A "capture protection server" protects a cryptographic key on a device that may be captured, by authenticating the user of the device (e.g., by password) before permitting the key to be used. Delegation from one capture protection server to another enables the new server to perform this capture protection function for the device. Delegation, however, opens the system to new vulnerabilities, including difficulties in limiting online password-guessing attacks and in disabling a device that has been stolen by an attacker who knows the password. In this work we present a lightweight protocol for coordinating capture protection servers that eliminates these vulnerabilities. We also report on the implementation of our protocol in a JCA-compliant cryptographic service provider, and on the ramifications of the JCA interfaces for our approach. This is joint work with Mike Reiter and Asad Samar.
Dr. Chenxi Wang is a member of the research faculty at Carnegie Mellon University. She received her Ph.D. from the University of Virginia in 2001. Her areas of research interest are security issues in distributed systems, survivable networks, and large-scale information dissemination. Chenxi is the principal investigator of various NSF and NIST research awards. She is the recipient of faculty fellowships from GM and the Army Research Office. Chenxi is the author of numerous technical publications and has served on program committees for ACSAC, ACM's Privacy Workshop, and the New Security Paradigms Workshop.