SPARTA ISSO

Adaptive Cryptographically Synchronized Authentication (ACSA)

Sponsored by:
Defense Advanced Research Projects Agency (DARPA)
Information Technology Office (ITO)
High Confidence Networking (HCN) Program

DARPA Contract #F30602-98-C-0215
Dr. Douglas Maughan, DARPA, Program Manager
Melvin Oster, Air Force Research Laboratory, COTR

Who We Are

  • Jamison Adcock
  • David Balenson
  • Dr. Dennis Branstad
  • David Carman, ACSA Principal Investigator
  • Wesley Griffin
  • Michael Heyman
  • Roger Knobbe
  • Caroline Scace
  • Dr. Alan Sherman
  • Dr. Roshan Thomas

Overview of ACSA

Objective:
The overall purpose of the ACSA project is to provide a strong network entity authentication solution that is fast enough to meet the demands of ultra-fast networks. This research has three primary goals: (1) To identify a spectrum of practical cryptographic authentication algorithms that can be selectively used to provide various levels of authentication of the source (i.e., transmitter in a distributed network) of data under the assumption that authentication cannot be provided 100% of the time; (2) To design a control system that establishes and maintains acceptable levels of data-source authentication and data integrity assurance in an environment where the threats to the network are dynamically changing under the control of a motivated and well-equipped adversary; and (3) To implement a prototype system that can be used to demonstrate effective authentication at various speeds and under various attack scenarios.

Approach:
To achieve our objective, we will build an adaptive cryptographically synchronized authentication system by combining modern cryptographic methods in a novel architecture. The foundation of this system is a set of cryptographic components that will be combined and used dynamically based on current measurements of risk factors, processing capability, and communication load. This model includes the network application, which provides risk and performance requirements, local system factors that provide policy and threat information, and a controller connected to a set of authentication mechanisms or gears. Each gear of the model provides a different speed-assurance tradeoff.

Figure 1 - ACSA Model - Local View

Based on this initial model, we will study the model components and gears in a network communications context in an attempt to optimize the number, characteristics, and use of the gears.

Figure 2 - ACSA Model - Network View

Furthermore, we will define and produce the controller, the various gears, and the protocols that allow the network components implementing this model to work correctly and efficiently. Finally, we will evaluate the model and the developed system against identified communications system security risks.
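
An added illustration of the controller-and-gears model described above (not code from the ACSA project): the controller picks a gear from load and policy, and a detected authentication failure shifts it to a stronger gear. The gear set, the per-packet costs, sampling by sequence number, and the floor-raising rule are all assumptions made for this example.

```python
import hmac, hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Gear:
    name: str
    assurance: int   # constructed scale: higher = stronger
    every: int       # authenticate every Nth packet (1 = all packets)
    cost_us: float   # assumed average CPU cost per packet, microseconds

# Constructed gear set, fastest/weakest first.
GEARS = (Gear("1-in-8", 1, 8, 0.5), Gear("1-in-2", 2, 2, 2.0), Gear("all", 3, 1, 4.0))

def select_gear(load_pps, budget_us, floor):
    """Strongest gear within the per-second CPU budget, never below the policy floor."""
    allowed = [g for g in GEARS if g.assurance >= floor]
    fits = [g for g in allowed if g.cost_us * load_pps <= budget_us]
    # If nothing allowed fits the budget, policy wins: use the cheapest allowed gear.
    return max(fits, key=lambda g: g.assurance) if fits else allowed[0]

def tag(key, seq, payload):
    return hmac.new(key, seq.to_bytes(8, "big") + payload, hashlib.sha256).digest()

def protect(key, gear, seq, payload):
    """Sender side: attach a tag only to the packets this gear authenticates."""
    return seq, payload, (tag(key, seq, payload) if seq % gear.every == 0 else b"")

def check(key, gear, pkt):
    """Receiver side: True/False for authenticated packets, None for skipped ones."""
    seq, payload, t = pkt
    if seq % gear.every:
        return None
    return hmac.compare_digest(t, tag(key, seq, payload))

def run(key, windows, load_pps, budget_us, tampered=frozenset(), window=16):
    """Simulate windows of traffic; a detected failure raises the assurance floor."""
    floor, history, seq = 1, [], 0
    for _ in range(windows):
        gear = select_gear(load_pps, budget_us, floor)
        history.append(gear.name)
        failures = 0
        for _ in range(window):
            s, p, t = protect(key, gear, seq, b"data")
            if seq in tampered:
                p = b"DATA"                    # constructed in-transit modification
            failures += check(key, gear, (s, p, t)) is False
            seq += 1
        if failures:
            floor = min(floor + 1, GEARS[-1].assurance)
    return history
```

A modification that lands on an unauthenticated packet in a low gear goes unseen, which is the speed-assurance tradeoff the model accepts; sampling by plain sequence number is a simplification chosen for readability.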

Current Plan:

  • Analyze the initial ACSA model and define components and protocols that allow the model to work correctly and efficiently.
  • Investigate the following relevant areas: ultra-fast data communication systems; fast cryptographic algorithm software implementations; peer-to-peer cryptographic protocols such as IP Security (IPSec); security support services such as key generation; and peer-to-peer cryptographic association management methods such as Internet Key Exchange (IKE).
  • Design an ACSA prototype software system that: satisfies the requirements for data origin authentication; specifies cryptographic keying protocols, communication and cryptographic synchronization techniques, authentication gear characteristics and algorithms, and continuous security "torque" control; and specifies the interfaces to the authentication gears and network management services. The architecture shall utilize Internet Key Exchange (IKE) protocols and services as appropriate.
  • Develop an ACSA prototype software system that consists of a portable software toolkit with a programming interface, consisting of modules performing the selected algorithms contained in each authentication gear and the component authentication control.
  • Develop, demonstrate and deliver an ACSA software prototype system implemented in an Internet test-bed environment, showing policy establishment, component initialization, peer-to-peer communications, the inducement of errors into the data stream, and the resulting adaptation of the authentication components in response to the errors detected.
  • Collaborate and cooperate with other NGI members on the planning and conduct of integrated intra- and inter-NGI testbed demonstrations. Collaborate and cooperate with other NGI members to ensure interoperable prototype hardware and software demonstrating integrated concepts and approaches for Defense-relevant applications.

Technology Transition:
TIS Labs will make the ongoing research results and reports electronically available without constraint. TIS Labs will make the software toolkits and user documentation electronically available for non-commercial purposes, subject to the constraints of evolving export control policy on cryptographic technology. We will furthermore participate in the support of intra-government research and development activities in which multiple organizations are developing open systems specifications for multi-platform applications. Specifically, we intend to participate in the IETF activities specifying IKE and IPSec, providing written contributions on both data source authentication and network data integrity assurance. The TIS Labs project team will pursue a variety of technology transfer activities to make organizations aware of our results. These activities will include:

  • coordinating with technical representatives from NSA who are active in cryptographic technology and from NIST who are active in cryptographic standards activities;
  • contributing to government and commercial standards activities relevant to data source authentication and information integrity assurance;
  • participating in appropriate computer and network security conferences in order to solicit community feedback and foster community acceptance of our results;
  • providing project status reports and technical results via the World Wide Web facilities at TIS Labs; and
  • participating with other DARPA researchers in PI meetings and cooperative workshops.

ACSA Presentations

  • ACSA Kickoff Brief presented to DARPA on September 11, 1998. (PowerPoint or Acrobat)
  • ACSA Presentation to the DARPA/ITO Next Generation Internet (NGI) Principal Investigator's (PI) Meeting held on October 29, 1998. (PowerPoint or Acrobat)
  • ACSA Presentation to the XIWT Workshop on Information Assurance and Trustworthy Networks held November 18, 1998. (PowerPoint or Acrobat)
  • "Adaptively Trading Off Strength and Performance in Network Authentication" Presentation at the RSA Conference 2000 held January 19, 2000. (PowerPoint or Acrobat)

ACSA Documents

Additional Information on ACSA

Web Links to Related Work