CERF: Classified NSA Work Mucked Up Security For Early TCP/IP

Internet pioneer Vint Cerf says that he had access to cutting edge cryptographic technology in the mid 1970s that could have made TCP/IP more secure – too bad the NSA wouldn’t let him!


Did the National Security Agency, way back in the 1970s, allow its own priorities to stand in the way of technology that might have given rise to a more secure Internet? You wouldn’t be crazy to reach that conclusion after hearing an interview with Google Vice President and Internet Evangelist Vint Cerf on Wednesday.

As a graduate student at Stanford in the 1970s, Cerf had a hand in the creation of ARPANet, the world’s first packet-switched network. He later went on to work as a program manager at DARPA, where he funded research into packet network interconnection protocols that led to the creation of the TCP/IP protocol that is the foundation of the modern Internet.

Cerf is a living legend who has received just about every honor a technologist can, including the National Medal of Technology, the Turing Award and the Presidential Medal of Freedom. But he made clear in the Google Hangout with host Leo Laporte that the work he has been decorated for – TCP/IP, the Internet’s lingua franca – was at best intended as a proof of concept, and that only now – with the adoption of IPv6 – is it mature (and secure) enough for what Cerf called “production use.”

Specifically, Cerf said that given the chance to do it over again he would have designed earlier versions of TCP/IP to look and work like IPv6, the latest version of the IP protocol, with its integrated network-layer security and massive 128-bit address space. IPv6 is only now beginning to replace the exhausted IPv4 protocol globally.

“If I had in my hands the kinds of cryptographic technology we have today, I would absolutely have used it,” Cerf said.

Researchers at the time were working on the development of just such a lightweight but powerful cryptosystem. Cerf noted that, on Stanford’s campus, Whit Diffie and Martin Hellman had researched and published a paper that described a public key cryptography system. But they didn’t have the algorithms to make it practical. (That task would fall to Ron Rivest, Adi Shamir and Leonard Adleman, who published the RSA algorithm in 1977.)

Curiously enough, however, Cerf revealed that he did have access to some really bleeding edge cryptographic technology back then that might have been used to build strong, protocol-level security into the earliest specifications of TCP/IP. Why wasn’t it used, then? The culprit is one that’s well known now: the National Security Agency.

Cerf told host Leo Laporte that the crypto tools were part of a classified project he was working on at Stanford in the mid 1970s to build a secure, classified Internet for the National Security Agency.

“During the mid 1970s while I was still at Stanford and working on this, I also worked with the NSA on a secure version of the Internet, but one that used classified cryptographic technology. At the time I couldn’t share that with my friends,” Cerf said. “So I was leading this kind of schizoid existence for a while.”

Hindsight is 20:20, as the saying goes. Neither Cerf, nor the NSA, nor anyone else could have predicted how much of our economy and that of the globe would come to depend on what was then a government-backed experiment in computer networking. Besides, we don’t know exactly what cryptographic tools Cerf had access to as part of his secure Internet research, or how suitable (and scalable) they would have been.

And who knows, maybe too much security early on would have stifled the growth of the Internet in its infancy – keeping it focused on the defense and research community, but acting as an inhibitor to wider commercial adoption?

But the specter of the NSA acting in its own interest, without any obvious interest in fostering the larger technology sector, is one that has been well documented in recent months, as documents leaked by the former NSA contractor Edward Snowden revealed how the NSA worked to undermine cryptographic standards promoted by NIST and the firm RSA.

It’s hard to listen to Cerf lamenting the absence of strong authentication and encryption in the foundational protocol of the Internet, or to think about the myriad online ills of the past two decades that might have been preempted by a stronger and more secure protocol, and not wonder what might have been.

vint cerf | April 4, 2014 4:53 pm

The technology of the time was NOT public key crypto and key distribution would not have scaled well so we really did not lose an opportunity – the more ironic thing is the timing of the PKI and RSA work that took a while to become operationally available.

Josh Knight | April 6, 2014 2:09 pm

Vint Cerf was an assistant professor at Stanford, not a graduate student. I took a couple of classes from him. The lab with the computers that linked to the early Arpanet was at the end of the hall, and the patch panel with the (two, IIRC) 64kb leased lines for those connections was in the atrium for the offices I shared with several other graduate students.

Gordon Peterson | April 7, 2014 11:28 pm

It was interesting to hear Vint Cerf’s talk at University of Texas at Dallas a week or two ago. I’ve often wondered (as we were aware of what he was doing at DARPA) how much he was aware of us at Datapoint working on our packet-switching network… much faster (2.5 megabits) but designed really for local area use (with each segment limited to 255 nodes). We announced ours to the public on Dec 1, 1977… just over a week past the point where Vint mentioned that they had done the first intercontinental tests of TCP/IP for DARPA. At the point of the 50th anniversary of the System/360, it’s worth remembering that the LAN really for the first time made it possible to cluster more processing power around shared data than was practical in just one machine… the transformation in the industry which made it possible to produce incrementally expandable systems to which processors could be added pretty much wherever they were needed, without having the rigid monolithic limitations which were characteristic of mainframes of the era.

(it’s also an intriguing historical note that when Datapoint’s LAN system was first installed commercially, in late September 1977, at Chase Manhattan Bank in New York… our system was being called “Internet”. The product name was changed at the last minute because the feeling was that “If we call it ‘Internet’, it will never be successful… because people’s perceptions are that ‘networks are complicated and hard to manage.’”)
