14 research outputs found

    Security functions for a file repository

    When personal machines are incorporated into distributed systems a new mixture of threats is exposed. The security effort in the MobyDick project is aimed at understanding how privacy can be protected in this new environment. Our claim is that a two-step process for authentication and authorisation is required, but also sufficient. The research vehicle is a distributed file repository.

    Detecting Key-Dependencies

    The confidentiality of encrypted data depends on how well the key under which it was encrypted is maintained. If a session key was exchanged encrypted under a long-term key, exposure of the long-term key may reveal the session key and hence the data encrypted with it. The problem of key-dependencies between keys can be mapped onto connectivity of a graph, and the resulting graph can be inspected. This article presents a structured method (an algorithm) with which key-dependencies can be detected and analysed. Several well-known protocols are examined, and it is shown that they are vulnerable to certain attacks exploiting key-dependencies. Protocols which are free from this defect do exist. That is, when a session is terminated it is properly closed

    Off-line Delegation

    This article describes mechanisms for offline delegation of access rights to files maintained by a distributed File Repository. The mechanisms are designed for a target environment where personal machines are used at times when critical services, such as authentication and authorization services, are not accessible. We demonstrate how valid delegation credentials can be transferred verbally without the use of shared secrets. Our main result shows that delegation of access rights can be accomplished in a system that uses public-key encryption for secrecy and integrity, without forcing the user to rely on a trusted third party, and without requiring connection to the infrastructure. The implementation runs on a contemporary Personal Digital Assistant (PDA); the performance is satisfactory.

    SCIP: A Secure Network Layer under Unix

    This report describes the design and implementation of a secure IP layer under Unix for the Berkeley 4.4 TCP/IP protocol suite. We show how such security features can easily be incorporated into this networking model. Our approach is based on pseudo-network device drivers and encapsulation of IP datagrams. We discuss some related performance issues and how the protocol performance can be improved by kernel optimizations. We summarise the current status of the prototype implementation and give an outline of future extensions.

    1 Introduction

    An increasing problem with network computing is the tradeoff between security and increased availability of resources worldwide. Current trends in distributed and mobile computing and commercial use of global networks, such as the Internet, lead us to believe that network security will be a necessity for the success of public access to services. It will, for example, not be acceptable to carry out "Internet commerce" with remote services if eavesd..

    Authentication and Key Distribution in SCIP: Experience with Secure Protocol Design

    We describe how authentication logics and design rules for secure protocol design have been applied to a network level authentication and key distribution protocol. We show how existing methods for secure protocol design can often be inadequate for the development of a secure protocol with simple properties. The paper is intended as feedback to researchers who are busy developing tools and techniques for secure protocol design, and as a guiding example for systems designers who are in the process of developing new secure protocols.

    1 Introduction

    Design and implementation of secure protocols is a difficult task. If one does not pay careful attention to the initial assumptions and goals of a protocol, it might not carry out its intended task. Many formal techniques and less formal design principles have been proposed in the literature to help system designers develop more secure protocols (e.g., [2, 3, 5, 8, 10, 11]). Far less has been published on experience with applying such m..

    A Secure System Architecture for Software Agents: The Virtual Secretary Approach

    This paper presents the Virtual Secretary system architecture which is an attempt to utilize the potential processing and problem solving strength of software agents while eliminating most of the security risks related to such programs. This is done by the construction of an environment for software agents, including propagation mechanisms, mechanisms for authentication and control, and common user software. A key element in this approach is the propagation of the Virtual Secretary's user model (i.e., a non-executable initialization and control software). A necessary assumption is that an authorised Virtual Secretary body process is present at all possible target hosts in the network, or if not, a secure way to start a new Virtual Secretary body process at a remote host exists. 1 Introductio