Your search keyword '"Message authentication code"' showing total 125 results

1. Digital evidence collection process in integrity and memory information gathering

Author

Seokhee Lee, Hyun-Sang Kim, Jongin Lim, and Sangjin Lee

Subjects

Information privacy, Computer science, business.industry, Public key infrastructure, Computer security, computer.software_genre, Public-key cryptography, Digital evidence, Data integrity, Virtual memory, Message authentication code, business, computer, Core dump

Abstract

In this paper, we inspect general digital evidence collection process which is according to RFC3227 document, and establish specific steps for guaranteeing integrity of digital evidence and memory information collection. EnCase/spl trade/ which was used globally has a weakness that MDC value of digital evidence can be modified, hence we propose MDC public system, MAC system and public authentication system with PKI as a countermeasure. And we explain detail of each system. Besides, we include memory dump process to existing digital evidence collection process, and examine privacy information through dumping real user's memory and collecting pagefile which is part of virtual memory system.

Published

2006

2. Development of personal authentication system using fingerprint with digital signature technologies

Author

Y. Seto, M. Kataoka, and Y. Isobe

Subjects

Authentication, Biometrics, Computer science, business.industry, Fingerprint Verification Competition, Public key infrastructure, Certificate, Computer security, computer.software_genre, Electronic signature, Public-key cryptography, Digital signature, Fingerprint, Data integrity, Physical access, Message authentication code, Smart card, business, computer

Abstract

Authentication based on biometrics is being applied to control physical access to high-security facilities. Recently, with the recent rapid growth of information system technologies, applications for accessing databases or business workflow systems have also begun to use biometrics. These applications need to implement measures to counter threats to security. In the case of authentication through an open network, such as non-face-to-face trading, the integrity of data is important. We have to guarantee the integrity of the registered biometric data. This paper presents a biometrics-based personal authentication system in which a smart card, a public-key infrastructure (PKI) such as an X.509 certificate, and fingerprint verification technologies are combined. We have developed a prototype system in which the system is applied to a business workflow. The proposed system can also be applied to some public-key platforms such as the 'electronic signature act', because our system has been developed on equivalent platforms.

Published

2005

3. Application intrusion detection using language library calls

Author

A.K. Jones and Yu Lin

Subjects

Host-based intrusion detection system, Intrusion, Computer science, System call, Anomaly-based intrusion detection system, Authorization, Message authentication code, Intrusion detection system, Intrusion prevention system, Computer security, computer.software_genre, computer

Abstract

Traditionally, intrusion detection systems detect intrusions at the operating system (OS) level. We explore the possibility of detecting intrusion at the application level by using rich application semantics. We use short sequences of language library calls as signatures. We consider library call signatures to be more application-oriented than system call signatures because they are a more direct reflection of application code. Most applications are written in a higher-level language with an associated support library such as C or C++. We hypothesize that library call signatures can be used to detect attacks that cause perturbation in the application code. We are hopeful that this technique will be amenable to detecting attacks that are carried out by internal intruders, who are viewed as legitimate users by an operating system.

Published

2005

4. Seamless object authentication in different security policy domains

Author

M. Kataoka, Satoru Tezuka, and Ryoichi Sasaki

Subjects

Authentication, Cloud computing security, Computer science, Mobile computing, Covert channel, Distributed object, Computer security model, Computer security, computer.software_genre, Security policy, Security information and event management, Common Object Request Broker Architecture, Security service, Distributed System Security Architecture, Network Access Control, Message authentication code, computer

Abstract

In the trading of intangible goods, there co-exist, from the security policy point of view, several different domains, such as CORBA and Java. In such environments, mobile objects such as Applets, can move freely between domains, which contributes greatly to the dynamic evolution of the distributed computer system. However, there arises a new security problem: there is no way for the mobile objects to move appropriately and seamlessly between the different security policy domains, according to the required rights. This cannot be prevented by the present security functions that are provided in such an environment and in each of the mobile objects. We therefore propose Seamless Object Authentication (SOA), which is: (1) a function which clearly defines the required rights to the mobile object, and (2) a function for the domains to check the mobile objects when they move between domains. We believe that this will lead to the dynamic evolution of the distributed computer system between different security policy domains and provide the basis of a Security Centric System.

Published

2005

5. Implementing the intrusion detection exchange protocol

Author

B. Feinstein, G. Matthews, T. Buchheim, M. Erlinger, J. Betser, R. Pollock, and A. Walther

Subjects

Computer science, computer.internet_protocol, business.industry, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, Intrusion detection system, law.invention, Exchange protocol, Internet protocol suite, law, Application protocol, Internet Protocol, The Internet, Message authentication code, business, computer, Protocol (object-oriented programming), Computer network

Abstract

We describe the goals of the IETF's Intrusion Detection Working Group (IDWG) and the requirements for a transport protocol to communicate among intrusion detection systems. We then describe the design and implementation of IAP the first attempt at such a protocol. After a discussion of IAP's limitations, we discuss BEEP, a new IETF general framework for application protocols. We then describe the intrusion detection exchange protocol (IDXP), a transport protocol designed and implemented within the BEEP framework that fulfills the IDWG requirements for its transport protocol. We conclude by discussing probable future directions for this ongoing effort.

Published

2005

6. Partitioning attacks: or how to rapidly clone some GSM cards

Author

Pankaj Rohatgi, Josyula R. Rao, Helmut Scherzer, and S. Tinguely

Subjects

Authentication, business.industry, Computer science, Cryptography, Cryptographic protocol, Computer security, computer.software_genre, GSM, Key (cryptography), Message authentication code, Side channel attack, Smart card, business, computer, Computer network

Abstract

In this paper, we introduce a new class of side-channel attacks called partitioning attacks. We have successfully launched a version of the attack on several implementations of COMP128, the popular GSM authentication algorithm that has been deployed by different service providers in several types of SIM cards, to retrieve the 128 bit key using as few as 8 chosen plaintexts. We show how partitioning attacks can be used effectively to attack implementations that have been equipped with ad hoc and inadequate countermeasures against side-channel attacks. Such ad hoc countermeasures are systemic in implementations of cryptographic algorithms, such as COMP128, which require the use of large tables since there has been a mistaken belief that sound countermeasures require more resources than are available. To address this problem, we describe a new resource-efficient countermeasure for protecting table lookups in cryptographic implementations and justify its correctness rigorously.

Published

2005

7. Efficient multicast packet authentication using signature amortization

Author

Howard Jay Siegel, Jung-Min Park, and Edwin K. P. Chong

Subjects

Authentication, Multicast, Computer science, business.industry, Network packet, Distributed computing, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, Hash function, Cryptography, Digital signature, Packet loss, The Internet, Message authentication code, business, Erasure code, Computer network

Abstract

We describe a novel method for authenticating multicast packets that is robust against packet loss. Our main focus is to minimize the size of the communication overhead required to authenticate the packets. Our approach is to encode the hash values and the signatures with Rabin's Information Dispersal Algorithm (IDA) to construct an authentication scheme that amortizes a single signature operation over multiple packets. This strategy is especially efficient in terms of space overhead, because just the essential elements needed for authentication (i.e., one hash per packet and one signature per group of packets) are used in conjunction with an erasure code that is space optimal. To evaluate the performance of our scheme, we compare our technique with four other previously proposed schemes using analytical and empirical results. Two different bursty loss models are considered in the analyses.

Published

2005

8. Expander graphs for digital stream authentication and robust overlay networks

Author

J. D. Tygar, David Zuckerman, and Dawn Song

Subjects

Revocation list, Authentication, business.industry, Computer science, Network packet, Overlay network, Graph theory, Graph, Computer Science::Multimedia, Scalability, Expander graph, Message authentication code, business, Computer Science::Cryptography and Security, Computer network

Abstract

We use expander graphs to provide efficient new constructions for two security applications: authentication of long digital streams over lossy networks and building scalable, robust overlay networks. Here is a summary of our contributions: (1) To authenticate long digital streams over lossy networks, we provide a construction with a provable lower bound on the ability to authenticate a packet - and that lower bound is independent of the size of the graph. To achieve this, we present an authentication expander graph with constant degree. (Previous work used authentication graphs but required graphs with degree linear in the number of vertices.) (2) To build efficient, robust, and scalable overlay networks, we provide a construction using undirected expander graphs with a provable lower bound on the ability of a broadcast message to successfully reach any receiver. This also gives us a new, more efficient solution to the decentralized certificate revocation problem.

Published

2005

9. Talk on activities of security and grid computing service project

Author

Fumio Mizoguchi

Subjects

Authentication, Service (systems architecture), business.industry, Computer science, Interface (Java), Multi-agent system, Computer security, computer.software_genre, Grid, Grid computing, Message authentication code, Project management, business, computer

Abstract

Summary form only given. With the rapid expansion of the GRID environment and the maturing of software technology such as multiagent system, systems that provide commercial services are faced with conventional commercial concerns, namely how to build trust between service owners and users. Authentication and authorization must be enforced on the use and provision of services. Based on our experiences, we introduce an authorization-based trust model (ABTM) (W. Wen et al., 2000) for such an environment, and then introduce a graphic-based authentication interface.

Published

2005

10. A semifragile watermark scheme for image authentication

Author

Xiang Zhou, Daoxian Wang, and Xiaohui Duan

Subjects

Theoretical computer science, business.industry, Computer science, Data_MISCELLANEOUS, ComputingMethodologies_IMAGEPROCESSINGANDCOMPUTERVISION, ComputingMilieux_LEGALASPECTSOFCOMPUTING, Watermark, Cryptography, computer.file_format, Lossy compression, Encryption, JPEG, Computer vision, Message authentication code, Artificial intelligence, business, computer, Digital watermarking, Data compression

Abstract

In this paper, a semifragile watermarking scheme for image authentication is proposed, which addresses the issue of protecting images from illegal manipulations and modifications. The scheme extracts a signature (watermark) from the original image and inserts this signature back into the image, avoiding additional signature files. The error correction coding (ECC) is used to encode the signatures that are extracted from the image. To increase the security of this scheme, user's private key is employed for encryption and decryption of the watermark during watermark extraction and insertion procedures. Experimental result shows that if there is no change in the obtained image, the watermark will be correctly extracted, thus will pass through the authentication system. This scheme is tolerant of lossy compression such as JPEG, but malicious changes of the image will result in the breach of the watermark detection. In addition, this scheme can detect the exact locations, which are illegal modified blocks.

Published

2004

11. A hierarchical signature scheme for robust video authentication using secret sharing

Author

Ee-Chien Chang, Pradeep K. Atrey, Mohan S. Kankanhalli, and Wei Qi Yan

Subjects

Authentication, Digital signature, business.industry, Computer science, Video tracking, ComputingMethodologies_IMAGEPROCESSINGANDCOMPUTERVISION, Inter frame, Message authentication code, Cryptography, business, Secret sharing, Digital watermarking, Computer network

Abstract

Ensuring the integrity of a digital video is an important and challenging research problem arising out of many video applications. In this paper, we present a hierarchical framework for video authentication based on cryptographic secret sharing that protects a video from spatial cropping and temporal jittering, yet is robust against frame dropping in the streaming video scenario. Our algorithm provides a tradeoff between security and robustness by having configurable inputs. The authentication signature is compact and very sensitive against spatial attacks such as region tampering, and interframe attacks like frame replacement, major frame dropping, and frame reordering. Given a video, we identify the key frames based on different energy between the frames. Considering video frames as shares, we compute the secret at three hierarchical levels. The master secret is used as digital signature to authenticate the video. We present extensive experimental results which show the utility of our technique.

Published

2004

12. Dynamic context-aware access control for grid applications

Author

Manish Parashar and Guangsen Zhang

Subjects

Authentication, business.industry, Computer science, Context (language use), Access control, computer.software_genre, Grid, Grid computing, Middleware, Role-based access control, Message authentication code, business, computer, Computer network

Abstract

The emerging grid infrastructure presents many challenges due to its inherent heterogeneity, multidomain characteristic, and highly dynamic nature. One critical challenge is providing authentication, authorization and access control guarantees. We present the SESAME dynamic context-aware access control mechanism for pervasive grid applications. SESAME complements current authorization mechanisms to dynamically grant and adapt permissions to users based on their current context. The underling dynamic role based access control (DRBAC) model extends the classic role based access control (RBAC). We also present a prototype implementation of SESAME and DRBAC with the Discover computational collaboratory and an experimental evaluation of its overheads.

Published

2004

13. Architectural defects of the secure shell

Author

Takamichi Saito, T. Kito, K. Umesawa, and Fumio Mizoguchi

Subjects

Challenge-Handshake Authentication Protocol, Password, Key generation, Authentication, business.industry, Computer science, Secure Shell, Key distribution, Encryption, Computer security, computer.software_genre, Key authentication, S/KEY, Public-key cryptography, ssh-agent, Authentication protocol, Session key, Message authentication code, Pre-shared key, Challenge–response authentication, business, SSH File Transfer Protocol, computer, Key exchange, Computer network

Abstract

Although flaws have been found out in SSH, the Secure Shell, there has been little discussion about its architecture or design safety. Therefore, considering SSH architecture, e.g. the key exchange protocol, user authentication protocols and total design of the SSH, we not only discuss SSH architectural safety but show critical flaws for SSH users. For establishing the SSH connection, before user authentication, the SSH server and client exchange a session key, which can communicate securely. Then, over the secret channel encrypted by the session key, the SSH server authenticates a user in the SSH client using a user's password or public key. However, owing to defects in the SSH protocols and its design, a user can be deprived of their password in the authentication protocol. Moreover, we show that those who use its public key for authentication are exposed to the same risks as password-oriented users.

Published

2004

14. Ubiquitous Internet access control: the PAPI system

Author

D.R. Lopez and R. Castro-Rojo

Subjects

Information privacy, Authentication, business.product_category, Computer access control, business.industry, Computer science, Authorization, Hypermedia, Access control, law.invention, World Wide Web, Software, law, Internet access, The Internet, Message authentication code, business

Abstract

PAPI is a system for providing access control to restricted information resources across the Internet. The authentication mechanisms are designed to be as flexible as possible, allowing each organization to use its own authentication schema, keeping user privacy, and offering information providers data enough for statistics. Access control mechanisms are transparent to the user and compatible with the most commonly employed Web browsers and any operating system. Since PAPI uses standard HTTP procedures, PAPI authentication and access control does not require any specific hardware or software, thus providing users with ubiquitous access to any resource they have right to.

Published

2004

15. A novel Web security evaluation model for a one-time-password system

Author

Ben Soh and A. Joy

Subjects

Password, Password policy, Zero-knowledge password proof, Authentication, Cognitive password, business.industry, Computer science, Salt (cryptography), Password cracking, Authorization, Passphrase, Computer security model, Computer security, computer.software_genre, Internet security, One-time password, Password strength, S/KEY, Message authentication code, Challenge–response authentication, business, computer, Replay attack

Abstract

One-time passwords (OTPs) have the advantage over regular passwords in that they protect legitimate users from replay attacks by generating a different password for each time of authentication. There are two variables that play a major role in creating a secure OTP; they are the passphrase length and the number of times the one-time password should be hashed. It is already a known fact that the larger the passphrase length the better is the security an OTP can offer. However, there is still a lack of quantitative analysis carried out to study how optimal Web security can be achieved. We propose a novel Web security evaluation model that can be used to measure the strength of a one-time password.

Published

2004

16. A secure group key management framework: design and rekey issues

Author

Sahar M. Ghanem and Hussein Abdel-Wahab

Subjects

Public-key cryptography, business.industry, Computer science, Distributed computing, Rekeying, Key distribution, Message authentication code, Encryption, business, Computer network, Group key

Abstract

In many secure group communication models, there exists a group manager that creates the group key and distributes it to every group member. Such group manager is responsible for changing and re-distributing (rekeying) the group key whenever it deems necessary. Many applications will require very fast rekeying so that it is not disruptive to their performance. In this paper, we present a generic software model for secure group key management. We present the main components along with their functionality and interactions. With emphasis on the rekey manager, we discuss two issues that critically impact the rekey time: establishment and maintenance of the logical key hierarchy (LKH), and the key packet construction for a changed key. We show that our novel idea of maintaining balanced LKH as B/sup +/ search tree greatly reduces the number of changed keys compared to an unbalanced LKH. In addition, we show that a rekey packet construction using simple XOR operations between keys instead of the usual encryption technique substantially reduces rekey time. We preformed experiments that demonstrate the effectiveness and feasibility of our approaches.

Published

2004

17. Distributed data authentication

Author

Roberto Tamassia, C.D. Straub, Michael T. Goodrich, and M. Shin

Subjects

Revocation list, Authentication, Digital rights management, Computer science, business.industry, Certificate policy, Computer security, computer.software_genre, Distributed System Security Architecture, Data integrity, Message authentication code, business, computer, Data Authentication Algorithm, Computer network

Abstract

We demonstrate the functionality of a distributed system that supports the wide-scale deployment of an authenticated map. The system can be easily extended to support applications that use authenticated maps, including certificate revocation, document integrity, and digital rights management.

Published

2004

18. Design and performance evaluation of a flexible and efficient server assisted signature protocol

Author

Nazife Baykal and Kemal Bicakci

Subjects

Key generation, business.industry, Computer science, Cheating, Key distribution, Public-key cryptography, Blind signature, Key (cryptography), Verifiable secret sharing, Message authentication code, Key server, business, Protocol (object-oriented programming), Computer network

Abstract

One method to reduce the computational costs of generating public key signatures on constrained devices is to get help from a verifiable server. In this paper, we propose a (verifiable) server assisted signature protocol, which is the first one that totally eliminates public key operations for the ordinary user. Our protocol is also more efficient and flexible in terms of storage since unlike previous ones the user does not need to save the server's signature to prove it's cheating.

Published

2004

19. Secret key cryptography with cellular automata

Author

Pascal Bouvry, Albert Y. Zomaya, and F. Seredynski

Subjects

Pseudorandom number generator, Neural cryptography, Theoretical computer science, business.industry, Computer science, Random number generation, Cryptography, Encryption, Cellular automaton, Set (abstract data type), Symmetric-key algorithm, Cipher, Key (cryptography), Message authentication code, business, Algorithm, Generator (mathematics)

Abstract

Summary form only given. The problem of designing symmetric key algorithms based upon cellular automata (CAs) is considered. As the basic cryptography scheme, the Vernam cipher is applied. The reliability of the Vernam cipher depends highly on the quality of random numbers used in the process of encryption. One dimensional, nonuniform CAs are considered as a generator of a high quality pseudorandom number sequences (PNSs). The quality of PNSs highly depends on a set of applied CA rules. To find such rules, nonuniform CAs with two types of rules are considered. The search of rules is performed using an evolutionary technique called cellular programming. As the result of collective behavior of a discovered set of CA rules, very high quality PNSs are generated. The quality of PNSs outperforms the quality of known one-dimensional CA-based PNS generators used for secret key cryptography. The extended set of CA rules, which was found makes the cryptography system much more resistant to breaking a cryptography key.

Published

2004

20. The unlinkability of randomization-enhanced Chaum's blind signature scheme

Author

Zichen Li

Subjects

Theoretical computer science, Merkle signature scheme, Computer science, Electronic voting, business.industry, Cryptography, Computer security, computer.software_genre, Undeniable signature, Public-key cryptography, Ring signature, Digital signature, Key (cryptography), Blind signature, ComputingMilieux_COMPUTERSANDSOCIETY, Message authentication code, business, computer, Schnorr signature

Abstract

The key issue in e-commerce security is digital signature. Chaum first proposed the concept of blind digital signature, and designed untraceable payments. To avoid threats from chosen-message attacks presented by Coron et al. (1999), Fan et al. (2000) proposed a randomization enhanced Chaum blind signature scheme, by injecting a random factor into messages. In this paper, we first formally define the unlinkability of the blind signature scheme. According to this definition, we prove that Fan's scheme does not possess the unlinkablity property: after the message and signature have been revealed to the public by the sender, the signer can trace the corresponding blinded message and signature by constructing a linkage between the message and the blind message. Therefore, Fan's scheme cannot provide true blind signatures.

Published

2004

21. Dynamic trust-based resource allocation

Author

P.A. Muckelbauer, T. Hughes, and M. Junod

Subjects

Authentication, Trustworthiness, Computer science, Resource allocation, Trust anchor, Message authentication code, Resource management, Computational trust, Time based, Computer security, computer.software_genre, computer

Abstract

Summary form only given. DyTR is an approach to trust that goes beyond traditional authentication-based techniques, in which the trustworthiness of entities in a system adapts over time based on system events. Using a socio-cognitive model of trust, DyTR provides an adaptive trust-assessment methodology that allocates resources dynamically to an initial level of credentials, continually assesses trust, and adaptively allocates resources in accordance with changes in perceived trust. DyTR tightly couples this continually assessed trust with low-level resource-allocation mechanisms to ensure that requesting entities are trusted and, thus, permitted to use system resources. If a requesting entity exhibits suspicious behavior, DyTR degrades its level of trust for that entity, and subsequently reduces that entity's access to system resources, so that other critical resources can continue to operate. This paper features a coalition naval fleet simulation in which DyTR dynamically assesses the trustworthiness of coalition entities and uses trust assessments to regulate weapon, sensor, and communication pathway resource allocations.

Published

2004

22. Are e-commerce users defenceless?

Author

Matjaž Pančur, Mojca Ciglarič, Tone Vidmar, and M. Trampus

Subjects

Web server, Transport Layer Security, Exploit, Computer science, business.industry, Client-side, computer.software_genre, Computer security, Application software, Electronic mail, World Wide Web, Pre-play attack, The Internet, Message authentication code, business, computer, Server-side

Abstract

We are interested in new ways of threats and attack on the e-commerce. The server side of e-commerce platform is usually very well protected and secured. Unfortunately, this is not true for the client side. End users are usually undereducated in the field of computer security. They use Internet clients such as Web browsers and e-mail programs to do their e-commerce business. Their platform that is used to run these programs can hardly be trusted. This paper focuses on the attacks on system and application infrastructure. The main idea of our approach is to take advantage of existing applications and attack them while they are executing. We analyze the steps that need to be taken in such attacks and point out the properties of the applications and execution environments that can be exploited. To demonstrate the findings, we present two case studies of such attacks. The first exploits a Web browser which uses SSL (Secure Sockets Layer) and the second an e-mail client which uses digital signatures. In both cases we are able to successfully perform the attack which escapes the end user's notice. In the final part of the paper we present a possible defence against such attack together with our work on a security enforcement system.

Published

2004

23. Efficient and scalable infrastructure support for dynamic coalitions

Author

Michael T. Goodrich and R. Tarnassia

Subjects

Authenticated data structures, Collaborative software, Work (electrical), business.industry, Computer science, Distributed computing, Scalability, Authorization, Message authentication code, Military computing, business, Data structure, Data science

Abstract

We overview our work on the subject of authenticated data structures, with applications to the development of a trust infrastructure for dynamic coalitions. We summarize our theoretical and practical contributions and discuss future research directions.

Published

2004

24. Secure authentication watermarking for binary images

Author

A. Afif and Hae Yong Kim

Subjects

Authentication, Theoretical computer science, Computer science, business.industry, Color image, Binary image, ComputingMethodologies_IMAGEPROCESSINGANDCOMPUTERVISION, Watermark, Cryptography, Code (cryptography), Computer vision, Message authentication code, Artificial intelligence, business, Digital watermarking

Abstract

Authentication watermarking is a hidden data inserted into an image, in order to detect any alterations. It seems to be almost impossible to design a really secure authentication watermarking without making use of the solid cryptography theory and techniques. In a cryptography-based authentication watermarking, a message authentication code (or digital signature) of the whole image is computed and the resulting code is inserted into the image itself. However, inserting the code alters the image and consequently its authentication code, invalidating the watermark. To avoid this problem, for gray-scale or color image, usually the least significant bits (LSBs) are cleared, the authentication code of the LSB-cleared image is computed and then the code is inserted into LSBs. Surely, one cannot perform the same procedure for binary images. We propose a quite simple solution for inserting a secure authentication watermarking in dispersed-dot halftone images. This technique can also be applied to any kind of binary images (including clustered-dot halftones), though the visual quality is not as good as when applied to dispersed-dot halftones. The proposed technique can be used with both secret-key or public-key ciphers.

Published

2004

25. Prophylactic, treatment and containment techniques for ensuring active network security

Author

S. Krishnaswamy, A. Hayatnagarkar, W. Morrison, S. Murphy, and Robert N. M. Watson

Subjects

Flexibility (engineering), Authentication, Revocation, business.industry, Computer science, Cryptography, Computer security, computer.software_genre, Distributed System Security Architecture, Network Access Control, Message authentication code, business, computer, Computer network, Active networking

Abstract

The flexibility and power achieved by using active networks come with their own risks - any fault in the active code or the security infrastructure now represents a fault in the network as a whole. Secure containment of active code is necessary in order to ameliorate this risk. This paper describes innovative approaches for recovering from faults in the active code as well as faults in the security infrastructure of an active network. Diverse authentication techniques that provide fail-over when some component of the security infrastructure is unavailable, and compensatory authentication techniques, both prophylactic and treatment-based, are discussed. The paper concludes by outlining an active code revocation architecture that facilitates secure containment of faulty active code within the active network.

Published

2004

26. Pesto flavored security

Author

Feike W. Dillema and T. Stabell-Kulo

Subjects

Revocation, business.industry, Computer science, Access control, Cryptography, Computer security, computer.software_genre, Encryption, Public-key cryptography, Task (computing), Distributed data store, Message authentication code, business, computer

Abstract

We demonstrate that symmetric-key cryptography can be used for both read and write access control. One-time write access can be granted by handing over an encryption key, and our encryption framework allows the revocation of previously granted rights. The number of keys to be managed explicitly grows linearly with the number of access control policies a user defines, making security manageable. The framework is used in the Pesto distributed storage system. In Pesto, policies can be stored the same as other data and the same mechanism can be used to control access to them. Delegation of authority over policies concerning different tasks can then be performed. Separating the different tasks of the system, allows for different tasks to be assigned to different sets of nodes. Nodes need then only be trusted with respect to the specific task(s) they have been assigned with.

Published

2004

27. Building universal profile systems over a peer-to-peer network

Author

Yu-En Lue, Yuh-Jzer Joung, and Shi-Cho Cha

Subjects

Information privacy, business.industry, Internet privacy, Peer-to-peer, computer.software_genre, Computer security, Internet security, Data integrity, Accountability, Message authentication code, The Internet, Monopoly, business, computer

Abstract

We propose personal data backbone (PDB) to provide universal profile services over peer-to-peer networks. The main objective is to bring the control of personal data back to their owners. By using peer-to-peer technology, people can collaborate with one another to establish the services without resorting to a centralized mechanism or corporation, thereby removing concerns such as privacy, security, and monopoly. The peer-to-peer technology also achieves better trust, availability, accountability, and reliability, as compared to the centralized ones.

Published

2004

28. Federation Web: a scheme to compound authorization chains on large-scale distributed systems

Author

J. da Silva Fraga, E.R. de Mello, Frank Siqueira, and Altair Olivo Santin

Subjects

Scheme (programming language), Authentication, Computer science, business.industry, Distributed computing, Public key infrastructure, Public-key cryptography, Scalability, The Internet, Message authentication code, Single point of failure, business, computer, computer.programming_language, Computer network

Abstract

Traditional security systems are not easily scalable and can become single points of failure or performance bottlenecks when used on a large-scale distributed system such as the Internet. This problem occurs also when using a public key infrastructure (PKI) with a hierarchical thrust model. SDSI/SPKI is a PKI that adopts a more scalable trust paradigm, which is focused on the client and based on authorization chains. However, the task of locating the chain that links a client to a server is not completely addressed by SDSI/SPKI. Aiming to overcome this limitation, the paper proposes extensions to the SDSI/SPKI authorization and authentication model. The proposed approach introduces the concept of Federation Webs, which allows the client to build new authorization chains linking it to a server when a direct path does not exist. A prototype implementation of this proposal has shown promising results.

Published

2004

29. Security aspects of wireless heterogeneous databases - protocol, performance, and energy analysis

Author

Ali R. Hurson, H. Haridas, and Yu Jiao

Subjects

Database, Distributed database, Computer science, business.industry, Mobile computing, Authorization, Cryptography, computer.software_genre, Concurrency control, Wireless, Message authentication code, business, computer, Computer network

Abstract

Users have been demanding information "anytime, anywhere". The notion of accessing diverse and autonomous information repositories with different APIs is not accepted. This has necessitated the logical integration of diverse information from different sources with common APIs. Current multi-database researchers have effectively addressed issues such as local autonomy, heterogeneity, transaction management, concurrency control, transparency, and query resolution in a "sometimes, somewhere" environment. The concept of mobility, however, introduces additional complexities and restrictions to multi-database designers. A user accessing data through a remote connection with a portable device has high probability to face issues like reduced capacity network connections, frequent disconnections, and processing and resource restrictions. This work extends the scope of our previous effort in the design of an authorization model for a multi-database system. The authorized summary schema model is used as the underlying paradigm and is extended to provide a secure wireless environment. The proposed system is simulated and the impact of a wireless medium on performance is presented, evaluated, and analyzed.

Published

2004

30. A hypersphere oriented key exchange scheme for multiparty

Author

Chin-Chen Chang and Chao-Wen Chan

Subjects

Scheme (programming language), ComputingMethodologies_PATTERNRECOGNITION, Theoretical computer science, Computer science, Group (mathematics), Telecommunication security, Message authentication code, Hypersphere, computer, Key exchange, computer.programming_language

Abstract

The paper proposes a new key exchange scheme that is based on hyperspherical equation. Each participant fairly contributes a piece of final radius of a hypersphere. Thus, the proposed scheme can be modified to support the dynamic behavior of communication patterns of the peer-to-peer dynamic group.

Published

2004

31. Source authentication in group communication systems

Author

Xin Zhao and Atul Prakash

Subjects

Authentication, Computer science, business.industry, Authorization, Email authentication, Cryptography, Computer security, computer.software_genre, Chip Authentication Program, Digital signature, Authentication protocol, Lightweight Extensible Authentication Protocol, Message authentication code, business, computer, Data Authentication Algorithm, Group key

Abstract

Many group communication systems need to enforce a restriction that limits members are authorized to send messages to the group. Receivers therefore need to authenticate message sources before the received messages are accepted. Source authentication in peer-to-peer systems is trivial: the two communication parties can agree on one pair key and use this key to authenticate each other. However, because the group key is shared by all members in a group system, it is quite challenging to identify the sender and determine its authorization. Furthermore, if the authorization can be changed at run-time, source authentication problem can be even harder. This paper presents a source authentication technique called TTA scheme (Transitive Trust Authentication). TTA supports source authentication as well as dynamic authorization change. In addition, its computation and communication overhead is low.

Published

2004

32. Attribute-based interactions in a distributed authentication and unauthorization infrastructure

Author

D.R. Lopez and R. Castro-Rojo

Subjects

Authentication, Information privacy, Computer access control, Computer science, business.industry, Privacy software, Authorization, Email authentication, Multi-factor authentication, Personalization, World Wide Web, Distributed System Security Architecture, Internet Authentication Service, Message authentication code, The Internet, business

Abstract

This paper presents the experience of the authors with the deployment of a distributed authentication and authorization infrastructure for Web-based services. It introduces the steps in the evolution of the main characteristics of the software in which it is based (PAPI 1.2) as new functionalities were added, due both to user requests and user organization needs. There is also a discussion on how the system is evolving to incorporate a wider range of authentication procedures, to integrate a fully attribute-based approach to authorization, and to enhance personalization while preserving user privacy.

Published

2004

33. Some protocols useful on the Internet from threshold signature schemes

Author

Javier Herranz, Germán Sáez, and Vanesa Daza

Subjects

Theoretical computer science, Computer science, business.industry, Key distribution, Cryptography, Signature (logic), Public-key cryptography, Digital signature, Financial cryptography, Blind signature, Key (cryptography), Message authentication code, Commitment scheme, business, Threshold cryptosystem, Schnorr signature, Computer network

Abstract

In a threshold signature scheme, a group of players shares some secret information in such a way that only those subsets with a minimum number of players can compute a valid signature. In this paper we propose methods to construct some computationally secure distributed protocols from threshold signature schemes. Namely, we construct metering schemes from threshold non-interactive signature schemes. We also show that threshold deterministic signature schemes can be used to design distributed key distribution schemes. Furthermore, the constructed protocols attain some desirable properties and have useful applications on the Internet.

Published

2004

34. Certified e-mail systems using public notice board

Author

Kouichi Sakurai and Kenji Imamoto

Subjects

Information privacy, Notice, Public notice, business.industry, Computer science, Internet privacy, Certification, E-commerce, Computer security, computer.software_genre, Electronic mail, Message authentication code, business, computer, Electronic data interchange

Abstract

When two parties connect via a possibly unreliable network, ensuring fairness becomes a serious problem. To solve this problem, a lot of Certified E-mail systems are proposed. However, user's privacy is not considered in almost all of these systems. In this paper, we propose two Certified E-mail systems using an electronic notice board to realize user's privacy.

Published

2004

35. Towards a logic of privacy-preserving selective disclosure credential protocols

Author

Theodoros Balopoulos and Stefanos Gritzalis

Subjects

Information privacy, Cryptographic primitive, business.industry, Computer science, Authorization, Computer security, computer.software_genre, Credential, Public-key cryptography, Authentication protocol, Message authentication code, business, computer, Formal verification, Selective disclosure

Abstract

This paper presents a first approach towards a logic suited for protocols aiming to achieve selective disclosure of credentials while preserving privacy. The analysis draws from the BAN and related logics by M. Burrows et al (1990) and P. Syverson and I. Cervesanto (2001) that are targeted to aid reasoning about authentication protocols, as well as from formal methods on PKIs by C. Liu et al (2000, 2001) . The families of protocols directly covered are built using selective disclosure certificates, blind signatures and one-way has functions as cryptographic primitives. The logic is able to prove that if the protocol's credentials are properly constructed and signed by trusted issuers, they should convince a verifier; furthermore, it provides a framework on which mechanized attacks against privacy may be attempted by an automatic theorem prover. The runner example is a protocol by J.E. Holt and K.E. Seamons (2002).

Published

2004

36. Practical asymmetric fingerprinting with a TTP

Author

Miguel Soriano, Francesc Sebé, Antoni Martínez-Ballesté, and Josep Domingo-Ferrer

Subjects

Public-key cryptography, business.industry, Computer science, ComputingMilieux_COMPUTERSANDSOCIETY, Message authentication code, Trusted third party, business, Computer security, computer.software_genre, Digital watermarking, computer

Abstract

Fingerprinting schemes allow tracing of illegally redistributed multimedia contents. When using asymmetric fingerprinting, the merchant does not know the marked copy nor the embedded mark, so fraudulent distribution of the content by the merchant - which could lead to framing honest customers - is not possible. A problem with the deployment of classical asymmetric fingerprinting protocols is that they are based on information transfer methods whose implementation is difficult, if not infeasible. We propose an architecture to obtain asymmetric fingerprinting through symmetric (and thus implementable) schemes and a trusted third party (TTP).

Published

2004

37. Supporting digital signatures in mobile environments

Author

S. Campbell

Subjects

Decision support system, Workstation, business.industry, Computer science, Computer security, computer.software_genre, Signature (logic), law.invention, Public-key cryptography, Digital signature, law, Key (cryptography), Message authentication code, Mobile telephony, business, computer

Abstract

Digital signatures, like physical signatures, can verify that a specific user affixed their signature to a document and they can also verify that the document is the same as when the user affixed the digital signature. Digital signature systems (DSS) use public key cryptography methods to create digital signatures. The integrity of the digital signature is tied to the security of the user's private key. As long as the user's private key is secure, then only the user can affix their digital signature to a document. In this paper, we examine methods and risks involved in creating digital signatures on workstations other than the user's primary workstation. The challenge is to allow the user to create a digital signature, which requires their private key, at workstations where we cannot guarantee the key's security.

Published

2004

38. A flexible role-based secure messaging service: exploiting IBE technology for privacy in health care

Author

Keith Alexander Harrison, Pete Bramhall, and Marco Casassa Mont

Subjects

Information privacy, business.industry, Computer science, Internet privacy, Authorization, Public key infrastructure, Cryptography, Encryption, Computer security, computer.software_genre, Identifier, Public-key cryptography, Off-the-Record Messaging, Secure messaging, Message authentication code, business, computer

Abstract

The management of private and confidential information is a major problem for dynamic organizations. Secure solutions are needed to exchange confidential documents, protect them against unauthorized accesses and cope with changes of people's roles and permissions. Traditional cryptographic systems and PKI show their limitations, in terms of flexibility and manageability. This paper describes an innovative technical solution in the area of secure messaging that exploits identifier-based encryption (IBE) technology. It illustrates the advantages against a similar approach based on traditional cryptography and PKI. It discusses a few open issues. Our main contribution is a practical solutions based on IBE technology. A secure messaging system based on IBE has been fully implemented and it is currently used in a trial with a UK health service organization.

Published

2004

39. A procedure for verifying security against type confusion attacks

Author

Catherine Meadows

Subjects

Theoretical computer science, Computer science, business.industry, media_common.quotation_subject, Principal (computer security), Cryptography, Ambiguity, Computer security, computer.software_genre, Notation, Set (abstract data type), Message authentication code, business, Communications protocol, computer, Formal verification, media_common

Abstract

A type confusion attack is one in which a principal accepts data of one type as data of another. Although it has been shown by Heather (et al., 2000) that there are simple formatting conventions that will guarantee that protocols are free from simple type confusions in which fields of one type are substituted for fields of another, it is not clear how well they defend against more complex attacks, or against attacks arising from interaction with protocols that are formatted according to different conventions. In this paper we show how type confusion attacks can arise in realistic situations even when the types are explicitly defined in at least some of the messages, using examples from our recent analysis of the Group Domain of Interpretation Protocol. We then develop a formal model of types that can capture potential ambiguity of type notation, and outline a procedure for determining whether or not the types of two messages can be confused. This work extends our earlier work on the subject in that it includes an explicit model of attacker and defender and extends the informal model of the type confusion attacks in terms of a game between an intruder and a set of honest principals in or earlier work to a more formal model in which actions of intruder and honest principals are described explicitly. This gives us a simpler, more intuitive approach that allows us to calculate probabilities in a more systematic manner, and to compare different intruder strategies and different assumptions about the way in which the protocol is implemented in terms of their effects on type confusion.

Published

2004

40. Fairness in wallets with observer

Author

T. Schwarzpaul and H. Neumann

Subjects

Information privacy, business.industry, Computer science, media_common.quotation_subject, Internet privacy, Electronic cash, Trusted third party, Computer security, computer.software_genre, Electronic money, Cash, ComputingMilieux_COMPUTERSANDSOCIETY, Message authentication code, business, computer, Tamper resistance, media_common, Anonymity

Abstract

We examine the interference of fairness and observers in digital coin systems. Since copying of coins cannot be prevented cryptographically in anonymous off-line coin systems, double-spending detection is one of the major tasks. An observer is a tamper resistant device that prevents double-spending physically. While privacy protection is a desirable property of cash systems, perfect anonymity is not. Perfect anonymity enables criminals to do perfect blackmailing or money laundry according to B. von Solms and D. Naccache (1992). To prevent a perfect crime it has to be possible to revoke the anonymity of customers in case of need. Anonymity revocation is done by a trusted third party. Cash systems that allow anonymity revocation are called fair. We present a coin system which features both observer and fairness. This shows that both concepts do not interfere and can be implemented simultaneously without loss of security.

Published

2004

41. A protocol for programmable smart cards

Author

M. Di Natale, David Corcoran, and Tommaso Cucinotta

Subjects

OpenPGP card, business.industry, Computer science, Interoperability, Cryptography, BasicCard, Computer security model, computer.software_genre, Smart card application protocol data unit, Operating system, Message authentication code, Open Smart Card Development Platform, Smart card, Java Card, business, Protocol (object-oriented programming), computer

Abstract

This paper presents an open protocol for interoperability across multi-vendor programmable smart cards. It allows exposition of on-card storage and cryptographic services to host applications in a unified, card-independent way. Its design, inspired by the standardization of on-card Java language and cryptographic API, has been kept as generic and modular as possible. The protocol security model has been designed with the aim of allowing multiple applications to use the services exposed by the same card, with either a cooperative or a no-interference approach, depending on application requirements. With respect to existing protocols for smart card interoperability, defining sophisticated card services intended to be hard-coded into the device hardware, this protocol is intended to be implemented in software on programmable smart cards.

Published

2004

42. New key improvements and its application to XTR system

Author

Fei Feng, Xiaofeng Chen, and Yumin Wang

Subjects

Theoretical computer science, Multiplicative group, business.industry, Computer science, Computation, Reduction (complexity), Public-key cryptography, Finite field, Blind signature, Key (cryptography), XTR, Message authentication code, Arithmetic, Elliptic curve cryptography, business

Abstract

XTR is a novel public key system based on a method to represent elements of a subgroup of a multiplicative group of a finite field. It integrates most of the advantages of RSA and ECC without any of their limitations. Recently, Lenstra et al. (2000) described an improved while conceptually more complicated method for XTR key representation and present two excellent formulas. In this paper, an original and fundamental method for XTR public key reduction is introduced. The formulas we present seem a little more complicated than those of Lenstra et al., however, the computation is almost the same as that of the previous method, which takes only a small number of operations in the finite field. Meanwhile, we present a fast algorithm for computing the trace, which can be used to construct XTR blind signature schemes.

Published

2003

43. An enhanced authentication key exchange protocol

Author

Chih-Hua Lai, Sheng-Hua Shiau, and Ren-Junn Hwang

Subjects

Network security, Computer science, computer.internet_protocol, Generic Security Service Algorithm for Secret Key Transaction, Key distribution, Cryptography, Access control, Shared secret, Computer security, computer.software_genre, Internet security, Security information and event management, Diffie–Hellman key exchange, Distributed System Security Architecture, Security association, Forward secrecy, Message authentication code, Pre-shared key, Key exchange, Authentication, Cloud computing security, business.industry, Information security, Computer security model, Security service, Network Access Control, Authentication protocol, IPsec, Security through obscurity, Challenge–response authentication, business, computer, Computer network

Abstract

This paper proposes an efficient authentication key exchange protocol. The authentication key exchange is an important issue in information security and network security. It assures two parties to generate shared keys secretly. Many information security and network security techniques provide security based on this shared secret key. The proposed scheme generates multiple shared keys for two parties at a time. It does not only withstand general attacks, also provides perfect forward secrecy. By making comparisons with other method, it takes less computation time.

Published

2003

44. Signature schemes based on two hard problems simultaneously

Author

Chin-Chen Chang, Ching-Te Wang, and Chu-Hsing Lin

Subjects

Post-quantum cryptography, Theoretical computer science, Merkle signature scheme, business.industry, Computer science, ElGamal signature scheme, Baby-step giant-step, Public-key cryptography, EdDSA, Ring signature, Discrete logarithm, Blind signature, Message authentication code, business, Algorithm, Schnorr signature, ElGamal encryption, Computer Science::Cryptography and Security

Abstract

Harn (1994) proposed a signature scheme based on the modified ElGamal scheme and claimed that the security relies on both the factorization and the discrete logarithm. That is, his scheme cannot be broken unless both of the above two problems can be solved simultaneously. Lee and Hwang (1996) showed that an attacker could generate a forged signature on the assumption when the discrete logarithm is solved. Recently, Shao (1998) proposed another two signature schemes, which the security rests on the two problems. In this paper, we propose two improved signature schemes that are really based on two hard problems simultaneously. In addition, the numbers of parameters and computations are reduced in comparison with those of Shao.

Published

2003

45. A non-repudiation message transfer protocol for e-commerce

Author

Stanley Y. W. Su, Seokwon Yang, and Herman Lam

Subjects

business.industry, Computer science, Authorization, E-commerce, Computer security, computer.software_genre, Message switching, chemistry.chemical_compound, Non-repudiation, Security service, chemistry, The Internet, Message broker, Message authentication code, business, computer, Database transaction, Electronic data interchange, Computer network

Abstract

In the business world, exchange of signatures or receipts is a common practice in case of future dispute. Likewise, it is critical in e-commerce applications to have the security service that generates, distributes, validates, and maintains the evidence of an electronic transaction. Quite of number of non-repudiation protocols have been proposed in distributed systems and evaluated based on some evaluation criteria. However, in the context of e-commerce, there are additional evaluation criteria to be considered: fairness to both the message sender and the message receiver with respective to their control over the completion of a transaction, the degree of trust on a third party, and existence dependency on a third-party for dispute settlement on a committed transaction. We identify the set of requirements for a message transfer protocol in e-commerce, and propose a new non-repudiation message transfer protocol that meets these additional criteria. Our protocol protects the confidentiality of message contents such that no unauthorized intermediary is able to see the contents. And, the protocol is superior to other protocols in that continuous existence of the third-party authority is not needed beyond the completion of a message transfer. Furthermore, with respect to the control over the commitment of a transaction, our protocol is fair to both the message sender and the receiver.

Published

2003

46. Secure transmission of the prescription order communication system based on the internet and the public-key infrastructure using master smart cards in the 2-way type terminal

Author

Byung Ha Ahn and Won Jay Song

Subjects

Computer science, business.industry, education, Public key infrastructure, Communications system, Computer security, computer.software_genre, humanities, Smart card application protocol data unit, Digital signature, The Internet, Message authentication code, Smart card, business, Secure transmission, computer

Abstract

This research paper presents a new system's design and development of the prescription order communication system (POCS) based on the Internet between the hospital and the pharmacy, on the public-key infrastructure, and on the concurrently parallel co-operation with both medical professional's and patient's smart cards in the 2-way type terminal under the synchronized status. Concurrently parallel co-operation method at the synchronized status has been proposed in order to merge the digital signature generated by a medical professional with a patient's prescription data. The digital signatures written by the medical doctors and pharmacists holding and using their individually master smart cards are applied to all contents of the prescription stored on a patient's slave smart card at the synchronized status in the 2-way type terminal. Therefore, digital signatures for all prescriptions stored on the smart card in the developed prototype system should effectively he used to prevent being altered, forged, and reused by unauthorized users and being repudiated by medical professionals.

Published

2003

47. Streamed or detached triple integrity for a time stamped secure storage system

Author

J. Hughes, A. Apvrille, and V. Girier

Subjects

File Transfer Protocol, Digital signature, Computer science, computer.internet_protocol, Data integrity, Message authentication code, Timestamp, Computer security, computer.software_genre, computer, XML, PATH (variable), Block (data storage)

Abstract

Organizations and companies with integrity concerns for their archivals are currently left with very few and unconvenient solutions. To cope with those needs, a Time Stamped Virtual WORM system has been proposed previously, but only its concepts and theory have been examined yet. Hence, this paper focuses on defining practical block formats to help implement this system in reality. But there are several pitfalls on the path of implementation, and this paper has to be extremely cautious not to introduce any limit - or security flaw into virtual WORMs. With such requirements, two different block formats are successfully defined: a streamed format where security data is inserted within user's documents, and a detached format where security information is written in a different location. Finally, the detached format is studied in the sample case of a tamper-evident FTP server.

Published

2003

48. Distributed authentication for peer-to-peer networks

Author

S. Gokhale and Partha Dasgupta

Subjects

Modular exponentiation, Authentication, Computer science, business.industry, Node (networking), Public key infrastructure, Peer-to-peer, Cryptographic protocol, computer.software_genre, Computer security, Public-key cryptography, Message authentication code, business, computer, Computer network

Abstract

A public key infrastructure is generally (and effectively) used for cryptographically secure authentication in networks. Ad-hoc networks are formed in a haphazard manner. Security services for ad-hoc networks cannot assume the existence of a particular infrastructure. Peer-to-peer technology is promising in addressing security issues in ad-hoc networks. We provide a novel; cryptographically secure representation of trust based on secure groups - troupes. We show how troupes can be constructed in a distributed manner using RSA accumulators. Troupe-membership is verified using the zero-knowledge protocol of modular exponentiation. Each node in a group has an identity within a group, but it is not required to reveal the identity during verification. This trust model is not centrally controlled and can be deployed incrementally in the network. This paper presents protocols and a prototype implementation of the troup based authentication system.

Published

2003

49. On the (non)universality of the one-time pad

Author

Yevgeniy Dodis and J. Spencer

Subjects

Theoretical computer science, Cryptographic primitive, business.industry, Computer science, Cryptography, Cryptographic protocol, Shared secret, Encryption, Computer security, computer.software_genre, One-time pad, Message authentication code, business, computer, Randomness

Abstract

Randomization is vital in cryptography: secret keys should be randomly generated and most cryptographic primitives (e.g., encryption) must be probabilistic. We initiate the quantitative study concerning feasibility of building secure cryptographic primitives using imperfect random sources. Specifically, we concentrate on symmetric-key encryption and message authentication, where the shared secret key comes from an imperfect random source instead of being assumed truly random. In each case, we compare the class of "cryptographic" sources for the task at hand with the classes of "extractable" and "simulatable" sources, where: (1) "cryptographic" refers to sources for which the corresponding symmetric-key primitive can be built; (2) "extractable" refers to a very narrow class of sources from which one can extract nearly perfect randomness; and (3) "simulatable" refers to a very general class of weak random sources which are known to suffice for BPP simulation. For both encryption and authentication, we show that the corresponding cryptographic sources lie strictly in between extractable and simulatable sources, which implies that "cryptographic usage" of randomness is more demanding than the corresponding "algorithmic usage", but still does not require perfect randomness. Interestingly, cryptographic sources for encryption and authentication are also quite different from each other, which suggests that there might not be an elegant way to describe imperfect sources sufficient for "general cryptographic use". We believe that our initial investigation in this new area will inspire a lot of further research.

Published

2003

50. A prototype of security for active networks

Author

Li Zengzhi, Liao Zhigang, and Kou Ya-nan

Subjects

Network architecture, Security service, Distributed System Security Architecture, Computer science, Network security, business.industry, Network Access Control, Message authentication code, Cryptography, business, Active networking, Computer network

Abstract

As a new programmable network architecture, the active network supports the development, verification and deployment of new network protocols and services. It is not used widely as we expected. The main reason is that its security has not been resolved. We introduce an active network security prototype designed by a pluggable module. It implements three aspects of security, including cryptography and digital signatures; authentication and authorization; revocation; etc. Especially, cryptography solves the integrity and confidentiality of active codes, and the decode mode implements cryptography's replacement and extensibility. Our system is dual nonrepudiation on both. Nonrepudiation on both is that the sender cannot deny that he sends the message; dual nonrepudiation means that nonrepudiation has been done in digital signature authentication and authorization authentication. The section of revocation designed according to the active network guarantees the validity of active code's execution. We measured latency and throughput of the experimental active network on two services: a prototype for active networks, a prototype of security for active networks. In fact, the security techniques applied in our system have little influence on the latency and throughput of active networks.

Published

2003