Sirene Online Abstracts 2001

(Sorted by authors.)

Most of the following papers are available online in gnuzipped Postscript, some also in PDF. There is also a complete list of all our publications sorted by language and subject.

Don't forget: some proceedings are published in a later year than the conference is held.


André Adelsbach, Ahmad-Reza Sadeghi: Zero-Knowledge Watermark Detection and Proof of Ownership; accepted for 4th International Information Hiding Workshop (IH '01).

Abstract: The goal of zero-knowledge watermarking detection is to allow a prover to soundly convince a verifier of the presence of a watermark in a certain stego-data without revealing any information which the verifier can use to remove the watermark. Existing proposals do not achieve this goal in terms of definition (not formally zero-knowledge), security (unproven) and coverage (handle only blind watermark detection).
In this paper we define zero-knowledge watermark detection precisely. We then propose efficient and provably secure zero-knowledge protocols for blind and non-blind versions of a well-known class of watermarking schemes. Our protocols can be applied to improve the security of many watermark based applications.
Using such protocols as building blocks we propose concrete protocols for direct proof of ownership which enable offline ownership proofs, i.e., copyright holders can prove their rightful ownership to anyone without involving a trusted third party in the actual proof protocol.


André Adelsbach, Birgit Pfitzmann (ed.): Formal Model of Basic Concepts; MAFTIA Deliverable D4, Project IST-1999-11583, July 2001.

Abstract: The overall goal of MAFTIA Workpackage 6 is to rigorously define the basic concepts developed by MAFTIA, and to verify results of the work on dependable middleware. The main objective of this first deliverable is to present a rigorous model of the most impor- tant concepts of malicious- and accidental-fault tolerance. Additionally, work has already started on the two later objectives of specification and verification with CSP, i.e., in a formal language and with a model checker, and on a sound combination of cryptographic and formal analysis techniques.
The main result is a general rigorous model for the security of reactive systems using a simulatability definition. It comprises various types of faults (attacks), synchrony and topology as considered in MAFTIA. A proof of secure message transmission, a low-level middleware protocol, is shown in this model. A composition theorem for this model and a relation to integrity requirements have been proven; they allow modular proofs in this model, which is essential for the modular design approach of MAFTIA. These theorems can also be seen as a step towards the combination with formal analysis because system specifications can be abstract (in particular deterministic) even if the implementations use cryptography, and thus specifications of higher layers can use standard tools.
The initial CSP investigations were carried out for synchronous contract signing. A distributed synchronous protocol of this type and complexity has not been formally mod- eled in the literature before. It should provide good links with an abstract treatment of cryptography in the future. The results include a general CSP model of a synchronous network, which was then specialized with malicious faults pertaining to contract signing. This model was used to obtain positive verification of the MAFTIA synchronous contract signing protocol.


Ammar Alkassar, Alexander Geraldy, Birgit Pfitzmann, Ahmad-Reza Sadeghi: Optimized Self-Synchronizing Mode of Operation; 8th International Workshop on Fast Software Encryption, Yokohama, April 2001, LNCS, Springer-Verlag.

Abstract: Modes of operation adapt block ciphers to many applications. Among the encryption modes, only CFB (Cipher Feedback) has both of the following properties: Firstly it allows transmission units shorter than the block-cipher length to be encrypted and sent without delay and message expansion. Secondly, it can resynchronize after the loss of such transmission units.
However, CFB is inefficient in such applications, since for every transmission unit, regardless how short, a call to the block cipher is needed.
We propose a new mode of operation based on CFB which remedies this problem. Our proposal, OCFB, is almost optimally efficient (i.e., almost as many message bits are encrypted as block-cipher output bits produced) and it can self-synchronize after the loss or insertion of transmission units. We prove the security of CFB and OCFB in the sense of modern cryptography.


Oliver Berthold, Hannes Federrath, Stefan Köpsell: Web MIXes: A system for anonymous and unobservable Internet access; Proc. Workshop on Design Issues in Anonymity and Unobservability, LNCS 2009, Springer-Verlag, Heidelberg 2001.

Abstract: We present the architecture, design issues and functions of a MIX-based system for anonymous and unobservable real-time Internet access. This system prevents tra^^c analysis as well as flooding attacks. The core technologies include an adaptive, anonymous, time/volume-sliced channel mechanism and a ticket-based authentication mechanism. The system also provides an interface to inform anonymous users about their level of anonymity and unobservability.


Oliver Berthold, Hannes Federrath, Stefan Köpsell: Praktischer Schutz vor Flooding-Angriffen bei Chaumschen Mixen. Patrick Horster (Hrsg.): Kommunikationssicherheit im Zeichen des Internet. DuD-Fachbeiträge, Vieweg, Wiesbaden, 2001, 235-249.

Zusammenfassung: Dieses Papier beschreibt Verfahren, mit denen sich Angriffe der Klasse der Flooding- bzw. (n-1)-Angriffe auf Anonymisierungsdienste erkennen lassen und deren Erfolg verhindert werden kann.


Hannes Federrath (Ed.): Designing Privacy Enhancing Technologies. Proc. Workshop on Design Issues in Anonymity and Unobservability, LNCS 2009, Springer-Verlag, Heidelberg 2001.

Abstract: Anonymity and unobservability have become key issues in the context of securing privacy on the Internet and in other communication networks. Services that provide anonymous and unobservable access to the Internet are important for electronic commerce applications as well as for services where users want to remain anonymous. This book is devoted to the design and realization of anonymity services for the Internet and other communcation networks. The book offers topical sections on: attacks on systems, anonymous publishing, mix systems, identity management, pseudonyms and remailers. Besides nine technical papers, an introduction clarifying the terminology for this emerging area is presented as well as a survey article introducing the topic to a broader audience interested in security issues.


Hannes Federrath: Mehrseitige Sicherheitsfunktionen in Telekommunikationsnetzen. Safety of Modern Technical Systems -- Congress Documentation Saarbrücken 2001, TÜV-Verlag, Köln 2001, 485-489.

Zusammenfassung: Mehrseitige Sicherheit bedeutet die Einbeziehung der Schutzinteressen aller Beteiligten sowie das Austragen daraus resultierender Schutzkonflikte beim Entstehen einer Kommunikationsverbindung. Die mehrseitige Sicherheit verbindet die Sichtweisen von Datenschutz und Datensicherheit zu einem gemeinsamen Konzept.


Günter Karjoth, Matthias Schunter, Michael Waidner: Unternehmensweites Datenschutzmanagement, Datenschutz Sommerakademie 2001, Kiel, Germany, September 18, 2001.

Abstract: Die IBM Enterprise Privacy Architecture (EPA) ermöglicht Unternehmen ihren Kunden einen umfassenden und wohldefinierten Grad an Datenschutz anzubieten. EPA besteht aus den folgenden vier Grundelementen. Die Datenschutzregulierungsanalyse (privacy regulation analysis) identifiziert und strukturiert die anzuwendenden Bestimmungen. An Hand des Managementreferenzmodells kann das Unternehmen seine Datenschutzstrategie sowie die daraus resultierenden Datenschutzpratiken herleiten. Das datenschutzorientierte Geschäftmodell beschreibt eine Methodik, um Unternehmensabläufe unter BerŽücksichtigung von Datenschutzanforderungen neu zu strukturieren. Sie generiert ein detailliertes Modell der relevanten Parteien und Aktivitäten sowie der hierauf anzuwendenden Datenschutzpolitiken. Das vierte Element ist die technische Referenzarchitektur, welche die für die Implementierung notwendigen Technologien bereitstellt. Die Platform for Enterprise Privacy Practices (E-P3P) stellt eine weitere Verfeinerung der technischen Referenzarchitektur dar: Unternehmen sammeln personenbezogene Daten und versprechen ihren Kunden faire Datenschutzpraktiken bei der Verarbeitung dieser Daten. Dank E-P3P können Unternehmen diese Versprechungen automatisiert durchsetzen, indem E-P3P gesammelte Daten mit der formalisierten Datenschutzpolitik, welcher der einzelne Nutzer zugestimmt hat, verknüpft.


Chun-Li Lin, Hung-Min Sun, Michael Steiner and Tzonelih Hwan: Three-party Encrypted Key Exchange Without Server Public-Keys, IEEE Communications Letters, 5(12:497--499, December 2001.

Abstract: Three-party key-exchange protocols with password authentication --- clients share an easy-to-remember password with a trusted server only --- are very suitable for applications requiring secure communications between many light-weight clients (end users); it is simply impractical that every two clients share a common secret. In 1995, Steiner, Tsudik and Waidner proposed a realization of such a three-party protocol based on the \emph{Encrypted Key Exchange} (EKE) protocols. However, their protocol was later demonstrated to be vulnerable to off-line and undetectable on-line guessing attacks. In 2000, Lin, Sun and Hwang proposed a secure three-party protocol with server public-keys. However, the approach of using server public-keys is not always a satisfactory solution and is impractical for some environments. In this article, we propose a secure three-party EKE protocol without server public-keys.


David Powell, André Adelsbach, Christian Cachin, Sadie Creese, Marc Dacier, Yves Deswarte, Tom McCutcheon, Nuno Neves, Birgit Pfitzmann, Brian Randell, Robert Stroud, Paulo Veríssimo, Michael Waidner: MAFTIA (Malicious- and Accidental-Fault Tolerance for Internet Applications); Supplement of the 2001 Int. Conf. on Dependable Systems and Networks, Göteborg, 2001, D32-D35.

Abstract: MAFTIA is investigating the tolerance paradigm in security. Instead of just aiming to prevent intrusions, we aim to make the overall system secure and operational, even if some subsystems are successfully attacked. Critical Internet applications should ideally remain operational, providing the correct, intended service and protecting all confidential information from unauthorized access, in spite of malicious faults, i.e., intrusions, as well as accidental faults. The project is thus investigating tolerance techniques based on distributed trust and verification techniques for providing confidence in the provided dependability.


Birgit Pfitzmann, Michael Waidner: A Model for Asynchronous Reactive Systems and its Application to Secure Message Transmission; IEEE Symposium on Security and Privacy, IEEE Computer Society Press, Washington 2001, 184-200.
(Preliminary version PfWa2_00.)

Abstract: We present a rigorous model for secure reactive systems in asynchronous networks with a sound cryptographic semantics, supporting abstract specifications and the composition of secure systems. This enables modular proofs of security, which is essential in bridging the gap between the rigorous proof techniques of cryptography and tool-supported formal proof techniques.
The model follows the general simulatability approach of modern cryptography. A variety of network structures and trust models can be described, such as static and adaptive adversaries; some examples of this are given.
As an example of our specification methodology we provide an abstract and complete specification for Secure Message Transmission, improving on recent results by Lynch, and verify one concrete implementation. Our proof is based on a general theorem on the security of encryption in a reactive multi-user setting, generalizing a recent result by Bellare et.al.


Birgit Pfitzmann, James Riordan, Christian Stüble, Michael Waidner, Arnd Weber: The PERSEUS System Architecture; IBM Research Report RZ 3335 (#93381) 04/09/01, IBM Research Division, Zurich, April 2001.
(See also the PERSEUS home page.)

Abstract: We present the system architecture and a prototype of Perseus, a secure operating system focusing on personal security management. Nevertheless Perseus allows users to use their favourite applications in a convenient, known way. It is built upon a trusted computing base that is small enough to be formally verified and evaluated according to the Common Criteria or ITSEC. The design includes the services necessary to support post-purchase installation of secure applications by the user. It is flexible enough to run on a wide range of hardware platforms, which allows PCs or PDAs to be used as general-purpose trusted devices. To support a common binary interface the Perseus system acts as a host that runs an existing operating system as one application (client OS). Moreover, by using the client OS judiciously to perform non-critical tasks, the size of the secure kernel can be significantly reduced compared to a stand-alone secure system.


Birgit Pfitzmann, James Riordan, Christian Stüble, Michael Waidner, Arnd Weber: Die PERSEUS System-Architektur; angenommen für Verläßliche IT-Systeme, GI-Fachtagung VIS '01, Kiel, Sept. 2001.

Abstract: Sichere Anwendungen sind ohne ein sicheres Betriebssystem unmöglich. Wir zeigen auf, wie bestehende Mechanismen wie kryptographische Protokolle oder Smartcards umgangen werden können, und präsentieren eine Systemarchitektur für eine allgemeine Sicherheitsplattform, die klein genug ist, um nach den Common Criteria oder ITSEC evaluiert zu werden, und die es Nutzern erlaubt, ihre vorhandenen Anwendungen bequem weiterzubenutzen. Das Design enthält alle nötigen Dienste, um auch sichere Softwareinstallationen durch den Endbenutzer durchführen zu lassen. Um eine verbreitete Applikationsschnittstelle zur Verfügung zu stellen, arbeitet das Perseus System als Host, der als eine Clientapplikation ein existierendes Betriebssystem (client OS) ausführt. Dadurch, dass dieses Client OS alle nicht sicherheitskritischen Aufgaben übernimmt, können wir den Sicherheitskern klein und überschaubar halten. Zuletzt wird ein allgemeines Modell und ein erster bestehender Prototyp des Perseus Systems vorgestellt. Er basiert auf dem Fiasco Mikrokern und führt Linux als Client OS aus.


Ahmad-Reza Sadeghi, Michael Steiner: Assumptions Related to Discrete Logarithms: Why Subtleties Make a Real Difference; Eurocrypt 2001, LNCS 2045, Springer-Verlag, May 2001, 243-260.
(See also the heavily revised and extended final version of the paper!)

Abstract: The security of many cryptographic constructions relies on assumptions related to Discrete Logarithms (DL), e.g., the Diffie-Hellman, Square Exponent, Inverse Exponent or Representation Problem assumptions. In the concrete formalizations of these assumptions one has some degrees of freedom offered by parameters such as computational model, the problem type (computational, decisional) or success probability of adversary. However, these parameters and their impact are often not properly considered or are simply overlooked in the existing literature.
In this paper we identify parameters relevant to cryptographic applications and describe a formal framework for defining DL-related assumptions. This enables us to precisely and systematically classify these assumptions.
In particular, we identify a parameter, termed granularity, which describes the underlying probability space in an assumption. Varying granularity we discover the following surprising result: We prove that two DL-related assumptions can be reduced to each other for medium granularity but we also show that they are provably not reducible with generic algorithms for high granularity. Further we show that reductions for medium granularity can achieve much better concrete security than equivalent high-granularity reductions.


Michael Steiner, Peter Buhler, Thomas Eirich, Michael Waidner: Secure password-based cipher suite for TLS; ACM Transactions on Information and System Security 4/2 (2001), 134-157.
(Journal version of BESW_00.)

Abstract: SSL is the de-facto standard today for securing end-to-end transport on the Internet. While the protocol itself seems rather secure, there are a number of risks that lurk in its use, e.g., in web banking. However, the adoption of password-based key-exchange protocols can overcome some of these problems. We propose the integration of such a protocol (DH-EKE) in the TLS protocol, the standardization of SSL by IETF. The resulting protocol provides secure mutual authentication and key establishment over an insecure channel. It does not have to resort to a PKI or keys and certificates stored on the users computer. Additionally, its integration in TLS is as minimal and non-intrusive as possible.


Thomas Schoch, Oliver Krone, Hannes Federrath: Making Jini Secure. Proc. 4th International Conference on Electronic Commerce Research (ICECR4) 2001, 276-286.

Abstract: In this paper we describe a security architecture for Jini services. The current Jini API and its implementations do not handle any security aspects. In an open and distributed environment like the Internet, many attacks can be started or Jini services can be abused. On the other hand, Java -- the programming language which Jini is made of -- provides some security concepts. We show how a strong authentication and authorization architecture for Jini with a secure communication channel can be realized by using existing Java technology and without any modifications of the Jini API.


Paulo Veríssimo, Nuno Ferreira Neves (ed.): Service and Protocol Architecture for the MAFTIA Middleware; MAFTIA Deliverable D23, Project IST-1999-11583, January 2001, Technical Report DI/FCUL TR-01-1, University of Lisboa.

Abstract: This document describes the specification of the MAFTIA middleware architecture. This specification focusses on the models, building blocks and services. It describes the tradeoffs made in terms of models, the choices of building blocks and their topology, and the portfolio of services to be offered by the MAFTIA middleware to applications and high-level services. In particular, regarding the system model, it presents a detailed discussion on the fault, synchrony, topological, and group models, which were used to guide the overall architecture. The architecture was divided into two main levels, the site part which connects to the network and handles all inter-host operations, and a participant part which takes care of all distributed activities and relies on the services provided by the site-part components.


Back to SIRENE's Home or Pointers to the Outside World.
Ahmad-Reza Sadeghi sadeghi@cs.uni-sb.de
Last modified: $Date: 2002/08/16 18:06:09 $