1994-02-27 - More crypto in real life…

Header Data

From: “Alan (Miburi-san) Wexelblat” <wex@media.mit.edu>
To: cypherpunks@toad.com
Message Hash: b4247915b8aa2c342e646cea6769315bdd78b9ee735bb5a7788b327bcdabc3f4
Message ID: <9402271629.AA07476@media.mit.edu>
Reply To: N/A
UTC Datetime: 1994-02-27 19:12:54 UTC
Raw Date: Sun, 27 Feb 94 11:12:54 PST

Raw message

From: "Alan (Miburi-san) Wexelblat" <wex@media.mit.edu>
Date: Sun, 27 Feb 94 11:12:54 PST
To: cypherpunks@toad.com
Subject: More crypto in real life...
Message-ID: <9402271629.AA07476@media.mit.edu>
MIME-Version: 1.0
Content-Type: text/plain


[The following is excerpted from RISKS digest.  I have sent mail to Valente
asking him to be more specific about what kind(s) of encryption they use for
their authentication routines.  I am slighly worried by the somewhat naive
statments in this posting.  --AW]

Date: 17 Jan 1994 20:09:29 -0800
From: "Luis Valente" <luis_valente@genmagic.genmagic.com>
Subject: Safety in Telescript

Phil Agre's message of January 6th ("Wild agents in Telescript?") brings
up some very good points. In this message I would like to describe some
of the safety features of Telescript that are used to prevent both
ill-intentioned scripts (e.g., worms, viruses) and buggy scripts from
damaging a Telescripted network.

1) The Telescript language is interpreted, rather than compiled. Thus,
Telescript programs cannot directly manipulate the memory, file system or
other resources of the computers on which they execute.

2) Every Telescript agent (i.e, Telescript program that can move around a
Telescript network) is uniquely identified by a telename. A telename
consists of two components: an authority which identifies the "owner" of
the agent (e.g., the Personal Communicator from which it originated) and
an identity which distinguishes that agent from any other agent of the
same authority. The authority component is cryptographically generated
and cannot be forged. Thus, when an agent is transferred from one
Telescript engine to another, it is possible to verify (using
cryptographic techniques) that the agent is indeed of the authority it
claims to represent. (N.B.: a Telescript engine is a program capable of
interpreting and executing Telescript programs).

3) Every Telescript agent has a permit which limits its capabilities.
Permits can be used to protect users from misprogrammed agents (e.g., an
agent that would otherwise "run away" and consume resources for which the
user would have to pay) and to protect Telescript service providers from
malicious agents. Two kinds of capabilities are granted an agent by its
permit. The first kind is the right to use a certain Telescript
instruction, e.g., the right to create clones of itself. The second is
the right to use a particular Telescript resource and by which amount.
For example, an agent is granted a maximum lifetime, a maximum size and a
maximum overall expenditure of resources (called the agent's allowance),
measured in teleclicks. An agent's permit is imposed when the agent is
first created and is renegotiated whenever that agent travels to an
engine controlled by a different administrative authority. If the agent
exceeds any of its quantitative limits, it is immediately destroyed by
the Telescript engine where it is executing.

4) Telescript agents move around a Telescript network by going from one
Telescript place to another. Telescript provides an instruction -- go --
that gives agents this travelling capability (if granted by their permit,
of course). Places are Telescript programs in their own right. Before
accepting an incoming agent, a place can examine the agent's telename,
permit and class (N.B.: an agent represents an instance of a Telescript
class; thus, the class of the agent represents the "program" that the
agent executes. Like authority names, class names cannot be forged).
Based on that information, the place can do any the following:

    a) Do not allow the agent to enter.

    b) Allow the agent to enter but only after imposing upon it a permit
more restrictive than the one it currently holds (e.g., the agent is only
allowed to consume 100 teleclicks while in this place).

    c) Allow the agent to enter and execute under its current permit.

5) When a Telescript process (agent or place) interacts with another
Telescript process, the telename and class of the former is available to
the latter. This enables Telescript applications to control who can
interact with them and in what ways.

I hope this (brief) description of some of the more pertinent security
features of Telescript will help Risks readers understand how we've
addressed the issues raised in the NYT article and in Phil's message.

-Luis Valente, General Magic, Inc.

------------------------------






Thread