1995-07-14 - SunFlash 79.05: SunScreen and Java Questions & Answers

Header Data

From: John Gilmore <gnu@toad.com>
To: cypherpunks@toad.com, gnu
Message Hash: 906e1df747f95e7f62c1278ce840164e546f08e1811d68109c13c0b1b088b311
Message ID: <9507140147.AA13138@toad.com>
Reply To: N/A
UTC Datetime: 1995-07-14 01:47:40 UTC
Raw Date: Thu, 13 Jul 95 18:47:40 PDT

Raw message

From: John Gilmore <gnu@toad.com>
Date: Thu, 13 Jul 95 18:47:40 PDT
To: cypherpunks@toad.com, gnu
Subject: SunFlash 79.05: SunScreen and Java Questions & Answers
Message-ID: <9507140147.AA13138@toad.com>
MIME-Version: 1.0
Content-Type: text/plain


[Note the export related stuff, and the 40-bit RC2 & RC4.  But also note
"An International version will be available early in 1996".    --gnu]

==============================================================================
SunFlash 79.05

                 SunScreen and Java Questions & Answers

July  1995         John J. McLaughlin, Editor/Publisher    flash@flashback.com
==============================================================================

     SunScreen is a Product Line comprised of enabling products/solutions
     for doing business transactions on the Internet and other public
     networks. The first product offering in the SunScreen Product Line is
     the SPF-100, a completely new network security device. SPF-100 is a
     dedicated, turnkey solution designed to be network undetectable.
     Shipped pre-configured, SPF- 100 is based on state-of-the-art packet
     screening integrated with encryption to provide private and
     authenticated communications on public networks.

     Several questions about the Java language and the HotJava browser are
     also addressed.

-------------------------------------------------------------------------------

The SunScreen sits on network boundaries, either between two LAN's or
between a LAN and a WAN. It can be used to achieve compartmentalization
within internal networks or to use the Internet or other public
networks as a virtual, secure, private network (VSPN).

The SPF-100 is being targeted towards enterprise customers who require
the highest levels of network security and guaranteed privacy. The
market segments who have expressed the most interest in the SunScreen
SPF-100 include Telecommunications, Finance, Health Care and the
Government.

Due to restrictions imposed on the export of encryption products, the
SunScreen SPF-100 will initially be released only in the U.S.A.. and
Canada. An International version of the product is scheduled for early
1996.

What does SunScreen look like?

The SunScreen consists of two physical components: SPF-100, the
security gateway product is based on a headless SPARC-based system
running an embedded OS and shipped standard with five ethernet ports
(one on-board and four through a Quad Ethernet Card). Four of the ports
are used for screening packets and have no IP address. Since the
embedded OS does not include any user programs, network services, etc.,
it cannot be logged into, nor can any applications be run on it.

The SPF-100 is managed by the SunScreen Administration Station, an
Intel 486-based system running MS-DOS and Windows 3.1. Multiple
SPF-100's may be remotely managed by a single SunScreen Administration
Station, or a single SPF-100 can be managed by multiple SunScreen
Administration Stations. The SPF-100 uses the fifth ethernet port to
establish an encrypted connection to the SunScreen Administration
Station. The SunScreen Administration Station is the only device that
can be used for monitoring, configuring and managing the SPF-100.

A SunScreen is set up to be the point of contact between two
administrative domains such as a private and a public network. Two or
more of the Quad Ethernet ports can be used to bridge the private and
public sides. The on- board Lance Ethernet interface links the SPF-100
to the SunScreen Administration Station through an authenticated and
encrypted connection.

Functionally, the SPF-100 includes an IP level packet screen and a
facility to encrypt and decrypt data transmissions. The SPF-100 packet
screen software runs as an integral part of the SunScreen operating
environment. It tracks the state of session oriented packet
transactions (e.g. TCP) as well as sessionless packet transactions
(e.g., UDP). Maintaining state allows the SunScreen to provide
additional protection from connection stealing.

Effectively, the SPF-100 is invisible to any network entity other than
certified Administration Stations. Interfaces that participate in the
packet screening activity have no IP address and do not respond to any
network probing; they simply pass packets on to the screen.

Using the SunScreen Administrative GUI, an administrator can specify
packet screening rules, specify encryption/decryption criteria,
configure and implement a security policy and monitor the SPF-100
actions on incident network traffic. All transactions between
associated Administrative Stations and SPF-100's are encrypted, adding
security to administrative activity.

What is a packet screen? How is a SunScreen packet screen set up?

A packet screen is a software filter that is imposed on a network data
packet as it passes from a public network to a private network. A
packet screen acts on a data packet according to a set of rules.
Generally speaking, rules are used to discriminate certain packets and
to initiate certain actions on those packets.

SunScreen packet screens are specified by an administrator at the
Administration Station. A packet screen rule is defined by the contents
of three discriminator fields and two actor fields. Two of the
discriminator fields are the packet source and destination address.
These may be addresses of networks, subnets, hosts, or groups of hosts.
The third discriminator field identifies the packet's Internet service
type, e.g. telnet or ftp. This really equates to a socket port number,
so privately defined services can be discriminated as well. SunScreen
also does port coloring to ensure that the source address is consistent
with the ethernet interface.

The two actor fields determine what action is taken if the
discriminating conditions select an incoming packet. One actor simply
determines if the packet passes or fails. The other determines what
explicit action the packet triggers.

An example of a rule would be to discriminate any packet originating at
IP address 192.9.185.28, heading for IP address 129.146.10.14, and
using the telnet service. Any packet that meets these criteria is
allowed to pass through the screen but it is logged as an event.

In SunScreen, the default screening rule is to fail any packet that is
not explicitly allowed to pass.

What encryption alternatives are available in SunScreen?

SunScreen uses a combination of shared key and public key encryption to
provide data privacy and authentication. Privacy means that only the
intended recipient will be able to decipher the message; authentication
means that there is a high level of confidence that the identity of the
message originator is valid and that the message has not been modified
in transmission.

The following encryption software is available on SunScreen: shared
key: 40-bit RC2 and RC4, 56-bit DES public key: 1024-bit RSA, 1024-bit
Diffie-Hellman

Shared key encryption and public key encryption both have advantages
and disadvantages. Shared key encryption is desirable because it
ensures confidence in privacy and yet is moderate in its demands for
processing power during data transformation. It is flawed because both
sender and recipient need access to the same key; having to distribute
a key compromises its secrecy.

In public key encryption, two keys are used - a private key and a
public key.  The two keys are generated in the same operation. One key
can be thought of as the inverse of the other, though there is no
obvious relationship between the two. Any data stream that is encrypted
using one key can be decrypted by the other, but only by the other. The
owner of the private key can distribute the public key at will, but
need never (and should never) distribute the private key. Therefore,
public key encryption solves the twin problems of privacy and
authentication.

Consider the case of a holder of a public key encrypting a message to
be sent to the owner of its private pair. This is a private
transmission because nobody but the private key owner can decrypt the
message. Now consider the case of the of the owner of the private key
sending an encrypted message to a public key pair holder. If this
message decrypts successfully, then it must have come from the private
key owner. It is authenticated. A minor disadvantage to public key
encryption is that each originator needs his own private key and
multiple public keys in order to exchange private messages. A major
disadvantage is that public key cryptography demands a lot of
processing power during data transformations.

SunScreen combines these methods to assure private and authenticated
message transmission across public networks at reasonable performance.

Why was a PC chosen as the Administration Station platform?

>From a marketing perspective, since SunScreen is targeted towards all
customers, not just current Sun customers, it was felt that "a black
box controlled by a PC running Windows" would be easier to explain and
sell and would not require a detailed discussion of UNIX. Additionally,
since the Administration Station is required to be a dedicated system,
it was felt that customers would be more receptive to a lower cost
machine such as a PC, being a dedicated, single-purpose- only system.
Finally, ICG will be offering an end-user solution and due to its
popularity considered the PC a good end-user prototype. A SPARC-based
desktop Administration Station is under consideration

What is Sun ICG?

ICG is the Internet Commerce Group, a Sun business whose charter is to
produce enabling technologies and solutions for doing business over the
Internet and other public networks. ICG will be developing the
SunScreen Product Line, and its first product offering is the SPF-100

What is packet tunneling?

Packet tunneling refers to the capability of encapsulating one packet
in another packet. Together with encryption, tunneling provides data
privacy as well as network topology hiding. Network packets traveling
between two private networks are encrypted and encapsulated in a
wrapper packet at the exit point of one network and unwrapped and
decrypted at the entry point of the other and then passed along to
their destination host.

What is packet vectoring?

Packet vectoring is a capability which enables a packet to be "copied"
and diverted to other areas in addition to its intended route, for
further processing. Packet vectoring enables distributed processing of
packet streams for billing, metering, auditing and intrusion detection
purposes. SunScreen includes the capability to do packet vectoring but
currently does not have an application which would enable it to be used
by customers.

What is SKIP?

SKIP, an acronym for Simple Key Management Internet Protocol, provides
a simple means of secure communications between two SunScreens across
the Internet. SKIP was invented by Ashar Aziz of Sun Microsystems, Inc.
and is currently being considered by the Internet Engineering Task
Force (IETF) as an Internet service standard. It is a sessionless
service that acts as the entry and exit point for secure communications
between two private networks.

When invoked as a service, SKIP encrypts a client packet stream as
described above. Using packet tunneling, client source and destination
encrypted, hiding private network topologies from the public. This
encrypted packet stream is then forwarded to the destination network,
where it is decrypted by another SunScreen supporting the SKIP service.
Once inside the destination private network, the packet stream
continues on its way to the destination host.  Details on the SKIP
specification can be found at http://skip.incog.com/

Does SunScreen support application relays?

SunScreen does not support application relays. There is no way to load
applications on the SPF-100 embedded operating system. However
SunScreen application relays are legitimate, useful adjuncts to a
secure network. They can easily be integrated into a network access
barrier created by a SunScreen.  One or more of the Quad Ethernet
interfaces on the SunScreen can be dedicated to a network supporting
systems with application relays. Using the SunScreen packet filtering
feature, packets appropriate for an application relay would be directed
to the host running that application relay, returned to the SunScreen,
and passed on (or failed) to their destination.

What products compete with SunScreen?

SunScreen is a high-end network security solution. It is unique not
only due to its stealth design and integrated encryption technology,
but also because it includes services which makes it a truly complete
security solution. Other security products on the market today are
either implemented only in software, lack encryption capabilities or
are run layered on top of existing, multi purpose operating systems.
Currently popular security products include Eagle/Raptor, TIS Gauntlet,
CheckPoint FireWall-1, DEC SEAL, ANS Interlock and Livingston
Enterprises Firewall IRX.

Who are likely customers for SunScreen ?

SunScreen is targeted at commercial, enterprise, highly networked
customers.  Commercial enterprises which are critically dependent on
networks for their business functioning are the primary candidates for
this product. Such customer include telecommunications companies,
financial institutions, health care organizations and the Government

How does SunScreen differ from FireWall-1 ?

SunScreen can be regarded as a functional superset of FireWall-1 . It
is a highly sophisticated network security solution targeted at
complex, commercial networks. FireWall-1 restricts its operation to
packet screening. SunScreen provides support for message
encryption/decryption. In addition, SunScreen is invisible from the
network, rendering it more difficult to detect and invade; SunScreen
SPF-100 can only interface to a qualified Administration Station using
an encrypted link, making it very difficult to probe or to modify the
operating environment. SunScreen provides a higher level of security at
a higher price. Users need to evaluate their security needs. FireWall-1
may provide adequate security for the basic security needs of
corporation.

What restriction does the US Government impose on using cryptographic
methods available with SunScreen?

All modes of encryption included with SunScreen are permitted for all
transactions within the U.S.A.. and Canada. Shipping encryption
products including DES, 1024 bit Diffie-Hellman, and 1024 bit RSA
outside the U.S.A..  and Canada requires an export license. An export
license for the use of an encryption product by a foreign based entity
controlled by a U.S.A.. company, has a strong prospect for approval

What special security issues does interaction with the WWW present?

Communication with the WWW and other Internet services such as Archie
and Gopher present no special problem for SunScreen security. Packet
screens can easily be configured to regulate traffic from/to these
services using standard Administration Station tools.

Is there any kind of security certification for this class of product?

Typically, security classification such as B1 , C2 , etc. issued by the
NSA, entails certification of a complete operation environment,
including hardware, OS, applications, etc. Sun has designed the product
to be independent of a multi purpose operating system. The embedded OS
included in the SPF-100, has been stripped off all network services,
user programs, etc. and can be used only for executing the SunScreen
software. However, with the recognition that some sort of security
classification will be required for SunScreen, Sun is working with the
proper authorities to define appropriate classifications for this new
class of security.

------------------------------------------------------------------------------

HotJava Security Answers

First some bulk information on Java security, there are three concepts
here and you have to keep them separate: Safety, Security, and Trust.
They apply to both the language itself (Java) and the browser written
in the language (HotJava).

Java - Security Within The Language:

Safety:

The Java language is safe because the language has no intrinsic
semantics for modifying the trusted computing base. In simple terms
this means that there is no way for pure Java code to modify its own
stack, write on memory it hasn't allocated, or execute methods (invoke
functions) it wasn't explicitly given access too. The mechanisms used
to create this safety are the language design (no semantics), the
virtual machine design (sufficient semantic information is retained in
a 'binary' to verify that the language imposed limits are not
violated), and un-forgeable pointers (no casting). Further memory
reclamation is done by a garbage collector which eliminates hanging
pointer problems. Array indexing and pointer casting is checked at
runtime for validity.

Security:

The Java language is secure because, as an object oriented language the
only way to do anything is to invoke a method on a class, and the only
way to instantiate a class is with the 'new' operator. This operator is
tied into a system class of type ClassLoader which enforces arbitrary
security policies on classes that it loads. Class loaders are thus the
arbiters of the capabilities granted a class they have instantiated.

Trust:

The Java language will supply a class loader capable of verifying a
digital signature on a class prior to loading that class. This allows
different capabilities to be assigned to classes of differing origin.
Further, classes will be able to query the class loader for this
information and thus be able determine if they are being called by a
trusted class. (this is required to export cryptography in the Java
runtime, the crypto classes have to know who is calling them so as to
enforce US mandated restrictions on their operation.)

HotJava - Security Within The Browser:

Safety:

Safety in the HotJava browser revolves around primarily the control of
applets.  Applets are loaded using an anal class loader called the
NetClassLoader. This class loader can control access to system
services. Further the implementation of certain classes (such as File)
recognize when they are being invoked from a class that was loaded from
the network class loader and they enforce additional restrictions. For
example, applets can only open files in two directories on UNIX
systems: /tmp/hotjava and ~/.hotjava (this can be modified with the
READPATH and WRITEPATH environment var's) Further when files are
accessed in these directories a confirmation is raised in the form of a
dialog with the user. There is no way for an applet to get around this
restriction. To open a file it _has_ to use the File class, the network
class loader won't allow it to load a new version of the File class,
and the file class has to have some bound in C code to do its work and
the applet can't bring over its own native code.  Its stuck.

Security:

The browser keeps track of what the applets are doing. Under some
conditions it modifies the capabilities available to an applet after
certain events. For example, the network class loader keeps track of
whether or not the applet came from "within" the firewall (direct
access to host) or "outside" the firewall (through the firewall). It
also keeps track of any files or sockets the applet opens. If the
applet opens any socket or file that is bound "inside" the firewall
(any file, and host inside the firewall) it is prevented from ever
opening a connection to a host "outside" the firewall.

Trust:

The browser is "trusted" code, and the source is available to assist in
developing trust of the code. Further it will be possible to sign all
valid browser classes (package browser.*) with a browser key,
preventing from any subversion of the browser after it has reached
trusted status. (I envision it working something like: Certify the
browser through inspection or what ever, build the classes, sign the
classes, invoke the browser with the public key of the signature.
Destroy the secret key.)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Press announcements and other information about Sun Microsystems are
available on the Internet via the World Wide Web. URL http://www.sun.com

SunFlash - A Full-Text On Demand Newsletter for Users of Sun Computers

John J. McLaughlin - Publisher & Editor   - flash@FlashBack.COM 
Tim Wells          - Associate Editor     - tim@FlashBack.COM 
Mark Wood	   - Distribution Manager - flashadm@FlashBack.COM

Subscriptions to       majordomo@FlashBack.COM 
Article Requests to    flashback@FlashBack.COM 
Article Submissions to flash@FlashBack.COM 

For more information send email to flashback@FlashBack.COM with article
names or numbers in the Subject line:
	9001       - general introduction 
	index      - for an index of the most recent 150 articles
	fullindex  - for an index of 800+ articles
	popular    - for a summary of the popular article for each month
	73.00 1176 - For the January  1995 Table of Contents 
	74.00	   - For the February 1995 Table of Contents
	75.00 1221 - For the March    1995 Table of Contents
	76.00 1262 - For the April    1995 Table of Contents
	77.00 1286 - For the May      1995 Table of Contents
	78.00 1344 - For the June     1995 Table of Contents
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++





Thread