Cryptographic Modes of Operation for the Internet

Modes that may be appropriate and secure in one application or environment sometimes fail badly in others. This is especially true of stream modes where, e.g., re-use of the same segment of keystream to protect different plaintext renders the cipher insecure. The circumstances that can render a mode insecure are not always obvious, nor are the relevant characteristics of a particular application always apparent. Application and protocol designers, even those with experience and training in cryptography, cannot be expected to always identify accurately the requirements that must be met for a mode to be used securely or the conditions that apply to the application at hand. We strongly urge that, for each adopted mode, the standard include a clear statement of the requirements and assumptions that must be met in order for the mode to be used securely and what security properties the mode can be assumed to have and not have. Furthermore, we urge that detailed examples of acceptable and unacceptable application for each mode be provided as well. In this draft, we discuss some of the security properties, and pitfalls, of several proposed stream modes, and we note several ways in which these modes would be difficult to use securely in the context of Internet Network-, Transport- and Application-layer protocols

Steganographic Timing Channels

This paper describes steganographic timing channels that use cryptographic primitives to hide the presence of covert channels in the timing of network traffic. We have identified two key properties for steganographic timing channels: (1) the parameters of the scheme should be cryptographically keyed, and (2) the distribution of input timings should be indistinguishable from output timings. These properties are necessary (although we make no claim they are sufficient) for the undetectability of a steganographic timing channel. Without them, the contents of the channel can be read and observed by unauthorized persons, and the presence of the channel is trivially exposed by noticing large changes in timing distributions – a previously proposed methodology for covert channel detection. Our steganographic timing scheme meets the secrecy requirement by employing cryptographic keys, and we achieve a restricted form of input/output distribution parity. Under certain distributions, our schemes conforms to a uniformness property; input timings that are uniformly distributed modulo a timing window are indistinguishable from output timings, measured under the same modulo. We also demonstrate that our scheme is practical under real network conditions, and finally present an empirical study of its covertness using the firstorder entropy metric, as suggested by Gianvecchio and Wang [8], which is currently the best published practical detection heuristic for timing channels

KeyNote: Trust Management for Public-Key Infrastructures

This paper discusses the rationale for designing a simple trust-management system for public-key infrastructures, called KeyNote. The motivating principles are expressibility, simplicity, and extensibility. We believe that none of the existing public-key infrastructure proposals provide as good a combination of these three factors

Lawful Hacking: Using Existing Vulnerabilities for Wiretapping on the Internet

For years, legal wiretapping was straightforward: the officer doing the intercept connected a tape recorder or the like to a single pair of wires. By the 1990s, however, the changing structure of telecommunications—there was no longer just “Ma Bell” to talk to—and new technologies such as ISDN and cellular telephony made executing a wiretap more complicated for law enforcement. Simple technologies would no longer suffice. In response, Congress passed the Communications Assistance for Law Enforcement Act (CALEA) which mandated a standardized lawful intercept interface on all local phone switches. Since its passage, technology has continued to progress, and in the face of new forms of communication—Skype, voice chat during multiplayer online games, instant messaging, etc.—law enforcement is again experiencing problems. The FBI has called this “Going Dark”: their loss of access to suspects’ communication. According to news reports, law enforcement wants changes to the wiretap laws to require a CALEA-like interface in Internet software. CALEA, though, has its own issues: it is complex software specifically intended to create a security hole—eavesdropping capability—in the already-complex environment of a phone switch. It has unfortunately made wiretapping easier for everyone, not just law enforcement. Congress failed to heed experts’ warnings of the danger posed by this mandated vulnerability, and time has proven the experts right. The so-called “Athens Affair,” where someone used the built-in lawful intercept mechanism to listen to the cell phone calls of high Greek officials, including the Prime Minister, is but one example. In an earlier work, we showed why extending CALEA to the Internet would create very serious problems, including the security problems it has visited on the phone system. In this paper, we explore the viability and implications of an alternative method for addressing law enforcements need to access communications: legalized hacking of target devices through existing vulnerabilities in end-user software and platforms. The FBI already uses this approach on a small scale; we expect that its use will increase, especially as centralized wiretapping capabilities become less viable. Relying on vulnerabilities and hacking poses a large set of legal and policy questions, some practical and some normative. Among these are: (1) Will it create disincentives to patching? (2) Will there be a negative effect on innovation? (Lessons from the so-called “Crypto Wars” of the 1990s, and in particular the debate over export controls on cryptography, are instructive here.) (3) Will law enforcement’s participation in vulnerabilities purchasing skew the market? (4) Do local and even state law enforcement agencies have the technical sophistication to develop and use exploits? If not, how should this be handled? A larger FBI role? (5) Should law enforcement even be participating in a market where many of the sellers and other buyers are themselves criminals? (6) What happens if these tools are captured and repurposed by miscreants? (7) Should we sanction otherwise illegal network activity to aid law enforcement? (8) Is the probability of success from such an approach too low for it to be useful? As we will show, these issues are indeed challenging. We regard the issues raised by using vulnerabilities as, on balance, preferable to adding more complexity and insecurity to online systems

Moving Targets: Geographically Routed Human Movement Networks

We introduce a new communication paradigm, Human-to-human Mobile Ad hoc Networking (HuManet), that exploits smartphone capabilities and human behavior to create decentralized networks for smartphone-to-smartphone message delivery. HuManets support stealth command-and-control messaging for mobile BotNets, covert channels in the presence of an observer who monitors all cellular communication, and distributed protocols for querying the state or content of targeted mobile devices. In this paper, we introduce techniques for constructing HumaNets and describe protocols for efficiently routing and addressing messages. In contrast to flooding or broadcast schemes that saturate the network and aggressively consume phone resources (e.g., batteries), our protocols exploit human mobility patterns to significantly increase communication efficiency while limiting the exposure of HuManets to mobile service providers. Our techniques leverage properties of smartphones – in particular, their highly synchronized clocks and ability to discern location information – to construct location profiles for each device. HuManets’ fully-distributed and heuristic-based routing protocols route messages towards phones with location profiles that are similar to those of the intended receiver, enabling efficient message delivery with limited effects to end-to-end latency

Trust Management for IPsec

IPsec is the standard suite of protocols for network-layer confidentiality and authentication of Internet traffic. The IPsec protocols, however, do not address the policies for how protected traffic should be handled at security end points. This article introduces an efficient policy management scheme for IPsec, based on the principles of trust management. A compliance check is added to the IPsec architecture that tests packet filters proposed when new security associations are created for conformance with the local security policy, based on credentials presented by the peer host. Security policies and credentials can be quite sophisticated (and specified in the trust-management language), while still allowing very efficient packet-filtering for the actual IPsec traffic. We present a practical portable implementation of this design, based on the KeyNote trust-management language, that works with a variety of UNIX-based IPsec implementations. Finally, we discuss some applications of the enhanced IPsec architecture

TAPI: Transactions for Accessing Public Infrastructure

This paper describes TAPI, an offline scheme intended for general Internet-based micropayments. TAPI, which extends and combines concepts from the KeyNote Microchecks and OTPCoins architectures, encodes risk management rules in bank-issued users' credentials which are in turn used to acquire small-valued payment tokens. The scheme has very low transaction overhead and can be tuned to use different risk strategies for different environments and clients

Efficient, DoS-Resistant, Secure Key Exchange for Internet Protocols

We describe JFK, a new key exchange protocol, primarily designed for use in the IP Security Architecture. It is simple, efficient, and secure; we sketch a proof of the latter property. JFK also has a number of novel engineering parameters that permit a variety of trade-offs, most notably the ability to balance the need for perfect forward secrecy against susceptibility to denial-of-service attacks

Dynamic Trust Management

Trust management forms the basis for communicating policy among system elements and demands credential checking for access to all virtual private service resources—along with careful evaluation of credentials against specified policies—before a party can be trusted