Sirius: Securing remote untrusted storage
- in Proc. Network and Distributed Systems Security (NDSS) Symposium 2003, 2003
- Cited by 70 (2 self)
This paper presents SiRiUS, a secure file system designed to be layered over insecure network and P2P file systems such as NFS, CIFS, OceanStore, and Yahoo! Briefcase. SiRiUS assumes the network storage is untrusted and provides its own read-write cryptographic access control for file level sharing. Key management and revocation is simple with minimal out-of-band communication. File system freshness guarantees are supported by SiRiUS using hash tree constructions. SiRiUS contains a novel method of performing file random access in a cryptographic file system without the use of a block server. Extensions to SiRiUS include large scale group sharing using the NNL key revocation construction. Our implementation of SiRiUS performs well relative to the underlying file system despite using cryptographic operations.
Efficient Security Mechanisms for Routing Protocols
- In Proc. NDSS’03, 2003
- Cited by 52 (3 self)
As our economy and critical infrastructure increasingly rely on the Internet, securing routing protocols becomes of critical importance. In this paper, we present four new mechanisms as tools for securing distance vector and path vector routing protocols. For securing distance vector protocols, our hash tree chain mechanism forces a router to increase the distance (metric) when forwarding a routing table entry. To provide authentication of a received routing update in bounded time, we present a new mechanism, similar to hash chains, that we call tree-authenticated one-way chains. For cases in which the maximum metric is large, we present skiplists, which provides more efficient initial computation cost and more efficient element verification; this mechanism is based on a new cryptographic mechanism, called MW-chains, which we also present. For securing path vector protocols, our cumulative authentication mechanism authenticates the list of routers on the path in a routing update, preventing removal or reordering of the router addresses in the list; the mechanism uses only a single authenticator in the routing update rather than one per router address. We also present a simple mechanism to securely switch one-way chains, by authenticating the next one-way chain using the previous one. These mechanisms are all based on efficient symmetric cryptographic techniques and can be used as building blocks for securing routing protocols.
Efficient Protocols for Signing Routing Messages
- 1998
- Cited by 51 (0 self)
In this work, we aim to reduce the computational costs of using public-key digital signatures in securing routing protocols. Two protocols (COSP and IOSP) using one-time digital signatures are introduced to provide the functionality of public-key digital signatures. Our protocols are intended to be used in place of public-key digital signatures for signing all kinds of message exchanges among routers. We obtained more than ten-fold increase in speed compared with public-key signatures. Our protocols overcome the shortcomings identified in previous works, such as timing constraints, limited applications and high storage and computational costs for volatile environments [12].
Authenticating Streamed Data in the Presence of Random Packet Loss (Extended Abstract)
- ISOC Network and Distributed System Security Symposium, 2001
- Cited by 35 (0 self)
We propose a new scheme for authenticating streamed data delivered in real-time over an insecure network. The difficulty of signing live streams is twofold. First, authentication must be efficient so the stream can be processed without delay. Secondly, authentication must be possible even if some packets in the sequence are missing. Streams of audio or video provide a good example. They must be processed in real-time and are commonly exchanged over UDP, with no guarantee that every packet will be delivered. Existing solutions to the problem of signing streams have been designed to resist worst-case packet loss. In practice however, network loss is not malicious but occurs in patterns of consecutive packets known as bursts. Based on this realistic model of network loss, we propose an authentication scheme for streams which achieves better performance as well as much lower communication overhead than existing solutions. We have implemented our constructions as plug-ins to the RealSystem platform from Real Networks to authenticate audio and video streams.
Universally Composable Password-Based Key Exchange
- Advances in Cryptology - Eurocrypt 2005, LNCS, 2005
- Cited by 30 (7 self)
We propose and realize a definition of security for password-based key exchange within the framework of universal composability (UC), thus providing security guarantees under arbitrary composition with other protocols. In addition, our definition captures some aspects of the problem that were not adequately addressed by most prior notions. For instance, our definition does not assume any underlying probability distribution on passwords, nor does it assume independence between passwords chosen by different parties. We also formulate a definition of password-based secure channels, and show how to realize such channels given any password-based key exchange protocol. The password-based key exchange protocol shown here is in the common reference string model and relies on standard number-theoretic assumptions. The components of our protocol can be instantiated to give a relatively efficient solution which is conceivably usable in practice. We also show that it is impossible to satisfy our definition in the “plain” model (e.g., without
Mutual authentication and group key agreement for low-power mobile devices
- in proceedings of the 5th IFIP-TC6/IEEE, MWCN 2003, 2003
- Cited by 26 (1 self)
Wireless networking has the power to fit the Internet with wings, however, it will not take off until the security technological hurdles have been overcome. In this paper we propose a very efficient and provably-secure group key agreement well suited for unbalanced networks consisting of devices with strict power consumption restrictions and wireless gateways with less stringent restrictions. Our method meets practicability, simplicity, and strong notions of security.
On the Efficiency of One-time Digital Signatures
- 1996
- Cited by 24 (0 self)
Digital signature schemes based on a general one-way function without trapdoor offer two potential advantages over digital signature schemes based on trapdoor one-way functions such as the RSA system: higher efficiency and much more freedom in choosing a cryptographic function to base the security on. Such a scheme is characterized by a directed acyclic computation graph and an antichain in a certain partially ordered set defined by the graph. Several results on the achievable efficiency of such schemes are proved, where the efficiency of a scheme is defined as the ratio of the size of messages that can be signed and the number of one-way function evaluations needed for setting up the system. For instance, the maximal achievable efficiency for trees is shown to be equal to a constant γ ≈ 0.4161426 and a family of general graphs with substantially greater efficiency 0.476 is demonstrated. This construction appears to be close to optimal.
Efficient and Fresh Certification
- 2000
- Cited by 24 (0 self)
Electronic commerce is becoming more and more commonplace, but security is still a major concern. To provide security, a good public-key infrastructure (PKI) is needed. However, PKIs have been slow in developing, with one of the major difficulties being the creation of certification authorities (CAs), and in particular, dealing with the problem of certificate revocation. We propose a new solution to this problem. Our solution is based on the idea that individually signed certificates provide little information over any significant time period, given that they may be revoked. That is, after a certain amount of time, a certificate is not useful without some more recent knowledge that it has not been revoked. In all previous work, this has either been handled by off-line/on-line schemes, which require costly updates by the CA for every outstanding certificate for every update period, or by certificate revocation lists/trees. We propose a system called EFECT (Easy Fast Effi...
Strengthening Zero-Knowledge Protocols using Signatures
- In Proceedings of EUROCRYPT ’03, LNCS Series, 2003
- Cited by 23 (6 self)
Recently there has been an interest in zero-knowledge protocols with stronger properties, such as concurrency, unbounded simulation soundness, non-malleability, and universal composability. In this paper,
Direct chosen-ciphertext secure identity-based key encapsulation without random oracles
- In ACISP 2006, 2006
- Cited by 23 (4 self)
We describe a practical identity-based encryption scheme that is secure in the standard model against chosen-ciphertext attacks. Our construction applies “direct chosen-ciphertext techniques” to Waters’ chosen-plaintext secure scheme and is not based on hierarchical identity-based encryption. Furthermore, we give an improved concrete security analysis for Waters’ scheme. As a result, one can instantiate the scheme in smaller groups, resulting in efficiency improvements.

