‘Open Security’ Is More Important Than Ever

By Matt Tooley

Security in cable networks has always been a priority. In the beginning, cable television operators worked to prevent signal theft and security efforts continued as cable operators upgraded their networks to provide high-speed Internet and voice services. In today’s always-on and always-connected world, reliance on the high-speed Internet services provided by cable operators makes security more important than ever.

From the beginning, cable operators have practiced ‘Open Security.’ Open security is based on the philosophy that transparency leads to security. The idea is to create security in the cable system not by relying on secrets, but rather through the complexity of algorithms that protect the system.

This is in stark contrast to security through obscurity, which relies on secrecy as the main method of securing a system. A good example of security by obscurity would be hiding your password under your keyboard. Your account is “secure” until someone discovers the password in its hiding place. Similarly, in the streaming video context, this issue arises when the video stream is encrypted but the de-encryption keys for it are out in the clear and available for anyone to use.

A computer science example of security through obscurity would be hiding or hardcoding a user’s passwords inside the binary code for an application. The idea here assumes the application is secure because the attacker won’t read or reverse engineer the password-containing code.

In 1883 the Dutch cryptographer, Auguste Kerckhoffs, published six principles on cryptography, which included one that has become to be known as Kerckhoffs’s principle and that now forms the foundation for open security.

“A cryptosystem should be secure even if everything about the system, except the key, is public knowledge.” — Auguste Kerckhoffs

Claude Shannon, an American mathematician, later refined Kerckhoffs’s principle to what is now known as Shannon’s maxim:

“The enemy knows the system.” — Claude Shannon

In other words, Kerckhoffs’s principle and Shannon’s maxim both articulate that to truly secure a system, all the details of the system should be able to be made public without compromising the security of the system. The security relies on the system itself, not the secrecy of the system.

Cable continues to practice open security across a broad spectrum of initiatives ranging from securing cable modems and DOCSIS® networks to large complex issues like supply chain security.

An early example in the context of cable modems and DOCSIS is the use of the Baseline Privacy Interface (BPI) specification, which uses a public key infrastructure that was adopted in the DOCSIS 1.1 specification. The BPI system, as do other public key systems, rely on the complexity of the encryption algorithms and a pair of keys to secure the data, rather than attempting to hide or obfuscate the data when it is being transmitted.

Public key encryption uses something called asymmetric encryption and is the magic that makes modern encryptions systems like the one used in BPI and other systems secure. Symmetric encryption system such as email passwords use a single key, allowing anyone with the password to access your email. Asymmetric encryption used in public key encryption uses two keys to encrypt and decrypt the data — a public key and private key. Any person can encrypt a message using the receiver’s public key, but that encrypted message can only be decrypted with the receiver’s private key. To keep the system secure only requires keeping the private key private while the public key can be openly distributed.

In addition to the open and transparent DOCSIS and PacketCable™ specifications developed by CableLabs, cable has been using open and transparent standards for broadband developed by the Internet Engineering Task Force, such as the Hyper Transfer Protocol Secure, Secure Socket Layer, and most recently DNS over HTTPs. All these specifications, as well as other IETF security specifications, are developed in an open, transparent forum and practice Shannon’s maxim. Anyone can download the specifications to learn how system security is accomplished not by hiding how it is secured but instead by using complex encryption algorithms like the asymmetric encryption used in public key encryption systems.

Open security protects streaming video too. The cornerstone to digital rights management is an encryption and key management system to ensure only authorized and authenticated clients can retrieve the key to decrypt the streamed video. Unfortunately, streaming videos are sometimes leaked due to poor key management. The cable industry is working with Streaming Video Alliance to identify and develop a set of best practices for securing streaming video, including key management.

The use and development of open source software is another example of open security. Intuitively, open source software may not appear as secure as closed-source, proprietary software. However, security experts have shown that open source is as safe, if not safer, than closed, proprietary software because the code is publicly and freely available for review. This allows end users, their experts, and the open source community at large, to verify that the software does exactly what it claims to do and that there are no “back doors.” The cable industry participates in and sponsors a number of open source projects. If one does a quick search on one of the major open source sites like Github, one will quickly see hundreds of open source code repositories sponsored by the cable industry.

The cable industry is also an active member of the Open Connectivity Foundation (OCF) which combines open standards with open source to improve the security in the Internet of Things. In addition to developing open standards for IoT devices, the OCF supports the IoTivity Lite open source project, which is a reference implementation representing best practices in the development and deployment of the OCF specifications.

Taking it one step further is the O-RAN Alliance, which also includes members from the cable industry. The O-RAN Alliance is a multi-carrier alliance to drive openness in the radio access networks (RAN) of next-generation wireless systems. An open radio access network (O-RAN) is a concept based on interoperability and standardization of RAN elements for white-box hardware and open source software elements from different vendors.

The O-RAN Alliance is developing an O-RAN architecture and set of specifications. In addition to the architecture and specifications, the O-RAN Alliance has released over 1.3M lines of open source code in partnership with the Linux Foundation.

Both the OCF and O-RAN Alliance are examples of industry initiatives applying the principles of open security to secure networks.

With the move to open source, network function virtualization, and long, global supply chains, industry observers have raised questions regarding how to better secure software supply chains. The supply chain security challenges are not limited just to software; these challenges exist across many parts of the broader supply chain. There are multiple initiatives underway to address each of these.

The first initiative, led by the National Telecommunications and Information Administration (NTIA), is a multi-stakeholder process, including cable industry representatives, that is looking at software supply chain transparency. Even though open-source software is open, it is often packaged as a mix of open and proprietary software when it is implemented in products. The NTIA’s multi-stakeholder process is looking at this through an open security lens as it works to develop guidelines for a “Software Bill of Materials” to address software transparency challenges. The underlying idea here is that the end-user of a software product should know the ingredients (e.g., the software components) used to build the product so that the end-user can better assess the risk associated with using the product. The idea is very similar to a nutrition label on food products.

The second initiative, the Information and Communications Technology (ICT) Supply Chain Risk Management Task Force, is sponsored by the Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency and includes members from the cable industry. The task force was chartered to look at broader supply chain security issues, including how to prevent products and services from being sabotaged by a party in the supply chain, for example through the use of backdoors in the software or fraudulent parts, among other issues.

The task force is in the second year of its two-year charter and is working on recommendations in the following areas:

  • bi-directional sharing of supply chain risk information between government and industry;
  • threat-based evaluation of ICT supplies, products, and services;
  • qualified bidder and manufacturer lists; and
  • vendor evaluation.

The top-line goal for each of the workstreams is to identify mechanisms to inject more transparency into the supply chain for the end-consumer in order to improve the overall security of the supply chain and the systems it supplies.

These are just a few examples of how the cable industry has applied and continues to work toward open security. Open security has and will continue to be applied broadly across the cable industry.


Matt Tooley

Matt Tooley,
Vice President,
Broadband Technology,
NCTA

 

Matt is currently Vice President of Broadband Technology at the NCTA — The Internet & Television Association.  At the NCTA, Matt provides technical expertise on all areas of broadband technology and cybersecurity to the NCTA and its members in support of technology and public policy.


 

Shutterstock