Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!uwm.edu!bionet!agate!darkstar!cs.cornell.edu
From: rvr@cs.cornell.edu (Robbert Van Renesse)
Newsgroups: comp.os.research
Subject: Re: Amoeba
Message-ID: <14174@darkstar.ucsc.edu>
Date: 4 Apr 91 19:50:38 GMT
Sender: usenet@darkstar.ucsc.edu
Organization: Cornell Univ. CS Dept, Ithaca NY 14853
Lines: 44
Approved: comp-os-research@jupiter.ucsc.edu

In UDP and TCP there are 2^16 ports, of which, in UNIX, the lowest 1024 are reserved and protected. In Amoeba no ports are protected, but there are 2^48 ports total. Such a port is chosen at random (it's a well-known property of large random numbers that they are unique...). Say that the one-way encryption function f() takes only 1 millisecond to execute; then it would take you, on average, over 4000 years to find g given f(g).

``Wie dan leeft, wie dan zorgt.'' (Dutch saying: Who lives then, who cares then.)

Note that the protection scheme is very similar to the UNIX password login protection, except that Amoeba ports are chosen by the system at random, giving a much better distribution of the port space. In the new release of Amoeba the size of a port will be increased to 64 bits for further protection.

The problem with this protection scheme is the implementation of it. The easiest way is using trusted kernels: if the user cannot access the network other than through the supplied kernels, then the kernel can apply the one-way encryption function. Another implementation would be to use a custom-made network, with the one-way encryption executed in the physically protected cable duct in the wall. Not a very practical solution. The third way is to encrypt messages on the network. For example, this could be done by choosing the public and private ports of a service to be the encryption and decryption keys in a public key encryption scheme (so you don't use the one-way function). You lose the performance benefits of the scheme this way.

To solve this last problem, the new Amoeba internet protocol (FLIP) divides networks into trusted and untrusted networks. For example, processors within the machine room are connected by a trusted network segment, while the connections to the workstations and long-haul connections are untrusted. The gateways, in the machine room as well, encrypt messages the first time they get forwarded from a trusted to an untrusted network. Machines on untrusted network segments encrypt all messages. This way traffic between processors in the machine room does not need to be encrypted. Since in Amoeba systems most work is done in the processor pool and specialized servers, all of which reside in the machine room, communication remains fast despite its security. (You only need to fill the machine room with poisonous gas.)

Robbert van Renesse