Computer Security and Cryptography Reading Group
September 2003 List

10 Sept. 2003, 5331 CS, 2:30 - 3:30 PM

Paper # 1
David Ferraiolo, Richard Kuhn
National Institute of Standards and Technology
Role-Based Access Control
15th NIST National Security Conference (NIST-NCSC 1992)
URL: http://citeseer.nj.nec.com/ferraiolo92rolebased.html
While Mandatory Access Controls (MAC) are appropriate for multilevel secure military applications, Discretionary Access Controls (DAC) are often perceived as meeting the security processing needs of industry and civilian government. This paper argues that reliance on DAC as the principal method of access control is unfounded and inappropriate for many commercial and civilian government organizations. The paper describes a type of non-discretionary access control - role-based access control (RBAC) - that is more central to the secure processing needs of non-military systems than DAC.

Paper # 2
John Barkley
National Institute of Standards and Technology
Comparing Simple Role Based Access Control Models and Access Control Lists
URL: http://citeseer.nj.nec.com/barkley97comparing.html
The RBAC metaphor is powerful in its ability to express access control policy in terms of the way in which administrators view organizations. The functionality of simple Role Based Access Control (RBAC) models is compared to access control lists (ACL). A very simple RBAC model is shown to be no different from a group ACL mechanism from the point of view of its ability to express access control policy. RBAC is often distinguished from ACLs by the inclusion of a feature which allows a session to be associated with a proper subset of the roles (i.e., groups in ACL terms) authorized for a user. Two possible semantics for this feature are described: one which requires a similar amount of processing as that required by ACLs, and another which requires significantly more processing than that required by ACLs. In addition, the capability to define role hierarchies is compared to an equivalent feature in ACLs.
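
The two RBAC papers above make three points that are easy to check mechanically: a simple RBAC model decides exactly like a group ACL, the session feature lets a user activate a proper subset of authorized roles, and a role hierarchy corresponds to nested groups. The following Python example is added here to illustrate them; it is not code from either paper. The policy data (users alice and bob, objects payroll.db and reports/, groups hr, auditor and staff) is constructed for the example, and the ACL is translated into roles by the example's own acl_to_rbac function.

```python
from itertools import product

# Constructed sample policy (added example, not data from either paper).
USERS = ("alice", "bob")
OBJECTS = ("payroll.db", "reports/")
PERMS = ("read", "write")

# Group ACL model: groups hold users, and each object's ACL maps groups to permissions.
GROUP_MEMBERS = {"hr": {"alice"}, "auditor": {"alice"}, "staff": {"bob"}}
# Group nesting, the ACL analogue of a role hierarchy: every hr member also counts as staff.
GROUP_PARENTS = {"hr": {"staff"}}
ACL = {
    "payroll.db": {"hr": {"read", "write"}, "auditor": {"read"}},
    "reports/": {"staff": {"read"}, "hr": {"write"}},
}


def closure(start, edges):
    """Transitive closure of a set under a parent/inherits relation."""
    seen, todo = set(start), list(start)
    while todo:
        for nxt in edges.get(todo.pop(), ()):
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen


def user_groups(user):
    direct = {g for g, members in GROUP_MEMBERS.items() if user in members}
    return closure(direct, GROUP_PARENTS)


def acl_allows(user, obj, perm):
    return any(perm in ACL[obj].get(g, set()) for g in user_groups(user))


def acl_to_rbac():
    """Mechanically translate the group ACL into a simple RBAC model:
    one role per group, holding every (object, permission) the group has anywhere."""
    role_perms = {g: set() for g in GROUP_MEMBERS}
    for obj, entries in ACL.items():
        for g, perms in entries.items():
            role_perms[g].update((obj, p) for p in perms)
    user_roles = {u: {g for g, m in GROUP_MEMBERS.items() if u in m} for u in USERS}
    return role_perms, user_roles


ROLE_PERMS, USER_ROLES = acl_to_rbac()
ROLE_INHERITS = GROUP_PARENTS  # role hierarchy: hr inherits staff's permissions


def rbac_allows(user, obj, perm, active_roles=None):
    """active_roles models a session that activates only a subset of the user's
    authorized roles; roles the user does not hold are ignored."""
    roles = USER_ROLES[user] if active_roles is None else set(active_roles) & USER_ROLES[user]
    return any((obj, perm) in ROLE_PERMS[r] for r in closure(roles, ROLE_INHERITS))


def models_agree():
    """With all roles active, the simple RBAC model and the group ACL decide identically."""
    return all(acl_allows(u, o, p) == rbac_allows(u, o, p)
               for u, o, p in product(USERS, OBJECTS, PERMS))


def session_decisions(user, active_roles):
    return {(o, p): rbac_allows(user, o, p, active_roles) for o, p in product(OBJECTS, PERMS)}


if __name__ == "__main__":
    print("ACL and RBAC agree:", models_agree())
    print("alice, all roles:", session_decisions("alice", USER_ROLES["alice"]))
    print("alice, auditor only:", session_decisions("alice", {"auditor"}))
```

With every role active, models_agree() confirms the equivalence Barkley describes. Activating only the auditor role for alice denies payroll.db write and reports/ read even though she is authorized for both, which is the least-privilege effect of the session feature; the same cannot be expressed in the plain group ACL without changing group membership.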

17 Sept. 2003, 5331 CS, 2:30 - 3:30 PM

Paper # 1
Chris Lesniewski-Laas and M. Frans Kaashoek
MIT
SSL Splitting: Securely Serving Data from Untrusted Caches
12th USENIX Security Symposium (Security'03), pp. 187-200, Washington DC, August 4-8, 2003
URL: http://www.cs.wisc.edu/~lpkruger/lesniewski.pdf
A popular technique for reducing the bandwidth load on Web servers is to serve the content from proxies. Typically these hosts are trusted by the clients and server not to modify the data that they proxy. SSL splitting is a new technique for guaranteeing the integrity of data served from proxies without requiring changes to Web clients. Instead of relaying an insecure HTTP connection, an SSL splitting proxy simulates a normal Secure Sockets Layer (SSL) connection with the client by merging authentication records from the server with data records from a cache. This technique reduces the bandwidth load on the server, while allowing an unmodified Web browser to verify that the data served from proxies is endorsed by the originating server.

SSL splitting is implemented as a patch to the industry-standard OpenSSL library, with which the server is linked. In experiments replaying two-hour access.log traces taken from LCS Web sites over an ADSL link, SSL splitting reduces bandwidth consumption of the server by between 25% and 90% depending on the warmth of the cache and the redundancy of the trace. Uncached requests forwarded through the proxy exhibit latencies within approximately 5% of those of an unmodified SSL server.
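
The core idea of the abstract, merging authentication records from the server with data records from a cache so that only the server can endorse content and the proxy never holds the session key, can be modelled in a few dozen lines. The Python below is an added example, not the paper's implementation or wire format: HMAC-SHA256 stands in for the record MAC, a SHA-256 hash stands in for whatever identifier the server uses to name a payload, and the AuthRecord and DataRecord types, the Proxy class and the byte accounting are the example's own assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed per-session MAC key shared by server and client; the proxy never sees it.
SESSION_KEY = os.urandom(32)


@dataclass(frozen=True)
class AuthRecord:
    """What the server sends the proxy: an authenticator but no payload."""
    seq: int
    content_id: bytes   # names the payload the proxy must supply from its cache
    mac: bytes          # authenticator over (seq, payload)


@dataclass(frozen=True)
class DataRecord:
    """What the client receives: indistinguishable from a normal MACed record."""
    seq: int
    payload: bytes
    mac: bytes


def content_id(payload: bytes) -> bytes:
    return hashlib.sha256(payload).digest()


def record_mac(key: bytes, seq: int, payload: bytes) -> bytes:
    return hmac.new(key, seq.to_bytes(8, "big") + payload, hashlib.sha256).digest()


def server_auth_record(key: bytes, seq: int, payload: bytes) -> AuthRecord:
    return AuthRecord(seq, content_id(payload), record_mac(key, seq, payload))


class Proxy:
    """Untrusted cache: merges the server's authenticator with a cached payload."""

    def __init__(self, origin_fetch):
        self.cache = {}
        self.origin_fetch = origin_fetch   # callback content_id -> payload, used on a miss
        self.origin_bytes = 0              # bytes the origin server actually had to send

    def merge(self, rec: AuthRecord) -> DataRecord:
        payload = self.cache.get(rec.content_id)
        if payload is None:
            payload = self.origin_fetch(rec.content_id)
            self.origin_bytes += len(payload)
            self.cache[rec.content_id] = payload
        self.origin_bytes += len(rec.content_id) + len(rec.mac)
        return DataRecord(rec.seq, payload, rec.mac)


def client_verify(key: bytes, rec: DataRecord) -> bool:
    """The client checks the MAC exactly as it would on a direct connection."""
    expected = record_mac(key, rec.seq, rec.payload)
    return hmac.compare_digest(expected, rec.mac)


def simulate(key: bytes, requests):
    """Replay a list of requested payloads through a cold proxy and account for bytes."""
    store = {content_id(p): p for p in requests}      # the origin's content
    proxy = Proxy(lambda cid: store[cid])
    verified = []
    for seq, payload in enumerate(requests):
        rec = proxy.merge(server_auth_record(key, seq, payload))
        verified.append(client_verify(key, rec))
    return {"all_verified": all(verified), "origin_bytes": proxy.origin_bytes,
            "payload_bytes": sum(len(p) for p in requests)}


def tampered_is_rejected(key: bytes) -> bool:
    """A cache that alters a payload cannot produce a record the client accepts."""
    payload = b"<html>index</html>"
    good = DataRecord(0, payload, record_mac(key, 0, payload))
    bad = DataRecord(0, payload.replace(b"index", b"other"), good.mac)
    return client_verify(key, good) and not client_verify(key, bad)


if __name__ == "__main__":
    print(simulate(SESSION_KEY, [b"A" * 1000, b"B" * 500, b"A" * 1000, b"A" * 1000]))
    print("tampered record rejected:", tampered_is_rejected(SESSION_KEY))
```

The saving comes entirely from cache hits: repeated payloads cost the origin only the identifier and MAC, which matches the abstract's observation that the reduction depends on cache warmth and trace redundancy. Because the proxy never holds SESSION_KEY, tampered_is_rejected shows why an unmodified verifying client is enough to catch a misbehaving cache.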

Paper # 2
B. Canvel, A. Hiltgen, S. Vaudenay, and M. Vuagnoux
EPFL LASEC / UBS / EPFL LASEC / EPFL SSC & Ilion
Password interception in a TLS/SSL channel
Advances in Cryptology - Crypto 2003, 17-21 Aug 2003, Santa Barbara (CA), USA
URL: http://lasecwww.epfl.ch/pub/lasec/doc/CHVV03.ps
Simple password authentication is often used e.g. from an email software application to a remote IMAP server. This is frequently done in a protected peer-to-peer tunnel, e.g. by SSL/TLS. At Eurocrypt'02, Vaudenay presented vulnerabilities in padding schemes used for block ciphers in CBC mode. He used a side channel, namely error information in the padding verification. This attack was not possible against SSL/TLS due both to the unavailability of the side channel (errors are encrypted) and premature abortion of the session in case of errors. In this paper we extend the attack and optimize it. We show it is actually applicable against the latest and most popular implementations of SSL/TLS (at the time this paper was written) for password interception. We demonstrate that a password for an IMAP account can be intercepted when the attacker is not too far from the server in less than an hour in a typical setting. We conclude that these versions of the SSL/TLS implementations are not secure when used with block ciphers in CBC mode and propose ways to strengthen them. We also propose to update the standard protocol.

24 Sept. 2003, 5331 CS, 2:30 - 3:30 PM

Paper # 1
B. Canvel, A. Hiltgen, S. Vaudenay, and M. Vuagnoux
EPFL LASEC / UBS / EPFL LASEC / EPFL SSC & Ilion
Password interception in a TLS/SSL channel
Advances in Cryptology - Crypto 2003, 17-21 Aug 2003, Santa Barbara (CA), USA
URL: http://lasecwww.epfl.ch/pub/lasec/doc/CHVV03.ps
Simple password authentication is often used e.g. from an email software application to a remote IMAP server. This is frequently done in a protected peer-to-peer tunnel, e.g. by SSL/TLS. At Eurocrypt'02, Vaudenay presented vulnerabilities in padding schemes used for block ciphers in CBC mode. He used a side channel, namely error information in the padding verification. This attack was not possible against SSL/TLS due both to the unavailability of the side channel (errors are encrypted) and premature abortion of the session in case of errors. In this paper we extend the attack and optimize it. We show it is actually applicable against the latest and most popular implementations of SSL/TLS (at the time this paper was written) for password interception. We demonstrate that a password for an IMAP account can be intercepted when the attacker is not too far from the server in less than an hour in a typical setting. We conclude that these versions of the SSL/TLS implementations are not secure when used with block ciphers in CBC mode and propose ways to strengthen them. We also propose to update the standard protocol.

Paper # 2
S. Vaudenay
EPFL LASEC
Security Flaws Induced by CBC Padding - Applications to SSL, IPSEC, WTLS...
Advances in Cryptology - Eurocrypt 2002, 28 April - 2 May 2002, Amsterdam, Netherlands
URL: http://lasecwww.epfl.ch/pub/lasec/doc/Vau02a.ps
In many standards, e.g. SSL/TLS, IPSEC, WTLS, messages are first pre-formatted, then encrypted in CBC mode with a block cipher. Decryption needs to check if the format is valid. Validity of the format is easily leaked out from communication protocols because the receiver usually sends an error message when the format is not valid. This is a side channel.

In this paper we show that the validity of the format of the decryption is actually a hard-core bit predicate. We demonstrate this by implementing an efficient and practical side channel attack which enables the decryption of any ciphertext. The attack complexity is O(NbW) where N is the message length in blocks, b is the block length in words, and W is the number of possible words (typically 256). We also discuss extensions to other padding schemes and various ways to fix the problem.
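
The Canvel et al. paper (17 and 24 Sept.) and the Vaudenay paper rest on the same receiver-side point: whether the padding of a decrypted record was well formed is a bit the receiver must not reveal. The Python below is an added example, not code from either paper, showing that bit as it appears in a TLS 1.0-style MAC-then-pad record and the standard hardening of reporting one error for both padding and MAC failures while always running the MAC check. It works on the plaintext as it would look after CBC decryption (the cipher itself is left out), uses HMAC-SHA256 in place of the record MAC, and its padding layout, record format and constructed LOGIN payload are assumptions of the example. It addresses only the error-message channel; equalizing processing time is a separate hardening not shown here.

```python
import hashlib
import hmac
import os

BLOCK = 16               # cipher block size in bytes
MAC_LEN = 32             # HMAC-SHA256 tag length, standing in for the TLS record MAC
MAC_KEY = os.urandom(32) # constructed per-session MAC key


def tls_pad(data: bytes) -> bytes:
    """TLS 1.0-style CBC padding: n bytes of value n followed by the length byte n."""
    n = (BLOCK - (len(data) + 1) % BLOCK) % BLOCK
    return data + bytes([n]) * (n + 1)


def tls_padding_valid(pt: bytes) -> bool:
    """True only if the trailing padding is well formed."""
    if not pt:
        return False
    n = pt[-1]
    return n + 1 <= len(pt) and pt[-(n + 1):] == bytes([n]) * (n + 1)


def record_mac(key: bytes, seq: int, msg: bytes) -> bytes:
    return hmac.new(key, seq.to_bytes(8, "big") + msg, hashlib.sha256).digest()


def build_record(key: bytes, seq: int, msg: bytes) -> bytes:
    """Plaintext of a MAC-then-pad record, as it would look after CBC decryption."""
    return tls_pad(msg + record_mac(key, seq, msg))


def leaky_receive(key: bytes, seq: int, pt: bytes) -> str:
    """Pre-fix behaviour: padding and MAC failures yield different results, so the
    party that submitted a malformed record learns whether the padding alone was valid."""
    if not tls_padding_valid(pt):
        return "bad_padding"
    body = pt[:-(pt[-1] + 1)]
    msg, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    if not hmac.compare_digest(mac, record_mac(key, seq, msg)):
        return "bad_mac"
    return "ok"


def hardened_receive(key: bytes, seq: int, pt: bytes) -> str:
    """Uniform failure: if the padding is invalid, treat the record as having zero-length
    padding, run the MAC check regardless, and report one error for both failures."""
    pad_ok = tls_padding_valid(pt)
    body = pt[:-(pt[-1] + 1)] if pad_ok else pt
    msg, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    mac_ok = hmac.compare_digest(mac, record_mac(key, seq, msg))
    return "ok" if (pad_ok and mac_ok) else "bad_record"


def responses_for(key: bytes) -> dict:
    """Compare both receivers on a correct record and two corrupted copies of it."""
    good = build_record(key, 1, b"a001 LOGIN user secret")      # constructed IMAP-like line
    padding_damaged = good[:-1] + bytes([good[-1] ^ 0xFF])       # breaks the length byte
    mac_damaged = bytes([good[0] ^ 0x01]) + good[1:]             # padding intact, MAC fails
    cases = (("good", good), ("padding_damaged", padding_damaged), ("mac_damaged", mac_damaged))
    return {name: (leaky_receive(key, 1, pt), hardened_receive(key, 1, pt)) for name, pt in cases}


if __name__ == "__main__":
    for name, (leaky, hardened) in responses_for(MAC_KEY).items():
        print(f"{name:16s} leaky={leaky:12s} hardened={hardened}")
```

The leaky receiver answers bad_padding for the damaged padding and bad_mac for the damaged message, which is exactly the validity predicate Vaudenay's abstract calls a hard-core bit. The hardened receiver answers bad_record in both cases, and because it computes the MAC even when the padding is wrong, it removes the shortcut that would otherwise let the two failures be told apart by how much work the receiver did before answering.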