Protecting Poorly Chosen Secrets from Guessing Attacks, 1993
Cited by 107 (6 self)
In a security system that allows people to choose their own passwords, those people tend to choose passwords that can be easily guessed. This weakness exists in practically all widely used systems. Instead of forcing users to choose well-chosen secrets, which are likely to be difficult to remember, we propose solutions that maintain both user convenience and a high level of security at the same time. The basic idea is to ensure that data available to the attacker is sufficiently unpredictable to prevent an off-line verification of whether a guess is successful or not. We examine common forms of guessing attacks, develop examples of cryptographic protocols that are immune to such attacks, and suggest a systematic way to examine protocols to detect vulnerabilities to such attacks.
Authentication of Mobile Users - IEEE Network, 1994
Cited by 39 (7 self)
Internetworks of the future will allow and promote universal access. Users will be able to access the network at a multitude of access points separated by significant geographic distance and many administrative boundaries. Without a single central authority, a new set of inter-domain security mechanisms is needed to allow users to venture into remote domains while inheriting privileges from their home domain. Solutions addressing this issue must take into account a somewhat contradictory security constraint that calls for strict separation of security domains in order to avoid sharing sensitive user-related security information. In this paper, we propose a generic approach for authenticating mobile users in remote domains that satisfies the domain separation constraint. The protocols described herein can be applied in different mobile-user environments including wireless networks and mobile user services on traditional wireline networks. Keywords: mobility, internetworks, mobile users...
KryptoKnight Authentication and Key Distribution System - In ESORICS '92, LNCS 648, 1993
Cited by 38 (3 self)
This paper describes KryptoKnight, an authentication and key distribution system that provides facilities for secure communication in any type of network environment. KryptoKnight was designed with the goal of providing network security services with a high degree of compactness and flexibility. Message compactness of KryptoKnight's protocols allows it to secure communication protocols at any layer, without requiring any major protocol augmentations in order to accommodate security-related information. Moreover, since KryptoKnight avoids the use of bulk encryption it is easily exportable. Owing to its architectural flexibility, KryptoKnight functions at both endpoints of communication can perform different security tasks depending on the particular network configuration. These and other novel features make KryptoKnight an attractive solution for providing security services to existing applications irrespective of the protocol layer, network configuration or communication paradigm. 1 In...
Towards Security in an Open Systems Federation - In Proceedings of the European Symposium on Research in Computer Security, 1992
Cited by 20 (4 self)
This paper argues that security design for Open Distributed Processing (ODP) would benefit from a shift of focus from the infrastructure to individual servers as the owners and enforcers of security policy. It debates the policy nuances, mechanisms, and protocol design consequences, that would follow from such a change of emphasis. In ODP, physically separate systems federate into heterogeneous networks of unlimited scale, so there can be no central authority, nor ubiquitous security infrastructure. Servers that offer, trade, supply and consume services must maintain their own security policies and defend themselves. For servers to take security policy and enforcement decisions, design is concerned with how they might seek advice and guidance from higher authority. This contrasts with an administrator imposed policy on a closed homogeneous network, where an infrastructure enforces administrator declared access rights to potential clients, including rights to delegate rights.
Authentication Method with Impersonal Token Cards - Proceedings of IEEE Symposium on Research in Security and Privacy, IEEE, 1993
Cited by 8 (0 self)
Traditional methods of user authentication in distributed systems suffer from an important weakness which is due to the low degree of randomness in secrets that human beings can use for identification. Even though weak secrets (passwords and PINs) are typically not exposed in the clear over the communication lines, they can be discovered with off-line brute force attacks based on exhaustive trials. Since such secrets are chosen from a relatively small key space, a determined adversary can try all possible values until a match is found between the trial value and the message recorded from a genuine authentication session. Authentication devices like smartcards and token cards offer an attractive solution by providing a user with a cryptographically strong key for authentication. In contrast to passwords and PINs, the device's key can be chosen from a much larger key space thus making a brute force attack computationally infeasible or, at least, difficult. In this paper we present a nove...
On Simple and Secure Key Distribution - Proceedings of 1993 ACM Conference on Computer and Communications Security, 1993
Cited by 5 (2 self)
Many recent research efforts in computer security focus on constructing provably secure authentication protocols. Although many of the resulting protocols rely on the a priori secure distribution of secret keys, no provably secure key distribution protocols have yet been demonstrated. In this paper, we use an existing secure two-party authentication protocol as a stepping stone for constructing a series of simple and secure key distribution protocols. The protocols are shown to satisfy desired security requirements, using the security properties of the underlying authentication protocol.
Classification of authentication protocols: A practical approach - in Third International Workshop on Information Security, 2000
Cited by 2 (0 self)
Abstract. We propose a simple classification method for public-key based authentication protocols, which consists of identifying several basic properties leading to a large number of generic prototypes for authentication. Most published protocols can be identified as a concrete instance of one of the generic types. The classification method provides a means to clarify the similarities and differences between different concrete protocols. This facilitates avoidance of previous mistakes when designing a new protocol and allows re-use of analysis of a given abstract protocol when classifying any given concrete protocol.
Secure and Minimal Protocols for Authenticated Key Distribution - Computer Communications Journal, 1995
Cited by 2 (2 self)
The problem of secure key distribution has been the subject of much attention in the recent years. This paper describes a novel method for authenticated key distribution in the distributed systems environment. In particular, a braiding technique for key distribution is introduced. The underlying protocols are extremely compact in both the number of messages and message sizes which facilitates their application at any layer (at lower layers, in particular) in the protocol hierarchy. Furthermore, the protocols are shown to be resistant to a wide range of interleaving attacks. All this is achieved with minimal computational requirements and without the necessity of using traditional encryption (a strong one-way function suffices.) Keywords: Network Security, Network Protocols, Authentication, Key Distribution. 1 Introduction Research in authentication protocols has been fairly active since the publication in the late 1970s of Needham and Schroeder's landmark paper [13]. In it, they prop...
A Case Study on Automation of Verification Logics
Abstract – Formal logics are increasingly used to verify correctness of theories and designs in engineering. However, the process of logic-based verification is complex, tedious and prone to error. This is a serious issue, as a single mistake can render the result of the verification useless. Automated techniques reduce the potential for human errors during verification. This paper presents the theoretical concept of Layered Proving Trees, for the automation of logic-based verification. Verification tools based on Layered Proving Trees result in comparatively simple – but powerful – systems. Empirical results on the performance of a prototype implementation of a layered proving trees verification tool are presented.
Encrypted Key Exchange - ACM Operating Systems Review, 1995
In their recent paper, "Encrypted Key Exchange: Password-based Protocols Secure Against Dictionary Attacks," Bellovin and Merritt propose a novel and elegant method for safeguarding weak passwords. This paper discusses a possible weakness in the proposed protocol, develops some enhancements and simplifications, and provides a security analysis of the resultant minimal EKE protocol. In addition, the basic 2-party EKE model is extended to the 3-party setting; this yields a protocol with some interesting properties. Most importantly, this paper illustrates, once again, the subtlety associated with designing password-based protocols. 1 Introduction The Encrypted Key Exchange paper [1] (hereafter referred to as simply EKE) presents a novel and elegant method of protecting weak secrets from dictionary attacks. It develops several protocol variants based on different underlying cryptosystems, e.g., RSA, El-Gamal, and Diffie-Hellman. The 'generic' version of EKE is illustrated in Figure 1. ...

