Adding bite to the bark
As the cable industry readies itself for the advent of DOCSIS (Data Over Cable Service Interface Specification)-based standards for cable modems, ensuring the privacy and security of a network is attracting the attention, and concern, of cable operators and customers in the burgeoning business market.
Nowhere is the business side of technology more evident than in the privacy and security sector. Businesses are requesting more robust security systems to protect valuable data and assets as they move into the world of cable modems and the high-speed data transmission promised by DOCSIS-based cable modems.
Keeping that promise, however, is a challenge to cable operators, vendors and manufacturers whose responsibility will be to provide adequate security to residential and business customers, while assuring a safe haven for their business clients' proprietary data, and that their networks will be dead-solid safe.
Baseline Privacy Interface (BPI) is the DOCSIS-based security system written specifically to address the issue of cable modem security, and after 18 months of scrutiny and re-writes, the system now includes additional elements intended to beef up certain security weaknesses found in the initial BPI document.
The result is Baseline Privacy Interface Plus (BPI Plus). It is currently being embraced by CableLabs, the cable industry's technological test bed, and after review by cable operators and vendors, is expected to be ready for DOCSIS 1.0 certification by fall, and modem-ready by second quarter 1999. All DOCSIS cable modems are required to support BPI, and eventually BPI Plus, in an effort to ensure basic data privacy in the shared cable environment.
BPI Plus is the enhanced version of its older sister, BPI, and is based on a more robust concept of security, starting with the 56-bit Data Encryption Standard (DES) in Cipher Block Chaining mode and the Rivest, Shamir, Adleman (RSA) key exchange. The streamlining of BPI Plus meant scrapping some of its predecessor's heavy security features, which were costly and complex.
DES is a cryptographic algorithm that takes binary data and transforms it with a publicly known algorithm under a randomly generated 56-bit key to produce unintelligible, or encrypted, bits. A 56-bit key has 70 quadrillion possible values, and the only guaranteed way of discovering a truly random key is by "brute force," or trying all of the keys.
The RSA key exchange is a series of public key algorithms which has been used by the U.S. government for nearly 20 years. It is one method that does not require the two parties to share a secret in advance: data is encrypted with one key and decrypted with a different, mathematically related key, making it nearly impossible to break.
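To make the two-key idea concrete, here is an added illustration (not code from the article, CableLabs or any BPI implementation) of how an RSA key exchange can carry a 56-bit DES key to the party that holds the matching private key. The primes, exponent and direction of the exchange (the modem holds the key pair, the headend wraps a traffic key to it) are assumptions of the example, and the primes are deliberately small so the arithmetic is reproducible; real RSA moduli are far larger.

```python
"""Toy RSA key exchange wrapping a 56-bit DES key (constructed illustration)."""
import secrets

# Constructed parameters: two known Mersenne primes, chosen only so that the
# modulus n = p*q exceeds 2**56 and a 7-byte DES key fits in one RSA block.
P = 2**31 - 1
Q = 2**61 - 1
E = 65537  # common public exponent; coprime with (P-1)*(Q-1) for these primes


def rsa_keygen(p=P, q=Q, e=E):
    """Return ((n, e), (n, d)): the public key and the matching private key."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def rsa_encrypt(pub, m):
    """Encrypt integer m (0 <= m < n) with the public key."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def rsa_decrypt(priv, c):
    """Decrypt with the private key; only the holder of d can do this."""
    n, d = priv
    return pow(c, d, n)


def new_des_key():
    """56 random key bits packed into 7 bytes (DES parity bits omitted)."""
    return secrets.token_bytes(7)


def wrap_key(pub, key7):
    """Headend side (assumed): encrypt the DES key under the modem's public key."""
    return rsa_encrypt(pub, int.from_bytes(key7, "big"))


def unwrap_key(priv, wrapped):
    """Modem side (assumed): recover the DES key with the private key."""
    return rsa_decrypt(priv, wrapped).to_bytes(7, "big")


def demo_exchange():
    """Run one exchange; returns (key sent, key recovered, wrapped value on the wire)."""
    pub, priv = rsa_keygen()
    key = new_des_key()
    wrapped = wrap_key(pub, key)
    return key, unwrap_key(priv, wrapped), wrapped


if __name__ == "__main__":
    sent, received, on_wire = demo_exchange()
    print("DES key sent:     ", sent.hex())
    print("DES key recovered:", received.hex())
    print("value on the wire:", hex(on_wire))
```

The point the passage makes is visible in the code: the public key `(n, e)` can be handed out freely, the value on the wire reveals nothing useful without `d`, and only the holder of the private key ends up with the DES key that then encrypts the traffic. Textbook RSA without padding, as used here, is fine for showing the mechanism but is not how a deployed protocol should wrap keys.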
After close examination and tinkering, modem vendors, engineers and MSOs agreed that additional security elements were needed before a baseline privacy standard could be included in the DOCSIS 1.0 initiative.
Enter BPI Plus.
"Now that the industry is maturing, we needed a baseline privacy standard. But there were still parts of the Security Systems Interface (SSI) we wanted to include," said Doug Jones, network architect for MediaOne Labs in Boulder, Colo., and visiting engineer at CableLabs focusing on network telephony and data.
SSI, Jones said, is the "heavy duty" security system designed to defeat network cloning. It also includes a number of sophisticated, and costly, features. "SSI protects expensive assets, but vendors said they could do it cheaper, so we wanted to include three SSI features in BPI Plus, which is the enhanced version of BPI. It allows us to beef up encryption service, and customers want it because it's so secure."
BPI Plus will include three key SSI components: 1) renewability, or a smart card, which allows interchangeability of RSA and DES cards; 2) physical security, which would prohibit attackers from "shaving" silicon off of chips and viewing transistors; and 3) authentication of cable modems, which would help defeat the cloning of modems through a registration process.
"The purpose of BPI Plus is to prevent the cloning of cable modems and offer a certain level of privacy. Potentially, someone could extract cryptographic identification and make a clone," said Chet Birger, vice president of engineering and chief technology officer for the YAS Group, a consulting firm in Andover, Mass. which is helping CableLabs with DOCSIS certification. Birger also co-authored the initial BPI document.
"We're working with MSOs for authentication methods for back-up systems. They want security in their systems, and have responded very positively." Cable operators are currently reviewing BPI Plus, and according to Birger, are expected to offer their feedback, beginning this month.
Vendors such as Motorola, however, are already on the BPI Plus issue. "We have encryption already in our CyberSurfr product, but we need a standards-based modem to interact with other modems, so we must have a standard, and BPI Plus is sufficient for the privacy link-layer and authentication to prevent theft of service," said Jeff Walker, senior manager of cable modems for Motorola Information Systems Group.
Yet for many businesses, a moderate, at best, security system such as BPI Plus may not be enough. According to Levent Gun, vice president and general manager of 3Com's cable access division: "The security tunnel should go all the way, so we are looking at layered types of security. As a company, we are heavily focused on private networks with end-to-end security and encryption, so we will be adding these as services. We consider BPI as a base function of our modems."
Full security can add cost to a network, adds Gun, yet he believes a customer's perception of a network's security system is of greater concern. "Full security will add some cost, but it won't be prohibitive. What worries me, besides the cost, is that if a smart card is needed for security, it gives the consumer the wrong message that the modem isn't secure without it."
The message to vendors regarding modem security is clear: give the customers, including cable operators, the level of privacy and security they want. Says Jerry White, chief technical officer for the broadband technology division at Bay Networks Inc.: "We'll be adding features as we go along, especially with Work @Home, and we expect BPI Plus to become more of a requirement. It raises the bar, and operators will probably mandate some sort of authentication feature with it."
The mandate for vendors such as Broadcom Corp., a leading supplier of highly integrated, system-level silicon solutions, is to stay flexible when it comes to the security needs of its customers. "Security is what everyone wants more of. But it can be costly and can slow down a process. It may take five times as long to send a message," says Tom Quigley, director of Broadcom's residential broadband business unit.
The difference in speed, Quigley says, is the trade-off between the heavier security components in the more complex, full security systems such as SSI, and the simpler BPI Plus. "The key difference between a 'security heavy' system and BPI is that we are able to use DES engines to build right into the MAC (media-access controller) chip and make it easy to build the circuitry right into the silicon. The security-heavy functions slowed down the initial BPI system. They just didn't fit right and were ponderously slow. Now, with BPI Plus, the DES engines are already in the MAC chip," Quigley explains.
Quigley, who worked on the initial BPI system, is confident that BPI Plus, with its added security components, will emerge as a viable security system for cable modems. "For 95 percent of the applications, BPI and BPI Plus are fine. We have a good privacy solution, and eventually cable modems can layer features for customers such as banks who need higher levels of security. In addition, MSOs have very capable people who are plugged into the costs and complexities of security systems. There's been a good consensus in the industry for a privacy function like BPI," Quigley said.
Once BPI Plus is certified, it should offer cable operators and the entire cable modem industry an acceptable privacy standard, which could not only ease much of the security angst in the business sector, but could add more value to cable modems as they explode onto the retail scene and into the rapidly expanding business of high-speed data transmission and E-commerce.