
Showing papers by "Ross Anderson published in 1996"


18 Nov 1996
TL;DR: It is concluded that trusting tamper resistance is problematic; smartcards are broken routinely, and even a device that was described by a government signals agency as 'the most secure processor generally available' turns out to be vulnerable.
Abstract: An increasing number of systems, from pay-TV to electronic purses, rely on the tamper resistance of smartcards and other security processors. We describe a number of attacks on such systems -- some old, some new and some that are simply little known outside the chip testing community. We conclude that trusting tamper resistance is problematic; smartcards are broken routinely, and even a device that was described by a government signals agency as 'the most secure processor generally available' turns out to be vulnerable. Designers of secure systems should consider the consequences with care.

1,133 citations


Book ChapterDOI
01 Jan 1996

240 citations


Book ChapterDOI
30 May 1996
TL;DR: It was widely believed that public key steganography was impossible; it is shown how to do it and a number of possible approaches to the theoretical security of hidden communications are looked at.
Abstract: We present a number of insights into information hiding. It was widely believed that public key steganography was impossible; we show how to do it. We then look at a number of possible approaches to the theoretical security of hidden communications. This turns out to hinge on the inefficiency of practical compression algorithms, and one of the most important parameters is whether the opponent is active or passive (i.e., whether the censor can add noise, or will merely allow or disallow a whole message). However, there are covertexts whose compression characteristics are such that even an active opponent cannot always eliminate hidden channels completely.

204 citations


Book ChapterDOI
03 Nov 1996
TL;DR: A large number of attacks on protocols based on the discrete logarithm problem, such as ElGamal signature and Diffie Hellman key exchange are found, and a number of the design decisions behind the US Digital Signature Standard are elucidated.
Abstract: Over the last year or two, a large number of attacks have been found by the authors and others on protocols based on the discrete logarithm problem, such as ElGamal signature and Diffie Hellman key exchange. These attacks depend on causing variables to assume values whose discrete logarithms can be calculated, whether by forcing a protocol exchange into a smooth subgroup or by choosing degenerate values directly. We survey these attacks and discuss how to build systems that are robust against them. In the process we elucidate a number of the design decisions behind the US Digital Signature Standard.

149 citations


Book ChapterDOI
21 Feb 1996
TL;DR: Two new provably secure block ciphers are suggested, called BEAR and LION, which both have large block sizes, and are based on the Luby-Rackoff construction.
Abstract: In this paper we suggest two new provably secure block ciphers, called BEAR and LION. They both have large block sizes, and are based on the Luby-Rackoff construction. Their underlying components are a hash function and a stream cipher, and they are provably secure in the sense that attacks which find their keys would yield attacks on one or both of the underlying components. They also have the potential to be much faster than existing block ciphers in many applications.

148 citations


Proceedings ArticleDOI
06 May 1996
TL;DR: This model was commissioned by doctors and is driven by medical ethics; it is informed by the actual threats to privacy, and reflects current best clinical practice, and its effect is to restrict both the number of users who can access any record and the maximum number of records accessed by any user.
Abstract: The protection of personal health information has become a live issue in a number of countries, including the USA, Canada, Britain and Germany. The debate has shown that there is widespread confusion about what should be protected, and why. Designers of military and banking systems can refer to Bell & LaPadula (1973) and Clark & Wilson (1987) respectively, but there is no comparable security policy model that spells out clear and concise access rules for clinical information systems. In this article, we present just such a model. It was commissioned by doctors and is driven by medical ethics; it is informed by the actual threats to privacy, and reflects current best clinical practice. Its effect is to restrict both the number of users who can access any record and the maximum number of records accessed by any user. This entails controlling information flows across rather than down and enforcing a strong notification property. We discuss its relationship with existing security policy models, and its possible use in other applications where information exposure must be localised; these range from private banking to the management of intelligence data.

148 citations


Book ChapterDOI
10 Apr 1996
TL;DR: This work has shown how the recursive hashing technique can be used in simple payment schemes based on both the smartcard and the online processing models of electronic commerce, and can also provide some novel and valuable features, such as a security recovery facility that does not depend on either the legacy systems or the SET protocols.
Abstract: Our recursive hashing technique greatly reduces the computational complexity in applications where a series of low value payments are made to the same merchant. We have shown how it can be used in simple payment schemes based on both the smartcard and the online processing models of electronic commerce, and can also provide some novel and valuable features, such as a security recovery facility that does not depend on either the legacy systems or the SET protocols. It is an open problem whether hashing techniques can be combined with the more complex anonymous cash schemes.

147 citations


Book ChapterDOI
21 Feb 1996
TL;DR: This paper presents a new hash function which is believed to be secure; it is designed to run quickly on 64-bit processors, without being too slow on existing machines.
Abstract: Among those cryptographic hash functions which are not based on block ciphers, MD4 and Snefru seemed initially quite attractive for applications requiring fast software hashing. However, collisions for Snefru were found in 1990, and recently a collision of MD4 was also found. This casts doubt on how long these functions' variants, such as RIPE-MD, MD5, SHA, SHA1 and Snefru-8, will remain unbroken. Furthermore, all these functions were designed for 32-bit processors, and cannot be implemented efficiently on the new generation of 64-bit processors such as the DEC Alpha. We therefore present a new hash function which we believe to be secure; it is designed to run quickly on 64-bit processors, without being too slow on existing machines.

130 citations


Proceedings ArticleDOI
TL;DR: In this paper, the authors present a security policy model for clinical information systems, which is driven by medical ethics and can restrict both the number of users who can access any record and the maximum number of records accessed by any user.
Abstract: The protection of personal health information has become a live issue in a number of countries, including the USA, Canada, Britain and Germany. The debate has shown that there is widespread confusion about what should be protected, and why. Designers of military and banking systems can refer to Bell & LaPadula (1973) and Clark & Wilson (1987) respectively, but there is no comparable security policy model that spells out clear and concise access rules for clinical information systems. In this article, we present just such a model. It was commissioned by doctors and is driven by medical ethics; it is informed by the actual threats to privacy, and reflects current best clinical practice. Its effect is to restrict both the number of users who can access any record and the maximum number of records accessed by any user. This entails controlling information flows across rather than down and enforcing a strong notification property. We discuss its relationship with existing security policy models, and its possible use in other applications where information exposure must be localised; these range from private banking to the management of intelligence data.

66 citations


Journal ArticleDOI
13 Jan 1996-BMJ
TL;DR: Interim guidelines on maintaining security in computerised patient information systems are drawn up to help tackle the pressing short term concerns and are supplementary to existing documentation such as The Handbook of Information Security.
Abstract: The BMA asked Ross Anderson to draw up interim guidelines on maintaining security in computerised patient information systems. We publish them here together with the principles on which they are based. The guidelines are designed to help clinicians avoid the most common serious mistakes in computer security and are being published to stimulate discussion of the issues. The principles are discussed fully in "Security in Clinical Information Systems," which is available from the BMA (Dr Fleur Fisher, Department of Ethics, Science, and Information). Recent articles have illustrated several threats to the confidentiality of personal health information. Many medical records can be easily obtained by private detectives, who typically telephone a general practice, family health services authority, or hospital and pretend to be the secretary of a doctor giving emergency treatment to the person who is the subject of the investigation. One article found that most patients' personal health information could be compromised in this way and was routinely sold by agencies for as little as £150 [1, 2]. Nationwide health networking is also seen as a further threat to confidentiality because health records will be available to many more people. These interim guidelines have therefore been drawn up to help tackle the pressing short term concerns; they are supplementary to existing documentation such as The Handbook of Information Security [3]. The main threat to the confidentiality of clinical records is carelessness about telephone inquiries of the kind described above. This threat may be largely eliminated if staff follow a number of common sense rules that the best practices have used for years and that are now agreed by the NHS Executive. Whether records are computerised or not, these rules of best practice can be summed up as: clinician-consent-call back-care-commit:

61 citations


Proceedings Article
01 Jan 1996
TL;DR: In this paper, the authors describe some recent systems engineering experience which may be relevant: the successful introduction of cryptology to protect prepayment electricity meters from token fraud, and they present some interesting reliability challenges.
Abstract: One of the problems facing the builders of the 'Information Superhighway' is how to charge for services. The high costs of billing systems suggest that prepayment mechanisms could play a large part in the solution. Yet how does one go about making an electronic prepayment system (or indeed any kind of payment system) robust? We describe some recent systems engineering experience which may be relevant: the successful introduction of cryptology to protect prepayment electricity meters from token fraud. These meters are used by a number of utilities from Scotland to South Africa, and they present some interesting reliability challenges.

Journal ArticleDOI
TL;DR: In this paper, the authors describe some recent systems engineering experience which may be relevant: the successful introduction of cryptology to protect prepayment electricity meters from token fraud, and they present some interesting reliability challenges.
Abstract: One of the problems facing the builders of the 'Information Superhighway' is how to charge for services. The high costs of billing systems suggest that prepayment mechanisms could play a large part in the solution. Yet how does one go about making an electronic prepayment system (or indeed any kind of payment system) robust? We describe some recent systems engineering experience which may be relevant: the successful introduction of cryptology to protect prepayment electricity meters from token fraud. These meters are used by a number of utilities from Scotland to South Africa, and they present some interesting reliability challenges.

Journal Article
TL;DR: The construction of the ElGamal signature scheme shows that many discrete log based systems are insecure: they operate in more than one group at a time, and key material may leak through those groups in which discrete log is easy, but the DSA is not vulnerable.
Abstract: Simmons asked whether there exists a signature scheme with a broadband covert channel that does not require the sender to compromise the security of her signing key. We answer this question in the affirmative; the ElGamal signature scheme has such a channel. Thus, contrary to popular belief, the design of the DSA does not maximise the covert utility of its signatures, but minimises them. Our construction also shows that many discrete log based systems are insecure: they operate in more than one group at a time, and key material may leak through those groups in which discrete log is easy. However, the DSA is not vulnerable in this way.

Book ChapterDOI
30 May 1996
TL;DR: In this article, it was shown that the design of the DSA does not maximise the covert utility of its signatures, but minimises them, contrary to popular belief, and that many discrete log based systems are insecure: they operate in more than one group at a time and key material may leak through those groups in which discrete log is easy.
Abstract: Simmons asked whether there exists a signature scheme with a broadband covert channel that does not require the sender to compromise the security of her signing key. We answer this question in the affirmative; the ElGamal signature scheme has such a channel. Thus, contrary to popular belief, the design of the DSA does not maximise the covert utility of its signatures, but minimises them. Our construction also shows that many discrete log based systems are insecure: they operate in more than one group at a time, and key material may leak through those groups in which discrete log is easy. However, the DSA is not vulnerable in this way.

Book
13 Nov 1996
TL;DR: The history of steganography, the history of subliminal channels, and practical invisibility in digital communication are reviewed.
Abstract (contents):
The history of steganography.
Computer based steganography: How it works and why therefore any restrictions on cryptography are nonsense, at best.
Hiding data in the OSI network model.
Stretching the limits of steganography.
Trials of traced traitors.
Establishing big brother using covert channels and other covert techniques.
Covert channels: A context-based view.
Covert channel analysis for Stubs.
Anonymous addresses and confidentiality of location.
MIXes in mobile communication systems: Location management with privacy.
Hiding routing information.
The Newton channel.
A progress report on subliminal-free channels.
Modeling cryptographic protocols and their collusion analysis.
A secure, robust watermark for multimedia.
Modulation and information hiding in images.
Watermarking document images with bounding box expansion.
The history of subliminal channels.
Blind decoding, blind undeniable signatures, and their applications to privacy protection.
Practical invisibility in digital communication.
Fractal based image steganography.
Echo hiding.
Tamper resistant software: an implementation.
Oblivious key escrow.
HMOS: Her Majesty's Orthography Service.
Information hiding terminology.


01 Jan 1996
TL;DR: This work describes some recent systems engineering experience which may be relevant: the successful introduction of cryptology to protect prepayment electricity meters from token fraud.
Abstract: One of the problems facing the builders of the 'Information Superhighway' is how to charge for services. The high costs of billing systems suggest that prepayment mechanisms could play a large part in the solution. Yet how does one go about making an electronic prepayment system (or indeed any kind of payment system) robust? We describe some recent systems engineering experience which may be relevant: the successful introduction of cryptology to protect prepayment electricity meters from token fraud. These meters are used by a number of utilities from Scotland to South Africa, and they present some interesting reliability challenges.
Index Terms: Reliability, cryptography, prepayment, metering, robustness, fraud, security, credit control, key management, revocation, robustness.