Lyndon G. Pierson

Context-agile encryption for high speed communication networks

Different applications have different security requirements for data privacy, data integrity, and authentication. Encryption is one technique that addresses these requirements. Encryption hardware, designed for use in high-speed communications networks, can satisfy a wide variety of security requirements if the hardware implementation is key-agile, key length-agile, mode-agile, and algorithm-agile. Hence, context-agile encryption provides enhanced solutions to the secrecy, interoperability, and quality of service issues in high-speed networks. Moreover, having a single context-agile encryptor at an ATM aggregation point (such as a firewall) reduces hardware and administrative costs. While single-algorithm, key-agile encryptors exist, encryptors that are agile in a cryptographic robustness sense, are still research topics.

The effect of algorithm-agile encryption on ATM quality of service

Asynchronous transfer mode (ATM) users often open multiple ATM virtual circuits (VCs) to multiple ATM users on multiple ATM networks. Each network and user may implement a different encryption policy. Hence ATM users may need shared, flexible hardware-based encryption that supports multiple encryption algorithms for multiple concurrent ATM users and VCs. An algorithm-agile encryption architecture, that uses multiple, parallel encryption-pipelines, is proposed. The algorithm-agile encryptors effect on the ATM quality of service (QoS) metrics, such as cell transfer delay (CTD) and cell delay variation (CDV), is analyzed. Bounds on the maximum CDV and the CDVs probability density are derived.

A DES ASIC Suitable for Network Encryption at 10 Gbps and Beyond

The Sandia National Laboratories (SNL) Data Encryption Standard (DES) Application Specific Integrated Circuit (ASIC) is the fastest known implementation of the DES algorithm as defined in the Federal Information Processing Standards (FIPS) Publication 46-2. DES is used for protecting data by cryptographic means. The SNL DES ASIC, over 10 times faster than other currently available DES chips, is a high-speed, fully pipelined implementation offering encryption, decryption, unique key input, or algorithm bypassing on each clock cycle. Operating beyond 105 MHz on 64 bit words, this device is capable of data throughputs greater than 6.7 Billion bits per second (tester limited). Simulations predict proper operation up to 9.28 Billion bits per second. In low frequency, low data rate applications, the ASIC consumes less that one milliwatt of power. The device has features for passing control signals synchronized to throughput data. Three SNL DES ASICs may be easily cascaded to provide the much greater security of triple-key, triple-DES.

Distributed, on-demand, data-intensive and collaborative simulation analysis

Distributed, on-demand, data-intensive, and collaborative simulation analysis tools are being developed by an international team to solve real problems such as bioinformatics applications. The project consists of three distinct focuses: compute, visualize, and collaborate. Each component utilizes software and hardware that performs across the International Grid. Computers in North America, Asia, and Europe are working on a common simulation programs. The results are visualized in a multi-way 3D visualization collaboration session where additional compute requests can be submitted in real-time. Navigation controls and data replication issues are addressed and solved with a scalable solution.

On the use of trusted objects to enforce isolation between processes and data

This paper highlights the problem of run-time execution correctness of high-consequence applications in conventional Von Neumann computer architectures. It proposes an approach, trusted objects, in which the application program and data are cryptographically encapsulated in their own environment. The remainder of the paper is organized as follows: after presenting a description of trusted objects, their creation, and their execution, their potential applications are described. Finally, issues and problems requiring further research are discussed.

Integrating end-to-end encryption and authentication technology into broadband networks

BISDN services will involve the integration of high speed data, voice, and video functionality delivered via technology similar to Asynchronous Transfer Mode (ATM) switching and SONET optical transmission systems. Customers of BISDN services may need a variety of data authenticity and privacy assurances, via Asynchronous Transfer Mode (ATM) services Cryptographic methods can be used to assure authenticity and privacy, but are hard to scale for implementation at high speed. The incorporation of these methods into computer networks can severely impact functionality, reliability, and performance. While there are many design issues associated with the serving of public keys for authenticated signaling and for establishment of session cryptovariables, this paper is concerned with the impact of encryption itself on such communications once the signaling and setup have been completed. Network security protections should be carefully matched to the threats against which protection is desired. Even after eliminating unnecessary protections, the remaining customer-required network security protections can impose severe performance penalties. These penalties (further discussed below) usually involve increased communication processing for authentication or encryption, increased error rate, increased communication delay, and decreased reliability/availability. Protection measures involving encryption should be carefully engineered so as to impose the least performance, reliability, and functionality penalties, while achieving the required security protection. To study these trade-offs, a prototype encryptor/decryptor was developed. This effort demonstrated the viability of implementing certain encryption techniques in high speed networks. The research prototype processes ATM cells in a SONET OC-3 payload. This paper describes the functionality, reliability, security, and performance design trade-offs investigated with the prototype.

The role of decimated sequences in scaling encryption speeds through parallelism

End-to-end encryption can protect proprietary information as it passes from one end of a complex computer network to another, through untrusted intermediate systems. Encryption performance, in terms of bits per second encrypted, has not scaled well, as network performance has increased. The authors felt that multiple encryption modules, operating in parallel would be the cornerstone of scalable encryption. One of the major problems with parallelizing encryption is ensuring that each encryption module is getting the proper portion of the key sequence at the correct point in the encryption or decryption of the message. Many encryption schemes use linear recurring sequences, which may be generated by a linear feedback shift register. Instead of using a linear feedback shift register, the authors describe a method to generate the linear recurring sequence by using parallel decimated sequences, one per encryption module. Computing decimated sequences can be time consuming, so the authors have also described a way to compute these sequences with logic gates rather than arithmetic operations.

Tuning computer communications networks and protocols

The objective is to adjust the protocol parameters and network elements to achieve maximum data throughput over a certain circuit or set of circuits (a network path) subject to certain constraints, such as: delay-bandwidth product, error rate, and tuning parameter limits and accessibility. To provide optimal performance from the users perspective, which is application to application, all peer layers of the protocol must be tuned. The key to tuning protocols is reducing idle time on the links caused by various protocol layers waiting for acknowledgements. Experiments have been conducted on test bed systems, and on live satellite and terrestrial circuits. Various aspects of network tuning and certain specific issues relating to the tuning of three protocols (DECnet, TCP/IP, NETEX) over various media types (point-to-point and broadcast) under several different conditions (terrestrial and satellite) are examined. Also described are the lessons learned about protocol and network tuning.<<ETX>>

Protection of distributed internetworked computers

Current methods of enforcing security policy depend on security patches, anti-virus protections, and configuration control, all updated in the end users computer at ever decreasing intervals. This research is producing a method of hardening the corporate computer infrastructure by prototyping a mixed hardware and software architecture that enforces policies by pushing distributed security functions closer to the end users computer, but without modifying, relying on or reconfiguring the end users computer itself. Previous research has developed highly secure network components. Because it is impractical to replace our entire infrastructure with secure, trusted components, this paper investigates how to improve the security of a heterogeneous infrastructure composed of both trusted and untrusted components.

Electronic forensic techniques for manufacturer attribution

The microelectronics industry seeks screening tools that can be used to verify the origin of and track integrated circuits (ICs) throughout their lifecycle. Embedded circuits that measure process variation of an IC are well known. This paper adds to previous work using these circuits for studying manufacturer characteristics on final product ICs, particularly for the purpose of developing and verifying a signature for a microelectronics manufacturing facility (fab). We present the design, measurements and analysis of 159 silicon ICs which were built as a proof of concept for this purpose. 80 copies of our proof of concept IC were built at one fab, and 80 more copies were built across two lots at a second fab. Using these ICs, our prototype circuits allowed us to distinguish these two fabs with up to 98.7% accuracy and also distinguish the two lots from the second fab with up to 98.8% accuracy.