N. Asokan

Optimistic protocols for fair exchange

We describe a generic protocol for fair exchange of electronic goods with non-repudiation. Goods can be signatures (i.e., non-repudiation tokens of public data), confidential data, or payments. The protocol does not involve a third party in the exchange in the fault-less case but only for recovery.

Key agreement in ad hoc networks

We encounter new types of security problems in ad hoc networks because such networks have little or no support infrastructure. In this paper we consider one such problem: a group of people in a meeting room do not have access to public key infrastructure or third party key management service, and they do not share any other prior electronic context. How can they set up a secure session among their computers? We examine various alternatives and propose new protocols for password-based multi-party key agreement in this scenario. Our protocols may be applicable in other scenarios, too. We also present a fault-tolerant version of a multi-party Diffie-Hellman key agreement protocol which can be of independent interest.

Asynchronous protocols for optimistic fair exchange

The optimistic approach of involving a third party only in the case of exceptions is a useful technique to build secure, yet practical fair exchange protocols. Previous solutions using this approach implicitly assumed that players had reliable communication channels to the third party. We present a set of optimistic fair exchange protocols which tolerate temporary failures in the communication channels to the third party. A central feature of the protocols is that either player can asynchronously and unilaterally bring a protocol run to completion.

Optimistic fair exchange of digital signatures

Flow measuring device with a vortex-generating choke body which is arranged within a pipe section and consists of a prismatic forward part of trapezoidal cross-section and a parallelepiped-shaped extension projecting from the smaller surface of said prismatic part. In the interior of the prismatic part, two parallel pressure chambers are positioned transversely to the flow direction, which are connected via rows of openings or slots to the rear of the prismatic part, above and below the extension to form a pneumatic R-C combination. Pressure pickups for measuring the periodic pressure variations which are generated by the vortex separations and are proportional to the flow velocity, are arranged in the pressure chambers or in pressure-conducting connection therewith. By means of the R-C combination, the phase equality of the vortex separations over the width of the choke body is improved and the fading is reduced.

Protecting the Computation Results of Free-Roaming Agents

When mobile agents do comparison shopping for their owners, they are subject to attacks of malicious hosts executing the agents. We present a family of protocols that protect the computation results established by free-roaming mobile agents. Our protocols enable the owner of the agent to detect upon its return whether a visited host has maliciously altered the state of the agent, thus providing forward integrity and truncation resilience. In an environment without public-key infrastructure, the protocols are based only on a secret hash chain. With a public-key infrastructure, the protocols also guarantee non-repudiability.

Secure Vickrey auctions without threshold trust

We argue that threshold trust is not an option in most of the real-life electronic auctions. We then propose two new cryptographic Vickrey auction schemes that involve, apart from the bidders and the seller S, an auction authority A so that unless S and A collude the outcome of auctions will be correct, and moreover, S will not get any information about the bids, while A will learn bid statistics. Further extensions make it possible to decrease damage that colluding S and A can do, and to construct (m + 1)st price auction schemes. The communication complexity between the S and A in medium-size auctions is at least one order of magnitude less than in the Naor-Pinkas-Sumner scheme.

Server-supported signatures

Non-repudiation is one of the most important security services. In this paper we present a novel non-repudiation technique, called Server-Supported Signatures, S3. It is based on one-way hash functions and traditional digital signatures. One of its highlights is that for ordinary users the use of asymmetric cryptography is limited to signature verification. S3 is efficient in terms of computational, communication and storage costs. It also offers a degree of security comparable to existing techniques based on asymmetric cryptography.

On-board credentials with open provisioning

Securely storing and using credentials is critical for ensuring the security of many modern distributed applications. Existing approaches to address this problem fall short. User memorizable passwords are flexible and cheap, but they suffer from bad usability and low security. On the other hand, dedicated hardware tokens provide high levels of security, but the logistics of manufacturing and provisioning such tokens are expensive, which makes them unattractive for most service providers. A new approach to address the problem has become possible due to the fact that several types of general-purpose secure hardware, like TPM and M-shield, are becoming widely deployed. These platforms enable, to different degrees, a strongly isolated secure environment. In this paper, we describe how we use general-purpose secure hardware to develop an architecture for credentials which we call On-board Credentials (ObCs). ObCs combine the flexibility of virtual credentials with the higher levels of protection due to the use of secure hardware. A distinguishing feature of the ObC architecture is that it is open: it allows anyone to design and deploy new credential algorithms to ObC-capable devices without approval from the device manufacturer or any other third party. The primary contribution of this paper is showing and solving the technical challenges in achieving openness while avoiding additional costs (by making use of already deployed secure hardware) and without compromising security (e.g., ensuring strong isolation). Our proposed architecture is designed with the constraints of existing secure hardware in mind and has been prototyped on several different platforms including mobile devices based on M-Shield secure hardware.

Beyond secure channels

A Trusted Channel is a secure communication channel which is cryptographically bound to the state of the hardware and software configurations of the endpoints. In this paper, we describe secure and flexible mechanisms to establish and maintain Trusted Channels which do not have the deficiencies of previous proposals. We also present a concrete implementation proposal based on Transport Layer Security (TLS) protocol, and Trusted Computing technology. We use Subject Key Attestation Evidence extensions to X.509v3 certificates to convey configuration information during key agreement (TLS handshake). The resulting session key is kept within the Trusted Computing Base, and is updated in a predetermined manner to reflect any detected change in the local configuration. This allows an endpoint to detect changes in the configuration of the peer endpoint while the Trusted Channel is in place, and to decide according to a local policy whether to maintain or tear down the Trusted Channel

Applicability of identity-based cryptography for disruption-tolerant networking

Traditional approaches for communication security do not work well in disruption- and delay-tolerant networks (DTNs). Recently, the use of identity-based cryptography (IBC) has been proposed as one way to help solve some of the DTN security issues. We analyze the applicability of IBC in this context and conclude that for authentication and integrity, IBC has no significant advantage over traditional cryptography, but it can indeed enable better ways of providing confidentiality. Additionally, we show a way of bootstrapping the needed security associations for IBC use from an existing authentication infrastructure.