Entity Authentication and Key Distribution, 1993
Cited by 388 (12 self)
Entity authentication and key distribution are central cryptographic problems in distributed computing -- but up until now, they have lacked even a meaningful definition. One consequence is that incorrect and inefficient protocols have proliferated. This paper provides the first treatment of these problems in the complexity-theoretic framework of modern cryptography. Addressed in detail are two problems of the symmetric, two-party setting: mutual authentication and authenticated key exchange. For each we present a definition, protocol, and proof that the protocol meets its goal, assuming the (minimal) assumption of pseudorandom function. When this assumption is appropriately instantiated, the protocols given are practical and efficient.
Modelling a Public-Key Infrastructure, 1996
Cited by 112 (2 self)
A global public-key infrastructure (PKI), components of which are emerging in the near future, is a prerequisite for security in distributed systems and for electronic commerce. The purpose of this paper is to propose an approach to modelling and reasoning about a PKI from a user Alice's point of view. Her view, from which she draws conclusions about the authenticity of other entities' public keys and possibly about the trustworthiness of other entities, consists of statements about which public keys she believes to be authentic and which entities she believes to be trustworthy, as well as a collection of certificates and recommendations obtained or retrieved from the PKI. The model takes into account recommendations for the trustworthiness of entities. Furthermore, it includes confidence values for statements and can exploit arbitrary certification structures containing multiple intersecting certification paths to achieve a higher confidence value than for any single c...
Secure Network Objects - In Proceedings of the 1996 IEEE Symposium on Security and Privacy, 1996
Cited by 42 (6 self)
We describe the design and implementation of secure network objects. Secure network objects provide security for object-oriented network communication. Our design supports both access control lists and capabilities; it takes advantage of objects and subtyping to present a simple programming interface for security. Our implementation is reasonably straightforward; in particular, it does not require changes in the structure of network objects. We discuss its internal components, its performance, and its use in some applications. 1 Introduction Object-oriented communication has become popular in distributed systems [2, 22, 8]. With objects or without them, distributed systems typically rely on networks with no low-level support for security; the vulnerability of distributed systems is by now evident and worrisome [23, 4]. A need exists therefore for secure object-oriented communication. We describe the design and implementation of secure network objects. Secure network objects ex...
Designing a Distributed Authorization Service - In Proceedings of IEEE INFOCOM, 1998
Cited by 36 (2 self)
We present the design of a distributed authorization service which parallels existing authentication services for distributed systems. Such a service would operate on top of an authentication substrate. There are two distinct ideas underlying our design: (1) The use of a language, called generalized access control list (GACL), as a common representation of authorization requirements. (2) The use of authenticated delegation to effect authorization offloading from an end server to an authorization server. We present the syntax and semantics of GACL, and illustrate how it can be used to specify authorization requirements that cannot be easily specified by ordinary ACL. We also describe the protocols in our design. 1 Introduction Advances in internetworking have transformed distributed systems into a marketplace of services. Some of the standard services in today's distributed systems include file service, print service, electronic mail service, and so on. Apart from these "system" servi...
The Classification of Hash Functions, 1993
Cited by 22 (3 self)
When we ask what makes a hash function `good', we usually get an answer which includes collision freedom as the main (if not sole) desideratum. However, we show here that given any collision-free function, we can derive others which are also collision-free, but cryptographically useless. This explains why researchers have not managed to find many interesting consequences of this property. We also prove Okamoto's conjecture that correlation freedom is strictly stronger than collision freedom. We go on to show that there are actually rather many properties which hash functions may need. Hash functions for use with RSA must be multiplication free, in the sense that one cannot find X, Y and Z such that h(X)h(Y) = h(Z); and more complex requirements hold for other signature schemes. Universal principles can be proposed from which all the freedom properties follow, but like most theoretical principles, they do not seem to give much value to a designer; at the practical level, the main imp...
Development of Authentication Protocols: Some Misconceptions and a New Approach - Proceedings of IEEE Computer Security Foundations Workshop VII, IEEE Computer, 1994
Cited by 12 (4 self)
Various published authentication protocols that employ symmetric cryptographic algorithms are examined. A number of misconceptions found in the specification, design and implementation of these protocols are revealed. Some misconceptions are considered responsible for definite security flaws, while others are shown to cause weaknesses which may help in attacks on the cryptographic mechanisms. We identify an underlying problem and attempt a remedy by developing a methodology for the development of secure and strong authentication protocols.
SNP: An Interface for Secure Network Programming - IN PROCEEDINGS OF USENIX'94 SUMMER TECHNICAL CONFERENCE, 1994
Cited by 12 (8 self)
SNP provides a high-level abstraction for secure end-to-end network communications. It supports both stream and datagram semantics with security guarantees (e.g., data origin authenticity, data integrity and data confidentiality). It is designed to resemble the Berkeley sockets interface so that security can be easily retrofitted into existing socket programs with only minor modifications. SNP is built on top of GSS-API, thus making it relatively portable across different authentication mechanisms conforming to GSSAPI. SNP hides the details of GSS-API (e.g., credentials and contexts management), the communication sublayer as well as the cryptographic sublayer from the application programmers. It also encapsulates security sensitive information, thus preventing accidental or intentional disclosure by an application program.
An Anonymous On Demand Routing Protocol with Untraceable Routes for Mobile Ad-hoc Networks - in Proc. ACM MobiHoc, 2003
Cited by 9 (0 self)
In hostile environments, the enemy can launch traffic analysis against interceptable routing information embedded in routing messages and data packets. Allowing adversaries to trace network routes and infer the motion pattern of nodes at the end of those routes may pose a serious threat to covert operations. We propose ANODR, an anonymous on-demand routing protocol for mobile ad hoc networks deployed in hostile environments. We address two closely related problems: For route anonymity, ANODR prevents strong adversaries from tracing a packet flow back to its source or destination; for location privacy, ANODR ensures that adversaries cannot discover the real identities of local transmitters. The design of ANODR is based on "broadcast with trapdoor information", a novel network security concept which includes features of two existing network and security mechanisms, namely "broadcast" and "trapdoor information". We use simulations and implementation to validate the effectiveness of our design.
Engineering Access Control for Distributed Enterprise Applications, 2000
Cited by 6 (0 self)
OF THE DISSERTATION ENGINEERING ACCESS CONTROL FOR DISTRIBUTED ENTERPRISE APPLICATIONS by Konstantin Beznosov Florida International University, 2000 Miami, Florida Professor Yi Deng, Major Professor Access control (AC) is a necessary defense against a large variety of security attacks on the resources of distributed enterprise applications. However, to be effective, AC in some application domains has to be fine-grain, support the use of application-specific factors in authorization decisions, as well as consistently and reliably enforce organization-wide authorization policies across enterprise applications. Because the existing middleware technologies do not provide a complete solution, application developers resort to embedding AC functionality in application systems. This coupling of AC functionality with application logic causes significant problems including tremendously difficult, costly and error prone development, integration, and overall ownership of application softwa...

