Results 1 - 10 of 22
Secure Information Sharing Enabled by Trusted Computing and PEI Models (2006)
Cited by 23 (5 self)
The central goal of secure information sharing is to “share but protect”, where the motivation to “protect” is to safeguard the sensitive content from unauthorized disclosure (in contrast to protecting the content to avoid loss of revenue, as in retail Digital Rights Management). This elusive goal has been a major driver for information security for over three decades. Recently, the need for secure information sharing has dramatically increased with the explosion of the Internet and the convergence of outsourcing, offshoring and B2B collaboration in the commercial arena, and the real-world demonstration of the tragic consequences of a lack of information sharing in the national security arena. As technology has made the “share” aspect ever easier, so has it increased the difficulty of enforcing the “protect” aspect. The central contribution of this paper is to show that the emergence of industrial strength Trusted Computing
The CryptoGraphic Disk Driver. In Proceedings of the Annual USENIX Technical Conference, FREENIX Track, 2003
Cited by 10 (0 self)
Mitigating Dictionary Attacks on Password-Protected Local Storage. In Advances in Cryptology, CRYPTO, 2006
Cited by 5 (1 self)
We address the issue of encrypting data in local storage using a key that is derived from the user's password. The typical solution in use today is to derive the key from the password using a cryptographic hash function. This solution provides relatively weak protection, since an attacker that gets hold of the encrypted data can mount an off-line dictionary attack on the user's password, thereby recovering the key and decrypting the stored data. We propose an
DNS Security (DNSSEC) Hashed Authenticated Denial of Existence. RFC 5155, March 2008
Cited by 5 (0 self)
This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited. The Domain Name System Security (DNSSEC) Extensions introduced the NSEC resource record (RR) for authenticated denial of existence. This document introduces an alternative resource record, NSEC3, which similarly provides authenticated denial of existence. However, it also provides measures against zone enumeration and permits gradual expansion of delegation-centric zones.
Halting Password Puzzles -- Hard-to-break Encryption from Human-memorable Keys (2007)
Cited by 3 (1 self)
We revisit the venerable question of "pure password"-based key derivation and encryption, and expose security weaknesses in current implementations that stem from structural flaws in Key Derivation Functions (KDF). We advocate a fresh redesign, named Halting KDF (HKDF), which we thoroughly motivate on these grounds: 1. By letting password owners choose the hash iteration count, we gain operational flexibility and eliminate the rapid obsolescence faced by many existing schemes. 2. By throwing a Halting-Problem wrench in the works of guessing that iteration count, we widen the security gap with any attacker to its theoretical optimum. 3. By parallelizing the key derivation, we let legitimate users exploit all the computational power they can muster, which in turn further raises the bar for attackers. HKDFs are practical and universal: they work with any password, any hardware, and a minor change to the user interface. As a demonstration, we offer real-world implementations for the TrueCrypt and GnuPG packages, and discuss their security benefits in concrete terms.
On Extract-then-Expand Key Derivation Functions and an HMAC-based KDF (2008)
Cited by 3 (0 self)
This paper describes and provides detailed rationale for a simple (and fully specified) HMAC-based key derivation function (KDF) that can serve multiple applications under a wide variety of requirements and assumptions, and whose design is backed by careful cryptographic analysis. The proposed scheme follows the extract-then-expand paradigm for KDF design (which we present and discuss in great detail) and results in a hash-based KDF whose security relies on as weak as possible assumptions from the underlying hash function. Moreover, the same approach allows for alternative implementations fully or partially based on block ciphers (e.g., AES). The proposal is intended to address two important and timely needs of crypto applications: (i) providing a single hash-based KDF design that can be standardized for use in multiple and diverse applications, and (ii) providing a conservative, yet efficient, design that exercises much care in the way it utilizes a cryptographic hash function. The bulk of the paper is dedicated to present detailed cryptographic analysis for the proposed design based on recent research in this
File System Independent Metadata Organization for TransCrypt
Cited by 2 (0 self)
Stronger Key Derivation via Sequential Memory-Hard Functions
Cited by 2 (0 self)
We introduce the concepts of memory-hard algorithms and sequential memory-hard functions, and argue that in order for key derivation functions to be maximally secure against attacks using custom hardware, they should be constructed from sequential memory-hard functions. We present a family of key derivation functions which, under the random oracle model of cryptographic hash functions, are provably sequential memory-hard, and a variation which appears to be marginally stronger at the expense of lacking provable strength. Finally, we provide some estimates of the cost of performing brute force attacks on a variety of password strengths and key derivation functions.
Dynamic and automatic connection of personal area networks to the global internet. The International Wireless Communications and Mobile Computing Conference, 2006
Cited by 1 (0 self)
In Next Generation Networks (NGNs), users will carry multiple devices forming cooperative networks known as Personal Area Networks (PANs). Some existing technologies enable this type of network, such as Bluetooth or IEEE 802.15.4, but a unified framework capable of self-organizing them dynamically in a fully heterogeneous environment populated by these and other technologies still has to be defined. Also, these networks are envisioned to connect dynamically to the Internet, and may use two IP versions and their autoconfiguration mechanisms. In this paper we propose a new framework, the Autoconfiguration and Self-management of Personal Area Networks (ASPAN), which enables the automatic and dynamic deployment of PANs in the heterogeneous environments envisioned for NGNs and handles the automatic and dynamic connection of a PAN to the global Internet.
Analysis of the WinZip encryption method (2004)
Cited by 1 (0 self)
WinZip is a popular compression utility for Microsoft Windows computers, the latest version of which is advertised as having "easy-to-use AES encryption to protect your sensitive data." We exhibit several attacks against WinZip's new encryption method, dubbed "AE-2" or "Advanced Encryption, version two." We then discuss secure alternatives. Since at a high level the underlying WinZip encryption method appears secure (the core is exactly Encrypt-then-Authenticate using AES-CTR and HMAC-SHA1), and since one of our attacks was made possible because of the way that WinZip Computing, Inc. decided to fix a different security problem with its previous encryption method AE-1, our attacks further underscore the subtlety of designing cryptographically secure software.

