We consider the authentication of digital streams over a lossy network. The overall approach taken is graph-based, as this yields simple methods for controlling overhead, delay, and the ability to authenticate, while serving to unify many previously known hash- and MAC-based techniques. The loss pattern of the network is defined probabilistically, allowing both bursty and random packet loss to be modeled. Our authentication schemes are customizable by the sender of the stream; that is, within reasonable constraints on the input parameters, we provide schemes that achieve the desired authentication probability while meeting the input upper bound on the overhead per packet. In addition, we demonstrate that some of the shortcomings of previously known schemes correspond to easily identifiable properties of a graph, and hence, may be more easily avoided by taking a graph-based approach to designing authentication schemes.

We have developed a scheme to secure networkattached storage systems against many types of attacks. Our system uses strong cryptography to hide data from unauthorized users; someone gaining complete access to a disk cannot obtain any useful data from the system, and backups can be done without allowing the superuser access to unencrypted data. While denial-of-service attacks cannot be prevented, our system detects forged data. The system was developed using a raw disk, and can be integrated into common file systems. We discuss the design and security tradeoffs such a distributed file system makes. Our design guards against both remote intruders and those who gain physical access to the disk, using just enough security to thwart both types of attacks. This security can be achieved with little penalty to performance. We discuss the security operations that are necessary for each type of operation, and show that there is no longer any reason not to include strong encryption and authentication in network file systems. 1.

Skein [13] is a fast, versatile, and secure hash function that has been submitted as an AHS candidate. One of Skein’s features is that it is backed by security proofs. This paper presents, explains, and justifies the various provable security claims underlying Skein.

We propose a host architecture for secure IP multicast. We identify the basic components of the architecture, describe their functionalities and how they interact with one another. The fundamental design tenets of the proposed architecture are simplicity, modularity, and compatibility with existing protocols and systems. More specifically, we try to re-use existing IPSec mechanisms as far as possible, and extend them when necessary. We also discuss our experiences with implementing the proposed architecture on Linux. 1

Abstract. We present Badger, a new fast and provably secure MAC based on universal hashing. In the construction, a modified tree hash that is more efficient than standard tree hashing is used and its security is proven. Furthermore, in order to derive the core hash function of the tree, we use a novel technique for reducing ∆-universal function families to universal families. The resulting MAC is very efficient on standard platforms both for short and long messages. As an example, for a 64-bit tag, it achieves performances up to 2.2 and 1.3 clock cycles per byte on a Pentium III and Pentium 4 processor, respectively. The forgery probability is at most 2 −52.2.

Mobile IP enables mobile computers to roam transparently in any network. However, the current proposed protocol specification does not support a suitable handoff mechanism to allow a mobile computer to change its point of attachment from one network to another. This paper describes a technique to support thin-client systems with our handoff mechanism while providing subnetwork outage support for a mobile host which makes use of Internet Protocol version 6 (IPv6) and Mobile IP without the need to introduce a new mobility management protocol or make changes to the network infrastructure. Results from handoff experiments show a dramatic reduction in the handoff latency and that mobility support for thin-clients is feasible.

Abstract not found

In environments like the Internet, faults follow unusual patterns, dictated by the combination of malicious attacks with accidental faults such as long communication delays caused by temporary network partitions. In this scenario, attackers can force buffer overflows in order to leave the system in an inconsistent state or to prevent it from doing progress, causing a denial of service. This paper is about the effects that finite memory has on intrusion-tolerant protocols and systems. We present the problem and propose a generic mitigation technique based on repair nodes that reduces the buffer space requirements. An experimental evaluation of the buffer usage with and without this technique is presented, allowing to assess in practice the effects of finite memory in a real, albeit simple, intrusion-tolerant system.