Results 1 - 10 of 53
Authenticated Key Exchange Secure Against Dictionary Attacks
2000
Cited by 394 (37 self)
Password-based protocols for authenticated key exchange (AKE) are designed to work despite the use of passwords drawn from a space so small that an adversary might well enumerate, off line, all possible passwords. While several such protocols have been suggested, the underlying theory has been lagging. We begin by defining a model for this problem, one rich enough to deal with password guessing, forward secrecy, server compromise, and loss of session keys. The one model can be used to define various goals. We take AKE (with "implicit" authentication) as the "basic" goal, and we give definitions for it, and for entity-authentication goals as well. Then we prove correctness for the idea at the center of the Encrypted Key-Exchange (EKE) protocol of Bellovin and Merritt: we prove security, in an ideal-cipher model, of the two-flow protocol at the core of EKE.
Provable Data Possession at Untrusted Stores
2007
Cited by 279 (9 self)
We introduce a model for provable data possession (PDP) that allows a client that has stored data at an untrusted server to verify that the server possesses the original data without retrieving it. The model generates probabilistic proofs of possession by sampling random sets of blocks from the server, which drastically reduces I/O costs. The client maintains a constant amount of metadata to verify the proof. The challenge/response protocol transmits a small, constant amount of data, which minimizes network communication. Thus, the PDP model for remote data checking supports large data sets in widely-distributed storage systems. We present two provably-secure PDP schemes that are more efficient than previous solutions, even when compared with schemes that achieve weaker guarantees. In particular, the overhead at the server is low (or even constant), as opposed to linear in the size of the data. Experiments using our implementation verify the practicality of PDP and reveal that the performance of PDP is bounded by disk I/O and not by cryptographic computation.
Pors: proofs of retrievability for large files
 In CCS ’07: Proceedings of the 14th ACM conference on Computer and communications security
2007
Cited by 238 (10 self)
In this paper, we define and explore proofs of retrievability (PORs). A POR scheme enables an archive or backup service (prover) to produce a concise proof that a user (verifier) can retrieve a target file F, that is, that the archive retains and reliably transmits file data sufficient for the user to recover F in its entirety. A POR may be viewed as a kind of cryptographic proof of knowledge (POK), but one specially designed to handle a large file (or bitstring) F. We explore POR protocols here in which the communication costs, number of memory accesses for the prover, and storage requirements of the user (verifier) are small parameters essentially independent of the length of F. In addition to proposing new, practical POR constructions, we explore implementation considerations and optimizations that bear on previously explored, related schemes. In a POR, unlike a POK, neither the prover nor the verifier need actually have knowledge of F. PORs give rise to a new and unusual security definition whose formulation is another contribution of our work. We view PORs as an important tool for semi-trusted online archives. Existing cryptographic techniques help users ensure the privacy and integrity of files they retrieve. It is also natural, however, for users to want to verify that archives do not delete or modify files prior to retrieval. The goal of a POR is to accomplish these checks without users having to download the files themselves. A POR can also provide quality-of-service guarantees, i.e., show that a file is retrievable within a certain time bound. Key words: storage systems, storage security, proofs of retrievability, proofs of knowledge
Scalable and efficient provable data possession
 Proceedings of SecureComm 2008
Cited by 147 (3 self)
Storage outsourcing is a rising trend which prompts a number of interesting security issues, many of which have been extensively investigated in the past. However, Provable Data Possession (PDP) is a topic that has only recently appeared in the research literature. The main issue is how to frequently, efficiently and securely verify that a storage server is faithfully storing its client’s (potentially very large) outsourced data. The storage server is assumed to be untrusted in terms of both security and reliability. (In other words, it might maliciously or accidentally erase hosted data; it might also relegate it to slow or offline storage.) The problem is exacerbated by the client being a small computing device with limited resources. Prior work has addressed this problem using either public key cryptography or requiring the client to outsource its data in encrypted form. In this paper, we construct a highly efficient and provably secure PDP technique based entirely on symmetric key cryptography, while not requiring any bulk encryption. Also, in contrast with its predecessors, our PDP technique allows outsourcing of dynamic data, i.e., it efficiently supports operations, such as block modification, deletion and append.
A Oprea. Proofs of retrievability: Theory and implementation
2008
Cited by 60 (3 self)
A proof of retrievability (POR) is a compact proof by a file system (prover) to a client (verifier) that a target file F is intact, in the sense that the client can fully recover it. As PORs incur lower communication complexity than transmission of F itself, they are an attractive building block for high-assurance remote storage systems. In this paper, we propose a theoretical framework for the design of PORs. Our framework improves the previously proposed POR constructions of Juels-Kaliski and Shacham-Waters, and also sheds light on the conceptual limitations of previous theoretical models for PORs. It supports a fully Byzantine adversarial model, carrying only the restriction (fundamental to all PORs) that the adversary’s error rate ε be bounded when the client seeks to extract F. Our techniques support efficient protocols across the full possible range of ε, up to ε non-negligibly close to 1. We propose a new variant on the Juels-Kaliski protocol and describe a prototype implementation. We demonstrate practical encoding even for files F whose size exceeds that of client main memory.
Format-Preserving Encryption
Cited by 33 (8 self)
Format-preserving encryption (FPE) encrypts a plaintext of some specified format into a ciphertext of identical format, for example, encrypting a valid credit-card number into a valid credit-card number. The problem has been known for some time, but it has lacked a fully general and rigorous treatment. We provide one, starting off by formally defining FPE and security goals for it. We investigate the natural approach for achieving FPE on complex domains, the “rank-then-encipher” approach, and explore what it can and cannot do. We describe two flavors of unbalanced Feistel networks that can be used for achieving FPE, and we prove new security results for each. We revisit the cycle-walking approach for enciphering on a non-sparse subset of an encipherable domain, showing that the timing information that may be divulged by cycle walking is not a damaging thing to leak.
Group Diffie-Hellman Key Exchange Secure against Dictionary Attacks
 IN ADVANCES IN CRYPTOLOGY – ASIACRYPT’02
2002
Cited by 33 (10 self)
Group Diffie-Hellman schemes for password-based key exchange are designed to provide a pool of players communicating over a public network, and sharing just a human-memorable password, with a session key (e.g., the key is used for multicast data integrity and confidentiality). The fundamental security goal to achieve in this scenario is security against dictionary attacks. While solutions have been proposed to solve this problem, no formal treatment has ever been suggested. In this paper, we define a security model and then present a protocol with its security proof in both the random oracle model and the ideal-cipher model.
Secure Password-Based Cipher Suite for TLS
 PROCEEDINGS OF NETWORK AND DISTRIBUTED SYSTEMS SECURITY SYMPOSIUM
2001
Cited by 29 (1 self)
SSL is the de-facto standard today for securing end-to-end transport on the Internet. While the protocol itself seems rather secure, there are a number of risks that lurk in its use, e.g., in web banking. However, the adoption of password-based key-exchange protocols can overcome some of these problems. We propose the integration of such a protocol (DH-EKE) in the TLS protocol, the standardization of SSL by IETF. The resulting protocol provides secure mutual authentication and key establishment over an insecure channel. It does not have to resort to a PKI or keys and certificates stored on the user's computer. Additionally, its integration in TLS is as minimal and non-intrusive as possible.
Remote Data Checking Using Provable Data Possession
2011
Cited by 26 (2 self)
We introduce a model for provable data possession (PDP) that can be used for remote data checking: A client that has stored data at an untrusted server can verify that the server possesses the original data without retrieving it. The model generates probabilistic proofs of possession by sampling random sets of blocks from the server, which drastically reduces I/O costs. The client maintains a constant amount of metadata to verify the proof. The challenge/response protocol transmits a small, constant amount of data, which minimizes network communication. Thus, the PDP model for remote data checking is lightweight and supports large data sets in distributed storage systems. The model is also robust in that it incorporates mechanisms for mitigating arbitrary amounts of data corruption. We present two provably-secure PDP schemes that are more efficient than previous solutions. In particular, the overhead at the server is low (or even constant), as opposed to linear in the size of the data. We then propose a generic transformation that adds robustness to any remote data checking scheme based on spot checking. Experiments using our implementation verify the practicality of PDP and reveal that the performance of PDP is bounded by disk I/O and not by cryptographic computation. Finally, we conduct an in-depth experimental evaluation to study the trade-offs in performance, security, and space overheads when
Derandomized constructions of k-wise (almost) independent permutations
 In Proceedings of the 9th Workshop on Randomization and Computation (RANDOM
2005
Cited by 24 (4 self)
Constructions of k-wise almost independent permutations have been receiving a growing amount of attention in recent years. However, unlike the case of k-wise independent functions, the size of previously constructed families of such permutations is far from optimal. This paper gives a new method for reducing the size of families given by previous constructions. Our method relies on pseudorandom generators for space-bounded computations. In fact, all we need is a generator that produces "pseudorandom walks" on undirected graphs with a consistent labelling. One such generator is implied by Reingold's logspace algorithm for undirected connectivity [35, 36]. We obtain families of k-wise almost independent permutations, with an optimal description length, up to a constant factor. More precisely, if the distance from uniform for any k-tuple should be at most $\delta$, then the size of the description of a permutation in the family is $O(kn + \log\frac{1}{\delta})$.
1 Introduction
In explicit constructions of pseudorandom objects, we are interested in simulating a large random object using a succinct one and would like to capture some essential properties of the former. A natural way to phrase such a requirement is via limited access. Suppose the object that we are interested in simulating is a random function $f: \{0,1\}^n \mapsto \{0,1\}^n$ and we want to come up with a small family of functions G that simulates it. The k-wise independence requirement in this case is that a function g chosen at random from G be completely indistinguishable from a function f chosen at random from the set of all functions, for any process that receives the value of either