[net.mail.headers] SMTP and authentication

MRC@SU-SCORE.ARPA (Mark Crispin) (03/07/84)

     As a taxpaying citizen of the United States of America (and
reasonably patriotic, despite certain leftist political views), I
strongly object to the idea of having Internet mail used for ANY
confidential, official, or any other traffic which in some way
involves USA national security.

     Internet mail is, and should remain, a high-connectivity,
high-throughput mail network with reasonable reliability and
validation.  This is quite suited for the research purposes it is
mostly put to.  Excessive validation (which tends to affect the
HELO command and not the return-path in the MAIL FROM command)
will only serve to seriously impact the high connectivity of
Internet mail.

     I am glad to hear the military follows up all official (and
unclassified, I hope!) directives sent over Internet with a TWX.
My faith in the US military as a viable agency in defending our
nation against foreign aggression would be shattered if it relied
on Internet mail.

     What makes this whole discussion silly is that NONE of the
hosts on Internet (except perhaps the Multics sites) are secure
enough to have authenticated mail in any case.  Certainly not any
of the Tenex, TOPS-20, or Unix systems.  It is only when you can
restrict entry into the network (e.g. the secure subnet of Milnet)
that there is any authentication at all.  Even then all it means
is that the mail was not forged outside of the network.

     Can't we end this once and for all?  Authentication does not
exist, and cannot exist with the current hosts on the network.

-- Mark --
-------

Rudy.Nedved@CMU-CS-A.ARPA (03/07/84)

Mark,

Can't you use semi-secret "public" key encryption to validate the
sender? The semi-secret part comes from the fact that you can't
set up in any environment by the points you mentioned (insecure
networks and hosts) an authentication server without the potential
for forgery of it....but you can have users type in magic numbers
at both ends and have the mail authenticated....the magic numbers
are sent by "secure" courier...a guy with a handcuffed briefcase.

This is one of the issues CMU CS/RI systems staff is supposed to
solve ASAP....probably after we get the user names and host
names "addressing" issues solved.

-Rudy

Rudy.Nedved@CMU-CS-A.ARPA (03/07/84)

Oh. The mail message would be in clear text with a complete business-like
letter enclosed (duplicating the from:, to:, cc: and subject:
fields) and would have at the end an "encrypted checksum" of sorts.

-Rudy
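
The scheme Rudy sketches in his two messages (cleartext letter, shared "magic
numbers" delivered out of band, an "encrypted checksum" appended at the end)
is what would today be called a keyed message authentication code. The
following is an added example, not code from the thread or from CMU; it uses
HMAC-SHA256 as a modern stand-in for whatever "encrypted checksum" was meant
in 1984, a constructed sample key standing in for the courier-delivered magic
number, and a made-up trailer name `X-Auth-Checksum`. It shows the receiver
rejecting a body that was altered in transit and a message sealed with the
wrong key, which is the property the thread is arguing about.

```python
import hmac
import hashlib

# Constructed sample shared secret. In the thread's scheme this is the
# "magic number" both ends type in after it arrives by courier.
SHARED_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)

# Hypothetical trailer line that carries the checksum (not an RFC header).
SIGNATURE_HEADER = "X-Auth-Checksum"
AUTH_FIELDS = ("From", "To", "Cc", "Subject")


def canonical_message(headers: dict, body: str) -> bytes:
    """Serialize the duplicated letter fields plus the body into one fixed
    byte layout so sender and receiver authenticate exactly the same bytes."""
    lines = [f"{name}: {headers.get(name, '')}" for name in AUTH_FIELDS]
    lines.append("")          # blank line separates fields from body
    lines.append(body)
    return "\n".join(lines).encode("utf-8")


def compute_checksum(key: bytes, headers: dict, body: str) -> str:
    """The 'encrypted checksum': an HMAC over the canonical message."""
    return hmac.new(key, canonical_message(headers, body), hashlib.sha256).hexdigest()


def seal(key: bytes, headers: dict, body: str) -> str:
    """Cleartext letter with the checksum appended as the last line."""
    tag = compute_checksum(key, headers, body)
    return canonical_message(headers, body).decode("utf-8") + f"\n{SIGNATURE_HEADER}: {tag}\n"


def parse(message: str):
    """Split a sealed message into (headers, body, claimed_tag).
    claimed_tag is None when no checksum trailer is present."""
    lines = message.split("\n")
    headers = {}
    i = 0
    while i < len(lines) and lines[i]:
        name, _, value = lines[i].partition(": ")
        headers[name] = value
        i += 1
    rest = lines[i + 1:]
    while rest and rest[-1] == "":   # drop trailing newline(s) after the trailer
        rest.pop()
    if not rest:
        return headers, "", None
    trailer = rest[-1]
    prefix = SIGNATURE_HEADER + ": "
    if not trailer.startswith(prefix):
        return headers, "\n".join(rest), None
    return headers, "\n".join(rest[:-1]), trailer[len(prefix):]


def verify(key: bytes, message: str) -> bool:
    """Recompute the checksum over what was actually received and compare it
    in constant time with the claimed tag. Any change to the authenticated
    fields or body, or a tag made with a different key, fails here."""
    headers, body, tag = parse(message)
    if tag is None:
        return False
    expected = compute_checksum(key, headers, body)
    return hmac.compare_digest(expected, tag)


# Constructed sample letter.
SAMPLE_HEADERS = {
    "From": "sender@example.invalid",
    "To": "recipient@example.invalid",
    "Cc": "",
    "Subject": "Purchase authorization",
}
SAMPLE_BODY = "Please authorize the purchase.\nThanks."


if __name__ == "__main__":
    sealed = seal(SHARED_KEY, SAMPLE_HEADERS, SAMPLE_BODY)
    print(sealed)
    print("genuine verifies:", verify(SHARED_KEY, sealed))
    print("altered body verifies:", verify(SHARED_KEY, sealed.replace("purchase", "payment")))
    print("wrong key verifies:", verify(b"\x00" * 32, sealed))
```

Note what the check does and does not give, matching the thread's point: it proves the message was produced by someone holding the shared key, nothing more. A compromised host at either end that leaks the key, or a user who types the magic number into a forged session, defeats it, so the out-of-band key delivery and the security of the endpoints remain the real limit.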

RSX-DEV@DEC-MARLBORO.ARPA (John R. Covert) (03/07/84)

Authentication does not exist without encryption (because without
encryption you can hack the authentication).

I'm amazed that people who are concerned about authentication think
that following up a message with a TWX or Telex involves any more
authentication!

A TWX or Telex can be hacked just as easily as netmail!  All it takes
is changing the answerback.

When people worry about authentication in netmail, my usual reply is
"Anyone can throw a letter into the Postal Service with any return
address they want, as well as a forged signature."

No unencrypted mail system has authentication.

/john
   --------

RICH.GVT@OFFICE-3.ARPA (Rich Zellich) (03/07/84)

Well, the TWXs come through the secure commo centers using the DoD AUTODIN 
network.  Supposedly, the manual channels covering getting the typed original to
the comm center for transmission take care of authenticating the 
Sender/From/Authorized-by/etc.

Last I heard, the plan is to use the new MilNet/ARPANET protocols with the 
security and precedence stuff added to replace the aged AUTODIN.  How the 
AUTODIN-replacement network will be interconnected with the ARPANET, 
current-version MilNet, or any other part of the internet, I have no idea.

-Rich

WWB.TYM@OFFICE-2.ARPA (Bill Barns) (03/07/84)

Yes, to expand a bit on your discussion: the authentication and security of 
AUTODIN I are derived from three things: physical security of the terminals and 
switches, encryption of data, and administrative procedures.  If you could 
connect your terminal or PC into AUTODIN and type away, authentication would be 
out the window.

One of the effects of the AUTODIN admin procedures is that it is generally 
impossible to get something transmitted without it going through the hands of 
someone other than the originator.  There are exceptions to this, as well as the
possibility of admin breakdowns.  Message centers are supposed to maintain files
of signatures of authorized releasers and all the message forms are supposed to 
be signed.  As to the exceptions, there are a bunch of rules not worth 
repeating, but basically they are logged in a special way.

The idea of using Internet for AUTODIN GENSER type traffic relies heavily on 
encryption.  I haven't heard what the drafter/releaser procedures will be; I 
suspect no "official" decision has been made.  Once you get the data "canned" 
with the right NSA techniques, there is no problem sending it down any pipe you 
want - Milnet, Arpanet, direct broadcast satellite, suit yourself.  The 
interesting questions have to do with how you get your can of data sealed.  I 
don't see it working with the style of mail-sending we use now; probably 
military installations will eventually be set up to let people "draft" items by 
a procedure similar to Internet "sending", but before being "released" they will
have to go through some procedure similar to what is done to declassify a 
magtape, which basically means somebody else in a secure place will have to poke
at it.

There is a bunch of work in progress on retinal scanners and other gee whiz 
stuff, but I don't think you should plan on finding one on your desk any time 
soon.  Back in '77 I was hearing that by 1984 the Pentagon would be full of 
Secure Office Terminals.  It isn't (but yes, there has been some progress).  
Someday, probably, but not before all the Spectra-70's keel over.  I think there
will have to be one or more interim solutions.  -b

rf@wu1.UUCP (03/09/84)

John (RSX-DEV@DEC-MARLBORO.ARPA) writes:

  A TWX or Telex can be hacked just as easily as netmail!  All
  it takes is changing the answerback.

Nonsense!  Both Telex I and Telex II (TWX) are connected to the
Western Union switches via dedicated lines.  When you dial a
terminal through the Telex net, you may request its answerback
code, thereby assuring that the message went to a terminal with
the appropriate answerback connected to the appropriate ports on
the Telex net.  To forge a Telex one must either change the
terminal address in the Western Union switches (which takes
about a week) or physically fiddle with the telephone lines
which connect Telex terminals.  This is far more difficult than
forging a Uucpnet message.


				Randolph Fritz
				Western Union Telegraph
				{philabs, allegra!sunrise}!wu1!rf