SC-CFS: Smart

ard Se ured Cryptographi File

System
Naomaru Itoi

Center for Information Te hnology Integration

University of Mi higan
Ann Arbor
http://www. iti.umi h.edu/proje ts/smart ard/
Storing information se urely is one of the most important roles expe ted for omputer systems, but it
is di ult to a hieve with urrent ommodity omputers. The omputers may yield se rets through
physi al brea h, software bug exploitation, or password guessing atta k. Even le systems that provide
strong se urity, su h as the ryptographi le system, are not perfe t against these atta ks. We have
developed SC-CFS, a le system that en rypts les
and takes advantage of a smart ard for per-le key
generation. SC-CFS ounters password guessing atta k, and minimizes the damage aused by physi al
atta k and bug exploitation. The performan e of the
system is not yet satisfa tory, taking 300 ms for a essing a le.

Introdu tion

Storing information se urely has been one of the

most important appli ations of omputer systems
sin e their introdu tion. As information te hnology
is being integrated into so iety rapidly, se ure storage is now demanded more strongly, and by more
people, than ever. For example, onsider the re ent
in ident in whi h a laptop omputer was stolen from
the State Department of the United States in January 2000 [20. Not only the people who deal with
highly lassied information, but also ordinary people are threatened by ha kers, as they store their
private data on omputers today, e.g., e-mail, nan ial information, Internet a tivity history, and
medi al history.
For the purpose of this paper, we dene se ure
storage as \a storage system that prote ts the se-

re y, authenti ity, and integrity of the information

it stores".1 Unfortunately, modern ommodity omputers annot provide se ure storage be ause of the
three prevalent, but ina urate, assumptions about
omputer systems. First, modern ommodity omputers tend to overlook physi al se urity, and la k
physi al prote tion; read and write a ess to omputational and storage devi es is typi ally possible
by simply opening the over of a omputer. For example, a hard disk drive is easily removed, giving
full a ess to an adversary. Se ond, bugs in design and implementation of software are unavoidable [8, and an be exploited to give away se rets.
Exploitable bugs are found in all ranges of software,
and some of them are so serious that they lead to administrative rights (root) ompromise [11. Third,
passwords are often the weakest link in se urity systems. On e passwords are stolen, no matter how
se urely the system is designed and implemented,
it be omes vulnerable to impersonation. Passwords
an be stolen from memory, from virtual memory
ba king store [23, in transit through networks [25,
or an be guessed with di tionary atta k [17.
An obvious ountermeasure to theft of se rets is to
en rypt the se rets with an en ryption key, and prote t the key. Matt Blaze has realized this with
a Cryptographi File System for UNIX (CFS) 2 ,
whi h transparently en rypts les in a le system
[4. Although CFS adds signi ant se urity to urrent systems, it still suers from the the problems
introdu ed above. First, CFS relies on user hosen
passwords to provide en ryption keys, making di 1 Denning denes the desired properties of a ommuni ation hannel similarly [6.
2 Throughout this do ument, we refer to CFS version 1.3.3
by \CFS".

tionary atta k possible. An adversary an obtain

iphertext through physi al atta k or bug exploitation, and an run an o-line di tionary atta k. Se ond, the number of passwords a user an remember
is limited. To lower the burden of the user, CFS
uses one key to en rypt all the les in a dire tory
tree, whi h is not as desirable as using one key for
ea h le. If the key is stolen, physi ally or through
exploitation, the les en rypted under the key are
revealed. Therefore, the fewer les are en rypted
under a single key, the better.
We atta k this problem by storing a randomly generated user key on a smart ard, and generating a le
key that is used to en rypt only one le. We have
implemented su h a system alled SC-CFS, based on
CFS. Instead of a password, SC-CFS uses the random key on a smart ard to generate le keys, thus
thwarting di tionary atta k. On host ompromise,
SC-CFS reveals only the keys of the les that are
urrently used (and these les are already in memory in the lear, anyway), thus minimizing damage. The design, se urity onsiderations, implementation, performan e evaluation, related work, and
future dire tion are dis ussed in this paper.

Design

2.1

Cryptographi File System Review

As SC-CFS is based on CFS, it is important to

understand how CFS works. CFS onsists of a
CFS daemon, or fsd, and appli ation programs.
fsd is a Network File System [21 server daemon
(i.e., it provides a le system that an be mounted
and be a essed through the NFS proto ol) that
stores data en rypted. Appli ation programs in lude mkdir, whi h reates a CFS prote ted dire tory, atta h, whi h prepares a CFS dire tory
for use, and deta h, whi h reverses atta h's operation.

Only the owner of the smart ard should be able

to use the le system. Therefore, a le key,
whi h is used to en rypt and de rypt a le,
should be derived from the master key in a
smart ard. On the other hand, the master key
should NOT be derivable from the le key.

A unique le key is used to en rypt ea h le.

A le key is used to en rypt only one le to
minimize the damage if it is revealed through
host ompromise. This property is dis ussed
more in Se tion 3.

A le key hanges with the asso iated le.

When a le is written, its asso iated le key
hanges to prote t the new le ontent; this
provides forward se re y. Consider the following s enario: a le key is stolen through host
ompromise. The le ontent is revealed to the
adversary. Later, the le ontent is updated by
a user. If the le key does not hange, the new
ontent is also available to the adversary. To
avoid this, the le key should hange on every
update.

To a hieve these goals, we designed the following

key management s heme.

A randomly generated master key is stored in

a smart ard.

fsd uses a le's inode number and a timestamp of last modi ation as a seed of the le.
Ea h entry is 4 bytes long, so the seed is 8 bytes
long (finode#, timestampg).

fsd sends the seed to the smart ard. The

ard replies with the SHA1 hash result of
the seed on atenated with the master key.
(SHA1finode#, timestamp, Kuser g). This is
20 bytes long.

fsd further hashes the result into an 56-bit

DES key, and uses it to en rypt and de rypt
the le.

Readers interested in details of CFS are advised to

onsult Blaze's paper [4.
2.3
2.2

Key Management

The goals of key management are as follows:

A le key is derived from a master key in a

smart ard.

Authenti ation

SC-CFS employs the same authenti ation me hanism as CFS. A \signature", whi h is a 4 byte predened string on atenated with 4 byte random string,
en rypted in a way des ribed in the previous key
management se tion, is stored in ea h CFS dire tory. When a user starts a essing the dire tory,





atta h tries to de rypt the signature. If atta h

re overs the predened string orre tly, the user has
entered the right password (in CFS) or used the
right smart ard (in SC-CFS), so he is allowed to
enter the dire tory.

In SC-CFS, before a smart ard is used, the orre t

Personal Identi ation Number (or PIN) must be
typed. The PIN is a 3 - 8 digit number, whi h
prote ts the information in the smart ard when it
is lost or is stolen. The adversary who owns the
smart ard annot use it without knowing the PIN,
as the smart ard blo ks after some xed number,
say three, wrong PINs are entered.
2.4

Another le enters the a he.

On e a minute.
CFS dire tory is deta hed.

Se urity Consideration

We dis uss the se urity of our approa h here, mainly

in omparison with CFS. Another ryptographi le
system, Transparent Cryptographi File System (or
TCFS), has a key management system similar to
CFS [5. Dis ussion of CFS in this se tion also applies to TCFS.

Ca hing

CFS employs partial en ryption of a le to minimize

the performan e overhead introdu ed by en ryption.
When a blo k (8 byte) in a le is updated, it is
rst XOR'ed with a pre omputed string, en rypted
with a sub key, and then XOR'ed with another pre omputed string. The two pre omputed strings and
the sub key are pseudorandomly generated, based
on the dire tory key 3 . The advantage of this approa h over a haining mode en ryption, su h as
DES-CBC, is that a le an be partially updated.
Chaining mode en ryption requires the entire le to
be en rypted at on e.
As one of our goals is to hange a key with every
update of the asso iated le, we do not use this
partial en ryption approa h. Instead, every write
re-en rypts the whole le, . Therefore, DES-CBC
is used.4 This introdu es potentially prohibitive
performan e overhead be ause of paging. In most
UNIX systems, a le onsists of several 4096 byte
pages. A write operation to a long le is split into
multiple 4096 byte writes. For example, to write a 1
Mbyte le, 256 write operations are ne essary. We
annot aord to hange a le key and en rypt the
entire le 256 times. To ounter this, a single le
a he is introdu ed.
The a he loads a le when it is rst a essed, and
de rypts it. When the le is losed, it is en rypted
under an updated le key and written ba k to the
ba king store. Be ause NFS does not have a lose
operation (NFS server is stateless), writeba k happens in one of the following events:
3 A dire tory key is a key used to en rypt les in a dire tory. This is entered by a user.
4 We still ould have used partial en ryption to a hieve
partial reads. The de ision to use DES-CBC may be re onsidered in the future.

3.1

Model

We start with onstru ting a model of our system.

The model onsists of the following parti ipants:
Ali e (A)
Host

A user who uses CFS or SC-CFS.

A host omputer that runs CFS or SC-CFS.

A smart ard that plays the key generation role in SC-CFS.

Smart ard

A ba king store for CFS or SCCFS. This may be any le system, e.g., a lo al
le system or a network le system.

Ba king Store

Mallory (M)
3.2

An adversary.

Threats

We make the following assumptions in our model.

1. Mallory an ompromise a host.
Mallory an exploit se urity holes of the host,
or physi ally a ess the host and overwrite the
system administrator's password. Mallory an
read and modify any information on the host.
2. Mallory annot substantially hange the behavior of the host.
By Assumption 1, Mallory is able to install a
Trojan horse in the host, whi h, for example,
steals de rypted les. However, we assume this
atta k is impossible be ause:

Maintaining Trojan horses is hard, as Ali e an nd them by looking at hange of

le ontents and logs.




It be omes mu h harder if Ali e uses appli ation integrity he ker, su h as Tripwire

[16.

In SC-CFS, a smart ard remembers a randomly generated master key, and generates le keys, eliminating this problem.

It be omes even harder if Ali e uses hardware based integrity he ker, su h as

AEGIS [1 and sAEGIS [13.

Storage Theft

3. Mallory annot ompromise the smart ard.

Mallory an neither read nor modify any information in a smart ard. She annot in uen e
the behavior of a smart ard.
4. Cryptographi operations are strong.

3.3

Storage theft is sometimes more easily a omplished

than host ompromise, thus requires spe ial attention.
In CFS, the keys are derived by user passwords, and
are vulnerable to di tionary atta k. An adversary
who steals a hard disk an run o-line di tionary
atta k as follows:

Our prin ipal ipher is DES, whi h is assumed impossible to ompromise in reasonable
amount of time. This may not be a good assumption any more in the age of fast DES
ra kers [7. DES should be repla ed with
triple-DES in the future.





Also, our prin ipal hash fun tion, SHA1, is assumed to be ollision free.

Apply reversed CFS en ryption operation to an

en rypted le.

If this re overs a readable text, this is the right

key. If it does not, pi k another password and
try again.

Atta k

Key Theft

If a host is ompromised (possible by Assumption

1), keys an be stolen in CFS and SC-CFS:
In CFS, the key that en rypts the urrent working
dire tory is stolen. As a result, all the les in the
dire tory are revealed. Unless the key is expli itly
hanged, all the les will be a essible by the adversary.
In SC-CFS, the key that en rypts the le urrently
in the SC-CFS a he is stolen. The rest of the les
in the le system are safe. The master key is safe
be ause it is in a smart ard (Assumption 3). When
the le is updated, it is en rypted under a dierent
key, so it be omes safe again.
SC-CFS is more se ure than CFS be ause when a
key is stolen, only one le an be de rypted by the
key. This le is being used by an appli ation, so
it resides in the lear in memory, and is revealed
on host ompromise, anyway. In ontrast, when a
dire tory key is stolen in CFS, all the les in the dire tory tree, in luding the ones that are not opened,
are revealed.
CFS takes this \key per dire tory tree" approa h to
avoid for ing a user to remember many passwords.

Pi k a password.
Generate a sub key and random strings, as CFS
does.

Many sophisti ated password ra kers are published

(e.g., John the Ripper [22), and an be used to
implement su h an atta k.
In SC-CFS, the master key is a random number, so
it is not vulnerable to di tionary atta k. By Assumption 4, brute for e atta k on the master key is
also impossible.
On-Line Atta k

In both CFS and SC-CFS, user authenti ation is

performed by atta h, with a password in CFS and
with a PIN in SC-CFS. As a onsequen e, if Mallory
ompromises the host (possible by Assumption 1)
while Ali e is using CFS or SC-CFS, she is able to
impersonate Ali e.
This auses more serious damage to CFS than to
SC-CFS be ause with CFS, Ali e has no way knowing Mallory is a essing her les. With SC-CFS,
one an take advantage of physi al isolation of a
smart ard to ounter this problem. For example, if
a LED box that indi ates data transmission via a serial port is installed on Ali e's omputer, she knows
when Mallory is a essing her les. Furthermore, a
display on the smart ard reader that displays the
name of the a essed le and a pad on the reader
that asks for a PIN on a essing les are useful.

The problem of on-line atta k is a potent threat

to almost all smart ard based systems be ause urrent smart ards do not have a se ure I/O path with
users. This is an important problem. A smart ard
reader with a built-in PIN pad an solve this problem partially, i.e., it prevents PIN theft. SPYRUS's
Rosetta Personal A ess Reader 2 is an example of
su h readers [26.

operations are modied to a ess data through

the a he.

When atta h is invoked with -p

port-number option, it asks for a PIN

instead of a password and then sends it to

fsd. fsd initializes the smart ard, sends the

PIN to the smart ard, and then arries out the

ard authenti ation des ribed in Se tion 2.3.

Virtual Memory Compromise

Niels Provos has pointed out that virtual memory ba king store may ontain riti al se rets even
though appli ation programs delete them [23. By
reading a hard disk whi h is used as the ba king
store, Mallory is able to re over se rets.

In CFS, the user master key and the dire tory keys
may be in virtual memory. In SC-CFS, the user
master key is in a smart ard, so only the le keys
are vulnerable.

Modi ation to fsd

In CFS, fsd stores finode#, reation timeg
in a le alled .pve t en rypted-lename. SCCFS uses the same le. 5 First, fsd is modied to store a modi ation time instead of a
reation time, as the modi ation time is used
as a seed of a le key in SC-CFS.
Then, the single-le a he des ribed in Se tion
2.4 is implemented. Finally, read and write

5 CFS

does this instead of using information in the vnode

stru ture, as the information hanges on undesirable o asions, e.g., when a le is ba ked up and is resumed, or its
modi ation time is hanged by tou h.

Modi ation to mkdir

When mkdir is invoked with -S option, it reates a signature des ribed in Se tion 2.3 in the
newly reated SC-CFS dire tory.

Implementation of SC-CFS applet

The master key is stored in a le in a smart ard alled ``ke'', or 0x6b65. This le is ongured so that it annot be a essed without
going through the applet. The applet reads
this le only after the orre t PIN is presented.
Key generation is simple: the applet on atenates the 8 byte seed to the 16 byte master key,
hashes it with SHA1, and returns the result to
fsd.

Host-side implementation was tested on Linux2.2.12 and OpenBSD-2.7. NFS is a standard

proto ol, so this should run on almost any
UNIX. Smart ard-side implementation is spe i to
S hlumberger Cyber ex A ess smart ard. Be ause
Cyber ex A ess is a Java ard, we refer to the
smart ard-side program as \SC-CFS applet".

Modi ation to deta h

When deta h is invoked, fsd leans up the
a he and terminates the onne tion with the
smart ard.

Implementation

SC-CFS has been implemented as extension to CFS.

The implementation is divided into the following
parts: modi ation to fsd, atta h, mkdir, and
implementation of the SC-CFS applet. Here we dis uss ea h part.

Modi ation to atta h

Performan e Evaluation

We have evaluated the performan e of SC-CFS

in omparison with CFS and a lo al le system
(EXT2). First, the result of the Andrew Ben hmark Test [10 is reported to show user response
time. Then, we look into the details of SC-CFS's
most expensive operation: smart ard a ess.
The result shows that SC-CFS is signi antly slower
than CFS when it a esses a smart ard to generates
keys. Most of this penalty is due to the slow speed
of a smart ard.
All the measurements have been arried out on
Linux-2.2 with 400 MHz AMD K6 and on Cyber ex A ess smart ard. All the numbers reported
are in se onds, and are average of 5 trials.

5.1

Round Trip Time

The Andrew Ben hmark (ABM), a standard le system ben hmark test, is used to measure the overhead of SC-CFS. ABM has ve phases: MakeDir
(mkdir), Copy ( p), S anDir (ls -l), ReadAll
(grep), and Make ( ). Sour e ode of C programs
used in the Make phase is slightly modied from
the original Andrew Ben hmark to make the test
runnable on Linux-2.2 6 . The results are shown below. The numbers are in se onds.
Lo al CFS (se ) SC-CFS (se )
MakeDir 0
0.2
0.2
0.6
1.0
21.8
Copy
S anDir 1.2
1.6
1.0
ReadAll 2.0
3.0
22.6
5.0
7.8
29.6
Make
SC-CFS works as e iently as Lo al and CFS when
it does not need to a ess a smart ard (MakeDir
and S anDir 7 ). However, in the other ases (Copy,
ReadAll, Make), SC-CFS is mu h slower.

seed to the smart ard and invokes the key generation method inside the smart ard. The other is
get response, whi h asks the smart ard to return
the result of key generation. A smart ard standard
ISO 7816-4 [12 denes the T=0 ommuni ation proto ol, whi h Cyber ex A ess adopts, to be unidire tional, i.e., a smart ard an either send or re eive data in one APDU. Therefore, in addition to
generate key APDU, get response APDU is ne essary. These two APDUs are sent to the smart ard
onse utively.
The following table shows the breakdown of the two
APDUs. \generate key APDU overhead" is time
spent for sending a seed to smart ard, invoking the
method, and preparing a buer for returned data.
Be ause this annot be broken down further, it is
shown as one operation.
operation
time (se )
Hash (SHA1) 24 byte into 20 byte 0.15
0.10
generate key APDU overhead
Sele t root in le system
0.01
Sele t key le \ke" in le system
0.01
Read 16 byte from key le
0.01
get response APDU (20 byte)
0.01
total
0.29

This performan e impa t is learly due to the slow

speed of a smart ard. Key generation, the only servi e the smart ard provides, takes 0.31 se ond. The
following table shows: (1) the number of a esses
to a smart ard, (2) (1)  the average smart ard a The ost boils down to two dominating operations:
ess time (0.31), and (3) the dieren e between the
SHA1 hash fun tion and generate key APDU overround trip time of SC-CFS and CFS. The se ond
head. These two are ne essary operations, and we
olumn and the third are very lose, showing that
annot improve the performan e of them without
the most of the performan e overhead is for smartmodifying the smart ard. This points out the ne ard.
essity of smart ards that exe ute ryptographi op#a #a 0:31(s) SC-CFS CFS(s) erations faster, with lighter method invo ation overhead.
MakeDir 0
0
0
Copy
70
21.7
20.8
S anDir 0
0
-0.6
ReadAll 70
21.7
19.6
6 Related Work
Make
75
23.3
21.8
5.2

Detailed Look

As smart ard a ess is seen to be the bottlene k of

SC-CFS, this part deserves spe ial attention. Detailed performan e evaluation was arried out on
Cyber ex A ess, whi h ommuni ates at 57.6 Kbps
with the host.
SC-CFS's smart ard operation involves two APDUs
One is generate key, whi h sends an 8 byte

8:

6 We

added ve global variables, removed two get har()s,

and hanged options to ar. None of them should alter performan e signi antly.
7 File attributes retrieved by stat() are not en rypted.
8 An APDU is a ommand sent to a smart ard from a

There exist several remotely keyed en ryption algorithms. The remotely keyed en ryption is a way to
en rypt bulk data with a key in a smart ard, where
only small amount of work is done on the smart ard,
and the rest is done on a fast host. Our session key
generation s heme is one of them. Other examples
in lude RKEP by Matt Blaze [3, another one by
Blaze [2, ReMaRK [19 and ARK [18 by Lu ks,
and one by Jakobsson et al. [15.
We have hosen our keying s heme be ause this is
implemented the fastest on the smart ard we used
(Cyber ex A ess). It is implemented with one
host. Readers interested in smart ard on epts are advised
to onsult a referen e text [9.

smart ard all, in whi h a hash fun tion is alled

on e. RKEP requires one smart ard all with two
en ryption alls and one hash fun tion all. The
other Blaze requires one smart ard all with one
en ryption all (en ryption is more expensive than
hash fun tion in Cyber ex A ess). ReMaRK requires two smart ard alls with two en ryption fun tion alls and one hash fun tion all. ARK requires
two smart ard alls with two random permutation
alls and two random fun tion alls. Jakobsson requires one smart ard all with one en ryption all.

requirements of an environment, middle ground implementation may be useful, e.g., \key per n les"
approa h, or a hing le keys.

Our keying s heme appears to prote t a master key

and generates good session keys. However, not being ryptographers, we ould not prove our s heme
to be as se ure as the other s hemes in this paper. Whether our s heme is best for SC-CFS or
we should hoose one of the the other s hemes is
under dis ussion.

The following three aspe ts highlight the value of

this work.

7
7.1

Future Dire tion

Administration Tools

With the urrent SC-CFS prototype, a user has to

manually update his master key and PIN via our
smart ard ommuni ation tool alled pay [24. Automated tools to do this should be provided.
7.2

Con lusion

We have developed SC-CFS, whi h improves the se urity of CFS by integrating a smart ard as a personal se ure storage of a key.

Improvement to important software.

As introdu ed in Se tion 1, the in reasing threat of

physi al atta k demands a way to prote t se rets
in a omputer. CFS (and all the other le systems
that prote t les through en ryption) is a se ure
and seamless solution to this problem. This work
improves CFS in two important properties: se urity and onvenien e. SC-CFS is more se ure than
CFS be ause (1) the master key is a random number instead of a password, (2) the user master key
is not exposed to the host, and (3) a stolen le key
an reveal only one le. It is also more onvenient
than CFS be ause all a user has to remember is a
short PIN, rather than multiple long passwords.

Performan e Improvement

Clearly, performan e overhead is a large obsta le

against wide deployment of SC-CFS. 300 millise ond overhead per le is a eptable for some appli ations, for example, word pro essing, but is not
for others, su h as s anning a large number of email messages for a string, or a query operation on
a large database. Therefore, performan e improvement is essential.
Unfortunately, as shown in Se tion 5.2, the overhead
is dominated by individual operations in a smart ard, whi h we, as appli ation developers, annot
hange. We hope new smart ards or other similar
devi es will a hieve mu h higher performan e in the
near future.
To improve the performan e of SC-CFS with urrent smart ard te hnology, it is possible to ompromise between \key per dire tory tree" approa h
(CFS) and \key per le" approa h (SC-CFS). The
former is more e ient, but the latter is more se ure. Depending on the se urity and performan e

Important appli ation for smart ards.

We believe that widespread deployment of se ure

hardware is essential to the se urity of omputer
systems. Systems are as se ure as the weakest link,
and relian e on user passwords is often the weakest link. Granted, passwords an be made stronger
by hoosing good ones and by hanging them often. However, widespread deployment of se urity riti al Internet servi es requires a human to maintain many passwords: omputer login, le system
authenti ation, newspaper homepages, e- ommer e
homepages, online banks, web portals, and so on.
Realisti ally speaking, it is impossible for a human
to maintain so many good (therefore hard to remember) passwords. She will end up using the same
password for many servi es, or will write the passwords down somewhere. Besides, she does not want
to type passwords all the time. Smart ards solve
this problem ni ely by se urely storing keys. Therefore, we wish to ontribute to the widespread deployment of smart ards, and this work is an impor-

tant step toward the goal, as se ure storage is an

important and suitable appli ation of a smart ard
(authenti ation being another [14).
Remark on smart ard performan e

Performan e evaluation in Se tion 5 shows how important a fast smart ard is. In re ent years, smart ards have matured in terms of fun tionality and
reliability. However, we have not seen signi ant
performan e improvement, even though mi ropro essors have sped up by 5 to 10 times.

Availability

SC-CFS has been tested on Linux 2.2 and OpenBSD

2.7. The sour e ode of SC-CFS is available at CITI
homepage:
http://www. iti.umi h.edu/proje ts/
smart ard/s - fs.html

A knowledgment
We thank Niels Provos for suggesting a high speed
key generation method. Peter Honeyman and Jim
Rees have advised us through this proje t, and suggested a le a hing idea.
This work was partially supported by a resear h
grant from S hlumberger, In .

Referen es
[1 William A. Arbaugh, David J. Farber, and
Jonathan M. Smith. A se ure and reliable bootstrap ar hite ture. In 1997 IEEE Symposium
on Se urity and Priva y, Oakland, CA, May
1997.
[2 M. Blaze. Key management in an en rypting le system. In Pro eedings of the USENIX
Summer 1994 Te hni al Conferen e, pages 27{
35, Boston, MA, USA, 6{10 1994.
[3 M. Blaze. High-bandwidth en ryption with
low-bandwdith smart ards, 1996.
[4 Matt Blaze. A ryptographi le system for
UNIX. In Pro eedings of 1st ACM Conferen e

on Computer and Communi ations Se urity,

pages 9{16, Fairfax, Virginia, November 1993.
ftp://ftp.resear h.att. om/ dist/mab/ fs.ps.

[5 G. Cattaneo, G. Persiano, A. Del Sorbo,

A. Celentano, A. Cozzolino, E. Mauriello,
and R. Pisapia. Design and implementation
of a transparent ryptographi le system
for UNIX. Unpublished Te hni al Report.
Dip. Informati a ed Appl, Universita di
Salerno. Available via ftp in ftp://edugw.
dia.unisa.it/pub/t fs/do s/t fs.ps.gz.,
July
1997.
[6 Dorothy Denning. Cryptography and Data Se urity. Addison-Wesley, 1983.
[7 Ele troni Frontier Foundation. Cra king DES
- Se rets of En ryption Resear h, Wiretap Politi s & Chip Design. O'Reilly & Asso iates,
In ., 1 edition, 1998.
[8 Jr. Frederi k P. Brooks. The Mythi al ManMonth : Essays on Software Engineering.
Addison-Wesley, 2 edition, July 1995.
[9 S ott B. Guthery and Timothy M. Jurgensen.
Smart Card Developer's Kit. Ma Millan Te hni al Publishing, Indianapolis, Indiana, De ember 1997.
[10 J.H. Howard, M.L. Kazar, S.G. Menees, D.A.
Ni hols, M. Satyanarayanan, R.N. Sidebotham,
and M.J. West. S ale and performan e in a
distributed le system. ACM Transa tions on
Computer Systems, 6(1):51 { 81, Feb. 1988.
[11 John D. Howard. Se urity in idents on the
internet. In Pro eedings of INET 98. Internet So iety, 1998. http://www. omms.uab.es/
inet99/inet98/ 2d/2d 3.htm.
[12 The International Organization for Standardization and The International Ele trote hni al
Commission. ISO/IEC 7816-4 : Information
te hnology - Identi ation ards - Integrated
ir uit(s) ards with onta ts, 9 1995.
[13 Naomaru Itoi, William A Arbaugh, Samuela J
Polla k, and Daniel M Reeves. Personal se ure
booting. Te hni al report, Center for Information Te hnology Integration, 2000. To appear
in ACISP 2001, Australia. Te hni al Report at
http://www. iti.umi h.edu/ te hreports/.
[14 Naomaru Itoi and Peter Honeyman. Smart ard
integration with Kerberos V5. In Pro eedings of
USENIX Workshop on Smart ard Te hnology,
Chi ago, May 1999.

[15 M. Jakobsson, J. Stern, and M. Yung. En rypt

small, 1999.
[16 Gene H. Kim and Eugene H. Spaord. The design and implementation of tripwire: A le system integrity he ker. Te hni al report, Purdue
University, 1995. CSD-TR-93-071.
[17 Daniel V. Klein. Foiling the ra ker: A survey of, and improvements to, password se urity. In UNIX Se urity Workshop II, pages 5 {
14. USENIX Asso iation, 1990.
[18 S. Lu ks. A elerated remotely keyed en ryption. Le ture Notes in Computer S ien e,
1636:112{123, 1999.
[19 Stefan Lu ks. On the se urity of remotely keyed
en ryption. In Fast Software En ryption, pages
219{229, 1997.
[20 Christopher Marquis. Deep se urity aws seen
at state dept, May 2000. http://www.fas.org/
sgp/news/2000/05/ nyt051100.html.
[21 Sun Mi rosystems. Network lesystem spe i ation. Network Working Group, Request For
Comments 1094, Mar h 1989.
[22 Open Wall Proje t.
John the ripper.
http://www.openwall. om/john/.
[23 Niels Provos. En rypting virtual memory. In
Pro eedings of 9th USENIX Se urity Symposium, August 2000.
[24 Jim Rees.
Iso 7816 library, 1997.
http://www. iti.umi h.edu / proje ts /
sin iti / smart ard / s 7816.html.
[25 Dug Song. dsni. http://www.monkey.org/
dugsong/dsni/.
[26 Spyrus. http:// www.spyrus. om/.