91 research outputs found

    Specifications for a Componetised Digital Rights Management (DRM) Framework

    This document lays out the specifications for a componentised DRM system. Requirements for a general DRM system are discussed, and we detail a set of components that address these requirements. This document also details the specific services that should be offered by each component and specifies the communication protocols and contents of these messages. Each of the components of the DRM system is a fully fledged web service, and thus some of these components can be used in areas other than DRM. Furthermore, we envisage existing services, such as Certificate Authorities, easily fitting into our proposed framework.

    Building a Secure Intranet

    This thesis will explain the vulnerabilities of computers in a networking environment and demonstrate proper procedures for building a secure Intranet. The Internet is built around the concept of open communication. Data is shared around the globe just as easily as it is from one office or cubicle to the next. Corporations are skeptical about putting company data on such a public transport mechanism as the Internet, but the tools used on the Internet are exciting and everyone wants to use them. Out of a desire for the best of both worlds, the Intranet was born. An intranet that has no connection to the Internet can safely make a significant amount of company data available to employees, but when hosts are connected to the Internet, things change. Each application on the Internet comes with a threat to a company's data. More office managers would probably install and use an Intranet if they understood them better and trusted them more. The purpose of this paper is to educate the non-technical manager in the subject of Internet applications and security mechanisms so that he or she can make an informed decision about installing an Intranet. There is so much software available for building and securing a Web site that many feel overwhelmed at the prospect of getting started. The goal will be to define the terms and acronyms used in this technology, and to evaluate the services and software available for building a secure Intranet. Securing a Web site requires some knowledge of TCP/IP, routers, firewalls and data encryption. These subjects will be covered at an introductory level with the goal of enabling the reader to understand the issues involved. The work will terminate in a project that builds an Intranet that shares data with a selective audience while securing it from others. The hardware and software configuration will be documented as a sample that can be duplicated in any office environment. 
The Web site will be built using some HTML coding to demonstrate the complexity of the language and some high-level software that demonstrates the value of these new tools. Two security specialists evaluated the project. They agreed that an Intranet built with the specifications in the project would be functional and secure

    Securing the Drop-Box Architecture for Assisted Living

    Home medical devices enable individuals to monitor some of their own health information without the need for visits by nurses or trips to medical facilities. This enables more continuous information to be provided at lower cost and will lead to better healthcare outcomes. The technology depends on network communication of sensitive health data. Requirements for reliability and ease-of-use provide challenges for securing these communications. In this paper we look at protocols for the drop-box architecture, an approach to assisted living that relies on a partially-trusted Assisted Living Service Provider (ALSP). We sketch the requirements and architecture for assisted living based on this architecture and describe its communication protocols. In particular, we give a detailed description of its report and alarm transmission protocols and give an automated proof of correspondence theorems for them. Our formulation shows how to characterize the partial trust vested in the ALSP and use the existing tools to verify this partial trust

    Electronic Mail: What Leaders Need to Know

    Electronic mail (email) was introduced to the business environment in the early 1970's. It was estimated that 130 million workers sent approximately 2.8 billion messages every day in 2000. Today, leaders all across the nation are installing email systems in their organizations. Many leaders understand the benefits but they do not understand the risks of implementing an email system. Some of the issues and risks to an organization may be: lack of rules for proper use, personal use on company time, perceptions of privacy, lack of confidentiality, and legal liability to the organization. Leaders may reduce the risk to their organization when installing email by: training staff on the proper use of email, educating staff on the difference between written, oral and email communication, and implementing an organizational policy for the use of email. Leaders should understand all aspects of this bringing it into their organization

    Security Improvements for the Automatic Identification System

    The Automatic Identification System (AIS) is used aboard the vast majority of sea-going vessels in the world as a collision avoidance tool. Currently, the AIS operates without any security features, which makes it vulnerable to exploits such as spoofing, hijacking, and replay attacks by malicious parties. This paper examines the work that has been done so far to improve AIS security, as well as the approaches taken on similar problems in the aircraft and vehicular mobile ad-hoc network (MANET) industries. The first major contribution of this paper is the implementation of a Software Defined Radio (SDR) AIS transmitter and receiver which can be used to conduct vulnerability analysis and test the implementation of new security features. The second contribution is the design of a novel authentication protocol which overcomes the existing vulnerabilities in the AIS system. The proposed protocol uses time-delayed hash-chain key disclosures as part of a message authentication code (MAC) appended to automatic position reports to verify the authenticity of a user. This method requires only one additional time slot for broadcast authentication compared to the existing standard and is a significant reduction in message overhead requirements compared to alternative approaches that solely rely on public key infrastructure (PKI). Additionally, there is an embedded time stamp, a feature lacking in the existing system, which makes this protocol resistant to replay attacks. A test implementation of the proposed protocol indicates that it can be deployed as a link layer software update to existing AIS transceivers and can be deployed within the current AIS technical standards as an expanded message set.

    Secrecy and Signatures—Turning the Legal Spotlight on Encryption and Electronic Signatures

    Paper presented by Hogg on encryption and electronic signatures, 2000

    An investigation into tools and protocols for commercial audio web-site creation

    This thesis presents a feasibility study of a Web-based digital music library and purchasing system. It investigates the current status of the enabling technologies for developing such a system. An analysis of various Internet audio codecs, streaming audio protocols, Internet credit card payment security methods, and ways for accessing remote Web databases is presented. The objective of the analysis is to determine the viability and the economic benefits of using these technologies when developing systems that facilitate music distribution over the Internet. A prototype of a distributed digital music library and purchasing system named WAPS (for Web-based Audio Purchasing System) was developed and implemented in the Java programming language. In this thesis both the physical and the logical component elements of WAPS are explored in depth so as to provide an insight into the inherent problems of creating such a system, as well as the overriding benefits derived from the creation of such a system

    Providing cryptographic security and evidentiary chain-of-custody with the advanced forensic format, library, and tools

    This paper presents improvements in the Advanced Forensics Format Library version 3 that provide for digital signatures and other cryptographic protections for digital evidence, allowing an investigator to establish a reliable chain-of-custody for electronic evidence from the crime scene to the court room. No other system for handling and storing electronic evidence currently provides such capabilities. This paper discusses implementation details, user level commands, and the AFFLIB programmer's API. Approved for public release; distribution is unlimited.

    Design principles and patterns for computer systems that are simultaneously secure and usable

    Thesis (Ph. D.)--Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, 2005. This electronic version was submitted by the student author. The certified thesis is available in the Institute Archives and Special Collections. Includes bibliographical references (p. 429-464) and index. It is widely believed that security and usability are two antagonistic goals in system design. This thesis argues that there are many instances in which security and usability can be synergistically improved by revising the way that specific functionality is implemented in many of today's operating systems and applications. Specific design principles and patterns are presented that can accomplish this goal. Patterns are presented that minimize the release of confidential information through remnant and remanent data left on hard drives, in web browsers, and in documents. These patterns are based on a study involving the purchase of 236 hard drives on the secondary market, interviews conducted with organizations whose drives had been acquired, and through a detailed examination of modern web browsers and reports of information leakage in documents. Patterns are presented that enable secure messaging through the adoption of new key management techniques. These patterns are supported through an analysis of S/MIME handling in modern email clients, a survey of 469 Amazon.com merchants, and a user study of 43 individuals. Patterns are presented for promoting secure operation and for reducing the danger of covert monitoring. These patterns are supported by the literature review and an analysis of current systems. In every case considered, it is shown that the perceived antagonism of security and usability can be scaled back or eliminated by revising the underlying designs on which modern systems are conceived. In many cases these designs can be implemented without significant user interface changes. 
The patterns described in this thesis can be directly applied by today's software developers and used for educating the next generation of programmers so that longstanding usability problems in computer security can at last be addressed. It is very likely that additional patterns can be identified in other related areas. By Simson L. Garfinkel. Ph.D.