From Dependable Computing for Critical Applications–5, Champaign, IL, September 1995, pp. 139–157; Volume 10 of the series in Dependable Computing and Fault Tolerant Systems published by IEEE Computer Society Press.

Byzantine Agreement with Authentication: Observations and Applications in Tolerating Hybrid and Link Faults

Li Gong†, Patrick Lincoln, and John Rushby
Computer Science Laboratory
SRI International
Menlo Park, California 94025, USA

Abstract

We show that the assumptions required of the authentication mechanism in Byzantine agreement protocols that use "signed messages" are stronger than generally realized, and require more than simple digital signatures. The protocols may fail if these assumptions are violated. We then present new protocols for Byzantine agreement that add authentication to "oral message" protocols so that additional resilience is obtained with authentication, but with no assumptions required about the security of authentication when the number and kind of faults present are within the resilience of the unauthenticated protocol.

Our analysis is performed under a "hybrid" fault model that admits manifest (e.g., crash) and symmetric faults as well as arbitrary (i.e., Byzantine) faults. We also extend the classical signed messages protocol to this fault model, and show that its fault tolerance is matched by one of our new protocols. We then explore the behavior of these various protocols under the combination of hybrid processor faults and communications link faults. Using formal state-exploration techniques, we examine cases beyond those guaranteed by simple worst-case bounds and find that the resilience of one of the new protocols exceeds that of the others in these regions.
The new protocols are superior to other known protocols in properties and measures of practical interest, and we recommend them for general use. They are particularly attractive in security-critical systems where authentication may be subjected to sophisticated cryptographic attack, and in safety-critical embedded systems where it may be necessary to use very short signatures, but where maximum resilience is required.

This work was supported in part by the National Aeronautics and Space Administration, Langley Research Center, under contract NAS , by the Air Force Office of Scientific Research, Air Force Materiel Command, USAF, under contract F C0044, and by the National Science Foundation under contract CCR

† Li Gong is now with JavaSoft and can be reached at

1 Introduction

A fundamental requirement in fault-tolerant systems based on the "state machine" approach [27] is for replicated processors to reach agreement on the values of single-source data, such as sensor samples. In its abstract form, this is the problem of Byzantine Agreement (and its variant, the problem of "Interactive Consistency," also known as "source congruence," "distributed consensus," and "reliable multicast") [16, 23]. There are two broad classes of protocols for achieving Byzantine agreement. Those based on "oral message" assumptions place no restrictions on what a faulty processor may do; those based on "written message" assumptions disallow faulty processes making undetectable modifications to messages as they are relayed from one processor to another, and also disallow processors manufacturing messages that purport to come from another processor. It is generally stated that the written messages assumptions can be satisfied using cryptographic authentication methods (i.e., "digital signatures"), and protocols based on these assumptions are therefore often called "signed messages" or "authenticated" protocols [5, 11, 16].
Both oral and written message protocols proceed in "rounds" and the parameters of interest include: how many faults can be tolerated by a given number of processors, and how many rounds and how many messages are required? Theoretical studies also consider the size of the messages, or the total number of bits transmitted. The advantage of written messages protocols is that they can generally withstand more faults than oral message protocols, and often require fewer messages. For example, oral message protocols require 3t+1 processors to withstand t faults, while written messages protocols require only t+2 (the problem is vacuous unless there are at least two nonfaulty processors). However, both classes of protocols provably require t+1 rounds in the worst case [5, 11], though "early stopping" protocols (which are most easily constructed under the written messages assumptions) use fewer rounds when the actual number of faults is less than t [2, 7, 8, 10, 12].

It would seem that the written messages protocols have significant advantages over their oral message counterparts (e.g., asymptotically, a three-fold advantage in number of faults tolerated). However, these advantages may not be so significant in practice. In embedded applications, the most severe practical constraint on these protocols is the number of rounds: a given application will generally fix the number r of rounds it can afford (generally two). This, in turn, fixes the number of faults that can be tolerated at r−1, independently of the class of protocols chosen.¹ The class of protocols does affect the number of processors required: e.g., two-round written message protocols require three processors to tolerate a single fault, while oral message protocols require four. But if other purposes (e.g., clock synchronization) already require four or more processors, there seems no compelling reason to use written message protocols. In fact, there is an argument against these protocols which Chris Walter, one of the developers of the MAFT architecture for fault-tolerant flight control [15], expressed to us as follows: "you have to assume that digital signatures satisfy the requirements for written messages, and in life-critical systems we prefer to make as few assumptions as possible." It turns out that this caution is justified.

In the rest of the paper, we first describe the various assumptions that such protocols (we will call them "authenticated protocols") depend on, highlighting the risks in placing the correctness of Byzantine agreement on the effectiveness of cryptographic protocols for which currently there is no method of assurance that is definitive and generally accepted. We note, however, that authenticated protocols can tolerate more faults than oral message protocols, and we show that this advantage is retained when the analysis is extended to a hybrid fault model that counts faults more carefully than the purely Byzantine fault model.
We then consider the addition of authentication to variants of the oral messages protocol and show that this increases the number of faults they can tolerate if the assumptions on the authentication mechanism are warranted, without compromising their innate fault tolerance if those assumptions are violated. Assuming authentication, we show that one of these new protocols can tolerate as many hybrid faults as the classical Signed Messages protocol.

¹ The small number of rounds and the deterministic processor and communications scheduling used in embedded applications also obviate the benefits of early stopping.

We then examine the two-round versions of the various protocols under an enlarged fault model that includes communications link faults. For many applications, this is the most realistic class of protocol and fault-model, and we provide evidence, derived from formal state-exploration techniques, that one of the authenticated oral message protocols provides the greatest fault tolerance.

2 Byzantine agreement, fault models, and message assumptions

In the classical Byzantine Generals problem, there are a number of participants, which we call "processors." A distinguished processor, which we call the transmitter, possesses a value to be communicated to all the other processors, which we call the receivers. (These correspond to the "Commanding General" and "Lieutenant Generals," respectively, in the terminology of Lamport, Shostak, and Pease [16].) It is assumed that there are point-to-point communications paths between each pair of processors. The Byzantine Agreement problem can be studied under several different sets of assumptions. We consider both "Oral" and "Written" message assumptions, and a "hybrid" fault model. The oral messages assumptions are the following [16, p. 387].

A1: Every message that is sent between nonfaulty processors is correctly delivered.

A2: The receiver of a message knows who sent it (assumption of private channels).

A3: The absence of a message can be detected (assumption of synchrony).

Written Messages assumptions add the following to those of oral messages [16, p. 391].
A4(a): Messages sent by a nonfaulty processor (under the hybrid fault model, see later, this becomes a non-arbitrary-faulty processor) cannot be altered or manufactured by other processors.

A4(b): Any nonfaulty receiver can identify the processor that originated a message, if that processor is nonfaulty (again, under the hybrid fault model this becomes a non-arbitrary-faulty processor). Note that A2 concerns the case of a direct path from sender to receiver, whereas A4(b) concerns a message from an "originating sender"
that is possibly relayed by other processors before reaching the receiver.

There are n processors in total, of which some (possibly including the transmitter) may be faulty. In the classical Byzantine Generals problem, there are no constraints other than those given above on the behavior of faulty processors. This leads to pessimistic estimates of the number of faults that can be tolerated because all faults are regarded as the worst possible. We therefore consider a "hybrid" fault model (originally due to Thambidurai and Park [29] and also investigated by Walter, Suri, and Hugue [30]) that distinguishes certain simpler kinds of fault as well as those that are unconstrained. The fault modes we distinguish for processors are arbitrary-faulty, symmetric-faulty, and manifest-faulty. A manifest fault is one that can be detected by mechanisms present in all nonfaulty processors (e.g., missing or improperly formatted messages). The other two fault modes yield behaviors that are not detectably bad: a symmetric fault presents the same faulty behavior to every nonfaulty processor; an arbitrary fault is completely unconstrained (i.e., Byzantine) and may present (possibly) different aberrant behaviors to some nonfaulty processors, and good behavior to others.

The above characterization of the hybrid fault model is a generic one; for Byzantine agreement, the characterization of fault modes has to be refined in terms of the processor behaviors relevant to this problem (see [26] for a different characterization in terms relevant to clock synchronization). The basic step in an agreement protocol is for a processor to transmit a value v to several other processors. The interpretation of a manifest fault in this context is one that produces detectably missing values (e.g., timing, omission, or crash faults), or that produces a value that all nonfaulty recipients can detect as bad (e.g., it fails checksum or format tests). Symmetric faults deliver wrong, rather than missing or manifestly corrupted values, but do so consistently, so that all receivers of a given transmission obtain the same wrong value v′ ≠ v. Arbitrary faults are unconstrained, and can deliver correct, wrong, or manifestly faulty values in any combination.
Under these assumptions, the Byzantine Agreement problem is to devise a protocol that will allow each receiver p to compute an estimate p of the transmitter's value satisfying the following conditions:

Agreement: If receivers p and q are nonfaulty, then they agree on the value ascribed to the transmitter; that is, for all nonfaulty p and q, p = q.

Validity: If receiver p is nonfaulty, the value ascribed to the transmitter by p is
    The value actually sent, if the transmitter is nonfaulty or symmetric-faulty,
    The distinguished value E, if the transmitter is manifest-faulty.

All the Byzantine agreement protocols we consider proceed in rounds: in the first round, the transmitter sends a value to all the other processors; in subsequent rounds, these processors exchange the values received among themselves in order to detect inconsistencies; each receiver then decides on one value among those received and exchanged. How this decision is made, and how the exchanges are done, depends on the protocol considered.

Notice that the additional assumptions for written messages essentially constrain the behavior of symmetric- and arbitrary-faulty receivers: under oral message assumptions, such receivers can alter or manufacture messages purporting to come from other processors in the later rounds; this is prohibited under written messages assumptions. Authenticated protocols attempt to satisfy the written messages assumptions using digital signatures: each processor signs the messages that it sends. Any receiver can check the authenticity of a message and confirm the identity of its claimed originator by checking the signature. There are several digital signature schemes that provide these basic properties [4, 9, 22, 25]. However, in the following section we show that these schemes must be used very carefully.

3 Authentication issues

The messages that are passed among the processors in authenticated protocols have the form {{...{v}_p...}_q}_r which symbolizes the value v in a message signed and sent by processor p, received signed and forwarded by processors ..., q and finally received, signed and forwarded by processor r. If processor p is nonfaulty, then at no stage in the protocol should there exist {{...{v′}_p...}_q}_r in which v ≠ v′.
(This follows because if p is nonfaulty, it would not send out two different values v and v′, and authentication prevents any other processor manufacturing such a value.) It is generally assumed that this requirement is satisfied if digital signatures are simply computed on and attached to the messages being relayed. This would be true if a valid message of the form {{...{v}_p...}_q}_r could only arise once in the lifetime of the protocol. Theoretical examinations of these protocols normally consider only a single "run,"
but in practice they will be called repeatedly (e.g., to distribute sensor samples at the beginning of every process control cycle). It follows that processor r could save a valid message {...{v′}_p...}_q from one run of the protocol and could then inject the correctly signed message {{...{v′}_p...}_q}_r into a later run, which will cause any nonfaulty receiver to conclude that the original sender p must be faulty, and thereby defeat the protocol.

We do not need to postulate active, intelligent attacks to be concerned about this kind of problem: a hardware "off by one" fault that causes a message to be picked up from the wrong buffer when two agreement protocols are in operation simultaneously (as when all processors are exchanging sensor data) could produce this behavior. A solution to this particular problem is to include additional information under the digital signatures that will identify messages as "fresh" (Lamport, Shostak, and Pease suggest sequence numbers [16, page 400]), but this needs to be done carefully in order to distinguish this run of the protocol from others that may be active simultaneously.

In the rest of this section, we discuss this and a number of other issues requiring care in the implementation of authenticated Byzantine agreement protocols.

Signature permutation. The signature system must not be commutative. Otherwise, ∀p, q, v: {{v}_p}_q = {{v}_q}_p and, if the session initiator is faulty, another faulty processor can falsely accuse a third, but correct, processor of being faulty in a several-round protocol.

Verifying signature sequences. Verifying a sequence of t signatures is not trivial. A recipient can try all possible sequences of t out of n signatures, but this requires an exponential amount of computation.
Or the message can include a hint, such as the identity of the signer, in each stage of the signing, so the message may look like {q, {p, v}_p}_q. We can alternatively require that a list of hints is attached to each message outside the signatures. However, such hints will add O(n log n) bits to the message length (in an n-round protocol), thus exceeding the tight lower bound on message bits by Srikanth and Toueg [28, Theorem 1] by a factor of n. (In today's practice, a secure digital signature uses about 512 to 1024 bits.) Note that hints are necessary whether the signature system used is commutative or not. A third approach is to globally order the messages so that a recipient can deduce from the context which signature sequence should be used for verification.

Processors are assumed to know each others' signature keys. Borcherding [3] investigates the case where there is no central authority to distribute these keys, and proposes the notion of "local authentication" to achieve a weaker version of Byzantine agreement.

Distinguishing concurrent sessions. When multiple sessions can execute at the same time, it is vital to determine to which run a message belongs. Otherwise, suppose each processor maintains a different sensor and all processors are trying to agree on the values of all sensors, then a faulty processor may "borrow" a signed message from one run and use it in another. Even a benign processor can possibly make such a mistake, as we described previously. One solution is to attach a session identifier, possibly the identity of the session initiator, to the sensor value. This solution will increase the size of each message by O(log n) bits. This does not exceed the lower bound by Srikanth and Toueg [28] because they already allocate O(log n) bits for signatures.

Detecting replay attacks. Besides distinguishing concurrent sessions initiated by different processors, it is equally important to detect any attempt to reuse past messages (from the same initiator) in a new run. The initiator must securely attach a freshness identifier to the signed value. For example, the initiator can sign both the freshness identifier and the value in the same signature.
There are three types of freshness identifiers, each of which can be used in more than one way [13]. The first is a timestamp, if processors have synchronized clocks. In this case, the initiator attaches the reading from the local clock to the value before signing them. A recipient rejects any message with a timestamp that is outside an agreed time window relative to the recipient's local clock. A significant risk exists when a faulty processor can also have a faulty clock so that the processor sends out values signed with timestamps in the future. Even if this processor were to recover, another faulty processor could play back such a message when the correct time comes. The significance of this attack lies in the fact that there is no guarantee that any correct processor will know the existence of previously signed messages (with future timestamps). To invalidate such messages, a repaired processor can change its signature key during reintegration.

The second type of a freshness identifier is a random number, also known as a "nonce." Since the nonce must be generated by the processor that is checking for freshness, processors must exchange nonces with each other (thus adding one round to the protocol),
and the value must be signed with all O(n) nonces, thus increasing the message length significantly.

The third type is a counter value. Each processor maintains a monotonic counter, increments the counter value before initiating a session, and then signs the value together with the current counter value. Each processor also maintains a vector timestamp, noting the last seen counter value from every other processor, and rejects any value signed with a past counter value. Similar to timestamps, a faulty processor may sign "future" counter values, so it is prudent to change to a new signature key after repair.

Repair and restart. When a processor fails, it may lose all its state information, including the current session and round numbers and freshness identifiers. If the failure is arbitrary, then the surviving state information may be wrong. For example, its clock or counters may be turned back or forward. Moreover, simply asking every processor to reset their counters to zero is vulnerable to replay attacks. Therefore, to restore the synchrony between processors after repair, a repaired processor must use challenge-response (with nonces) to obtain from other processors fresh replies containing the current state information. Given the additional need of assigning a new signature key to the restarting processor and notifying all other processors of the corresponding public key, restart can be costly.

Message redundancy. A message containing the value to be signed must contain sufficient redundancy to protect against forgery. For example, a faulty processor p may choose a random number x and broadcast it as {v}_p for some value v. Because it is quite possible that there is a value v′ such that x = {{v′}_q}_p, p may effectively forge a signature of value v′ signed by q. Or the faulty processor p can simply copy {v′}_q from a previous protocol run and broadcast {{v′}_q}_p. Any processor r who further signs {{v′}_q}_p is also spoofed.
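The checks described above (signer hints under each signature, a session identifier, a counter as freshness identifier, and a key change after repair) can be put together as follows. This is an added example, not code from the paper: the names `originate`, `relay` and `Receiver` are hypothetical, the keys and messages are constructed, and HMAC-SHA256 with per-processor keys stands in for a digital signature, so a verifier holding the keys could itself forge, which a real signature scheme must prevent.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32            # HMAC-SHA256 output; stand-in for a signature
ORIGIN, RELAY = 0, 1    # layer kinds: initiator's layer, relay's layer

def _tag(key, body):
    return hmac.new(key, body, hashlib.sha256).digest()

def originate(keys, p, counter, value):
    """Initiator p signs session id (its own identity), counter and value together."""
    body = struct.pack(">BBQ", ORIGIN, p, counter) + value
    return body + _tag(keys[p], body)

def relay(keys, q, msg):
    """Relay q signs its own identity (the hint) plus the whole inner message,
    so nesting order is fixed: relay(q, relay(p, m)) != relay(p, relay(q, m))."""
    body = struct.pack(">BB", RELAY, q) + msg
    return body + _tag(keys[q], body)

class Receiver:
    def __init__(self, keys):
        self.keys = keys
        self.last_seen = {}   # initiator -> highest counter accepted so far

    def accept(self, msg, session):
        """Return (value, "ok") or (None, reason). `session` is the initiator
        whose run this message is claimed to belong to."""
        signers = []
        while True:
            if len(msg) < 2 + TAG_LEN:
                return None, "malformed"
            body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
            kind, signer = body[0], body[1]
            key = self.keys.get(signer)
            if key is None or not hmac.compare_digest(tag, _tag(key, body)):
                return None, "bad signature"
            if signer in signers:
                return None, "repeated signer"
            signers.append(signer)
            if kind != RELAY:
                break
            msg = body[2:]                      # peel one relay layer
        if kind != ORIGIN or len(body) < 10:
            return None, "malformed"
        (counter,) = struct.unpack(">Q", body[2:10])
        if signer != session:
            return None, "wrong session"        # borrowed from another run
        if counter < self.last_seen.get(session, 0):
            return None, "stale counter"        # replay of a past run
        self.last_seen[session] = counter
        return body[10:], "ok"

def demo():
    # Constructed keys for four processors 0..3.
    keys = {i: hashlib.sha256(b"constructed key %d" % i).digest() for i in range(4)}
    rx = Receiver(keys)
    run1 = relay(keys, 1, originate(keys, 0, 1, b"41"))
    run2 = relay(keys, 1, originate(keys, 0, 2, b"42"))
    results = {
        "run1": rx.accept(run1, session=0),
        "run2": rx.accept(run2, session=0),
        "run2_other_path": rx.accept(relay(keys, 2, originate(keys, 0, 2, b"42")), 0),
        "replayed_run1": rx.accept(run1, session=0),
        "borrowed": rx.accept(relay(keys, 1, originate(keys, 3, 2, b"99")), 0),
    }
    tampered = bytearray(run2)
    tampered[12] ^= 1                           # first byte of the value
    results["tampered"] = rx.accept(bytes(tampered), 0)
    m = originate(keys, 0, 3, b"43")
    results["commutes"] = relay(keys, 1, relay(keys, 2, m)) == relay(keys, 2, relay(keys, 1, m))
    # Processor 0 signed a "future" counter while faulty; re-keying after repair kills it.
    future = originate(keys, 0, 1000, b"13")
    keys[0] = hashlib.sha256(b"constructed replacement key 0").digest()
    results["future_after_rekey"] = rx.accept(future, 0)
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```
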
There are many ways to introduce redundancy into the messages. One is to attach a checksum of a sufficient length to the original value. The size of the message will thus increase, perhaps by 128 bits (the size of a typical one-way hash function output) or at least O(log n) bits. Note that including a unique identifier of the current run does not provide sufficient redundancy because a randomly selected value x can be of the form {id, v}_q, and if id is for a future run, an attack can still happen in the future.

3.1 Practical implications

We have shown that authentication using digital signatures needs to be managed very carefully if it is to be secure against attack. How significant are these threats? There are two main classes of applications for authenticated Byzantine agreement protocols: secure systems that must maintain coordination in the face of capture and active subversion of system components (e.g., the AT&T "Rampart" architecture [24]), and safety-critical embedded control systems (e.g., the MAFT architecture for aircraft flight control [15]).

Sophisticated cryptographic and other attacks are a given in the first class of applications, so our concern about the security of authentication needs no further justification here (the literature is replete with broken cryptographic protocols [1, 21]).

Intelligent malicious attack is not considered a serious possibility in embedded systems, and the argument in these cases is a little different. Byzantine resilient architectures are attractive in these contexts because they simplify the case for assurance and certification: instead of a collection of fault-tolerance mechanisms to counter specific failure modes, and for which it is necessary to provide evidence of coverage and noninterference, we have a single mechanism that can withstand any kind of fault, up to some number, and it is only necessary to provide evidence for correctness and for the estimated overall fault arrival rate. Written message protocols compromise the purity of this position: faulty processors can no longer do absolutely anything, but are constrained by certain assumptions. Real processors can do absolutely anything when faulty, and in implementations using signed messages, it is the authentication mechanism that constrains them within the assumed fault mode.
For certification, it is therefore necessary to provide strong evidence that the authentication mechanism does accomplish this: broken authentication is not just another fault to be tolerated, it is a violation of the assumptions under which correctness of the protocol (and hence of the entire architecture) is established.

We have seen that cryptographically strong authenticated protocols require even small data messages to be encapsulated in large signature and freshness-indicating wrappers, and to carry various key-management indicators. Hence, embedded systems may prefer to dispense with truly secure authenticated protocols and to use short keyed checksums (Lamport, Pease, and Shostak suggest a suitable checksum algorithm [16, page 400]), with fixed keys and simple sequence-numbers to indicate freshness. The authentication assumptions may sometimes fail to hold in this arrangement. In the following sections we present and study protocols that take advantage of authentication if it is present, but that retain Byzantine resilience even when signatures may be
forged. Since checksums will only rarely be "forged" by random malfunctions, these protocols are very well suited to the needs of embedded systems.

The discussion has so far focussed on authentication failure in one direction: failure to adequately constrain the behavior of a faulty processor. Authentication can also fail in the other direction: causing good messages to be rejected as bad. There are two ways this can come about: the authentication mechanism may be algorithmically incorrect or nonrobust (e.g., vulnerable to loss of crypto-synch), or a hardware fault might damage a key. The issues enumerated earlier in this section are intended to help designers avoid the first of these dangers; the second is more likely, but less serious, because it is just another fault, and will be tolerated to the same extent as other faults.

4 Signed messages with hybrid faults

We have argued that great care in implementation is necessary in order to satisfy the assumptions of the authenticated protocols. This care would be justified if the authenticated protocols had significant advantages over oral message protocols. However, for the case of practical importance (that is, two-round protocols) there appears little to choose between the two classes of protocols: the signed message protocol SM(1) and the oral messages protocol OM(1) of Lamport, Pease, and Shostak [16] both require two rounds², and both tolerate only a single arbitrary fault. The difference is that OM(1) requires four processors, while SM(1) requires but three. However, a variation on OM(1) called OMH(1) [19] that operates under the hybrid fault model can tolerate a arbitrary, s symmetric, and m manifest faults simultaneously, provided n, the number of processors, satisfies n > 2a + 2s + m + 1 and a ≤ 1. Thus, OMH(1) appears to tolerate more faults than SM(1) under certain circumstances. Of course, this comparison is unfair because the analysis for OMH(1) considers the hybrid fault model, whereas that for SM(1) treats all faults as arbitrary. So one item that warrants examination is the behavior of SM(1) under the hybrid fault model.
The classical signed messages protocol, SM(r), proceeds as follows [16, p. 391]:

SM(r)
    The transmitter sends a signed message to each receiver. Each receiver adds its signature to the message and sends it to the other receivers who add their signatures and send it to the others, and so on for r rounds. When all the exchanges are completed, each receiver discards any improperly signed messages, extracts the values sent by the transmitter from those that remain and applies a deterministic choice function to those values.

² The parameter r to these protocols starts at zero, so that the number of rounds is r+1.

Note that if the transmitter is not arbitrarily-faulty, the set of values considered in the choice will be a singleton. Lamport, Pease and Shostak show [16, Theorem 2] that SM(r) can tolerate up to r faulty processors, the optimal result [6, 11].

To extend SM(r) and its analysis to the hybrid fault model is straightforward: the hybrid protocol SMH(r) simply recognizes and discards manifest-faulty values. Authentication prevents symmetric-faulty receivers from injecting correctly signed new values, so these receivers either duplicate other messages (which is harmless), or they introduce incorrectly signed messages, which will be discarded. Thus, messages from both manifest- and symmetric-faulty receivers either duplicate existing values or are ignored; hence they play no part in the protocol and it is as if these processors were absent. It follows that only arbitrary-faulty processors need be counted in the fault-tolerance calculation. Thus, by direct analogy with the corresponding result (Theorem 2, page 393) in [16], we have the following result.

Theorem 1 For any r, Protocol SMH(r) satisfies Validity and Agreement provided r ≥ a, where a is the number of arbitrary-faulty processors.

The result is somewhat vacuous unless there are at least two nonfaulty processors, so we also have n > a + s + m + 1, and r ≥ a. This may be compared with OMH(r), where we have n > 2a + 2s + m + r and r ≥ a.
It can be seen that OMH(r) and SMH(r) have the same fault tolerance with regard to rounds, but that SMH(r) requires considerably fewer processors than OMH(r) (or, equivalently, can tolerate more faults for a given number of processors). However, this increased fault tolerance is obtained at the cost of depending on authentication: if the authentication assumptions fail for any reason, then SMH(r) may fail altogether.

5 Combining authentication and oral messages

The idea of examining SM(r) under the hybrid fault model suggests the dual inquiry: examining oral message protocols in the presence of authentication. It turns out that this yields protocols that combine the advantages of the two classes of protocols with few
of their disadvantages. As noted in the discussion of SMH(r), authentication turns symmetric-faulty receivers into manifest-faulty ones: they can only generate messages that are improperly signed. In order to exploit this in an oral messages protocol, we need a protocol that has the capability to discard bad messages. The classical protocol OM(r) does not do this, but our hybrid protocol OMH(r) does. It therefore seems the most promising place to start.

The protocol OMH(r) [19] is our modified and formally verified [17] version of Thambidurai and Park's protocol Z(r) [29], which is in turn a modification of the r+1-round oral messages protocol OM(r) of Lamport, Shostak, and Pease [16]. The key idea in both Z(r) and OMH(r) is to introduce a distinguished value E to record receipt of manifest-faulty messages. E values are ignored in the majority vote that each processor uses to decide its final value. In Z(r), E is used to record both manifest-faulty messages and the report of such messages relayed by another processor. This leads to confusion when there is a manifest-faulty transmitter and an arbitrary- or symmetrically-faulty receiver; Z(1) can fail in this circumstance, and this leads to more complex failures in the r > 1 cases. OMH(r) repairs this problem by treating the report of manifest-faulty values differently than those values themselves: R(E) indicates the report of E, R(R(E)) the report of a report, and so on. An inverse function UnR is used to "strip off" these Rs at a later stage in the protocol. Only E (not R(E), R(R(E)), etc.) is ignored in the majority vote.
As noted in the previous section, OMH(r) is able to tolerate a arbitrary, s symmetric, and m manifest faults simultaneously, provided n, the number of processors, satisfies n > 2a + 2s + m + r and r ≥ a. This is optimal when only arbitrary faults are present (we have a = r, s = m = 0, so that n > 3a, satisfying the lower bound established by Pease, Shostak, and Lamport [23]). Separate analysis shows that the protocol is also optimal when only manifest faults are present, and the obtained bound is n > m [18]. When only symmetric faults are present, however, the protocol is definitely suboptimal, in that additional rounds can reduce its resilience. For example, in OMH(0) (where receivers simply accept whatever value they obtain from the transmitter), the number of symmetric-faulty receivers is irrelevant. In OMH(1), however, where receivers relay information to each other and take the majority of the values obtained, one symmetric-faulty receiver can defeat the protocol unless n ≥ 4.

Suppose now that we use digital signatures to add authentication to OMH(r), thereby creating a protocol we can call OMHA(r). First, as Lamport, Shostak, and Pease observe [16, p. 393], there is no point authenticating the final step in the protocol (i.e., the OMH(0) round), because we have point-to-point communications and the communication port on which a message arrives serves to authenticate it (this is assumption A2); thus OMHA(0) is the same as OMH(0). For the general case, we simply modify OMH(r) so that processors sign all messages that they send, and improperly signed messages are treated by their receivers as E.

Notice that as long as authentication does not introduce faults (i.e., as long as a properly signed message cannot be mistakenly considered improperly signed), then OMHA(r) must have at least the fault tolerance of OMH(r), and this is independent of the cryptographic strength of the signature scheme. However, if we make the usual assumptions about the strength of the signature scheme, then authentication reduces the severity of faults that can be introduced by receivers.
In particular, a symmetric-faulty receiver cannot inject a completely false value into the exchanges: at worst, it can inject an E or R(E) value; similarly, an arbitrary-faulty receiver can selectively inject E and R(E), or can pass on the true value that it received. (Faulty processors cannot inject R(R(E)) etc., because this would require an R(E) correctly signed by another processor.) Unfortunately, the residual ability to inject R(E) is sufficient to limit the number and combination of faults that can be tolerated by OMHA(r) to be no better, in the worst case, than for OMH(r).

This disappointing result suggests consideration of a protocol ZA(r), derived from Thambidurai and Park's protocol Z(r) in the same way that OMHA(r) is derived from OMH(r). Since Z(r) and ZA(r) lack the E, R(E) distinctions of OMH(r) and OMHA(r), it follows that symmetric-faulty receivers are reduced to manifest-faulty in ZA(r). Similarly, arbitrary-faulty receivers are reduced to manifest-faulty or "nonfaulty with communications link faults," which is a case considered in Section 6. Furthermore, authentication overcomes the bug in Z(r); this bug arises in Z(1) when an arbitrary- or symmetric-faulty receiver injects spurious values into the exchanges under a manifest-faulty transmitter: the E values from the transmitter, and those relayed by good receivers, are ignored in the majority votes, which are therefore won by the spurious values injected by the faulty receiver. ZA(r) eliminates this bug because it prevents the faulty receivers manufacturing the spurious values that other processors will incorporate in their majority votes. Protocol ZA(r) is defined as follows.

ZA(0)

1. The transmitter sends its value to every receiver.

2. Each receiver uses the value received from the transmitter, or uses the value E if a missing or manifestly erroneous value is received.

ZA(r), r > 0

1. The transmitter signs and sends its value to every receiver.

2. For each p, let v_p be the value receiver p obtains from the transmitter, or E if no value, or a manifestly bad value, or incorrectly signed value is received. Each receiver p acts as the transmitter in Protocol ZA(r−1) to communicate the value v_p to the other n−2 receivers.

3. For each p and q, let v_q be the value receiver p received from receiver q in step (2) (using protocol ZA(r−1)), or else E if no such value, or a manifestly bad value, or incorrectly signed value was received. Each receiver p calculates the majority value among all non-E values v_q received; if no such majority exists, the receiver uses some arbitrary, but functionally determined value.

We have the following results, where a, s, and m are the numbers of arbitrary-, symmetric-, and manifest-faulty processors, respectively, and n is the total number of processors.

Lemma 1 If signatures are secure, then for any a, s, m and r, protocol ZA(r) satisfies Validity.

Proof: In the first round, the transmitter signs and sends its value to all receivers. Validity assumes a nonfaulty transmitter, so all nonfaulty receivers will obtain the correct value in this round. The receivers exchange values in subsequent rounds, and faulty receivers may inject faulty values into this process. However, authentication prevents the injection of any correctly signed value other than that sent by the original transmitter. Thus the only values entering the majority vote will be this value and, possibly, E. Since all good receivers obtained at least one copy of the value v directly from the transmitter, and some combination of vs and Es from other receivers, the hybrid majority will always be v. □

Theorem 2 If signatures are secure, then for any r, Protocol ZA(r) satisfies conditions Validity and Agreement if r ≥ a.
Proof: The proof is by induction on r. In the base case r = 0 there can be no arbitrary-faulty processors, since r ≥ a. If there are no arbitrary-faulty processors then the previous lemma ensures that ZA(0) satisfies Agreement, and Validity follows. We therefore assume that the theorem is true for ZA(r−1) and prove it for ZA(r), r > 0.

First consider the case in which the transmitter is not arbitrary-faulty. Then Validity is ensured by Lemma 1, and Agreement follows from Validity. Now consider the case where the transmitter is arbitrary-faulty. There are at most a arbitrary-faulty processors, and the transmitter is one of them, so at most a−1 of the receivers are arbitrary-faulty. At the next stage, we have one less round to perform, and one less arbitrary fault to tolerate. Since we assume r ≥ a, we also know r−1 ≥ a−1, and we may therefore apply the induction hypothesis to conclude that ZA(r−1) satisfies conditions Agreement and Validity. Hence, for each q, any two nonfaulty receivers get the same value for v_q in step (3). (This follows from Validity if one of the two receivers is processor q, and from Agreement otherwise.) Hence, any two nonfaulty receivers get the same vector of values v_1, ..., v_{n−1}, and therefore obtain the same value hybrid-majority(v_1, ..., v_{n−1}) in step (3) (since this value is functionally determined), thereby ensuring Agreement. □

Theorem 2 shows that ZA(r) has the same (optimal) fault tolerance as SMH(r) when signatures are secure; however, ZA(r) has the significant advantage that it is not totally broken if authentication fails. In the presence of authentication failure, ZA(r) reverts to, at worst, the fault tolerance of Z(r). To be sure, Z(r) is vulnerable to certain configurations of two faults no matter how many rounds and receivers are used (that is why we developed OMH(r)), but in the important case r = 1, its failure mode is very precisely characterized (manifest-faulty receiver and at least one symmetric-faulty or arbitrary-faulty receiver; the latter is required to break agreement). An alternative is to use the protocol OMHA(r), whose fallback, OMH(r), is fully robust against arbitrary and manifest faults, but whose resilience in the presence of working authentication is inferior to that of ZA(r). Table 1 compares the various protocols we have discussed in terms of worst-case bounds.
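The two-round protocol ZA(1) defined above can be modelled directly to see Lemma 1, the Z(1) bug, and the fallback to Z(1) when authentication fails. This is an added example, not the authors' code: signatures are modelled by a `genuine` flag that only the transmitter's own values carry, `secure=False` models forgeable signatures (plain Z(1)), and the function names, the values 7 and 9, and the fallback `DEFAULT` are assumptions.

```python
from collections import Counter
from itertools import product

E = "E"        # distinguished value: missing, manifestly bad, or badly signed
DEFAULT = 0    # assumption: the "functionally determined" value when no majority

def hybrid_majority(values):
    """Majority among non-E values; E if nothing but E was received."""
    live = [v for v in values if v != E]
    if not live:
        return E
    top, count = Counter(live).most_common(1)[0]
    return top if 2 * count > len(live) else DEFAULT

def honest(dest, received):
    # A nonfaulty receiver relays exactly what the transmitter signed for it.
    return received, True

def liar(wrong):
    # Symmetric-faulty receiver: same wrong value to everyone, which it cannot
    # sign on the transmitter's behalf (genuine=False).
    return lambda dest, received: (wrong, False)

def za1(n, sent, relays=None, secure=True):
    """Run ZA(1) with transmitter 0 and receivers 1..n-1.
    sent[p]   : value the transmitter's signed message delivers to p (E if none)
    relays[q] : behaviour of receiver q in round 2 (default: honest)
    secure    : True if forged signatures are detected (ZA), False models Z(1)
    Returns {p: decided value} for every receiver."""
    relays = relays or {}
    receivers = range(1, n)
    decided = {}
    for p in receivers:
        column = [sent[p]]                       # v_p from step 2
        for q in receivers:
            if q == p:
                continue
            value, genuine = relays.get(q, honest)(p, sent[q])
            if secure and not genuine:
                value = E                        # incorrectly signed -> E
            column.append(value)                 # v_q from step 3
        decided[p] = hybrid_majority(column)
    return decided

def symmetric_receivers(secure):
    """Nonfaulty transmitter sends 7; receivers 2 and 3 are symmetric-faulty."""
    return za1(4, {1: 7, 2: 7, 3: 7}, {2: liar(9), 3: liar(9)}, secure)[1]

def manifest_transmitter(secure):
    """Manifest-faulty transmitter (all receive E); receiver 3 injects 9."""
    out = za1(4, {1: E, 2: E, 3: E}, {3: liar(9)}, secure)
    return out[1], out[2]

def single_arbitrary_fault_violations(n=4):
    """Exhaustively inject one arbitrary fault (r = a = 1) with secure signatures."""
    violations = 0
    # Case 1: arbitrary-faulty transmitter signs any mix of 0, 1 or nothing.
    for sent in product([0, 1, E], repeat=n - 1):
        out = za1(n, dict(zip(range(1, n), sent)))
        violations += len(set(out.values())) != 1          # Agreement
    # Case 2: nonfaulty transmitter sends 7; receiver n-1 is arbitrary-faulty and
    # picks, per destination, the true value, nothing, or an unsigned 9.
    options = [(7, True), (E, True), (9, False)]
    for picks in product(options, repeat=n - 2):
        table = dict(zip(range(1, n - 1), picks))
        out = za1(n, {p: 7 for p in range(1, n)},
                  {n - 1: lambda dest, received, t=table: t[dest]})
        violations += any(out[p] != 7 for p in range(1, n - 1))  # Validity
    return violations

if __name__ == "__main__":
    print("two symmetric receivers, secure  :", symmetric_receivers(True))
    print("two symmetric receivers, forgeable:", symmetric_receivers(False))
    print("manifest transmitter, secure     :", manifest_transmitter(True))
    print("manifest transmitter, forgeable  :", manifest_transmitter(False))
    print("violations with one arbitrary fault:", single_arbitrary_fault_violations())
```

With n = 4, a = 0 and s = 2 the first scenario is inside the ZA(1) bound n > a + s + m + 1 but outside the Z(1) bound n > 2a + 2s + m + r, which is why it survives only while signatures hold.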
Table 1: Comparison of Byzantine Agreement Protocols

Protocol SM(r) SMH(r) Authentication Assumptions Violated OM(r) a = s = 0, n > m+1 n > a+s+m+1, Sound
OMH(r) n > 2a+2s+2m+r, r ≥ a n > 2a+2s+2m+r, r ≥ a (same)
OMHA(r) n > 2a+2s+m+r, r ≥ a n > 2a+2s+m+r, r ≥ a (same) r ≥ a
Z(r) ZA(r) n > 2a+2s+m+r, r ≥ a † n > a+s+m+1, n > 2a+2s+m+r, r ≥ a † n > 2a+2s+m+r, r ≥ a † (same) r ≥ a

† Z(1) also fails with a manifest-faulty transmitter and one symmetric or arbitrary-faulty receiver; Z(r), r > 1, fails in additional cases.

6 Link faults

Communications failures represent an important class of faults; we call them link faults, with the characterization that when a nonfaulty processor sends its value v to a nonfaulty recipient over a faulty link, the value received may be either v or E.

Because they arise frequently in practice (wires and connectors are prone to noise and breakage), it is desirable to tolerate link faults efficiently. Notice that a link fault is not attributed to a processor; thus, a processor at the receiving end of a faulty link may be nonfaulty and the protocol must ensure that it satisfies the Agreement and Validity conditions. The difficulty in extending Byzantine agreement protocols to link faults is due to the fact that these faults do introduce asymmetry and are therefore as expensive to tolerate as arbitrary failures in the worst case.

We can observe that ZA(r) achieves Validity in the presence of link faults and hybrid processor faults, provided that there is a path of length r+1 links or less from the transmitter to each nonfaulty receiver that passes through only nonfaulty processors and good links. SMH(r) has the same bounds on Validity as ZA(r), while that of OMHA(r) is worse and difficult to characterize. We can also observe that for Agreement, a link fault is as disruptive, in the worst case, as an arbitrary fault at either the sender or receiver on the link. Thus, if link faults are attributed to either their sender or receiver, and l is the minimum number of processors needed to account for all such faults, then ZA(r) will achieve Agreement provided r ≥ a + l. Similar worst case bounds apply for Agreement in SMH(r), while OMHA(r) requires n > 2a+2s+m+r+2l and r ≥ a + l.

7 Examining fault tolerance using state-exploration techniques

The worst-case bounds given above are based on rather crude ways of counting faults: there are many scenarios for the behavior of a system with, say, one arbitrary-faulty and one manifest-faulty processor and two link faults, but the worst-case analyses treat them all alike. It is therefore interesting to enquire how well the protocols perform under more fine-grained analysis and, in particular, how they perform in regions beyond those characterized by the simple worst-case bounds.

Simulation could be used to sample the behavior of the protocols, but a more attractive alternative is to use a formal state-exploration tool to examine their behavior in specific configurations under all scenarios. The idea is to model the system as the composition of two concurrent processes: one that injects faults and one that tolerates or diagnoses them. A state-exploration tool will then systematically explore all possible scenarios for their interaction.

We have used the Murφ (pronounced "Murphy") system from David Dill's group at Stanford [20] for this purpose. Essentially, we provided Murφ programs for the OMH(1), OMHA(1), Z(1), ZA(1), and SMH(1) protocols in the n = 5 case, and caused Murφ to nondeterministically perform a symbolic "fault injection" (of both link faults and hybrid processor faults) and then run the protocols. By exploring all different runs (there are over 20,000 of them), Murφ essentially undertakes exhaustive fault injection on these protocols (the process takes a couple of minutes on a Sparc 10). Of course, it would be straightforward to write a program to do this, but we consider the use of formal state-exploration tools a very promising and general technique for the examination of algorithms for fault tolerance and diagnosis.

Our experiments confirmed the worst-case bounds on fault tolerance claimed for the various protocols in the case n = 5 and r = 1, and rediscovered the known vulnerability of Z(1) to manifest-faulty transmitters [19]. That is to say, exhaustive search of all fault configurations satisfying the bounds claimed in Table 1 for the case of n = 5 and r = 1 found no violations of Validity nor of Agreement, except for the known cases in Z(1).

However, much more interesting results were obtained when we allowed fault-injection to continue beyond the simple characterizations of worst-case fault tolerance for the protocols concerned. For example, although no five-processor, two-round protocol can withstand two link faults in the worst case, we found ZA(1) does tolerate two such faults in most cases. We therefore used our Murφ fault-injection system to count how many scenarios caused each protocol to fail with and without the assumption of secure authentication.

Table 2: Percentage of fault configurations in a 5-plex where each protocol fails

Protocol OMH(1) OMHA(1) Authentication Assumptions Z(1) Violated 25 Sound ZA(1) 25 SMH(1)

Table 2 compares the various protocols we have discussed, using exhaustive state exploration to calculate the percentage of fault configurations that caused the protocols to fail. Overall, it seems that ZA(1) is the most resilient of these protocols under the combination of hybrid and link faults, though more experiments are needed to confirm this.

Fault configurations consist of an assignment of fault class (good, manifest, symmetric, or arbitrary) to each processor, and an assignment of up to three faulty links between processors. We excluded configurations with link faults emanating from arbitrary or manifestly faulty transmitters, or arriving at faulty receivers (such link faults have no real impact on system behavior). For each configuration, we tested whether any scenario of messages by the faulty processors could cause good receivers to disagree or cause a good receiver to fail to agree with the transmitter. For each protocol, we then calculated the percentage of all fault configurations for which such failure was possible.

The newest release of the Murφ system automatically detects and exploits symmetry in appropriately written specifications, reducing the search space dramatically. For example, the configuration where all processors are good except that the third receiver is manifest-faulty is isomorphic to the case when all processors are good except the second receiver, and Murφ only explores one of these alternatives. Symmetries are used in the assignment of faulty links as well as in the assignment of behaviors to processors. Because of these symmetry reductions, not all configurations are counted individually, so the numbers in Table 2 should be taken to indicate relative, not absolute, performance. We further reduced the set of configurations to require at least one good receiver, since otherwise Validity and Agreement are trivially satisfied. We excluded symmetric-faulty processors sending manifestly bad (E) values, since this would amount to the same thing as a manifest fault, and we also excluded the case of a symmetric-faulty transmitter since there is very little difference between this case and that when the transmitter is good. However, we did allow an arbitrary-faulty transmitter to behave in any way, including the possibility of behaving as good, symmetric- or manifest-faulty, as well as sending various combinations of good, wrong, and E values.

For the authenticated protocols, faulty receivers were not allowed to send data values other than that received from the transmitter. Thus for algorithm ZA(1) arbitrary-faulty receivers are only able to send manifestly bad (E) values or the correct value. In algorithm OMHA(1), arbitrary-faulty receivers also have the opportunity to send R(E) and, as discussed earlier, this is the main source of brittleness of OMHA(1). We further make the assumption in these experiments that authentication never leads to good processors discarding good messages. These factors, taken together, significantly reduce the total number of configurations that need to be considered, but do not affect the relative numbers of configurations where the various algorithms behave acceptably.

The table shows that the authenticated protocol ZA(1) wrings the maximum fault tolerance from a given amount of redundant hardware, and outperforms the classical signed messages protocol whether or not signatures are secure (dramatically so if signatures are insecure). ZA(1) is also superior in overall resilience to OMHA(1). This is not to say that ZA(1) is uniformly superior to OMHA(1). Consider a good transmitter with link faults to all receivers except p, and p has a link fault to receiver q. Under ZA(1), q decides on E and all the other receivers decide on the value sent by the transmitter to p, thereby violating Agreement. Under OMHA(1) all receivers settle on E. Note that we are testing the fault tolerance of these protocols well beyond their usually claimed fault tolerance: only approximately five percent of all fault configurations we studied fall within the worst-case bounds of the protocols. Thus, all these protocols are far more tolerant of faults than their simple worst-case bounds would suggest.

8 Conclusion

The assumptions required of the authentication mechanism in Byzantine agreement protocols that use "signed messages" are stronger than generally realized, and require that digital signatures are used with great care. Violation of these assumptions can cause the protocols to fail. We have presented new protocols that combine authentication with "oral messages" protocols so that additional resilience is obtained when the authentication assumptions are sound, but the resilience of the unauthenticated protocol is retained when authentication assumptions are violated.

When the authentication assumptions are sound, one of these new protocols, called ZA(r), matches the fault tolerance of the classical signed messages protocol under a hybrid fault model, and surpasses it when communications link faults are considered. ZA(r) also performs well overall when authentication assumptions are violated, but has an unfortunate "hole" in its worst-case bound (it is vulnerable when the transmitter is manifest-faulty). Another of the new protocols, OMHA(r) may be preferred if this case is considered important, though it is less resilient to link faults than ZA(r).
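The exhaustive fault injection of Section 7, as an added Python example (not the authors' Murφ programs, and not an implementation of any of the paper's protocols): it enumerates every message scenario for a simplified, unauthenticated transmit, relay and vote exchange whose vote discards E. The names `sent`, `vote`, `can_fail` and `sweep` and the voting rule are assumptions made for illustration; symmetric faults and symmetry reduction are left out.

```python
from itertools import product, combinations

E = "E"   # manifestly bad value: receivers recognise it and leave it out of the vote

def sent(cls, value, link_bad):
    """Every value a recipient might see for one message from a sender of class cls."""
    if cls == "A":                       # arbitrary fault: any value at all
        return (0, 1, E)
    if cls == "M":                       # manifest fault: always detectably bad
        return (E,)
    # good sender: a faulty link delivers either v or E (the link-fault model of Section 6)
    return (value, E) if link_bad and value != E else (value,)

def vote(values):
    """Assumed voting rule: drop E, take the strict majority of the rest, else E."""
    live = [v for v in values if v != E]
    for v in (0, 1):
        if 2 * live.count(v) > len(live):
            return v
    return E

def can_fail(classes, bad_links=frozenset()):
    """True if some scenario breaks Agreement or Validity in this configuration.

    classes[0] is the transmitter and classes[1:] the receivers, each 'G' (good),
    'M' (manifest-faulty) or 'A' (arbitrary-faulty); bad_links is a set of
    directed (sender, recipient) pairs between good processors.
    """
    rx = range(1, len(classes))
    good = [p for p in rx if classes[p] == "G"]
    if not good:
        return False                     # no good receiver: trivially satisfied
    # only messages that reach a good receiver can influence a decision
    pairs = [(q, p) for p in good for q in rx if q != p]
    for v in (0, 1):                     # the transmitter's private value
        first = [sent(classes[0], v, (0, p) in bad_links) for p in good]
        for d in product(*first):        # fault injection on the first round
            direct = dict(zip(good, d))
            second = [sent(classes[q], direct.get(q), (q, p) in bad_links)
                      for q, p in pairs]
            for r in product(*second):   # fault injection on the relay round
                relayed = dict(zip(pairs, r))
                decided = {vote([direct[p]] + [relayed[q, p] for q in rx if q != p])
                           for p in good}
                if len(decided) > 1:                       # Agreement violated
                    return True
                if classes[0] == "G" and decided != {v}:   # Validity violated
                    return True
    return False

def sweep(n, max_proc_faults, max_link_faults):
    """Return (failing, total) over all configurations within the fault budget."""
    links = [(i, j) for i in range(n) for j in range(1, n) if i != j]
    failing = total = 0
    for classes in product("GMA", repeat=n):
        if n - classes.count("G") > max_proc_faults or "G" not in classes[1:]:
            continue                     # require at least one good receiver
        usable = [l for l in links if classes[l[0]] == "G" and classes[l[1]] == "G"]
        for k in range(max_link_faults + 1):
            for bad in combinations(usable, k):
                total += 1
                failing += can_fail(classes, frozenset(bad))
    return failing, total

# Constructed configuration: good transmitter 0 with link faults to every
# receiver except p = 1, and a link fault from p to q = 2 (all processors good).
ISOLATED_Q = frozenset({(0, 2), (0, 3), (0, 4), (1, 2)})

if __name__ == "__main__":
    print("n=4, one processor fault:", sweep(4, 1, 0))
    print("n=3, one processor fault:", sweep(3, 1, 0))
    print("n=5, isolated q can fail:", can_fail("GGGGG", ISOLATED_Q))
    print("n=5, one processor fault and up to two link faults:", sweep(5, 1, 2))
```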
These new protocols are superior to other known protocols in properties and measures of practical interest, and we recommend them for general use. They are particularly attractive in security-critical systems where authentication may be subjected to sophisticated cryptographic attack, and in safety-critical embedded systems where maximum resilience is required but where only short or cryptographically weak signatures (e.g., checksums) may be feasible. Selection of the most suitable protocol for a given system must obviously depend on the expected modes and frequencies of faults, and the consequences of system failure.

Our use of the state-exploration system Murφ to perform symbolic "fault injection" is, we believe, novel. It suggests a very promising new application area for this class of formal methods tools, and one that we intend to pursue in future work.

Acknowledgments

Our understanding of these topics has benefitted greatly from discussions with Chris Walter and Michele Hugue (both then with AlliedSignal). Comments by the anonymous reviewers were also very helpful. Malte Borcherding of the University of Karlsruhe pointed out some errors in the original paper.

References

Papers by SRI authors can generally be retrieved from http://

[1] Martín Abadi and Roger Needham. Prudent engineering practice for cryptographic protocols. In Proceedings of the Symposium on Research in Security and Privacy, pages 122–136, Oakland, CA, May 1994. IEEE Computer Society.

[2] Birgit Baum-Waidner. Byzantine agreement with a minimum number of messages both in the faultless and worst case. In Fault Tolerant Computing Symposium 23 [14], pages 554–563.

[3] Malte Borcherding. Efficient failure discovery with limited authentication. In 15th International Conference on Distributed Computing Systems, pages 78–82, Vancouver, Canada, May 1995. IEEE Computer Society.

[4] W. Diffie and M. E. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, IT-22(6):644–650, November 1976.

[5] D. Dolev and H. R. Strong. Authenticated algorithms for Byzantine agreement. SIAM Journal on Computing, 12(4):656–666, November 1983.

[6] Danny Dolev and Rüdiger Reischuk. Bounds on information exchange for Byzantine agreement. Journal of the ACM, 32(1):191–204, January 1985.
[7] Danny Dolev, Rüdiger Reischuk, and H. Raymond Strong. Early stopping in Byzantine agreement. Journal of the ACM, 37(4):720–741, October 1990.

[8] Klaus Echtle. Fault masking with reduced redundant communication. In Fault Tolerant Computing Symposium 16, pages 178–183, Vienna, Austria, July 1986. IEEE Computer Society.

[9] T. El Gamal. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, IT-31(4):469–472, July 1985.

[10] Paul D. Ezhilchelvan. Early stopping algorithms for distributed agreement under fail-stop, omission, and timing fault types. In 6th Symposium on Reliability in Distributed Software and Database Systems, pages 201–212, Williamsburg, VA, March 1987. IEEE Computer Society.
[11] M. Fischer and N. Lynch. A lower bound for the time to assure interactive consistency. Information Processing Letters, 14:183–186, 1982.

[12] F. Di Giandomenico, M. L. Guidotti, F. Grandoni, and L. Simoncini. A graceful dependable algorithm for Byzantine agreement. In 6th Symposium on Reliability in Distributed Software and Database Systems, pages 188–200, Williamsburg, VA, March 1987. IEEE Computer Society.

[13] L. Gong. Variations on the themes of message freshness and replay. In Proceedings of the Computer Security Foundations Workshop VII, pages 131–136, Franconia, NH, June 1993. IEEE Computer Society.

[14] Fault Tolerant Computing Symposium 23, Toulouse, France, June 1993. IEEE Computer Society.

[15] R. M. Kieckhafer, C. J. Walter, A. M. Finn, and P. M. Thambidurai. The MAFT architecture for distributed fault tolerance. IEEE Transactions on Computers, 37(4):398–405, April 1988.

[16] Leslie Lamport, Robert Shostak, and Marshall Pease. The Byzantine Generals problem. ACM Transactions on Programming Languages and Systems, 4(3):382–401, July 1982.

[17] Patrick Lincoln and John Rushby. Formal verification of an algorithm for interactive consistency under a hybrid fault model. In Costas Courcoubetis, editor, Computer-Aided Verification, CAV '93, volume 697 of Lecture Notes in Computer Science, pages 292–304, Elounda, Greece, June/July 1993. Springer-Verlag.

[18] Patrick Lincoln and John Rushby. Formal verification of an algorithm for interactive consistency under a hybrid fault model. Technical Report SRI-CSL-93-2, Computer Science Laboratory, SRI International, Menlo Park, CA, March 1993. Also available as NASA Contractor Report 4527, July 1993.

[19] Patrick Lincoln and John Rushby. A formally verified algorithm for interactive consistency under a hybrid fault model. In Fault Tolerant Computing Symposium 23 [14], pages 402–411.

[20] Ralph Melton and David L. Dill. Murφ Annotated Reference Manual. Computer Science Department, Stanford University, Stanford, CA, March 1993.

[21] Judy H. Moore. Protocol failures in cryptosystems. Proceedings of the IEEE, 76(5):594–602, May 1988.

[22] National Institute of Standards and Technology. The digital signature standard. Communications of the ACM, 37(7):36–40, July 1992.
[23] M. Pease, R. Shostak, and L. Lamport. Reaching agreement in the presence of faults. Journal of the ACM, 27(2):228–234, April 1980.

[24] Michael Reiter. A secure group membership protocol. In Proceedings of the Symposium on Research in Security and Privacy, pages 176–189, Oakland, CA, May 1994. IEEE Computer Society.

[25] R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120–126, February 1978.

[26] John Rushby. A formally verified algorithm for clock synchronization under a hybrid fault model. In Thirteenth ACM Symposium on Principles of Distributed Computing, pages 304–313, Los Angeles, CA, August 1994. Association for Computing Machinery.

[27] Fred B. Schneider. Implementing fault-tolerant services using the state machine approach: A tutorial. ACM Computing Surveys, 22(4):299–319, December

[28] T. K. Srikanth and S. Toueg. Simulating authenticated broadcasts to derive simple fault-tolerant algorithms. Distributed Computing, 2(2):80–94, 1987.

[29] Philip Thambidurai and You-Keun Park. Interactive consistency with multiple failure modes. In 7th Symposium on Reliable Distributed Systems, pages 93–100, Columbus, OH, October 1988. IEEE Computer Society.

[30] C. J. Walter, N. Suri, and M. M. Hugue. Continual on-line diagnosis of hybrid faults. In F. Cristian, G. Le Lann, and T. Lunt, editors, Dependable Computing for Critical Applications 4, volume 9 of Dependable Computing and Fault-Tolerant Systems, pages 233–249. Springer-Verlag, Vienna, Austria, January 1994.

The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of the Air Force Office of Scientific Research or the U.S. Government.
Section 2 Guidance for Monitoring the Reporting of Complaints and Incidents The Policy Oversight of the health and welfare of Health Home members through care coordination and linkage to services and programs
More informationEfficient General-Adversary Multi-Party Computation
Efficient General-Adversary Multi-Party Computation Martin Hirt, Daniel Tschudi ETH Zurich {hirt,tschudid}@inf.ethz.ch Abstract. Secure multi-party computation (MPC) allows a set P of n players to evaluate
More informationTOWN OF MORRISTOWN REQUEST FOR PROPOSAL TRAFFIC CONTROL SIGNAL MONITORING SYSTEM. RFP DEADLINE (EXTENDED): November 16, 2010 (Tuesday), 4:00 P.M.
TOWN OF MORRISTOWN REQUEST FOR PROPOSAL TRAFFIC CONTROL SIGNAL MONITORING SYSTEM RFP DEADLINE (EXTENDED): November 16, 2010 (Tuesday), 4:00 P.M. EST I. Introduction and Purpose Proposers are required to
More informationOff Site Access PPD IT How to Guides December 2010
Off Site Access When you are working away from RAL, you can connect to the RAL network via Virtual Private Network. This allows you to see internal RAL web pages and provides a way to access SSC, which
More informationCOLLECTION, USE, AND DISCLOSURE LIMITATION
COLLECTION, USE, AND DISCLOSURE LIMITATION This is one of a series of companion documents to The Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information
More informationNorth Dakota Medical Association. 2014 ND ehealth/himss Summit
North Dakota Medical Association 2014 ND ehealth/himss Summit Medicine in North Dakota Today As of September 2014: 1696 active practicing physicians statewide 15% increase since 2010 (1470) Average age
More informationSecurity Management System. MHPD Module
Security Management System MHPD Module 1 Security Management System: Why do we need to use SMS? Security Management System Accessing SMS MHPD Module Security Groups Mental Health Provider Data Exchange
More informationINFORMATION PROCEDURE
INFORMATION PROCEDURE Managing Social Media Records EPA Classification.: CIO 2155-P-06.0 CIO Approval Date: 06/12/2015 CIO Transmittal.: 15-006 Review Date: 06/12/2018 Issued by the EPA Chief Information
More informationRemote Access. A Service Guide for Colleges. An overview of the opt-in Remote Access service provided by Ontario College Library Service
A Service Guide for Colleges An overview of the opt-in Remote Access service provided by Ontario College Library Service Remote Access A Service Guide for Colleges Contents Remote Access Basics... 2 All
More informationYour launch pad for excellence UNIVERSITY. 6 cm filling height. Ferranti Computer Systems MECOMS University Training Overview
Your launch pad for excellence UNIVERSITY 6 cm filling height Ferranti Computer Systems MECOMS University Training Overview CLASSROOM: ADVANCED FUNCTIONAL METER DATA MANAGEMENT UNIVERSITY Introduction
More information0,2 D(0) A(1) D(1) 1,3 D(2) 0,2 D(0) A(1) D(1) 1,3 D(2) D(3) D(3) D(1) D(1) A(4) D(2) 4,6 D(3) A(4) 4,6 GO BACK 3 SELECTIVE REJECT WINDOW SLIDES
WASHINGTON UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CS423 Computer Communications: More Error Recovery Fall 1995 This is the fourth of probably 7 lectures on the Data Link Layer. In the last lecture we
More informationSoftware Defined Radio (SDR) Application Review Guide
Software Defined Radio (SDR) Application Review Guide TCB Workshop October 6, 2009 Jim Szeliga Laboratory Division Office of Engineering and technology Federal Communications Commission Presentation Outline
More informationDivision of Medical Services
Division of Medical Services Program Planning & Development P.O. Box 1437, Slot S-295 Little Rock, AR 72203-1437 501-682-8368 Fax: 501-682-2480 TO: Arkansas Medicaid Health Care Providers Transportation
More informationREGULATORY ALERT NATIONAL CREDIT UNION ADMINISTRATION 1775 DUKE STREET, ALEXANDRIA, VA 22314. DATE: October 2001 NO.: 01-RA-11
REGULATORY ALERT NATIONAL CREDIT UNION ADMINISTRATION 1775 DUKE STREET, ALEXANDRIA, VA 22314 DATE: October 2001 NO.: 01-RA-11 TO: All Federally-Insured Credit Unions SUBJECT: Suspicious Activity Report
More informationBanks Behaviour in the European Money Market and the Operational Framework of the Eurosystem
Banks Behaviour in the European Money Market and the Operational Framework of the Eurosystem Ulrike Neyer November 2002 Abstract The Eurosystem has stated its intention to reformulate important aspects
More information3M Electronic Monitoring / SVEP. 3M Domestic Violence GPS Proximity Notification System Web Training
3M Domestic Violence GPS Proximity Notification System Web Training Objective TO EXPLAIN HOW THE SYSTEM PROTECTS THE VICTIMS OF DOMESTIC VIOLENCE 2 3M Domestic Violence GPS Proximity Notification System
More informationHow to travel from Qatar to UAE and Oman by road
How to travel from Qatar to UAE and Oman by road Experience from journey January 2007 Jacob Helm-Petersen (MOQ) and Thomas Gierlevsen (COWI) Prepared by Thomas Gierlevsen Rev. 1 Preparations: 1) Obtain
More informationWhat is Process Validation?
What is Process Validation? Process Validation is defined as the collection and evaluation of data, from the process design stage throughout production, which establishes scientific evidence that a process
More informationB I N G O B I N G O. Hf Cd Na Nb Lr. I Fl Fr Mo Si. Ho Bi Ce Eu Ac. Md Co P Pa Tc. Uut Rh K N. Sb At Md H. Bh Cm H Bi Es. Mo Uus Lu P F.
Hf Cd Na Nb Lr Ho Bi Ce u Ac I Fl Fr Mo i Md Co P Pa Tc Uut Rh K N Dy Cl N Am b At Md H Y Bh Cm H Bi s Mo Uus Lu P F Cu Ar Ag Mg K Thomas Jefferson National Accelerator Facility - Office of cience ducation
More informationMass deployment Smart Gas- (& Electricity) Meters Netherlands
Mass deployment Smart Gas- (& Electricity) Meters Netherlands Arno Tuinman Liander Infostroom Controls grid for gas and electricity 1 Agenda Speaker Introduction Liander Introduction Status Deployment
More informationVENDOR SECTION An overview of the Vendor Section which is used to add, edit and send messages to vendors.
PROPERTY MANAGER TRAINING MANUAL INTRODUCTION Relate 24/7 SM is an automated prospect and resident follow-up email marketing machine. Even when your leasing team is busy with other important tasks, this
More informationOFFICE OF MENTAL HEALTH AND SUBSTANCE ABUSE SERVICES BULLETIN
OFFICE OF MENTAL HEALTH AND SUBSTANCE ABUSE SERVICES BULLETIN ISSUE DATE: EFFECTIVE DATE: NUMBER: October 20, 2011 October 30, 2011 OMHSAS-11-08 SUBJECT: BY: Administrative Investigations SCOPE: State
More informationAppendice 1 al Regolamento ENAC ATSEP Basic training Shared
Regolamento ENAC ATSEP Appendici Pag. 1 Appendice 1 al Regolamento ENAC ATSEP Basic training Shared Subject 1: INDUCTION TOPIC 1 BASIND Induction Sub-topic 1.1 BASIND Training and Assessment Overview Sub-topic
More informationAN ACT ENHANCING EMERGENCY PREPAREDNESS AND RESPONSE.
OLR Bill Analysis ssb 23 AN ACT ENHANCING EMERGENCY PREPAREDNESS AND RESPONSE. SUMMARY: This bill requires the Public Utilities Regulatory Authority (PURA) to (1) initiate a docket to review utility company
More informationSeptember 2, 2014. Dear Chairman Brady:
The Honorable Kevin Brady Chairman U.S. House Committee on Ways and Means, Subcommittee on Health 1135 Longworth House Office Building Washington, DC 20515 Dear Chairman Brady: On behalf of our nearly
More informationTP32MTT.03 TP32MTT.03.1. [ GB ] Probes for soil thermal profile measurement
TP32MTT.03 [ GB ] Probes for soil thermal profile measurement [ GB ] [ GB ] Description Temperature measurement at 7 levels (TP32MTT.03) or 6 levels () In accordance with the requirements of the World
More informationWet or Electronic Stamp: Ethical Considerations
Luther L. Liggett, Jr. Partner Direct: 614.427.5742 Cell: 614.561.2892 LLL@kjk.com One Columbus Center, Suite 1900 10 West Broad Street Columbus,, Ohio 43215 Main: 614.427.5731 Toll-free: 888.696.8700
More informationThe Melbourne DR Company - A Guide to Business
11 January 2008 [Director] or [Secretary] Dear INVITATION TO SUBSCRIBE FOR SHARES AND BECOME A MEMBER OF AN ELIGIBLE DIGITAL REPRESENTATIVE COMPANY
More informationIJTC.ORG REVIEW OF IDS SYSTEM IN LARGE SCALE ADHOC NETWORKS
REVIEW OF IDS SYSTEM IN LARGE SCALE ADHOC NETWORKS Palamdeep a,, Dr.Parminder Singh b a MTech Student, k.palambrar@gmail.com,chandigarh Engineering College,Landran,Punjab,India b Assistant Professor, singh.parminder06@gmail.com,chandigarh
More informationAttachment III RELATED LAWS, REGULATIONS AND POLICIES
Attachment III RELATED LAWS, REGULATIONS AND POLICIES The requirements and expectations for incident management and reporting detailed in this bulletin are related to a variety of laws, regulations, and
More informationFrequently Asked Questions. 1. How do I repost a RAL/ERC file using ACA/Lacerte software?
Frequently Asked Questions 1. How do I repost a RAL/ERC file using ACA/Lacerte software? To restore the ral or erc, at the main screen of the direct allaince you would select ral and restore bank file.
More informationAny references to non-cna Web sites are provided solely for convenience, and CNA disclaims any responsibility with respect to such Web sites.
Disclaimer 1 The purpose of this presentation is to provide information, rather than advice or opinion. It is accurate to the best of the speaker's knowledge as of the date of the presentation. Accordingly,
More informationMedical Transcription Solutions For Your Unique Organization
Medical Transcription Solutions For Your Unique Organization Professional At The Service of Professionals BIMSLINK www.bimslink.com USA:1-641-262-1009 Europe (UK): 0116-249-8775 PAK: 92-21-538-1323 Page
More information