Tuomas Aura's Publications
2008
1.
Tuomas Aura, Janne Lindqvist, Michael Roe, Anish Mohammed,
Chattering laptops,
In proceedings of Privacy Enhancing Technologies Symposium (PETS 2008), LNCS ????,
Leuven, Belgium, July 2008, Springer.
[PS][PDF]
Abstract:
Mobile computer users often have a false sense of anonymity
when they connect to the Internet at cafes, hotels, airports or other public
places. In this paper, we analyze information leaked by mobile computers
to the local access link when they are outside their home domain. While
most application data can be encrypted, there is no similar protection
for signaling messages in the lower layers of the protocol stack. We found
that all layers of the protocol stack leak various plaintext identifiers of
the user, the computer and their affiliations to the local link, which a
casual attacker can observe. This violates the user's sense of privacy
and may make the user or computer vulnerable to further attacks. It is,
however, not possible to disable the offending protocols because many
of them are critical to the mobile user experience. We argue that the
most promising solutions to the information leaks are to filter outbound
data, in particular name resolution requests, and to disable unnecessary
service discovery depending on the network location. This is because
most information leaks result from failed attempts by roaming computers
to connect to services that are not available in the current access network.
2007

2.
Tuomas Aura, Michael Roe, Steven J. Murdoch,
Securing network location awareness with authenticated DHCP,
In proceedings of IEEE SecureComm 2007,
Nice, France, September 2007.
[PS][PDF]
Abstract:
Network location awareness (NLA) enables mobile
computers to recognize home, work and public networks and wireless
hotspots and to behave differently at different locations. The location
information is used to change security settings such as firewall rules.
Current NLA mechanisms, however, do not provide authenticated
location information on all networks. This paper describes a novel
mechanism, based on public-key authentication of DHCP servers, for
securing NLA at home networks and wireless hotspots. The main
contributions of the paper are the requirements analysis, a naming
and authorization scheme for network locations, and the extremely
simple protocol design. The mobile computer can remember and
recognize previously visited networks securely even when there is no
PKI available. This is critical because we do not expect the majority
of small networks to obtain public-key certificates. The protocol also
allows a network administrator to pool multiple, heterogeneous
access links, such as a campus network, to one logical network
identity. Another major requirement for the protocol was that it must
not leak information about the mobile host's identity or affiliation.
The authenticated location information can be used to minimize
attack surface on the mobile host by making security-policy
exceptions specific to a network location.
3.
Tuomas Aura, Moritz Becker, Michael Roe, Piotr Zielinski,
Reconciling multiple IPsec and firewall policies,
In proceedings of Security Protocols Workshop 2007,
Brno, Czech Republic, April 2007. To appear in Springer LNCS.
[PS][PDF]
Abstract:
Manually configuring large firewall policies can be a hard
and error-prone task. It is even harder in the case of IPsec
policies that can specify IP packets not only to be accepted
or discarded, but also to be cryptographically protected in
various ways. However, in many cases the configuration
task can be simplified by writing a set of smaller, independent
policies that are then reconciled consistently. Similarly,
there is often the need to reconcile policies from
multiple sources into a single one. In this paper, we discuss
the issues that arise in combining multiple IPsec and
firewall policies and present algorithms for policy reconciliation.
2006

4.
Tuomas Aura and Michael Roe.
Designing the Mobile IPv6 Security Protocol.
Annales des télécommunications / Annals of telecommunications, special issue on
Network and information systems security, volume 61 number 3-4,
March-April 2006. Editors Frédéric Cuppens, Hervé Debar, and Elisa
Bertino. Hermes Science Publications.
Also appeared as Microsoft Research Technical Report MSR-TP-2006-42.
[PS][PDF]
Abstract:
Mobile IPv6 is a network-layer mobility protocol for the IPv6 Internet. The protocol includes several security mechanisms, such as the return-routability tests for the mobile's home address and care-of addresses. This paper explains the threat model and design principles that motivated the Mobile IPv6 security features. While many of the ideas have become parts of the standard toolkit for designing Internet mobility protocols, some details of the reasoning have not been previously documented.
5.
Tuomas Aura, Thomas A. Kuhn and Michael Roe.
Scanning electronic documents for personally identifiable information.
In proceedings of Workshop on Privacy in the Electronic Society (WPES 2006),
Alexandria, VA, USA, October 2006.
[PS][PDF]
2005

6.
Tuomas Aura and Michael Roe.
Reducing Reauthentication Delay in Wireless Networks.
In proceedings of IEEE SecureComm 2005,
Athens, Greece, September 2005.
[PS][PDF]
Abstract:
When a wireless mobile user is moving across a mobile network
or between co-operating networks, the network operators often want to verify
the user's access rights before granting service. The security protocol causes
a delay in the network access, which may be much longer than the typical delays
caused by mobility management. An alternative would be to provide so
called optimistic service before the user has been authenticated or paid for
the access. Thus, there is a trade-off between the security of the access
control and the quality of service observed by the user. Our aim is to reduce
the authentication delay and to enable optimistic access without opening a
window for fraudulent access. We present a protocol for the reauthentication of
a mobile node when it repeatedly connects to different access points or
co-operating wireless networks. The protocol is based on credentials which the
mobile receives from access points as a proof of past honest behavior and which
it presents when associating with a new access point. It can be implemented
with keyed one-way functions that result in low computation and communication overhead
both for the mobile and for the network.
7.
Tuomas Aura, Aarthi Nagarajan, and Andrei Gurtov.
Analysis of the HIP Base Exchange Protocol.
In proceedings of 10th Australasian Conference on
Information Security and Privacy (ACISP 2005), Brisbane, Australia,
July 2005.
[PS][PDF]
Abstract:
The Host Identity Protocol (HIP) is an Internet
security and multi-addressing mechanism specified by the IETF. HIP introduces a
new layer between the transport and network layers of the TCP/IP stack that
maps host identifiers to network locations, thus separating the two conflicting
roles that IP addresses have in the current Internet. This paper analyzes the
security and functionality of the HIP base exchange, which is a classic key
exchange protocol with some novel features for authentication and DoS
protection. The base exchange is the most stable part of the HIP specification
with multiple existing implementations. We point out several security issues in
the current protocol and propose changes that are compatible with the goals of
HIP.
8.
Tuomas Aura, Michael Roe and Anish Mohammed.
Experiences with Host-to-Host IPsec.
Security Protocols, 13th International Workshop, Cambridge, UK, April 2005.
To appear.
[PS][PDF]
Abstract:
This paper recounts some lessons that we learned
from the deployment of host-to-host IPsec in a large corporate
network. Several security issues arise from mismatches between
the different identifier spaces used by applications, by the IPsec
security policy database, and by the security infrastructure (X.509
certificates or Kerberos). Mobile hosts encounter additional problems
because private IP addresses are not globally unique, and because
they rely on an untrusted DNS server at the visited network. We
also discuss a feature interaction in an enhanced IPsec firewall
mechanism. The potential solutions are to relax the transparency of
IPsec protection, to put applications directly in charge of their
security and, in the long term, to redesign the security protocols
not to use IP addresses as host identifiers.
@InProceedings{Aura05,
author = {Tuomas Aura and Michael Roe and Anish Mohammed},
title = {Experiences with Host-to-Host {IPsec}},
booktitle = {Security Protocols, 13th International Workshop},
year = 2005,
month = apr,
address = {Cambridge, UK},
note = {To appear},
}
9.
Tuomas Aura.
Cryptographically Generated Addresses (CGA).
RFC 3972, IETF, March 2005.
[TXT]
Abstract:
This document describes a method for binding a public signature key
to an IPv6 address in the Secure Neighbor Discovery (SEND) protocol.
Cryptographically Generated Addresses (CGA) are IPv6 addresses for
which the interface identifier is generated by computing a
cryptographic one-way hash function from a public key and auxiliary
parameters. The binding between the public key and the address can
be verified by re-computing the hash value and by comparing the hash
with the interface identifier. Messages sent from an IPv6 address
can be protected by attaching the public key and auxiliary parameters
and by signing the message with the corresponding private key. The
protection works without a certification authority or any security
infrastructure.
@TechReport{rfc3972,
author = {Tuomas Aura},
title = {Cryptographically Generated Addresses ({CGA})},
institution = {IETF},
year = 2005,
month = mar,
type = {RFC},
number = 3972
}
2004

10.
Tuomas Aura and Alf Zugenmaier.
Privacy, Control and Internet Mobility.
Position paper in Security Protocols, 12th International Workshop,
Cambridge, UK, April 2004.
To appear.
[PS][PDF]
11.
Tuomas Aura, Pekka Nikander and Gonzalo Camarillo.
Effects of Mobility and Multihoming on Transport-Protocol Security.
In Proc. 2004 IEEE Symposium on Security and Privacy (SSP'04),
Berkeley, CA USA, May 2004. IEEE Computer Society.
[PS][PDF]
Abstract:
The Stream Control Transmission Protocol (SCTP) is a reliable message-based transport protocol developed by the IETF that could replace TCP in some applications. SCTP allows endpoints to have multiple IP addresses for the purposes of fault tolerance. There is on-going work to extend the SCTP multihoming functions to support dynamic addressing and endpoint mobility. This paper explains how the multihoming and mobility features can be exploited for denial-of-service attacks, connection hijacking, and packet flooding. We propose implementation guidelines for SCTP and changes to the mobility extensions that prevent most of the attacks. The same lessons apply to multihomed TCP variants and other transport-layer protocols that incorporate some flavor of dynamic addressing.
@InProceedings{Aura03d,
author = {Tuomas Aura and Pekka Nikander and Gonzalo Camarillo},
title = {Effects of Mobility and Multihoming on
Transport-Protocol Security},
booktitle = {Proc.\ 2004 IEEE Symposium on Security and Privacy (SSP'04)},
year = 2004,
month = may,
address = {Berkeley, CA USA},
publisher = {IEEE Computer Society},
pages = "12--26",
}
2003

12.
Tuomas Aura.
Cryptographically Generated Addresses (CGA).
In Proc. 6th Information Security Conference (ISC'03), volume 2851 of LNCS,
pages 29-43, Bristol, UK, October 2003. Springer.
[PS][PDF]
(Presentation [PPT][PDF])
Abstract:
Cryptographically generated addresses (CGA) are IPv6 addresses in which some address bits are generated by hashing the address owner's public key. The address owner uses the corresponding private key to assert address ownership and to sign messages sent from the address without a PKI or other security infrastructure. This paper describes a generic CGA format that can be used in multiple applications. Our focus is on removing weaknesses of earlier proposals and on the ease of implementation. A major contribution of this paper is a hash extension technique that increases the effective hash length beyond the 64-bit limit of earlier proposals.
@InProceedings{Aura03a,
author = {Tuomas Aura},
title = {Cryptographically Generated Addresses {(CGA)}},
booktitle = {Proc.\ 6th Information Security Conference (ISC'03)},
year = 2003,
month = oct,
address = {Bristol, UK},
publisher = {Springer},
volume = 2851,
series = "LNCS",
pages = "29--43",
}
13.
Tuomas Aura.
Mobile IPv6 Security.
In Proc. Security Protocols, 10th International Workshop,
volume 2845 of LNCS, pages 215-228, Cambridge, UK, April 2002. Springer 2003.
[PS][PDF]
Abstract:
This paper presents a case study of security protocol design: authentication
of binding updates in Mobile IPv6. We go step by step through the threat
analysis and show how each threat is addressed in the protocol design. The goal
is to solve any new security issues caused by the introduction of mobility without
requiring any new security infrastructure.
@InProceedings{Aur02a,
author = {Tuomas Aura},
title = {Mobile {IPv6} Security},
booktitle = {Proc.\ Security Protocols, 10th International Workshop},
year = 2002,
month = apr,
address = {Cambridge, UK},
publisher = {Springer},
volume = 2845,
series = "LNCS",
pages = "215--228",
}
14.
Pekka Nikander, Tuomas Aura, Jari Arkko and Gabriel Montenegro.
Mobile IP version 6 (MIPv6) Route Optimization Security Design.
In Proc. IEEE Vehicular Technology Conference Fall 2003,
Orlando, FL USA, October 2003. IEEE Press.
[PS][PDF]
Abstract:
Mobile IPv6 (MIPv6) allows a Mobile Node to talk
directly to its peers while retaining the ability to move around and
change the currently used IP address. This mode of operation is
called Route Optimization (RO), as it allows the packets to
traverse a shorter route than the default one through the Home
Agent. In Route Optimization, the peer node learns a binding
between the Mobile Node's permanent Home Address and its
current temporary Care-of-Address. Once such a binding is in
place, the peer node will send all packets whose destination is the
Home Address to the Care-of-Address. This is potentially
dangerous, since a malicious host might be able to establish false
bindings, thereby preventing some packets from reaching their
intended destination, diverting some traffic to the attacker, or
flooding third parties with unwanted traffic.
In this paper we discuss the design rationale behind the
MIPv6 Route Optimization Security Design.
@InProceedings{NAAMN03a,
author = {Pekka Nikander and Tuomas Aura and Jari Arkko
and Gabriel Montenegro},
title = {Mobile IP version 6 (MIPv6) Route Optimization Security Design},
booktitle = {Proc.\ IEEE Vehicular Technology Conference Fall 2003},
address = {Orlando, FL USA},
year = 2003,
publisher = {IEEE Press},
month = oct
}
2002

15.
Tuomas Aura, Michael Roe, and Jari Arkko.
Security of internet location management.
In Proc. 18th Annual Computer Security Applications Conference (ACSAC),
pages 78-87, Las Vegas, NV USA, December 2002. IEEE Press.
[PS][PDF]
(Presentation
[PPT][PDF])
Abstract:
In the Mobile IPv6 protocol, the mobile node sends binding
updates to its correspondents to inform them about its current location. It is
well-known that the origin of this location information must be authenticated.
This paper discusses several threats created by location management that go
beyond unauthentic location data. In particular, the attacker can redirect data
to bomb third parties and induce unnecessary authentication. We introduce and
analyze protection mechanisms with focus on ones that work for all Internet
nodes and do not need a PKI or other new security infrastructure. Our threat
analysis and assessment of the defense mechanisms formed the basis for the
design of a secure location management protocol for Mobile IPv6. Many of the
same threats should be considered when designing any location management
mechanism for open networks.
@InProceedings{AuRoAr02,
author = {Tuomas Aura and Michael Roe and Jari Arkko},
title = {Security of Internet Location Management},
booktitle = {Proc.\ 18th Annual Computer Security Applications
Conference},
pages = {78--87},
year = 2002,
address = {Las Vegas, NV USA},
month = dec,
publisher = {IEEE Press},
}
16.
Jari Arkko, Tuomas Aura, James Kempf, Vesa-Matti Mäntylä,
Pekka Nikander, and Michael Roe.
Securing IPv6 neighbor discovery and router discovery.
In Proc. 2002 ACM Workshop on Wireless Security (WiSe),
pages 77-86, Atlanta, GA USA, September 2002. ACM Press.
[PS][PDF]
Abstract:
When IPv6 Neighbor and Router Discovery functions were
defined, it was assumed that the local link would consist of
mutually trusting nodes. However, the recent developments in
public wireless networks, such as WLANs, have radically changed
the situation. The nodes on a local link cannot necessarily trust
each other any more, but they must become mutually suspicious
even when the nodes have completed an authentication exchange
with the network. This creates a number of operational difficulties
and new security threats. In this paper we provide a taxonomy for
the IPv6 Neighbor and Router Discovery threats, describe two new
cryptographic methods, Cryptographically Generated Addresses
(CGA) and Address Based Keys (ABK), and discuss how these
new methods can be used to secure the Neighbor and Router
discovery mechanisms.
@InProceedings{AAKMNR02,
author = {Jari Arkko and Tuomas Aura and James Kempf and
Vesa-Matti M{\"a}ntyl{\"a} and Pekka Nikander
and Michael Roe},
title = {Securing {IP}v6 neighbor discovery and router discovery},
booktitle = {Proc.\ 2002 ACM Workshop on Wireless Security (WiSe)},
pages = {77--86},
year = 2002,
address = {Atlanta, GA USA},
month = sep,
publisher = {ACM Press}
}
2001

17.
Tuomas Aura and Dieter Gollmann.
Communications security on the internet.
Software Focus, 2(3):104-111,
Autumn 2001.
Abstract:
The Internet is an open network where all traffic is
subject to interception by malicious outsiders. This article overviews
the current major threats and security solutions for communication
over the Internet. We note that the lack of satisfactory
authentication infrastructures and guaranteed quality of service remain the
main impediments for secure communication. Continuous evolution of the
protection mechanisms, developer skills, and user culture are necessary
to stay on track with the progress in communication technology.
@Article{AurGol01,
author = {Tuomas Aura and Dieter Gollmann},
title = {Communications Security on the Internet},
journal = {Software Focus},
year = 2001,
volume = 2,
number = 3,
pages = {104--111},
month = {Autumn}
}
18.
Tuomas Aura and Silja Mäki.
Towards a survivable security architecture for ad-hoc networks.
In Proc. Security Protocols, 9th International Workshop,
volume 2467 of LNCS, pages 63-79, Cambridge, UK, April 2001.
Springer.
[PS][PDF]
Abstract:
We present a security architecture for access control in ad-hoc
networks of mobile electronic devices. Ad-hoc networks are formed on
demand without support from pre-existing infrastructure such as
central servers, security associations or CAs. Our architecture is
fully distributed and based on groups and public-key certification.
The goal is a survivable system that functions well even
when network nodes fail and
connections are only occasional. We identify some open problems
in the optimal use of unreliable communications for security
management.
@InProceedings{AurMak01,
author = {Tuomas Aura and Silja M{\"a}ki},
title = {Towards a survivable security architecture for
ad-hoc networks},
booktitle = {Proc.\ Security Protocols, 9th International Workshop},
year = 2001,
month = apr,
address = {Cambridge, UK},
publisher = {Springer},
volume = 2467,
series = "LNCS",
pages = "63--79",
}
2000

19.
Tuomas Aura.
Authorization and Availability - Aspects of Open Network Security.
Doctoral Thesis, appeared as
HUT TCS Research Report A64, November 2000.
[PS][PDF]
(introduction only).
Abstract:
The world is becoming increasingly dependent on secure, reliable
access to services on the Internet and in other open communications
networks. Since the administration and authority on these networks
are completely distributed, it is not possible to set or enforce
global security policies. While security and confidentiality of data
are still significant concerns, access control and resistance to
denial-of-service (DOS) attacks have become at least as significant
security goals. Traditional methods for access-right management and
resource allocation, which were defined for centrally administered
systems, are not applicable on the open networks. Consequently, new
techniques for access control and DOS prevention are needed.
This dissertation addresses several aspects of the security of open,
distributed systems: decentralized access control, design of
key-establishment protocols, and denial-of-service resistance. We
suggest technical solutions both for extending the scope of
applications that can securely be run on the networks and for
improving the reliability of the underlying infrastructure for all
applications.
We define a formal model of key-oriented access control and use this
model to develop algorithms for access-control decisions from a
certificate database. We survey privacy protection in public-key
infrastructures, introduce a new kind of threshold certificate, and
present novel certificate-based solutions for access control between
mutually distrusting software packages on intelligent-network
routers and for software license management with smartcards. We also
describe novel design principles for cryptographic protocols to
improve their robustness against common replay attacks at a low cost
and to protect on-line services against denial-of-service attacks
that attempt to exhaust server memory and computational resources.
Additionally, we develop a method for analyzing the vulnerability of
network topologies to denial of service by the destruction of
communications links.
Throughout, the emphasis is on security issues critical for the
commercial and private use of the Internet and other open
communications systems where mutually distrusting entities must share
resources and co-operate.
@PhdThesis{Aura00,
author = {Tuomas Aura},
title = {Authorization and Availability ---
Aspects of Open Network Security},
school = {Helsinki University of Technology},
year = 2000,
month = nov,
note = {Appeared as HUT TCS Research Report A64}
}
20.
Tuomas Aura, Johan Lilius.
A causal semantics for time Petri nets.
In Theoretical Computer Science, volume 243, issue 1-2, July 2000, pp. 409-447, Elsevier 2000.
@Article{AurLil00,
author = {Tuomas Aura and Johan Lilius},
title = {A causal semantics for time Petri nets},
journal = {Theoretical Computer Science},
year = 2000,
volume = 243,
number = {1--2},
pages = {409--447},
month = jul,
url = {http://www.elsevier.nl/PII/S0304397599001140}
}
21.
Silja Mäki, Tuomas Aura, Maarit Hietalahti.
Group management protocol with digital personal appliances.
Laboratory for Theoretical Computer Science,
Helsinki University of Technology, Project report,
December 2000, Espoo, Finland.
@TechReport{MakAurHie00b,
author = {Silja M{\"a}ki and Tuomas Aura and Maarit Hietalahti},
title = {Group management protocol with digital personal appliances},
institution = {Laboratory for Theoretical Computer Science,
Helsinki University of Technology},
year = 2000,
type = {Project report},
address = {Espoo, Finland},
month = dec
}
22.
Silja Mäki, Maarit Hietalahti, Tuomas Aura.
A Survey of Ad-hoc Network Security.
Laboratory for Theoretical Computer Science,
Helsinki University of Technology,
Interim project report, May-December 2000, Espoo, Finland.
@TechReport{MakHieAUr00,
author = {Silja M{\"a}ki and Maarit Hietalahti and Tuomas Aura},
title = {A Survey of Ad-hoc Network Security},
institution = {Laboratory for Theoretical Computer Science,
Helsinki University of Technology},
year = 2000,
type = {Interim project report},
address = {Espoo, Finland},
month = {May, September, December}
}
23.
Silja Mäki, Tuomas Aura, Maarit Hietalahti.
Robust Membership Management for Ad-hoc Groups.
In Proc. 5th Nordic Workshop on Secure IT Systems (NORDSEC 2000).
[PS][PDF].
Abstract:
In ad-hoc networks, the network nodes or users often form peer groups. The
members of a group may share an application, a physical location, or
administrative tasks. Defining who is a member of the group is also the first
step towards establishing a shared secret key for secure communications. Group
membership management involves adding and removing nodes in the group, as well
as a method for authenticating the group members. In this paper, we present a
fully distributed, certificate-based system for group membership management. It
is designed to suit highly dynamic ad-hoc networks where communications is
sporadic and nodes often fail unexpectedly.
@InProceedings{MakAurHie00,
author = {Silja M{\"a}ki and Tuomas Aura and Maarit Hietalahti},
title = {Robust Membership Management for Ad-hoc Groups},
booktitle = "Proc. 5th Nordic Workshop on Secure IT Systems
(NORDSEC 2000)",
address = {Reykjavik, Iceland},
year = 2000,
month = oct
}
24.
Tuomas Aura, Pekka Nikander, Jussipekka Leiwo.
DOS-resistant authentication with client puzzles.
In Proc. Security Protocols Workshop 2000,
Lecture Notes in Computer Science, volume 2133, pages 170-181,
Cambridge, UK, April 2000, Springer 2001.
[PS][PDF].
Abstract:
Denial of service by server resource exhaustion has become a major security
threat in open communications networks. Public-key authentication does not
completely protect against the attacks because the authentication protocols
often leave ways for an unauthenticated client to consume a server's memory
space and computational resources by initiating a large number of protocol runs
and inducing the server to perform expensive cryptographic computations. We show
how stateless authentication protocols and the client puzzles of Juels and
Brainard can be used to prevent such attacks.
@InProceedings{AurNikLei00,
author = {Tuomas Aura and Pekka Nikander and Jussipekka Leiwo},
title = {{DOS}-resistant authentication with client puzzles},
booktitle = {Proc.\ Security Protocols Workshop 2000},
year = 2000,
month = apr,
address = {Cambridge, UK},
publisher = {Springer},
volume = 2133,
series = "LNCS",
pages = "170--181"
}
25.
Tuomas Aura, Carl Ellison.
Privacy and Accountability in Certificate Systems.
Research Report A61, Laboratory for Theoretical Computer Science,
Helsinki University of Technology, Espoo, Finland, April 2000.
[PS][PDF].
Abstract:
Discretionary access right management on the Internet and in other
distributed communications systems is increasingly based on public-key
identity and authorization certificates. The certificates pose a
threat to privacy because they identify the owners and reveal the
authorization relations between them. This paper overviews the privacy
concerns and describes techniques for minimizing the amount of
confidential information leaked about individuals and organizations.
We also show how identity escrow certificates can ensure individual
accountability without identity authentication. All the techniques can
be implemented with SPKI certificates.
@TechReport{AurEll00,
author = {Tuomas Aura and Carl Ellison},
title = {Privacy and accountability in certificate systems},
institution = {Helsinki University of Technology,
Laboratory for Theoretical Computer Science},
year = 2000,
number = {A61},
type = {Research Report},
address = {Espoo, Finland},
month = apr
}
26.
Jussipekka Leiwo, Pekka Nikander, Tuomas Aura.
Towards network denial of service resistant protocols.
In Proc. Sixteenth Annual Working Conference on Information Security (SEC2000),
IFIP Series, Vol. 175, Beijing, China, August 2000, Kluwer Academic Publishers.
[PS][PDF].
(See the Protocols workshop paper above for actual solutions.)
Abstract:
Networked and distributed systems have introduced a new significant threat to
the availability of data and services: network denial of service attacks. A well
known example is the TCP SYN flooding. In general, any stateful handshake
protocol is vulnerable to similar attacks. This paper examines the network
denial of service in detail and surveys and compares different approaches towards
preventing the attacks. As a conclusion, a number of protocol design principles
are identified as essential in designing network denial of service resistant
protocols, and examples are provided on applying the principles.
@InProceedings{LeiNikAur00,
author = {Jussipekka Leiwo and Pekka Nikander and Tuomas Aura},
title = {Towards network denial of service resistant protocols},
booktitle = {Proc. IFIP SEC 2000},
???pages = {},
year = 2000,
???editor = {},
month = aug,
???publisher = {}
}
27.
John R. Hughes, Tuomas Aura, Matt Bishop.
Using conservation of flow as a security mechanism in network protocols.
In Proc. 2000 IEEE Symposium on Security and Privacy,
Oakland, CA USA, May 2000, pp.132-141, IEEE Computer Society Press 2000.
[PS][PDF]
Abstract:
The law of Conservation of Flow, which states
that an input must either be absorbed or sent on
as an output (possibly with modification), is an
attractive tool with which to analyze network
protocols for security properties. One of its uses
is to detect disruptive network elements that
launch Denial of Service attacks by absorbing or
discarding packets. Its use requires several
assumptions about the protocols being analyzed.
In this paper, we examine the WATCHERS
algorithm to detect misbehaving routers. We
show that it uses Conservation of Flow without
sufficient verification of its assumptions, and can
consequently be defeated. We suggest
improvements to make the use of Conservation of
Flow valid.
28.
Tuomas Aura, Matt Bishop, Dean Sniegowski.
Analyzing single-server network inhibition.
In Proc. 2000 IEEE Computer Security Foundations Workshop,
Cambridge, UK, July 2000, pp. 108-117, IEEE Computer Society Press 2000.
[PS][PDF][slides PS].
Abstract:
Network inhibition is a denial-of-service attack where the adversary attempts
to disconnect network elements by disabling a limited number of communication
links or nodes. We analyze a common variation of network inhibition where the
links have infinite capacity and the goal of the attacker is to deny connections
from a single server to as many clients as possible. The problem is defined
formally and shown to be NP complete. Nevertheless, we develop a practical
technique for network-inhibition analysis based on logic programming with
stable-model semantics. The analysis scales well up to moderate-size networks.
The results are a step towards quantitative analysis of denial of service and
they can be applied to the design of robust network topologies.
@inproceedings{AurBisSni00,
author = {Tuomas Aura and Matt Bishop and Dean Sniegowski},
title = {Analyzing single-server network inhibition},
month = jun,
year = 2000,
booktitle = {Proc.\ 13th IEEE Computer Security Foundations Workshop},
pages = "108--117",
address = {Cambridge, UK},
publisher = {IEEE Computer Society Press},
}
1999

29.
Tuomas Aura, Dieter Gollmann.
Software license management with smart cards.
In Proc. USENIX Workshop on Smartcard Technology,
Chicago, May 1999, pp. 75-85, USENIX Association 1999.
[PS][PDF]
Abstract:
This paper describes public-key protocols for binding software licenses to
tamper-resistant smart cards, for transferring licenses between cards, and for
purchasing them on-line. The protocols support software distribution both
through retail stores and over the Internet. The user can transfer licenses from
several cards onto a single card to avoid juggling between several cards in the
reader. The protocols are based on signed delegation certificates that are
mostly stored outside the smart card. A smart card reader and cards capable of
public-key signatures are the only new hardware needed. The protocols are easy
for the user and simple to implement and analyze. We prove the security of the
transfer protocol.
@InProceedings{AurGol99,
author = "Tuomas Aura and Dieter Gollmann",
title = "Software license management with smart cards",
booktitle = "Proc. USENIX Workshop on Smartcard Technology",
month = may,
year = 1999,
publisher = {USENIX Association},
address = {Chicago, IL USA},
pages = "75--85"
}
30.
Tuomas Aura,
Distributed access-rights management with delegation certificates,
Secure Internet Programming: Security Issues for Distributed and Mobile Objects, J. Vitek and C. Jensen (Eds.), LNCS 1603, pp. 211-235, Springer 1999.
[PS][PDF].
(Copyright 1999 Springer)
Abstract:
New key-oriented discretionary access control systems are based on delegation
of access rights with public-key certificates. This paper explains the basic
idea of delegation certificates in abstract terms and discusses their advantages
and limitations. We emphasize decentralization of authority and operations. The
discussion is based mostly on the SPKI certificates but we avoid touching
implementation details. We also describe how threshold and conditional
certificates can add flexibility to the system. Examples are given of access
control between intelligent networks services.
@InCollection{Aura99a,
author = "Tuomas Aura",
title = "Distributed access-rights management with delegation
certificates",
booktitle = "Secure Internet Programming -- Security Issues for
Distributed and Mobile Objects",
publisher = "Springer",
year = 1999,
HIDEeditor = "J. Vitek and C. Jensen",
volume = 1603,
series = "LNCS",
pages = "211--235"
}
1998

31.
Tuomas Aura, Petteri Koponen, Juhana Räsänen,
Delegation-based access control for intelligent network services,
in proceedings of ECOOP Workshop on Distributed Object Security, Brussels, Belgium, July 1998.
[PS][PDF].
Abstract:
Delegation with public-key certificates appears to be a natural technique for
access control between intelligent network (IN) service providers. It strongly
supports the IN business model and fits well with an object-oriented design. In
the Calypso project, we are implementing access control to Java-based IN
services with SPKI delegation certificates.
@InProceedings{AurKopRas98,
author = {Tuomas Aura and Petteri Koponen and Juhana R{\"a}s{\"a}nen},
title = {Delegation-based access control for intelligent
network services},
booktitle = {Proc. ECOOP Workshop on Distributed Object Security},
year = 1998,
address = {Brussels, Belgium},
month = jul
}
32.
Tuomas Aura,
Fast access control decisions from delegation certificate databases,
in proceedings of 3rd Australasian Conference on Information Security and Privacy ACISP '98, Brisbane, Australia, July 1998, pp. 284-295, Lecture Notes in Computer Science 1438, Springer 1998.
[PS][PDF].
Abstract:
In new key-oriented access control systems, access rights are
delegated from key to key with chains of signed certificates. This
paper describes an efficient graph-search technique for making
authorization decisions from certificate databases. The design of
the algorithm is based on conceptual analysis of typical delegation
network structure and it works well with threshold certificates.
Experiments with generated certificate data confirm that it is
feasible to find paths of delegation in large certificate sets. The
algorithm is an essential step towards efficient implementation of
key-oriented access control.
@InProceedings{Aura98b,
author = {Tuomas Aura},
title = {Fast access control decisions from
delegation certificate databases},
booktitle = {Proc. 3rd Australasian Conference on Information
Security and Privacy (ACISP '98)},
volume = {1438},
series = {LNCS},
year = 1998,
publisher = {Springer},
HIDEeditors = {Colin Boyd and Ed Dawson},
month = jul,
address = {Brisbane, Australia},
pages = {284--295}
}
33.
Tuomas Aura,
On the structure of delegation networks,
in proceedings of 11th IEEE Computer Security Foundations Workshop, Rockport, Massachusetts, June 1998, pp. 14-26, IEEE Computer Society Press 1998.
[PS][PDF].
Abstract:
In new distributed, key-oriented access control systems such as SPKI, access
rights are delegated by a freely formed network of certificates. We formalize the
concept of a delegation network and present a formal semantics for the
delegation of access rights with certificates. The certificates can have
multiple subjects who must jointly use the authority. Some fundamental
properties of the system are proven, alternative techniques for authorization
decisions are compared and their equivalence is shown rigorously. In particular,
we prove that certificate reduction is a sound and complete decision technique.
We also suggest a new type of threshold certificates and prove its properties.
@InProceedings{Aura98a,
author = {Tuomas Aura},
title = {On the structure of delegation networks},
booktitle = {Proc.\ 11th IEEE Computer Security Foundations Workshop},
year = 1998,
pages = "14--26",
address = {Rockport, MA USA},
publisher = {IEEE Computer Society Press},
month = jun,
url = "ftp://saturn.hut.fi/pub/aaura/aura-csfws98.ps"
}
1997

34.
Tuomas Aura,
On the structure of delegation networks,
Licentiate's thesis, December 1997, appeared as HUT Digital Systems Laboratory Report A48, December 1997.
[PS][PDF].
(See also the CSFW'98 paper above.)
Abstract:
In new distributed, key-oriented access control systems access rights
are delegated by a freely formed network of certificates. For example,
the SPKI public-key infrastructure is being designed for this kind
of distributed trust management on the Internet.
We formalize the concept of a delegation network and present a
formal semantics for the delegation of access rights with
certificates. The certificates can have multiple subjects who must
jointly use the authority. Some fundamental properties of the system
are proven, alternative techniques for authorization decisions are
compared and their equivalence is shown rigorously. In particular,
we prove that certificate reduction is a sound and complete decision
technique. We also suggest a new type of threshold certificates and
prove its properties. The formal model is used to develop efficient
algorithms for access control decisions from a database of
certificates.
@TechReport{Aura97c,
author = {Tuomas Aura},
title = {On the structure of delegation networks,
{L}icentiate's thesis},
institution = {Helsinki University of Technology,
Digital Systems Laboratory},
number = "A48",
address = {Espoo, Finland},
month = dec,
year = 1997,
url = "file://saturn.hut.fi/pub/reports/A48.ps.Z"
}
35.
Antti Huima and Tuomas Aura,
Using multimodal logic to express conflicting interests in security protocols,
In Proc. DIMACS Workshop on Design and Formal Verification of Security Protocols, NJ USA, September 1997.
@InProceedings{HuiAur97,
author = {Antti Huima and Tuomas Aura},
title = {Using multimodal logic to express
conflicting interests in security protocols},
booktitle = {Proc. DIMACS Workshop on Design and Formal
Verification of Security Protocols},
year = 1997,
address = {New Jersey, USA},
month = sep
}
36.
Tuomas Aura, Pekka Nikander,
Stateless connections,
in proceedings of International Conference on Information and Communications Security ICICS'97, Beijing, November 1997, pp. 87-97, Lecture Notes in Computer Science 1334, Springer 1997.
[PS][PDF].
Abstract:
We describe a secure transformation of stateful connections or parts of them
into stateless ones by attaching the state information to the messages.
Secret-key cryptography is used for protection of integrity and confidentiality
of the state data and the connections. The stateless protocols created in this
way are more robust against denial of service resulting from high loads and
resource exhausting attacks than their stateful counterparts. In particular,
stateless authentication resists attacks that leave connections in a half-open
state.
@InProceedings{AurNik97b,
author = {Tuomas Aura and Pekka Nikander},
title = {Stateless connections},
booktitle = "Proc. International Conference on Information
and Communications Security (ICICS'97)",
volume = 1334,
HIDEeditors = {Yongfai Han and Tatsuaki Okamoto and Sihan Qing},
pages = "87--97",
year = 1997,
address = "Beijing, China",
series = {LNCS},
publisher = {Springer},
month = nov
}
37.
Tuomas Aura,
Comparison of graph-search algorithms for authorization verification in delegation networks,
in the proceedings of 2nd Nordic Workshop on Secure Computer Systems NORDSEC'97, Espoo, Finland, November 1997.
[PS][PDF].
(See the ACISP'98 paper above.)
Abstract:
We describe and compare several algorithms for authorization decisions from a
database of certificates. The algorithms are based on well-known graph-search
techniques that we enhance to handle joint-delegation certificates. Experiments
on generated certificate data were done to compare the efficiency of the
algorithms.
@InProceedings{Aura97b,
author = {Tuomas Aura},
title = {Comparison of graph-search algorithms for authorization
verification in delegation networks},
booktitle = "Proc. 2nd Nordic Workshop on Secure Computer Systems
NORDSEC'97",
address = {Espoo, Finland},
year = 1997,
month = nov
}
38.
Tuomas Aura, Johan Lilius,
Time processes of time Petri nets,
in proceedings of 18th Int. Conf. on Application and Theory of Petri Nets (ATPN), Toulouse, June 1997, pp. 136-155, Lecture Notes in Computer Science 1248, Springer 1997.
[PS][PDF].
Abstract:
Time Petri nets are Petri nets extended with a notion of time, where the
occurrence time of a transition is constrained by a static interval. The
objective of this work is to give time Petri nets a partial order semantics
based on the nonsequential processes semantics for untimed net systems. A time
process of a time Petri net is defined as a traditionally constructed causal
process that has a valid timing. This means that the events of the process are
labeled with occurrence times which must satisfy specific validness criteria.
These criteria are obtained by analyzing how the timing constraints interact
with the causal ordering of the events in the net. An efficient algorithm for
checking the validness of a given timing is sketched. Interleavings of the time
processes are defined as linearizations of the causal partial order of events
where also the temporal ordering of events is preserved. The relationship
between the firing schedules of a time Petri net and the interleavings of the
time processes of the net is shown to be bijective. Also, a sufficient condition
is given for when the invalidity of timings for a process can be inferred from
an initial subprocess. An alternative characterization for the validness of
timings then results in an algorithm for constructing the set of all valid
timings for a process. This set of all valid timings is presented as sets of
alternative linear constraints from which the existence of a valid timing can be
decided.
@InProceedings{AurLil97,
author = {Tuomas Aura and Johan Lilius},
title = {Time processes of time Petri nets},
booktitle = {Proc.\ 18th Int.\ Conf.\ on Application and
Theory of Petri nets (ATPN'97)},
volume = 1248,
series = {LNCS},
pages = "136--155",
year = 1997,
address = {Toulouse, France},
publisher = {Springer},
month = jun
}
39.
Tuomas Aura,
Strategies against replay attacks,
in proceedings of 10th IEEE Computer Security Foundations Workshop, Rockport MA, June 1997, pp. 59-68, IEEE Computer Society Press 1997. (Copyright 1997 IEEE)
[PS][PDF].
Abstract:
The goal of this paper is to present a set of design principles for avoiding
replay attacks in cryptographic protocols. The principles are easily applied to
real protocols and they do not consume excessive computing power or
communications bandwidth. In particular, we describe how to type-tag messages
with unique cryptographic functions, how to inexpensively implement the full
information principle with hashes, and how to produce unique session keys
without assuming mutual trust between the principals. The techniques do not
guarantee security of protocols, but they are concrete ways for improving the
robustness of the protocol design with relatively low cost.
@InProceedings{Aura97a,
author = {Tuomas Aura},
title = {Strategies against replay attacks},
booktitle = {Proc.\ 10th IEEE Computer Security Foundations Workshop},
year = 1997,
address = {Rockport, MA USA},
pages = "59--68",
publisher = {IEEE Computer Society Press},
month = jun
}
40.
Tuomas Aura, Pekka Nikander,
Stateless connections,
HUT Digital Systems Laboratory Report A46, May 1997.
[PS][PDF].
(See also the more concise ICICS'97 paper above.)
Abstract:
We describe a transformation of stateful connections or parts of them into
stateless ones by attaching the state information to the messages. Message
authentication codes are used for checking integrity of the state data and the
connections. The stateless server protocols created in this way are more robust
against denial of service resulting from high loads and resource exhausting
attacks than their stateful counterparts. In particular, stateless
authentication resists attacks that leave connections in a half-open state.
Examples of problems related to statefulness and solutions to them are shown
for the X.509, ISAKMP, TCP and HTTP protocols.
@TechReport{AurNik97a,
author = {Tuomas Aura and Pekka Nikander},
title = {Stateless connections},
institution = {Helsinki University of Technology,
Digital Systems Laboratory},
year = 1997,
address = {Espoo, Finland},
number = "A46",
month = may,
url = "file://saturn.hut.fi/pub/reports/A46.ps.Z"
}
1996

41.
Tuomas Aura,
Practical invisibility in digital communication,
in proceedings of the Workshop on Information Hiding, Cambridge, England, May 1996, pp. 265-278, volume 1174 of Lecture Notes in Computer Science, Springer 1996.
[PS][PDF].
Abstract:
This paper gives an overview of cryptographically
strong mass application invisibility in digital communication. It
summarizes principles and methodology, clarifies terminology, and
defines some new concepts. A new algorithm for hiding bit selection in
digital images is proposed and an experimental implementation of the
algorithm is described. Finally, the paper closes with a discussion
of the implications of the availability of invisible communication.
@InProceedings{Aura96b,
author = {Tuomas Aura},
title = {Practical invisibility in digital communication},
booktitle = {Proc. First Int.\ Workshop on Information Hiding},
volume = 1174,
series = {LNCS},
year = 1996,
month = may,
address = {Cambridge, UK},
pages = "265--278",
publisher = {Springer}
}
42.
Tuomas Aura,
Time processes of time Petri nets,
Master's thesis, February 1996, appeared as HUT Digital Systems Laboratory Report A38, August 1996.
[PS][PDF].
(See also the more concise ATPN paper and the TCS article above.)
Abstract:
The objective of this thesis is to give time Petri nets a partial order
semantics, like the nonsequential processes of untimed net systems.
A time process of a time Petri net is defined as a traditionally
constructed causal process with a valid timing.
This means that the events of the process are labeled with occurrence
times which must satisfy specific validness criteria.
An efficient algorithm for checking validness of known timings is presented.
Interleavings of the time processes are defined as linearizations
of the causal partial order of events where also the time order of
events is preserved. The relationship between firing schedules of a time
Petri net and the interleavings of the time processes of the net is
shown to be bijective. Also, a sufficient condition is given
for when the invalidity of timings for a process can be
inferred from its initial subprocess. An alternative characterization
for the validness of timings results in an algorithm for constructing
the set of all valid timings for a process. The set of all valid timings
is presented as sets of alternative linear constraints, which can be used
in optimization problems. The techniques developed can be used to compute,
for example, the maximum time separation of two events in a process.
The existence of a valid timing for a given process can be decided in NP time.
@MastersThesis{Aura96a,
author = {Tuomas Aura},
title = {Time processes of time Petri nets, Master's Thesis},
school = "Helsinki University of Technology,
Digital Systems Laboratory",
year = 1996,
month = feb,
note = {appeared as HUT Digital Systems Lab. Technical Report A38,
August 1996},
annote = {Received the annual Pro Gradu award of the Finnish
Society for Computer Science for a distinguished
Master's thesis in computer science in 1995-96.}
}
1995

43.
Tuomas Aura,
Modelling the Needham-Schröder authentication protocol with high level Petri nets,
Digital Systems Laboratory Report B14, September 1995.
[PS][PDF].
@TechReport{Aura95,
author = "Tuomas Aura",
title = "Modelling the {Needham-Schr{\"o}der} authentication protocol
with high level {P}etri nets",
institution = "Helsinki University of Technology,
Digital Systems Laboratory",
year = 1995,
address = {Espoo, Finland},
number = "B14",
month = sep,
url = "file://saturn.hut.fi/pub/reports/B14.ps.Z"
}