Private Computing : The Trusted Digital Assistant

The dissertation has been approved by prof. dr.

This dissertation was typeset with LaTeX in Charter and Euler, with symbols from AMS. The simple figures were drawn, then scanned at 1200 dpi, and converted to JPG with GIMP. The complicated ones were programmed in METAPOST. The cover was drawn by Marianne Kulø. The dissertation was in its entirety written and typeset using NetBSD.

Preface

Over the last 10 years, I have continuously been working on projects related to private computing. The projects to which I have been affiliated have varied in focus, in size and in scope. This dissertation reports from the various projects, and thus represents a decade of research.

Over the years, I have had the pleasure of working with quite a few people. Fortunately, not all of them have let me be solely in control of our joint projects. In fact, some have put up quite some resistance when I have tried to lead the project in the direction I believed was best. Today, I believe this stubborn resistance benefited not only the projects per se, but probably also, in the end, this dissertation.

The price to pay for cooperation is that I am not the sole author of every single publication this dissertation is based on. However, I am the first author on all but one. On that last one, the authors are in alphabetical order. Thus, my claim is that this dissertation reports from my contributions.

My ambition has been to present only work that has been validated by peer review. To that end, at the very beginning of each chapter there is a section identifying the underlying publication(s). All chapters, except those in the introduction (Chapters 1 – 3) and Chapter 7, are based on articles that have been published. A few of them have simply been printed, but most have been published.

Because I report from a decade of continuous work, some of the results presented here are quite dated. However, at the time they were published, they were not.
