Results 1 - 10 of 15
Secure communications over insecure channels based on short authenticated strings
- In Crypto, 2005
Cited by 74 (2 self)
Abstract. We propose a way to establish peer-to-peer authenticated communications over an insecure channel by using an extra channel which can authenticate very short strings, e.g. 15 bits. We call this SAS-based authentication as for authentication based on Short Authenticated Strings. The extra channel uses a weak notion of authentication in which strings cannot be forged nor modified, but whose delivery can be maliciously stalled, canceled, or replayed. Our protocol is optimal and relies on an extractable or equivocable commitment scheme. This approach offers an alternative (or complement) to public-key infrastructures, since we no longer need any central authority, and to password-based authenticated key exchange, since we no longer need to establish a confidential password. It can be used to establish secure associations in ad-hoc networks. Applications could be the authentication of a public key (e.g. for SSH or PGP) by users over the telephone, the user-aided pairing of wireless (e.g. Bluetooth) devices, or the restore of secure associations in a disaster case, namely when one remote peer had his long-term keys corrupted.
A CORBA-based proxy architecture for mobile multimedia applications
- Proc. 2nd IFIP/IEEE International Conference on Management of Multimedia Networks and Services (MMNS '98), 1998
Cited by 9 (1 self)
Abstract: In many cases users of mobile computers wish to have the same applications running and to have access to the same information as they would when connected to a fixed network. Such transparency is difficult to realise given the differences in the fundamental characteristics of wired and wireless links. These differences, apparent in variations in parameters such as delay, throughput and error rate can have a significant impact on demanding applications such as those which exploit multimedia communications. To overcome these problems, application requirements have to be adapted to match the capabilities of the wireless communication link. One general method of achieving this is the introduction of one or more proxies between the distributed components. This paper presents a generalised architecture for installing and managing proxies in the network in order to enable applications to continue operation in the face of variations in quality of service. The developed architecture is based on the CORBA standard to improve flexibility and acceptance.
Formal Analysis of Kerberos 5
- THEOR. COMP. SCI., SPECIAL, 2006
Cited by 7 (2 self)
We report on the detailed verification of a substantial portion of the Kerberos 5 protocol specification. Because it targeted a deployed protocol rather than an academic abstraction, this multi-year effort led to the development of new analysis methods in order to manage the inherent complexity. This enabled proving that Kerberos supports the expected authentication and confidentiality properties, and that it is structurally sound; these results rely on a pair of intertwined inductions. Our work also detected a number of innocuous but nonetheless unexpected behaviors, and it clearly described how vulnerable the cross-realm authentication support of Kerberos is to the compromise of remote administrative domains.
Deuterium: A system for distributed mandatory access control
- Research Report RC23865, IBM T.J. Watson Research Center, Feb. 2006. In submission, 2006
Cited by 6 (2 self)
We define and demonstrate an approach to securing distributed computation based on a shared reference monitor (Shamon) that enforces mandatory access control (MAC) policies across a distributed set of machines. The Shamon enables local reference monitor guarantees to be attained for a set of reference monitors on these machines. We implement a prototype system on the Xen hypervisor with a trusted MAC virtual machine built on Linux 2.6 whose reference monitor design requires only 13 authorization checks, only 5 of which apply to normal processing (others are for policy setup). We show that, through our architecture, distributed computations can be protected and controlled coherently across all the machines involved in the computation.
Justifying finite resources for adversaries in automated analysis of authentication protocols
- In Workshop on Formal Methods and Security Protocols, 1998
Cited by 6 (2 self)
Authentication protocols (including protocols that provide key establishment) are designed to work correctly in the presence of an adversary that can (1) perform an unbounded number of encryptions (and other operations) while fabricating messages, and (2) prompt honest principals to engage in an unbounded number of concurrent runs of the protocol. The amount of local state maintained by a single run of an authentication protocol is bounded. Intuitively, this suggests that there is a bound on the resources needed to attack the protocol. Such bounds clarify the nature of attacks on these protocols. They also provide a rigorous basis for automated verification of authentication protocols. However, few such bounds are known. This paper defines a language for authentication protocols and establishes two bounds on the resources needed to attack protocols expressible in that language: an upper bound on the worst-case number of encryptions by the adversary, and an exponential lower bound on the worst-case number of concurrent runs of the protocol. The upper bound on encryptions is relative to an upper bound on the number of runs; on-going work on proving such a bound is briefly described.
Kerberos Security With Clocks Adrift
- HISTORY, PROTOCOLS AND IMPLEMENTATION", IN "USENIX COMPUTING SYSTEMS VOLUME 9 NO. 1, WINTER", 1996
Cited by 4 (4 self)
We show that the Kerberos Authentication System can relax its requirement for synchronized clocks, with only a minor change which is consistent with the current protocol. Synchronization has been an important limitation of Kerberos; it imposes political costs and technical ones. Further, Kerberos' reliance on synchronization obstructs the secure initialization of clocks at bootstrap. Perhaps most important, this synchronization requirement limits Kerberos' utility in contexts where connectivity is often intermittent. Such environments are becoming more important as mobile computing becomes more common. Mobile hosts are particularly refractory to security measures, but our proposal gracefully extends Kerberos even to mobile users, making it easier to secure the rest of a network that includes mobile hosts. An advantage of our proposal is that we would not change the Kerberos protocol per se; a special type of preauthentication exchange can convey just enough replay protection to authenticate the initial ticket and its timestamp to an unsynchronized client, without adding process-state to the system's servers.
ID-based Secret-Key Cryptography
- ACM SIGOPS Operating Systems Review, 1998
Cited by 2 (0 self)
This paper introduces ID-based secret-key cryptography, in which secret keys are privately and uniquely binded to an identity. This enables to extend public-key cryptography features at the high throughput rate of secret-key cryptography. As applications, efficient login protocols, an enhanced version of Kerberos, and an ID-based MAC algorithm are presented.
D.: "Kerberos With Clocks Adrift
- History, Protocols and Implementation", in "USENIX Computing Systems Volume 9 no. 1, Winter", 1996
Cited by 2 (0 self)
I used to be Snow White, but I drifted. (Mae West) We show that the Kerberos Authentication System can relax its requirement for synchronized clocks, with only a minor change which is consistent with the current protocol. Synchronization has been an important limitation of Kerberos; it imposes political costs and technical ones. Further, Kerberos' reliance on synchronization obstructs the secure initialization of clocks at bootstrap. Perhaps most important, this synchronization requirement limits Kerberos' utility in contexts where connectivity is often intermittent. Such environments are becoming more important as mobile computing becomes more common. Mobile hosts are particularly refractory to security measures, but our proposal gracefully extends Kerberos even to mobile users, making it easier to secure the rest of a network that includes mobile hosts. An advantage of our proposal is that we would not change the Kerberos protocol per se; a special type of preauthentication exchange can convey just enough replay protection to authenticate the initial ticket and its timestamp to an unsynchronized client, without adding process-state to the system's servers.
Many-to-Many Invocation: A New Paradigm for Ad Hoc Collaborative Systems
This report describes a new and innovative paradigm, Many-to-Many Invocation (M2MI), for building collaborative systems that run in wireless proximal ad hoc networks of fixed and mobile computing devices.
Secure communications between multi-capacity devices with authentication support by network operators

