Plaintext recovery attacks against SSH
In IEEE Symposium on Security and Privacy, 2009
Abstract

Cited by 27 (6 self)
This paper presents a variety of plaintext-recovering attacks against SSH. We implemented a proof of concept of our attacks against OpenSSH, where we can verifiably recover 14 bits of plaintext from an arbitrary block of ciphertext with probability 2^-14 and 32 bits of plaintext from an arbitrary block of ciphertext with probability 2^-18. These attacks assume the default configuration of a 128-bit block cipher operating in CBC mode. The paper explains why a combination of flaws in the basic design of SSH leads implementations such as OpenSSH to be open to our attacks, why current provable security results for SSH do not cover our attacks, and how the attacks can be prevented in practice.
A Challenging But Feasible Blockwise-Adaptive Chosen-Plaintext Attack on SSL
 SECRYPT 2006, Proceedings of the International Conference on Security and Cryptography, Setúbal, 2006
Abstract

Cited by 13 (1 self)
This paper introduces a chosen-plaintext vulnerability in the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols which enables recovery of low entropy strings such as can be guessed from a likely set of 21000 options. SSL and TLS are widely used for securing communication over the Internet. When utilizing block ciphers for encryption, the SSL and TLS standards mandate the use of the cipher block chaining (CBC) mode of encryption which requires an initialization vector (IV) in order to encrypt. Although the first IV used by SSL is a (pseudo)random string which is generated and shared during the initial handshake phase, subsequent IVs used by SSL are chosen in a deterministic, predictable pattern; in particular, the IV of a message is taken to be the final ciphertext block of the immediately-preceding message, and is therefore known to the adversary. The one
Vulnerability of SSL to Chosen-Plaintext Attack
, 2004
Abstract

Cited by 10 (1 self)
The Secure Sockets Layer (SSL) protocol is widely used for securing communication over the Internet. When utilizing block ciphers for encryption, the SSL standard mandates the use of the cipher block chaining (CBC) mode of encryption which requires an initialization vector (IV) in order to encrypt. Although the initial IV used by SSL is a (pseudo)random string which is generated and shared during the initial handshake phase, subsequent IVs used by SSL are chosen in a deterministic, predictable pattern; in particular, the IV of a message is taken to be the final ciphertext block of the immediately-preceding message. We show that this introduces a vulnerability in SSL which (potentially) enables easy recovery of low-entropy strings such as passwords or PINs that have been encrypted. Moreover, we argue that the open nature of web browsers provides a feasible "point of entry" for this attack via a corrupted plugin; thus, implementing the attack is likely to be much easier than, say, installing a Trojan Horse for "keyboard sniffing". Finally, we suggest a number of modifications to the SSL standard which will prevent this attack.
Concealment and its applications to authenticated encryption
In EUROCRYPT 2003, 2003
Abstract

Cited by 10 (2 self)
Abstract. We introduce a new cryptographic primitive we call concealment, which is related, but quite different from the notion of commitment. A concealment is a publicly known randomized transformation, which, on input m, outputs a hider h and a binder b. Together, h and b allow one to recover m, but separately, (1) the hider h reveals “no information” about m, while (2) the binder b can be “meaningfully opened” by at most one hider h. While setting b = m, h = ∅ is a trivial concealment, the challenge is to make |b| ≪ |m|, which we call a “non-trivial” concealment. We show that non-trivial concealments are equivalent to the existence of collision-resistant hash functions. Moreover, our construction of concealments is extremely simple, optimal, and yet very general, giving rise to a multitude of efficient implementations. We show that concealments have natural and important applications in the area of authenticated encryption. Specifically, let AE be an authenticated encryption scheme (either public- or symmetric-key) designed
Blockwise Adversarial Model for Online Ciphers and Symmetric Encryption Schemes
In Selected Areas in Cryptography ’04, LNCS, 2004
Abstract

Cited by 6 (0 self)
Abstract. This paper formalizes the security adversarial games for online symmetric cryptosystems in a unified framework for deterministic and probabilistic encryption schemes. Online encryption schemes allow encrypting messages even if the whole message is not known at the beginning of the encryption. The newly introduced adversaries better capture the online properties than classical ones. Indeed, in the new model, the adversaries are allowed to send messages block-by-block to the encryption machine and receive the corresponding ciphertext blocks on-the-fly. This kind of attacker is called a blockwise adversary and is stronger than the standard one, which treats messages as atomic objects. In this paper, we compare the two adversarial models for online encryption schemes. For probabilistic encryption schemes, we show that security is not preserved, contrary to deterministic schemes. We prove in the appendix of the full version that in this last case, the two models are polynomially equivalent in the number of encrypted blocks. Moreover, in the blockwise model, a polynomial number of concurrent accesses to encryption oracles have to be taken into account. This leads to the strongest security notion in this setting. Furthermore, we show that this notion is valid by exhibiting a scheme secure under this security notion.
Online Ciphers from Tweakable Blockciphers
Abstract

Cited by 2 (0 self)
Abstract. Online ciphers are deterministic length-preserving permutations E_K: ({0, 1}^n)^+ → ({0, 1}^n)^+ where the i-th block of ciphertext depends only on the first i blocks of plaintext. Definitions, constructions, and applications for these objects were first given by Bellare, Boldyreva, Knudsen, and Namprempre. We simplify and generalize their work, showing that online ciphers are rather trivially constructed from tweakable blockciphers, a notion of Liskov, Rivest, and Wagner. We go on to show how to define and achieve online ciphers for settings in which messages need not be a multiple of n bits. Key words: Online ciphers, modes of operation, provable security, symmetric encryption, tweakable blockciphers.
Elastic Block Ciphers in Practice: Constructions and Modes of Encryption
In Proceedings of the European Conference on Computer Network Defense (EC2ND), 2007
Abstract

Cited by 1 (1 self)
We demonstrate the general applicability of the elastic block cipher method by constructing examples from existing block ciphers: AES, Camellia, MISTY1 and RC6. An elastic block cipher is a variable-length block cipher created from an existing fixed-length block cipher. The elastic version supports any block size between one and two times that of the original block size. We compare the performance of the elastic versions to that of the original versions and evaluate the elastic versions using statistical tests measuring the randomness of the ciphertext. The benefit, in terms of an increased rate of encryption, of using an elastic block cipher varies based on the specific block cipher and implementation. In most cases, there is an advantage to using an elastic block cipher to encrypt blocks that are a few bytes longer than the original block length. The statistical test results indicate no obvious flaws in the method for constructing elastic block ciphers. We also use our examples to demonstrate the concept of a generic key schedule for block ciphers. In addition, we present ideas for new modes of encryption using the elastic block cipher construction.
Authenticated Streamwise Online Encryption
, 2009
Abstract
In Blockwise Online Encryption, encryption and decryption return an output block as soon as the next input block is received. In this paper, we introduce Authenticated Streamwise Online Encryption (ASOE), which operates on plaintexts and ciphertexts as streams of arbitrary length (as opposed to fixed-sized blocks), and thus significantly reduces message expansion and end-to-end latency. Also, ASOE provides data authenticity as an option. ASOE can therefore be used to efficiently secure resource-constrained communications with real-time requirements such as those in the electric power grid and wireless sensor networks. We investigate and formalize ASOE’s strongest achievable notion of security, and present a construction that is secure under that notion. An instantiation of our construction incurs zero end-to-end latency due to buffering and only 48 bytes of message expansion, regardless of the
Elastic Block Ciphers
, 2006
Abstract
Standard block ciphers are designed around one or a small number of block sizes. From both a practical and a theoretical perspective, the question of how to efficiently support a range of block sizes is of interest. In applications, the length of the data to be encrypted is often not a multiple of the supported block size. This results in the use of plaintext-padding schemes that impose computational and space overheads. Furthermore, a variable-length block cipher ideally provides a variable-length pseudorandom permutation and strong pseudorandom permutation, which are theoretical counterparts of practical block ciphers and correspond to ideal properties for a block cipher. The focus of my research is the design and analysis of a method for creating variable-length block ciphers from existing fixed-length block ciphers. As the heart of the method, I introduce the concept of an elastic block cipher, which refers to stretching the supported block size of a block cipher to any length up to twice the original block size while incurring a computational workload that is proportional to the block size. I create a structure, referred to as the elastic network, that uses the round function from any existing block cipher in a manner that allows the properties of the round function to be maintained and results
Primitives and Schemes for Non-Atomic Information Authentication
Abstract
ACKNOWLEDGEMENTS. The completion of the dissertation would not have been possible without the support of my family that has blessed my life in ways I cannot repay. I wish to recognize, with profound appreciation, the invaluable academic mentoring I received from my advisors: Professor Yvo Desmedt and Professor Mike Burmester. In addition to my advisors, my sincere thanks are due to the members of my advisory committee, Dr. Mark Van Hoeij, Dr. Kyle Gallivan and Dr. Michael Mascagni, whose guidance and encouragement contributed to the completion of this work. I would also like to thank the Department of Computer Science for giving me an opportunity and providing an environment where I can study and conduct my research. My final thanks go to the National Science Foundation (NSF) for the financial help through a number of grants awarded to my academic advisors. — Goce