(Sorted by authors.) Most of the following papers are available online in gzipped PostScript, some also in PDF. There is also a complete list of all our publications sorted by language and subject.
Don't forget: some proceedings are published in a later year than the conference is held.
André Adelsbach, Birgit Pfitzmann, Ahmad-Reza Sadeghi: Proving Ownership of Digital Content; Information Hiding (IH '99), LNCS 1768, Springer-Verlag, Berlin 2000, 117-133.
Abstract: Protection of digital property has become crucial in the widespread and rapidly growing use of digital media. Making the misuse of copyrighted works detectable, and thus deterring people from misuse is the most promising measure currently known. To achieve this most proposals apply watermarking techniques and focus on resolving the ownership in disputes which may arise after a misuse has been detected. In disputes a trusted third party (judge) decides on the ownership by comparing ownership claims of disputing parties. However, resolving disputes does not necessarily imply determining the rightful owner, since she might not be participating in the dispute. Moreover, in contrast to disputes, one is in practice often confronted with only a single claim of ownership, e.g., in electronic market places where buyers intend to purchase digital items from someone claiming to be the rightful copyright holder. Proof of ownership is highly desirable in such situations because on the one hand, the buyers are ensured not to buy digital items from fake copyright holders and on the other hand, the copyright holders are protected against unauthorized reselling of their digital works. In this paper we present the first general model and generic protocols for proving ownership of digital works. We further introduce concrete instantiations of our generic protocols, e.g., by applying watermarking schemes.
N. Asokan, Phillipe A. Janson, Michael Steiner, Michael Waidner: State of the Art in Electronic Payment Systems; Marvin V. Zelkowitz (ed.): Advances in Computers Vol. 53, Academic Press, 2000, 425-449. (Update of AJSW_97.)
Katrin Borcea, Hannes Federrath, Olaf Neumann, Alexander Schill: Entwicklung und Einsatz multimedialer Werkzeuge für die Internet-unterstützte Lehre. Praxis der Informationsverarbeitung und Kommunikation PIK 23/3 (2000) 164-168.
Abstract: In recent years, Technische Universität Dresden has developed and field-tested comprehensive new forms of online support for teaching. The concepts cover a range of teaching scenarios and are interdisciplinary in design. They are being tested in cooperation with partners including the universities of Berkeley, Göttingen, Hannover and Kiel as well as DaimlerChrysler AG and SAP AG. The applicability of the developed approaches is not limited to the on-campus computer science and business informatics degree programmes at TU Dresden; they also play an important role in teacher training, in other faculties (e.g. psychology, medicine) and in schools. Specifically, three key scenarios of online support are being put into practice:
Hannes Federrath: Multimediale Inhalte und technischer Urheberrechtsschutz im Internet. Zeitschrift für Urheber- und Medienrecht ZUM 44/10 (2000) 804-810.
Abstract: The fight against the illegal provision and use of copyrighted data on the Internet by technical means appears hopeless in view of the imaginative ways of circumventing blocking measures. Marking protected content with digital watermarks and digital fingerprints at least makes it possible to trace individually marked copies and thus has a deterrent effect on pirates. The distribution of exact 1:1 digital copies could be prevented with hardware-supported cryptographic methods. However, such technologies are very expensive and in practice will most likely help only for a limited time. Attempts to change the Internet so that users can be traced in all their actions (legal or illegal) fail technically because of the availability and usability of anonymization services, and would moreover conflict with data protection law.
N. Asokan, Victor Shoup, Michael Waidner: Optimistic fair exchange of digital signatures; IEEE Journal on Selected Areas in Communications 18/4 (2000) 593-610.
Abstract: We present a new protocol that allows two players to exchange digital signatures over the Internet in a fair way, so that either each player gets the other's signature, or neither player does. The obvious application is where the signatures represent items of value, for example, an electronic check or airline ticket. The protocol can also be adapted to exchange encrypted data. The protocol relies on a trusted third party, but is "optimistic," in that the third party is only needed in cases where one player crashes or attempts to cheat. A key feature of our protocol is that a player can always force a timely and fair termination, without the cooperation of the other player. A specialization of our protocol can be used for contract signing; this specialization is not only more efficient, but also has the important property that the third party can be held accountable for its actions: if it ever cheats, this can be detected and proven.
Giuseppe Ateniese, Michael Steiner, Gene Tsudik: New Multi-Party Authentication Services and Key Agreement Protocols; IEEE Journal on Selected Areas in Communications 18/4 (2000) 628-639.
Abstract: Many modern computing environments involve dynamic peer groups. Distributed simulation, multiuser games, conferencing applications, and replicated servers are just a few examples. Given the openness of today's networks, communication among peers (group members) must be secure and, at the same time, efficient. This paper studies the problem of authenticated key agreement in dynamic peer groups with the emphasis on efficient and provably secure key authentication, key confirmation, and integrity. It begins by considering two-party authenticated key agreement and extends the results to group Diffie-Hellman (1976) key agreement. In the process, some new security properties (unique to groups) are encountered and discussed.
Birgit Baum-Waidner, Michael Waidner: Round-optimal and Abuse-free Optimistic Multi-Party Contract Signing; 27th International Colloquium on Automata, Languages and Programming (ICALP 2000), LNCS 1853, Springer-Verlag, Berlin 2000, 524-535. (Slides in PDF)
Abstract: We present the first optimistic n-party contract signing protocol for asynchronous networks that tolerates up to n-1 dishonest signatories and terminates in the minimum number of rounds (O(n)). We also show how to make this protocol abuse-free by using standard cryptographic primitives (digital signatures, public-key encryption) only. Previous solutions required O(n^2) rounds of communication, and non-standard cryptographic primitives for abuse freeness.
Peter Buhler, Thomas Eirich, Michael Steiner, Michael Waidner: Secure password-based cipher suite for TLS; Symposium on Network and Distributed Systems Security (NDSS '00), San Diego, CA, February 2000, Internet Society, 129-142.
Abstract: SSL is the de facto standard today for securing end-to-end transport. While the protocol seems rather secure, there are a number of risks which lurk in its use, e.g., in web banking. We motivate the use of password-based key exchange protocols by showing how they overcome some of these problems. We propose the integration of such a protocol (DH-EKE) into TLS, the IETF standardization of SSL. The resulting protocol provides secure mutual authentication and key establishment over an insecure channel. It does not have to resort to a PKI or to keys and certificates stored on the user's computer. Additionally, the integration into TLS is as minimal and non-intrusive as possible. As a side effect we also improve DH-EKE to provide semantic security assuming the hardness of the Decisional Diffie-Hellman problem.
Mihir Bellare, Juan Garay, Ralf Hauser, Amir Herzberg, Hugo Krawczyk, Michael Steiner, Gene Tsudik, Els Van Herreweghen, Michael Waidner: Design, implementation and deployment of the iKP secure electronic payment system; IEEE Journal on Selected Areas in Communications 18/4 (2000) 611-627.
Abstract: This paper discusses the design, implementation and deployment of a secure and practical payment system for electronic commerce on the Internet. The system is based on the iKP family of protocols developed at IBM Research. The protocols implement credit card-based transactions between buyers and merchants while the existing financial network is used for payment clearing and authorization. The protocols are extensible and can be readily applied to other account-based payment models, such as debit cards. They are based on careful and minimal use of public-key cryptography and can be implemented in either software or hardware. Individual protocols differ in both complexity and degree of security.
In addition to being both a precursor and a direct ancestor of the well-known SET standard, iKP-based payment systems have been in continuous operation on the Internet since mid-1996. This longevity, as well as the security and relative simplicity of the underlying mechanisms, makes our experience with iKP unique. For this reason, this paper also reports on, and addresses, a number of practical issues arising in the course of implementation and real-world deployment of a secure payment system.
Oliver Berthold, Hannes Federrath, Marit Köhntopp: Project "Anonymity and Unobservability in the Internet"; Workshop on Freedom and Privacy by Design / Conference on Freedom and Privacy 2000, Toronto/Canada, April 4-7, 2000, 57-65.
Abstract: It is a hard problem to achieve anonymity for real-time services in the Internet (e.g. Web access). All existing concepts fail when we assume a very strong attacker model (i.e. an attacker is able to observe all communication links). We also show that these attacks are real-world attacks. This paper outlines alternative models which mostly render these attacks useless. Our present work tries to increase the efficiency of these measures.
Hannes Federrath, Andreas Pfitzmann: Gliederung und Systematisierung von Schutzzielen in IT-Systemen; DuD, Datenschutz und Datensicherheit, Vieweg-Verlag 24/12 (2000) 704-710.
Abstract: This article structures and systematizes possible protection goals in IT systems, i.e. requirements on the protection of people who "move" within communication networks. Each of the presented structurings illuminates different sides of the same problem from particular points of view and thereby creates a model for the notion of security.
Jürgen Guth, Birgit Pfitzmann: Error- and Collusion-Secure Fingerprinting for Digital Data; Information Hiding (IH '99), LNCS 1768, Springer-Verlag, Berlin 2000, 134-145.
Abstract: Fingerprinting means making copies of the same data identifiable by hiding additional information (a fingerprint) in the data. Embedding the additional data can be done by watermarking techniques, which are mainly a branch of signal processing. Most watermarking methods, however, do not treat colluding attackers who have obtained more than one copy, compare their copies, see differences and use this information to make a copy without a fingerprint. Therefore, there are cryptographic fingerprinting methods to obtain collusion tolerance on top of a watermarking layer. But the most important fingerprinting method by Boneh and Shaw excludes a priori any errors on the watermarking layer, i.e., it is assumed that no changes to the fingerprint occur except those based on the information from collusion attacks. This is a stronger assumption than what most underlying watermarking schemes offer.
This assumption can be justified by making each individual mark fault-tolerant on the watermarking layer, e.g., by replication, but that would imply a significant increase in the data size needed. Instead, here we implement the fault tolerance more efficiently on the cryptographic layer by generalizing Boneh and Shaw's fingerprinting methods. Our remaining assumption on the underlying watermarking is quite reasonable for watermarking methods that would be built according to the best currently known principles.
Kristian Köhntopp, Marit Köhntopp, Andreas Pfitzmann: Sicherheit durch Open Source? Chancen und Grenzen; Datenschutz und Datensicherheit, Vieweg-Verlag 24/9 (2000) 508-513.
Abstract: It is well known that the security of common software today leaves much to be desired. Great hopes are attached to open-source software as a way of improving this situation. The authors explain which of these hopes are realistic.
Gérard Lacoste, Birgit Pfitzmann, Michael Steiner, Michael Waidner (ed.): SEMPER - Secure Electronic Marketplace for Europe; LNCS 1854, Springer-Verlag, Berlin 2000. (350 pp.)
Blurb: This monograph constitutes a major contribution to the development of secure electronic commerce. The book is based on the European R&D project SEMPER - Secure Electronic Marketplace for Europe which aims at securing electronic commerce as a whole by developing a technical security framework realized as a middleware. The first part of this monograph presents an introduction to electronic commerce in general and provides an overview of the proposed solutions; this part is accessible to everybody seriously interested in the topic and does not require a technical background except some basic familiarity with the Internet. The second part presents fundamentally new scientific and engineering results and sets the scene for future R&D activities in securing electronic commerce.
Table of Contents:
Part I. The Vision of SEMPER: 1. Secure Electronic Commerce
Part II. Project Achievements: 5. Organizational Overview
MAFTIA Consortium: Reference Model and Use Cases; MAFTIA Deliverable D1, Project IST-1999-11583, August 2000.
Abstract: This document constitutes the first deliverable of MAFTIA work package 1. The objective of this work package is to define a consistent framework for ensuring the dependability of distributed applications in the face of a wide class of threats. In particular, the aim is to develop a coherent set of concepts for an architecture that can tolerate deliberately malicious faults, such as intrusions, in applications distributed over the Internet. The intrusions of concern include not only those perpetrated by external penetrators, but also those carried out by corrupt insiders, i.e., users who are authorized to access the system but not authorized for the accessed data, program or resource, and administrators who misuse their rights. Although intrusions are the primary class of targeted faults, the architecture should also be adequately robust towards accidental physical faults and accidental design faults.
Birgit Pfitzmann, Ahmad-Reza Sadeghi: Self-Escrowed Cash Against User Blackmailing; 4th International Conference on Financial Cryptography (FC '00), LNCS, Springer-Verlag, Berlin 2000.
Abstract: Protecting customer privacy is an important requirement when designing electronic cash systems. However, there is also concern that anonymous cash systems can be misused for criminal activities. Blackmailing in particular is more severe in digital cash systems than in paper-based systems, because on the one hand the blackmailer is able to avoid physical contact and on the other hand there are no recognizable note numbers. To prevent such activities, several cash systems have been proposed where one trustee or a collection of trustees can revoke the anonymity of a user. However, this also introduces a serious risk that this revocation ability is
In this paper we show that the problem of user blackmailing can be solved without this risk. In our proposal, instead of a trustee, it is rather the blackmailed person who reveals the required information to trace extorted coins without compromising any of her secrets. We show how to derive such systems from concrete existing proposals for anonymity-revocable cash systems with passive trustee.
Birgit Pfitzmann, Ahmad-Reza Sadeghi: Anonymous Fingerprinting with Direct Non-Repudiation; Asiacrypt 2000, LNCS 1976, Springer-Verlag, Berlin 2000, 401-414.
Abstract: Fingerprinting schemes support copyright protection by enabling the merchant of a data item to identify the original buyer of a redistributed copy. In asymmetric schemes, the merchant can also convince an arbiter of this fact. Anonymous fingerprinting schemes enable buyers to purchase digital items anonymously; however, identification is possible if they redistribute the data item.
Recently, a concrete and reasonably efficient construction based on digital coins was proposed. A disadvantage is that the accused buyer has to participate in any trial protocol to deny charges. Trials with direct non-repudiation, i.e., the merchant alone holds enough evidence to convince an arbiter, are more useful in real life. This is similar to the difference between "normal" and "undeniable" signatures.
In this paper, we present an equally efficient anonymous fingerprinting scheme with direct non-repudiation. The main technique we use, delayed verifiable encryption, is related to coin tracing in escrowed cash systems. However, there are technical differences, mainly to provide an unforgeable link to license conditions.
Birgit Pfitzmann, Matthias Schunter, Michael Waidner: Cryptographic Security of Reactive Systems; Workshop on Secure Architectures and Information Flow, Royal Holloway, University of London, December 1 - 3, 1999; Electronic Notes in Theoretical Computer Science (ENTCS) 32 (2000). [preprint]
Abstract: We describe some general relations between cryptographic and abstracted security definitions, and we present a novel model of security for reactive systems, generalizing previous definitions relying on the simulatability paradigm.
The larger context is the goal to provide cryptographic semantics for "abstract" specifications, so that the "reality" of the former can be combined with the brevity or, if a formal language is used, the precision and tool-support, of the latter.
The novel aspects of our specific definition are a separate treatment of honest users, a precise synchronous switching model, and easy inclusion of various trust models. We also believe to have the first general strategy to deal abstractly with accepted vulnerabilities (such as leakage of traffic patterns), and the first worked-out serious-size examples within a general model. Most importantly, our model has the first general composition theorem, and a link to requirements formulated in logics.
Birgit Pfitzmann, Matthias Schunter, Michael Waidner: Secure Reactive Systems; IBM Research Report RZ 3206 (#93252) 02/14/00, IBM Research Division, Zürich, May 2000.
Abstract: We introduce a precise definition of the security of reactive systems following the simulatability approach in the synchronous model. No simulatability definition for reactive systems has been worked out in similar detail and generality before. Particular new aspects are a precise switching model that allows us to discover timing vulnerabilities, a precise treatment of the interaction of users and adversaries, and independence of the trust
We present several theorems relating the definition to other possible variants. They substantiate which aspects of such a definition do and do not make a real difference, and are useful in larger proofs. We also have a methodology for defining the security of practical systems by simulation of an ideal system, although they typically have imperfections tolerated for efficiency reasons.
We sketch several examples to show the range of applicability, and present a very detailed proof of one example, secure reactive message transmission. Its main purpose is to validate the model by an example of a class that has also been considered in other models, but we did encounter new problems related to our strict requirements on timing security.
Birgit Pfitzmann, Matthias Schunter, Michael Waidner: Provably Secure Certified Mail; IBM Research Report RZ 3207 (#93253) 02/14/00, IBM Research Division, Zürich, August 2000.
Abstract: With a certified-mail protocol, one fairly exchanges a message for a receipt. No satisfactory protocols without any third party are possible, hence optimistic protocols are the best one can hope for. Here a third party is only involved if one party tries to cheat.
Certified-mail protocols are known in the literature, but there was no rigorous definition yet, in particular for the optimistic case and for many interleaved executions. We provide two such definitions. One defines individual integrity and secrecy requirements. The other defines an ideal system and uses a general simulatability definition. We show the relation between the definitions, present an efficient protocol, and prove its security in detail.
Apart from the intrinsic benefits of provably secure certified mail, this paper serves as an example that a serious-sized practical protocol can be rigorously proven with respect to a general simulatability definition and an abstract specification accessible to formal methods.
Birgit Pfitzmann, Michael Waidner: Composition and Integrity Preservation of Secure Reactive Systems; 7th ACM Conference on Computer and Communications Security, Athens, November 2000, ACM Press, New York 2000, 245-254. (Preliminary version: IBM Research Report RZ 3234 (#93280) 06/12/00, IBM Research Division, Zürich, June 2000.)
Birgit Pfitzmann, Michael Waidner: A Model for Asynchronous Reactive Systems and its Application to Secure Message Transmission; IBM Research Report RZ 3304 (#93350) 12/11/2000, IBM Research Division, Zürich, December 2000. (Final version: PfWa1_01.)
Birgit Pfitzmann, Michael Waidner, Andreas Pfitzmann: Secure and Anonymous Electronic Commerce: Providing Legal Certainty in Open Digital Systems Without Compromising Anonymity; IBM Research Report RZ 3232 (#93278) 05/22/00, IBM Research Division, Zurich, May 2000.
This text is translated from the German article Rechtssicherheit trotz Anonymität in offenen digitalen Systemen, which was published more than 10 years ago: first in 1987 in Computer und Recht Vol. 3 No. 10--12, and with some revisions in 1990 in Datenschutz und Datensicherung (DuD) Vol. 14 No. 5/6. The translation is based on the 1990 version. The text was written for an audience interested in computer science and law, i.e., not primarily for the IT security expert. In those days the assumed technical basis for electronic commerce was "ISDN." Today's readers may read "the Internet" instead. The text is an unedited translation.
Abstract: The growing importance of conducting legal transactions over open digital systems creates new requirements for these systems. They have to be designed in such a way that the users remain anonymous to one another and their activities cannot be observed by uninvolved parties. At the same time, the systems have to guarantee the necessary legal certainty for the transactions being carried out. It will be demonstrated that legal regulation alone is not sufficient to ensure that these requirements are dependably
For this reason, known technical methods and new proposals from the field of information technology are presented as a complement to legal regulation. On the one hand, these proposals guarantee unobservability and anonymity when using the system and, on the other hand, they provide sufficient legal certainty for the conduct of typical business processes over the open system without sacrificing anonymity. Due to their particular importance, two issues are presented in more detail: two methods to prevent fraud during the exchange of values between anonymous parties (e.g., an information service offered in exchange for payment), and an anonymous digital payment system and variants of it. The paper concludes with an overview of open problems and a practical evaluation of the issues.
Matthias Schunter: Optimistic Fair Exchange; Dissertation, Saarland University, October 2000. (ps.gz 1.1 MB, PDF 2.5 MB.)
Abstract: A fair exchange guarantees that a participant only reveals its items (such as signatures, payments, or data) if it receives the expected items in exchange. Efficient fair exchange requires a so-called Third Party, which is assumed to be correct. Optimistic fair exchange involves this Third Party only if needed, i.e., if the participants cheat or disagree.
In Part I, we prove lower bounds on the message and time complexity of two particular instances of fair exchange in varying models, namely contract signing (fair exchange of two signatures under a contract) and certified mail (fair exchange of data for a receipt). We show that all given bounds are tight by describing provably time- and message-optimal protocols for all considered models and instances.
In Part II, we have a closer look at formalizing the security of fair exchange. We introduce a new formal notion of security (including privacy) for reactive distributed systems. We illustrate this new formalism by a specification of certified mail as an alternative to the traditional specification given in Part III.
In Part III, we describe protocols for generic and optimistic fair exchange of arbitrary items. These protocols are embedded into the SEMPER Fair Exchange Layer, which is a central part of the SEMPER Framework for Secure Electronic Commerce.
Michael Steiner, Gene Tsudik, Michael Waidner: Key Agreement in Dynamic Peer Groups; IEEE Transactions on Parallel and Distributed Systems 11/8 (2000) 769-780, August 2000.
Abstract: As a result of the increased popularity of group-oriented applications and protocols, group communication occurs in many different settings: from network multicasting to application-layer tele- and video-conferencing. Regardless of the application environment, security services are necessary to provide communication privacy and integrity. This paper considers the problem of key agreement in dynamic peer groups. (Key agreement, especially in a group setting, is the stepping stone for all other security services.) Dynamic peer groups require not only initial key agreement (IKA) but also auxiliary key agreement (AKA) operations such as member addition, member deletion and group fusion. We discuss all group key agreement operations and present a concrete protocol suite, CLIQUES, which offers complete key agreement services. CLIQUES is based on multi-party extensions of the well-known Diffie-Hellman key exchange method. The protocols are efficient and provably secure against passive adversaries.
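The two group key agreement abstracts above (Ateniese, Steiner, Tsudik; Steiner, Tsudik, Waidner) describe multi-party extensions of Diffie-Hellman with an initial key agreement (IKA) phase and auxiliary operations such as member addition. The following is an added illustration, not code from the CLIQUES suite or from the authors: it shows one well-known chained form of n-party Diffie-Hellman, in which an "upflow" message accumulates partial exponentiations from member to member, the last member (the controller) derives the key and broadcasts one value per member, and member addition is handled by the controller refreshing its own exponent before forwarding an upflow to the joiner. The modulus and generator are toy values chosen for readability (an assumption, far too small for real use), there is no authentication of any message, and the exact message formats of CLIQUES are not reproduced.

```python
"""Illustrative n-party Diffie-Hellman group key agreement (chained upflow,
then one broadcast) with a member-addition operation.

Added example only: NOT the CLIQUES protocol suite, no authentication, and
toy parameters. It shows how a shared key G^(x_1 * ... * x_n) mod P can be
derived by n members and refreshed when a member joins."""
import secrets

# Toy parameters (assumption, for readability only): a Mersenne prime and a
# small generator. Real deployments use a standardized large prime-order group.
P = (1 << 127) - 1
G = 3


def fresh_exponent() -> int:
    """Secret exponent in [1, P-2]."""
    return secrets.randbelow(P - 2) + 1


def upflow(msg, x):
    """Member i (secret x) processes the upflow message from member i-1.

    msg = (partials, full) where
      partials[j] = G^(x_1 ... x_{i-1} / x_j)   one entry per earlier member j
      full        = G^(x_1 ... x_{i-1})
    Returns the message for member i+1 in the same shape."""
    partials, full = msg
    new_partials = [pow(v, x, P) for v in partials] + [full]  # G^(x_1..x_i / x_j), j <= i
    new_full = pow(full, x, P)                                 # G^(x_1..x_i)
    return new_partials, new_full


def controller_finish(msg, x):
    """Last member (the group controller) derives the key and builds the broadcast."""
    partials, full = msg
    key = pow(full, x, P)                          # G^(x_1 ... x_n)
    broadcast = [pow(v, x, P) for v in partials]   # G^(x_1 ... x_n / x_j) for each j < n
    return key, broadcast


def member_finish(broadcast, j, x):
    """Member j recovers the group key from the broadcast with its own secret."""
    return pow(broadcast[j], x, P)


def initial_key_agreement(xs):
    """IKA for members with secrets xs[0..n-1]; xs[-1] acts as controller.
    Returns (keys computed by each member, upflow message the controller received)."""
    msg = ([], G)
    for x in xs[:-1]:
        msg = upflow(msg, x)
    key_ctrl, broadcast = controller_finish(msg, xs[-1])
    keys = [member_finish(broadcast, j, x) for j, x in enumerate(xs[:-1])]
    return keys + [key_ctrl], msg


def add_member(ctrl_msg, xs_others, x_ctrl_new, x_joiner):
    """AKA member addition: the controller replaces its exponent by x_ctrl_new
    (so the joiner cannot reconstruct the previous key), forwards a single
    upflow to the joiner, and the joiner becomes the new controller.
    xs_others = unchanged secrets of the members before the old controller."""
    msg = upflow(ctrl_msg, x_ctrl_new)
    key_joiner, broadcast = controller_finish(msg, x_joiner)
    keys = [member_finish(broadcast, j, x) for j, x in enumerate(xs_others)]
    keys.append(member_finish(broadcast, len(xs_others), x_ctrl_new))
    return keys + [key_joiner], msg


if __name__ == "__main__":
    xs = [fresh_exponent() for _ in range(4)]
    keys, ctrl_msg = initial_key_agreement(xs)
    assert len(set(keys)) == 1, "IKA: all members must hold the same key"
    keys2, _ = add_member(ctrl_msg, xs[:-1], fresh_exponent(), fresh_exponent())
    assert len(set(keys2)) == 1 and keys2[0] != keys[0], "AKA: fresh common key"
    print("group key agreed by", len(keys2), "members after one join")
```

Each upflow message grows by one element per member, so the final broadcast is linear in the group size; the exponent refresh in add_member is what prevents the joining member from computing the key that was in use before it joined.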
Gritta Wolf, Andreas Pfitzmann: Charakteristika von Schutzzielen und Konsequenzen für Benutzungsschnittstellen; Informatik-Spektrum 23/3 (2000) 173-191.
Abstract: With the steadily growing use of the Internet, it becomes increasingly necessary to resolve conflicts between people in computer-supported communication as well. For computer-supported cooperation, however, users still lack the tools to express their own protection interests, to conduct negotiations and to enforce their results. The presented work helps users to formulate their protection goals in computer systems. Based on an analysis of protection goals, in particular their properties and their interactions, we develop a user interface for multilateral security. It enables users to express their protection interests within the system. Since general knowledge of security problems and of the available protection methods grows only slowly, this user interface must be designed so that security laypersons can use it as well. To assess its practical value, we performed a usability test with security laypersons and experts.