Protecting Security Policies in Ubiquitous Environments Using One-Way Functions

  • Håkan Kvarnström
  • Hans Hedbom
  • Erland Jonsson
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2802)


This paper addresses the problem of protecting security policies and other security-related information in security mechanisms, such as the detection policy of an Intrusion Detection System or the filtering policy of a firewall. Unauthorized disclosure of such information can reveal the fundamental principles and methods for the protection of the whole network, especially in ubiquitous environments where a large number of nodes store knowledge about the security policy of their domain. To avoid this risk we suggest a scheme for protecting stateless security policies using one-way functions. A stateless policy is one that only takes into consideration the current event, and not the preceding chain of events, when decisions are made. The scheme has a simple and basic design but can still be used for practical implementations, as illustrated in two examples in real-life environments. Further research aims to extend the scheme to stateful policies.
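To make the idea in the abstract concrete, the following is an added Python illustration written for this page; it is not the paper's own construction, and the field encoding, the choice of salted SHA-256 as the one-way function, the wildcard handling via field masks, and the sample rules are all assumptions of this example. A node stores only digests of its filtering rules together with their actions; deciding on an event means hashing the current event alone and looking the digest up, which is exactly the stateless case the abstract describes.

```python
import hashlib
import os

# Fixed field order for canonicalising an event (an assumption of this example;
# the paper's own encoding is not shown on the page).
FIELDS = ("proto", "src", "dst", "dport")
WILDCARD = "*"


def canonical(pattern: dict) -> bytes:
    """Serialise a rule pattern or probe in fixed field order. Absent fields
    are treated as wildcards, so a probe built from a subset of the event's
    fields hashes identically to the rule that wildcards the remaining ones."""
    return "|".join(f"{f}={pattern.get(f, WILDCARD)}" for f in FIELDS).encode()


def one_way(salt: bytes, pattern: dict) -> str:
    """The one-way function: salted SHA-256 (assumed here; any preimage-
    resistant function would serve). The salt defeats precomputed tables."""
    return hashlib.sha256(salt + canonical(pattern)).hexdigest()


def compile_policy(rules, salt=None) -> dict:
    """Turn cleartext rules [(pattern, action), ...] into the protected form a
    node stores: digest -> action, plus the salt and the set of field masks
    (which fields each rule constrains). The masks reveal rule shapes but no
    addresses or ports; the cleartext patterns can be discarded afterwards."""
    salt = salt if salt is not None else os.urandom(16)
    table, masks = {}, set()
    for pattern, action in rules:
        masks.add(tuple(f for f in FIELDS if pattern.get(f, WILDCARD) != WILDCARD))
        table[one_way(salt, pattern)] = action
    # Most specific masks (more constrained fields) are probed first.
    ordered = sorted(masks, key=lambda m: (-len(m), m))
    return {"salt": salt, "masks": ordered, "table": table}


def evaluate(policy: dict, event: dict, default: str = "allow") -> str:
    """Stateless decision: only the current event is consulted. For each mask,
    hash the event's values for those fields and look the digest up."""
    for mask in policy["masks"]:
        probe = {f: event[f] for f in mask}
        action = policy["table"].get(one_way(policy["salt"], probe))
        if action is not None:
            return action
    return default


# Constructed sample rules (not from the paper): block telnet from anywhere,
# alert on all TCP from one documentation-range address, alert on SMB to
# one internal host.
SAMPLE_RULES = [
    ({"proto": "tcp", "dport": 23}, "deny"),
    ({"proto": "tcp", "src": "192.0.2.7"}, "alert"),
    ({"proto": "tcp", "dst": "10.0.0.5", "dport": 445}, "alert"),
]


if __name__ == "__main__":
    policy = compile_policy(SAMPLE_RULES)
    # What an attacker reading the node's store would see: digests, not rules.
    print("stored form:", {k[:12] + "...": v for k, v in policy["table"].items()})
    for ev in (
        {"proto": "tcp", "src": "198.51.100.9", "dst": "10.0.0.5", "dport": 23},
        {"proto": "tcp", "src": "192.0.2.7", "dst": "10.0.0.9", "dport": 80},
        {"proto": "udp", "src": "198.51.100.9", "dst": "10.0.0.5", "dport": 53},
    ):
        print(ev, "->", evaluate(policy, ev))
```

The protected store hides which addresses and ports the policy cares about, but it does not make them unguessable: anyone holding the salt and the table can hash candidate events and test them, the same way dictionary attacks work against password hashes, and fields with little entropy (protocol, well-known ports) fall quickly. A per-rule salt raises the cost of checking guesses against the whole policy at once, at the price of linear-time evaluation instead of a single lookup. The evaluator never consults earlier events, which is what keeps it within the stateless setting the abstract addresses; stateful policies need a different treatment.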







Copyright information

© Springer-Verlag Berlin Heidelberg 2004

Authors and Affiliations

  • Håkan Kvarnström (1, 2)
  • Hans Hedbom (3)
  • Erland Jonsson (1)
  1. Department of Computer Engineering, Chalmers University of Technology, Göteborg, Sweden
  2. Telia Research AB, Farsta, Sweden
  3. Department of Computer Science, Karlstad University, Karlstad, Sweden
