A secure internet isn’t science fiction

To reinvent the internet from scratch, to make it safer, faster and more reliable, is impossible, most experts would say. That's one reason why the project Adrian Perrig began building at Carnegie Mellon University in 2009 was called SCI-FI, which is short for “Secure Communications Infrastructure for a Future Internet”. Back then, the young professor couldn't have imagined that ten years later, internet service providers (ISPs), banks and government offices would be interested in his technology.

At first, the team led by Adrian Perrig wasn't even sure whether the internet could be made secure at all. But the researchers persevered until, after a year of hard work, they finally found a solution: an innovative internet architecture that solves many of today's internet problems at once and can be implemented with minimal expenditure. The old name no longer fitted, and thus SCI-FI became SCION, which means “descendant” and stands for “Scalability, Control, and Isolation On Next-generation networks”.

In 2013, Perrig set up a new research group at ETH Zurich to further develop his ambitious project. With each new version of the software, the team achieved a quantum leap: SCION became even more secure, faster and more mature. Since SCION offers enhanced security, even when deployed on a small scale, and interfaces smoothly with the existing internet, the project quickly attracted interest from industry. As early as 2017, several internet service providers and financial institutions in Switzerland wanted to use SCION for their commercial operations. And so Adrian Perrig founded the spin-off Anapaya Systems together with David Basin and Peter Müller, fellow professors at the Department of Computer Science at ETH Zurich.

Today, the company employs some ten people and counts among its customers internet service providers such as Swisscom and SWITCH, as well as financial companies such as SIX and ZKB. Demand continues to rise. “Several major ISPs are interested in SCION,” says Adrian Perrig. “We are also currently setting up a secure communication system via SCION for banks, government offices and healthcare organisations.”

The project is also in demand in the field of research. As the core software is freely available on the internet, researchers and students at ETH and other universities are continually improving SCION’s architecture. “The research groups and the spin-off are working together on this open-source component,” says Perrig. “Other components are distributed exclusively by the company, such as the management system.”

New architecture to eliminate old vulnerabilities

But why reinvent the internet at all? The basic structure of internet communication was established in the 1980s, when no one could have imagined what a central role it would play in society. Moreover, some of the protocols used for data transmission are still the same as they were 25 years ago. This makes the internet vulnerable: data packets can be redirected by cybercriminals, security certificates can be forged and distributed denial-of-service (DDoS) attacks can disrupt internet services by making countless superfluous requests. Even without malicious intentions, problems arise: a simple configuration error on a router can lead to extensive internet outages.

Although there are frequent isolated attempts at solving these issues, they usually only provide symptomatic relief, are accompanied by bandwidth losses or are limited to individual internet domains. Hardly any solutions exist for the global network. “The common view is that it is impossible to change the global internet,” explains Adrian Perrig. “That's why hardly anyone has attempted it aside from us.”

The researchers’ persistence has paid off: SCION prevents DDoS attacks and unauthorised re-routing and makes the internet faster and more reliable. This is accomplished by two means: on the one hand, the internet is divided into subunits; on the other, the routing of data packets, i.e. the way they are forwarded through the network from sender to receiver, functions differently.

The internet consists of a large number of loosely interconnected networks. An example of such a network is an ISP, such as Swisscom or SWITCH, along with all its customers. Communication between the many different networks is particularly susceptible to errors and attacks. It is therefore possible for a data packet en route from Zurich to Berne to be diverted via other countries such as Russia without either the sender or the receiver noticing.

SCION unites several networks at a time into so-called isolation domains (ISDs). The ISDs can, for example, be divided geographically so that all of the Swiss networks belong to a single ISD. Communication between two networks in the same isolation domain does not leave this ISD. Thus, a uniform legal framework is applied to internal data traffic, and sensitive data cannot be diverted via other countries. According to Perrig, there is no cause to be concerned about increasing internet censorship, because another characteristic of SCION is the transparency of the network. “As the end user, you can actually see which path your data packets follow,” he explains. “Any blocking or other interference with the network is therefore clearly visible.”

SCION achieves this transparency by fundamentally changing the routing of data packets. While today packets are passed “blindly” from one router to the next, a SCION data packet “knows” which path it has to follow. Since there are several paths to choose from in each case, the fastest path can be used, whereas data packets in today's internet can be sent on detours or even lost completely due to attacks or routing errors. SCION routers also have the potential to be more time and energy efficient. “If SCION were to be deployed extensively, the internet would need around 5 percent less electricity to be able to operate,” says Adrian Perrig.

Mathematically proven

A secure internet – is that a prospect that is simply too good to be true? “In almost ten years of research, we haven't found any major vulnerabilities in SCION,” says Perrig. “There are new types of attacks that are only possible with SCION, but their consequences are much milder than in today's internet. It's like someone shooting a water gun instead of a real firearm: it's unpleasant, but the damage is minimal.”

Security is a rare commodity in today's internet. Unsurprisingly, every new solution that is claimed to be “secure” is generally viewed with scepticism. The SCION team therefore has to work hard to overcome such doubts, and that is where the other two co-founders of Anapaya Systems come in. Peter Müller is the head of the Chair of Programming Methodology, while David Basin heads the Information Security Group; as experts in their respective fields, their job is to be able to mathematically prove that SCION is secure and functions correctly. As David Basin explains: “A SCION network can be seen as a large distributed system of routers and end hosts that exchange data following specific rules. One can formalise this whole system as a mathematical object and then prove particular properties that it possesses, for example that it is built in such a way that an attacker cannot change the path of a data packet.”

In theory, it is therefore possible to mathematically determine that SCION is able to keep its promises – provided that the individual components, such as the routers, also function exactly to specification. This is Peter Müller's area of expertise: “David's group proves that the system as a whole has certain properties. My team’s objective is to show that each component does what it is supposed to do and that the code is stable and secure.” Combining these two tiers of proof would grant SCION the attribute “fully verified” – a crucial competitive advantage. But it's not that simple. SCION is complex and constantly evolving, which makes proving such elements a difficult task. Nevertheless, the researchers hope to be able to provide complete proof of its attributes in the next few years. According to Basin, the effort is worth it. “This is a way for people to really trust the technology,” he says. “You can be certain that there are no back doors. That is unique.” In addition, formal methods can be used to identify possible improvements to the design of the system and how it is implemented.

Secure internet for ETH Zurich

How long will it be before the entire internet is converted to this promising new technology? “It takes time, sometimes decades, for a new technology to become established,” explains Müller. The biggest hurdles to switching to SCION are administrative. Indeed, the new architecture requires network administrators themselves to be retrained. Obtaining cryptographic certificates also becomes somewhat more demanding: in a system geared towards security, every domain is required to obtain such a certificate. In the light of such obstacles, whether SCION will ever be used worldwide remains to be seen. But, according to Peter Müller, this is not necessarily the main goal. “Every connection via SCION makes communication a little safer,” says the researcher.