%0 Conference Proceedings %A Bertino, Elisa %A Ferrari, Elena %A Parasiliti Provenza, Loredana %T Signature and Access Control Policies for XML Documents %B Computer Security - ESORICS 2003 %D 2003 %J 8th European Symposium on Research in Computer Security (ESORICS 2003) %E Gollmann, Dieter %E Snekkenes, Einar %I Springer-Verlag %C Gjøvik, Norway %6 1 %S Lecture Notes in Computer Science %Y Goos, Gerhard %Y Hartmanis, Juris %Y van Leeuwen, Jan %V 2808 %P 1-22 %F Access Control %X Information push is today an approach widely used for information dissemination in distributed systems. Under information push, a Web data source periodically (or whenever some relevant event arises) broadcasts data to clients, without the need of an explicit request. In order to make information push usable in a large variety of application domains, it is however important that the authenticity and privacy requirements of both the receiver subjects and information owners be satisfied. Although the problem of confidentiality has been widely investigated, no comparable amount of work has been done for authenticity. In this paper, we propose a model to specify signature policies, specifically conceived for XML data. The model allows the specification of credential-based signature policies, supporting both single and joint signatures. Additionally, we provide an architecture for supporting the generation of selectively encrypted and authenticated XML document, ensuring at the same time the satisfaction of both access control and signature policies. The work reported in this paper has been partially supported by the EU under the PANDA IST Thematic Network. 
%0 Conference Proceedings %A Domingos, Dulce %A Rito-Silva, António %A Veiga, Pedro %T Authorization and Access Control in Adaptive Workflows %B Computer Security - ESORICS 2003 %D 2003 %J 8th European Symposium on Research in Computer Security (ESORICS 2003) %E Gollmann, Dieter %E Snekkenes, Einar %I Springer-Verlag %C Gjøvik, Norway %6 1 %S Lecture Notes in Computer Science %Y Goos, Gerhard %Y Hartmanis, Juris %Y van Leeuwen, Jan %V 2808 %P 23-38 %F Access Control %K Access control, adaptive workflow, adaptive authorizations %X In recent years we have witnessed the development of adaptive workflow management systems. These systems offer an extended set of features to support both ad-hoc and evolutionary changes, while ensuring correctness of process definitions and their running instances. Ad-hoc and evolutionary changes impose new access control requirements, which have been neglected by adaptive workflow research and are not met by existing models for traditional workflow management systems (WfMSs). In this paper, we extend the role-based access control model for adaptive workflows. This extension is done by defining authorizations for adaptive WfMSs and adaptive authorizations.
%0 Conference Proceedings %A Ao, Xuhui %A Minsky, Naftaly H. %T Flexible Regulation of Distributed Coalitions %B Computer Security - ESORICS 2003 %D 2003 %J 8th European Symposium on Research in Computer Security (ESORICS 2003) %E Gollmann, Dieter %E Snekkenes, Einar %I Springer-Verlag %C Gjøvik, Norway %6 1 %S Lecture Notes in Computer Science %Y Goos, Gerhard %Y Hartmanis, Juris %Y van Leeuwen, Jan %V 2808 %P 39-60 %F Access Control %K Distributed coalition, Security policy, Decentralized regulatory mechanism, Law-Governed Interaction, Policy hierarchy, Policy interoperability %X This paper considers a coalition C of enterprises {E1,..., En}, which is to be governed by a coalition policy Pc, and where each member-enterprise Ei has its own internal policy Pi that regulates its participation in the coalition. The main question addressed in this paper is how these three policies can be brought to bear on a single transaction, given that the two internal policies Pi and Pj may be formulated independently of each other, and may be considered confidential by the respective enterprises. We provide an answer to this question via a concept of policy hierarchy, introduced into a regulatory mechanism called Law-Governed Interaction (LGI).
%0 Conference Proceedings %A Hofheinz, Dennis %A Müller-Quade, Jörn %A Steinwandt, Rainer %T Initiator-Resilient Universally Composable Key Exchange %B Computer Security - ESORICS 2003 %D 2003 %J 8th European Symposium on Research in Computer Security (ESORICS 2003) %E Gollmann, Dieter %E Snekkenes, Einar %I Springer-Verlag %C Gjøvik, Norway %6 1 %S Lecture Notes in Computer Science %Y Goos, Gerhard %Y Hartmanis, Juris %Y van Leeuwen, Jan %V 2808 %P 61-84 %F Crypto Protocols %K formal cryptography, cryptographic protocols, universal composition, key exchange %X Key exchange protocols in the setting of universal composability are investigated. First we show that the ideal functionality of [9] cannot be realized in the presence of adaptive adversaries, thereby disproving a claim in [9]. We proceed to propose a modification, which is proven to be realizable by two natural protocols for key exchange. Furthermore, sufficient conditions for securely realizing this modified functionality are given. Two notions of key exchange are introduced that allow for security statements even when one party is corrupted. Two natural key exchange protocols are proven to fulfill the "weaker" of these notions, and a construction for deriving protocols that satisfy the "stronger" notion is given.
%0 Conference Proceedings %A Watanabe, Yuji %A Numao, Masayuki %T Multi-round Secure Light-Weight Broadcast Exclusion Protocol with Pre-processing %B Computer Security - ESORICS 2003 %D 2003 %J 8th European Symposium on Research in Computer Security (ESORICS 2003) %E Gollmann, Dieter %E Snekkenes, Einar %I Springer-Verlag %C Gjøvik, Norway %6 1 %S Lecture Notes in Computer Science %Y Goos, Gerhard %Y Hartmanis, Juris %Y van Leeuwen, Jan %V 2808 %P 85-99 %F Crypto Protocols %K broadcast encryption, broadcast exclusion problem, pre-processing %X A broadcast exclusion protocol allows a broadcaster to transmit an encrypted message to a set of n users over a broadcast channel so that all but some specified small group of k excluded users can decrypt the message, even if these excluded users collude with each other in an arbitrary manner. Recently, Matsuzaki et al. pointed out a potential problem in the earlier works regarding the number of modular exponentiations, and proposed an extended scheme in which decryption requires only two modular exponentiations regardless of n and k. However, our analysis shows this scheme has a limitation on the number of rounds. The contribution of this paper is to present a new broadcast exclusion protocol maintaining security within a virtually unlimited number of rounds without spoiling the efficiency. First, we demonstrate a limitation on the rounds of the previous work by showing how a user can derive the system secret parameters after more than a certain number of rounds. Then, we present a new protocol for which we can provide a rigorous security proof under the Computational Diffie-Hellman (CDH) assumption. We note that even though we point out some limitation of the previous work, we still consider it significant. In particular, we derived our new protocol by modifying some of their fundamental techniques.
%0 Conference Proceedings %A Wang, Lingyu %A Li, Yingjiu %A Wijesekera, Duminda %A Jajodia, Sushil %T Precisely Answering Multi-dimensional Range Queries without Privacy Breaches %B Computer Security - ESORICS 2003 %D 2003 %J 8th European Symposium on Research in Computer Security (ESORICS 2003) %E Gollmann, Dieter %E Snekkenes, Einar %I Springer-Verlag %C Gjøvik, Norway %6 1 %S Lecture Notes in Computer Science %Y Goos, Gerhard %Y Hartmanis, Juris %Y van Leeuwen, Jan %V 2808 %P 100-115 %F Privacy Enhancing Technology Theory %X This paper studies the privacy breaches caused by multi-dimensional range (MDR) sum queries in online analytical processing (OLAP) systems. We show that existing inference control methods are generally infeasible for controlling MDR queries. We then consider restricting users to even MDR queries (that is, the MDR queries involving even numbers of data values). We show that the collection of such even MDR queries is safe if and only if a special set of sum-two queries (that is, queries involving exactly two values) is safe. On the basis of this result, we give an efficient method to decide the safety of even MDR queries. Besides safe even MDR queries, we show that any odd MDR query is unsafe. Moreover, any such odd MDR query differs from the union of some even MDR queries by only one tuple. We also extend those results to the safe subsets of unsafe even MDR queries.
%0 Conference Proceedings %A Serjantov, Andrei %A Sewell, Peter %T Passive Attack Analysis for Connection-Based Anonymity Systems %B Computer Security - ESORICS 2003 %D 2003 %J 8th European Symposium on Research in Computer Security (ESORICS 2003) %E Gollmann, Dieter %E Snekkenes, Einar %I Springer-Verlag %C Gjøvik, Norway %6 1 %S Lecture Notes in Computer Science %Y Goos, Gerhard %Y Hartmanis, Juris %Y van Leeuwen, Jan %V 2808 %P 116-131 %F Privacy Enhancing Technology Theory %X In this paper we consider low latency connection-based anonymity systems which can be used for applications like web browsing or SSH. Although several such systems have been designed and built, their anonymity has so far not been adequately evaluated. We analyse the anonymity of connection-based systems against passive adversaries. We give a precise description of two attacks, evaluate their effectiveness, and calculate the amount of traffic necessary to provide a minimum degree of protection against them.
%0 Conference Proceedings %A Gomulkiewicz, Marcin %A Klonowski, Marek %A Kutylowski, Miroslaw %T Rapid Mixing and Security of Chaum's Visual Electronic Voting %B Computer Security - ESORICS 2003 %D 2003 %J 8th European Symposium on Research in Computer Security (ESORICS 2003) %E Gollmann, Dieter %E Snekkenes, Einar %I Springer-Verlag %C Gjøvik, Norway %6 1 %S Lecture Notes in Computer Science %Y Goos, Gerhard %Y Hartmanis, Juris %Y van Leeuwen, Jan %V 2808 %P 132-145 %F Privacy Enhancing Technology Theory %K electronic voting, mix network, randomized partial checking, Markov chain, rapid mixing, path coupling %X Recently, David Chaum proposed an electronic voting scheme that combines visual cryptography and digital processing. It was designed to meet not only mathematical security standards, but also to be accepted by voters that do not trust electronic devices. In this scheme mix-servers are used to guarantee anonymity of the votes in the counting process. The mix-servers are operated by different parties, so evidence of their correct operation is necessary. For this purpose the protocol uses randomized partial checking of Jakobsson et al., where some randomly selected connections between the (encoded) inputs and outputs of a mix-server are revealed. This leaks some information about the ballots, even if intuitively this information cannot be used for any efficient attack. We provide a rigorous stochastic analysis of how much information is revealed by randomized partial checking in Chaum's protocol. We estimate how many mix-servers are necessary for a fair security level. Namely, we consider the probability distribution of the permutations linking the encoded votes with the decoded votes, given the information revealed by randomized partial checking. We show that the variation distance between this distribution and the uniform distribution is already for a constant number of mix-servers (n is the number of voters). This means that a constant number of trustees in Chaum's protocol is enough to obtain provable security. The analysis also shows that certain details of Chaum's protocol can be simplified without lowering the security level.
%0 Conference Proceedings %A Casassa Mont, Marco %A Pearson, Siani %A Bramhall, Pete %T Towards Accountable Management of Privacy and Identity Information %B Computer Security - ESORICS 2003 %D 2003 %J 8th European Symposium on Research in Computer Security (ESORICS 2003) %E Gollmann, Dieter %E Snekkenes, Einar %I Springer-Verlag %C Gjøvik, Norway %6 1 %S Lecture Notes in Computer Science %Y Goos, Gerhard %Y Hartmanis, Juris %Y van Leeuwen, Jan %V 2808 %P 146-161 %F Privacy Enhancing Technology Applications %X Digital identities and profiles are valuable assets: they are more and more relevant to allow people to access services and information on the Internet. They need to be secured and protected. Unfortunately, people have little control over the destiny of this information once it has been disclosed to third parties. People rely on enterprises and organizations for its management. In most cases this is a matter of trust. This paper describes an approach to make organizations more accountable, provide strong but not impregnable privacy enforcement mechanisms, and allow users to be more involved in the management of the privacy of their confidential information. As part of our ongoing research, we introduce a technical solution based on sticky privacy policies and tracing services that leverages Identifier-based Encryption (IBE) along with trusted platform technologies such as TCPA (TCG) and Tagged Operating Systems. Work is in progress to prototype this solution.
%0 Conference Proceedings %A Backes, Michael %A Pfitzmann, Birgit %A Schunter, Matthias %T A Toolkit for Managing Enterprise Privacy Policies %B Computer Security - ESORICS 2003 %D 2003 %J 8th European Symposium on Research in Computer Security (ESORICS 2003) %E Gollmann, Dieter %E Snekkenes, Einar %I Springer-Verlag %C Gjøvik, Norway %6 1 %S Lecture Notes in Computer Science %Y Goos, Gerhard %Y Hartmanis, Juris %Y van Leeuwen, Jan %V 2808 %P 162-180 %F Privacy Enhancing Technology Applications %X Enterprise privacy enforcement allows enterprises to internally enforce a privacy policy that the enterprise has decided to comply with. An enterprise privacy policy often reflects different legal regulations, promises made to customers, as well as more restrictive internal practices of the enterprise. Further, it may allow customer preferences. Hence it may be authored, maintained, and audited in a distributed fashion. Our goal is to provide the tools for such management of enterprise privacy policies. The syntax and semantics are a superset of the Enterprise Privacy Authorization Language (EPAL) recently proposed by IBM. The basic definition is refinement, i.e., the question whether fulfilling one policy automatically fulfills another one. This underlies auditing of a policy against an old or new regulation or promise, and transferring data into a realm with a different policy. It is also the semantic basis for composition operators. We further define such composition operators for different purposes. Our main focus is to combine usability for enterprises, e.g., by treating multiple terminologies, incomplete data, and different types of errors and defaults, with the formal rigor needed to make privacy compliance meaningful and predictable.
%0 Conference Proceedings %A Scherzer, Helmut %A Canetti, Ran %A Karger, Paul A. %A Krawczyk, Hugo %A Rabin, Tal %A Toll, David C. %T Authenticating Mandatory Access Controls and Preserving Privacy for a High-Assurance Smart Card %B Computer Security - ESORICS 2003 %D 2003 %J 8th European Symposium on Research in Computer Security (ESORICS 2003) %E Gollmann, Dieter %E Snekkenes, Einar %I Springer-Verlag %C Gjøvik, Norway %6 1 %S Lecture Notes in Computer Science %Y Goos, Gerhard %Y Hartmanis, Juris %Y van Leeuwen, Jan %V 2808 %P 181-200 %F Privacy Enhancing Technology Applications %X This paper presents an authentication protocol for high-assurance smart card operating systems that support download of mutually suspicious applications. Such a protocol is required to be part of the operating system, rather than following the traditional smart card approach of allowing applications to do authentication, because strong authentication is essential for the operating system to protect one application from another. The protocol itself is based on the existing IKE protocol [13], used for authentication in IPSEC. What is new is the integration of an IKE-like protocol with authentication of mandatory secrecy and integrity access controls, the recognition that a single PKI hierarchy cannot certify identity and all possible mandatory access rights, and the use of IKE to resolve privacy problems found in existing smart card authentication protocols.
%0 Conference Proceedings %A Baldwin, Adrian %A Shiu, Simon %T Hardware Encapsulation of Security Services %B Computer Security - ESORICS 2003 %D 2003 %J 8th European Symposium on Research in Computer Security (ESORICS 2003) %E Gollmann, Dieter %E Snekkenes, Einar %I Springer-Verlag %C Gjøvik, Norway %6 1 %S Lecture Notes in Computer Science %Y Goos, Gerhard %Y Hartmanis, Juris %Y van Leeuwen, Jan %V 2808 %P 201-216 %F Security models and applications %X Hardware security modules can be used to encapsulate simple security services that bind security functions such as decryption with authorisation and authentication. Such hardware-secured services provide a functional root of trust that can be placed within the context of a wider IT solution, hence enabling strong separations of control and duty. This paper describes an approach to using such hardware-encapsulated services to create virtual trust domains within a deployed solution. This trust domain is defined by the hardware protection regime, the service code and the policies under which it is managed. An example is given, showing how a TLS session within a web service environment can be protected and how this service can extend the secure communications into the backend systems.
%0 Conference Proceedings %A von Oheimb, David %A Walter, Georg %A Lotz, Volkmar %T A Formal Security Model of the Infineon SLE 88 Smart Card Memory Management %B Computer Security - ESORICS 2003 %D 2003 %J 8th European Symposium on Research in Computer Security (ESORICS 2003) %E Gollmann, Dieter %E Snekkenes, Einar %I Springer-Verlag %C Gjøvik, Norway %6 1 %S Lecture Notes in Computer Science %Y Goos, Gerhard %Y Hartmanis, Juris %Y van Leeuwen, Jan %V 2808 %P 217-234 %F Security models and applications %K Security, formal analysis, smart cards, memory management, Interacting State Machines, Isabelle/HOL %X The Infineon SLE 88 is a smart card processor that offers strong protection mechanisms. One of them is a memory management system, typically used for sandboxing application programs dynamically loaded on the chip. High-level (EAL5+) evaluation of the chip requires a formal security model. We formally model the memory management system as an Interacting State Machine and prove, using Isabelle/HOL, that the associated security requirements are met. We demonstrate that our approach enables an adequate level of abstraction, which results in an efficient analysis, and points out potential pitfalls like non-injective address translation.
%0 Conference Proceedings %A Heldal, Rogardt %A Hultin, Fredrik %T Bridging Model-Based and Language-Based Security %B Computer Security - ESORICS 2003 %D 2003 %J 8th European Symposium on Research in Computer Security (ESORICS 2003) %E Gollmann, Dieter %E Snekkenes, Einar %I Springer-Verlag %C Gjøvik, Norway %6 1 %S Lecture Notes in Computer Science %Y Goos, Gerhard %Y Hartmanis, Juris %Y van Leeuwen, Jan %V 2808 %P 235-252 %F Security models and applications %X We present a way to support the development of software applications that takes into account confidentiality issues, and how the developed code can be automatically verified. We use the Unified Modelling Language (UML) together with annotations to permit confidentiality to be considered during the whole development process, from requirements to code. We have provided support for software development using UML diagrams so that the code produced can be validated by a language-based checker, in our case Jif (Java information flow). We demonstrate that the combination of model-based and language-based security is compelling.
%0 Conference Proceedings %A Basin, David %A Mödersheim, Sebastian %A Viganò, Luca %T An On-the-Fly Model-Checker for Security Protocol Analysis %B Computer Security - ESORICS 2003 %D 2003 %J 8th European Symposium on Research in Computer Security (ESORICS 2003) %E Gollmann, Dieter %E Snekkenes, Einar %I Springer-Verlag %C Gjøvik, Norway %6 1 %S Lecture Notes in Computer Science %Y Goos, Gerhard %Y Hartmanis, Juris %Y van Leeuwen, Jan %V 2808 %P 253-270 %F Authentication %X We introduce the on-the-fly model-checker OFMC, a tool that combines two methods for analyzing security protocols. The first is the use of lazy data-types as a simple way of building an efficient on-the-fly model checker for protocols with infinite state spaces. The second is the integration of symbolic techniques for modeling a Dolev-Yao intruder, whose actions are generated in a demand-driven way. We present experiments that demonstrate that our tool is state-of-the-art, both in terms of coverage and performance, and that it scales well to industrial-strength protocols.
%0 Conference Proceedings %A Backes, Michael %A Pfitzmann, Birgit %A Waidner, Michael %T Symmetric Authentication within a Simulatable Cryptographic Library %B Computer Security - ESORICS 2003 %D 2003 %J 8th European Symposium on Research in Computer Security (ESORICS 2003) %E Gollmann, Dieter %E Snekkenes, Einar %I Springer-Verlag %C Gjøvik, Norway %6 1 %S Lecture Notes in Computer Science %Y Goos, Gerhard %Y Hartmanis, Juris %Y van Leeuwen, Jan %V 2808 %P 271-290 %F Authentication %X Proofs of security protocols typically employ simple abstractions of cryptographic operations, so that large parts of such proofs are independent of cryptographic details. The typical abstraction is the Dolev-Yao model, which treats cryptographic operations as a specific term algebra. However, there is no cryptographic semantics, i.e., no theorem that says what a proof with the Dolev-Yao abstraction implies for the real protocol, even if provably secure cryptographic primitives are used. Recently we introduced an extension to the Dolev-Yao model for which such a cryptographic semantics exists, i.e., where security is preserved if the abstractions are instantiated with provably secure cryptographic primitives. Only asymmetric operations (digital signatures and public-key encryption) are considered so far. Here we extend this model to include a first symmetric primitive, message authentication, and prove that the extended model still has all desired properties. The proof is a combination of a probabilistic, imperfect bisimulation with cryptographic reductions and static information-flow analysis. Considering symmetric primitives adds a major complication to the original model: we must deal with the exchange of secret keys, which might happen any time before or after the keys have been used for the first time. Without symmetric primitives only public keys need to be exchanged. 
%0 Conference Proceedings %A Zimmermann, Jacob %A Mé, Ludovic %A Bidan, Christophe %T An Improved Reference Flow Control Model for Policy-Based Intrusion Detection %B Computer Security - ESORICS 2003 %D 2003 %J 8th European Symposium on Research in Computer Security (ESORICS 2003) %E Gollmann, Dieter %E Snekkenes, Einar %I Springer-Verlag %C Gjøvik, Norway %6 1 %S Lecture Notes in Computer Science %Y Goos, Gerhard %Y Hartmanis, Juris %Y van Leeuwen, Jan %V 2808 %P 291-308 %F Intrusion Detection %K Policy-based intrusion detection, information flow control, access control %X In this paper, we describe a novel approach to policy-based intrusion detection. The model we propose checks the legality of information flows between objects in the system, according to an existing security policy specification. These flows are generated by executed system operations. Illegal flows, i.e., flows not authorized by the security policy, are signaled and considered as intrusion symptoms. This model is able to detect a large class of attacks, referred to as attacks by delegation in this paper. Since the approach focuses on attack effects instead of attack scenarios, unknown attacks by delegation can be detected.
%0 Conference Proceedings %A Axelsson, Stefan %T Visualisation for Intrusion Detection: Hooking the Worm %B Computer Security - ESORICS 2003 %D 2003 %J 8th European Symposium on Research in Computer Security (ESORICS 2003) %E Gollmann, Dieter %E Snekkenes, Einar %I Springer-Verlag %C Gjøvik, Norway %6 1 %S Lecture Notes in Computer Science %Y Goos, Gerhard %Y Hartmanis, Juris %Y van Leeuwen, Jan %V 2808 %P 309-325 %F Intrusion Detection %X Even though intrusion detection systems have been studied for a number of years, several problems remain, chiefly low detection rates and high false alarm rates. Instead of building automated alarms that trigger when a computer security violation takes place, we propose to visualise the state of the computer system such that the operator himself can determine whether a violation has taken place, in effect replacing the "burglar alarm" with a "security camera". In order to illustrate the use of visualisation for intrusion detection purposes, we applied a trellis plot of parallel coordinate visualisations to the log of a small personal web server. The intent was to find patterns of malicious activity from so-called worms, and to be able to distinguish between them and benign traffic. Several such patterns were found, including one that was unknown at the time to the security community at large.
%0 Conference Proceedings %A Kruegel, Christopher %A Mutz, Darren %A Valeur, Fredrik %A Vigna, Giovanni %T On the Detection of Anomalous System Call Arguments %B Computer Security - ESORICS 2003 %D 2003 %J 8th European Symposium on Research in Computer Security (ESORICS 2003) %E Gollmann, Dieter %E Snekkenes, Einar %I Springer-Verlag %C Gjøvik, Norway %6 1 %S Lecture Notes in Computer Science %Y Goos, Gerhard %Y Hartmanis, Juris %Y van Leeuwen, Jan %V 2808 %P 326-343 %F Intrusion Detection %K Intrusion detection, anomaly models, system calls %X Learning-based anomaly detection systems build models of the expected behavior of applications by analyzing events that are generated during their normal operation. Once these models have been established, subsequent events are analyzed to identify deviations, given the assumption that anomalies usually represent evidence of an attack. Host-based anomaly detection systems often rely on system call traces to build models and perform intrusion detection. Recently, these systems have been criticized, and it has been shown how detection can be evaded by executing an attack using a carefully crafted exploit. This weakness is caused by the fact that existing models do not take into account all available features of system calls. In particular, some attacks will go undetected because the models do not make use of system call arguments. To solve this problem, we have developed an anomaly detection technique that utilizes the information contained in these parameters. Based on our approach, we developed a host-based intrusion detection system that identifies attacks using a composition of various anomaly metrics. This paper presents our detection techniques and the tool based on them. The experimental evaluation shows that it is possible to increase both the effectiveness and the precision of the detection process compared to previous approaches, while the system imposes only minimal overhead.