DOCSLIB.ORG

Thesis Work, and Also for Spending Many Hours Improving My Thesis Even If His Tight Schedule Did Not Allow Him To

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

Provided by the author(s) and NUI Galway in accordance with publisher policies. Please cite the published version when available. Title A Privacy-enhanced Usage Control Model Author(s) Slawomir, Grzonkowski Publication Date 2010-04-20 Item record http://hdl.handle.net/10379/1849 Downloaded 2021-09-25T17:55:36Z Some rights reserved. For more information, please see the item record link above. A Privacy-Enhanced Usage Control Model Sławomir Grzonkowski Submitted in fulfillment of the requirements for the degree of Doctor of Philosophy SUPERVISOR: DIRECTOR OF RESEARCH: EXTERNAL EXAMINER: Dr. Peter Corcoran Prof. Manfred Hauswirth Prof. Witold Abramowicz Digital Enterprise Research Institute, National University of Ireland, Galway September 2010 Acknowledgments I would like to thank to my supervisor, Dr. Peter Corcoran, for his proactive guidance through academia and supervision of this thesis work, and also for spending many hours improving my thesis even if his tight schedule did not allow him to. I am especially thankful for taking me over after one year of my studies. I am also thankful to Bill McDaniel for providing a very good environment for work within the e-learning cluster and later in the DAI stream. In particular I appreciate the fact that he let me investigate thoroughly the ideas I believed in. I thank to Prof. Stefan Decker for giving me the opportunity of doing my Ph.D in DERI; and for his support and supervision at the early stage of my studies. I am indebted to Dr. Brian Wall for seeing opportunity in my ideas and also for stimulating me to work hard on them. I would like to thank other people who worked with me, especially to Wojciech Zaremba for his help on on the early ZKP prototype implementation; and to Łukasz Korczy´nskiand Anna D ˛abrowska for their great performance on the SeDiCi project. I am also thankful to prof. Manfred Hauswirth for his constructive feedback on the final version of this thesis, and also for his help in formulating a well structured documentation of my research. I would also like to express my gratitude to prof. Witold Abramowicz for agreeing to be my external examiner, his scientific support, and also for his time and energy in reviewing my thesis. I thank to my peers, colleagues and mentors at DERI for many stimulating conversations about research ideas and also for their help in settling in Ireland. My work also benefited from Enterprise Ireland due to its financial support under the grants no. *ILP/05/203* and REI1005. I dedicate the highest thanks to my parents, Elzbieta˙ and Kazimierz, without their help I could not possibly done this work. They kept motivating me, even in the most stressful moments. Sławomir Grzonkowski, Galway, Ireland, 2010 i ii Abstract Recently we have observed a growing demand for secure technologies for e-commerce that do not put customers at risk of identity theft. We have also experienced the advent of Web 2.0 which has led to new business models and which has changed the way users interact with the Web. This thesis proposes a set of strategies and enhancements towards providing improved security and privacy in such new settings. We introduce a novel concept: Fair Rights Management (FRM). It can be classified as a usage control solution. FRM enables a flexible way of managing digital content. There was a need to provide additional security extensions to keep such a flexible model applicable. Thus, in our approach we take advantage of trust obtained from social networks. This is also the reason why we created an efficient zero-knowledge proof protocol that is lightweight enough to be deployed within existing web-applications. The proposed protocol is also suc- cessfully integrated with Semantic Web architecture and associated components. It enables practical Web and mobile applications which employ trust-based transactions as part of their workflow. This core contribution overcomes various disadvantages of prior art and enables a range of new applications and potentially new business models. We show that compared to existing Usage Control Models (UCON) (i) FRM is a step to- wards fair use in the digital world and we also argue that our approach is enforced by law; (ii) the participants of the proposed solution do not put their privacy at risk. Our research shows that existing infrastructure is sufficient to support ZKP-based solutions; and thus, it is feasible to offer the users enhanced privacy within existing deployed solutions. iii iv Contents Acknowledgmentsi Abstract iii Contents v I Prelude1 1 Introduction 5 1.1 Motivation........................................5 1.2 Research Questions...................................7 1.3 Contribution.......................................8 1.4 Reader’s Guide.....................................9 II State of the Art 13 2 Management and Usage Control of Digital Media 17 2.1 Access Control...................................... 18 2.2 Trust Management................................... 21 2.3 Digital Rights Management.............................. 23 2.4 Usage Control Models................................. 29 2.5 Fair Use.......................................... 31 v 2.6 Summary and Conclusion............................... 34 3 Web Authentication 37 3.1 Vulnerabilities of Authentication Protocols..................... 38 3.2 Web Authentication Solutions............................. 41 3.3 Summary and Conclusion............................... 48 4 Trust Issues in The Social Semantic Web 51 4.1 Social Networks..................................... 51 4.2 Friend-of-a-Friend Vocabulary............................ 54 III Core 59 5 Conceptual Model 63 5.1 Existing Usage Control Solutions........................... 63 5.2 FRM Usage Control Model............................... 64 5.3 Structure of Authorization Decision......................... 66 5.4 Model Definitions.................................... 67 5.5 Summary......................................... 70 6 Zero Knowledge Proof Authentication 71 6.1 Zero Knowledge Proof Authentication........................ 71 6.2 Approaches to ZKP................................... 73 6.3 Protocol Compositions................................. 76 6.4 Usability Considerations of using ZKP Protocols.................. 78 7 Implementation 79 7.1 Conceptual Model Implementation.......................... 79 7.2 Trust Management and Access Control........................ 82 7.3 Applied Rights Expression Model.......................... 83 7.4 Rights Management Vocabularies........................... 86 7.5 Digital Watermarking.................................. 88 vi 7.6 Authentication Service................................. 90 7.7 Application Scenarios.................................. 97 8 Evaluation 103 8.1 Usability of a Web-based ZKP implementation................... 103 8.2 Sequential Composition................................ 105 8.3 Parallel Composition.................................. 106 8.4 Concurrent Composition................................ 114 8.5 Other Protocol Threats................................. 117 8.6 Open Questions of Graph Isomorphism....................... 118 8.7 Summary and Conclusion............................... 119 IV Conclusions 121 9 Summary and Future Work 125 9.1 Summary......................................... 125 9.2 Conclusions and Contributions............................ 126 9.3 Future Work....................................... 128 V Appendices 129 A FRM Implementation Design 133 A.1 Object Discovery.................................... 133 A.2 Object Download.................................... 134 A.3 Member Item...................................... 134 A.4 Borrow Object...................................... 134 A.5 Buy Object........................................ 136 A.6 Digital Watermarking.................................. 136 A.7 Content Player...................................... 136 B RDF Examples of FRM Data Samples 139 vii C Sampled Data 141 C.1 Parallel composition.................................. 141 C.2 Concurrent composition................................ 141 D Academic Contributions 145 D.1 Principle Academic Contributions.......................... 145 D.2 Supplemental Publications and Academic Contributions............. 152 D.3 Volunteer Work & Contributions........................... 152 Bibliography 155 List of Figures 173 List of Tables 175 Glossary 177 Index 179 viii Part I Prelude 1 3 "I, myself, have had many failures and I’ve learned that if you are not failing a lot, you are probably not being as creative as you could be -you aren’t stretching your imagination." — John Warner Backus 4 Chapter 1 Introduction In this chapter we explain our motivations and goals. A short historical overview of e- commerce and information dissemination solutions is presented to provide a context for our research. A reader’s guide and overview of the thesis structure are also provided. 1.1 Motivation There are two primary motivations for the research presented in this thesis. The first is the growing demand for secure technologies for e-commerce that do not put customers at risk of identity theft. The second is the advent of Web 2.0 and the social semantic web. It has led to new business models and has changed the way that user’s interact with the web. 1.1.1 E-commerce Commerce is defined as the exchange of goods and services between parties, typically for money. Originally, such exchanges were made face to face. Thus there was a natural element of trust increased by the familiarity of the seller by the buyer [Gefen 2000]. In the today’s world
Recommended publications
  • The Digital Millennium Copyright Act Implicates the First Amendment in Universal City Studios, Inc. V. Reimerdes

    The Digital Millennium Copyright Act Implicates the First Amendment in Universal City Studios, Inc. V. Reimerdes

    The Freedom to Link?: The Digital Millennium Copyright Act Implicates the First Amendment in Universal City Studios, Inc. v. Reimerdes David A. Petteys* TABLE OF CONTENTS I. IN TRO D U CTIO N .............................................................. 288 II. THE WEB, FREE EXPRESSION, COPYRIGHT, AND THE D M C A .............................................................................. 290 III. THE CASE: UNIVERSAL CITY STUDIOS, INC. V. R EIMERD ES ...................................................................... 293 A . Factual Background ................................................... 294 B . Findings of F act ......................................................... 297 C. The Court's Statutory and Constitutional Analysis ..... 298 1. Statutory A nalysis ................................................ 299 a. Section 1201(a)(1) ............................................ 299 b. Linking to Other Sites with DeCSS .................. 302 2. First Amendment Challenges ................................ 304 a. DMCA Prohibition Against Posting DeCSS .... 305 b. Prior R estraint ................................................ 307 c. The Prohibition on Linking ............................. 309 3. T he R em edy ........................................................ 312 IV . A N A LYSIS ......................................................................... 314 A. The Prohibition Against Posting DeCSS ..................... 314 1. F air U se ............................................................... 314 2. First Amendment
  • Supporting Secure Services on Dynamic Aggregation of Heterogeneous Networks

    Supporting Secure Services on Dynamic Aggregation of Heterogeneous Networks

    Supporting Secure Services on Dynamic Aggregation of Heterogeneous Networks SUBMITTED TO UNIVERSITY OF SOUTHERN QUEENSLAND IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF DOCTOR OF PHILOSOPHY David Tai Wai Lai July 2010 Certification of Dissertation I certify that the ideas, experimental work, results, analysis, software, and conclusions reported in this dissertation are entirely my own effort, except where otherwise acknowl- edged. I also certify that the work is original and has not been previously submitted for any other award or degree. Signature of Candidate Date Endorsement Signature of Supervisor Date ii I certify that I have read this dissertation and that, in my opin- ion, it is fully adequate in scope and quality as a dissertation for the degree of Doctor of Philosophy. Dr. Zhongwei Zhang (University of Southern Queensland) I certify that I have read this dissertation and that, in my opin- ion, it is fully adequate in scope and quality as a dissertation for the degree of Doctor of Philosophy. Dr. Shan Suthaharan (University of Northern Carolina at Greensboro) iii iv Abstract Sharing of services over IP networks prove to be an effective approach to satisfy the demand of network users when their home network cannot offer the required services. Authenti- cation, authorization and revocation are some of the important challenges in the service sharing services over IP networks. This research address the problem associated with the authentication because it becomes more and more complicated due to the incompatible au- thentication schemes used by individual autonomous networks, privacy of authentication information, and the overhead in establishing the sharing.
  • Handout 5 Summary of This Handout: Stream Ciphers — RC4 — Linear Feedback Shift Registers — CSS — A5/1

    Handout 5 Summary of This Handout: Stream Ciphers — RC4 — Linear Feedback Shift Registers — CSS — A5/1

    06-20008 Cryptography The University of Birmingham Autumn Semester 2009 School of Computer Science Volker Sorge 30 October, 2009 Handout 5 Summary of this handout: Stream Ciphers — RC4 — Linear Feedback Shift Registers — CSS — A5/1 II.2 Stream Ciphers A stream cipher is a symmetric cipher that encrypts the plaintext units one at a time and that varies the transformation of successive units during the encryption. In practise, the units are typically single bits or bytes. In contrast to a block cipher, which encrypts one block and then starts over again, a stream cipher encrypts plaintext streams continuously and therefore needs to maintain an internal state in order to avoid obvious duplication of encryptions. The main difference between stream ciphers and block ciphers is that stream ciphers have to maintain an internal state, while block ciphers do not. Recall that we have already seen how block ciphers avoid duplication and can also be transformed into stream ciphers via modes of operation. Basic stream ciphers are similar to the OFB and CTR modes for block ciphers in that they produce a continuous keystream, which is used to encipher the plaintext. However, modern stream ciphers are computationally far more efficient and easier to implement in both hard- and software than block ciphers and are therefore preferred in applications where speed really matters, such as in real-time audio and video encryption. Before we look at the technical details how stream ciphers work, we recall the One Time Pad, which we have briefly discussed in Handout 1. The One Time Pad is essentially an unbreakable cipher that depends on the fact that the key 1.
  • Digital Rights Management and the Process of Fair Use Timothy K

    Digital Rights Management and the Process of Fair Use Timothy K

    University of Cincinnati College of Law University of Cincinnati College of Law Scholarship and Publications Faculty Articles and Other Publications Faculty Scholarship 1-1-2006 Digital Rights Management and the Process of Fair Use Timothy K. Armstrong University of Cincinnati College of Law Follow this and additional works at: http://scholarship.law.uc.edu/fac_pubs Part of the Intellectual Property Commons Recommended Citation Armstrong, Timothy K., "Digital Rights Management and the Process of Fair Use" (2006). Faculty Articles and Other Publications. Paper 146. http://scholarship.law.uc.edu/fac_pubs/146 This Article is brought to you for free and open access by the Faculty Scholarship at University of Cincinnati College of Law Scholarship and Publications. It has been accepted for inclusion in Faculty Articles and Other Publications by an authorized administrator of University of Cincinnati College of Law Scholarship and Publications. For more information, please contact [email protected]. Harvard Journal ofLaw & Technology Volume 20, Number 1 Fall 2006 DIGITAL RIGHTS MANAGEMENT AND THE PROCESS OF FAIR USE Timothy K. Armstrong* TABLE OF CONTENTS I. INTRODUCTION: LEGAL AND TECHNOLOGICAL PROTECTIONS FOR FAIR USE OF COPYRIGHTED WORKS ........................................ 50 II. COPYRIGHT LAW AND/OR DIGITAL RIGHTS MANAGEMENT .......... 56 A. Traditional Copyright: The Normative Baseline ........................ 56 B. Contemporary Copyright: DRM as a "Speedbump" to Slow Mass Infringement ..........................................................
  • United States District Court Southern District of New York Universal City Studios, Inc.; Paramount Pictures Corporation; Metro-G

    United States District Court Southern District of New York Universal City Studios, Inc.; Paramount Pictures Corporation; Metro-G

    UNITED STATES DISTRICT COURT SOUTHERN DISTRICT OF NEW YORK UNIVERSAL CITY STUDIOS, INC.; PARAMOUNT ) 00 Civ. _____________ PICTURES CORPORATION; METRO-GOLDWYN- ) MAYER STUDIOS INC.; TRISTAR PICTURES, INC.; ) COLUMBIA PICTURES INDUSTRIES, INC.; TIME ) DECLARATION OF FRITZ ATTAWAY WARNER ENTERTAINMENT CO., L.P.; DISNEY ) IN SUPPORT OF PLAINTIFFS’ ENTERPRISES, INC.; AND TWENTIETH ) APPLICATION FOR A PRELIMINARY CENTURY FOX FILM CORPORATION; ) INJUNCTION ) Plaintiffs, ) ) v. ) ) SHAWN C. REIMERDES, ERIC CORLEY A/K/A ) “EMMANUEL GOLDSTEIN” AND ROMAN KAZAN, ) ) Defendants. ) ) ) ) ) ) ) ) 5169/53185-005 NYLIB1/1143931 v3 01/14/00 12:35 AM (10372) Fritz Attaway declares, under penalty of perjury, as follows: I make this declaration based upon my own personal knowledge and my familiarity with the matters recited herein and could and would testify under oath to same, should I be called as a witness before the Court. 1. I am a Senior Vice President for Government Relations and Washington General Counsel of the Motion Picture Association of America (“MPAA”), a not-for-profit trade association, incorporated in New York, representing the motion picture companies that are plaintiffs in this action. The MPAA, among other functions, combats motion picture piracy, an illegal underground industry that steals billions of dollars annually from the creative talents, tradespeople, producers, and copyright owners in the motion picture industry. The MPAA runs a comprehensive anti-piracy program that includes investigative, educational, legislative, and technical efforts in the United States and over 70 other countries. I was personally involved in the process that led to the passage of the Digital Millennium Copyright Act (“DMCA”) and in the negotiations that let to the adoption of the Contents Scramble System (“CSS”) as an industry- wide standard.
  • Etsi Tr 133 995 V13.0.1 (2017-04)

    Etsi Tr 133 995 V13.0.1 (2017-04)

    ETSI TR 133 995 V13.0.1 (2017-04) TECHNICAL REPORT Universal Mobile Telecommunications System (UMTS); LTE; Study on security aspects of integration of Single Sign-On (SSO) frameworks with 3GPP operator-controlled resources and mechanisms (3GPP TR 33.995 version 13.0.1 Release 13) 3GPP TR 33.995 version 13.0.1 Release 13 1 ETSI TR 133 995 V13.0.1 (2017-04) Reference RTR/TSGS-0333995vd01 Keywords LTE,SECURITY,UMTS ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N° 348 623 562 00017 - NAF 742 C Association à but non lucratif enregistrée à la Sous-Préfecture de Grasse (06) N° 7803/88 Important notice The present document can be downloaded from: http://www.etsi.org/standards-search The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at https://portal.etsi.org/TB/ETSIDeliverableStatus.aspx If you find errors in the present document, please send your comment to one of the following services: https://portal.etsi.org/People/CommiteeSupportStaff.aspx Copyright Notification No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI.
  • State of North Carolina Request for Proposal No

    State of North Carolina Request for Proposal No

    STATE OF NORTH CAROLINA REQUEST FOR PROPOSAL NO. 41-100358-001 Department of Information Technology Offers will be publicly opened: April 29, 2020 at 2:00pm EST Issue Date: March 2, 2020 Refer ALL inquiries regarding this RFP to: Commodity Number: 920 Leroy Kodak] Description: Identity Access Management System [email protected]] Using Agency: Department of Information [919-754-6665] Technology Requisition No.: None OFFER The State solicits offers for Services and/or goods described in this solicitation. All offers and responses received shall be treated as Offers to contract. EXECUTION In compliance with this Request for Proposal, and subject to all the conditions herein, the undersigned offers and agrees to furnish any or all Services or goods upon which prices are offered, at the price(s) offered herein, within the time specified herein. By executing this offer, I certify that this offer is submitted competitively and without collusion. Failure to execute/sign offer prior to submittal shall render offer invalid. Late offers are not acceptable. OFFEROR: STREET ADDRESS: P.O. BOX: ZIP: CITY, STATE & ZIP: TELEPHONE NUMBER: TOLL FREE TEL. NO PRINT NAME & TITLE OF PERSON SIGNING: FAX NUMBER: AUTHORIZED SIGNATURE: DATE: E-MAIL: Offer valid for one hundred twenty (120) days from date of offer opening unless otherwise stated here: ____ days ACCEPTANCE OF OFFER If any or all parts of this offer are accepted, an authorized representative of the Department of Information Technology shall affix their signature hereto and any subsequent Request for Best and Final Offer, if issued. Acceptance shall create a contract having an order of precedence as follows: Best and Final Offers, if any, Special terms and conditions specific to this RFP, Specifications of the RFP, the Department of Information Technology Terms and Conditions, and the agreed portion of the awarded Vendor’s Offer.
  • Dcryptology DVD Copy Protection

    Dcryptology DVD Copy Protection

    Group 4 dCryptology DVD Copy Protection dCryptology DVD Copy Protection By Kasper Kristensen, 20072316 Asger Eriksen, 20073117 Mads Paulsen, 20072890 Page 1 of 22 Group 4 dCryptology DVD Copy Protection Content Scrambling System.................................................................................................................3 The keys............................................................................................................................................4 How it works....................................................................................................................................4 The decryption..................................................................................................................................4 LFSR.................................................................................................................................................5 How is the output used:....................................................................................................................5 Key decryption.................................................................................................................................7 Mutual Authentication:.....................................................................................................................8 CSS ATTACKS:..................................................................................................................................9 Mangling Process.............................................................................................................................9
  • BIG-IP Access Policy Manager

    BIG-IP Access Policy Manager

    DATA SHEET BIG-IP Access Policy Manager WHAT'S INSIDE Simple, Secure, and Seamless Access to 2 Bridging Secure Any Application, Anywhere Application Access Applications are gateways to your critical and sensitive data. Simple, secure access to 17 BIG-IP APM Features your applications is paramount, but application access today is extremely complex. Apps 19 F5 BIG-IP Platforms can be hosted anywhere—in the public cloud, in a private cloud, on-premises, or in a data center. Ensuring users have secure, authenticated access anytime, anywhere, to only the 19 F5 Support Services applications they are authorized to access is now a significant challenge. There are different application access methods to deal with these complexities. There are also various sources for authorized user identity, as well as dealing with applications that require modern or more traditional authentication and authorization methods, single sign-on (SSO), federation, and more, in addition to ensuring a secure, simple user access experience to support and consider. With digital transformation touching every part of an enterprise today, native cloud and Software as a Service (SaaS) applications are now the enterprise application standard. Many organizations, though, find they’re unable or unwilling to migrate all their applications to the cloud. There may be mission-critical classic or custom applications that cannot or should not support migration to the public cloud or be easily replaced by a SaaS solution. Applications are being hosted in a variety of locations, with differing and many times disparate authentication and authorization methods that are unable to communicate with each other or work seamlessly across existing SSO or federated identity.
  • Oracle Mobile Security a Technical Overview

    Oracle Mobile Security a Technical Overview

    Oracle Mobile Security A Technical Overview ORACLE WHITE PAPER | MAY 2015 Disclaimer The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle. ORACLE MOBILE SECURITY Table of Contents Disclaimer 1 Executive Overview 1 Oracle Mobile Security – Address Employee and Consumer use cases 2 Oracle Mobile Security Suite – Enterprise Mobility Management Solution 3 Assembling the Blocks – Core Solution Components 4 Oracle Mobile Security Container 5 Oracle Mobile Security App Containerization Tool 6 Oracle Mobile Security Access Server (MSAS) 6 Oracle Mobile Security Manager 7 Oracle Access Management Mobile and Social 7 OAuth Support 8 Extending Enterprise Security to Mobile Apps 9 Oracle Mobile and Social Client SDKs 16 Conclusion 17 Appendix: The New Mobile Computing Paradigm 18 Mobile App Development Models 18 Oracle Platform Security Services 19 REST 19 JSON 19 JSON Web Token 19 OpenID and OpendID Connect 19 OAuth 20 ORACLE MOBILE SECURITY SAML 22 WS-Security and SOAP 22 ORACLE MOBILE SECURITY Executive Overview Mobile computing gradually allows us to make the elusive “anytime, anywhere access” mantra a reality. More and more employees use their own mobile device in the workplace, a phenomenon known as “Bring Your Own Device” (BYOD), resulting in employees using the same device for personal and business purposes.
  • UNITED STATES DISTRICT COURT SOUTHERN DISTRICT of NEW YORK ------X UNIVERSAL CITY STUDIOS, INC, Et Al

    UNITED STATES DISTRICT COURT SOUTHERN DISTRICT of NEW YORK ------X UNIVERSAL CITY STUDIOS, INC, Et Al

    UNITED STATES DISTRICT COURT SOUTHERN DISTRICT OF NEW YORK - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - x UNIVERSAL CITY STUDIOS, INC, et al., Plaintiffs, -against- 00 Civ. 0277 (LAK) SHAWN C. REIMERDES, et al., Defendants. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - x OPINION Appearances: Leon P. Gold Jon A. Baumgarten Charles S. Sims Scott P. Cooper William M. Hart Michael M. Mervis Carla M. Miller PROSKAUER ROSE LLP Attorneys for Plaintiffs Martin Garbus George E. Singleton David Y. Atlas Edward Hernstadt FRANKFURT, GARBUS, KLEIN & SELZ, P.C. Attorneys for Defendants Contents I. The Genesis of the Controversy ..........................................3 A. The Vocabulary of this Case ........................................4 1. Computers and Operating Systems .............................4 2. Computer Code ...........................................5 3. The Internet and the World Wide Web ..........................7 4. Portable Storage Media ......................................9 5. The Technology Here at Issue ................................10 B. Parties .......................................................11 C. The Development of DVD and CSS .................................13 D. The Appearance of DeCSS ........................................17 E. The Distribution of DeCSS ........................................19 F. The Preliminary Injunction and Defendants’ Response ...................20 G. Effects on Plaintiffs ..............................................22 II. The
  • AUTHSCAN: Automatic Extraction of Web Authentication Protocols from Implementations∗

    AUTHSCAN: Automatic Extraction of Web Authentication Protocols from Implementations∗

    AUTHSCAN: Automatic Extraction of Web Authentication Protocols from Implementations∗ Guangdong Bai?, Jike Lei?, Guozhu Meng?, Sai Sathyanarayan Venkatraman?, Prateek Saxena?, Jun Suny, Yang Liuz, and Jin Song Dong? ∗National University of Singapore ySingapore University of Technology and Design zNanyang Technological University Abstract than 250 million people reportedly use it every month as of 2011 [7]. Ideally, authentication protocols should be for- Ideally, security protocol implementations should be for- mally verified prior to their implementations. However, mally verified before they are deployed. However, this is majority of web sites do not follow this principle. Au- not true in practice. Numerous high-profile vulnerabilities thentication protocols have historically been hard to design have been found in web authentication protocol implemen- correctly and implementations have been found susceptible tations, especially in single-sign on (SSO) protocols imple- to logical flaws [31, 41]. Web authentication protocols are mentations recently. Much of the prior work on authentica- no exception—several of these implementations have been tion protocol verification has focused on theoretical foun- found insecure in post-deployment analysis [16, 29, 39, 42]. dations and building scalable verification tools for checking There are three key challenges in ensuring that appli- manually-crafted specifications [17, 18, 44]. cations authenticate and federate user identities securely. In this paper, we address a complementary prob- First, most prior protocol verification work has focused on lem of automatically extracting specifications from im- checking the high-level protocol specifications, not their plementations. We propose AUTHSCAN, an end-to-end implementations [13,21,44]. In practice, however, checking platform to automatically recover authentication protocol implementations is difficult due to lack of complete infor- specifications from their implementations.