Matt Blaze's Technical Papers

Last updated 6 August 2006

Many of my technical papers are available here. Newer papers are usually in Adobe PDF format; like it or not, PDF is the de facto standard format for scientific papers these days. Most of the older papers are in PostScript format; you'll need a PostScript printer or viewer (such as GhostView) to read them. Most of these files have also been converted to Adobe PDF format (using ps2pdf) and can be viewed or printed with a PDF viewer such as Acrobat, acroread4, or xpdf. If you have a choice, you'll probably find the PostScript version looks and works better than the PDF version does (ps2pdf doesn't do particularly well with some of the fonts). A few papers are available as plain ASCII text or LaTeX source.

Wiretapping, Surveillance and Countermeasures

The Trustworthy Network Eavesdropping and Countermeasures (TNEC) project studies the reliability of communications interception systems and technologies. A better understanding of the limitations of eavesdropping techniques could lead to more trustworthy law enforcement wiretap evidence (or at least more appropriate treatment of electronic evidence), networks with properties that inherently frustrate (or facilitate) interception, and new techniques for achieving communications security.

One of our first efforts is a comprehensive analysis of the wiretapping technologies used by law enforcement (for both voice and data). We have found serious exploitable weaknesses in fielded interception systems. For details, including audio demos of novel eavesdropping countermeasures, see the wiretapping web page here.

Similar vulnerabilities exist in digital Internet eavedropping systems as well:

  • E. Cronin, M. Sherr, and M. Blaze. "The Eavedsdropper's Dilemma." Technical Report MS-CIS-05-24. University of Pennsylvania. 2005. [PDF].

Another focus of the TNEC project examines local host-based surveillance. The JitterBug demonstrates a novel eavesdropping threat against typed keyboard input. Commercially-available hardware keyboard "sniffers" can easily capture and store an unsuspecting user's keystrokes. Because a subverted keyboard has no direct network connection, sniffer attacks are generally assumed to require either support software on the host or periodic in-person access by the attacker to retrieve the data. We show that this need not be the case. A new technique based on "JitterBugs" can exflitrate captured data entirely through subtle perturbations in the precise times at which typed keystrokes are passed to the host. Whenever a user runs an interactive network application (such as SSH), an attacker can derive previously captured keystrokes entirely by observing the timing of network packets, even from across the Internet or via encrypted wireless traffic. The JitterBug demonstrates that input devices must be scrutinized as part of any trusted computing base and, more generally, that simple "supply chain attacks" can represent a practical and serious threat to data confidentiality. (Gaurav Shah and Andres Molina won the Best Student Paper award at USENIX Security 2006 for this work.)

Physical and "Human-Scale" Security

Cryptologic techniques can be applied outside of computers and networks, Perhaps surprisingly, the abstractions used in analyzing secure computing and communications systems turn out also to be useful for understanding mechnical locks and their keyspaces. Indeed, modeling master keyed locks as online authentication oracles leads directly to efficient solutions for what might naively seem like exponential problems for the attacker. In fact, it seems like almost a textbook example, as if master keying practices for locks were designed specifically to illustrate this class of weakness. We sometimes assume that hardware-based security is inherently superior to that based in software, but even the humble mechanical lock can be just as insecure as complex computing systems, and can fail in similar ways.

A widely circulated paper of mine describes attacks against master keyed mechanical locks. For an overview of the attack, which was described in the January 23rd 2003 New York Times, click here. For a brief commentary on the reaction to this paper, see my essay, "Keep it secret, stupid!" (click here), which was originally posted to comp.risks.

(Warning: there are embedded photos in this paper; they make the PS and PDF files very large. The GZIPed PostScript version is 5.7MB long (uncompresses to 14MB), and the PDF version is 4MB long.)

  • M. Blaze. "Cryptology and Physical Security: Rights Amplification in Master-Keyed Mechanical Locks." March 2003. IEEE Security and Privacy. March/April 2003. [GZIPed PostScript], [PDF].

  • My Notes on Picking Pin Tumbler Locks, intended primarily for use by students in my security seminar, can be found here [HTML].

While the security metrics and mechanical safeguards used in safes and vaults may not rely on the latest technology, they are often quite ingenious. They may have much to teach computer security. Some of what I understand about the subject is in the survey paper below (warning -- heavily illustrated 2.5MB .pdf file). And for a brief commentary on the reaction to this paper, see my essay, "the second sincerest form of flattery" (click here), which was originally posted to interesting-people.

  • M. Blaze. "Safecracking for the Computer Scientist." U. Penn CIS Department Technical Report. 7 December 2004 (revised 20 December 2004). [PDF].

This position paper, presented at the Cambridge Security Protocols Workshop 2004, introduces and advocates the "Human Scale Security Project," which supports the above work.

  • M. Blaze. "Toward a broader view of security protocols." 12th Cambridge International Workshop on Security Protocols. Cambridge, UK. April 2004.[PDF].

Trust Management

These papers introduce the "trust management" approach to specifying and enforcing security policy.

  • The Trust Management Web Page, updated regularly.

  • M. Blaze, J. Ioannidis, A. Keromytis. "Offline Micropayments without Trusted Hardware." Financial Cryptography 2001. Grand Cayman, February 2001. [PostScript], [PDF].

  • M. Blaze, J. Ioannidis, A. Keromytis. "Trust Management for IPSEC." NDSS 2001. San Diego, February 2001. [PDF].

  • M. Blaze, J. Feigenbaum, J. Ioannidis, A. Keromytis. The KeyNote Trust Management System, Version 2. RFC-2704. IETF, September 1999. [ASCII Text].

  • M. Blaze, J. Ioannidis, A. Keromytis. "Compliance Checking and IPSEC Policy Management." Internet Draft. draft-blaze-ipsp-trustmgt-00.txt. IETF, March 2000. [ASCII Text].

  • M. Blaze, J. Ioannidis, A. Keromytis. "DSA and RSA Key and Signature Encoding for the KeyNote Trust Management System." RFC-2792. IETF, March 2000. [ASCII Text]

  • M. Blaze, J. Ioannidis, and A. Keromytis. " Trust Management and Network-Layer Security Protocols." 1999 Cambridge Protocols Workshop. Cambridge, April 1999. [PostScript], [PDF], [LaTeX Source].

  • M. Blaze, J. Feigenbaum, J. Ioannidis, and A. Keromytis. "The Role of Trust Management in Distributed Systems Security." Chapter in Secure Internet Programming: Security Issues for Mobile and Distributed Objects, (Vitek and Jensen, eds.) Springer-Verlag, 1999. [PostScript], [PDF].

  • M. Blaze, J. Feigenbaum, M. Strauss. "Compliance-Checking in the PolicyMaker Trust-Management System." Proc. 2nd Conference on Financial Cryptography. Anguilla 1998. LNCS 1465, pp 251-265, Springer-Verlag, 1998. [PostScript], [PDF].

  • M. Blaze, J. Feigenbaum and J. Lacy. "Decentralized Trust Management." IEEE Symposium on Security and Privacy, Oakland, CA. May 1996. [PostScript], [PDF].

Angelos Keromytis's KeyNote Trust Management toolkit and open-source reference implementation is available here as a GZIPed TAR archive. The toolkit runs under most Unix-like (BSD, linux, etc.) platforms, with limited support for Win32 platforms.

Also see Angelos Keromytis' KeyNote web page for the latest details on the KeyNote implementation.

Remotely-Keyed Encryption

These papers introduce and formalize the notion of "remotely-keyed" encryption, in which a low-bandwidth, but trusted device (such as a smart card) assists a high-bandwidth, but untrusted host with bulk encryption.

  • M. Blaze, J. Feigenbaum, and M. Naor. "A Formal Treatment of Remotely Keyed Encryption (Extended Abstract)". Eurocrypt '98, Helsinki. LNCS 1403 pp. 251-265. [PostScript], [PDF].

  • M. Blaze. "High-Bandwidth Encryption with Low-Bandwidth Smartcards." January 18, 1996. Cambridge Workshop on Fast Software Encryption, February 1996. [PostScript], [PDF].

Key Escrow

These papers describe and evaluate various key escrow proposals, from a technical (as opposed to political) perspective.

  • The Risks of Key Recovery, Key Escrow, and Trusted Third-Party Encryption (second edition). June 1998. [HTML], [PDF].

  • The Risks of Key Recovery, Key Escrow, and Trusted Third-Party Encryption (first edition). May 1997. (OBSOLETE: superseded by second edition, above). [ASCII Text], [PDF], [PostScript].

  • M. Blaze. "Oblivious Key Escrow." First Cambridge Workshop on Information Hiding May 1996. Springer 1997. [PostScript], [PDF], [LaTeX source].

  • Memo from NSA regarding key length report, with comments from M. Blaze and W. Diffie. July 18, 1996. [ASCII Text].

  • M. Blaze, W. Diffie, R. Rivest, B. Schneier, T. Shimomura, E. Thompson and M. Wiener. "Minimal Key Lengths for Symmetric Ciphers to Provide Adequate Commercial Security". Report of ad hoc panel of cryptographers and computer scientists. January 1996. [ASCII Text], [PDF], [PostScript].

  • M. Blaze, J. Feigenbaum and F.T. Leighton. "Master-Key Cryptosytems." Abstract presented at Crypto '95 (rump session), Santa Barbara, CA, August 1995. [PostScript], [PDF]

  • M. Blaze. "Protocol Failure in the Escrowed Encryption Standard." Proceedings of Second ACM Conference on Computer and Communications Security, Fairfax, VA, November 1994. [PostScript], [PDF].

Network-Layer Security

These papers describe the design and implementation network-layer and related security protocols, including JFK, a secure key exchange protocol, and swIPe, a predecessor to the IPSEC standard. (At this point, swIPe is of primarily historical interest, although the USENIX paper should be of some value to IPSEC implementors. JFK is a useful key exchange protocol that should be especially valuable for IPSEC and network security key management).

  • W. Aiello, S. M. Bellovin, M. Blaze, R. Canetti, J. Ioannidis, A. D. Keromytis, and O. Reingold. "Efficient, DoS-Resistant, Secure Key Exchange for Internet Protocols." In Proc. ACM Computer and Communications Security (CCS) Conference. November 2002, Washington, DC. (pp 48-58). [PDF].

  • J. Ioannidis and M. Blaze. "The swIPe IP Security Protocol." Internet Draft. December 1993. [ASCII Text].

  • J. Ioannidis and M. Blaze. "Architecture and Implementation of Network Layer Security Under UNIX." Proceedings of the Fourth USENIX Security Workshop, October 1993. [PostScript], [PDF].

Cryptographic Applications

  • R. Levein, L. McCarthy, M. Blaze. "Transparent Internet E-mail Security (DRAFT)". August 9, 1996. [PostScript], [PDF].

  • M. Blaze and S.M. Bellovin. "Session-Layer Encryption." Proceedings of the USENIX Security Workshop, June 1995. [PostScript].

  • M. Blaze. "Key Management in an Encrypting File System." USENIX Summer 1994 Technical Conference, Boston, MA, June 1994. [PostScript], [PDF].

  • M. Blaze. "A Cryptographic File System for Unix." Proceedings of the First ACM Conference on Computer and Communications Security, Fairfax, VA, November 1993. [PostScript], [PDF].

    The latest CFS code can be found here.

Ciphers and Algorithms

  • S. M. Bellovin, M. Blaze. "Cryptographic Modes of Operation for the Internet." NIST Workshop on AES Modes. Santa Barbara, CA. August 2001. [PDF].

  • M. Blaze, M. Strauss. "Atomic Proxy Cryptography." Full version of our EuroCrypt '98 paper. May 1997. [PostScript], [PDF].

  • M. Blaze. "Efficient Symmetric-Key Ciphers Based on an NP-Complete Subproblem (DRAFT)". October 2, 1996. [PostScript], [PDF]

  • M. Blaze and B. Schneier. "The MacGuffin Block Cipher Algorithm." Leuven Workshop on Cryptographic Algorithms, Leuven, Belgium, December 1994. [PostScript], [PDF].

Cryptography Policy, Export Regulations, and Politics

  • M. Blaze. Declaration in Felten, et al v. RIAA. 13 August 2001. [ASCII Text].

  • S. Bellovin, M. Blaze, D. Farber, P. Neumann, E. Spafford. "Comments on the Carnivore System Technical Review." Formal comments to the US Department of Justice. 3 December 2000. [HTML].

  • M. Blaze & S. M. Bellovin. "Tapping, Tapping on my Network Door." INSIDE RISKS 124. CACM, October 2000. [HTML].

  • M. Blaze. "Cryptography Policy and the Information Economy." Draft. 17 December 1996. [PostScript], [PDF], [ASCII Text].

  • My prepared testimony before the Senate Commerce Committee subcommittee on Science, Technology, and Space. June 26, 1996 [ASCII Text].

  • M. Blaze. "My Life as an International Arms Courier." January, 1995. Adapated from posting to comp.risks [ASCII Text]

Peer-to-Peer Networking

My dissertation work, over ten years ago, anticipated and analyzed what we would now call "Peer-to-Peer" file distribution.

  • M. Blaze. Caching in Large-Scale Distributed File Systems. PhD thesis. Princeton University Department of Computer Science. November 1992. [PostScript].

Other People's Papers

From time to time, I make available papers from other researchers that I didn't write myself but that are of wide interest and don't otherwise have a home. Here's what's available now:

  • S. Fluhrer, I. Mantin and A. Shamir. Weaknesses in the Key Scheduling Algorithm of RC4. Preliminary Draft, July 25, 2001. [PostScript].

  • A. Biryukov and A. Shamir. Real Time Cryptanalysis of the Alleged A5/1 on a PC. Preliminary Draft, December 9, 1999. [PostScript].

Click here to return to the home page.