Comparing the expressive power of access control models is recognized as a fundamental problem in computer security.  Such comparisons are generally based on simulations between different access control schemes.  However, the definitions for simulations that are used in the literature make it impossible to put results and claims about the expressive power of access control models into a single context.  Furthermore, some definitions for simulations used in the literature such as those used for comparing RBAC (Role-Based Access Control)  with other models, are too weak to distinguish access control models from one another in a meaningful way.

We propose a theory for comparing the expressive power of access control models. We perceive access control systems as state-transition systems and require simulations to preserve security properties.  We discuss the rationale behind such a theory,  apply the theory to reexamine some existing work on the expressive power of access control models in the literature and present three results. We show that: (1) RBAC with a particular administrative model from the literature (ARBAC97) is limited in its expressive power; (2) ATAM (Augmented Typed Access Matrix) is more expressive than TAM (Typed Access Matrix), thereby solving an open problem posed in the literature;  and (3) a trust-management language is at least as expressive as RBAC with a particular administrative model (the URA97 component of ARBAC97).

SUPERCEDED BY CERIAS TR 2005-26

We propose Oblivious Attribute Certificates (OACerts), an attribute certificate scheme in which a certificate holder can select which attributes to use and how to use them.  In particular, a user can use attribute values stored in an OACert obliviously, \ie, the user obtains a service if and only if the attribute values satisfy the policy of the service provider, yet the service provider learns nothing about these attribute values.

To build OACerts, we propose a new cryptographic primitive called Oblivious Commitment Based Envelope (OCBE).  In an OCBE scheme, Bob has an attribute value committed to Alice and Alice runs a protocol with Bob to send an envelope (encrypted message) to Bob such that: (1) Bob can open the envelope if and only if his committed attribute value satisfies a predicate chosen by Alice. (2) Alice learns nothing about Bob’s attribute value. We develop provably secure and efficient OCBE protocols for the Pedersen commitment scheme and predicates such as $=,\ge,\le,>,<,\ne$ as well as logical combinations of them.

While Open Source software is routinely described as “more secure” than commercial off the shelf software, all available evidence suggests that there is little difference in the level of trust that should be accorded either type of system. The paper also relies on an analysis using risk perception theory to explain why Open Source is widely believed to be “more secure” than other types of software.

BGP is essential to the operation of the Internet, but is vulnerable to both accidental failures and malicious attacks. We propose a new protocol that works in concert with BGP, which Autonomous Systems will use to help detect and mitigate accidentally or maliciously introduced faulty routing information. The protocol differs from previous efforts at securing BGP in that it is receiver-driven, meaning that there is a mechanism for recipients of BGP UPDATE messages to corroborate the information ...

We describe a system that we have designed and implemented for publishing content on the web. Our publishing scheme has the property that it is very difficult for any adversary to censor or modify the content. In addition, the identity of the publisher is protected once the content is posted. Our system differs from others in that we provide tools for updating or deleting the published content, and users can browse the content in the normal point and click manner using a standard web browser and a client-side proxy that we provide. All of our code is freely available.

This paper deals with the problem of secure cooperative updates for XML documents in distributed systems. In particular, we introduce the basic notions underlying a flow language by using which a user can specify the flow that a given XML document has to follow within a group of cooperative subjects. A key feature of the flow language is to be based on the notion of subject credentials. In addition, we describe a policy language to specify special-purpose authorizations allowing selected subjects to modify or extend a given document flow. Finally, we briefly describe the protocols for verifying that the path followed by a document in a collaborative group agrees with the specified flow and to verify that modifications on a given flow are in accordance with the specified authorizations.

In this paper, we investigate a method by which smart cards can be used to enhance the security of session key distribution in the third-party setting of Needham & Schroeder. We extend the security model of Bellare & Rogaway to take into account both the strengths and weaknesses of smart card technology, we propose a session key distribution protocol, and we prove that it is secure assuming pseudo-random functions exist.

In this paper we introduce a system called Crowds for protecting users’ anonymity on the world-wide-web.  Crowds, named for the notion of “blending into a crowd”, operates by grouping users into a large and geographically diverse group (crowd) that collectively issues requests on behalf of its members.  Web servers are unable to learn the true source of a request because it is equally likely to have originated from any member of the crowd, and even collaborating crowd members cannot distinguish the originator of a request form a member who is merely forwarding the request on behalf of another.  We describe the design, implementation, security, performance, and scalability of our system.  Our security analysis introduces degrees of anonymity as an important tool for describing and proving anonymity properties.

The first and only print publication devoted solely to the subject of the pf packet filter used in OpenBSD, FreeBSD, and NetBSD operating systems.

Written by Jacek Artymiak, a frequent contributor to ONLamp.com, Building Firewalls with OpenBSD and PF is the first and only print publication devoted solely to the subject of the pf packet filter used in OpenBSD, FreeBSD, and NetBSD operating systems. Topics covered include: firewall design, ruleset syntax, packet normalization (scrubbing), packet redirection (masquerading), packet filtering, bandwidth management (ALTQ), load balancing, and more.

Today’s world of increasingly dynamic computing environments naturally results in more and more data being available as fast streams. Applications such as stock market analysis, environmental sensing, web clicks and intrusion detection are just a few of the examples where valuable data is streamed to its consumer.  Often, streaming information is offered on the basis of a non-exclusive, single-use customer license. One major concern, especially given the digital nature of the valuable stream, is the ability to easily record and potentially “re-play” parts of it in the future. If there is value associated with such future re-plays, it could constitute enough incentive for a malicious customer (Mallory) to duplicate segments of such recorded data, subsequently re-selling them for profit. Being able to protect against such infringements becomes a necessity.

In this paper we introduce the issue of rights protection for streaming data through watermarking. This is a novel problem with many associated challenges including: the inability to perform multiple-pass random accesses to the entire data set, the requirement to be fast enough to keep up with the incoming stream rate, to survive instances of extreme sparse sampling and summarizations, while at the same time keeping data alterations within allowable bounds.  We propose a solution and analyze its resilience to various types of attacks as well as some of the important expected domain-specific transforms, such as sampling and summarization. We implement a proof of concept software (wms.*) for the proposed solution and perform experiments on real sensor data to assess these resilience levels in practice. Our method proves to be well suited for this new domain. For example, we can recover an over 97% confidence watermark from a sampled (e.g. less than 8%) stream.  Similarly, our encoding ensures survival to stream summarization (e.g. 20%) and random alteration attacks with very high confidence levels, often above 99%.

In this paper we propose and evaluate new graphical password schemes that exdploit features of graphical input displays to achieve better security than textbased passwords.  Graphical in put devices enable the user to decouple the position of inputs from the temporal order in which those inputs occur, and we show that this decoupling can be used to generate password schemes with substantially larger password spaces.  In order to evaluate the security of one of our schemes, we devise a novel way to capture a subset of the “memorable” passwords that , we believe, is itself a contribution.  In this work we are primarily motivated be devices such as personal digital assistants (PDAs) that offer graphical input capabilities wia a stylus, and we describel our prototype inplementation of one of our password schemes on such a PDA, namely the Palm Pilot.

Access control in enterprises is a key research area in the realm of Computer Security because of the unique needs of the target enterprise. As the enterprise typically has large user and resource pools, administering the access control based on any framework could in itself be a daunting task. This work presents X-GTRBAC Admin, an administration model that aims at enabling policy administration within a large enterprise. In particular, it simplifies the process of user-to-role and permission-to-role assignments, and thus allows decentralization of the policy administration tasks. Secondly, it also allows for specifying the domain of authority of the system administrators, and hence provides mechanism to distribute the administrative authority over multiple domains within the enterprise. The paper also illustrates the applicability of the administrative concepts presented in our framework for enterprise-wide access control.

We present RTML version 1, a Role-based Trust-management Markup Language, which is an XML-based data representation of the RT framework. RTML extends the original design of RT, adding the following features: new data types to encode permissions involving structured resources and ranges, restrictive inheritance of roles for flexible refinement of permissions, and notions of identity roles and identity-based roles to address the issue of enforcing Separation of Duty policies when a physical user holds multiple keys.

RTML enables the deployment of the RT framework. Compared with systems like SPKI/SDSI and KeyNote, it has the following distinguishing features. RTML is designed with a logic-based semantics foundation. RTML directly addresses the issue of vocabulary agreement and uses strongly typed credentials, help reducing potential errors in writing credentials and unintended interactions among credentials. RTML supports more flexible delegation, including the ability to delegate to principals that have certain properties and to control the scope of a delegation. RTML also supports Separation of Duty in a more expressive way.

An implementation of the title program is described.  It was used to factor many integers with up to 135 digits. Our program is much faster than the (non-hypercube) multiple polynomial quadratic sieve with two large primes.