Systematic Design of Two-Party Authentication Protocols
, 1992
Abstract

Cited by 52 (3 self)
We investigate protocols for authenticated exchange of messages between two parties in a communication network. Secure authenticated exchange is essential for network security. It is not difficult to design simple and seemingly correct solutions for it; however, many such "solutions" can be broken. We give some examples of such protocols and we show a useful methodology which can be used to break many protocols. In particular, we break a protocol that is being standardized by the ISO. We present a new authenticated exchange protocol which is both provably secure and highly efficient and practical. The security of the protocol is proven, based on an assumption about the cryptosystem employed (namely, that it is secure when used in CBC mode on a certain message space). We think that this assumption is quite reasonable for many cryptosystems, and furthermore it is often assumed in practical use of the DES cryptosystem. Our protocol cannot be broken using the methodology we present (which was strong enough to catch all protocols we found). The reduction to the security of the encryption mode indeed captures the nonexistence of the exposures that the methodology catches (specialized to the actual use of encryption in our protocol). Furthermore, the protocol prevents chosen plaintext or ciphertext attacks on the cryptosystem. The proposed protocol is efficient and practical in several aspects. First, it uses only conventional cryptography (like the DES, or any privately-shared one-way function) and no public key. Second, the protocol does not require synchronized clocks or counter management. Third, only a small number of encryption operations is needed (we use no decryption), all with a single shared key. In addition, only three messages are exchanged during the protocol, and the size of these messages is ...
Trusted Integrated Circuits: A Nondestructive Hidden Characteristics Extraction Approach, IH
, 2008
Abstract

Cited by 19 (14 self)
Abstract. We have developed a methodology for unique identification of integrated circuits (ICs) that addresses untrusted fabrication and other security problems. The new method leverages nondestructive gate-level characterization of ICs post-manufacturing, revealing the hidden and unclonable uniqueness of each IC. The IC characterization uses the externally measured leakage currents for multiple input vectors. We have derived several optimization techniques for gate-level characterization. The probability of collision of IDs in the presence of intra- and inter-chip correlations is computed. We also introduce a number of novel security and authentication protocols, such as hardware metering, challenge-based authentication and prevention of software piracy, that leverage the extraction of a unique ID for each IC. Experimental evaluations of the proposed approach on a large set of benchmark examples reveal its effectiveness even in the presence of measurement errors.
How to Forge DES-Encrypted Messages in 2^28 Steps
, 1996
Abstract

Cited by 17 (0 self)
In this paper we suggest key-collision attacks, and show that the theoretic strength of a cipher cannot exceed the square root of the size of the key space. As a result, in some circumstances, some DES keys can be recovered while they are still in use, and these keys can then be used to forge messages: in particular, one key of DES can be recovered with complexity 2^28, and one key of (three-key) triple-DES can be recovered with complexity 2^84.
Generalized Birthday Attacks on Unbalanced Feistel Networks
 in proceedings of Crypto’98, LNCS
, 1998
Abstract

Cited by 3 (0 self)
Abstract. Unbalanced Feistel networks F_k, which are used to construct invertible pseudorandom permutations from kn bits to kn bits using d pseudorandom functions from n bits to (k − 1)n bits, k ≥ 2, are studied. We show a new generalized birthday attack on F_k with d ≤ 3k − 3. With 2^((k−1)n) chosen plaintexts an adversary can distinguish F_k (with d = 3k − 3) from a random permutation with high probability. If d < 3k − 3 then fewer plaintexts are required. We also show that for any F_k (with d = 2k), any adversary with m chosen plaintext oracle queries has probability O(m^k / 2^((k−1)n)) of distinguishing F_k from a random permutation.
Generic Attacks on Unbalanced Feistel Schemes with Expanding Functions
 ASIACRYPT'07
, 2007
Abstract

Cited by 2 (0 self)
Unbalanced Feistel schemes with expanding functions are used to construct pseudorandom permutations from kn bits to kn bits by using random functions from n bits to (k − 1)n bits. At each round, all the bits except n bits are changed by using a function that depends only on these n bits. C. S. Jutla [6] investigated such schemes, which he denotes by F^d_k, where d is the number of rounds. In this paper, we describe novel Known Plaintext Attacks (KPA) and Non-Adaptive Chosen Plaintext Attacks (CPA-1) against these schemes. With these attacks we will often be able to improve the results of C. S. Jutla. We also give precise formulas for the complexity of our attacks in d, k and n. Key words: Unbalanced Feistel permutations, pseudorandom permutations, generic attacks on encryption schemes, block ciphers.
Herding, Second Preimage and Trojan Message Attacks Beyond Merkle-Damgård
Abstract

Cited by 1 (1 self)
Abstract. In this paper we present new attack techniques to analyze the structure of hash functions that are not based on the classical Merkle-Damgård construction. We extend the herding attack to concatenated hashes, and to certain hash functions that process each message block several times. Using this technique, we show a second preimage attack on the folklore "hash-twice" construction, which processes two concatenated copies of the message. We then show how to apply the herding attack to tree hashes. Finally, we present a new type of attack, the trojan message attack, which allows for producing second preimages of unknown messages (from a small known space) when they are appended with a fixed suffix.
Generalizing the Herding Attack to Concatenated Hashing Schemes
Abstract

Cited by 1 (0 self)
Abstract. In this paper we extend the herding attacks to concatenated hash functions, i.e., hash functions of the form h(x) = h1(x) || h2(x). Our results actually apply to a much larger set of hash functions. We show that even when the compression function of h(·) can be written as two (or more) data paths, where one data path is not affected by the second (while the second may depend on the first), the generalized herding attack can be applied. This result, along with Joux's original observations, shows that schemes that aim to improve the resistance of hash functions against these attacks must use diffusion between the various data paths. Keywords: Concatenated hash functions, Multi-Collisions, Herding attack.
Herding, Second Preimage and Trojan Message Attacks Beyond Merkle-Damgård (author manuscript, published in "SAC, Calgary: Canada (2009)")
, 2009