Journal Article (DOI)

Proposal on a secure communications service element (SCSE) in the OSI application layer

01 May 1989, IEEE Journal on Selected Areas in Communications (IEEE), Vol. 7, Iss. 4, pp. 505-516



Citations
Patent

[...]

21 Jun 2001
TL;DR: A user authentication service for a communication network authenticates local users before granting them access to personalized sets of network resources as discussed by the authors, where authentication agents on intelligent edge devices present users of associated end systems with log-in challenges.
Abstract: A user authentication service for a communication network authenticates local users before granting them access to personalized sets of network resources. Authentication agents on intelligent edge devices present users of associated end systems with log-in challenges. Information supplied by the users is forwarded to an authentication server for verification. If successfully verified, the authentication server returns to the agents authorized connectivity information and time restrictions for the particular authenticated users. The agents use the information to establish rules for filtering and forwarding network traffic originating from or destined for particular authenticated users during authorized time periods. An enhanced authentication server may be engaged if additional security is desired. The authorized connectivity information preferably includes identifiers of one or more virtual local area networks active in the network. Log-in attempts are recorded so that the identity and whereabouts of network users may be monitored from a network management station.

275 citations

Patent

[...]

12 Feb 1997
TL;DR: This article describes a process for verifying the preservation of the integrity of an unprotected request sent by an anonymous client to a server, in which only one public key, that of the server, is used.
Abstract: The present invention relates to a process for verifying the preservation of the integrity of an unprotected request sent by an anonymous client to a server, in which only one public key, that of the server, is used. This process is remarkable in that the anonymous client sends, along with his request, a flag which specifies whether or not the server must offer an absolute guarantee of non-repetition of the requests received as well as a unique number, that is, a number which never repeats or has a low probability of repetition, consisting either of a random number with a low probability of repetition or the concatenation of a time indicator and a random number with a certainty of non-repetition, the verification of said integrity being performed during the reception of the response to the request, for which reason the global response includes the response to the request plus the result of a one-way compression function applied to the request, flag and unique number combination, the integrity of the global response moreover being protected either by means of the public key of the server used as a signature key, or by means of a private key established using the public key of the server as an encryption key.

49 citations

Journal ArticleDOI

[...]

TL;DR: Considers the security aspects of communication between two management processes operating in different management domains, and identifies two major risks: the security of information exchanged during the management association, and control of access to the management information base (MIB).
Abstract: Considers the security aspects of communication between two management processes operating in different management domains; identifies two major risks: the security of information exchanged during the management association, and control of access to the management information base (MIB); and enumerates the various threats that must be guarded against and possible methods of attack. Security techniques, including symmetric and public key cryptosystems, are employed in the design of a method of achieving a secure management association. A scheme of authorization control for MIB access is developed. The management of an open system's network resources takes place in the context of a management association. The resources themselves are controlled by an agent process which presents a view of these resources to the outside world as a number of managed objects, each of which contains a number of attributes. The collection of objects presented to the outside world by the agent is known as the MIB. A manager process regulates the operation of the managed resources by engaging in a management association with the agent and instructing it to carry out simple operations on elements of the MIB. Within a single management domain, where all processing nodes and network links are under the control of the same administration, security is not such a critical issue. However, when the management association takes place across the boundary between two separate management domains and makes use of public data networks, security issues must be considered in greater detail.

47 citations

Patent

[...]

14 Aug 1997
TL;DR: In this article, the integrity verification and conservation method involves using a flag emitted by the client with its request, and also a unique number sent by the client; the flag indicates whether the server should or should not offer a guarantee of non-repetition of received requests.
Abstract: The integrity verification and conservation method involves using a flag emitted by the client with its request, and also a unique number sent by the client. The flag indicates whether the server should or should not offer a guarantee of non-repetition of received requests. The unique number indicates the probability of, or the time delay before, repetition of the request. The request integrity is verified when the server's response to the request is received. The information sent with the client request is processed with an algorithm and the result returned to the client. The preferred processing is to apply the server's private encryption key, which allows verification using the server's public encryption key.

1 citation

Journal Article

[...]

TL;DR: It is shown that an efficient OSI security communication system can be realized by SCSE, and that the proposed approach can be applied to both full-duplex and half-duplex communications, which means that the method is applicable to all OSI communication applications.
Abstract: The authors have proposed a secure communications service element (SCSE) which can provide such security functions as authentication, information confidentiality, and data integrity (prevention of data modification), as application service elements (ASE) in the open systems interconnection (OSI) application layer. The proposal is evaluated highly from the viewpoint of OSI protocol design technique for realizing the security functions. This paper attempts to verify the realizability of the proposed SCSE and its applicability to OSI communication. Further, it reports on the design of the SCSE software package and its implementation and evaluation. In the implementation and evaluation of the proposed package, in particular, the aim is to demonstrate the applicability to OSI communication applications. As typical examples of SCSE applications, file transfer, access and management (FTAM), which assumes the full-duplex communication function in the session layer, and document transfer and manipulation (DTAM), which assumes the use of the half-duplex communication function, are adopted. Through verification experiments such as measurement of the processing load, the practical usefulness and the applicability of SCSE are evaluated. As a result, it is shown that an efficient OSI security communication system can be realized by SCSE. Since the proposed approach can be applied to both full-duplex and half-duplex communications, it is shown that the method is applicable to all OSI communication applications.

References
Journal ArticleDOI

[...]

TL;DR: An encryption method is presented with the novel property that publicly revealing an encryption key does not thereby reveal the corresponding decryption key.
Abstract: An encryption method is presented with the novel property that publicly revealing an encryption key does not thereby reveal the corresponding decryption key. This has two important consequences: (1) Couriers or other secure means are not needed to transmit keys, since a message can be enciphered using an encryption key publicly revealed by the intended recipient. Only he can decipher the message, since only he knows the corresponding decryption key. (2) A message can be "signed" using a privately held decryption key. Anyone can verify this signature using the corresponding publicly revealed encryption key. Signatures cannot be forged, and a signer cannot later deny the validity of his signature. This has obvious applications in "electronic mail" and "electronic funds transfer" systems. A message is encrypted by representing it as a number M, raising M to a publicly specified power e, and then taking the remainder when the result is divided by the publicly specified product, n, of two large secret prime numbers p and q. Decryption is similar; only a different, secret, power d is used, where e * d ≡ 1 (mod (p - 1) * (q - 1)). The security of the system rests in part on the difficulty of factoring the published divisor, n.

14,611 citations

Journal ArticleDOI

[...]

TL;DR: This paper suggests ways to solve currently open problems in cryptography, and discusses how the theories of communication and computation are beginning to provide the tools to solve cryptographic problems of long standing.
Abstract: Two kinds of contemporary developments in cryptography are examined. Widening applications of teleprocessing have given rise to a need for new types of cryptographic systems, which minimize the need for secure key distribution channels and supply the equivalent of a written signature. This paper suggests ways to solve these currently open problems. It also discusses how the theories of communication and computation are beginning to provide the tools to solve cryptographic problems of long standing.

14,068 citations

Journal ArticleDOI

[...]

TL;DR: Use of encryption to achieve authenticated communication in computer networks is discussed and example protocols are presented for the establishment of authenticated connections, for the management of authenticated mail, and for signature verification and document integrity guarantee.
Abstract: Use of encryption to achieve authenticated communication in computer networks is discussed. Example protocols are presented for the establishment of authenticated connections, for the management of authenticated mail, and for signature verification and document integrity guarantee. Both conventional and public-key encryption algorithms are considered as the basis for protocols.

2,622 citations

Journal ArticleDOI

[...]

TL;DR: It is shown that key distribution protocols with timestamps prevent replays of compromised keys and have the additional benefit of replacing a two-step handshake.
Abstract: The distribution of keys in a computer network using single key or public key encryption is discussed. We consider the possibility that communication keys may be compromised, and show that key distribution protocols with timestamps prevent replays of compromised keys. The timestamps have the additional benefit of replacing a two-step handshake.

774 citations


The paper "Proposal on a secure communications..." cites the following work as background:
[...]

01 Apr 1977
TL;DR: It is shown that the single operation of raising a number to a fixed power modulo a composite modulus is sufficient to implement digital signatures: a way of creating for a (digitized) document a recognizable, unforgeable, document-dependent digitized signature whose authenticity the signer cannot later deny.
Abstract: It is shown that the single operation of raising a number to a fixed power modulo a composite modulus is sufficient to implement digital signatures: a way of creating for a (digitized) document a recognizable, unforgeable, document-dependent digitized signature whose authenticity the signer cannot later deny. An electronic funds transfer system or electronic mail system clearly could use such a scheme, since the messages must be digitized in order to be transmitted.

219 citations