Recommended from our members
Using Bloom Filters for Authenticated Yes/No Answers in the DNS
Some aspects of DNSSEC, such as NXDOMAIN error messages, require an authenticated answer. Producing this answer requires complex mechanisms, online storage of the zone's secret key, expensive online computations, or massive zone files. As an alternative, we propose storage of authenticated pointers to Bloom filters. This scheme provides large reductions in the size of, and computational expense to produce, partially-signed zone files.
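The property the abstract relies on is that a Bloom filter has no false negatives: a miss is a proof of absence, so a filter that was signed once, offline, can back an NXDOMAIN without the zone key ever being online, while a hit only means "possibly present" and has to be resolved by the ordinary signed positive answer. The following is an added illustration, not code from the paper: the sizing, the SHA-256-based hashing, the constructed sample zone and the `denial_answer` name are all this example's own choices.

```python
import hashlib
import math
import struct


class BloomFilter:
    """Bloom filter over DNS owner names, sized for n names and a target false-positive rate."""

    def __init__(self, n_items, fp_rate=0.001):
        # Textbook sizing: m bits and k hash functions for the requested rate.
        self.m = max(8, math.ceil(-n_items * math.log(fp_rate) / (math.log(2) ** 2)))
        self.k = max(1, round(self.m / n_items * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    @staticmethod
    def canonical(name):
        # DNS names are case-insensitive; drop the trailing dot so "WWW.Example.Test" == "www.example.test.".
        return name.rstrip(".").lower().encode("ascii")

    def _positions(self, name):
        # k independent positions, each from SHA-256 over a one-byte index plus the canonical name.
        canon = self.canonical(name)
        return [
            int.from_bytes(hashlib.sha256(bytes([i]) + canon).digest()[:8], "big") % self.m
            for i in range(self.k)
        ]

    def add(self, name):
        for p in self._positions(name):
            self.bits[p // 8] |= 1 << (p % 8)

    def __contains__(self, name):
        return all(self.bits[p // 8] & (1 << (p % 8)) for p in self._positions(name))

    def digest(self):
        # What the zone signer would sign offline, once: the parameters plus the bit array.
        return hashlib.sha256(struct.pack(">II", self.m, self.k) + bytes(self.bits)).hexdigest()


# Constructed sample zone for the example (not a real zone).
ZONE_NAMES = [
    "example.test.",
    "www.example.test.",
    "mail.example.test.",
    "ns1.example.test.",
    "ns2.example.test.",
]


def build_zone_filter(names, fp_rate=0.001):
    bf = BloomFilter(len(names), fp_rate)
    for n in names:
        bf.add(n)
    return bf


def denial_answer(bf, qname):
    """'NXDOMAIN' when the filter proves the name absent, else 'LOOKUP'.

    A miss is a definitive negative that the signed filter digest authenticates.
    A hit is not a positive answer: the server must still produce the normal
    signed record, or fall back to a conventional denial mechanism if the name
    turns out to be a false positive.
    """
    return "LOOKUP" if qname in bf else "NXDOMAIN"


def false_positive_rate(bf, probes):
    """Fraction of names that are known to be absent but still hit the filter."""
    return sum(1 for q in probes if q in bf) / len(probes)


if __name__ == "__main__":
    bf = build_zone_filter(ZONE_NAMES)
    print("signed digest:", bf.digest())
    print("www:", denial_answer(bf, "www.example.test."))
    print("absent:", denial_answer(bf, "nonexistent.example.test."))
    print("fp rate over 2000 absent names:", false_positive_rate(bf, [f"absent{i}.example.test." for i in range(2000)]))
```

The false-positive probe is the check a practitioner should run before deploying such a filter: the rate is what bounds how often the cheap denial path cannot be used and the expensive path is taken instead.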
A Technique for Counting NATted Hosts
There have been many attempts to measure how many hosts are on the Internet. Many of those end-points, however, are NAT boxes (Network Address Translators), and actually represent several different computers. We describe a technique for detecting NATs and counting the number of active hosts behind them. The technique is based on the observation that on many operating systems, the IP header's ID field is a simple counter. By suitable processing of trace data, packets emanating from individual machines can be isolated, and the number of machines determined. Our implementation, tested on aggregated local trace data, demonstrates the feasibility (and limitations) of the scheme.
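The core of the technique is sequence reassembly: packets from one external address whose IP IDs form a monotonically increasing counter (modulo 2^16) belong to the same internal host, and the number of disjoint counters is the host estimate. The example below is added here and is not the paper's implementation; the trace is constructed, and the `ID_WINDOW` and `TIME_WINDOW` thresholds are hypothetical tuning values.

```python
"""Estimate hosts behind one NAT from IP ID sequences in a (timestamp, ip_id) trace."""

ID_WINDOW = 32      # hypothetical: largest forward jump accepted between consecutive IDs of one host
TIME_WINDOW = 60.0  # hypothetical: seconds after which a silent stream is no longer extended


def id_gap(prev, cur):
    # Forward distance on the 16-bit ID counter, so 65535 -> 0 is a gap of 1 (wrap-around).
    return (cur - prev) % 65536


def assign_streams(trace, id_window=ID_WINDOW, time_window=TIME_WINDOW):
    """Group packets seen from one external address into per-host counter streams.

    Each packet joins the live stream whose last ID it most plausibly follows
    (smallest forward gap within the window); otherwise it starts a new stream.
    """
    streams = []
    for t, ip_id in sorted(trace):
        best = None
        for s in streams:
            gap = id_gap(s["last_id"], ip_id)
            if 1 <= gap <= id_window and t - s["last_t"] <= time_window:
                if best is None or gap < id_gap(best["last_id"], ip_id):
                    best = s
        if best is None:
            streams.append({"first_id": ip_id, "last_id": ip_id, "last_t": t, "packets": 1})
        else:
            best["last_id"] = ip_id
            best["last_t"] = t
            best["packets"] += 1
    return streams


def estimate_hosts(trace, min_packets=2, **kw):
    """Count streams that look like real counters.

    Singletons are dropped: a host that randomises its IP IDs never forms a
    sequence, so counting every orphan packet would inflate the estimate.
    That randomisation is the main limitation of the technique.
    """
    return sum(1 for s in assign_streams(trace, **kw) if s["packets"] >= min_packets)


# Constructed trace: three hosts behind one NAT, interleaved in time.  One host skips an
# ID (a packet we did not see) and one wraps the counter from 65535 to 0.
SAMPLE_TRACE = [
    (0.00, 1000), (0.01, 52000), (0.02, 65534),
    (0.03, 1001), (0.05, 52001), (0.06, 65535),
    (0.07, 1002), (0.09, 0),     (0.10, 52002),
    (0.12, 1004), (0.13, 1),     (0.15, 52003),
    (0.16, 1005),
]

# Constructed trace from a host whose stack randomises the ID field: no counter is visible.
RANDOM_TRACE = [(0.0, 41233), (0.1, 9), (0.2, 60012), (0.3, 22017), (0.4, 3301), (0.5, 55555)]


if __name__ == "__main__":
    for s in assign_streams(SAMPLE_TRACE):
        print(f"stream {s['first_id']:5d}..{s['last_id']:5d}: {s['packets']} packets")
    print("hosts behind NAT:", estimate_hosts(SAMPLE_TRACE))
    print("random-ID host, raw streams:", len(assign_streams(RANDOM_TRACE)),
          "counted hosts:", estimate_hosts(RANDOM_TRACE))
```

On the sample trace the three counters are recovered as three streams of 5, 4 and 4 packets. On the random-ID trace every packet becomes its own stream and the estimate collapses to zero, which is the failure mode to expect from stacks that do not use a global counter.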
Security and Privacy: Enemies or Allies?
We show ID cards at every juncture. Is this necessary? Is it helpful? Or is it actually harmful, not just to our privacy but to security as well?
On Many Addresses per Host
This document was submitted to the IETF IPng area in response to RFC 1550. Publication of this document does not imply acceptance by the IPng area of any ideas expressed within. Comments should be submitted to the [email protected] mailing list.
The "Session Tty" Manager
In many UNIX systems, it is possible for a program to retain access to the login terminal after the user has logged out. This poses obvious security risks and can also confuse the modem control signals. We solve this for System V by adding a layer of indirection known as the session tty driver. At login time, a session device is linked to the physical terminal. User programs have access to the session device only, and may not open the physical line. Upon logout or carrier drop, the link is severed. New login sessions are given new session devices, and are thus insulated from persistent processes. Use of session devices is controlled by a new system process known as the session manager; by means of suitable plumbing primitives, a "reconnect after line drop" facility can easily be implemented.
Further Information on Miller's 1882 One-Time Pad
New information has been discovered about Frank Miller's 1882 one-time pad. These documents explain Miller's threat model and show that he had a reasonably deep understanding of the problem; they also suggest that his scheme was used more than had been supposed.
Computer Security—An End State?
Over the last several years, popular applications such as Microsoft Internet Explorer and Netscape Navigator have become prime targets of attacks. These applications are targeted because their function is to process unauthenticated network data that often carry active content. The processing is done either by helper applications, or by the web browser itself. In both cases the software is often too complex to be bug-free. To make matters worse, the underlying operating system can do very little to protect the users against such attacks, since the software is running with the user's privileges.
The Security Flag in the IPv4 Header
Firewalls, packet filters, intrusion detection systems, and the like often have difficulty distinguishing between packets that have malicious intent and those that are merely unusual. We define a security flag in the IPv4 header as a means of distinguishing the two cases. (This is RFC 3514, dated 1 April 2003; the flag is satirical, and no filter should rely on it.)
Distributed Firewalls
Conventional firewalls rely on the notions of restricted topology and controlled entry points to function. More precisely, they rely on the assumption that everyone on one side of the entry point (the firewall) is to be trusted, and that anyone on the other side is, at least potentially, an enemy. The vastly expanded Internet connectivity in recent years has called that assumption into question. We propose a "distributed firewall", using IPSEC, a policy language, and system management tools. A distributed firewall preserves central control of access policy, while reducing or eliminating any dependency on topology.
Unconventional Wisdom
We are told that passwords are evil. We are told to change our passwords frequently, and never, never to write them down. We are even told that if you work for most U.S. corporations, frequent password changes are required by law. How much of this is true, and how much is simply mythology? Remarkably enough, the conventional wisdom can be wrong on all of these points, even the first.
- …