Privacy -- the control over one's personal data -- and security -- the control of attempted access to data by unauthorized others -- are two critical concerns in the "new economy." Consumers are concerned about their personal data leaking unexpectedly or uncontrollably, and e-commerce sites fear the financial losses associated with bad publicity, unauthorized access, and break-ins. This chapter discusses the business, social, and economic issues surrounding both privacy and security. This chapter also surveys the technologies that can be incorporated or have been proposed for both.
Summary of the paper.
Simple Sign & Encrypt, by itself, is not very secure. Cryptographers know this well, but application programmers and standards authors still tend to put too much trust in simple Sign-and-Encrypt. In fact, every secure e-mail protocol, old and new, has codified naïve Sign & Encrypt as acceptable security practice. S/MIME, PKCS#7, PGP, OpenPGP, PEM, and MOSS all suffer from this flaw. Similarly, the secure document protocols PKCS#7, XML- Signature, and XML-Encryption suffer from the same flaw. Naïve Sign & Encrypt appears only in file-security and mail-security applications, but this narrow scope is becoming more important to the rapidly-growing class of commercial users. With file- and mail-encryption seeing widespread use, and with flawed encryption in play, we can expect widespread exposures.
In this paper, we analyze the naïve Sign & Encrypt flaw,
we review the defective sign/encrypt standards, and we
describe a comprehensive set of simple repairs. The
various repairs all have a common feature: when signing
and encryption are combined, the inner crypto layer must
somehow depend on the outer layer, so as to reveal any
tampering with the outer layer.
Public key technology presumes the availability of certificates and certifying authorities (CAs) living within a shallow hierarchy rooted at a few (n << 100) public CAs. We propose an alternative that lessens the day-to-day dependence on centralized CAs while deepening the certificate tree. We do this by suggesting that smartcards provide CA functions, thus re-framing some payment problems as simpler authorization problems.
Public-key cryptography has low infrastructural overhead because public-key users bear a substantial but hidden administrative burden. A public-key security system trusts its users to validate each others' public keys rigorously and to manage their own private keys securely. Both tasks are hard to do well, but public-key security systems lack a centralized infrastructure for enforcing users' discipline. A "compliance defect" in a cryptosystem is such a rule of operation that is both difficult to follow and unenforceable. This paper presents five compliance defects that are inherent in public-key cryptography; these defects make public-key cryptography more suitable for server-to-server security than for desktop applications.
The slides (78 Kbytes)
PDF (78 Kbytes)
discuss a topic that the paper only touches upon: the complexity of
thoroughly checking a certificate issuance-chain, to see whether
any of the certs in the chain have been revoked recently. Even in
the best case, this is a surprisingly messy procedure. See slides 12 & 13,
and their annotations.
See also (*).
We show how to use Kerberos to enable its clients to interact securely with non-Kerberized World Wide Web servers. That is, our protocol does not require that the Web server be a member of a Kerberos realm, and also does not rely on time-synchronization between the participants. In our protocol, the Kerberos client uses the Web server's public-key certificate to gain cryptographic credentials that conform to public-key authentication standards, and to SHTTP. The client does not perform any public-key encryptions. Further, the client is well-protected from a man-in-the-middle attack that weakens SSL [this MITM attack is described more thoroughly in the next paper]. Our protocol conforms to the current specifications for the Kerberos protocol and for the Secure Hypertext Transfer Protocol.
We show that the Kerberos Authentication System can relax its requirement for synchronized clocks, with only a minor change which is consistent with the current protocol. Synchronization has been an important limitation of Kerberos; it imposes political costs and technical ones. Further, Kerberos' reliance on synchronization obstructs the secure initialization of clocks at bootstrap. Perhaps most important, this synchronization requirement limits Kerberos' utility in contexts where connectivity is often intermittent. Such environments are becoming more important as mobile computing becomes more common. Mobile hosts are particularly refractory to security measures, but our proposal gracefully extends Kerberos even to mobile users, making it easier to secure the rest of a network that includes mobile hosts. An advantage of our proposal is that we do not change the Kerberos protocol per se. We have implemented this protocol in the MIT Kerberos V5 source-distribution.
A computer disk drive's motor speed varies slightly but irregularly, principally because of air turbulence inside the disk's enclosure. The unpredictability of turbulence is well-understood mathematically; it reduces not to computational complexity, but to information losses. By timing disk accesses, a program can efficiently extract at least 100 independent, unbiased bits per minute, at no hardware cost. This paper has three parts: a mathematical argument tracing our RNG's randomness to a formal definition of turbulence's unpredictability, a novel use of the FFT as an unbiasing algorithm, and a "sanity check" data analysis.
This is the most-cited of my papers, but it is fairly abstract. The poster session slides present much explanatory material that the published paper lacks. I'm preparing a newer, more readable, and more practically-oriented paper, which I'll include here soon. This paper gave me an Erdös number of 5, though my number has since dropped to 4. B^)
Bell Labs' Markus Jakobssen et al. have built a practical disk RNG application that doesn't require kernel-level support. They also did some crucial hardware-level measurements, showing that a UNIX application can detect the disk's speed variations.
Linux' /dev/random truly-random number generator uses disk timing,
as well as other kernel-level noise, to create securely unpredictable
random numbers. /dev/random was written by MIT's Ted Ts'o.
We present some practical security protocols that use private-key encryption in the public-key style. Our system combines a new notion of private-key certificates, a simple key-translation protocol, and key-distribution. These certificates can be administered and used much as public-key certificates are, so that users can communicate securely while sharing neither an encryption key nor a network connection.
This paper's title is somewhat dated. Nowadays, it might better be called,
"Network Security via Symmetric-Key Certificates," because
the meaning of "private-key" has shifted since I wrote the paper.
We propose an extension to the Kerberos Ticket-Granting Service protocol, that cleanly supports user-to-user mutual authentication. This extension enables insecure desktop computers to offer secure network services, such as X-windows services, rlogin, rsh, and NFS. Each desktop service authenticates itself with a short-lived Kerberos session key, instead of using a long-lived secret key as secure centralized servers do. We use the Burrows-Abadi-Needham logic to prove that the user-to-user protocol fulfills several authentication goals.
We actually wrote this paper in late 1988 as an internal technical proposal for Project Athena. Page 2 includes an interesting tidbit: a concise statement of Kerberos' design constraints, which I deduced and distilled from corridor conversations with other Athena staff. This paper is now part of MIT's Kerberos source-distribution, and our user-to-user protocol has become part of Kerberos Version 5. According to a Microsoft staffer, the user-to-user protocol is part of Windows 2000's DCOM implementation. Further, a black-hat friend of mine says he's noticed in packet-captures that Microsoft's Xbox protocol uses the U2U protocol, too. Finally, our user-to-user protocol is also part of the P2P security component in the Globus Grid, a distributed supercomputing system being built by IBM, Sun, Microsoft, and by the DoE's Sandia, Lawrence Livermore, and Los Alamos National Labs.
I've been a security consultant since 1991, and my clients include investment banks, brokerages, and stock exchanges on Wall St., here in New England, and overseas. I also work for technology firms and ISP's. I've worked in security since the late '80's, when I was one of the senior programming and sys-admin staff at MIT's Project Athena, which was the first large client-server network. I've been a systems programmer (compilers, kernels, and tools) since 1978. I hold a B.Sc. degree in mathematics from MIT. I live in Somerville, Mass., a small city near Boston. My postal address and phone number are:
148 School St.
Somerville, MA 02143
System Experts is a consulting company with whom I do a lot of work, especially for large corporate and financial clients.
Email addresses: dtd at world.std.com, don at mit.edu