Results 1 - 10 of 93
A Cryptographic File System for Unix
1993
Cited by 204 (3 self)
Abstract: Although cryptographic techniques are playing an increasingly important role in modern computing system security, user-level tools for encrypting file data are cumbersome and suffer from a number of inherent vulnerabilities. The Cryptographic File System (CFS) pushes encryption services into the file system itself. CFS supports secure storage at the system level through a standard Unix file system interface to encrypted files. Users associate a cryptographic key with the directories they wish to protect. Files in these directories (as well as their pathname components) are transparently encrypted and decrypted with the specified key without further user intervention; cleartext is never stored on a disk or sent to a remote file server. CFS can use any available file system for its underlying storage without modification, including remote file servers such as NFS. System management functions, such as file backup, work in a normal manner and without knowledge of the key. This paper describes the ...
Markov Ciphers and Differential Cryptanalysis
Advances in Cryptology -- CRYPTO '91, 1991
Cited by 105 (3 self)
Abstract: This paper considers the security of iterated block ciphers against the differential cryptanalysis introduced by Biham and Shamir. Differential cryptanalysis is a chosen-plaintext attack on secret-key block ciphers that are based on iterating a cryptographically weak function r times (e.g., the 16-round Data Encryption Standard (DES)). It is shown that the success of such attacks on an r-round cipher depends on the existence of (r-1)-round differentials that have high probabilities, where an i-round differential is defined as a couple (α, β) such that a pair of distinct plaintexts with difference α can result in a pair of i-th round outputs that have difference β, for an appropriate notion of "difference". The probabilities of such differentials can be used to determine a lower bound on the complexity of a differential cryptanalysis attack and to show when an r-round cipher is not vulnerable to such attacks. The concept of "Markov ciphers" is introduced for iterated ciphers because of its significance in differential cryptanalysis. If an iterated cipher is Markov and its round subkeys are independent, then the sequence of differences at each round output forms a Markov chain. It follows from a result of Biham and Shamir that DES is a Markov cipher. It is shown that, for the appropriate notion of "difference", the Proposed Encryption Standard (PES) of Lai and Massey, which is an 8-round iterated cipher, is a Markov cipher, as are the mini-versions of PES with block lengths 8, 16 and 32 bits. It is shown that PES(8) and PES(16) are immune to differential cryptanalysis after sufficiently many rounds. A detailed cryptanalysis of the full-size PES is given and shows that the very plausibly most probable 7-round differential has a probability about 2 ...
Side Channel Cryptanalysis of Product Ciphers
Journal of Computer Security, 1998
Cited by 73 (8 self)
Abstract: Building on the work of Kocher [Koc96], Jaffe, and Yun [KJY98], we discuss the notion of side-channel cryptanalysis: cryptanalysis using implementation data. We discuss the notion of side-channel attacks and the vulnerabilities they introduce, demonstrate side-channel attacks against three product ciphers -- timing attack against IDEA, processor-flag attack against RC5, and Hamming weight attack against DES -- and then generalize our research to other cryptosystems.
The Architecture and Implementation of Network-Layer Security Under Unix
In UNIX Security Symposium IV Proceedings, Pages 29--39, 1993
Cited by 60 (5 self)
Abstract: swIPe is a network-layer security protocol for the IP protocol suite. This paper presents the architecture, design philosophy, and performance of an implementation of swIPe under several variants of Unix. swIPe provides authentication, integrity, and confidentiality of IP datagrams, and is completely compatible with the existing IP infrastructure. To maintain this compatibility, swIPe is implemented using an encapsulation protocol. Mechanism (the details of the protocol) is decoupled from policy (what and when to protect) and key management. swIPe under Unix is implemented using a virtual network interface. The parts of the implementation that process incoming and outgoing packets are entirely in the kernel; parameter setting and exception handling, however, are managed by user-level processes. The performance of swIPe on modern workstations is limited primarily by the speed of the underlying authentication and encryption algorithms; the mechanism overhead is negligible in our prototype.
Twofish: A 128-Bit Block Cipher
In First Advanced Encryption Standard (AES) Conference, 1998
Cited by 50 (8 self)
Abstract: Twofish is a 128-bit block cipher that accepts a variable-length key up to 256 bits. The cipher is a 16-round Feistel network with a bijective F function made up of four key-dependent 8-by-8-bit S-boxes, a fixed 4-by-4 maximum distance separable matrix over GF(2^8), a pseudo-Hadamard transform, bitwise rotations, and a carefully designed key schedule. A fully optimized implementation of Twofish encrypts on a Pentium Pro at 17.8 clock cycles per byte, and an 8-bit smart card implementation encrypts at 1660 clock cycles per byte. Twofish can be implemented in hardware in 14000 gates. The design of both the round function and the key schedule permits a wide variety of tradeoffs between speed, software size, key setup time, gate count, and memory. We have extensively cryptanalyzed Twofish; our best attack breaks 5 rounds with 2^22.5 chosen plaintexts and 2^51 effort.
Role-based access control on the web
ACM Transactions on Information and System Security, 2001
Cited by 41 (2 self)
Abstract: Current approaches to access control on Web servers do not scale to enterprise-wide systems because they are mostly based on individual user identities. Hence we were motivated by the need to manage and enforce the strong and efficient RBAC access control technology in large-scale Web environments. To satisfy this requirement, we identify two different architectures for RBAC on the Web, called user-pull and server-pull. To demonstrate feasibility, we implement each architecture by integrating and extending well-known technologies such as cookies, X.509, SSL, and LDAP, providing compatibility with current Web technologies. We describe the technologies we use to implement RBAC on the Web in different architectures. Based on our experience, we also compare the tradeoffs of the different approaches.
Efficient Arithmetic in Finite Field Extensions with Application in Elliptic Curve Cryptography
Journal of Cryptology, 2000
Cited by 36 (7 self)
Abstract: This contribution focuses on a class of Galois field used to achieve fast finite field arithmetic which we call an Optimal Extension Field (OEF), first introduced in [3]. We extend this work by presenting an adaptation of Itoh and Tsujii's algorithm for finite field inversion applied to OEFs. In particular, we use the facts that the action of the Frobenius map in GF(p^m) can be computed with only m - 1 subfield multiplications and that inverses in GF(p) may be computed cheaply using known techniques. As a result, we show that one extension field inversion can be computed with a logarithmic number of extension field multiplications. In addition, we provide new extension field multiplication formulas which give a performance increase. Further, we provide an OEF construction algorithm together with tables of Type I and Type II OEFs along with statistics on the number of pseudo-Mersenne primes and OEFs. We apply this new work to provide implementation results using these me...
Hash Functions Based on Block Ciphers
Proc. of EUROCRYPT 92, 1993
Cited by 33 (5 self)
Abstract: Iterated hash functions based on block ciphers are treated. Five attacks on an iterated hash function and on its round function are formulated. The wisdom of strengthening such hash functions by constraining the last block of the message to be hashed is stressed. Schemes for constructing m-bit and 2m-bit hash round functions from m-bit block ciphers are studied. A principle is formalized for evaluating the strength of hash round functions, viz., that applying computationally simple (in both directions) invertible transformations to the input and output of a hash round function yields a new hash round function with the same security. By applying this principle, four attacks on three previously proposed 2m-bit hash round functions are formulated. Finally, three new hash round functions based on an m-bit block cipher with a 2m-bit key are proposed.
1 Introduction
This paper is intended to provide a rather rounded treatment of hash functions that are obtained by iterati...
Cryptographic Hash Functions: A Survey
1995
Cited by 30 (7 self)
Abstract: This paper gives a survey on cryptographic hash functions. It gives an overview of all types of hash functions and reviews design principles and possible methods of attacks. It also focuses on keyed hash functions and provides the applications, requirements, and constructions of keyed hash functions.
Weak Keys for IDEA
Advances in Cryptology, CRYPTO 93 Proceedings, 1993
Cited by 28 (2 self)
Abstract: Large classes of weak keys have been found for the block cipher algorithm IDEA, previously known as IPES [?]. IDEA has a 128-bit key and encrypts blocks of 64 bits. For a class of 2^23 keys IDEA exhibits a linear factor. For a certain class of 2^35 keys the cipher has a global characteristic with probability 1. For another class of 2^51 keys only two encryptions and solving a set of 16 nonlinear boolean equations with 12 variables is sufficient to test if the used key belongs to this class. If it does, its particular value can be calculated efficiently. It is shown that the problem of weak keys can be eliminated by slightly modifying the key schedule of IDEA.
1 Introduction
At Eurocrypt '90 the block cipher proposal PES (Proposed Encryption Standard) was presented [?]. At Eurocrypt '91 the same authors presented a modification of PES, called IPES (Improved PES) [?]. The reason for this modification was new insights based on differential cryptanalysis [?]. IPES has become comme...