[Technology Report]
Security ICs Are Targeting Consumer Applications
New devices will address the need to secure sensitive data in both networks and personal computers.
The need for secure data communications to protect commercial and personal data on PCs and networks has given rise to a spate of security IC developments. Security is becoming increasingly important and represents significant commercial value. In business communications, for example, data protection is necessary for such intangible goods as software, music, images, and intellectual property (IP), which are sent over networks to which hackers sometimes gain access. These hackers have also been able to play with people's credit card numbers or other confidential data as a result of security gaps.
Recognizing this problem, a number of semiconductor companies are busy producing devices designed specifically to ensure secure data communications on PCs and networks. These ICs include processors, controllers, and sensors, as well as encryption and decryption ICs.
For many concerned individuals, the issue of security is synonymous with privacy. But privacy is much more complex, involving four general aspects: authentication, data integrity, confidentiality (encryption), and accessibility.
Authentication is obviously an important issue. At the very least, it prevents any Internet user from making illegal transactions in a bank account by falsely using the legitimate account holder's name. For commercial applications, an unequivocal identification and authentication is a must.
Data integrity means that the data received equals exactly the data that's sent out. Whenever a data stream is changed, the receiver must recognize that change if appropriate means to protect data integrity are applied. This is an important feature. Consider the transmission of banking data. If the amount and/or the destination account number are changed fraudulently (as by changing the receiver's account number), then the data integrity of the original packet ceases to exist.
Encryption represents the classic confidentiality topic. Applying appropriate encryption methods ensures that the confidential data within the intercepted data streams aren't available to third parties. If, for example, an Internet user submits his credit card data to an online store, a hacker may be able to intercept the physically transmitted data. But with the appropriate encryption, the hacker won't be able to decipher the data, which makes the entire interception useless.
Encryption Needed At All Levels Even without a network connection, however, data encryption is an important topic. For instance, the notebook computers of many designers, managers, and consultants commonly contain a lot of sensitive data that should only be accessible to authorized users. Losing one's notebook computer through misplacement or theft can have serious consequences, unless the data on the computer's disk is encrypted.
Finally, accessibility means that the data is accessible at all times, as seen in the recent denial-of-service attacks by hackers. When spam e-mail blocks a server of an online mail-order company, the accessibility of mail-order information isn't guaranteed, resulting in a loss of business.
When security features are added to data streams, the volume of data increases, causing a decrease in the available data-transmission bandwidth. This, in turn, necessitates the use of data-compression techniques. There are, however, security-induced penalties revolving around the implementation of compression technology in the point-to-point protocol (PPP) at layer 2 of the network protocol stack (Fig. 1). IP security (IPSec), the dominant protocol for virtual private networks (VPNs), is layer 3 of the stack. The secure socket layer (SSL) encryption is at layer 5, and PGP, SMIM, and e-mail encryption, for example, are at application layer 6.
Three issues induced by network security are the loss of effective compression, the inefficiencies relating to the security protocol overhead, and the increase in packet-processing burdens for routers, firewalls, and access servers targeted to perform network security.
Loss of effective compression can be explained as follows: an outbound data packet coming from application layer 6 goes down to the IP layer 3 where it's encrypted. But, when that encrypted packet passes down to the PPP IP layer 2, it cannot be compressed. Therefore, one of the challenges is losing the effectiveness of layer 2 compression when layer 3 encryption is added. This is a security-induced penalty.
Encryption works by randomizing data or hiding any traces of patterns. If patterns can be detected, a hacker might be able to detect the data. It's hoped that encryption will scramble the data and make it undecipherable. This means that encrypted data has no patterns. So if data compression is performed after the encryption, it will prove ineffective because compression relies on data to have patterns. As a result, data must be compressed first and then encrypted.
The loss of effective compression equates to bandwidth constraints, which can cause the enterprise manager to have considerable head-aches. PPP compression is the aspirin that relieves the pain. More specifically, LZS and MPPC resolve those problematic areas. These two algorithms are based on Hi/fn patents from Hi/fn Inc. and are Internet Engineering Task Force (IETF) Requests For Comments (RFCs). "The fact that encrypted data doesn't compress means that PPP compression is rendered ineffective when encryption emerges at higher layers," says Joe Gagliano, manager of Hi/fn, based in Los Gatos, Calif. When IPSec is applied to a data packet at IP layer 3, either a header, a trailer, or both are added to the packet to alert the receiving system that IP security is used and to call out the associated algorithms. Consequently, the packet grows in length.
Reprints
