Secure Communication Using Remote Procedure Calls

Andrew D. Birrell

February 13, 1984 2:56 pm

Abstract: Research on encryption-based secure communication protocols has reached a stage where it is feasible to construct end-to-end secure protocols. This paper describes the design of such a protocol, built as part of a remote procedure call package. The paper describes the security abstraction presented to users of the package, the authentication mechanisms, and the protocol for encrypting and verifying remote calls.

The author's present address is: Digital Equipment Corporation, Computer Systems Research Laboratory, 130 Lytton, Palo Alto, CA 94301. The work described here was performed while employed by the Xerox Corporation.

Xerox Corporation, Palo Alto Research Center, 3333 Coyote Hill Road, Palo Alto, California 94304

PRELIMINARY: Do not distribute without the author's permission
1. Introduction

Many computing environments now exist where frequent and substantial parts of the activities involve communication amongst computers linked by open networks. A user may well spend most of his time at a personal computer, and use networks for transferring data to and from other personal computers, or shared server computers such as printers, file servers and mail servers. Most of the networks (and internetworks) used for these activities are open in the sense that they are readily vulnerable to eavesdropping and interference from unauthorized intruders. Such an architecture presents security problems much different from the ones traditionally faced in monolithic timesharing systems. In particular, it is clear that security must be based on the use of encryption in the communication protocols.

Fundamentally, encryption permits the establishment of a data channel that is less open than the underlying internetwork, by arranging that only authorized parties can create, inspect and/or modify some or all of the data. Establishing, using and maintaining such a secure data channel requires the resolution of multiple problems. First, it is necessary to identify the authorized parties (traditionally called principals). Second, it is necessary to convince each principal that the others are indeed who they claim to be. (This step is traditionally termed authentication.) Third, it is necessary to transfer the actual data in a manner that is not vulnerable to the various threats. The second and third of these are inevitably interdependent, since a recipient may require convincing that each particular datum did indeed come from the asserted sender.

There are several discussions in the public literature about designing communication protocols to achieve various forms and levels of security. Much of the published material is concerned with particular aspects of the overall problem, especially the design and improvement of authentication protocols [1, 5, 10]. There is less material available describing how to construct a complete secure communication protocol. A recent report by Voydock and Kent [11] gives a thorough description of one such design, including substantial description of the supporting arguments for their design. There are disappointingly few real implementations of secure protocols. The purpose of this paper is to describe the construction of such a protocol.

It is possible to include secure communication at various levels in the communication protocol hierarchy. At the physical layer, security can be achieved by various non-cryptographic techniques that prevent tampering with the communication medium itself. At the network layer, it is possible to encrypt all traffic on each network using a code whose key is shared among all nodes directly connected to that network. This is termed link encryption; it protects against intruders from outside the community that shares that network, but does not distinguish principals within that community. When multiple networks are involved in a communication path, link encryption allows intrusion by members of the trusted community of every network traversed by the path. The lowest layer at which we can provide an end-to-end guarantee is the internetwork layer, where we introduce direct node-to-node addressing of packets. But in many communication architectures (including ours) it is not until the transport layer that end-to-end security is feasible. The transport layer is the lowest level at which enough state information is kept to establish the authenticity of incoming data in successive packets of an interaction. It is the transport layer where we are first concerned with the relationship between successive packets. Here we introduce code which handles packet sequencing, detects missing or repeated packets, and retransmits to recover from lost or malformed packets. These mechanisms are just what is needed to implement a secure protocol, and so we have chosen to introduce secure communication as an aspect of the transport layer protocol.

One could also introduce security facilities at higher levels. However, doing so would reproduce many of the mechanisms already extant in the transport layer. These mechanisms have always been difficult to design and implement, and often significantly reduce efficiency. Implementing them twice seems undesirable. It would also reduce the utility of the secure protocol, since the easiest way to communicate would likely be by using the transport layer directly. This is particularly true of remote procedure calls, where a major purpose is to simplify the task of communicating, by providing a single simple and widely shared mechanism: procedure calls. If security were something that required extra programming beyond the procedure invocation itself, then it would intrude on the aim of easy communication.

Large parts of our security design are derived from previous work. A moderate understanding of previous work is needed for proper appreciation of the remainder of this paper; the report by Voydock and Kent [11, 12] is a good introduction. As discussed in section 3, we use the federal data encryption standard (DES) for our encryption [4]. This choice is dictated largely by the availability of very fast (and cheap) hardware for DES. Hence, our schemes are based on the use of private keys (instead of public keys [8]). For our purposes it would be impracticable to have each pair of principals that want to communicate share a private key, so our scheme is based on the use of an authentication service (also known as a key distribution center). Thus each principal has a single private key known only to the principal and the authentication service. When two principals wish to communicate, they negotiate with the authentication service to obtain a shared conversation key. This conversation key is used to encrypt subsequent communication between the two principals.

The design presented here arose as part of a project to implement remote procedure calls (RPC) on the Xerox research internetwork. The overall design of this RPC package has been reported in an earlier paper [3]. Prior to the construction of this RPC package, there were no encryption based protocols in the internetwork. Previous protocols transmitted passwords as clear text whenever any authentication was desired. Part of the design of this RPC package included a new transport layer protocol, and this seemed like an ideal opportunity to include security features at the correct level in the protocol hierarchy. An additional factor that enabled the introduction of a secure protocol was that most software using the research internetwork had recently converted to using Grapevine [2] as the primary authority for naming and authenticating individuals and services. This allowed us to envisage using Grapevine as the mediator in the negotiation to establish the authenticity of the principals involved in secure communication.

2. The Security Abstraction Offered to Clients

Clients of our RPC package interface to its security facilities by dealing in conversations. A conversation represents a communicating pair of security principals; during secure communication, one of these principals is an implementor of a remote procedure, the other is a caller on that procedure. A client can create a conversation by presenting the RPC runtime system with his name and private key, and the name of the other principal. Subsequently, if that conversation is an argument of a remote procedure call, the RPC runtime system ensures that the call is performed securely using a conversation key known only to those two principals. We guarantee to the caller and callee that they are the two principals nominated when the conversation was created. (More precisely, we guarantee that the caller and callee are each trusted by one of those principals, to the extent of having been told the conversation key by one of them.) When a server is invoked for an incoming call with a conversation as argument, the server may ask the RPC runtime system for the name of the other principal in the conversation. Thus, our clients never deal explicitly with encryption, but they get the appropriate guarantees.

Creating a conversation involves an interaction between the principal who wishes to create it and the authentication service (as described in section 4). Using a conversation to make a remote call (described in section 5) involves only the two principals - the authentication service is not concerned with this.

For example, if principal A wishes to communicate securely with principal B, then A's program would include a call on the RPC runtime system of the form:

    conv ← RPC.CreateConv[from: nameOfA, to: nameOfB, key: privateKeyOfA]

Principal A could then make remote calls to a procedure P.Q implemented by B such as:

    x ← P.Q[thisConv: conv, arg: y]

Inside the implementation of P.Q, principal B could find the identity of his caller by a call on the RPC runtime system of the form:

    caller ← RPC.GetCaller[thisConv];

This concept of conversations is orthogonal to the other abstractions involved in a call. Multiple processes can participate in a single conversation; there may be multiple simultaneous calls in a conversation; calls can be made through multiple remote interfaces but still be part of the same conversation. Calls may be made in either direction in a conversation, independent of which principal is the caller and which is the callee. Indeed, it would be consistent for many machines (with the same two principals) to participate in a single conversation, although we have not implemented this.

Note that we restrict a secure conversation to a pair of principals. We do not directly support multi-party conversations (although they may be emulated by pairwise two-party conversations). Nor do we support third party operations. For example, if a user A calls a server B to perform some operation, the server B cannot communicate securely with a third principal C (on a third machine) to perform some action on behalf of A merely by providing the authentication information that B obtained from A. To support such interaction, it would be necessary for A to establish a conversation between himself and C, then give B enough information (particularly, the authenticator and conversation key) to allow B to participate in the conversation. Such interactions can be made securely, and are not ruled out by our package, but we provide little aid for them.

When building a secure system of any sort, it is important to be clear about the threats that are being countered. We guarantee to the caller that his call will be performed only by a callee whose name the caller has nominated. We will tell the callee the true name of the caller. Calls cannot be observed in transit, to the extent that an intruder cannot determine which procedure is being called, nor any information about the arguments or results (except their length). Calls and results cannot be modified by an intruder while in transit. An intruder cannot cause a call to be invoked more than once. We do not attempt any protection against traffic analysis or against denial of service (although clearly a caller will notice if his remote call does not complete because of a denial of service attack).

It is also important to be aware that these guarantees are not absolute. The best that can be offered is that we make it prohibitively expensive for an intruder to violate these guarantees. The aim is to make that expense greater than the value to the intruder. The communicating principals should trust these security guarantees only to the extent that they trust the authentication service, the encryption algorithm, and each other.

3. Encryption Algorithms

As mentioned in section 1, we use the federal data encryption standard (DES) for our encryption. We made this choice primarily because DES is available in cheap, fast hardware (as fast as 14 megabits per second). There has been some controversy over the cryptographic strengths and weaknesses of DES, but these are not important to our design. The design would be unaffected by a choice of any other private key encryption algorithm. Our detailed packet formats allow for multiple encryption algorithms, and for key lengths up to 128 bits. Use of a public key system [8] would have a large impact on the authentication protocol.

Basically, DES maps 64-bit blocks of plain-text into 64-bit blocks of cipher-text. That basic mapping hides the data, but does not hide patterns (such as repeated blocks of zeros) and does not detect modifications. The cipher block chaining, or CBC, mode of DES [6] hides the patterns, but still does not guarantee to detect modifications. We use the CBC mode with the addition of a 64-bit checksum encrypted at the end of the packet. This checksum is formed by accumulating the 64-bit exclusive-or of the plaintext blocks (this is performed by hardware in parallel with the encryption). This technique reduces the probability of most undetected modifications to $2^{-64}$. This assertion is based on the observation that from the point of view of an intruder who does not know the conversation key, modifying a block of ciphertext produces an unpredictable modification to two blocks of plaintext when decrypted. It is fairly simple to show that a random modification to 64-bits of plain-text has probability $1 - 2^{-64}$ of changing the resulting checksum. An alternative modification to CBC mode has been proposed by Ehrsam, et al [7], which we rejected because the requisite extra hardware would be more complicated. Remember that an intruder has an a priori probability of $2^{-56}$ of guessing the conversation key at his first attempt.

Unfortunately, Voydock and Kent have recently pointed out that both of these schemes for detecting modifications to ciphertext are inadequate [12]. If an intruder swaps two adjacent ciphertext blocks, the change might not be detected. We have not yet modified our protocols to repair this defect.

We assume that users choose (or are issued) sufficiently random private keys [9]. Temporary keys, CBC initialization vectors, and conversation keys should be generated by the authentication servers using a hardware random number generator.

In the descriptions in the following sections, we have omitted some details. These details are quite systematic, being the modifications needed for secure distribution of CBC initialization vectors, for avoidance of transmissions of ciphertext for known plaintext, and for minimizing the amount of data encrypted with long term keys. All these details are given in full in section 8.

We use the notation {P}K to indicate the ciphertext formed by encrypting plaintext P using encryption key K. In each context, if P is an encryption key we intend straightforward single-block use of DES, and otherwise we intend encryption using the CBC mode with the checksum described above.

4. Authentication

There is substantial literature on protocols for implementing this negotiation [1, 5, 10]. The protocol we use is based primarily on Needham and Schroeder's [10], modified slightly to improve some shortcomings, and rearranged to meet our efficiency goals. This protocol relies on the presence of a trusted authentication service. We use the Grapevine distributed system [2] as our authentication service. Grapevine provides a distributed replicated database indexed by strings known as RNames. Several values may be associated with an RName. One such value is used as the private key for security principals.

Our authentication scheme creates an authenticator. An authenticator is encrypted data that one principal can use to assure the other of his identity. When principal A passes an authenticator to B, the assurance is based on B's observation that someone who knew B's private key (namely the authentication service) promises that the imbedded conversation key was given only to principal A. B may as well believe the assurance, because the only alternative is that B's private key has been compromised. The authenticator takes the form

    {CK, T, A}KB

where CK is a conversation key, A is A's name, T is the time at which the authenticator was created, and KB is B's private key. T is used to limit the damage potentially caused by a compromised private key, by limiting the lifetime of an authenticator to a few hours.

To obtain an authenticator, A calls the RPC runtime system on A's host, giving it A's name, B's name and A's private key. The RPC runtime system calls the authentication service remotely (without additional encryption) giving it

    [A, B, X]

where A and B are the principal names and X is a non-repeating 64-bit number. (Alternatively, X may be chosen pseudo-randomly or randomly.) The authentication service returns

    {authenticator, X, B, CK}KA

where KA is A's private key and CK is the conversation key, also imbedded in the authenticator. The RPC runtime system on A's host may now obtain the conversation key and authenticator, and is assured that it and CK were issued by the authentication service for communication between A and B. Additionally, the RPC runtime system generates a permanently unique identifier for the conversation. Later when A asks the RPC runtime system to make a remote call using this conversation, it has available the authenticator, the conversation key and the unique identifier. The first part of figure 2 shows the operation of creating a conversation.

The permanently unique identifier of a conversation is created by concatenating the unique identifier of this processor with a sequence number. When the runtime system is first started, this sequence number is initialized from a one second real-time clock, and the values used for unique identifiers never exceed the current value of that clock. This restricts the rate of generation of new conversations on a single processor to a long term average of one per second, although the burst rate may occasionally exceed one per second.

Note that in order to return the authenticator, the authentication service uses the private keys of both principals. Since the Grapevine database is distributed, both of these keys might not be known by any single Grapevine host. So to respond to the request a Grapevine host may need to communicate in a secure fashion with another Grapevine host. The Grapevine servers are capable of communicating securely amongst themselves, since they are themselves security principals registered in a part of the database that is replicated on every Grapevine host.

It is important to remember that the entire security of this scheme depends on the security of the authentication service's database. Ultimately, this must depend on the physical protection of the hosts maintaining this database.

5. Making Secure Calls

The structure employed for our RPC package (as we have described in the earlier paper [3]) is as follows. A caller initiates a remote call by making a local call to a specially constructed user stub module. This stub takes the arguments of the call and an identification of the desired procedure and places them in one or more packets which it passes to the RPC runtime system. The runtime system is responsible for transmitting the packets reliably to the remote host and waiting for a response. In the remote host, the packets are received and are passed to the appropriate server stub module (also specially constructed). The server stub unpacks the arguments and makes an ordinary local call to the appropriate procedure. When this local call returns, the server stub takes the results, places them in one or more packets, and the RPC runtime system communicates them back to the caller machine, where they are given to the user stub. The user stub then takes the results and returns from the original local call. This structure is depicted in figure 1, and is described in much more detail in the earlier paper [3]. The earlier paper also describes our binding mechanism, whereby a caller determines which host implements a desired remote procedure.
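Section 3's CBC-plus-XOR-checksum packet and the adjacent-block swap reported in [12], worked through as an added example (not code from the paper or the RPC package). A SHA-256-based Feistel cipher stands in for DES, the key, IV and message are constructed, and the HMAC variant is a modern remedy that the paper does not propose.

```python
import hashlib
import hmac

BLOCK = 8  # 64-bit blocks, as in DES

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):
    # Round function of the stand-in Feistel cipher (an assumption, not DES).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def enc_block(key, blk):
    left, right = blk[:4], blk[4:]
    for rnd in range(8):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right

def dec_block(key, blk):
    left, right = blk[:4], blk[4:]
    for rnd in reversed(range(8)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right

def _split(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def _xor_sum(blocks):
    acc = bytes(BLOCK)
    for blk in blocks:
        acc = _xor(acc, blk)
    return acc

def seal(key, iv, plaintext):
    """CBC-encrypt the plaintext blocks followed by their 64-bit XOR checksum.
    The plaintext length must be a multiple of 8 bytes (padding is left out)."""
    blocks = _split(plaintext)
    out, prev = [], iv
    for blk in blocks + [_xor_sum(blocks)]:
        prev = enc_block(key, _xor(blk, prev))
        out.append(prev)
    return b"".join(out)

def unseal(key, iv, ciphertext):
    """Return the plaintext, or None when the trailing checksum does not match."""
    plain, prev = [], iv
    for blk in _split(ciphertext):
        plain.append(_xor(dec_block(key, blk), prev))
        prev = blk
    *data, checksum = plain
    return b"".join(data) if _xor_sum(data) == checksum else None

def swap_adjacent(ciphertext, i):
    """Exchange ciphertext blocks i and i+1, the modification noted in [12]."""
    blocks = _split(ciphertext)
    blocks[i], blocks[i + 1] = blocks[i + 1], blocks[i]
    return b"".join(blocks)

def flip_bit(ciphertext, pos):
    return ciphertext[:pos] + bytes([ciphertext[pos] ^ 1]) + ciphertext[pos + 1:]

def seal_mac(key, mac_key, iv, plaintext):
    """Same packet with an HMAC-SHA256 tag over IV and ciphertext appended."""
    ct = seal(key, iv, plaintext)
    return ct + hmac.new(mac_key, iv + ct, hashlib.sha256).digest()

def unseal_mac(key, mac_key, iv, packet):
    ct, tag = packet[:-32], packet[-32:]
    expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    return unseal(key, iv, ct) if hmac.compare_digest(tag, expected) else None

def demo():
    # Constructed key material and message (four 8-byte blocks).
    key, mac_key, iv = b"constructed-key", b"constructed-mac", bytes(range(8))
    msg = b"arg-0001arg-0002arg-0003arg-0004"
    ct = seal(key, iv, msg)
    swapped = unseal(key, iv, swap_adjacent(ct, 1))
    packet = seal_mac(key, mac_key, iv, msg)
    swapped_packet = swap_adjacent(packet[:-32], 1) + packet[-32:]
    return {
        "round_trip": unseal(key, iv, ct) == msg,
        "bit_flip_rejected": unseal(key, iv, flip_bit(ct, 9)) is None,
        "swap_accepted": swapped is not None and swapped != msg,
        "swap_rejected_with_mac": unseal_mac(key, mac_key, iv, swapped_packet) is None,
        "mac_round_trip": unseal_mac(key, mac_key, iv, packet) == msg,
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The swap passes because the XOR over all decrypted blocks depends only on the set of ciphertext blocks and chaining values, not on their order; a keyed tag over the ciphertext is order-sensitive.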
[Figure 2 (diagram not recoverable). Columns: User and RPC+Stub on the caller machine; RPC+Stub and Server on the callee machine.
Surviving message labels:
    GetAuth[A, B, X]
    { {CK, T, A}KB, X, B, CK }KA
    Call[ConvID, {CallID, ....}CK]
    RFA[rfaID, ConvID, {CallID}CK, Y]
    [rfaID, B, {CallID, Y}CK, {CK, T, A}KB]
    Result[ConvID, {CallID, ....}CK]
    Call[ConvID, {thisCallID, ...}CK]
    Result[ConvID, {thisCallID, ...}CK]
Surviving step labels: Call; GetAuth; New ConvID; Store CK, Auth; Return; Encrypt, Send; Wait for pkt; Lookup ConvID (not found); Send RFA; respond; Store CK, etc; Decrypt Call Pkt; Do call; Decrypt.]
This determination is just as it would be for non-secure calls, and uses the same data structures. Note that we are using the mechanisms for eliminating duplicates that may happen in any transport protocol to simultaneously eliminate replays maliciously injected by an intruder. (This is discussed further in section 6.) A typical secure call is shown at the end of figure 2.

We have assumed the existence in the server of a mapping from conversation identifier to caller and conversation key. Further, the table used by the server to eliminate duplicate calls (which gives the sequence number of the last call from each process on each host) is part of the security arrangements, since it is this that prevents an intruder replaying an old call. Clearly, these mappings must be established initially in a secure way, by some form of connection establishment protocol. In our package, this is achieved by a technique that also permits the server to discard this information when the connection is idle.

This is achieved by a form of call-back, known as a request for authenticator, or RFA. When a server receives a call packet whose conversation identifier is unknown to the server (and which, therefore, the server is unable to decrypt), the server sends an RFA packet back to the calling machine. The RFA packet contains

    [conversation-identifier, {call-identifier}CK, Y]

where Y is a non-repeating (or pseudo-random) 64-bit number. Since the server does not yet know the conversation key, it cannot perform any encryptions or decryptions yet, but {call-identifier}CK is available to the server from the initial part of the (still encrypted) packet. (This encryption is defined to use purely CBC, with no checksum.) On receiving the RFA, the caller (who is A) returns a packet containing

    [B, {call-identifier, Y}CK, authenticator]

This allows the server, B, to obtain the conversation key and A's name from the authenticator. The call identifier in the response assures the server of the current call sequence number for the calling process contained in the call-identifier. The server decrypts the original call packet and verifies that its call identifier matches that in the RFA response. The number Y bound in with the call identifier in the RFA response assures the server that the RFA response is not a retransmission, and hence that the call is not being replayed by an intruder. The inclusion of B's name in this response is purely to enable the RPC runtime system to decrypt the authenticator without consulting higher level software; an incorrect name here would cause the packet decryption to fail. The use of this RFA protocol for the first call of a conversation is shown in the middle of figure 2.

We have now established the information the server needs for accepting steady state calls. This has cost us two extra packets, which is minimal for any form of connection establishment. The server may discard this information after a suitable period with no calls from A, since the information can be obtained by the server whenever it wishes. Thus we do not require a connection termination protocol.

6. Prevention of Replayed Calls

The most complicated of the threats we are preventing is that we do not let an intruder cause the server to invoke a call more than once. Basically, this is achieved by the mechanism that eliminates duplicate calls based on the securely transmitted call identifier. This mechanism is initialized securely (and restored securely if the server discards it) by the RFA mechanism. However, there are several subtleties in this.

Note that we specified the permanent uniqueness of the conversation identifier. If somehow an intruder caused a principal to re-use a conversation identifier from some previous conversation, the only possible adverse effect with probability more than $2^{-56}$ is denial of service. This would happen if the server's table still contained an entry for that conversation identifier: in that case, the server would incorrectly believe that it knew the conversation key, and so the checksum would look wrong when the caller's packets were decrypted. A replayed call would be accepted only if the conversation identifier was re-used with the same conversation key. Since conversation keys are allocated securely and randomly on the caller's behalf by the authentication service, the replay is accepted with probability $2^{-56}$.

A similar argument applies to the identifier of the calling machine. We used this when looking up the conversation identifier in the server's table, and we did so by believing information transmitted unencrypted in the packet header. The only effect of the intruder modifying the packet header would be that we would decrypt the packet with the wrong conversation key (except for a $2^{-56}$ probability), and this would be detected by our checksum arrangements. Because of this, we can optimise by not including the caller's machine identifier in the secure part of the packet at all.

We also are relying on the uniqueness of the call identifiers. This has three parts: a machine-relative monotonic sequence number, a machine-relative process identifier, and a global machine identifier. The sequence number does not need to be permanently unique, since for a call to be considered at all its permanently unique conversation identifier must be approved by the caller responding to the RFA. However, within a conversation, the sequence number must be non-repeating: since we use a 32-bit field this limits us to $2^{32}$ calls per conversation. Other security considerations restrict the reasonable lifetime of a conversation to less than this. The caller can straightforwardly ensure the machine-relative (non-permanent) uniqueness of the process identifier. The machine identifier is not transmitted with the call identifier, since it may be picked up from the packet header and verified while looking up the conversation identifier. Again, the possibility of an intruder causing a caller to use a duplicate machine identifier is not a problem (beyond the $2^{-56}$ probability of identical keys), since it would cause the server to decrypt the packet using the wrong conversation key.

The period for which a server maintains the connection state information must be guaranteed to be longer than the maximum length of time for which A is willing to continue retransmitting a call packet. Otherwise, an intruder could wait until a call has been invoked, suppress all further packets between B and A, wait until B has discarded the state information, and then allow a retransmission and subsequent packets (including the RFA) to get through. This would have the effect of causing the call to be invoked twice. This remarkably unlikely event is depicted in figure 3. It is prevented by the server keeping its state information for a long enough period. Note that this only requires clocks that run at approximately the same rate, not synchronized clocks.
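The exchanges of sections 4 to 6 (GetAuth, the RFA call-back and duplicate elimination) simulated end to end, as an added example that is not the paper's or the package's code. The class and method names, the JSON encoding, the authenticator lifetime value, the random conversation identifier and the keystream-plus-HMAC stand-in for {P}K are assumptions; packets are passed as Python objects rather than sent over a network.

```python
import hashlib, hmac, json, os, time

def seal(key, fields):
    # Stand-in for {fields}key: keystream XOR plus keyed tag (the paper uses DES-CBC).
    nonce, pt = os.urandom(8), json.dumps(fields).encode()
    ks = hashlib.shake_256(key + nonce).digest(len(pt))
    ct = bytes(a ^ b for a, b in zip(pt, ks))
    return (nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()[:8]).hex()

def unseal(key, blob):
    raw = bytes.fromhex(blob)
    nonce, ct, tag = raw[:8], raw[8:-8], raw[-8:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()[:8]):
        raise ValueError("wrong key or modified packet")
    ks = hashlib.shake_256(key + nonce).digest(len(ct))
    return json.loads(bytes(a ^ b for a, b in zip(ct, ks)))

class AuthService:
    def __init__(self, private_keys):
        self.keys = private_keys                     # principal name -> private key

    def get_auth(self, a, b, x):                     # request [A, B, X]
        ck = os.urandom(8).hex()                     # fresh conversation key CK
        authenticator = seal(self.keys[b], [ck, time.time(), a])   # {CK, T, A}KB
        return seal(self.keys[a], [authenticator, x, b, ck])       # {authenticator, X, B, CK}KA

class Caller:
    def __init__(self, name, key, auth):
        self.name, self.key, self.auth, self.seq, self.outstanding = name, key, auth, 0, None

    def create_conv(self, to):
        x = os.urandom(8).hex()
        authenticator, x2, b, ck = unseal(self.key, self.auth.get_auth(self.name, to, x))
        if (x2, b) != (x, to):
            raise ValueError("reply does not match this request")
        self.to, self.ck, self.authenticator = to, bytes.fromhex(ck), authenticator
        self.conv_id = os.urandom(4).hex()           # simplified stand-in for the unique ConvID

    def call(self, proc, arg):
        self.seq += 1
        self.outstanding = [self.seq, 1]             # call id: sequence number, process id
        return {"conv": self.conv_id, "call_id": seal(self.ck, self.outstanding),
                "body": seal(self.ck, [self.outstanding, proc, arg])}

    def answer_rfa(self, rfa):                       # rfa = [ConvID, {CallID}CK, Y]
        conv_id, sealed_call_id, y = rfa
        if conv_id != self.conv_id or unseal(self.ck, sealed_call_id) != self.outstanding:
            raise ValueError("RFA does not refer to the outstanding call")
        return [self.to, seal(self.ck, [self.outstanding, y]), self.authenticator]

class Server:
    LIFETIME = 3 * 3600                              # "a few hours"; the exact value is assumed

    def __init__(self, name, key):
        self.name, self.key, self.convs, self.invoked = name, key, {}, []

    def handle(self, pkt, answer_rfa):
        try:
            return self._accept(pkt, answer_rfa)
        except ValueError as err:
            return f"rejected: {err}"

    def _accept(self, pkt, answer_rfa):
        conv, expected = self.convs.get(pkt["conv"]), None
        if conv is None:                             # unknown ConvID: call back with an RFA
            y = os.urandom(8).hex()
            b, sealed, authenticator = answer_rfa([pkt["conv"], pkt["call_id"], y])
            ck, t, caller = unseal(self.key, authenticator)
            if b != self.name or time.time() - t > self.LIFETIME:
                raise ValueError("authenticator misdirected or expired")
            expected, y2 = unseal(bytes.fromhex(ck), sealed)
            if y2 != y:
                raise ValueError("RFA response is a retransmission")
            conv = {"ck": bytes.fromhex(ck), "caller": caller, "last": {}}
        call_id, proc, arg = unseal(conv["ck"], pkt["body"])
        if expected is not None and call_id != expected:
            raise ValueError("call identifier differs from the RFA response")
        seq, process = call_id
        if seq <= conv["last"].get(process, 0):
            raise ValueError("duplicate or replayed call")
        conv["last"][process] = seq                  # duplicate-elimination table
        self.convs[pkt["conv"]] = conv
        self.invoked.append((conv["caller"], proc, arg))
        return "invoked"

def demo():
    keys = {"A": os.urandom(8), "B": os.urandom(8)}  # constructed private keys
    a, b = Caller("A", keys["A"], AuthService(keys)), Server("B", keys["B"])
    a.create_conv("B")
    recorded = []                                    # RFA responses seen on the wire
    def tap(rfa):
        recorded.append(a.answer_rfa(rfa))
        return recorded[-1]
    pkt1 = a.call("P.Q", "y")
    results = [b.handle(pkt1, tap), b.handle(pkt1, tap)]   # first call, then the same packet again
    b.convs.clear()                                  # server discards its idle state
    results.append(b.handle(pkt1, lambda rfa: recorded[0]))    # old packet, old RFA response
    results.append(b.handle(a.call("P.Q", "z"), a.answer_rfa)) # new call restores the state
    return results, b.invoked
```

`demo()` returns the four outcomes in order (invoked, duplicate rejected, retransmitted RFA response rejected because Y differs, invoked) together with the two calls the server actually performed.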
[Figure 3 (diagram not recoverable). Surviving column labels: User, RPC+Stub (Caller machine), Intruder. Surviving message labels: Call[...], Result[...], RFA[...], Reply[...]. Surviving step labels: call; send call pkt; Wait for ack; Retransmit; suppress; allow; Lookup ConvID (not found); Send RFA; Wait for pkt; Store CK, etc; Decrypt call pkt; Invoke; Do call again!; Respond and so on ...]
machine identifier, 4 bytes for the conversation identifier, 4 bytes for the call sequence number, 2 bytes for the process identifier in the cleartext plus another 2 in the ciphertext. This adds significantly to the minimum packet transmission time and to the time required to construct or interpret the packet. We could perform adequate duplicate elimination for non-secure calls by using a 2 byte machine identifier, 2 byte call sequence number and 2 byte process identifier. The size could be reduced significantly by more subtle encodings, but only at the cost of processing time in interpreting and verifying it. We also must maintain and look up the table in the server giving information about each conversation. The packet exchange of the RFA mechanism is required solely for secure calls.

One unexpected (though obvious in retrospect) side effect of encrypting our packets was to make debugging our protocol more difficult. A common way of debugging Ethernet protocols without perturbing them is to observe packets in transit using a third machine; this is less easy when the packets are encrypted with a securely generated conversation key.

We are not unhappy about these costs, though. The cost of security is not very high, and we are happy to pay it in order to get away from our previous completely unprotected state. Of course, there is no need for all clients to pay the cost of security. Those making non-secure calls can happily use the simpler protocol we described in the earlier paper [3]. We also offer an intermediate style which uses secure authentication, but does not encrypt the calls themselves.

8. Additional Details of the Security Protocol

Cryptologists are aware that a cipher is often more easily broken if the ciphertext for known plaintext is available, or if large amounts of ciphertext are available encrypted with a single key. With DES it is not clear how important these threats are, but since the preventative measures are quite simple we have included them in our security protocols. Similarly, the initialization vector used by the CBC mode of DES must be randomly chosen and securely distributed if the first plaintext block is known or has only a small amount of unknown information. Some encryption hardware encourages a style of usage where the principal's private key is loaded into the unit only once (possibly manually), and encryption is always by working keys, which are presented to the unit encrypted with the private key; the working keys and the private key need never occur outside the encryption hardware as plaintext.

In the following, KX and KY are temporary keys and J is an initialization vector, randomly chosen by the authentication service. The authenticator is in fact:

    {KX}KB {{CK}KB, T, A}KX

This CBC encryption uses a zero initialization vector; it is important that {CK}KB is the first plaintext block, since this value is unknown to an intruder. When the authentication service is sending the authenticator back to A, it actually sends:

    {KY}KA {J, authenticator, X+1, B, CK}KY

This CBC encryption uses a zero initialization vector; it is important that J is the first plaintext block, since this value is unknown to an intruder. The packet returned in response to an RFA packet actually contains:

    [B, {J, call-identifier, Y+1}CK, authenticator]

Again, the CBC encryption uses a zero initialization vector. When encrypting packets in calls in this conversation, J is used as the initialization vector. Remember that all encryptions other than encrypted keys use CBC mode with an additional checksum to detect modifications.

9. Status and Conclusions

Our remote procedure call package is fully implemented and is in daily use by a number of applications. The protocol for accessing the Alpine file servers (which provide a file system featuring distributed atomic transactions) uses our security features, as does the control protocol for an Ethernet-based voice project. Both of these applications have found the security mechanisms entirely painless to use.

Unfortunately the present implementation has two deficiencies. First, most of our computers are not yet equipped with DES hardware, so at present we are using a trivial exclusive-or scheme in place of a genuine encryption. Second, we have not yet retrofitted the Grapevine servers to support the secure authentication protocol. We are confident that neither of these changes would seriously disturb our implementation, but they do make it impossible for us to measure the performance impact of encryption.

We are happy with our decision to include secure communication in this package. It has enabled us to explore in detail the implications of our previous theoretical designs for secure communication. It has shown that secure communication can be successfully included in our protocol family, and that security can be presented to programmers as a communication facility that is easy and convenient to use. Once we have suitable hardware in place, we will rapidly be able to convert to a situation where we are relying only on the physical security of the Grapevine servers and of the participating end users' workstations.

References

1. Bauer, K.R., Berson, T.A. and Feiertag, R.J. A key distribution protocol using event markers. Sytek report TR-81060, Sytek Inc., Sunnyvale, CA, 1981.
2. Birrell, A.D., Levin, R., Needham, R.M. and Schroeder, M.D. Grapevine: an exercise in distributed computing. Comm. ACM 25, 4 (April 1982), 260-274.
3. Birrell, A.D. and Nelson, B.J. Implementing Remote Procedure Calls. Trans. On Comp. Sys. 2, 1 (February 1984), ??-??.
4. Data Encryption Standard. FIPS publication 46, National Bureau of Standards, U.S. Department of Commerce, Washington D.C. January 1977.
5. Denning, D.E. and Sacco, G.M. Timestamps in key distribution protocols. Comm. ACM 24, 8 (August 1981), 533-536.
6. DES modes of operation. FIPS publication 81, National Bureau of Standards, U.S. Department of Commerce, Washington D.C. December 1980.
7. Ehrsam, W.F., Matyas, S.M., Meyer, C.H., Tuchman, W.L. A cryptographic key management scheme for implementing the data encryption standard. IBM Syst. J. 17, 2 (1978), 106-125.
8. Kline, C.S. and Popek, G.J. Public key vs. conventional key encryption. AFIPS Conference Proceedings 48, 1979, 831-837.
9. Matyas, S.M. and Meyer, C.H. Generation, distribution and installation of cryptographic keys. IBM Syst. J. 17, 2 (1978), 126-137.
10. Needham, R.M. and Schroeder, M.D. Using encryption for authentication in large networks of computers. Comm. ACM 21, 12 (December 1978), 993-999.
11. Voydock, V.L. and Kent, S.T. Security in higher level protocols: approaches, alternatives and recommendations. BBN Report 4767, Bolt Beranek and Newman, Inc., (October 1981). Also available as Report ICST/HLNP-81-19, National Bureau of Standards, Washington D.C. (October 1981).
12. Voydock, V.L. and Kent, S.T. Security Mechanisms in High-Level Network Protocols. ACM Comp. Surveys 15, 2 (June 1983).
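Section 8's use of zero-IV CBC with an unpredictable first block (J, or {CK}KB in the authenticator) can be seen in a short added example, which is not code from the paper or the RPC package. The 8-byte Feistel cipher built from SHA-256 is a constructed stand-in for DES, and the keys and message bodies are made-up sample values.

```python
import hashlib, os

BLOCK = 8                 # bytes per block, as in DES
ZERO_IV = bytes(BLOCK)    # the zero initialization vector of section 8

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def round_fn(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def encrypt_block(key, blk):          # toy Feistel cipher, NOT DES
    l, r = blk[:4], blk[4:]
    for rnd in range(8):
        l, r = r, xor(l, round_fn(key, rnd, r))
    return l + r

def decrypt_block(key, blk):
    l, r = blk[:4], blk[4:]
    for rnd in reversed(range(8)):
        l, r = xor(r, round_fn(key, rnd, l)), l
    return l + r

def cbc_encrypt(key, iv, plaintext):
    assert len(plaintext) % BLOCK == 0
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = encrypt_block(key, xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ciphertext):
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(xor(decrypt_block(key, c), prev))
        prev = c
    return b"".join(out)

def seal(key, body, first_block=None):
    """Zero-IV CBC over (first block + body); a random first block plays J's role."""
    j = os.urandom(BLOCK) if first_block is None else first_block
    return cbc_encrypt(key, ZERO_IV, j + body)
```

With a known, fixed first block two encryptions of the same body are identical, so repeats are visible on the wire; with a random first block the remaining ciphertext is exactly what CBC would produce under the IV E(J), an IV that is delivered inside the message and never appears in the clear.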