From the Editor in Chief Editor in Chief: M. Satyanarayanan ■ CMU and Intel Research ■ [email protected]

Roger Needham, 1935–2003

M. Satyanarayanan

oger Needham, one of the giants of Needham and Schroeder’s approach R computer science, passed away on combined several simple ideas into an 1 March 2003. At the time of his death, elegant whole. First, it used end-to-end he was the Director of Microsoft’s encryption to convert an open network Cambridge Research Lab, which he into a secure communication channel. founded in 1997. Prior to joining Second, it inferred the possession of a Microsoft, he was associated with shared secret (the keys used for encryp- Cambridge University for nearly half a tion and decryption) from the ability to century—as an undergraduate and generate a correctly encrypted response graduate student, as a researcher, and to a challenge. Third, it foiled replay eventually as a professor and head of attacks by ensuring that each authenti- the Computer Laboratory. cation attempt involved a fresh instance In this EIC message, I focus on the of a random component (called a nonce). significance of Needham’s research con- We now regard the 1978 paper describ- tributions to pervasive computing. ing the Needham-Schroeder authentica- These contributions are foundational Needham and Schroeder formulated tion protocol as a classic in the field.1 in character. We are so dependent on the authentication problem in a funda- The importance of security and privacy them that we hardly realize that they mentally different way from its prior for- in pervasive computing cannot be over- each required a leap of imagination and mulation in the context of time-sharing stated—indeed, the previous issue of this creativity to bring into existence. In that systems. Not only did a computer system magazine focused on that very topic. respect, they meet Mark Weiser’s crite- have to be assured of the user’s identity, A decade prior to this seminal work, rion for a profound technology: they but the reverse also had to be true: the Needham invented another important “weave themselves into the fabric of human user had to be confident that he technique relevant to security. The time- everyday lives until they are indistin- or she was not interacting with a com- sharing systems of the mid 1960s stored guishable from it.” promised remote computer. In other user passwords in the clear in their local Every time you authenticate yourself words, the problem was one of mutual file systems. This meant that an unscrupu- to a remote system, you probably use a authentication between untrusted parties. lous human operator could steal a pass- derivative of a technique that Needham What made the problem especially chal- word and masquerade as its user. Need- and his colleague Michael Schroeder lenging was the assumption that the net- ham realized that we could avoid the originally developed. In the mid 1970s, work was completely open. Malicious unsafe practice of storing passwords in they were both involved in Xerox third-party machines could eavesdrop on the clear by using the properties of one- PARC’s pioneering effort to create a all communication between the parties way functions. Such a function is com- personal computing environment. Part desiring mutual authentication. A mali- putationally cheap, but its inverse is com- of that vision included using shared cious machine could also inject commu- putationally intractable. Unix and many resources, such as laser printers and file nication into the network, letting it mas- other operating systems adopted this tech- servers, from many different clients querade as one of the parties. It could do nique, which continues to be used to this over a network. The need to control this, for example, by replaying commu- day. access to these resources led naturally nication that it had recorded earlier dur- By the late 1980s, interest in authen- to the need for user authentication. ing a genuine authentication. tication techniques had exploded and

2 PERVASIVEcomputing Published by the IEEE CS and IEEE ComSoc ■ 1536-1268/03/$17.00 © 2003 IEEE IEEE Computer Society Publications Office 10662 Los Vaqueros Circle, PO Box 3014 Los Alamitos, CA 90720-1314 ROGER NEEDHAM: 50 AND 5 STAFF Associate Lead Editor A celebration to honor Roger Needham was held on 17 March 2003. The event was enti- Shani Murray tled “Roger Needham: 50 and 5,” reflecting his 50 years at Cambridge University and 5 years [email protected] at Microsoft Research. Computer scientists from all over the world attended, contributing a Group Managing Editor volume of invited papers. See www.research.microsoft.com/~aherbert/needham_50_5.aspx Crystal Shif for details of the event and the volume. See www.cl.cam.ac.uk/~ksj/RogerNeedham.html for [email protected] biographical details of Roger Needham’s life. Senior Editor Dale Strok Associate Editor Dennis Taylor many new protocols were published. forerunner of systems such as DNS Assistant Editors Rebecca Deuel and Denise Kano Several of these protocols had subtle (Domain Name Server) and LDAP flaws buried deep inside them. Some- (Lightweight Directory Access Protocol), Editorial Assistant Joan Hong times, these flaws passed the critical which are in widespread use today. Magazine Assistant review of protocol developers and of Pauline Hosillos reviewers of research publications. To [email protected] Needham’s chagrin, a small but signif- Contributing Editors icant bug was found in his own pub- n a personal note, it is an honor Kirk Kroeker, Anne Lear, Christine Miller, lished protocol! Although easily fixed, O and a privilege to have known Keri Schreiner, and Joan Taylor this incident exposed a critical need for Roger Needham as a colleague and Design Director intellectual tools to help ensure the cor- friend. His warmth and friendliness Toni Van Buskirk rectness of authentication protocols. In masked his impressive intellect and his Layout & Technical Illustrations collaboration with graduate student keen powers of observation. He con- Carmen Flores-Garvey and Alex Torres Michael Burrows and colleague Mar- ducted himself with humility, recogniz- Production Assistant tin Abadi, Needham developed the ing that talent takes many forms—not Monette Velasco framework and associated tools for all of which are easily observable in a Publisher Angela Burgess reasoning about authentication proto- person. He had a wonderful, dry sense cols. Using these, many authentication of humor that could send an audience Assistant Publisher Dick Price protocols in use (including my own2) into peals of laughter—the perfect anti- Membership & Circulation Marketing Manager or proposed as standards were shown dote to a dreary post-lunch session at Georgann Carter to have bugs. We now regard the paper any conference! His life has enriched Business Development Manager reporting on the framework and tools his friends and the field of computer sci- Sandra Brown as another classic in the security field.3 ence in many ways. Assistant Advertising Coordinator Today, we expect any proposed authen- Debbie Sims tication protocol to be formally verified before acceptance. REFERENCES Submissions: Submit two copies of all articles Besides security, Needham also made and track proposals to IEEE Pervasive Computing, 1. R.M. Needham and M.D. Schroeder, Magazine Assistant, 10662 Los Vaqueros Circle, foundational contributions to other “Using Encryption for Authentication in Los Alamitos, CA 90720-1314; phone +1 714 821 technologies important to pervasive Large Networks of Computers,” Comm. 8380; [email protected]. Manuscripts should computing. In the 1970s, he was ACM, vol. 21, no. 12, Dec. 1978, pp. be approximately 5,000 words long, preferably not 993–999. exceeding 10 references. Visit http://computer.org/ involved in creating a ring network oper- pervasive for editorial guidelines. ating at 10 Mbits/s and a later version 2. M. Satyanarayanan, “Integrating Security operating at 100 Mbits/s. These were in a Large Distributed System,” ACM Editorial: Unless otherwise stated, bylined articles Trans. Computer Systems, vol. 7, no. 3, as well as products and services reflect the author’s early examples of a local area network. Aug. 1989, pp. 247–280. or firm’s opinion; inclusion does not necessarily With collaborators Andrew Birrell, Roy constitute endorsement by the IEEE Computer Society Levin, and Michael Schroeder, he built 3. M. Burrows, M. Abadi, and R. Needham, or the IEEE. “A Logic of Authentication,” ACM Trans. a decentralized naming system called Computer Systems, vol. 8, no. 1, Feb. 1990, Grapevine that used asynchronous data pp. 18–36. propagation and eventual consistency to 4. A. Birrell et al., “Grapevine: An Exercise in achieve scalability and failure-resist- Distributed Computing,” Comm. ACM, ance.4 Grapevine was the intellectual vol. 25, no. 4, Apr. 1982, pp. 260–274. MOBILE AND UBIQUITOUS SYSTEMS

APRIL–JUNE 2003