The Center for Education and Research in Information Assurance and Security (CERIAS)


Reports and Papers Archive



Programming Style Authorship Analysis

Paul W. Oman, Curt R. Cook

Detecting instances of software theft and plagiarism is a difficult problem. The statistical analysis of peculiar words or phrases known to be used by an author is a common method of settling authorship disputes in English literature. This paper presents a similar method for identifying authorship of programs. The method is based on typographic or layout style program characteristics. Our experiments show that these characteristics can be useful in determining authorship. The major benefits of the method are that it is simple, easy to automate, and can be used in conjunction with other program fingerprinting methodologies.

Added 2002-07-26

A Paradigm for Programming Style Research

Paul W. Oman, Curtis R. Cook

Programming style guidelines and automated coding style analyzers have been developed without a solid experimental or theoretical basis. In this paper we make a distinction between typographic style characteristics and underlying structural style content and show that this distinction aids in assessing the influence of style factors. This distinction permits straightforward identification of specific style factors and a better understanding of their effect on program comprehension. The results of our studies have a direct impact on automated coding style assessment programs, programming standards, program maintainability, and code formatting tools.

Added 2002-07-26

How to Prove Yourself: Practical Solutions to Identification and Signature Problems

Amos Fiat, Adi Shamir

In this paper we describe simple identification and signature schemes which enable any user to prove his identity and the authenticity of his messages to any other user without shared or public keys. The schemes are provably secure against any known or chosen message attack if factoring is difficult, and typical implementations require only 1 to 4 of the number of modular multiplications required by the RSA scheme. Due to their simplicity, security and speed, these schemes are ideally suited for microprocessor-based devices such as smart cards, personal computers, and remote control systems.

Added 2002-07-26

Zero Knowledge and the Department of Defense

Susan Landau

Three Israeli computer scientists - Uriel Feige, Amos Fiat and Adi Shamir, of the Weizmann Institute - figured out how to play the game, called “Zero knowledge proofs of identity”. They publicized their result at conferences and they applied for U.S. patent protection. Ironically the United States said disclosure was “detrimental to the national security”, and imposed a secrecy order. The three Israelis sought relief, and, with intervention from powerful sources, they got it. Though no one will say for certain, it appears that the National Security Agency (NSA), the government decrypter of secrets, stepped in to help. What the research is, and why the NSA had reason to involve itself, is the story we present here.

Added 2002-07-26

On Defining Proofs of Knowledge

Mihir Bellare, Oded Goldreich

The notion of a “proof of knowledge”, suggested by Goldwasser, Micali and Rackoff, has been used in many works as a tool for the construction of cryptographic protocols and other schemes. Yet the commonly cited formalizations of this notion are unsatisfactory and in particular inadequate for some of the applications in which they are used. Consequently, new researchers keep getting misled by existing literature. The purpose of this paper is to indicate the source of these problems and suggest a definition which resolves them.

Added 2002-07-26

Several practical protocols for authentication and key exchange

Chae Hoon Lim, Pil Joong Lee

It is often desirable to achieve mutual authentication and secret key exchange in the same protocol. Two kinds of approaches may be considered for this purpose: authentication after key exchange using symmetric algorithms and Diffie-Hellman type key exchange protocols, and key exchange after authentication by modifying 3-move identification schemes based on zero-knowledge technique. This letter presents several such protocols by each approach.

Added 2002-07-26

Zero-Knowledge Proofs

Catherine C. McGeoch

On a moonless night the spy returns to the castle after a reconnoitering mission to the enemy camp. As he nears the gate a voice whispers, “What’s the password?” But is it a friend or foe who whispers? How can the spy show he knows the password without actually revealing it to a possible imposter? The spy’s dilemma is commonplace now with the widespread use of telecommunications. When your automatic teller machine communicates with your bank, each must be assured that the other is legitimate; the electronic “passwords” must be unforgeable and must be of no use to imposters and eavesdroppers.

Added 2002-07-26

A Zero Knowledge Probabilistic Login Protocol

Dimitris Gritzalis, Sokratis Katsikas, Stefanos Gritzalis

In the first part of this paper two techniques for system authentication via a password are analyzed. The first is a probabilistic protocol for the improvement of the login security mechanism and the second is a zero knowledge model for system authentication. Their major advantages and disadvantages are identified and commented upon. In the second part of this paper, a new protocol is proposed as a combination of the two, which establishes a new approach which is quite effective in the case of system-to-system authentication. This protocol avoids some of the limitations of the previously mentioned two techniques, while at the same time manages to merge several of the advantages of both.

Added 2002-07-26

Attack Scenarios

Contains different system attack scenarios

Added 2002-07-26

A Protocol to Set Up Shared Secret Schemes Without the Assistance of a Mutually Trusted Party

Ingemar Ingemarsson, Gustavus J. Simmons

All shared secret or shared control schemes devised thus far are autocratic in the sense that they depend in their realization on the existence of a single party - which may be either an individual or a device - that is unconditionally trusted by all the participants in the scheme [5,6]. The function of this trusted party is to first choose the secret (piece of information) and then to construct and distribute in secret to each of the participants the private pieces of information which are their shares in the shared secret or control scheme. The private pieces of information are constructed in such a way that any authorized concurrence (subset) of the participants will jointly have sufficient information about the secret to reconstruct it while no unauthorized collection of them will be able to do so. For many applications, though, there is no one who is trusted by anyone else. In the absence of a trusted party or authority, no one can be trusted to know the secret and hence - until now - it has appeared to be impossible to construct and distribute the private pieces of information needed to realize a shared control scheme. It is worth noting that in commercial and/or international applications, this situation is more nearly the norm than the exception.

Added 2002-07-26

Security Models for Web-Based Applications

James B. D. Joshi, Walid G. Aref, Arif Ghafoor, Eugene H. Spafford

The paper presents a comparative assessment of the suitability of existing access control models for use in web-based applications.

Added 2002-07-26

KryptoKnight - Authentication and Key Distribution System

Refik Molva, Gene Tsudik, Els Van Herreweghen, Stefano Zatti

This paper describes KryptoKnight, an authentication and key distribution system that provides facilities for secure communication in any type of network environment. KryptoKnight was designed with the goal of providing network security services with a high degree of compactness and flexibility. Message compactness of KryptoKnight’s protocols allows it to secure the communication protocols at any layer, without requiring any major protocol augmentations in order to accommodate security-related information. Moreover, since KryptoKnight avoids the use of bulk encryption it is easily exportable. Owing to its architectural flexibility, KryptoKnight functions at both endpoints of communication can perform different security tasks depending on the network configuration. These and other novel features make KryptoKnight an attractive solution for providing security services to existing applications irrespective of the protocol layer, network configuration or communication paradigm.

Added 2002-07-26

Authentication in Distributed Systems: Theory and Practice

Butler Lampson, Martin Abadi, Michael Burrows, Edward Wobber

We describe a theory of authentication and a system that implements it. Our theory is based on the notion of principal and a ‘speak for’ relation between principals. A simple principal either has a name or is a communication channel; a compound principal can express an adopted role or delegated authority. The theory shows how to reason about a principal’s authority by deducing the other principals that it can speak for; authenticating a channel is one important application. We use the theory to explain many existing and proposed security mechanisms. In particular, we describe the system we have built. It passes principals efficiently as arguments or results of remote procedure calls, and it handles public and shared key encryption, name lookup in a large name space, groups of principals, program loading, delegation, access control, and revocation.

Added 2002-07-26

Authentication in the Taos Operating System

Edward Wobber, Martin Abadi, Mike Burrows, Butler Lampson

We describe a design for security in a distributed system and its implementation. In our design, applications gain access to security services through a narrow interface. This interface provides a notion of identity that includes simple principals, groups, roles, and delegations. A new operating system component manages principals, credentials, and secure channels. It checks credentials according to the formal rules of a logic of authentication. Our implementation is efficient enough to support a substantial user community.

Added 2002-07-26

A Logic of Authentication

Michael Burrows, Martin Abadi, Roger Needham

Questions of belief are essential in analyzing protocols for the authentication of principals in distributed computing systems. In this paper we motivate, set out, and exemplify a logic specifically designed for this analysis; we show how various protocols differ subtly with respect to the required initial assumptions of the participants and their final beliefs. Our formalism has enabled us to isolate and express these differences with a precision that was not previously possible. It has drawn attention to features of protocols of which we and their authors were previously unaware, and allowed us to suggest improvements to the protocols. The reasoning about some protocols has been mechanically verified. This paper starts with an informal account of the problem, goes on to explain the formalism to be used, and gives examples of its application to protocols from the literature, both with shared-key cryptography and with public-key cryptography. Some of the examples are chosen because of their practical importance, while others serve to illustrate subtle points of the logic and to explain how we use it. We discuss extensions of the logic motivated by actual practice - for example, in order to account for the use of hash functions in signatures. The final sections contain a formal semantics of the logic and some conclusions.

Added 2002-07-26