TL;DR: In this article, it was shown that many of the standard cryptographic tasks are equivalent to the usual definition of a one-way function, and thus the security of any proposed protocol for these tasks is implicitly based on a function being "one-way".
Abstract: It is shown that many of the standard cryptographic tasks are equivalent to the usual definition of a one-way function. In particular, it is shown that for some of the standard cryptographic tasks any secure protocol for the task can be converted into a one-way function in the usual sense, and thus the security of any proposed protocol for these tasks is implicitly based on a function being 'one-way.' Thus, the usual definition of a one-way function is robust; any one-way function with respect to another definition on which a secure cryptographic protocol can be based can be used to construct a one-way function in the usual sense. The authors focus on private-key encryption, identification/authentication, bit commitment, and coin flipping by telephone. However, the proof techniques presented here can be easily adopted to prove analogous results for other cryptographic tasks.
TL;DR: In this paper, an approach to analyzing encryption protocols using machine-aided formal verification techniques is presented, where the properties that the protocol should preserve are expressed as state invariants, and the theorems that must be proved to guarantee that the cryptographic facility satisfies the invariants are automatically generated by the verification system.
Abstract: An approach to analyzing encryption protocols using machine-aided formal verification techniques is presented. The properties that the protocol should preserve are expressed as state invariants, and the theorems that must be proved to guarantee that the cryptographic facility satisfies the invariants are automatically generated by the verification system. A formal specification of an example system is presented, and several weaknesses that were revealed by attempting to verify and test the specification formally are discussed.
TL;DR: In this paper, an apparatus and method for validating that key management functions requested for a cryptographic key by the program have been authorized by the originator of the key is presented.
Abstract: The invention is an apparatus and method for validating that key management functions requested for a cryptographic key by the program have been authorized by the originator of the key. The invention includes a cryptographic facility characterized by a secure boundary through which passes an input path for receiving the cryptographic service requests, cryptographic keys and their associated control vectors, and an output path for providing responses thereto. There can be included within the boundary a cryptographic instruction storage coupled to the input path, a control vector checking unit and a cryptographic processing unit coupled to the instruction storage, and a master key storage coupled to the processing means, for providing a secure location for executing key management functions in response to the received service requests. The cryptographic instruction storage receives over the input path a cryptographic service request for performing a key management function on a cryptographic key. The control vector checking unit has an input coupled to the input path for receiving a control vector associated with the cryptographic key and an input connected to the cryptographic instruction storage, for receiving control signals to initiate checking that the control vector authorizes the key management function which is requested by the cryptographic service request. The control vector checking unit has an authorization output connected to an input of the cryptographic processing means, for signalling that the key management function is authorized, the receipt of which by the cryptographic processing unit initiates the performance of the requested key management function with the cryptographic key. The invention enables the flexible control of many cryptographic key management functions in the generation, distribution and use of cryptographic keys, while maintaining a high security standard.
TL;DR: The author develops methods for analyzing cryptographic protocols using techniques developed for the solutions of equations in a term rewriting system and describes a software tool based on the narrowing algorithm that can be used in the analysis of such protocols.
Abstract: The author develops methods for analyzing cryptographic protocols using techniques developed for the solutions of equations in a term rewriting system. In particular, she describes a model of a class of cryptographic protocols and possible attacks on those protocols as term rewriting systems. She also describes a software tool based on the narrowing algorithm that can be used in the analysis of such protocols. Finally, she uses the tool in the analysis of a simple protocol and outlines ways in which the tool might be improved to provide greater assistance in the analysis of more complex protocols.
TL;DR: An experiment on cryptographic protection of databases and software using a natural language dictionary of over 4000 Spanish verbs concludes that the overhead cost of computing with encrypted data is fairly small.
Abstract: We describe experimental work on cryptographic protection of databases and software. The database in our experiment is a natural language dictionary of over 4000 Spanish verbs. Our tentative conclusion is that the overhead cost of computing with encrypted data is fairly small.
TL;DR: This paper analyzes the behaviour of a ''generic'' key distribution protocol using a model checker based on temporal logic to bring the automatic verification of finite systems closer to a practical proposition.
TL;DR: This thesis shows that, under a cryptographic assumption, there exists a cryptographically secure simple product cipher, and proves some non-trivial lower bounds on the level of security attainable by any protocol for either of the transactions.
Abstract: This thesis concerns two subjects whose primary applications are in the field of cryptography: reversible programs and multi-party protocols.
The first part of the thesis investigates a model of computation called a "reversible program", and its relationship to the level of cryptographic security attainable by a "simple product cipher" (which is a type of method for encrypting fixed-length blocks of data).
The notion of a simple product cipher is motivated by the design of some ciphers, including the widely used Data Encryption Standard.
Informally, reversible programs and simple product ciphers both have the property that they can be expressed as a composition of "very simple" permutations on the set of n-bit binary strings. We show that, under a cryptographic assumption (namely, that there exists a pseudorandom function generator that is feasibly computed by a particular kind of computation, called an "iterated integer matrix product"), there exists a cryptographically secure simple product cipher. This can be regarded as progress towards showing that a secure simple product cipher exists. A by-product of our investigation of reversible programs is a result of independent interest in the field of algebraic complexity theory: over an arbitrary ring, any polynomial-size algebraic formula is computed by an algebraic straight-line program that uses only three registers.
The second part of the thesis investigates the cryptographic security attainable in two-party protocols that carry out "collective coin flipping" transactions (or "games"), and "secret bit exchanging" transactions. In both cases, we construct protocols that, under some widely believed number theoretic intractability assumptions, attain various levels of security for the transaction. We also prove some non-trivial lower bounds on the level of security attainable by any protocol for either of the transactions.
TL;DR: A model for secure delivery of documents is proposed, and a prototype system based on earlier work on secure electronic mail and automated document delivery systems is described, where security protection is provided for both document requests and actual documents delivered.
Abstract: A model for secure delivery of documents is proposed, and a prototype system based on earlier work on secure electronic mail and automated document delivery systems is described. In the proposed architecture, security protection is provided for both document requests and the actual documents delivered. Electronic mail protocols are used for document requests and delivery, although file transfer protocols could be used in some circumstances. The document delivery system background is discussed, and the client-server model for the secure system is presented. The security philosophy, requirements, policy, and techniques are dealt with next. The criterion for validation is analyzed, the relationship to OSI (Open systems interconnection) is shown, implementation issues are discussed, and the direction of future efforts is pointed out.
TL;DR: Extensions of the basic protocol allow SP3 to be used at intermediate systems and allow SP4 to provide a more connection-oriented service.
Abstract: Both network-layer and transport-layer encryption are permitted by the OSI Security Addendum. The advantages of network-layer encryption are discussed. Secure data network system (SDNS) protocols are described. In the SDNS, SP is a single, simple encryption protocol between end-systems. This protocol has two descriptions, SP3 (network layer) and SP4 (transport layer). Both definitions are OSI compliant. Extensions of the basic protocol allow SP3 to be used at intermediate systems and allow SP4 to provide a more connection-oriented service.
TL;DR: The considerations and tradeoffs for a security protocol in the lower layers of the Organization of International Standardization's (ISO) Open System Interconnection (OSI) reference model are examined in detail for LAN environments.
Abstract: This paper examines the requirements and tradeoffs of cryptographic security for local area networks (LANs). Cryptographic security mechanisms must be carried in standard protocol formats for interoperable security. No standard security protocols are currently defined specifically for LANs. The constraints of existing LAN communication protocols limit the viable alternatives for new security protocols. The considerations and tradeoffs for a security protocol in the lower layers of the Organization of International Standardization's (ISO) Open System Interconnection (OSI) reference model are examined in detail for LAN environments.
TL;DR: The paper illustrates the way that the key distribution scheme, the confidentiality algorithm, and the integrity algorithm drive the protocol construction of a simple local area network encapsulation security protocol.
Abstract: Construction of a simple local area network encapsulation security protocol is discussed. The paper illustrates the way that the key distribution scheme, the confidentiality algorithm, and the integrity algorithm drive the protocol construction. A Needham/Schroeder based key distribution scheme, DES Cipher Block Chaining, and the Message Authentication Code are used as building blocks for a sample protocol. The sample protocol provides data origin authentication, confidentiality, and integrity.
TL;DR: The normal use of cryptography in unclassified computing systems often fails to provide the level of protection that the system designers and users would expect, partially caused by confusion of cryptographic keys and user passwords.
Abstract: The normal use of cryptography in unclassified computing systems often fails to provide the level of protection that the system designers and users would expect. This is partially caused by confusion of cryptographic keys and user passwords, and by underestimations of the power of known plaintext attacks. The situation is worsened by performance constraints and occasionally by the system builder's gross misunderstandings of the cryptographic algorithm and protocol.
TL;DR: It is argued that many existing bargaining procedures can be essentially improved by resorting to cryptographic protocols.
Abstract: The theory of computation and automata has occasionally aroused some interest among political scientists. The article outlines some early applications, although the main emphasis is on the most recent ones. We concentrate on the applications to bargaining and negotiation procedures. It is argued that many existing bargaining procedures can be essentially improved by resorting to cryptographic protocols.
TL;DR: The MSP approach is unable to provide additional security features such as protected reports from MTAs (mail transfer agents) and selective body part protection.
Abstract: Three approaches to securing electronic mail are described and compared: the 1988 CCITT X.411 Recommendation, RFC 1113, and the Message Security Protocol (MSP). Each approach offers the same basic security services. The MSP approach is found to be the least invasive. Thus, the MSP approach is unable to provide additional security features such as protected reports from MTAs (mail transfer agents) and selective body part protection.
TL;DR: The authors propose an encryption scheme based on quadratic residue theory that incorporates the encrypting procedure and error-detecting code into a complete communication system.
Abstract: Owing to their mathematical properties, quadratic residues have been used successfully in designing a number of cryptographic applications, such as oblivious transfer protocol and coin flipping protocol. The authors propose an encryption scheme based on quadratic residue theory. In particular, they incorporate the encrypting procedure and error-detecting code into a complete communication system.
TL;DR: The work of IEEE 802.10, the LAN Security Working Group, in developing the Standard for Interoperable LAN Security (SILS) is described, which contains the SILS model and the secure data exchange protocol specification.
Abstract: The work of IEEE 802.10, the LAN Security Working Group, in developing the Standard for Interoperable LAN Security (SILS) is described. The areas for security standardization are: a protocol for the secure exchange of data at the data link layer, the management of cryptographic keys at the application layer, and the specification of the network management objects associated with the secure data exchange protocol and the key management protocol. As of July 1989, IEEE 802.10 has produced the fifth draft of SILS. The standard contains the SILS model and the secure data exchange protocol specification. It also includes the security definitions, the objectives of SILS, and the threats against which the services defined can provide protection.
TL;DR: A key distribution protocol is proposed for digital mobile communication systems that can be used with a star-type network, and a countermeasure is proposed to cope with a possible active attack by a conspiracy of two opponents.
Abstract: A key distribution protocol is proposed for digital mobile communication systems. The protocol can be used with a star-type network. User terminals have a constraint of being hardware-limited. Security of the protocol is discussed. A countermeasure is proposed to cope with a possible active attack by a conspiracy of two opponents.
TL;DR: The authors detail the design of four secure protocol versions that prevent abuse by cryptographic checks of data integrity and analyze and compare these schemes in terms of their per-packet processing overhead.
Abstract: Most routing protocols, including proposed policy routing protocols, focus on environments where detection of an attack after it has taken place is sufficient. The authors explore the design of policy routing mechanisms for sensitive environments where more aggressive preventative measures are mandated. In particular, they detail the design of four secure protocol versions that prevent abuse by cryptographic checks of data integrity. They analyze and compare these schemes in terms of their per-packet processing overhead. It is concluded that preventative security is feasible, although the overhead cost is quite high. Consequently, it is critical that prevention-based schemes coexist with detection-based schemes.