SPARTA ISSO

INFOSEC for Networked Systems: Enhancement and Maintenance of Internet Privacy Enhanced Mail

Objective
TIS will encourage the broad adoption of secure email technology in the Internet by enhancing and maintaining a base secure email technology.

Approach
Previously, the Internet community endorsed a secure email technology standard called Privacy Enhanced Mail (PEM), which provides authentication, integrity, confidentiality, and non-repudiation of text-based email messages. Initially, TIS was distributing TIS/PEM (a reference implementation of PEM) to sites in the U.S. and Canada. However, the adoption of the PEM secure email technology and the TIS/PEM implementation has been limited. Instead, the Internet community has endorsed and adopted an email technology that supports arbitrary contents, including images, voice, video, and structured combinations of contents: Multipurpose Internet Mail Extensions (MIME). Unfortunately, MIME did not include any security services.

To support greatly expanded adoption of a secure email technology, TIS has built on the adoption of MIME and co-designed a specification, MOSS (MIME Object Security Services), that integrates the security services of PEM with MIME. In comparison to PEM, MOSS has improved functionality and expanded trust and naming rules, has been promoted for adoption as an Internet standard, and has been implemented for free use throughout the research community.

Specifically, TIS' implementation of MOSS (TIS/MOSS) supports PEM certificates and distinguished names, but does not enforce the restrictions specified by RFC 1422. This allows for the automatic validation of certificates from other hierarchies and the use of other name forms, for example, email addresses, which supports a natural transition from the existing insecure email environment to a secure one.

TIS/MOSS includes generic application programs that facilitate its straightforward integration with a variety of email user agents and other email-related applications, for example, trusted mail forwarders (supporting encrypted remote mailing lists) and email responders. In addition, TIS/MOSS will port to a DOS/Windows environment.

Two Policy Certification Authorities (PCAs), the operative top levels of the Internet certification hierarchy, have been established and are operating. One is for the benefit of the Internet community and the second is for the benefit of the U.S. Government. This latter PCA is owned by the U.S. Government and transferable to the Government upon request. TIS will assist the Government in establishing a hardware base for this PCA.

Recent Accomplishments

  • TIS co-designed a specification for the addition of authentication, integrity, confidentiality, and non-repudiation services to MIME: MIME Object Security Services (MOSS), which includes improved functionality through the integration with MIME and expanded trust and naming rules. This specification was published in October 1995 as an Internet Proposed Standard (RFC 1848).
  • TIS developed and is currently distributing an Internet Reference implementation of the MOSS protocol: TIS/MOSS. It is available to U.S. and Canadian residents via anonymous FTP from ftp.tis.com.

Fiscal Year 1997 plans

  • Coordinate the activities necessary to resolve the deadlock in standardization of security for SNMP.
  • Promote the use of a secure DNS as an infrastructure to distribute and manage public keys in the Internet.
  • Continue to participate in definition of the strategic evolution of security for the Internet.

Technology Transition

  • TIS is distributing TIS/MOSS to U.S. and Canadian residents via anonymous FTP from ftp.tis.com.
  • TIS integrated TIS/MOSS with hardware-based cryptography, specifically the FORTEZZA card.
  • TIS integrated TIS/MOSS with commercial key escrow (CKE) technology.
  • The MOSS technology, specifically the certificate-based key management system, is being used by a secure distributed file system technology -- Truffles -- in support of integrity and authentication security services.