Tom wrote:
>It would seem that you need unique public/private key pairs for each machine
>and that each machine on the 'virtual Z' network would have to have the
>public key for every other machine on that virtual network. Distributing
>these keys in the first place (when the network is still unsecure) would
>seem to be a nightmare (sniffing-spoofing, etc).
>
> (amateur opinion, use with caution), Tom
I obviously did not express this clearly: All machines on virtual network Z
will be able to understand communication from all other machines on this
virtual net and to transmit to all other machines on net Z. However, no
communication between machines on different virtual networks is initially
possible. Thus the solution lends itself to symmetric crypt like DES and you
would not use public/private key pairs to run the network itself. Obviously,
if you wish to add privacy to communication from machine Z(n) to machine
Z(m) you can stick an assymetric crypt algo on top.
Practically I think a good way to implement this would be to use special
NICs incorporating small secured boxes (you could use external crypt boxes,
but that would most likely mean that short pieces of external cable would
carry unencrypted info). If you really want to secure this you could add
small pressurised cartridges containing cyan gas, you know, the
nice-smelling stuff that adversely affects breathing when hitting humid lung
tissue, releasing the gas if tampered with. To deter everybody you could
stick warnings on the outside of the boxes, and then again, to effectively
deter the ones you REALLY would want to deter, you could refrain from doing
so... Nasty.
In any case I can think of a number of elegant was to initialise this type
of system, and even to change keys regularly in a self-synchronising manner.
This whole solution is so obvious that it must have been implemented
(somewhat similar solutions exist e.g. for bank WANs). Anybody know of
actual products built on the principles discussed?
Rgds,
Niels
------------------------------------------------------------------------
-- Niels J Bjergstrom, Ph.D., m/ISACA Tel. +31 70 362 2269 --
-- Computer Security Engineers, Ltd. Fax. +31 70 365 2286 --
-- Postbus 85 502, NL-2508 CE Den Haag London: +44 181 519 8011 --
-- Netherlands Email: njb @
csehost .
knoware .
nl --
-- PGP Public key available on request - please use when mailing vira --
------------------------------------------------------------------------
|
|
