TL;DR: This paper describes the beliefs of trustworthy parties involved in authentication protocols and the evolution of these beliefs as a consequence of communication, and gives the results of the analysis of four published protocols.
Abstract: Authentication protocols are the basis of security in many distributed systems, and it is therefore essential to ensure that these protocols function correctly. Unfortunately, their design has been extremely error prone. Most of the protocols found in the literature contain redundancies or security flaws. A simple logic has allowed us to describe the beliefs of trustworthy parties involved in authentication protocols and the evolution of these beliefs as a consequence of communication. We have been able to explain a variety of authentication protocols formally, to discover subtleties and errors in them, and to suggest improvements. In this paper, we present the logic and then give the results of our analysis of four published protocols, chosen either because of their practical importance or because they serve to illustrate our method.
TL;DR: A variety of attacks based on a number of serious security flaws inherent in the TCP/IP protocols are described, including sequence number spoofing, routing attacks, source address spoofing, and authentication attacks.
Abstract: The TCP/IP protocol suite, which is very widely used today, was developed under the sponsorship of the Department of Defense. Despite that, there are a number of serious security flaws inherent in the protocols, regardless of the correctness of any implementations. We describe a variety of attacks based on these flaws, including sequence number spoofing, routing attacks, source address spoofing, and authentication attacks. We also present defenses against these attacks, and conclude with a discussion of broad-spectrum defenses such as encryption.
TL;DR: Usage experience reveals that resource control, particularly of workstation CPU cycles, is more important than originally anticipated and that the mechanisms available to address this issue are rudimentary.
Abstract: Andrew is a distributed computing environment that is a synthesis of the personal computing and timesharing paradigms. When mature, it is expected to encompass over 5,000 workstations spanning the Carnegie Mellon University campus. This paper examines the security issues that arise in such an environment and describes the mechanisms that have been developed to address them. These mechanisms include the logical and physical separation of servers and clients, support for secure communication at the remote procedure call level, a distributed authentication service, a file-protection scheme that combines access lists with UNIX mode bits, and the use of encryption as a basic building block. The paper also discusses the assumptions underlying security in Andrew and analyzes the vulnerability of the system. Usage experience reveals that resource control, particularly of workstation CPU cycles, is more important than originally anticipated and that the mechanisms available to address this issue are rudimentary.
TL;DR: The architecture must be designed to securely support systems that do not implement or use any of the security services, while providing extensive additional security capabilities for those systems that choose to implement the architecture.
Abstract: The Digital Distributed System Security Architecture is a comprehensive specification for security in a distributed system that employs state-of-the-art concepts to address the needs of both commercial and government environments. The architecture covers user and system authentication, mandatory and discretionary security, secure initialization and loading, and delegation in a general-purpose computing environment of heterogeneous systems where there are no central authorities, no global trust, and no central controls. The architecture prescribes a framework for all applications and operating systems currently available or to be developed. Because the distributed system is an open OSI environment, where functional interoperability only requires compliance with selected protocols needed by a given application, the architecture must be designed to securely support systems that do not implement or use any of the security services, while providing extensive additional security capabilities for those systems that choose to implement the architecture.
TL;DR: This document defines message encryption and authentication procedures, in order to provide privacy-enhanced mail (PEM) services for electronic mail transfer in the Internet.
Abstract: This RFC specifies features for private electronic mail based on encryption technology. [STANDARDS-TRACK]
TL;DR: In this paper, the authors describe the use of cryptographic authentication for controlling computer viruses, which relies on a trusted device, the authenticator, used to authenticate and update programs and convert programs between the various formats.
Abstract: The author describes the use of cryptographic authentication for controlling computer viruses. The objective is to protect against viruses infecting software distributions, updates, and programs stored or executed on a system. The authentication determines the source and integrity of an executable, relying on the source to produce virus-free software. The scheme relies on a trusted (and verifiable, where possible) device, the authenticator, used to authenticate and update programs and convert programs between the various formats. In addition, each user's machine uses a similar device to perform run-time checking.
TL;DR: A key distribution system (KDS) based on identification information (ID-based KDS) is presented, which is founded on the Diffie-Hellman public key distribution scheme and has an identity authentication function.
Abstract: A key distribution system (KDS) based on identification information (ID-based KDS) is presented. The system is founded on the Diffie-Hellman public key distribution scheme and has an identity authentication function. It uses an individual user's identification information instead of the public file used in the Diffie-Hellman scheme. It does not require any services of a center to distribute work keys or users to keep directories of key-encrypting keys. Therefore, key management in cryptosystems can be simplified by adopting the ID-based KDS. Two kinds of identity-based key distribution system are proposed and applied to actual communication networks. One uses two-way (interactive) communication to distribute work keys, while the other uses one-way communication. Modular exponentiations of large numbers, used in the systems, are implemented with digital signal processors.
TL;DR: A new untraceable electronic cash scheme satisfying both untraceability and unreusability is proposed, which overcomes the problems of the previous scheme proposed by Chaum, Fiat and Naor through its greater efficiency and provable security under reasonable cryptographic assumptions.
Abstract: In this paper, we propose a new type of authentication system, the disposable zero-knowledge authentication system. Informally speaking, in this authentication system, double usage of the same authentication is prevented. Based on these disposable zero-knowledge authentication systems, we propose a new untraceable electronic cash scheme satisfying both untraceability and unreusability. This scheme overcomes the problems of the previous scheme proposed by Chaum, Fiat and Naor through its greater efficiency and provable security under reasonable cryptographic assumptions. We also propose a transferable untraceable electronic cash scheme, satisfying transferability as well as the above two criteria, properties that have not been achieved together in any previously proposed scheme. Moreover, we also propose a new type of electronic cash, the untraceable electronic coupon ticket, in which the value of one piece of electronic cash can be subdivided into many pieces.
TL;DR: Techniques are suggested to construct authentication protocols on a basis of one-way functions rather than encryption algorithms, and it appears that this approach could achieve equally simple and capable protocols.
Abstract: Techniques are suggested to construct authentication protocols on a basis of one-way functions rather than encryption algorithms. This approach is thought to be of interest for several reasons. It appears that this approach could achieve, at least, equally simple and capable protocols.
TL;DR: In this paper, the authors propose a control vector which provides the authorization for the uses of the data cryptography key intended by the originator of the key. Among the uses specified by the control vector are limitations on encryption, decryption, authentication code generation and verification, and translation of the user's data.
Abstract: Data cryptography is achieved in an improved manner by associating with the data cryptography key, a control vector which provides the authorization for the uses of the key intended by the originator of the key. Among the uses specified by the control vector are limitations on encryption, decryption, authentication code generation and verification, translation of the user's data. Complex combinations of data manipulation functions are possible using the control vectors, in accordance with the invention. The system administrator can exercise flexibility in changing the implementation of his security policy by selecting appropriate control vectors in accordance with the invention. Complex scenarios such as encrypted mail box, session protection, file protection, ciphertext translation center, peer-to-peer ciphertext translation, message authentication, message authentication with non-repudiation and many others can be easily implemented by a system designer using the control vectors, in accordance with the invention.
TL;DR: This work considers two basic versions of the challenge-response authentication protocol, and exhibits both a method of attack and a simple modification preventing such attacks.
Abstract: We consider two basic versions of the challenge-response authentication protocol, and exhibit both a method of attack and a simple modification preventing such attacks. We go on to consider three variants of the basic protocols and show that one of them is completely insecure.
TL;DR: The goals of authenticating computer system users with a single password are defined, and simple and scalable approaches to achieving these goals are proposed.
TL;DR: A framework for designing a type of distributed authentication protocol, whose security and availability are higher compared to those of centralized ones, and which uses the technique of secret sharing and introduces a cross checksum scheme to achieve secure replication.
Abstract: A framework for designing a type of distributed authentication protocol is given, whose security and availability are higher compared to those of centralized ones. It uses the technique of secret sharing and introduces a cross checksum scheme to achieve secure replication. Fewer than a certain number of malicious servers cannot damage security except by causing denial of service, and this only happens when too many honest servers accidentally fail at the same time. The protocol is suited to an environment where no trustworthiness of any server is permanently guaranteed. The approach is general enough not to rely on any particular authentication protocol. Existing implementations need minor modification. Only a short piece of code is needed to run the implementations as many times as required. Hence, different centralized protocols can be incorporated into one distributed protocol.
TL;DR: This work proposes relaxed criteria for the security of KDS, presents a system which meets most of the criteria, and gives evidence that one of the variants has super-polynomial security against any malicious adversary, assuming the RSA modulus is hard to factor.
Abstract: Zero Knowledge (ZK) theory formed the basis for practical identification and signature cryptosystems (invented by Fiat and Shamir). It also was used to construct a key distribution scheme (invented by Bauspiess and Knobloch); however, it seems that the ZK concept is less appropriate for key distribution systems (KDS), where the main cost is the number of communications. We propose relaxed criteria for the security of KDS, which we assert are sufficient, and present a system which meets most of the criteria. Our system is not ZK (it leaks few bits), but in return it is very simple. It is a Diffie-Hellman variation. Its security is equivalent to RSA, but it runs faster. Our definition for the security of KDS is based on a new definition of security for one-way functions recently proposed by Goldreich and Levin. For a given system and given cracking algorithm, I, the cracking rate is roughly the average of the inverse of the running time over all instances (if on some instance it fails, that inverse is zero). If there exists a function s : N → N, such that for all I, the cracking rate for security parameter n is O(1)/s(n), then we say that the system has at least security s. We use this concept to define the security of KDS for a malicious adversary (the passive adversary is a special case). Our definition of a malicious adversary is relatively restricted, but we assert it is general enough for KDS. This restriction enables the proof of security results for simple and practical systems. We further modify the definition to allow past keys, and their protocol messages, in the input data to a cracking algorithm. The resulting security function is called the "amortized security" of the system. This is justified by current usage of KDS, where the keys are often used with cryptosystems of moderate strength. We demonstrate the above properties on some Diffie-Hellman KDS variants which also authenticate the parties.
In particular, we give evidence that one of the variants has super-polynomial security against any malicious adversary, assuming the RSA modulus is hard to factor. We also give evidence that its amortized security is super-polynomial. (The original DH scheme does not authenticate, and the version with public directory has a fixed key, i.e. rem amortized security.)
TL;DR: In this article, the authors examine the design of authentication protocols, which are the basis of security in many distributed systems; it is therefore essential to ensure that these protocols function correctly.
Abstract: Authentication protocols are the basis of security in many distributed systems, and it is therefore essential to ensure that these protocols function correctly. Unfortunately, their design has been...
TL;DR: The Kerberos authentication service as discussed by the authors is an authentication service for workstation environments, motivated by the fact that workstation operating systems cannot be trusted to accurately identify their users.
Abstract: In a workstation environment, the user often has complete control over the workstation. Workstation operating systems therefore cannot be trusted to accurately identify their users. Some other method of authentication is needed, and this motivated the design and implementation of the Kerberos authentication service.
TL;DR: In this paper, data cryptography is achieved in an improved manner by associating with the data cryptography key, a control vector which provides the authorisation for the uses of the key intended by the originator.
Abstract: Data cryptography is achieved in an improved manner by associating with the data cryptography key, a control vector which provides the authorisation for the uses of the key intended by the originator of the key. Among the uses specified by the control vector are limitations on encryption, decryption, authentication code generation and verification, translation of the user's data. Complex combinations of data manipulation functions are possible using the control vectors, in accordance with the invention. The system administrator can exercise flexibility in changing the implementation of his security policy by selecting appropriate control vectors in accordance with the invention. Complex scenarios such as encrypted mail box, session protection, file protection, ciphertext translation centre, peer-to-peer ciphertext translation, message authentication, message authentication with non-repudiation and many others can be easily implemented by a system designer using the control vectors, in accordance with the invention.
TL;DR: The class of problems for which covert distributed processing can be used for brute-force attack on cryptosystems is outlined, and estimates of the time required to complete such an attack covertly are given.
Abstract: Computer viruses can be used by their authors to harness the resources of infected machines for the author's computation. By doing so without the permission or knowledge of the machine owners, viruses can be used to perform covert distributed processing. We outline the class of problems for which covert distributed processing can be used. A brute-force attack on cryptosystems is one such problem, and we give estimates of the time required to complete such an attack covertly.
TL;DR: A network information security management system which authenticates and/or encrypts messages is proposed and both authentication and key distribution are executed in a simple scheme.
Abstract: A network information security management system which authenticates and/or encrypts messages is proposed. Both authentication and key distribution are executed in a simple scheme. Once the system is set up, the transactions are done independently by the users involved, yet the amount of information that users must keep is small. The experimental implementation of the system on a personal computer network, using IC cards (smart cards) and digital signal processors, is described. The signal processors shorten calculation time and make the concept practical.
TL;DR: In this paper, a hierarchical approach for key management is presented which utilizes the existing network specific protocols at the lower levels and protocols between authentication servers and/or control centers of different networks at the higher levels.
Abstract: A hierarchical approach for key management is presented which utilizes the existing network specific protocols at the lower levels and protocols between authentication servers and/or control centers of different networks at the higher levels. Details of this approach are discussed for specific illustrative scenarios to demonstrate the implementation simplicity. A formal verification of the security of the resulting system in the sense of protecting the privacy of privileged information is also conducted by an axiomatic procedure utilizing certain combinatory logic principles. This approach is general and can be used for verifying the security of other existing key management schemes.
TL;DR: Topics include aspects of the licensing and assessment of highly dependable computer systems; an engineering approach to security evaluation; some comments on program verification systems; and guidelines, standards, tools and practices for safe industrial computer systems.
Abstract: Aspects of the licensing and assessment of highly dependable computer systems; an engineering approach to security evaluation; some comments on program verification systems; guidelines, standards, tools and practices for safe industrial computer systems; errors, faults and failures - a model; secure databases and safety - some unexpected conflicts; a new approach to secure systems analysis; programming the Viper microprocessor; safety-critical software development assurance; authentication; dependable computing system kernels for safety; requirements and environmental issues in safety and security; software security analysis and the denial of service problem; very high reliability computer systems.
TL;DR: The NETBIOS protocol as discussed by the authors uses a naming system that allows any station to claim a name or set of names that are not already in use, potentially allowing any user to "masquerade" as another user, or service machine, by claiming the name when the real user is not connected to the network.
Abstract: A method insures that NETBIOS names are not illegally used on a local area network. The NETBIOS protocols use a naming system that allows any station to claim a name or set of names that are not already in use. This potentially allows any user to "masquerade" as another user, or service machine, by claiming the name when the real user is not connected to the network. This method detects these attempted masquerades, disconnects the offending station from the network, and logs information about the attempt.
TL;DR: This paper analyzes the behaviour of a ''generic'' key distribution protocol using a model checker based on temporal logic to bring the automatic verification of finite systems closer to a practical proposition.
TL;DR: An identity verification scheme that uses a public authentication channel to validate a private authentication channel belonging to the individual who wishes to prove his identity is described.
Abstract: An identity verification scheme that uses a public authentication channel to validate a private authentication channel belonging to the individual who wishes to prove his identity is described. The user can prove his identity by demonstrating that he can authenticate (suitably chosen) messages in the private channel. It also provides certified receipts for transactions whose legitimacy can later be verified by impartial arbiters who do not need to be designated in advance or be involved in the transaction at the time it takes place.
TL;DR: In this paper, the authors propose an authentication device for the transmission of information by telephone, comprising a microprocessor (22) capable of implementing an authentication algorithm, a data transmitter (26), a data receiver (32), and an electro-acoustic transducer (40) having one input (41) connected to the transmitter and one output (44) connected to the receiver.
Abstract: This device comprises a microprocessor (22) capable of implementing an authentication algorithm, a data transmitter (26) connected to the microprocessor (22), a data receiver (32) connected to the microprocessor and an electro-acoustic transducer (40) having one input (41) connected to the transmitter (26) and one output (44) connected to the receiver (32). Application to the transmission of information by telephone.
TL;DR: The results demonstrate that layering can be used in certain circumstances to provide central authentication services, although, as a result, the concomitant maintenance costs may increase.
Abstract: An approach to the secure logon problem in distributed systems managed by a single authority is considered in which central authentication is layered onto existing terminal services. This approach suggests itself when a large installed base of computer systems that do not support central authentication already exists. Work to assess the feasibility of this approach was carried out. The results demonstrate that layering can be used in certain circumstances to provide central authentication services, although, as a result, the concomitant maintenance costs may increase. It was also determined that terminal service features are necessary so that central authentication is easily layered over existing terminal services. Recommendations are made concerning how to structure terminal services in a distributed system to support an integrated central authentication service.
TL;DR: The Secure Data Network System is intended to provide secure data communications to a variety of DoD and commercial users, and the end-to-end encryption (E3) protocols are being proposed as U.S. and international standards.
Abstract: The Secure Data Network System (SDNS) is intended to provide secure data communications to a variety of DoD and commercial users. SDNS services include key management and system management as well as data encryption, authentication and access control. The program is a U.S. Government/Industry effort, with participation by the National Security Agency, National Institute for Standards and Technology, other government agencies and about a dozen government contractors. During the concept definition and prototyping phases, a joint working group defined the set of security services to be provided and developed protocols for key management and for secure communications [1]. The protocols and architecture are compatible with the International Standards Organization (ISO) Reference Model for Open Systems Interconnection (OSI), and the end-to-end encryption (E3) protocols are being proposed as U.S. and international standards. The E3 protocols are publicly released and appropriate for the OSI environment.
TL;DR: This document discusses Secure Data Bases, Crypto-Key Systems, Document Interchange and Networks, Networks, PCs and Workstations, and Security Products and Systems.
Abstract: Cryptographic Systems - I. Secure Data Bases. EFTS and Banking. Cryptographic Systems - II. Organisations and Education. Computer Crime. Cryptographic Systems - III. Office Automation. Security Products and Systems. Crypto-Key Systems. Secure / Trusted Systems - I. Access / Authentication Control - I. Auditing - I. Secure / Trusted Systems - II. Access / Authentication Control - II. Secure / Trusted Systems - III. Document Interchange and Networks. Networks / EFT. EFTS and Cost of Security. Auditing - II. Networks, PCs and Workstations. Authentication and Identification. Index.
TL;DR: The author presents a method of carrying out identity and access rights checks efficiently using the interface process associated with each user-server connection, and enables the system to exploit the hardware support for capability checking provided by new microprocessors.
Abstract: The problem of authenticating the users of a computer network in order to protect the shared resources against unauthorized use is discussed. Since intruders could enter the network and try to use services they have no right to access, the host implementing the service (or server) has to check the user's identity and access rights by searching in the relevant database. The author presents a method of carrying out such checks efficiently. The basic idea is that a suitable interface process is associated with each user-server connection in order to filter out unauthorized requests, thus implementing a sort of cache with parallel search where the working set of the whole database is stored and explored. The use of the interface process enables the system to exploit the hardware support for capability checking provided by new microprocessors. In particular, an implementation using iAPX432-based hosts is illustrated and performance issues are discussed.