t be caught. But if we could always track every packet back to its originating computer, the benevolent masses could once again compute safely. Our networks and servers would not be clogged with spam and botnet traffic. We might actually be able to spend more time being productive than trying to figure out why the computer is so slow and crashes all the time. Imagine not having to waste money on anti-virus scanners, host-based firewalls, and all their ilk.

Of course, if I want to be truthful about this, those pubescent products would be replaced by more mature, more accurate descendants in my more secure reality.

But how do you authenticate or track every network packet from source to destination? I’m no crypto expert, so I’m just throwing out layman ideas. I’m not even sure if we need the ability to trace every packet back through every participating hoop or just back to the originating source. The latter is easier than the former, but I don’t have the expertise to figure out which is needed.

It would have to start with some sort of authenticated MAC addressing so that the packets could be traced from the original IP stack that created them. Forged MAC addresses wouldn’t be allowed; the originating computer would sign the packet as belonging solely to it. We would need a new digital machine certificate type with an OID field to include the machine’s authenticated MAC address (or other identifying information).

The IP stack on every participating host would have to be rewritten to include default signing and authentication. (IPv8, anyone?) If done properly, I don’t even think all the current routers would have to be replaced. 

Essentially, the originating host would sign the packet with its own private key, then encrypt it with the destination host’s public key. (I think that’s how it goes in crypto: sign, then encrypt -- or is it the other way around?) Just before sending the packet, the originating host would obtain the destination host’s public key and cache it for future use. Like any asymmetric crypto solution, the packet would remain securely encrypted to prevent prying eyes along the way, and if the originator was spoofed, the packet would not verify correctly.

IPv6 gets us part of the way there, but we need more: Default authentication and default encryption, no exceptions. More robust key exchange protocols. Ubiquitous application. Absolute standards adherence. Network access control (a.k.a. network access protection) can play a role, too. You can’t join the network unless you agree to the IP stack operations.

We have similar pseudo-models all over the place for this type of thing, including PKI, S/MIME, DNSSEC, and some of the newer anti-spoofing protocols. We’re already overly familiar with the challenges. But every challenge I’ve ever read about was basically due to a lack of empathy and participation. DNSSEC and all the other newer crypto standards would work better if we all cared more, implemented them in a standard way, and required them.

I believe any decrease in performance due to the new network crypto mechanics would be more than made up by the decrease in spam and malware that is so pervasive today.

The next column on this topic will talk about application authentication in a secure ecosystem.