
Re: photuris-06.txt



   Date: Thu, 2 Nov 95 00:05:45 GMT
   From: "William Allen Simpson" <bsimpson@morningstar.com>

   > From: Ran Atkinson <rja@bodhi.cs.nrl.navy.mil>
   > 1.6:	Please replace the string 	"in Multi-Level Secure
   > environments,"
   > 	with the string			"for multi-user systems,"
   >
   Not intended for plain-old multi-user systems.  Too many holes.  Cannot
   guarantee correct operation of the protocol.  Folks have already
   indicated some of the holes on this list.

   Also, if there are no "levels" of security (that is, all users are
   authorized to the same access control or the access control is not
   mandatory), then there is no reason for separate user-level keying.
   They can read each others' traffic.

The generally accepted meaning of "Multi-Level Secure" environments, at
least in the security world, is environments where there is
non-discretionary access controls --- that is, data is tagged with
labels such as "Secret", "Top-Secret", etc. and data which is labelled
as "Top-Secret" may not be displayed on devices which are labelled
"Secret".  

Thus, using the term "Multi-Level Secure" in your document is extremely
confusing, because this is not what is meant.  What we are talking about
is a system where you have multiple users and where the operating system
actually tries to protect user A from being able to do things to user B,
and vice versa.  Unix, for example, attempts to have this property,
although in practice there seems to always be one more way to break in
as root.

   For plain-old multi-user operating systems, node-node keying is the only
   technique available.  This secures IP from _outside_ interference, even
   when the end-systems themselves are not secure.

What you call "plain-old multi-user operating systems", by which I would
assume you mean systems like Windows NT and ITS, I would merely call them
"single-user operating systems", or "insecure multi-user operating
systems".

Any secure multi-user system worth its salt must be able to protect its
resources from hostile users, and protect one hostile user from being
able to damage the resources controlled by another hostile user.

At the heart of this, I think we have a terminology problem; we can come
up with different terms, but we really should avoid the use of
Multi-Level Secure systems unless we mean a system which enforces
non-discretionary access control.  There's no point in bucking 3 decades
worth of usage.....

						- Ted
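The label-dominance rule Ted describes (Top-Secret data may not flow to a device labelled Secret) can be made concrete as a small mandatory access control model, set beside a Unix-style owner-granted check so the difference between the two kinds of "multi-user" system is visible. This is an added example, not code from the thread or from Photuris; the level names, the NUKE compartment, the users and the ACL are constructed for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Hierarchical classification levels (constructed for this example)."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Label:
    """A sensitivity label: a level plus a set of compartments (caveats)."""
    level: Level
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # A label dominates another when its level is at least as high AND
        # it carries every compartment the other label carries.
        return (self.level >= other.level
                and other.compartments <= self.compartments)


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property ("no read up"): the reader's clearance
    must dominate the data's label."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property ("no write down"): a subject may only write to an object
    whose label dominates the subject's level, so Top-Secret knowledge
    cannot be copied into a Secret container."""
    return obj.dominates(subject)


def can_display(data: Label, device: Label) -> bool:
    """The rule from the post: Top-Secret data may not be shown on a
    device labelled Secret.  Display is a flow of data to the device, so
    the device label must dominate the data label."""
    return device.dominates(data)


# --- Discretionary control, for contrast -----------------------------------

def dac_allows(acl: dict, user: str, op: str) -> bool:
    """Owner-granted permissions, Unix style: whatever the owner put in
    the ACL is honoured, whoever the grantee is.  Nothing stops the owner
    from granting read to everyone."""
    return op in acl.get(user, set())


def access(user: str, clearance: Label, obj_label: Label,
           acl: dict, op: str) -> bool:
    """Mandatory check first; the discretionary check can only narrow
    access further, never widen it.  'op' is 'read' or 'write'."""
    if op == "read":
        mac_ok = can_read(clearance, obj_label)
    else:
        mac_ok = can_write(clearance, obj_label)
    return mac_ok and dac_allows(acl, user, op)


if __name__ == "__main__":
    TS = Label(Level.TOP_SECRET)
    S = Label(Level.SECRET)
    S_NUKE = Label(Level.SECRET, frozenset({"NUKE"}))
    print(can_display(TS, S))          # False: TS data on a Secret terminal
    print(can_display(S, TS))          # True
    print(can_read(TS, S_NUKE))        # False: TS clearance lacks NUKE
    # Constructed ACL: owner grants "bob" read and write on a Secret file.
    # bob is TS-cleared, so DAC says yes but MAC refuses the write-down.
    acl = {"bob": {"read", "write"}}
    print(access("bob", TS, S, acl, "write"))  # False
    print(access("bob", TS, S, acl, "read"))   # True
```

The point of the contrast is the one in the message: on a system with only discretionary control, a user can hand out access at will, so every user is effectively at one "level" and per-user keying buys nothing; the label checks above are what "Multi-Level Secure" actually refers to.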