Don Davis' Cryptography Articles

My work focusses on network security, computer security, and cryptography. These papers' topics include symmetric and public-key hybrid protocols, key management, natural randomness, Kerberos, PKI, electronic commerce, and Web security. I've listed the papers and their abstracts in reverse chronological order. Most of the papers are formatted in Adode PDF and in PostScript. Please send your comments to me, at don at or dtd at .


Most-Cited Articles Kerberos Articles E-Commerce Articles

University materials using my articles:

Compliance Defects: Email crypto flaw Disk Randomness Other papers taught:


  • Mark S. Ackerman and Donald T. Davis, Jr., "Privacy and Security Issues in E-Commerce" Chapter 39 in: Derek C. Jones (ed.), New Economy Handbook, San Diego: Academic Press/ Elsevier, 2003, pp. 911-930. (PDF, 470 kbytes) This online version of our chapter is an imperfect galley proof (460 Kbyte PDF).

    Editor's Abstract:
    Privacy -- the control over one's personal data -- and security -- the control of attempted access to data by unauthorized others -- are two critical concerns in the "new economy." Consumers are concerned about their personal data leaking unexpectedly or uncontrollably, and e-commerce sites fear the financial losses associated with bad publicity, unauthorized access, and break-ins. This chapter discusses the business, social, and economic issues surrounding both privacy and security. This chapter also surveys the technologies that can be incorporated or have been proposed for both.
    (3 Citations)

  • Donald T. Davis, "Defective Sign & Encrypt in S/MIME, PKCS#7, MOSS, PEM, PGP, and XML.", Proc. Usenix Tech. Conf. 2001 (Boston, Mass., June 25-30, 2001), pp. 65-78.(180 Kbytes) (PDF, 200 Kbytes) (HTML, 80 Kbytes) Also, a shortened version of this paper appeared in Dr. Dobb's:
    Don Davis, "Defective Sign-and-Encrypt," Dr. Dobb's Journal #330, v.26(11) (Nov. 2001), pp. 30-36.

    Summary of the paper.

    Simple Sign & Encrypt, by itself, is not very secure. Cryptographers know this well, but application programmers and standards authors still tend to put too much trust in simple Sign-and-Encrypt. In fact, every secure e-mail protocol, old and new, has codified naïve Sign & Encrypt as acceptable security practice. S/MIME, PKCS#7, PGP, OpenPGP, PEM, and MOSS all suffer from this flaw. Similarly, the secure document protocols PKCS#7, XML- Signature, and XML-Encryption suffer from the same flaw. Naïve Sign & Encrypt appears only in file-security and mail-security applications, but this narrow scope is becoming more important to the rapidly-growing class of commercial users. With file- and mail-encryption seeing widespread use, and with flawed encryption in play, we can expect widespread exposures.

    In this paper, we analyze the naïve Sign & Encrypt flaw, we review the defective sign/encrypt standards, and we describe a comprehensive set of simple repairs. The various repairs all have a common feature: when signing and encryption are combined, the inner crypto layer must somehow depend on the outer layer, so as to reveal any tampering with the outer layer.
    (25 Citations)

    I had no pubs from '97-2000, because my second daughter was born early in the year. A rule of thumb in research is, "A baby costs three papers or one book." I've found it holds true.
  • Daniel E. Geer and Donald T. Davis, "Token-Mediated Certification and Electronic Commerce", Proc. 2nd USENIX Workshop on Electronic Commerce, (Oakland, CA, 1996), pp. 13-22.

    Public key technology presumes the availability of certificates and certifying authorities (CAs) living within a shallow hierarchy rooted at a few (n << 100) public CAs. We propose an alternative that lessens the day-to-day dependence on centralized CAs while deepening the certificate tree. We do this by suggesting that smartcards provide CA functions, thus re-framing some payment problems as simpler authorization problems.
    (21 Citations)

  • Don Davis, "Compliance Defects in Public-Key Cryptography", Proc. 6th Usenix Security Symp, (San Jose, CA, 1996), pp. 171-178. (130 Kbytes) (PDF, 161 Kbytes)

    Public-key cryptography has low infrastructural overhead because public-key users bear a substantial but hidden administrative burden. A public-key security system trusts its users to validate each others' public keys rigorously and to manage their own private keys securely. Both tasks are hard to do well, but public-key security systems lack a centralized infrastructure for enforcing users' discipline. A "compliance defect" in a cryptosystem is such a rule of operation that is both difficult to follow and unenforceable. This paper presents five compliance defects that are inherent in public-key cryptography; these defects make public-key cryptography more suitable for server-to-server security than for desktop applications.
    (56 Citations)

    The slides (78 Kbytes) PDF (78 Kbytes) discuss a topic that the paper only touches upon: the complexity of thoroughly checking a certificate issuance-chain, to see whether any of the certs in the chain have been revoked recently. Even in the best case, this is a surprisingly messy procedure. See slides 12 & 13, and their annotations. See also (*).

  • Don Davis, "Kerberos Plus RSA for World Wide Web Security," Proc. 1st USENIX Workshop on Electronic Commerce, (NYC, July 1995). (93 Kbytes) (PDF, 122 Kbytes)

    We show how to use Kerberos to enable its clients to interact securely with non-Kerberized World Wide Web servers. That is, our protocol does not require that the Web server be a member of a Kerberos realm, and also does not rely on time-synchronization between the participants. In our protocol, the Kerberos client uses the Web server's public-key certificate to gain cryptographic credentials that conform to public-key authentication standards, and to SHTTP. The client does not perform any public-key encryptions. Further, the client is well-protected from a man-in-the-middle attack that weakens SSL [this MITM attack is described more thoroughly in the next paper]. Our protocol conforms to the current specifications for the Kerberos protocol and for the Secure Hypertext Transfer Protocol.
    (21 Citations)

  • Don Davis, Daniel Geer, and Theodore Ts'o,
    "Kerberos With Clocks Adrift: History, Protocols, and Implementation", USENIX Computing Systems 9:1 (Jan. '96). An early version of this paper appeared in: Proc. 5th USENIX UNIX Security Symposium, Salt Lake City, June 5-7, 1995. (160 Kbytes) (PDF, 219 Kbytes)

    We show that the Kerberos Authentication System can relax its requirement for synchronized clocks, with only a minor change which is consistent with the current protocol. Synchronization has been an important limitation of Kerberos; it imposes political costs and technical ones. Further, Kerberos' reliance on synchronization obstructs the secure initialization of clocks at bootstrap. Perhaps most important, this synchronization requirement limits Kerberos' utility in contexts where connectivity is often intermittent. Such environments are becoming more important as mobile computing becomes more common. Mobile hosts are particularly refractory to security measures, but our proposal gracefully extends Kerberos even to mobile users, making it easier to secure the rest of a network that includes mobile hosts. An advantage of our proposal is that we do not change the Kerberos protocol per se. We have implemented this protocol in the MIT Kerberos V5 source-distribution.
    (7 Citations)

  • D. Davis, R. Ihaka, P.R. Fenstermacher, "Cryptographic Randomness from Air Turbulence in Disk Drives", in Advances in Cryptology -- CRYPTO '94 Conference Proceedings, edited by Yvo G. Desmedt, pp.114--120. Lecture Notes in Computer Science #839. Heidelberg: Springer-Verlag, 1994. (104 Kbytes) (PDF, 153 Kbytes) PowerPoint slides (Stuffit archive, 70 Kbytes)

    A computer disk drive's motor speed varies slightly but irregularly, principally because of air turbulence inside the disk's enclosure. The unpredictability of turbulence is well-understood mathematically; it reduces not to computational complexity, but to information losses. By timing disk accesses, a program can efficiently extract at least 100 independent, unbiased bits per minute, at no hardware cost. This paper has three parts: a mathematical argument tracing our RNG's randomness to a formal definition of turbulence's unpredictability, a novel use of the FFT as an unbiasing algorithm, and a "sanity check" data analysis.
    (65 Citations)

    This is the most-cited of my papers, but it is fairly abstract. The poster session slides present much explanatory material that the published paper lacks. I'm preparing a newer, more readable, and more practically-oriented paper, which I'll include here soon. This paper gave me an Erdös number of 5, though my number has since dropped to 4. B^)

    Bell Labs' Markus Jakobssen et al. have built a practical disk RNG application that doesn't require kernel-level support. They also did some crucial hardware-level measurements, showing that a UNIX application can detect the disk's speed variations.

    Linux' /dev/random truly-random number generator uses disk timing, as well as other kernel-level noise, to create securely unpredictable random numbers. /dev/random was written by MIT's Ted Ts'o.

  • D. Davis and R. Swick, "Network Security via Private-Key Certificates," USENIX 3rd Security Symposium Proceedings, (Baltimore; Sept. '92). Also in ACM Operating Systems Review, v.24, #4 (Oct. 1990). (58 Kbytes)

    We present some practical security protocols that use private-key encryption in the public-key style. Our system combines a new notion of private-key certificates, a simple key-translation protocol, and key-distribution. These certificates can be administered and used much as public-key certificates are, so that users can communicate securely while sharing neither an encryption key nor a network connection.
    (56 Citations)

    This paper's title is somewhat dated. Nowadays, it might better be called, "Network Security via Symmetric-Key Certificates," because the meaning of "private-key" has shifted since I wrote the paper.

  • D. Davis and R. Swick, "Workstation Services and Kerberos Authentication at Project Athena," MIT Laboratory for Computer Science Technical Memorandum #424 (Feb. 1990). (45 Kbytes)

    We propose an extension to the Kerberos Ticket-Granting Service protocol, that cleanly supports user-to-user mutual authentication. This extension enables insecure desktop computers to offer secure network services, such as X-windows services, rlogin, rsh, and NFS. Each desktop service authenticates itself with a short-lived Kerberos session key, instead of using a long-lived secret key as secure centralized servers do. We use the Burrows-Abadi-Needham logic to prove that the user-to-user protocol fulfills several authentication goals.
    (35 Citations)

    We actually wrote this paper in late 1988 as an internal technical proposal for Project Athena. Page 2 includes an interesting tidbit: a concise statement of Kerberos' design constraints, which I deduced and distilled from corridor conversations with other Athena staff. This paper is now part of MIT's Kerberos source-distribution, and our user-to-user protocol has become part of Kerberos Version 5. According to a Microsoft staffer, the user-to-user protocol is part of Windows 2000's DCOM implementation. Further, a black-hat friend of mine says he's noticed in packet-captures that Microsoft's Xbox protocol uses the U2U protocol, too. Finally, our user-to-user protocol is also part of the P2P security component in the Globus Grid, a distributed supercomputing system being built by IBM, Sun, Microsoft, and by the DoE's Sandia, Lawrence Livermore, and Los Alamos National Labs.

    Network Security Consulting

    I'm a full-time consultant, specializing in network security, cryptography, and electronic commerce for large networks. In practice, that means I can:

  • Help you design and build a secure network or a secure networked application;
  • Analyze your network, products, and procedures for security flaws;
  • Advise and help you to repair those flaws, either with off-the-shelf technology, or with software that your staff and I build.

    I've been a security consultant since 1991, and my clients include investment banks, brokerages, and stock exchanges on Wall St., here in New England, and overseas. I also work for technology firms and ISP's. I've worked in security since the late '80's, when I was one of the senior programming and sys-admin staff at MIT's Project Athena, which was the first large client-server network. I've been a systems programmer (compilers, kernels, and tools) since 1978. I hold a B.Sc. degree in mathematics from MIT. I live in Somerville, Mass., a small city near Boston. My postal address and phone number are:

    Don Davis
    148 School St.
    Somerville, MA 02143
    (617) 629-3010
    (617) 625-2242

    System Experts is a consulting company with whom I do a lot of work, especially for large corporate and financial clients.

    Email addresses: dtd at, don at

    Last updated on September 26, 2011
    Visitors since Nov. 10, '98:
    Best viewed with /bin/vi .
    The World's Homepage