Paul F. Syverson. A different look at secure distributed computation. In 10th IEEE Computer Security Foundations Workshop, pages 109--115. IEEE Computer Society, June 1997.
....to click on the causes, recommendations or comments column entries to bring up the associated requirements elicitation trees, or click on the effects and comments column entries to display the associated consequence identification tree. 10.3.4 Formalisation of requirements Meadows and Syverson [152, 153, 155] formalised protocol requirements in temporal logic, in order to use to analyse protocols in the NRL protocol analyser. They also suggested that such requirements could be used in the design stage. (Section 6.3) Buttyán, Staamann and Wilhelm [41] use synthesis rules in their Simple logic to refine ....
Paul F. Syverson. A different look at secure distributed computation. In 10th IEEE Computer Security Foundations Workshop, pages 109--115. IEEE Computer Society, June 1997.
....generally reasonable for authentication protocols and underlies most systems designed for protocol analysis, e.g. [5, 18, 16, 1, 13]. Within the Dolev-Yao model, the capabilities of the intruder are circumscribed. They can be in many respects neutralized by relying on appropriate message formats [2, 22]. However, practical reasons, such as limited bandwidth, sometimes make such architectures inviable. We claim that a significant source of faulty designs and contradictory analyses can be traced to shortcomings in the languages used to specify protocols. The popular usual Partially supported ....
P. F. Syverson. A different look at secure distributed computation. In Proc. CSFW-10, pages 109--115. IEEE Computer Society Press, 1997.
....generally reasonable for authentication protocols and underlies most systems designed for protocol analysis, e.g. [5, 22, 19, 1, 16]. Within the Dolev-Yao model, the capabilities of the intruder are circumscribed. They can be in many respects neutralized by relying on appropriate message formats [2, 26]. However, practical reasons, such as limited bandwidth, sometimes make such architectures unviable. We claim that a significant source of faulty designs and contradictory analyses can be traced to shortcomings in the language used to specify protocols. The popular usual notation relies on the ....
P. F. Syverson. A different look at secure distributed computation. In Tenth IEEE Computer Security Foundations Workshop --- CSFW-10, pages 109--115. IEEE Computer Society Press, June 1997.
....nearly all approaches rely on some variant of the Dolev-Yao intruder, we could not find a formal proof in the literature that this model indeed implements the most powerful attacker. Finally, it should be observed that our notion of access control is orthogonal to the insightful guidelines of [2, 27], aimed at constructing protocols that are immune by design to certain classes of attack. This paper is structured as follows: in Section 2, we recall the form of an MSR specification. Its access control policy and the relative decidability results are the subject of Section 3. In Section 4, we ....
P. F. Syverson. A different look at secure distributed computation. In Tenth IEEE Computer Security Foundations Workshop --- CSFW-10, pages 109--115. IEEE Computer Society Press, June 1997.
....functionality. [Figure 8. Heuristic Representation of Feasibility Region; labels: F i, feasible region, acceptable functionality, unacceptable functionality, acceptable insecurity, unacceptable insecurity, image of U x L] Considering the temporal nature of the downgrading, a stochastic game theoretic [13] approach might be called for. Consider a two person game where the gains are the increase in security ( GammaL) and the losses ( GammaU ) are the decrease in functionality. From this, one should be able to produce a pay off function. We feel that it will be a very complicated game and we will ....
Syverson, P.F. (1997) "A Different Look at Secure Distributed Computation," Proc. Computer Security Foundations Workshop, pp. 109-115, 1997.
....the intruder between A and B may not be able to directly communicate with the intruder between C and D. They may only be able to communicate via honest principals, e.g. one intruder can signal the other by causing an honest principal between them to send certain messages to the other. cf. [26] for more discussion of this model of computation in a hostile environment. This naturally engenders a view of the environment as a distributed group principal. Similarly, sets of honest principals trying to solve some threshold computation (e.g. decryption or signature) may be thought of in ....
....not describe them here. We typically assume a single environment between any two system principals. This we call a pairwise 3 environment. In some sense, the communication graph for the system is fully connected, but with an environment principal between any two system principals (much as in [26], although our environments need not be hostile). However, in practice many of these environment principals will 2 Unlike the knowledge based programs of [11, 12] our knowledge programs do not have standard tests (those not involving epistemic operators) because we have yet to see a need for ....
Paul F. Syverson, "A Different Look at Secure Distributed Computation", in 10th IEEE Computer Security Foundations Workshop (CSFW10), IEEE CS Press, pp. 109--115, June 1997.
....the intruder between A and B may not be able to directly communicate with the intruder between C and D. They may only be able to communicate via honest principals, e.g. one intruder can signal the other by causing an honest principal between them to send certain messages to the other. cf. [Syv97] for more discussion of this model of computation in a hostile environment. This naturally engenders a view of the environment as a distributed group principal. Similarly, sets of honest principals trying to solve some threshold computation (e.g. decryption or signature) may be thought of in ....
....not describe them here. We typically assume a single environment between any two system principals. This we call a pairwise 3 environment. In some sense, the communication graph for the system is fully connected, but with an environment principal between any two system principals (much as in [Syv97], although our environments need not be hostile). However, in practice many of these environment principals will simply block any transmission they receive. And, we will not bother to specify these in cases where there is obviously no direct communication between the two principals or we do not ....
Paul F. Syverson, "A Different Look at Secure Distributed Computation", in 10th IEEE Computer Security Foundations Workshop (CSFW10), IEEE CS Press, pp. 109--115, June 1997.