Re: Hand Waving vs. Rigorous Analysis... (was Security Engineering vs. Crypto Academics...)

From: Ernst Lippe (ernstl-at-planet-dot-nl_at_ignore.this)
Date: 09/15/04

Date: Wed, 15 Sep 2004 12:38:29 +0200

On Wed, 15 Sep 2004 06:35:06 +0000, Lassi Hippeläinen wrote:

> Ernst Lippe wrote:
> <...>
>> There are two major weaknesses in this system, and they are not at all
>> related to key management as I understand the term. First, permission
>> management for a large user group is very difficult from an
>> organizational point of view. Any modifications to the permission
>> database should only be made by authorized personnel.
> This is a real problem. The real fun begins, when support for dynamic
> membership is added to the game. New members may join the group in the
> middle of a session, and old members may be revoked. I haven't seen any
> working system where those actions could be done in real time. Usually the
> stream is broken to fragments with a separate key, and the keys are
> distributed to members as late as possible. Still there is a time window,
> when authorised recipients (the new members) can't receive the stream, and
> unauthorised ones (revoked members) can.

The only way that you can achieve this is by changing the keys
at very short intervals. Technically, it seems possible but it
would probably be expensive. I don't think that there
are many situations where these additional expenses could be
economically justified.

Ernst Lippe
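
The trade-off discussed in this thread, as an added example that is not part of either poster's message: a small model of a stream cut into separately keyed fragments, measuring the window after a join or a revocation and the number of key messages sent. The lead time, the one-unicast-message-per-member cost, the member names and the event times are all assumptions made for illustration, and key possession is modelled as sets with no real cryptography.

```python
def simulate(interval, lead, duration, events):
    """Model a stream cut into fragments of `interval` seconds, each with its own key.

    The key for fragment k is sent `lead` seconds before the fragment starts,
    to whoever is a member at that moment. `events` is a list of
    (time, "join" | "revoke", member). Returns (access, key_msgs), where
    access[k] is the set of members holding the key for fragment k.
    """
    members, access, key_msgs = set(), {}, 0
    pending = sorted(events)
    for k in range(duration // interval):
        t_dist = k * interval - lead
        # Apply every membership change decided before this key goes out.
        while pending and pending[0][0] <= t_dist:
            _, kind, who = pending.pop(0)
            if kind == "join":
                members.add(who)
            else:
                members.discard(who)
        access[k] = set(members)
        key_msgs += len(members)  # assumption: one unicast key message per member
    return access, key_msgs


def window(access, interval, t_event, member, should_hold):
    """Seconds from a membership change until the stream reflects it."""
    for k in sorted(access):
        still_running = (k + 1) * interval > t_event
        if still_running and (member in access[k]) == should_hold:
            return max(0, k * interval - t_event)
    return None  # never took effect within the simulated duration


# Constructed scenario: carol joins and bob is revoked 130 s into the session.
EVENTS = [(-100, "join", "alice"), (-100, "join", "bob"),
          (130, "join", "carol"), (130, "revoke", "bob")]

if __name__ == "__main__":
    for interval in (60, 10):
        access, msgs = simulate(interval, 5, 600, EVENTS)
        print(f"interval={interval:>3}s  key messages={msgs:>4}  "
              f"carol locked out {window(access, interval, 130, 'carol', True)}s  "
              f"bob still reading {window(access, interval, 130, 'bob', False)}s")
```

In this scenario, shrinking the interval from 60 s to 10 s cuts the window from 50 s to 10 s and raises the key messages for ten minutes of stream from 20 to 120.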
