background image
Tech Note #110: Concept for a Secure Network Computer
2000 Bionic Buffalo Corporation; All Rights Reserved.
         Tuesday, 11 January 2000
Page 17 of 18
Reduced-Assurance Versions
The concept presented here uses dual boundary controllers to assure very high probability that
the security of an information domain will not be breached. In the overall lifecycle cost of the
SNC, the extra cost of the redundancy will be relatively low.
However, there are two additional options to provide lower cost when extreme levels of security
are not required.
The first such option eliminates the redundancy, while still providing the physical security. The
main increase in risk comes from design and implementation failure, but there is also a
possibility that single hardware failures might compromise security.
A second option can offer even lower cost. It restricts most of the physical security and tamper
resistance to long-term key storage, and to session key generation. This option might be useful
when the SNC is operated in a relatively safe physical environment, and the likelihood of
physical attack is reduced. The design can employ the same technology used in identification
tokens. Essentially, an embedded identity token carries the SNC’s keys and certificates - its
identity - and performs key generation and authentication for each session.
Autonomous Remote Computing
In some applications, a device such as the SNC is useful without an operator or local human
user. For example, a remote telemetry computer might process sensor data before forwarding it
to a central location. It might be useful to run untrusted software on the remote computer, while
still being assured that there would be no uncontrolled access to the information domain.
The same architecture as described above would apply, with some major simplifications. First,
the tunnel to the remote enclave would require only a single authentication - for the computer
itself, rather than for both computer and user. This eliminates the need for a user i/o device.
In addition, the HC’s display, pointing device, and keyboard, which are significant potential
vulnerabilities, are no longer required.