(Sorted by author.) Most of the following papers are available online as gzipped PostScript, some also as PDF. There is also a complete list of all our publications, sorted by language and subject.
André Adelsbach, Michael Steiner (ed.): Cryptographic Semantics for the Algebraic Models; MAFTIA Deliverable D8, Project IST-1999-11583, February 2002.
Abstract: MAFTIA's Work-package 6 pursues the overall goal of "rigorously defining the basic concepts developed by MAFTIA, and verifying results of the work on dependable middleware." In the earlier MAFTIA deliverable D4, we presented a general rigorous model for the security of reactive systems. This model comprised the various types of faults (attacks) and topologies considered in MAFTIA, but was restricted to a synchronous timing model. In this deliverable, we focus on a model variant for asynchronous reactive systems. This variant is highly important for MAFTIA, since several of the major MAFTIA middleware protocols are asynchronous. To illustrate the use of the asynchronous model, a proof of secure message transmission in the asynchronous case is included. We chose this example, which delivers a similar service to the example from D4, to illustrate the analogies as well as the differences between the two variants of the secure reactive systems model. As in the synchronous model, we prove a composition theorem for the asynchronous counterpart, which allows modular proofs in this model. Furthermore, we discuss how to model adaptive corruptions in the presented models.
Finally, we discuss the relation between the proposed models and the real world. Every model abstracts in certain ways from the real world and makes assumptions, and so do the presented models of secure reactive systems. These abstractions are, on the one hand, necessary to enable reasoning about protocols at all. On the other hand, they can lead to insecure systems in the real world if they are implemented naively. Guided by the goal of secure real-world systems, we present an assessment of the model's abstractions and discuss the possible impact on real-world security when implementing reactive systems that have been proven secure in this model.
Ammar Alkassar, Christian Stüble: Towards Secure IFF - Preventing Mafia Fraud Attacks; accepted for MILCOM 2002 IEEE Military Communications Conference, Anaheim, October 2002.
Abstract: Common identification schemes, such as those used for identification friend or foe (IFF), can be broken by an active adversary who performs the real-time relay attack known as mafia fraud. Because no convincing practical solution is known so far, common security proofs explicitly omit such scenarios. In this paper we present an identification scheme that addresses this problem by hiding the conversation channel between the participants using Channel Hopping (CH) technology. The security of our approach is based on the assumption that an adversary cannot efficiently eavesdrop on all channels of a CH system in parallel. Finally, we argue that the proposed protocol is essential for a variety of military and civil applications.
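To make the attack and the countermeasure in this abstract concrete, here is an added simulation; it is not the paper's protocol, which the abstract does not spell out. It models a keyed challenge-response between verifier V and prover P, a relay attacker A who forwards messages without ever breaking the MAC (mafia fraud), and a channel-hopping variant in which V and P derive each round's channel from their shared key with an HMAC-based PRF while A can monitor only a fixed number of channels at once. The hop derivation, the message formats, the "narrow-band listener" model and the constructed keys are this example's own assumptions.

```python
import hashlib
import hmac
import random


def hop_channel(key: bytes, rnd: int, channels: int) -> int:
    """Channel used in round `rnd`, derived from the shared key (assumed keyed PRF)."""
    mac = hmac.new(key, b"hop" + rnd.to_bytes(4, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big") % channels


def respond(key: bytes, challenge: bytes) -> bytes:
    """Prover's answer to a challenge: an HMAC under the shared key."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def _challenge(rng: random.Random) -> bytes:
    """Fresh 128-bit challenge (deterministic RNG so runs are reproducible)."""
    return rng.getrandbits(128).to_bytes(16, "big")


def honest_run(key: bytes, rounds: int, channels: int, seed: int = 0) -> bool:
    """V and P talk directly; both derive the same hop sequence from the key."""
    rng = random.Random(seed)
    for rnd in range(rounds):
        v_channel = hop_channel(key, rnd, channels)
        p_channel = hop_channel(key, rnd, channels)   # P tunes independently
        challenge = _challenge(rng)
        if p_channel != v_channel:
            return False                              # P never hears V
        answer = respond(key, challenge)
        if not hmac.compare_digest(answer, respond(key, challenge)):
            return False
    return True


def relay_run(key: bytes, rounds: int, channels: int, listen: int,
              rng: random.Random) -> bool:
    """Mafia fraud: attacker A sits between V and P.  A does not know the key
    and can monitor only `listen` of `channels` channels at once, so it tunes
    to a random subset each round.  When A hears V's challenge it forwards it
    to P and relays P's genuine answer back; V cannot tell this from a direct
    run, because nothing cryptographic has been broken."""
    for rnd in range(rounds):
        v_channel = hop_channel(key, rnd, channels)
        challenge = _challenge(rng)
        tuned = set(rng.sample(range(channels), listen))
        if v_channel not in tuned:
            return False                              # challenge missed: V times out
        relayed_answer = respond(key, challenge)      # P answers A's forwarded challenge
        if not hmac.compare_digest(relayed_answer, respond(key, challenge)):
            return False
    return True


def relay_success_rate(rounds: int, channels: int, listen: int, trials: int,
                       seed: int = 1) -> float:
    """Fraction of runs in which the relay attacker is accepted as the prover."""
    rng = random.Random(seed)
    key = bytes(rng.getrandbits(8) for _ in range(32))   # constructed demo key
    wins = sum(relay_run(key, rounds, channels, listen, rng) for _ in range(trials))
    return wins / trials


if __name__ == "__main__":
    key = bytes(32)   # constructed key for the demo only
    print("honest run accepted:", honest_run(key, 4, 16))
    print("relay, single channel:", relay_success_rate(4, 1, 1, 200))
    print("relay, 16 channels, attacker listens to 4:", relay_success_rate(4, 16, 4, 2000))
```

With a single channel the relay succeeds every time: the MAC is sound, the attacker simply forwards it, which is why a stronger primitive does not help against mafia fraud. With 16 channels and a receiver that can monitor 4 at a time, the attacker must guess the channel in every round, and acceptance over four rounds drops to roughly (4/16)^4. The whole argument rests on the listener being narrow-band; an adversary with a wide-band receiver covering every channel is back at 100%, which is exactly the assumption the abstract states the scheme depends on.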
Paul Ashley, Matthias Schunter: The Platform for Enterprise Privacy Practices; Information Security Solutions Europe, Paris, October 2002.
Abstract: Enterprises collect personal data while promising fair information practices to their customers. The Platform for Enterprise Privacy Practices (E-P3P) enables an enterprise to keep the privacy promises made. It formalizes the privacy promises into policies and associates a consented policy to each piece of collected data. This consented policy can then be used in access control decisions to enforce the privacy promises made.
Paul Ashley, Matthias Schunter, Calvin Powers: From Privacy Promises to Privacy Management: A New Approach for Enforcing Privacy Throughout an Enterprise; ACM New Security Paradigms Workshop, Virginia Beach VA, 2002.
Abstract: Regulations and consumer backlash force many organizations to re-evaluate the way they manage private data. As a first step, they publish privacy promises as text or P3P. These promises are not backed up by privacy technology that enforces them throughout the enterprise. Privacy tools cover fractions of the problem while leaving the main challenge unanswered. This article describes a new approach towards enterprise-wide enforcement of privacy promises. Its core is a new framework for managing collected personal data in a sensitive, trustworthy way. The framework enables enterprises to publish clear privacy promises, to collect and manage user preferences and consent, and to enforce the privacy promises throughout the enterprise. One of the foundations of this framework is the "sticky policy paradigm", which defines a customer-centric model for managing policies, preferences, and consent.
Michael Backes, Birgit Pfitzmann: Computational Probabilistic Non-Interference; accepted for ESORICS 2002, Zurich, October 2002.
Abstract: In recent times, information flow and non-interference have become very popular concepts for expressing both integrity and privacy properties. We present the first general definition of probabilistic non-interference in reactive systems which includes a computational case. This case is essential to cope with real cryptography, since non-interference properties can usually only be guaranteed if the underlying cryptographic primitives have not been broken. This might happen, but only with negligible probability. Furthermore, our definition links non-interference with the common approach of simulatability that modern cryptography often uses. We show that our definition is maintained under simulatability, which allows secure composition of systems, and we present a general strategy for how cryptographic primitives can be included in information flow proofs. As an example we present an abstract specification and a possible implementation of a cryptographic firewall guarding two honest users from their environment.
Michael Backes, Christian Jacobi, Birgit Pfitzmann: Deriving Cryptographically Sound Implementations Using Composition and Formally Verified Bisimulation; accepted for Formal Methods Europe (FME, part of FLoC), Copenhagen, July 2002.
Abstract: We consider abstract specifications of cryptographic protocols which are both suitable for formal verification and maintain a sound cryptographic semantics. In this paper, we present the first abstract specification for ordered secure message transmission in reactive systems based on the recently published model of Pfitzmann and Waidner. We use their composition theorem to derive a possible implementation whose correctness additionally involves a classical bisimulation, which we formally verify using the theorem prover PVS. The example serves as the first important case study which shows that this approach is applicable in practice, and it is the first example that combines tool-supported formal proof techniques with the rigorous proofs of cryptography.
Michael Backes, Birgit Pfitzmann, Michael Steiner, Michael Waidner: Polynomial Fairness and Liveness; IEEE Computer Security Foundations Workshop (CSFW), Cape Breton, June 2002.
Abstract: Important properties of many protocols are liveness or availability, i.e., that something good happens now and then. In asynchronous scenarios these properties obviously depend on the scheduler, which is usually considered to be fair in this case. Unfortunately, the standard definitions of fairness and liveness based on infinite sequences cannot be applied to most cryptographic protocols, since one must restrict the adversary and the runs as a whole to polynomial length. We present the first general definition of polynomial fairness and liveness in asynchronous scenarios which is suited to cope with arbitrary cryptographic protocols. Furthermore, our definitions provide a link to the common approach of simulatability which is used throughout modern cryptography, and we show that polynomial liveness is maintained under simulatability. As an example we present an abstract specification and a secure implementation of secure message transmission with reliable channels, and prove them to fulfill the desired liveness property, i.e., reliability of messages.
Hannes Federrath: AN.ON --- Privacy Protection on the Internet; ERCIM News No. 49, April 2002, p. 11.
Abstract: AN.ON -- Anonymity Online is a joint project (2001-2003) of Dresden University of Technology and the Privacy Commissioner of Schleswig-Holstein, Germany. Its aim is to enable every user to protect his privacy on the Internet.
Günter Karjoth, Matthias Schunter, Michael Waidner: Privacy-enabled Services for Enterprises; IBM Research Report RZ 3391 (#93437) 01/21/02, IBM Research Division, Zürich, January 2002.
Abstract: The IBM Enterprise Privacy Architecture (EPA) is a methodology for enterprises to provide an enhanced and well-defined level of privacy to their customers. EPA is structured in four building blocks. The privacy regulation analysis identifies and structures the applicable regulations. The management reference model enables an enterprise to define and enforce an enterprise privacy strategy and the resulting privacy practices. The privacy agreement framework is a methodology for privacy-enabling business process re-engineering. It outputs a detailed model of the privacy-relevant players and activities as well as the privacy policies that govern these activities. The technical reference architecture defines the technology needed for implementing the identified practices. The Platform for Enterprise Privacy Practices (E-P3P) is a refinement of EPA's technical reference architecture: Enterprises collect a certain amount of personal data while promising fair information practices to their customers. E-P3P enables an enterprise to keep the privacy promises made. It formalizes these privacy promises into policies and associates a consented policy to each piece of collected data. This consented policy can then be used in access control decisions to enforce the privacy promises made.
Günter Karjoth, Matthias Schunter, Michael Waidner: Platform for Enterprise Privacy Practices: Privacy-enabled Management of Customer Data; Privacy Enhancing Technologies (PET2002), San Francisco CA, 2002.
Abstract: Enterprises collect a large amount of personal data about their customers. Even though enterprises promise privacy to their customers using privacy statements or P3P, there is no methodology to enforce these promises throughout and across multiple
This article describes the Platform for Enterprise Privacy Practices (E-P3P), which defines technology for privacy-enabled management and exchange of customer data. Its comprehensive privacy-specific access control language expresses restrictions on the access to personal data, possibly shared between multiple enterprises.
Günter Karjoth, Matthias Schunter, Michael Waidner: Unternehmensweites Datenschutzmanagement (Enterprise-wide Privacy Management); in: Datenschutz als Wettbewerbsvorteil, Vieweg Verlag, 2002.
Abstract (translated from German): The IBM Enterprise Privacy Architecture (EPA) enables enterprises to offer their customers a comprehensive and well-defined level of data protection. EPA consists of the following four basic elements. The privacy regulation analysis identifies and structures the applicable regulations. Using the management reference model, the enterprise can derive its privacy strategy and the resulting privacy practices. The privacy-oriented business model describes a methodology for restructuring business processes with privacy requirements in mind. It generates a detailed model of the relevant parties and activities as well as the privacy policies to be applied to them. The fourth element is the technical reference architecture, which provides the technologies required for implementation. The Platform for Enterprise Privacy Practices (EP3P) is a further refinement of the technical reference architecture: enterprises collect personal data and promise their customers fair privacy practices when processing these data. With EP3P, enterprises can enforce these promises automatically, because EP3P links the collected data to the formalized privacy policy to which the individual user has consented.
Günter Karjoth, Matthias Schunter, Michael Waidner: Privacy-enabled Services for Enterprises; to appear at TrustBus (DEXA 2002), Feb 28, IEEE Press, 2002.
Abstract: The IBM Enterprise Privacy Architecture (EPA) is a methodology for enterprises to provide an enhanced and well-defined level of privacy to their customers. EPA is structured in four building blocks. The privacy regulation analysis identifies and structures the applicable regulations. The management reference model enables an enterprise to define and enforce an enterprise privacy strategy and the resulting privacy practices. The privacy agreement framework is a methodology for privacy-enabling business process re-engineering. It outputs a detailed model of the privacy-relevant players and activities as well as the privacy policies that govern these activities. The technical reference architecture defines the technology needed for implementing the identified practices.
Birgit Pfitzmann, Michael Waidner: Privacy in Browser-Based Attribute Exchange; IBM Research Report RZ 3412 (#93644) 06/10/02, IBM Research Division, Zurich, June 2002.
Abstract: Browser-based attribute exchange means protocols for a user of a normal web browser to send attributes, such as authentication or demographic data, to a web site. The best-known deployed protocol of this type in the real world is Microsoft's Passport. We identify the privacy requirements on such protocols in a general consumer scenario, derive the main design decisions needed to fulfil these requirements, and present a protocol with these properties. Our emphasis lies on protocols that could be standardized and deployed short-term.
Ahmad-Reza Sadeghi, Matthias Schunter, Sandra Steinbrecher: Private Auctions with Multiple Rounds and Multiple Items; to appear at TrustBus (DEXA 2002), Feb 28, IEEE Press, 2002.
Abstract: For selling spectrum licenses, economists have designed new auction types that proceed over several rounds and offer several licenses simultaneously. Communication between bidders is usually forbidden to prevent collusion (e.g., through separate compartments and supervision). We investigate these auctions from the cryptographic point of view and identify that the usual implementation, a succession of (traditional) sealed-bid auctions in which the auctioneer announces at least the winner and the winning bid of each round, offers a covert channel to the bidders. The announcement should be limited to the minimum a bidder needs to know to take part in the next round. We suggest that the bids made are kept private and that a bidder only learns which items she currently wins. Only at the end are the overall winners and winning bids revealed. We present a protocol based on a special sealed-bid auction that implements this idea.
Michael Steiner: Secure Group Key Agreement; Dissertation, Saarland University, March 2002.
Abstract: As a result of the increased popularity of group-oriented applications and protocols, group communication occurs in many different settings: from network multicasting to application-layer tele- and video-conferencing. Regardless of the application environment, security services are necessary to provide communication privacy and integrity. This thesis considers the problem of key management in a special class of groups, namely dynamic peer groups. Key management, especially in a group setting, is the cornerstone for all other security services. Dynamic peer groups require not only initial key agreement but also auxiliary key agreement operations such as member addition, member exclusion and group fusion. We discuss all group key agreement operations and present a concrete protocol suite, CLIQUES, which offers all of these operations. By providing the first formal model for group key establishment and carefully investigating the underlying cryptographic assumptions as well as their relations, we formally prove the security of a subset of the protocols based on the Decisional Diffie-Hellman assumption, achieving as a side effect the first provably secure group key agreement protocol.
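The abstract names the initial key agreement and the auxiliary operations but does not show the protocol. Below is an added example of the GDH.2 upflow/broadcast core that CLIQUES builds on, plus a member-addition step, as I reconstruct it from the published CLIQUES protocols; it is not code from the thesis. Parameters are toy-sized: the prime P is 64 bits and g = 2 (real deployments use a standardized group of 2048 bits or more), the exponents in the demo are constructed, and the functions model all members in one process purely to check that every member ends up with the same key.

```python
import secrets

P = 18446744073709551557   # 2**64 - 59, prime; toy size, assumption for this demo
G = 2


def upflow_step(msg, n_i):
    """Member M_i receives (partials, cardinal) from M_{i-1} and contributes N_i.
    On input:  partials[j] = g^(N_1..N_{i-1} / N_{j+1}),  cardinal = g^(N_1..N_{i-1}).
    On output: partials[j] = g^(N_1..N_i / N_{j+1}) for j < i, cardinal = g^(N_1..N_i)."""
    partials, cardinal = msg
    new_partials = [pow(x, n_i, P) for x in partials] + [cardinal]
    return new_partials, pow(cardinal, n_i, P)


def gdh2(exponents):
    """GDH.2: M_1 ... M_n run the upflow in turn; M_n (the controller) computes the
    key g^(N_1..N_n) as the final cardinal and broadcasts the partials, from which
    M_i derives the same key as partials[i-1]^N_i.  Returns (keys, controller_inbox),
    where controller_inbox is the upflow message M_n received and keeps for later
    membership changes."""
    msg = ([], G)
    inbox = None
    for n_i in exponents:
        inbox = msg
        msg = upflow_step(msg, n_i)
    broadcast, key_n = msg
    keys = [pow(broadcast[i], n_i, P) for i, n_i in enumerate(exponents)]
    assert keys[-1] == key_n          # controller's own derivation matches the cardinal
    return keys, inbox


def add_member(exponents, controller_inbox, fresh, n_new):
    """Member addition: the controller M_n replaces its exponent N_n by a fresh one
    (so the newcomer cannot compute the old key), re-runs its upflow step on the
    stored inbox and sends the result to M_{n+1}, who runs the last step and
    broadcasts.  Returns (new_exponents, keys, new_controller_inbox)."""
    new_exponents = exponents[:-1] + [fresh, n_new]
    to_newcomer = upflow_step(controller_inbox, fresh)
    broadcast, _ = upflow_step(to_newcomer, n_new)
    keys = [pow(broadcast[i], n_i, P) for i, n_i in enumerate(new_exponents)]
    return new_exponents, keys, to_newcomer


def all_equal(keys) -> bool:
    return len(set(keys)) == 1


if __name__ == "__main__":
    # Constructed demo: three members with random exponents, then a fourth joins.
    exps = [secrets.randbelow(P - 3) + 2 for _ in range(3)]
    keys, inbox = gdh2(exps)
    print("3 members agree:", all_equal(keys))
    exps, keys2, _ = add_member(exps, inbox, secrets.randbelow(P - 3) + 2,
                                secrets.randbelow(P - 3) + 2)
    print("4 members agree:", all_equal(keys2), "| key changed:", keys2[0] != keys[0])
```

Two caveats a practitioner should keep in mind. First, this is the unauthenticated GDH.2 core: nothing binds the exponentiated values to their senders, so an active adversary in the middle can substitute its own contributions; CLIQUES adds authenticated variants for that, and the thesis's DDH-based proof covers a specific subset of the suite, not this bare sketch. Second, the controller's refresh on member addition is what buys key independence: without a fresh exponent, the newcomer could derive the previous key from the values it receives.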