
NDSS Symposium 2002

NDSS 2002

Network and Distributed System Security Symposium
Catamaran Resort Hotel
San Diego, California
6-8 February 2002

List of Accepted Papers

Using the Fluhrer, Mantin, and Shamir Attack to Break WEP
Adam Stubblefield, Rice University
John Ioannidis, AT&T Labs Research
Aviel D. Rubin, AT&T Labs - Research


We implemented an attack against WEP, the link-layer security protocol for 802.11 networks. The attack was described in a recent paper by Fluhrer, Mantin, and Shamir. With our implementation, and permission of the network administrator, we were able to recover the 128-bit secret key used in a production network, with a passive attack. The WEP standard uses RC4 IVs improperly, and the attack exploits this design failure. This paper describes the attack, how we implemented it, and some optimizations to make the attack more efficient. We conclude that 802.11 WEP is totally insecure, and we provide some recommendations.

PAMINA: A Certificate Based Privilege Management System
Zoltan Nochta
Peter Ebinger
Sebastian Abeck

University of Karlsruhe, Institute for Telematics, Cooperation and Management IT-Research Group


In this paper we present PAMINA (Privilege Administration and Management INfrAstructure), a privilege management system using authorization certificates. Our system supports distributed environments where autonomous authorities can manage and delegate privileges in accordance with their own policies. We introduce Improved Certification Verification Trees (I-CVTs) that guarantee very efficient and trustworthy certificate management. I-CVTs can provide undeniable proofs for the non-existence of a given certificate in contrast to CVTs as proposed in [1]. As a result, each authority can store its own I-CVT in a central, non-trusted, and replicable database. This database provides authenticated verifiers with basically only those certificates that are required to determine whether a user should be granted access to a resource or not. Since the system implements the pull model, clients need not be involved in the access control decision process. PAMINA handles delegation trees instead of simple delegation chains because authorities can delegate privileges in one certificate that were assigned to them by several certificates. In the prototype that we describe here, PAMINA manages certificates based on X.509.

Distributed Pattern Detection for Intrusion Detection
Christopher Kruegel
Thomas Toth

Technical University Vienna, Austria


Evidence of attacks against a network and its resources is often scattered over several hosts. Intrusion detection systems therefore have to collect and correlate information from different sources. For this purpose, distributed data is forwarded to dedicated hosts where it is further processed. Such a design renders the whole ID system vulnerable to attacks against these special nodes. As networks and traffic grow, they also become performance bottlenecks. We propose a completely decentralized approach that models an intrusion as a pattern of events that occur at different hosts and which does not rely on dedicated correlation entities to detect them. We present a specification language for these patterns and a distributed algorithm to find events that satisfy them. The theoretical properties of our solution are reviewed and experimental data is provided.

Detecting Steganographic Content on the Internet
Niels Provos
Peter Honeyman

University of Michigan
Center for Information Technology Integration


Steganography is used to hide the occurrence of communication. Recent suggestions in US newspapers indicate that terrorists use steganography to communicate in secret with their accomplices. In particular, images on the Internet were mentioned as the communication medium. While the newspaper articles sounded very dire, none substantiated these rumors.

To determine whether there is steganographic content on the Internet, this paper presents a detection framework that includes tools to retrieve images from the world wide web and automatically detect whether they might contain steganographic content. To ascertain that hidden messages exist in images, the detection framework includes a distributed computing framework for launching dictionary attacks hosted on a cluster of loosely coupled workstations. We have analyzed two million images downloaded from eBay auctions and one million images obtained from a USENET archive but have not been able to find a single hidden message.

BlueBox : A Policy-Driven, Host-Based Intrusion Detection System
Suresh N. Chari
Pau-Chen Cheng

IBM Thomas J. Watson Research Center


In this paper we describe our experiences with building BlueBox, a host-based intrusion detection system. Our approach can be viewed as creating an infrastructure for defining and enforcing very fine-grained process capabilities in the kernel. These capabilities are specified as a set of rules (policies) for regulating access to system resources on a per-executable basis. The language for expressing the rules is intuitive and sufficiently expressive to effectively capture security boundaries.

We have prototyped our approach on the Linux 2.2.14 kernel, and have built rule templates for popular daemons such as Apache 2.0 and wu-ftpd. We are validating our design by testing against a comprehensive database of known attacks. Our system has been designed to minimize the kernel changes and performance impact and thus can be ported easily to new kernels. We will discuss the motivation and rationale behind BlueBox, its design, implementation on Linux, and related work.

Talking To Strangers: Authentication in Ad-Hoc Wireless Networks
Dirk Balfanz
D. K. Smetters
Paul Stewart
H. Chi Wong

Xerox Palo Alto Research Center


In this paper we address the problem of secure communication and authentication in ad-hoc wireless networks. This is a difficult problem, as it involves bootstrapping trust between strangers. We present a user-friendly solution, which provides secure authentication using almost any established public-key-based key exchange protocol, as well as inexpensive hash-based alternatives. In our approach, devices exchange a limited amount of public information over a privileged side channel, which will then allow them to complete an authenticated key exchange protocol over the wireless link. Our solution does not require a public key infrastructure, is secure against passive attacks on the privileged side channel and all attacks on the wireless link, and directly captures users' intuitions that they want to talk to a particular previously unknown device in their physical proximity. We have implemented our system in Java for a variety of different devices, communication media, and key exchange protocols.

Implementing Pushback: Router-Based Defense Against DDoS Attacks
John Ioannidis
Steven M. Bellovin

AT&T Labs, Research


Pushback is a mechanism for defending against distributed denial-of-service (DDoS) attacks. DDoS attacks are treated as a congestion-control problem, but because most such congestion is caused by malicious hosts not obeying traditional end-to-end congestion control, the problem must be handled by the routers. Functionality is added to each router to detect and preferentially drop packets that probably belong to an attack. Upstream routers are also notified to drop such packets (hence the term Pushback) in order that the router's resources be used to route legitimate traffic. In this paper we present an architecture for Pushback, its implementation under FreeBSD, and suggestions for how such a system can be implemented in core routers.

Managing Interoperability in Non-Hierarchical Public Key Infrastructures
Peter Hesse, Gemini Security Solutions, Inc.
David Lemire, A&N Associates, Inc.


This paper discusses considerations for certificate issuing systems and certificate processing applications, and directory systems in environments that employ non-hierarchical public key infrastructures (PKIs). The paper highlights X.509 features that should be routinely populated by certificate issuing systems, and expected and processed by certificate processing applications. The observations and recommendations within this paper, while applicable to almost any non-hierarchical PKI, are most relevant to situations where the establishment of interoperability among the PKIs of disparate organizations is a primary goal. The goal of these recommendations is to promote interoperability among the PKI relying parties, while still allowing the owning organizations to maintain security control.

Experimenting with Server-Aided Signatures
Xuhua Ding
Daniele Mazzocchi
Gene Tsudik

University of California, Irvine
Information and Computer Science Department


This paper explores practical and conceptual implications of using Server-Aided Signatures (SAS). SAS is a signature method that relies on partially-trusted servers for generating public key signatures for regular users. Besides its two primary goals of 1) aiding small, resource-limited devices in computing heavy-weight (normally expensive) digital signatures and 2) fast certificate revocation, SAS also offers signature causality and has some interesting features such as built-in attack detection for users and DoS resistance for servers.

Fast-Track Session Establishment for TLS
Hovav Shacham
Dan Boneh


We propose a new, "fast-track" handshake mechanism for TLS. A fast-track client caches a server's public parameters and negotiated parameters in the course of an initial, enabling handshake. These parameters need not be resent on subsequent handshakes. The new mechanism reduces both network traffic and the number of round trips, and requires no additional server state. These savings are most useful in high latency environments such as wireless networks. We include a rollback mechanism to allow a server to gracefully revert to an ordinary TLS handshake when needed. Our design is fully backwards compatible: fast-track clients can interoperate with servers unaware of fast-track and vice versa. We have implemented our proposal to demonstrate the savings in network traffic and round trips.

Advanced Client/Server Authentication in TLS
Adam Hess
Jared Jacobson
Hyrum Mills
Ryan Wamsley
Kent E. Seamons
Bryan Smith

Brigham Young University
Computer Science Department


Many business transactions on the Internet occur between strangers, that is, between entities with no prior relationship and no common security domain. Traditional security approaches based on identity or capabilities do not solve the problem of establishing trust between strangers. New approaches to trust establishment are required that are secure, scalable, and portable. One new approach to mutual trust establishment is trust negotiation, the bilateral exchange of digital credentials to establish trust gradually. This paper describes the Trust Negotiation in TLS (TNT) protocol, an extension to the TLS handshake protocol that incorporates recent advances in trust negotiation into TLS to provide advanced client/server authentication in TLS. In this paper we describe the current limitations in TLS client/server authentication with respect to trust establishment, and show how the TNT protocol overcomes them. We also describe our implementation of TNT, built using PureTLS, a Java TLS package that is freely available. This implementation is the first to provide confidential trust negotiation, verification of private keys during trust negotiation, and a single trust negotiation protocol supporting interoperable trust negotiation strategies.

Active Certificates: A Framework for Delegation
Nikita Borisov
Eric Brewer

UC Berkeley


In this paper, we present a novel approach to delegation in computer systems. We exploit mobile code capabilities of today's systems to build active certificates: cryptographically signed mobile agents that implement delegation policy. Active certificates arrive at a new combination of properties, including expressivity, transparency, and offline operation, that is not available in existing systems. These properties make active certificates powerful tools to express delegation. Active certificates can also be used as a mechanism to implement complex policy systems, such as public key infrastructures; systems built in this way are easily extensible and interoperable. A prototype implementation of active certificates has been built as part of the Ninja project.


Statistically Unique and Cryptographically Verifiable (SUCV) Identifiers and Addresses
Gabriel Montenegro, SUN Labs, Europe
Claude Castelluccia, INRIA Rhone Alpes


This paper addresses the identifier ownership problem. It does so by using characteristics of Statistical Uniqueness and Cryptographic Verifiability (SUCV) of certain entities which this document calls SUCV Identifiers and Addresses. Their characteristics allow them to severely limit certain classes of denial of service attacks and hijacking attacks. SUCV addresses are particularly applicable to solve the address ownership problem that hinders mechanisms like Binding Updates in Mobile IPv6.

An Analysis of the Degradation of Anonymous Protocols
Matthew Wright, Dept. of Computer Science, University of Massachusetts
Micah Adler, Dept. of Computer Science, University of Massachusetts
Brian Neil Levine, Dept. of Computer Science, University of Massachusetts
Clay Shields, Dept. of Computer Science, Georgetown University


There have been a number of protocols proposed for anonymous network communication. In this paper we investigate attacks by corrupt group members that degrade the anonymity of each protocol over time. We prove that when a particular initiator continues communication with a particular responder across path reformations, existing protocols are subject to the attack. We use this result to place an upper bound on how long existing protocols, including Crowds, Onion Routing, Hordes, and DC-Net, can maintain anonymity in the face of the attacks described. Our results show that fully-connected DC-Net is the most resilient to these attacks, but it suffers from scalability issues that keep anonymity group sizes small. Additionally, we show how violating an assumption of the attack allows malicious users to set up other participants to falsely appear to be the initiator of a connection.

Performance Analysis of TLS Web Servers
Cristian Coarfa
Peter Druschel
Dan S. Wallach

Rice University


TLS is the protocol of choice for securing today's e-commerce and online transactions, but adding TLS to a web server imposes a significant overhead relative to an insecure web server on the same platform. We did a comprehensive study of the performance costs of TLS. Our methodology was to profile TLS web servers with trace-driven workloads, replacing individual components inside TLS with no-ops, and measuring the observed increase in server throughput. From this, we estimated the relative costs of each component within TLS, predicting the areas for which future optimizations would be worthwhile. Among our results we show that RSA accelerators are effective for e-commerce site workloads, because they experience low TLS session reuse. Accelerators appear to be less effective for sites where all the requests are handled by a TLS server, thus having higher session reuse rate; investing in a faster CPU might prove more effective.