Page 1

Tech Note #110: Concept for a Secure Network Computer

Tuesday, 11 January 2000

http://www.tatanka.com

[tn0110]

Page 1 of 18

Bionic Buffalo Tech Note #110:

Concept for a Secure Network Computer

last revised Tuesday 11 January 2000
©2000 Bionic Buffalo Corporation. All rights reserved.
Tatanka and TOAD are trademarks of Bionic Buffalo Corporation.

Background

Proprietary or confidential information resources, delivered by network to a restricted audience,
are highly vulnerable to interception and attack at the point of delivery.

Cryptography can protect data in transit and storage, but such data eventually must be
decrypted to be useful. Potential points of attack include the identification and authentication
process, the cryptographic mechanism itself (with attendant keys), display and entry operations,
transient or temporary storage and cache locations, and the exploitation of hardware and
software failures. Defence against attack requires a system known to be secure.

A secure system must be of verifiable design, and constructed of verifiable components in a
verifiable process. If all secure systems were identical (except for configuration and keys), then
economies of scale would allow reasonable costs in spite of the expenses of verification.
However, useful systems ought to execute a variety of insecure, unverifiable application
programs.

In order to allow these potentially dangerous programs to run, their operation must be
contained in such a way that they cannot compromise the security of the system.

This Tech Note describes a Secure Network Computer (SNC), which attempts to control
information access while allowing the limited use of unverified software.

Model & Terminology

Sensitive, proprietary, secret, or other valuable information may be restricted to one or more
domains. The domains are logical concepts used to contain the information. As examples, a
domain may contain:

•

military battle plans

•

hospital patient records

•

employee salary and benefit information