CERF: Classified NSA Work Mucked Up Security For Early TCP/IP
Internet pioneer Vint Cerf says that he had access to cutting edge cryptographic technology in the mid 1970s that could have made TCP/IP more secure – too bad the NSA wouldn’t let him!
Did the National Security Agency, way back in the 1970s, allow its own priorities to stand in the way of technology that might have given rise to a more secure Internet? You wouldn’t be crazy to reach that conclusion after hearing an interview with Google Vice President and Internet Evangelist Vint Cerf on Wednesday.
As a graduate student in Stanford in the 1970s, Cerf had a hand in the creation of ARPANet, the world’s first packet-switched network. He later went on to work as a program manager at DARPA, where he funded research into packet network interconnection protocols that led to the creation of the TCP/IP protocol that is the foundation of the modern Internet.
Cerf is a living legend who has received just about every honor a technologist can: including the National Medal of Technology, the Turing Award and the Presidential Medal of Freedom. But he made clear in the Google Hangout with host Leo Laporte that the work he has been decorated for – TCP/IP, the Internet’s lingua franca – was at best intended as a proof of concept, and that only now – with the adoption of IPv6 – is it mature (and secure) enough for what Cerf called “production use.”
Specifically, Cerf said that given the chance to do it over again he would have designed earlier versions of TCP/IP to look and work like IPV6, the latest version of the IP protocol with its integrated network-layer security and massive 128 bit address space. IPv6 is only now beginning to replace the exhausted IPV4 protocol globally.
“If I had in my hands the kinds of cryptographic technology we have today, I would absolutely have used it,” Cerf said. (Check it out here)
Researchers at the time were working on the development of just such a lightweight but powerful cryptosystem. On Stanford’s campus, Cerf noted that Whit Diffie and Martin Hellman had researched and published a paper that described a public key cryptography system. But they didn’t have the algorithms to make it practical. (That task would fall to Ron Rivest, Adi Shamir and Leonard Adleman, who published the RSA algorithm in 1977).
Curiously enough, however, Cerf revealed that he did have access to some really bleeding edge cryptographic technology back then that might have been used to implement strong, protocol-level security into the earliest specifications of TCP/IP. Why weren’t they used, then? The culprit is one that’s well known now: the National Security Agency.
Cerf told host Leo Laporte that the crypto tools were part of a classified project he was working on at Stanford in the mid 1970s to build a secure, classified Internet for the National Security Agency.
“During the mid 1970s while I was still at Stanford and working on this, I also worked with the NSA on a secure version of the Internet, but one that used classified cryptographic technology. At the time I couldn’t share that with my friends,” Cerf said. “So I was leading this kind of schizoid existence for a while.”
Hindsight is 20:20, as the saying goes. Neither Cerf, nor the NSA nor anyone else could have predicted how much of our economy and that of the globe would come to depend on what was then a government backed experiment in computer networking. Besides, we don’t know exactly what the cryptographic tools Cerf had access to as part of his secure Internet research or how suitable (and scalable) they would have been.
And who knows, maybe too much security early on would have stifled the growth of the Internet in its infancy – keeping it focused on the defense and research community, but acting as an inhibitor to wider commercial adoption?
But the specter of the NSA acting in its own interest without any obvious interest in fostering the larger technology sector is one that has been well documented in recent months, as revelations by the former NSA contractor Edward Snowden revealed how the NSA worked to undermine cryptographic standards promoted by NIST and the firm RSA .
It’s hard to listen to Cerf lamenting the absence of strong authentication and encryption in the foundational protocol of the Internet, or to think about the myriad of online ills in the past two decades that might have been preempted with a stronger and more secure protocol and not wonder what might have been.