Results 11-20 of 85
Probable Plaintext Cryptanalysis of the IP Security Protocols
PROCEEDINGS OF THE SYMPOSIUM ON NETWORK AND DISTRIBUTED SYSTEM SECURITY, 1997
Cited by 29 (2 self)
Abstract
The Internet Engineering Task Force (IETF) is in the process of adopting standards for IP-layer encryption and authentication (IPSEC). We describe how "probable plaintext" can be used to aid in cryptanalytic attacks, and analyze the protocol to show how much probable plaintext is available. We also show how traffic analysis is a powerful aid to the cryptanalyst. We conclude by outlining some likely changes to the underlying protocols that may strengthen them against these attacks.
Cascade Ciphers: The Importance of Being First
1993
Cited by 26 (3 self)
Abstract
The security of cascade ciphers, in which by definition the keys of the component ciphers are independent, is considered. It is shown by a counterexample that the intuitive result, formally stated and proved in the literature, that a cascade is at least as strong as the strongest component cipher, requires the uninterestingly restrictive assumption that the enemy cannot exploit information about the plaintext statistics. It is proved, for very general notions of breaking a cipher and of problem difficulty, that a cascade is at least as difficult to break as the first component cipher. A consequence of this result is that, if the ciphers commute, then a cascade is at least as difficult to break as the most-difficult-to-break component cipher, i.e., the intuition that a cryptographic chain is at least as strong as its strongest link is then provably correct. It is noted that additive stream ciphers do commute, and this fact is used to suggest a strategy for designing secure practical ci...
DEAL - A 128-bit Block Cipher
NIST AES Proposal, 1998
Cited by 25 (0 self)
Abstract
We propose a new block cipher, DEAL, based on the DES (DEA). DEAL has a block size of 128 bits and allows for three key sizes of 128, 192, and 256 bits respectively. Our proposal has several advantages to other schemes: because of the large blocks, the problem of the "matching ciphertext attacks" is made small, and the encryption rate is similar to that of triple-DES. We conjecture that the most realistic (or the least unrealistic) attack on all versions of DEAL is an exhaustive search for the keys. We have suggested ANSI to include DEAL in the ANSI standard X9.52. We also suggest DEAL as a candidate for the NIST AES standard.
1 Introduction
The DES (or DEA) [14] is a 64-bit block cipher taking a 64-bit key, of which 56 bits are effective. It is an iterated 16-round cipher, where the ciphertext is processed by applying a round function iteratively to the plaintext. The DES has a so-called Feistel structure: in each round one half of the ciphertext is fed through a nonlinear f...
How to Strengthen DES Using Existing Hardware
Cited by 20 (1 self)
Abstract
Differential, linear and improved Davies' attacks are capable of breaking DES faster than exhaustive search, but are usually impractical due to enormous amounts of data required. In [20] Wiener designed a million dollar special purpose computer capable of breaking DES in 3.5 hours on average by exhaustive search. In this paper we describe methods of strengthening DES against exhaustive search, differential attacks, linear attacks and improved Davies' attacks that can be applied on existing DES hardware. We use the fact that there are DES chips in the market that permit replacement of the S-boxes. We introduce the concept of key-dependent invariant S-box transformations. Differential and linear properties of the cipher are invariant under these transformations. We show how to expand the key using such transformations. Possible reorderings of S-boxes are discussed; we present orders of the original DES S-boxes which are slightly stronger than the standard order of S-boxes. Finally we suggest a concrete scheme to strengthen DES which uses the methods described above. This modified DES can be used with existing DES hardware and is much stronger than the standard DES.
Domany E: Finding motifs in promoter regions
J Comput Biol
Cited by 20 (2 self)
Abstract
A central issue in molecular biology is understanding the regulatory mechanisms that control gene expression. The availability of whole genome sequences opens the way for computational methods to search for the key elements in transcription regulation. These include methods for discovering the binding sites of DNA-binding proteins, such as transcription factors. A common representation of transcription factor binding sites is a position specific score matrix (PSSM). We developed a probabilistic approach for searching for putative binding sites. Given a promoter sequence and a PSSM, we scan the promoter and find the position with the maximal score. Then we calculate the probability to get such a maximal score or higher on a random promoter. This is the p-value of the putative binding site. In this way, we searched for putative binding sites in the upstream sequences of Saccharomyces cerevisiae, where some binding sites are known (according to the Saccharomyces cerevisiae Promoters Database, SCPD). Our method produces either exact p-values, or a better estimate for them than other methods, and this improves the results of the search. For each gene we found its statistically significant putative binding sites. We measured the rates of true positives, by a comparison to the known binding sites, and also compared our results to those of MatInspector, a commercially available software that looks for putative binding sites in DNA sequences according to PSSMs. Our results were significantly better. In contrast with us, MatInspector doesn't calculate the exact statistical significance of its results.
Transform Domain Analysis of DES
1998
Cited by 17 (5 self)
Abstract
DES can be regarded as a nonlinear feedback shift register (NLFSR) with input. From this point of view, the tools for pseudorandom sequence analysis are applied to the S-boxes in DES. The properties of the S-boxes of DES under Fourier transform, Hadamard transform, extended Hadamard transform and Avalanche transform are investigated. Two important results about the S-boxes of DES are found. The first result is that nearly two-thirds of the total 32 functions from GF(2^6) to GF(2) which are associated with the 8 S-boxes of DES have the maximal linear span 63, and the other one-third have linear span greater than or equal to 57. The second result is that for all S-boxes, the distances of the S-boxes approximated by monomial functions have the same distribution as for the S-boxes approximated by linear functions. Some new criteria for the design of permutation functions for use in block cipher algorithms are discussed. Index Terms: DES, nonlinear feedback shift register, transform do...
Security Amplification by Composition: The case of Doubly-Iterated, Ideal Ciphers
1998
Cited by 13 (2 self)
Abstract
We investigate, in the Shannon model, the security of constructions corresponding to double and (two-key) triple DES. That is, we consider $F_{k_1}(F_{k_2}(\cdot))$ and $F_{k_1}(F^{-1}_{k_2}(F_{k_1}(\cdot)))$ with the component functions being ideal ciphers. This models the resistance of these constructions to "generic" attacks like meet-in-the-middle attacks. We obtain
Automated analysis of security APIs
2005
Cited by 9 (0 self)
Abstract
Attacks on security systems within the past decade have revealed that security Application Programming Interfaces (APIs) expose a large and real attack surface but remain a relatively unexplored problem. In 2000, Bond et al. discovered API-chaining and type-confusion attacks on hardware security modules used in large banking systems. While these first attacks were found through human inspection of the API specifications, we take the approach of modeling these APIs formally and using an automated-reasoning tool to discover attacks. In particular, we discuss the techniques we used to model the Trusted Platform Module (TPM) v1.2 API and how we used OTTER, a theorem-prover, and ALLOY, a model-finder, to find both API-chaining attacks and to manage API complexity. Using ALLOY, we also developed techniques to capture attacks that weaken, but not fully compromise, a system's security. Finally, we demonstrate a number of real and "near-miss" vulnerabilities that were discovered against the TPM.
A 3-Subset Meet-in-the-Middle Attack: Cryptanalysis of the Lightweight Block Cipher KTANTAN
Cited by 9 (2 self)
Abstract
In this paper we describe a variant of existing meet-in-the-middle attacks on block ciphers. As an application, we propose meet-in-the-middle attacks that are applicable to the full 254-round KTANTAN family of block ciphers accepting a key of 80 bits. The attacks are due to some weaknesses in its bitwise key schedule. We report an attack of time complexity 2^75.170 encryptions on the full KTANTAN32 cipher with only 3 plaintext/ciphertext pairs as well as 2^75.044 encryptions on the full KTANTAN48 and 2^75.584 encryptions on the full KTANTAN64 with 2 plaintext/ciphertext pairs. All these attacks work in the classical attack model without any related keys. In the differential related-key model, we demonstrate 218- and 174-round differentials holding with probability 1. This shows that a strong related-key property can translate to a successful attack in the non-related-key setting. Having extremely low data requirements, these attacks are valid even in RFID-like environments where only a very limited amount of text material may be available to an attacker.
A Proposed Design For An Extended DES
1999
Cited by 8 (4 self)
Abstract
The Data Encryption Standard (DES) has achieved wide utilization, especially in the financial industry. Whilst DES is a standard, the design criteria used in its development have been classified by the US government. This paper reviews what is known about the design criteria for the S-boxes, P-boxes, and key scheduling in the current DES. It then indicates how this information could be used to design an extended scheme with a double length key. There are two main objectives in doing this. One is because of increasing doubts about the ability of DES to withstand an attack based on exhaustive keyspace searches, using specialized hardware. The other is to develop an encryption scheme for which the design rules used are known, and hence open to analysis and criticism.